
ggshield hmsl check-secret-manager hashicorp-vault

Description

Check secrets of a HashiCorp Vault instance.

ggshield hmsl check-secret-manager hashicorp-vault [OPTIONS] VAULT_PATH

Only compatible with the kv secret engines (v1 or v2) for now.

The Vault instance URL is read from the VAULT_URL environment variable, or from the --url option if that environment variable is not set.

Authentication uses the token in the VAULT_TOKEN environment variable, unless the --use-cli-token option is set.

Options

  • --use-cli-token: Instead of getting the token from the environment variable, get it from the CLI tool.

  • --url TEXT: The URL of the secret manager server.

  • -r, --recursive: If the secret manager path is a directory and not a file, explore recursively.

  • --json: Use JSON output.

  • -f, --full-hashes: Put the full hashes into the payload instead of the prefixes. This is useful for partners that trust GitGuardian because it allows sending more hashes per batch and consumes fewer credits.

  • -n, --naming-strategy [censored|cleartext|none|key]: Strategy to generate the hints in the output.

    • censored: only the first and last characters are displayed.
    • cleartext: the full secret is used as a hint (Not recommended!).
    • none: no hint is generated.
    • key: the key name is selected if available (e.g. in .env files), otherwise censored is used.

    Default: key.

This command supports all ggshield global options.
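
For scheduled or CI runs, a wrapper can apply the URL and token rules above and keep full secrets out of the job output. This is an added example, not part of ggshield or its documentation; the function name vault_hmsl_check, its argument order, its exit codes, the fallback to --use-cli-token and the refusal of cleartext are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical wrapper (not part of ggshield).
# Usage: vault_hmsl_check VAULT_PATH [NAMING_STRATEGY] [URL]
vault_hmsl_check() {
    path=${1:-}
    strategy=${2:-key}   # "key" is the documented default
    url=${3:-}

    if [ -z "$path" ]; then
        echo "usage: vault_hmsl_check VAULT_PATH [NAMING_STRATEGY] [URL]" >&2
        return 2
    fi

    # Accept only the documented strategies, and refuse cleartext because it
    # puts each full secret into the output as its hint.
    case $strategy in
        censored|none|key) ;;
        cleartext) echo "refusing naming strategy: cleartext" >&2; return 3 ;;
        *) echo "unknown naming strategy: $strategy" >&2; return 2 ;;
    esac

    # Build the argument list from options listed on this page.
    set -- hmsl check-secret-manager hashicorp-vault --recursive --json \
        --naming-strategy "$strategy"

    # URL: VAULT_URL when it is set, otherwise the --url option.
    if [ -z "${VAULT_URL:-}" ]; then
        if [ -z "$url" ]; then
            echo "set VAULT_URL or pass a URL as third argument" >&2
            return 4
        fi
        set -- "$@" --url "$url"
    fi

    # Token: VAULT_TOKEN when it is set, otherwise the CLI tool's token
    # (wrapper's choice, see lead-in).
    if [ -z "${VAULT_TOKEN:-}" ]; then
        set -- "$@" --use-cli-token
    fi

    ggshield "$@" "$path"
}
```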
