Vault Radar CLI

In addition to the HCP portal, Vault Radar offers an easy to use command-line interface (CLI) to scan a various data source for unmanaged secrets to reduce security vulnerability.

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

Download and install CLI

CLI download instruction

Contact your customer success manager to enable HCP Vault Radar or for a license to run the CLI in offline mode.

The HCP Vault Radar CLI is available for download from releases.hashicorp.com/vault-radar as a zip archive and from popular package managers. It is also available as an image in Docker Hub.

To install the HCP Vault Radar CLI, find the appropriate package for your system and download it. The vault-radar CLI is packaged as a zip archive.

After downloading the zip archive, unzip the package. The HCP Vault Radar binary runs as a single binary named vault-radar. Any other files in the package can be safely removed and vault-radar will still function.

The final step is to make sure that the vault-radar binary is available on the PATH. See this page for instructions on setting the PATH on Linux and Mac This page contains instructions for setting the PATH on Windows.

The installation steps provided were tested on macOS 14.4 and should work on other versions that utilize the Homebrew package manager.

Refer to the Homebrew installation instructions if it is not already installed.

Install the HahsiCorp tap.
```
$ brew tap hashicorp/tap
```
Install the HCP Vault Radar CLI.
```
$ brew install vault-radar
```

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

The installation steps provided were tested on Ubuntu 22.04 and should work on other Debian based distributions that utilize the apt package manager.

Update the apt repository.
```
$ sudo apt update
```

Download the HashiCorp GPG key.

$ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

Add the HashiCorp repo.

$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

Install the vault-radar CLI.

$ sudo apt update && sudo apt install vault-radar -y

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

The installation steps provided were tested on CentOS Stream 9 and should work on other distributions that utilize the yum package manager.

Update the yum repository.
```
$ sudo yum update
```
Add the HashiCorp repository.
Note
Refer to the official packaging guide for the correct RHEL/CentOS or Fedora configuration.
```
$ curl -fsSL https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo | sudo tee /etc/yum.repos.d/hashicorp.repo
```

Install the vault-radar CLI.

$ sudo yum update && sudo yum install vault-radar -y

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

The installation steps provided were tested on Fedora 39 using the dnf package manager.

Update the dnf repository.
```
$ sudo dnf update
```
Add the HashiCorp repository.
Note
Refer to the official packaging guide for the correct RHEL/CentOS or Fedora configuration.
```
$ sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
```

Install the vault-radar CLI.

$ sudo dnf update && sudo dnf -y install vault-radar

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

The installation steps provided were tested on Amazon Linux 2 and should work on other distributions that utilize the yum package manager.

Update the yum repository.
```
$ sudo yum update
```

Add the HashiCorp repository.

Note

Refer to the official packaging guide for the correct RHEL/CentOS or Fedora configuration.

$ curl -fsSL https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo | sudo tee /etc/yum.repos.d/hashicorp.repo

Install the vault-radar CLI.

$ sudo yum update && sudo yum install vault-radar -y

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

HashiCorp does not maintain installation binaries using Chocolatey or Scoop. The latest version of the HCP Vault Radar CLI is available by manual installation.

This example downloads the Windows AMD64 binary using PowerShell. Use a Windows account with appropriate permissions to extract the binary to the Program Files directory and update the PATH.

Launch a PowerShell terminal using Run as Administrator. If prompted, click Yes.
Verify the latest (or desired) version of the HCP Vault Radar binary from releases.hashicorp.com. For example, "0.6.0".

Create some environment variables to configure the download:

$Env:RadarVersion = "0.6.0"
$Env:RadarArch = $Env:PROCESSOR_ARCHITECTURE.ToLower()
$Env:RadarURL = "https://releases.hashicorp.com/vault-radar/${Env:RadarVersion}"
$Env:RadarFile = "vault-radar_${Env:RadarVersion}_windows_${Env:RadarArch}.zip"

Download the zip archive to the current working directory.

$ Invoke-WebRequest                         `
  -URI "${Env:RadarURL}/${Env:RadarFile}" `
  -OutFile "./${Env:RadarFile}"

Extract the archive file to the default program directory.

$ Expand-Archive              `
  -Path ".\${Env:RadarFile}"  `
  -Destination "${Env:Programfiles}\HashiCorp\radar-cli\bin\"

Update the Windows user path:

$ [System.Environment]::SetEnvironmentVariable("Path",
    "$Env:Path;${Env:Programfiles}\HashiCorp\radar-cli\bin",
    [System.EnvironmentVariableTarget]::User
  )

Close the session and re-open Powershell normally.

Verify the installation.

