Output Format
Public Key Scan Results
{
  "type": "pubkey",
  "timestamp": "2025-12-15T12:29:20+05:30",
  "urn": "urn:pubkey:name:document-signing:1",
  "url": "https://10.1.127.31:8200/ui/vault/secrets/transit/show/document-signing",
  "extra": {
    "allow_plaintext_backup": false,
    "cryptographic_algorithm": "Ed25519",
    "cryptographic_length": 256,
    "deletion_allowed": false,
    "derived": false,
    "engine_path": "transit",
    "engine_type": "transit",
    "exportable": false,
    "key_id": "transit/document-signing",
    "key_operations": [
      "sign",
      "verify"
    ],
    "key_version": "1",
    "latest_version": 1,
    "name": "document-signing",
    "purpose": "signing/verification",
    "status": "enabled",
    "vault_url": "https://10.1.127.31:8200"
  },
  "pubkey_pem": "a1XEMzVXj0TX..."
}
Symmetric Key Scan Results
{
  "type": "symkey",
  "timestamp": "2025-12-15T12:29:19+05:30",
  "urn": "urn:symkey:name:backup-restore:1",
  "url": "https://10.1.127.31:8200/ui/vault/secrets/transit/show/backup-restore",
  "extra": {
    "allow_plaintext_backup": false,
    "cryptographic_algorithm": "AES-GCM",
    "cryptographic_length": 256,
    "deletion_allowed": false,
    "derived": true,
    "engine_path": "transit",
    "engine_type": "transit",
    "exportable": true,
    "key_id": "transit/backup-restore",
    "key_operations": [
      "encrypt",
      "decrypt"
    ],
    "key_version": "1",
    "latest_version": 1,
    "name": "backup-restore",
    "purpose": "encryption/decryption",
    "status": "enabled",
    "vault_url": "https://10.1.127.31:8200"
  }
}
Certificates Scan Results
{
  "type": "cert",
  "timestamp": "2025-12-15T12:29:16+05:30",
  "urn": "urn:cert:sha256:2c9ee1f798c8e6a29a6ea445d1bed05a0e310e4109ae81424b609e3c03be4373",
  "url": "https://10.1.127.31:8200/ui/vault/secrets/pki/show/01:93:c1:e6:42:0c:6c:2d:d4:c8:8a:f5:1e:06:6c:12:92:4a:05:d0",
  "extra": {
    "engine_path": "pki",
    "engine_type": "pki",
    "status": "valid",
    "vault_serial": "01:93:c1:e6:42:0c:6c:2d:d4:c8:8a:f5:1e:06:6c:12:92:4a:05:d0",
    "vault_url": "https://10.1.127.31:8200"
  },
  "cert_pem": "MIIDHzCCA...."
}
Secrets Scan Results
{
  "type": "secret",
  "timestamp": "2025-12-15T12:29:32+05:30",
  "urn": "urn:secret:name:database/dev:1",
  "url": "https://10.1.127.31:8200/ui/vault/secrets/secret/show/database/dev",
  "extra": {
    "created_date": "2025-11-28T10:26:31.281551177Z",
    "current_version": "1",
    "engine_path": "secret",
    "engine_type": "kv",
    "has_cert_data": false,
    "has_key_data": false,
    "key_count": 4,
    "keys": [
      "host",
      "password",
      "port",
      "username"
    ],
    "last_modified_date": "2025-11-28T10:26:31.281551177Z",
    "name": "database/dev",
    "vault_url": "https://10.1.127.31:8200"
  }
}
Output Fields
| Field | Description |
|---|---|
| type | Asset type ( |
| timestamp | RFC3339 timestamp of when the scan was performed |
| urn | Unique resource name based on asset type (SHA256 hash for certificates/public keys, name-based for symmetric keys/secrets) |
| url | Direct link to Vault UI for the asset |
| cert_pem | Base64-encoded certificate (PEM without headers/footers) - certificates only |
| pubkey_pem | Base64-encoded public key (PEM without headers/footers) - asymmetric keys only |
| extra | Additional metadata (see Extra Fields section below) |
Extra Fields
The extra object contains HashiCorp Vault-specific metadata about the asset. The fields differ based on asset type.
Common Fields (Present in Most Assets)
- platform_type (string): Always "hashicorp_vault" indicating the asset is from HashiCorp Vault
- name (string): Asset name/identifier from Vault
- vault_url (string): HashiCorp Vault server URL
- engine_path (string): Path of the secrets engine where the asset is stored
- engine_type (string): Type of secrets engine (values: "pki", "transit", "kv", "kv-v2", "ssh")
- status (string): Current asset state (values: "enabled", "valid", "expired", "not_yet_valid")
Certificate-Specific Fields (type: "cert")
For PKI certificates, the following fields are included:
- vault_serial (string): Certificate serial number as stored in Vault
- namespace (string): Vault namespace (only present for Vault Enterprise)
Note: Intrinsic certificate properties (issuer, subject, validity dates, key usage) are NOT included in extras as they can be parsed from the cert_pem field.
Public Key-Specific Fields (type: "pubkey")
For asymmetric keys from Transit engine, the following fields are included:
- key_id (string): Full key identifier including engine path (e.g., "transit/api-signing")
- purpose (string): Key usage purpose (value: "signing/verification")
- exportable (boolean): Whether the key can be exported from Vault
- key_operations (array of strings): Supported cryptographic operations (e.g., ["sign", "verify"])
- created_date (string): ISO 8601 timestamp of when the key was created (only present if available)
- cryptographic_algorithm (string): Algorithm type (e.g., "RSA", "ECDSA", "Ed25519")
- cryptographic_length (integer): Key length in bits (e.g., 2048, 4096)
- key_version (string): Current key version number
- latest_version (integer): Latest version number available for this key
- deletion_allowed (boolean): Whether the key can be deleted
- derived (boolean): Whether the key uses key derivation
- allow_plaintext_backup (boolean): Whether plaintext backup is allowed
- namespace (string): Vault namespace (only present for Vault Enterprise)
Symmetric Key-Specific Fields (type: "symkey")
For symmetric keys from Transit engine, the following fields are included:
- key_id (string): Full key identifier including engine path (e.g., "transit/backup-encryption")
- purpose (string): Key usage purpose (values: "encryption/decryption", "MAC generation/verification")
- key_operations (array of strings): Supported cryptographic operations (e.g., ["encrypt", "decrypt"])
- created_date (string): ISO 8601 timestamp of when the key was created (only present if available)
- key_version (string): Current key version number
- cryptographic_algorithm (string): Algorithm type (e.g., "AES-GCM", "ChaCha20-Poly1305", "HMAC")
- cryptographic_length (integer): Key length in bits (e.g., 256, 512)
- latest_version (integer): Latest version number available for this key
- exportable (boolean): Whether the key can be exported from Vault
- deletion_allowed (boolean): Whether the key can be deleted
- derived (boolean): Whether the key uses key derivation
- allow_plaintext_backup (boolean): Whether plaintext backup is allowed
- namespace (string): Vault namespace (only present for Vault Enterprise)
Secret-Specific Fields (type: "secret")
For secrets from KV engines, the following fields are included:
- created_date (string): ISO 8601 timestamp of when the secret was created
- last_modified_date (string): ISO 8601 timestamp of last modification (only present if available)
- has_cert_data (boolean): Whether the secret contains certificate data
- has_key_data (boolean): Whether the secret contains key data
- key_count (integer): Number of key-value pairs in the secret
- keys (array of strings): List of keys in the secret (only present if keys exist)
- current_version (string): Current version number (only present for KV v2 secrets)
- namespace (string): Vault namespace (only present for Vault Enterprise)
Note: The plugin analyzes KV secrets to determine if they contain cryptographic material but does not extract the actual secret values.
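A triage pass over these records, as an added example (not the plugin's own code): it flags Transit keys whose extra fields allow export, plaintext backup or deletion, certificates whose status is not valid, and KV secrets marked as holding key or certificate data, and it re-wraps a headerless cert_pem/pubkey_pem value into standard PEM. The records are constructed samples, and the function names and the choice of which flags count as findings are assumptions of this example.

```python
import json
import textwrap

# Constructed records in the documented shape (values are illustrative only).
RECORDS = json.loads("""[
 {"type": "symkey", "urn": "urn:symkey:name:backup-restore:1",
  "extra": {"exportable": true, "allow_plaintext_backup": false,
            "deletion_allowed": false}},
 {"type": "pubkey", "urn": "urn:pubkey:name:document-signing:1",
  "extra": {"exportable": false, "allow_plaintext_backup": false,
            "deletion_allowed": false}},
 {"type": "cert", "urn": "urn:cert:sha256:CONSTRUCTED",
  "extra": {"status": "expired"}},
 {"type": "secret", "urn": "urn:secret:name:constructed/tls-bundle:1",
  "extra": {"has_cert_data": false, "has_key_data": true}}
]""")

def audit(record):
    """Return review findings for one scan record, based on its extra fields."""
    extra, kind, out = record.get("extra", {}), record.get("type"), []
    if kind in ("pubkey", "symkey"):
        # Assumed review policy: each permissive Transit flag is a finding.
        if extra.get("exportable"):
            out.append("key is exportable from Vault")
        if extra.get("allow_plaintext_backup"):
            out.append("plaintext backup is allowed")
        if extra.get("deletion_allowed"):
            out.append("key deletion is allowed")
    elif kind == "cert" and extra.get("status") in ("expired", "not_yet_valid"):
        out.append("certificate status is " + extra["status"])
    elif kind == "secret" and (extra.get("has_key_data") or extra.get("has_cert_data")):
        out.append("KV secret holds key or certificate material")
    return out

def to_pem(b64_body, label="CERTIFICATE"):
    """Re-wrap a headerless cert_pem/pubkey_pem value so PEM parsers accept it."""
    body = "\n".join(textwrap.wrap("".join(b64_body.split()), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def report(records):
    """Map each URN that has at least one finding to its list of findings."""
    return {r["urn"]: f for r in records if (f := audit(r))}

if __name__ == "__main__":
    for urn, findings in report(RECORDS).items():
        print(urn, "->", "; ".join(findings))
```

For a pubkey_pem value, pass label="PUBLIC KEY" to to_pem before handing the result to a PEM parser.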
Supported Secrets Engines
The plugin can discover assets from the following HashiCorp Vault secrets engines:
- PKI: Public Key Infrastructure certificates
- Transit: Encryption-as-a-service keys (symmetric and asymmetric)
- KV v1: Key-Value secrets (version 1)
- KV v2: Versioned Key-Value secrets (version 2)
Note: If no specific secrets engines are configured, the plugin will automatically discover and scan all available engines in the Vault instance.