scan tfe-variables
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the installed version of your CLI, run the version command.
The scan tfe-variables command scans the non-sensitive variables in an HCP Terraform (previously known as Terraform Cloud) or Terraform Enterprise organization and identifies variable values that contain secrets. All non-sensitive variables defined in variable sets and workspaces are scanned, both Terraform variables and environment variables.
Variables marked sensitive are write-only through the API and cannot be read back, so they are outside the scope of the scan. A secret that the scan reports should be rotated; if the value must remain a variable, store it as a sensitive variable.
Authentication
The scan tfe-variables command needs authentication credentials in order to make requests to HCP Terraform or Terraform Enterprise. Use a token scoped to the organization being scanned, and keep it out of shell history and CI logs.
Terraform Enterprise (TFE)
To provide this information to vault-radar, set the connection details (server address, API token and organization) as the following environment variables:
HCP Terraform
For HCP Terraform, use https://app.terraform.io as TFE_ADDRESS and set the remaining variables as for Terraform Enterprise.
Usage
The following examples all assume that you have already set the appropriate environment variables or that you intend to include them as part of the command you run.
Scanning variables in all workspaces
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in CSV format, which is the default output format.
Scanning variables in all workspaces and output in JSON
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in JSON Lines format, one result per line.
HCP connection scanning behavior
By default, scan commands require a connection to HCP in order to scan. This ensures that hashes are generated with a shared salt from the cloud, keeping them consistent across scans. To populate the HCP connection information, refer to the HCP upload page.
To scan without an HCP connection, pass the --offline flag. Hashes produced in offline mode are not generated with the shared cloud salt, so they cannot be expected to match hashes from connected scans or from other machines.
Scanning using a Vault index file
Perform a scan using a generated Vault index file and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results also report its location in Vault.
Scan and restrict the number of secrets found
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization, write the results to an outfile, and stop scanning once the defined number of secrets has been found.
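The following script is an added example for the Authentication and Usage sections above; it is not part of the Vault Radar documentation or the CLI itself. It resolves the TFE settings from the environment (defaulting TFE_ADDRESS to https://app.terraform.io for HCP Terraform), runs the scan with JSON Lines output so the results can be checked by a pipeline, and summarizes the findings, including any that were previously located in Vault. Names the page does not state are assumptions: the TFE_TOKEN and TFE_ORGANIZATION variable names, the -o, -f json, --limit and --index-file flags, the RADAR_LIMIT variable used by the wrapper, and the field names of the output records (path, category, severity, vault_location). The sample output embedded in the script is constructed in that assumed schema.

```python
"""CI wrapper for `vault-radar scan tfe-variables`.

Added example, not part of the Vault Radar documentation or CLI. Anything
marked ASSUMED is not stated on the page and is used here for illustration.
"""
import json
import os
import subprocess
import sys
from collections import Counter

# From the page: HCP Terraform is reached by using this address as TFE_ADDRESS.
HCP_TERRAFORM_ADDRESS = "https://app.terraform.io"

# ASSUMED names for the token and organization variables.
REQUIRED_SETTINGS = ("TFE_TOKEN", "TFE_ORGANIZATION")


def missing_settings(env):
    """Return the names of required settings that are unset or empty."""
    return [name for name in REQUIRED_SETTINGS if not env.get(name)]


def resolve_tfe_settings(env):
    """Return the environment entries the scan needs. TFE_ADDRESS defaults to
    HCP Terraform and a trailing slash is stripped so the value is canonical.
    Fails fast so the scan never starts half-configured."""
    missing = missing_settings(env)
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    address = (env.get("TFE_ADDRESS") or HCP_TERRAFORM_ADDRESS).rstrip("/")
    return {"TFE_ADDRESS": address, **{name: env[name] for name in REQUIRED_SETTINGS}}


def build_scan_command(outfile, limit=None, offline=False, index_file=None):
    """Build argv for the scan. JSON Lines output is requested so the results
    can be parsed. --offline is documented on the page; -o, -f, --limit and
    --index-file are ASSUMED flag names."""
    cmd = ["vault-radar", "scan", "tfe-variables", "-o", outfile, "-f", "json"]
    if limit is not None:
        cmd += ["--limit", str(limit)]
    if offline:
        cmd.append("--offline")
    if index_file:
        cmd += ["--index-file", index_file]
    return cmd


def summarize_findings(jsonl_text):
    """Parse JSON Lines output (one finding per line) and return
    (total, findings per category, findings already located in Vault).
    The field names path, category and vault_location are ASSUMED."""
    findings = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    per_category = Counter(f.get("category", "unknown") for f in findings)
    in_vault = [f for f in findings if f.get("vault_location")]
    return len(findings), per_category, in_vault


# Constructed sample output in the ASSUMED schema, used only for illustration.
SAMPLE_OUTPUT = "\n".join(json.dumps(rec) for rec in [
    {"path": "my-org/prod-network/TF_VAR_db_password", "category": "password", "severity": "high"},
    {"path": "my-org/shared-vars/AWS_SECRET_ACCESS_KEY", "category": "aws_secret_key",
     "severity": "critical", "vault_location": "secret/aws/ci"},
    {"path": "my-org/prod-network/TF_VAR_api_key", "category": "password", "severity": "high"},
])


def main(argv):
    outfile = argv[1] if len(argv) > 1 else "tfe-variables.jsonl"
    # Credentials reach the child only through its environment, never on the
    # command line, so the token does not show up in process listings or logs.
    env = dict(os.environ)
    env.update(resolve_tfe_settings(os.environ))
    # RADAR_LIMIT is an ASSUMED wrapper setting; unset or 0 means no limit.
    cmd = build_scan_command(outfile, limit=int(env.get("RADAR_LIMIT", "0")) or None)
    proc = subprocess.run(cmd, env=env)
    if not os.path.exists(outfile):
        print(f"scan produced no output file (exit status {proc.returncode})", file=sys.stderr)
        return 2
    with open(outfile, encoding="utf-8") as fh:
        total, per_category, in_vault = summarize_findings(fh.read())
    for category, count in per_category.most_common():
        print(f"{count:4d}  {category}")
    for finding in in_vault:
        print(f"already in Vault: {finding['path']} -> {finding['vault_location']}")
    # Fail the pipeline when any non-sensitive variable holds a secret.
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 radar_tfe_scan.py out.jsonl with TFE_ADDRESS, TFE_TOKEN and TFE_ORGANIZATION exported; the wrapper exits 1 when the scan reports any secret, 2 when no output file was produced, and 0 otherwise. The scan's own exit status is printed but not interpreted, since the page does not define it.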