Pull request check policies
Pull request checks let Vault Radar scan every pull request when it is opened, and again on every new commit pushed to an open pull request.
Vault Radar alerts you to any sensitive data found in the pull request, both at the tip of the pull request and in the history of its commits. The alert includes where the secret was found and what type of secret it is.
There are currently two levels of policy:
- Whether the scan should be marked failed if any secrets are found at the tip of the pull request.
- Whether the pull request should be blocked from merging into the target branch when the uploaded scan result shows secrets at the tip.
The first level is configured in the Vault Radar UI; the second must be configured in your provider or pipeline settings. Both levels are evaluated against the tip of the pull request: secrets that appear only in earlier commits of the pull request are still reported in the alert, and because they remain in the repository history they should be treated as exposed and rotated even when the tip is clean.
GitHub Checks
To enable pull request checks on GitHub, a Vault Radar GitHub App must be installed.
Prerequisites
- A Vault Radar project is configured and its resources are monitored.
- To install the Vault Radar app for GitHub Checks, you need permission to install a GitHub App on the org: an organization owner, or someone with admin-level permissions on a repository.
GitHub Cloud
Repositories on GitHub Cloud are monitored by the Vault Radar Checks App.
- Install the Vault Radar Checks App (this must be done by someone who has permission in GitHub to install the app).
Once installed, future PRs and commits to PRs in monitored repos will be checked by Vault Radar.
GitHub Enterprise Server
This version of GitHub Checks is for customers using self-managed GitHub Enterprise Server.
1. Create the GitHub Enterprise Server Checks app following the instructions here. Note: one step in those instructions is to add the app configuration details in the Vault Radar UI.
2. Install the app created in step 1 on the organization (this must be done by someone who has permission in GitHub to install the app).
Once installed, future PRs and commits to PRs in monitored repos will be checked by Vault Radar.
Configure repositories
To configure which repositories the Vault Radar app for GitHub Checks monitors after installation:
1. Go to your GitHub organization → Settings → GitHub Apps (the URL pattern is https://github.com/organizations/{orgname}/settings/installations) to review all applications installed in the org.
2. Find the Vault Radar app for GitHub Checks in the list and click the Configure button.
3. Using the GitHub interface, select which repositories the app can access, and save the changes.
Any changes take effect with the next pull request (or the next commit to an open pull request), and apply to all users of the org.
Blocking pull requests
If you would like to block pull requests from being merged when Vault Radar uploads a failed scan to your pull request, configure the following repository-level setting on GitHub.
1. Navigate to your GitHub repository at https://github.com/{orgname}/{reponame}
2. Click Settings in the top bar.
3. Click Branches in the left nav.
4. Add a branch protection rule, or update an existing one, for the target branch you want to protect. The rule applies to pull requests opened to merge into that branch.
5. Select Require status checks to pass before merging, then find and select the HashiCorp Vault Radar Secret Scan status check.
   a. Note: the HashiCorp Vault Radar Secret Scan status check may not appear in the list unless a scan result has been uploaded to the repository within the past 7 days. If you get stuck here, open a pull request first to trigger a check, then return to this step.
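The same branch protection rule can be set from the command line, which helps when rolling the policy out across many repositories and when the status check has not yet appeared in the UI, since the API accepts the check name as a plain string. The script below is an added example and is not part of the Vault Radar documentation or product. It assumes the gh CLI is installed and authenticated with a token that has admin rights on the repository; the owner, repository and branch are hypothetical arguments supplied by the caller. The check name is the one quoted in the steps above.

```shell
#!/bin/sh
# Added example: require the Vault Radar status check on a protected branch via the
# GitHub REST API (gh CLI). Not part of Vault Radar's own documentation or tooling.
# Assumptions: gh is installed and authenticated as a repository admin; owner, repo
# and branch are supplied by the caller (hypothetical values in the usage line below).

# Name of the check run that Vault Radar uploads, as shown in the branch protection UI.
VAULT_RADAR_CHECK="HashiCorp Vault Radar Secret Scan"

# Build the branch-protection request body. The endpoint requires all four top-level
# keys to be present; null leaves that control unset. strict=true additionally requires
# the PR branch to be up to date with the target branch, so the check reflects the final
# merge. enforce_admins=true applies the rule to administrators too (off by default in
# the UI), so nobody can merge around the secret scan.
vault_radar_protection_payload() {
  cat <<EOF
{
  "required_status_checks": {
    "strict": true,
    "contexts": ["$VAULT_RADAR_CHECK"]
  },
  "enforce_admins": true,
  "required_pull_request_reviews": null,
  "restrictions": null
}
EOF
}

# PUT the rule onto owner/repo branch. The request replaces the branch's existing
# protection settings, so fold in any other required checks first if a rule already exists.
apply_vault_radar_protection() {
  owner="$1"; repo="$2"; branch="$3"
  vault_radar_protection_payload | gh api \
    --method PUT \
    -H "Accept: application/vnd.github+json" \
    "/repos/$owner/$repo/branches/$branch/protection" \
    --input -
}

# Succeed only if the Vault Radar check is among the branch's required contexts.
verify_vault_radar_required() {
  owner="$1"; repo="$2"; branch="$3"
  gh api "/repos/$owner/$repo/branches/$branch/protection/required_status_checks/contexts" \
    --jq '.[]' | grep -Fxq "$VAULT_RADAR_CHECK"
}

# Usage: sh protect-branch.sh <owner> <repo> <branch>
if [ "$#" -eq 3 ]; then
  apply_vault_radar_protection "$1" "$2" "$3" >/dev/null
  if verify_vault_radar_required "$1" "$2" "$3"; then
    echo "Vault Radar check is required on $1/$2@$3"
  else
    echo "Vault Radar check is NOT required on $1/$2@$3" >&2
    exit 1
  fi
fi
```

Because the verification step reads the rule back rather than trusting the PUT response, the script also works as a periodic audit: run it with the same arguments against each protected branch and a non-zero exit means someone has removed the requirement.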
Disable GitHub checks
1. Follow the steps above to open the configuration page for the Vault Radar GitHub Checks app.
2. From the configuration page, select either Suspend or Uninstall. Suspending blocks the app's access to the org while keeping the installation and its repository selections, so it can be unsuspended later; uninstalling removes the installation entirely.
Both options take effect immediately and apply to the entire GitHub org. If any branch protection rule still requires the HashiCorp Vault Radar Secret Scan status check, remove that requirement first: once the app stops reporting, the required check never completes and pull requests into those branches cannot be merged.
Bitbucket Insights
To turn on pull request scans on Bitbucket:
1. Navigate to your Bitbucket repo and click on any commit. In the bottom right-hand corner of that commit view there should be an option to index your repo by clicking Go to pull request. Indexing runs in the background and may take a few minutes.
2. Contact the customer success team to enable Bitbucket Code Insights in your project.
Once set up, your future PRs and commits to PRs in monitored repos will be checked by Vault Radar and results will be uploaded to the Reports section of your pull request.