HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Vault Radar FAQ

This FAQ contains frequently asked questions about HCP Vault Radar.

Q: Why does Vault Radar use HMAC + Argon?

Argon2id is a strong and secure hashing algorithm providing memory-hardness, parallelism-safety, and adjustable parameters. It has undergone years of cryptographic testing and analysis, and is resistant to brute-force attacks due to the increased compute cost to crack.

To increase security, Vault Radar also uses “peppering” on top of Argon2id hash.

Q: If both the database and the HMAC key are leaked, someone could launch a brute-force attack on the database?

One of Argon2id's main features is resistance against brute force attacks. It is very expensive in both memory and CPU to attempt these types of attacks.

Q: How do we calculate severity?

The severity can be overridden by event rules for specific patterns, but this applies only to HCP scans and not CLI offline scans.

SeverityDefinitions
Critical
  • The risk category is secret, secret is active and secret is in the latest version of a data source.
  • The risk category is secret, secret is active and secret is in the latest version of a secret manager.
High
  • This risk category is secret, secret is active and secret is not in the latest version of a data source.
  • The risk category is secret, secret is in the latest version of a secret manager and its activeness cannot be determined.
MediumIf none of the other conditions are met, the severity is set to medium by default.
Low
  • The risk category is PII.
  • The risk has certain tags (e.g., TagSecretInTestFile, TagSecretInExampleFile).
Info
  • The risk category is NIL.
  • The risk has certain tags (e.g., TagIgnoreRule, TagGoogleMapsApiKey, TagInactiveSecret).
  • The risk type is AwsAccessKeyId and is not active.

Q: What are the explicit exclusions made by Radar Secret Engine?

  • Keys and IDs containing EXAMPLE are not reported at all.
  • README files are marked as not important.
  • Files named Test are marked as not important.

Q: Can you share a script to list all my Confluence spaces?

#!/bin/bash

# Set Confluence credentials
USERNAME="your_username"
API_TOKEN="your_api_token"
CONFLUENCE_URL="https://your-confluence-site.com/wiki"

# Make API request to get all spaces
curl -u "$USERNAME:$API_TOKEN" -X GET "$CONFLUENCE_URL/rest/api/space" | jq '.results[].key'
All scripts are available at: https://drive.google.com/drive/u/0/folders/17HVZVYZnm-2HYHenRwq0IxgCHK_7pCQV.

Q: What IPs should be allowlisted for Vault Radar SaaS to scan data sources inside a user's network directly from HCP?

Users will need to allow inbound access from the following IP addresses in order for Vault Radar HCP to communicate with data sources within a secure network.

# Vault Radar Primary
3.213.172.245
44.215.93.123
34.226.175.235

# Vault Radar Failover
34.208.33.38
44.227.97.170
44.238.204.12

Note

There may be changes to these IP’s in the future, HashiCorp (Vault-Radar) will do its best to give customers a reasonable amount of time to make the necessary changes.

Q: What firewall allowlisting is required for Vault Radar CLI and Agent to authenticate with HCP?

If outbound traffic is restricted from within a user's network, then following fully qualified domain names (FQDNs) should be allowed in order for the Vault Radar Agent and/or CLI to communicate with HCP.

api.cloud.hashicorp.com
auth.idp.hashicorp.com

Note

HashiCorp HCP does not have a predefined set of static IP’s for ingress traffic to its servers at this time.