$ vault-radar --help

Usage: vault-radar [--version] [--help] <command> [<args>]

Available commands are:
    govern     Govern commands
    index      Index commands
    meter      Meter commands
    scan       Scan commands
    station    Station management
    version    Shows the vault-radar cli version and golang version

The HCP Vault Radar CLI is also available as a Docker image. This image can be used to run the CLI in a containerized environment.

Verify the latest (or desired) version of the HCP Vault Radar binary from Docker Hub. For example, "0.6.0".
Set the version as an environment variable.
```
$ export VAULT_RADAR_VERSION=0.6.0
```

Pull the Docker image.

$ docker pull hashicorp/vault-radar:${VAULT_RADAR_VERSION}

Run the Docker container.

$ docker run --rm hashicorp/vault-radar:${VAULT_RADAR_VERSION} vault-radar --help

Dependencies

The Vault Radar CLI requires access to the following URLs:

api.cloud.hashicorp.com
auth.idp.hashicorp.com

Configure the necessary rules within your network to ensure the CLI can access these URLs.

The following dependencies need to be installed on the machine vault-radar is running on.

git - Required for scan repo and scan confluence commands
Docker engine - Required for scan docker-image command.

Usage

Usage: radar [--version] [--help] <command> [<args>]

Available commands are:
    agent      Agent management
    govern     Govern commands
    index      Index commands
    install    Install commands
    meter      Meter commands
    scan       Scan commands
    version    Shows the vault-radar cli version and golang version

Some commands require a connection to HCP. You will need to set HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET from your HCP project. More info on generating service principal keys here.

For more information, examples, and usage about a command, click on the name of the command in the sidebar.

Command help

To view a list of the available commands at any time, just run vault-radar with no arguments:

$ vault-radar

Use help (or -h for shorthand) to see the specific command help output.

Example: See the help message for the vault-radar scan aws-parameter-store command usage.

$ vault-radar scan aws-parameter-store -h
Usage: vault-radar scan aws-parameter-store [options]

  Scans AWS Parameter Store

Options:

  --region, -r             Specifies the region of AWS Parameter Store to scan (required)
  --outfile , -o           Specifies the file to store information about found secrets (required)
  --skip-history           If specified, scans only the most recent version of the parameters. Default is to scan all available versions
  --format, -f             Specifies the output format, csv, json, and sarif are supported. Defaults to csv
  --index-file             Specifies the index file path to use in order to determine which risks are managed
  --baseline, -b           Specifies the file with previous scan results. Only new secrets will be reported.
  --limit, -l              Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
  --parameter-limit        Specifies the maximum number of parameters to be scanned. The scan will stop when the limit is reached
  --offline                Specifies that the scan should be run in offline mode, without connecting to HCP
  --disable-ui             Specifies that the scan summary should not be logged to stdout

Global flags

Disable UI

The --disable-ui flag disables logging the command status and summary to stdout. This is particularly useful when you want to run a command in an environment where TTY is not available like a CI/CD pipeline.

Example: Run the scan aws-parameter-store command without logging the summary to stdout.

$ vault-radar scan aws-parameter-store --region us-west-2 --outfile secrets.csv --disable-ui

Offline mode

All the commands operate in an online mode by default where HCP credentials are required, but some commands also support an offline mode. The online mode is useful if you want to see consistent results no matter where CLI is run as it uses the configuration from the HCP.

In the offline mode, the CLI does not connect to HCP and uses the configuration stored on the local machine. Use the --offline flag to run a command in offline mode.

Note

Offline mode requires a license key to run. Set the license key using VAULT_RADAR_LICENSE environment variable or VAULT_RADAR_LICENSE_PATH environment variable to the path of the license file. If none of these are set, the CLI will try to read the license from ~/.hashicorp/vault-radar/vault-radar.hclic.

Example: Run the scan aws-parameter-store command in offline mode.

$ vault-radar scan aws-parameter-store --region us-west-2 \
  --outfile secrets.csv --offline

Index file

All the scan commands support the --index-file flag to specify the output file generated by the index command. When this flag is specified, the scan command uses the index file to determine which secrets are managed (i.e the secret is also detected in a secrets manager such as HashiCorp Vault).

Example: Run the scan aws-parameter-store command with the index file.

$ vault-radar scan aws-parameter-store --region us-west-2 \
  --outfile secrets.csv --index-file index.jsonl

See How to generate a Vault Index

Risks limit

All the scan commands support the --limit flag to specify the maximum number of secrets to be reported. The scan will stop when the limit is reached.

Example: Run the scan aws-parameter-store command with the limit.

$ vault-radar scan aws-parameter-store --region us-west-2 \
  --outfile secrets.csv --limit 10