HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan folder

Beta feature

This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan folder command is used for scanning a local folder.

Usage

Usage: vault-radar scan folder [options]

Command options

  • --path, -p: If specified scans the given folder, otherwise it scans current working dir
  • --outfile, -o: Specifies the file to store information about found secrets (required)
  • --format, -f: Specifies the output format, csv and json are supported. Defaults to csv
  • --baseline, -b: Specifies the file with previous scan results. Only new secrets will be reported.
  • --limit, -l: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
  • --host-name: Specifies the host name to use in risk URI, defaults to local hostname
  • --path-prefix: Specifies the path prefix to use in risk URI. If not specified, then full local path will be used
  • --index-file: Specifies the index file path to use in order to determine which risks are Vaulted

Scanning a folder

Scan a folder and write the results to a file in CSV format, this is the default format for output.

$ vault-radar scan folder -p <PATH TO FOLDER> -o <PATH TO OUTPUT>.csv

Scanning a folder and output in JSON

Scan a folder and write the results to a file in JSON Lines format. 

$ vault-radar scan folder -p <PATH TO FOLDER> \
    -o <PATH TO OUTPUT>.jsonl \
    -f json

HCP connection scanning behavior

The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

To allow for scanning to continue working without the need for HCP cloud connection you can use the new --offline flag as such.

$ vault-radar scan folder --offline -p <PATH TO FOLDER> \
    -o <PATH TO OUTPUT>.csv

Scanning using a baseline file

Perform a scan using a previous scan's result and write the new changes to an outfile. With -b option, only new risks, risks that were not found in the previous scan will be reported. 

$ vault-radar scan folder -p <PATH TO FOLDER> \
    -b <PATH TO BASELINE>.csv \
    -o <PATH TO OUTPUT>.csv

Scanning using a Vault index file

Perform a scan using a generated vault index and write the results to an output file. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.

$ vault-radar scan folder -p <PATH TO FOLDER> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

Scan and restrict the number of secrets found

Scan a clone and write the results to an outfile and stop scanning when the defined number of secrets are found.

$ vault-radar scan folder -p <PATH TO FOLDER> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>

Modify the secret URI in the output file

By default, the secret URI in the result file will be the full local file path where the secret has been found. If the results from scan runs on different machines must be combined for further analysis, --host-name and --path-prefix options could be used. --host-name specifies the host name to use in secret URI, defaults to local hostname. --path-prefix specifies the path prefix to use in secret URI. If not specified, then full local path will be used.

$ vault-radar scan folder -p <PATH TO FOLDER> \
    -o <PATH TO OUTPUT>.csv \
    --host-name <HOST NAME> \
    --path-prefix <PATH PREFIX>