HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan confluence

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan confluence command is used for scanning a Confluence Data Server or Atlassian Confluence Cloud instance.

Authentication

vault-radar needs some authentication credentials in order to be able to make requests to the Confluence instance. The information needed depends on whether you are using Confluence Cloud or Server (self hosted).

Confluence Cloud

This means your instance is hosted by Atlassian, and your instance URL should have ".atlassian.net" in it.

For cloud, there's only one supported pattern and it requires an Atlassian API Token and the email of the account that the token belongs to.

In order to provide the information to vault-radar, assign the appropriate values to both of these environment variables:

  1. ATLASSIAN_API_TOKEN
  2. ATLASSIAN_ACCOUNT_EMAIL

Confluence Server

For self hosted versions of Confluence, there are up to 2 different patterns possible.

Versions 7.9 and higher support creating a Personal Access Token for a user. The token will have all the same access rights as the user who creates it. To use the token set the following environment variable to the generated token: CONFLUENCE_PERSONAL_ACCESS_TOKEN

Using a personal access token is more secure and should be the preferred access pattern. A personal access token is easier to revoke and regenerate, and generally has a smaller blast radius than a password.

All versions of Confluence server supports authorization using the Username (not the email), and Password. To authenticate using these credentials set both of these environment variables:

  1. CONFLUENCE_USERNAME
  2. CONFLUENCE_PASSWORD

Usage

Usage: vault-radar scan confluence [options]

Command options

  • --url, -u: The url endpoint of the Confluence server to scan (required)
  • --page-id, -p: Specifies the Confluence page to scan
  • --space-key, -s: Specifies the Confluence space to scan
  • --outfile, -o: Specifies the file to store information about found secrets (required for offline only)
  • --format, -f: Specifies the output format, csv and json are supported. Defaults to csv
  • --skip-history: Specifies the scan should examine only the newest version of the scanning target. Only supported when --offline is specified
  • --baseline, -b: Specifies the file with previous scan results. Only new secrets will be reported.
  • --limit, -l: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
  • --page-limit: Specifies the maximum number of Confluences pages to scan
  • --index-file: Specifies the index file path to use in order to determine which risks are Vaulted
  • --offline: Specifies that the scan should be run in offline mode, without connecting to HCP
  • --disable-ui: Specifies that the scan summary should not be logged to stdout
  • --skip-activeness: If specified, skips activeness checks

The following examples all assume you have already set the appropriate environment variable or that you intend to include them as part of the command you run.

Scanning a space

Scan a space and upload results to HCP.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY>

Scanning a page

Scan a page and write the results to an outfile in CSV format, this is the default format for output.

$ vault-radar scan confluence -u <INSTANCE URL> \
    -p <PAGE ID> \
    -o <PATH TO OUTPUT>.csv

Scanning a page and output JSON

Scan a page and write the results to an outfile in JSON format.

$ vault-radar scan confluence -u <INSTANCE URL> -p <PAGE ID> \
    -o <PATH TO OUTPUT>.json \
    -f json

Scanning using a baseline file

Perform a scan using a previous scan's result and write the new changes to an outfile.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \
    -b <PATH TO BASELINE> \
    -o <PATH TO OUTPUT>.csv

HCP connection scanning behavior

The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

To allow for scanning to continue working without the need for HCP cloud connection you can use the new --offline flag as such.

$ vault-radar scan confluence --offline -u <INSTANCE URL> \
    -s <SPACE KEY> \
    -o <PATH TO OUTPUT>.csv

Scanning latest version of all pages in a Space

Scan latest version of all pages in a Space and write the results to an outfile.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \
    -o <PATH TO OUTPUT>.csv --skip-history --offline

Scanning using a Vault index file

Perform a scan using a generated vault index and upload results to HCP.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

Scan and restrict the number of pages scanned

Stop scanning the space after a defined number of pages are scanned.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \
    --page-limit <NUM OF PAGES>

Scan and restrict the number of secrets found

Stop scanning the space when a defined number of secrets are found.

$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \
    -l <NUM OF SECRETS>

Troubleshooting help

What's the PageID for my page?

Sometimes you will see the "Pretty" URL which includes the Page Name. If you want the page's ID, in the right corner there should be an options menu for the page. It will usually look like 3 dots .... Click on that, and then look for an option like Page Information and select that. The URL of the page you land on, should use the PageID in the URL.

Example:

http://localhost:8090/pages/viewinfo.action?pageId=123456

Where 123456 is this example page's ID.

What's the Space Key for my space or page?

The space key is not always included in the URl of a Page, but it should always be present when selecting the space you are interested in from the main Confluence toolbar. Additionally going to the space's summary details, should explicity define the space key.

Example:

http://localhost:8090/display/VSID/Some+Page

Where VSID is the space key.