HashiCorp Cloud Platform
Vault Radar CLI
In addition to the HCP portal, Vault Radar offers an easy to use command-line interface (CLI) to scan a various data source for unmanaged secrets to reduce security vulnerability.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
Download and install CLI
CLI download instruction
Contact your customer success manager to enable HCP Vault Radar or for a license to run the CLI in offline mode.
The HCP Vault Radar CLI is available for download from releases.hashicorp.com/vault-radar as a zip archive and from popular package managers. It is also available as an image in Docker Hub.
To install the HCP Vault Radar CLI, find the appropriate package for your
system and download it. The
vault-radar
CLI is packaged as a zip archive.
After downloading the zip archive, unzip the package. The HCP Vault Radar
binary runs as a single binary named vault-radar
. Any other files in the
package can be safely removed and vault-radar
will still function.
The final step is to make sure that the vault-radar
binary is available on the
PATH. See this page for instructions on setting the PATH on Linux and
Mac
This page contains instructions for setting the PATH on
Windows.
Dependencies
The Vault Radar CLI requires access to the following URLs:
- api.cloud.hashicorp.com
- auth.idp.hashicorp.com
Configure the necessary rules within your network to ensure the CLI can access these URLs.
The following dependencies need to be installed on the machine vault-radar
is
running on.
- git - Required for
scan repo
andscan confluence
commands - Docker engine - Required for
scan docker-image
command.
Usage
Usage: radar [--version] [--help] <command> [<args>]
Available commands are:
agent Agent management
govern Govern commands
index Index commands
install Install commands
meter Meter commands
scan Scan commands
version Shows the vault-radar cli version and golang version
Some commands require a connection to HCP. You will need to set HCP_PROJECT_ID
, HCP_CLIENT_ID
, and HCP_CLIENT_SECRET
from your HCP project. More info on generating service principal keys here.
For more information, examples, and usage about a command, click on the name of the command in the sidebar.
Command help
To view a list of the available commands at any time, just run vault-radar
with no arguments:
$ vault-radar
Use help
(or -h
for shorthand) to see the specific command help output.
Example: See the help message for the vault-radar scan aws-parameter-store
command usage.
$ vault-radar scan aws-parameter-store -h
Usage: vault-radar scan aws-parameter-store [options]
Scans AWS Parameter Store
Options:
--region, -r Specifies the region of AWS Parameter Store to scan (required)
--outfile , -o Specifies the file to store information about found secrets (required)
--skip-history If specified, scans only the most recent version of the parameters. Default is to scan all available versions
--format, -f Specifies the output format, csv, json, and sarif are supported. Defaults to csv
--index-file Specifies the index file path to use in order to determine which risks are managed
--baseline, -b Specifies the file with previous scan results. Only new secrets will be reported.
--limit, -l Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
--parameter-limit Specifies the maximum number of parameters to be scanned. The scan will stop when the limit is reached
--offline Specifies that the scan should be run in offline mode, without connecting to HCP
--disable-ui Specifies that the scan summary should not be logged to stdout
Global flags
Disable UI
The --disable-ui
flag disables logging the command status and summary to stdout.
This is particularly useful when you want to run a command in an environment where TTY
is not available like a CI/CD pipeline.
Example: Run the scan aws-parameter-store
command without logging the summary to stdout.
$ vault-radar scan aws-parameter-store --region us-west-2 --outfile secrets.csv --disable-ui
Offline mode
All the commands operate in an online mode by default where HCP credentials are required, but some commands also support an offline mode. The online mode is useful if you want to see consistent results no matter where CLI is run as it uses the configuration from the HCP.
In the offline mode, the CLI does not connect to HCP and uses the configuration stored on the
local machine. Use the --offline
flag to run a command in offline mode.
Note
Offline mode requires a license key to run. Set the license key using VAULT_RADAR_LICENSE
environment variable or
VAULT_RADAR_LICENSE_PATH
environment variable to the path of the license file. If none of these are set, the CLI will
try to read the license from ~/.hashicorp/vault-radar/vault-radar.hclic
.
Example: Run the scan aws-parameter-store
command in offline mode.
$ vault-radar scan aws-parameter-store --region us-west-2 \
--outfile secrets.csv --offline
Index file
All the scan commands support the --index-file
flag to specify the output file generated by
the index
command. When this flag is specified, the scan command uses the index file to determine
which secrets are managed (i.e the secret is also detected in a secrets manager such as HashiCorp Vault).
Example: Run the scan aws-parameter-store
command with the index file.
$ vault-radar scan aws-parameter-store --region us-west-2 \
--outfile secrets.csv --index-file index.jsonl
See How to generate a Vault Index
Risks limit
All the scan commands support the --limit
flag to specify the maximum number of secrets to be reported.
The scan will stop when the limit is reached.
Example: Run the scan aws-parameter-store
command with the limit.
$ vault-radar scan aws-parameter-store --region us-west-2 \
--outfile secrets.csv --limit 10