HashiConf 2024 Now streaming live from Boston! Attend for free
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Create custom risk types

You can define a custom risk type that CLI will recognize. It can be a secret (e.g. an API token), a PII (Personal Identifying Information), or NIL (Non-Inclusive Language).

File format

Custom risk type is defined in an YAML file.

Example

The following file detects GitLab PAT token:

regex:
  value: glpat-[a-zA-Z0-9\-_]{20}
type: gitlab_personal_access_token
category: secret
description: GitLab personal access token
precedence: strong_pattern

Field descriptions

FieldDescription
valuespecifies a regular expression to match the risk. Vault Radar supports golang stype regular expressions as well as PCRE
typeUnique identifier for the risk type. While there are no restrictions on the actual value, the best practice is to keep it to lower-case letters and underscore only
categoryRisk category. Must be one of secret, pii, or nil
descriptionHuman friendly description of the risk type.
precedenceThis is internal to Vault Radar, use strong_pattern for all custom risk types.

Location

CLI loads .yaml files from $HOME/.hashicorp/vault-radar/custom_patterns folder.

Examples

Here are examples of custom risk definitions.

Non-Inclusive Language:

regex:
  value: (?i)whitelist
type: nil_whitelist
category: nil
description: Non-inclusive Language - Whitelist
precedence: strong_pattern

PII:

regex:
  value: \b((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\b
type: pii_ipv4
category: pii
description: PII - IPv4
precedence: strong_pattern