HashiCorp Cloud Platform
Find secrets with HCP Vault Radar pre-commit hooks
HCP Vault Radar helps prevent committing secrets to version control by scanning for potential secrets in your code. By integrating Vault Radar pre-commit hooks with your IDE, you get feedback when attempting to commit secrets, reducing the risk of credential exposure and streamlining your secure development workflow.
Challenge
Committing secrets like API keys, database passwords, or private keys to version control systems is a common security vulnerability. These leaked secrets can lead to unauthorized access, data breaches, and significant financial remediation costs. Developers need real-time feedback during the software development lifecycle to catch security issues before they reach repositories.
Solution
HCP Vault Radar provides pre-commit hooks that scan your code for secrets before allowing a commit to proceed. This approach shifts security left in the software development lifecycle, preventing secrets from ever entering your version control system.
Prerequisites
- Access to the HCP Portal with a user assigned the admin role
- HCP Vault Radar CLI installed
- Git installed
Set up the lab
Clone the repository to your local machine.
$ git clone https://github.com/radar-example/hcp-vault-radar-foundations.git
Change into the repository directory.
$ cd hcp-vault-radar-foundations
Verify you are on the main branch.
$ git branch
* main
This repository contains sample code with plaintext secrets.
Create an HCP service principal with viewer access
(Persona: Operations)
Your operations team manages identity and access management for HCP. The Vault Radar CLI authenticates to Vault Radar using an HCP service principal.
Create a project-scoped service principal with the Viewer role and generate a service principal key. The viewer role allows you to follow the principle of least privilege.
Plan to rotate the service principal key periodically to manage the key's full lifecycle by revoking keys older than your rotation period and generating new keys.
Create the service principal
Sign in to the HCP portal.
Select your organization and project.
In the left sidebar, click Access control (IAM).
Click Service principals.
Click Create service principal.
Enter vault-radar-precommit in the Service principal name field.
Click the Select service dropdown and select Vault Radar.
Click the Select role dropdown and select Vault Radar CLI User.
Click Create service principal.
Generate a service principal key
On the service principal detail page, click Keys.
Click Generate key.
Copy the Client ID.
Open a terminal and export the client ID as an environment variable.
$ export HCP_CLIENT_ID=
Return to the HCP portal and copy the Client secret.
Return to the same terminal where you exported HCP_CLIENT_ID and export the secret as an environment variable.
$ export HCP_CLIENT_SECRET=
Click Back to service principals.
Click Back to dashboard.
Click View project settings.
Copy the Project ID.
Return to the same terminal where you exported HCP_CLIENT_ID and HCP_CLIENT_SECRET and export the project ID as an environment variable.
$ export HCP_PROJECT_ID=
Set up pre-commit hooks for local scanning
(Persona: Developer)
Start with the pre-commit hook for local feedback. The hook runs before every git commit and prevents commits containing secrets.
Install the pre-commit hook using the Vault Radar CLI.
$ vault-radar install git pre-commit-hook
Successfully installed pre-commit hook to '.../hcp-vault-radar-foundations/.git/hooks/pre-commit'
The command creates a .git/hooks/pre-commit script that calls vault-radar scan on staged files.
Make a directory to store the Vault Radar CLI configuration.
$ mkdir -p ./.hashicorp/vault-radar
Define the behavior of the pre-commit hook for the hcp-vault-radar-foundations repository.
$ cat >> ./.hashicorp/vault-radar/config.json <<EOF
{
  "fail_severity": "low"
}
EOF
You can also configure the pre-commit hook to work on all git repositories by writing the config.json to ~/.hashicorp/vault-radar/config.json.
Stage the configuration file.
$ git add ./.hashicorp/vault-radar/config.json
Commit the configuration file.
$ git commit -m "Add Vault Radar pre-commit hook configuration"
You have installed and configured the Vault Radar pre-commit hook.
Test the pre-commit hook
(Persona: Developer)
With the pre-commit hook installed, you can test it by simulating a secret being added to the codebase and attempting to commit the change.
Review the main.go file. Lines 11 and 12 include a username and password. This username and password represent secrets that HashiCups does not want included in their source code.
$ cat main.go | grep "const password"
const password = "N0p3stp@stw00rd3vA!!"
Update the password value in main.go to simulate a secret being added to the codebase.
$ sed -i '' 's/N0p3stp@stw00rd3vA!!/N0p3stp@stw00rd3vA!?/g' main.go
(The -i '' form is the macOS/BSD sed syntax; GNU sed takes -i with no empty argument.)
Verify the change in main.go.
$ cat main.go | grep "const password"
const password = "N0p3stp@stw00rd3vA!?"
Stage the change.
$ git add main.go
Attempt to commit the change.
$ git commit -m "Update password in main.go"
Example output:
error: main.go:12:19: detected Password assignment: severity medium
found risks with severity higher or equal than "Low"
The pre-commit hook prevented the commit because it detected a potential secret in main.go. The hook output includes the file and line number of the potential secret, the type of secret detected, and the severity level.
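The two sections above describe what the hook does without showing its gate logic: scan the staged files, report each finding with file, line, type and severity, and reject the commit when any finding meets the configured fail_severity. The script below is an added, constructed example written for this page; it is not the hook that vault-radar install git pre-commit-hook writes and not HashiCorp's code. Its detection rules (password assignments, API key assignments, private key headers, AWS key IDs) are deliberately simple stand-ins, the "medium" default threshold is an assumption, and the config.json reader handles only the flat file the tutorial creates.

```bash
#!/usr/bin/env bash
# Illustrative stand-in for a secrets-scanning git pre-commit hook (constructed
# example; NOT the Vault Radar CLI's own hook). Mirrors the behaviour the
# tutorial describes: scan staged files, print file:line, type and severity,
# and reject the commit when a finding is at or above fail_severity.
set -u

# Map severity names to ranks so they can be compared numerically.
severity_rank() {
  case "$1" in
    low) echo 1 ;;
    medium) echo 2 ;;
    high) echo 3 ;;
    critical) echo 4 ;;
    *) echo 0 ;;
  esac
}

# Read fail_severity from a flat config.json such as
# .hashicorp/vault-radar/config.json. Defaults to "medium" (an assumption made
# for this example) when the file or key is missing.
read_fail_severity() {
  local cfg="$1" val
  val=$(sed -n 's/.*"fail_severity"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' "$cfg" 2>/dev/null | head -n 1)
  echo "${val:-medium}"
}

# Scan one file and emit one finding per line as: file:line:type:severity
# The rules are constructed for illustration only.
scan_file() {
  local file="$1" n=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *BEGIN*PRIVATE\ KEY*)          echo "$file:$n:Private key:high" ;;
      *AKIA[A-Z0-9]*)                echo "$file:$n:AWS access key ID:high" ;;
      *password*=*\"*|*passwd*=*\"*) echo "$file:$n:Password assignment:medium" ;;
      *api_key*=*\"*|*apikey*=*\"*)  echo "$file:$n:API key assignment:low" ;;
    esac
  done < "$file"
}

# Read findings on stdin, print them in the style of the tutorial's hook output,
# and return 1 when any finding's severity is at or above the threshold.
check_findings() {
  local threshold="$1" fail=0 rank_t file line type sev
  rank_t=$(severity_rank "$threshold")
  while IFS=: read -r file line type sev; do
    [ -z "$file" ] && continue
    echo "error: $file:$line: detected $type: severity $sev" >&2
    if [ "$(severity_rank "$sev")" -ge "$rank_t" ]; then fail=1; fi
  done
  if [ "$fail" -eq 1 ]; then
    echo "found risks with severity higher or equal than \"$threshold\"" >&2
  fi
  return "$fail"
}

# Hook entry point: scan only the files staged for this commit.
run_hook() {
  local cfg="${1:-.hashicorp/vault-radar/config.json}" threshold
  threshold=$(read_fail_severity "$cfg")
  git diff --cached --name-only --diff-filter=ACM \
    | while IFS= read -r f; do [ -f "$f" ] && scan_file "$f"; done \
    | check_findings "$threshold"
}

# Stand-alone demo on constructed input (no git repository needed): a main.go
# resembling the tutorial's and a config.json with fail_severity "low".
# Returns 1, i.e. the commit would be rejected.
demo() {
  local dir status
  dir=$(mktemp -d)
  printf 'package main\n\nconst username = "admin"\nconst password = "N0p3stp@stw00rd3vA!?"\n' > "$dir/main.go"
  printf '{ "fail_severity": "low" }\n' > "$dir/config.json"
  scan_file "$dir/main.go" | check_findings "$(read_fail_severity "$dir/config.json")"
  status=$?
  rm -rf "$dir"
  return "$status"
}

# Act as the hook only when installed under that name, so the file can also be
# sourced for its functions.
case "$0" in
  *pre-commit) run_hook "$@" ;;
esac
```

To try the gate logic, source the file and run demo; to use it as an actual hook for testing purposes, copy it to .git/hooks/pre-commit and make it executable, at which point run_hook scans whatever git diff --cached reports. The point to take from the example is the shape of the decision: findings carry a severity, the repository-local config.json supplies the threshold, and any finding at or above that threshold turns the hook's exit status non-zero, which is all git needs to abort the commit.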
Knowledge checks
A quiz to test your knowledge.
What is the primary security benefit of using the Vault Radar pre-commit hook?
❌ It automatically remediates and rotates secrets found in the codebase.
✅ It shifts security left by preventing secrets from entering your version control system.
❌ It automatically creates an HCP service principal for the developer.
❌ It connects to GitHub Copilot to surface security findings in your IDE.
The pre-commit hook provides real-time feedback during the software development lifecycle, catching security issues before the commit is completed and keeping the secret out of the repository.
Which HCP role is assigned to the service principal to authenticate the Vault Radar CLI?
❌ Contributor
❌ Admin
✅ Vault Radar CLI User
❌ Viewer
The tutorial instructs you to create a service principal and assign it the Vault Radar CLI User role to follow the principle of least privilege.
How do you configure the pre-commit hook to fail the commit if it detects secrets of "low" severity or higher?
You create a config.json file in the .hashicorp/vault-radar directory (either local to the repo or global in your home directory) and set the fail_severity attribute to low.
Summary
You have installed and configured the HCP Vault Radar pre-commit hook. You then added a secret to the codebase and tested the hook by attempting to commit the change. The pre-commit hook prevented the commit and provided feedback on the potential secret detected.
Next steps
To further strengthen your secret scanning strategy:
- Learn about Vault Radar CLI scanning and configuration documentation
- Well Architected Framework - Prevent leaked secrets
- Well Architected Framework - Detect leaked secrets
- Well Architected Framework - Review principle of least privilege