scan file
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.5.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan file command is used for scanning a file. It is similar to
scan folder command but can scan a
single file. One difference though is that it can read data from standard input.
Usage
Scanning a file
Scan a file and write the results to a file in CSV format, this is the default format for output.
Scanning a file and output in JSON
Scan a file and write the results to a file in JSON Lines format.
Read data from stdin
Scan data coming from stdin. The --name parameter can be used to name data
coming from stdin, and it will be used in secret URI in the output file.
Scanning using a baseline file
Perform a scan using a previous scan's result and write the new changes to an
outfile. With -b option, only new risks, risks that were not found in the
previous scan will be reported.
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To allow for scanning to continue working without the need for HCP cloud
connection you can use the new --offline flag as such.
Scanning using a Vault index file
Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.
Scan and restrict the number of secrets found
Scan a clone and write the results to an outfile and stop scanning when the defined number of secrets are found.