Output Format
X.509 Certificate Scan Results
{
"type": "cert",
"timestamp": "2025-12-01T08:31:22-05:00",
"urn": "urn:cert:sha256:5080fcb18b6cdce2069478d67d8ffaf2d67a772e190c8c99c44f9a9dc3641999",
"url": "https://token.actions.githubusercontent.com",
"extra": {
"cert_index": 0,
"issuer": "https://token.actions.githubusercontent.com",
"issuer_url": "https://token.actions.githubusercontent.com",
"jwk_algo": "RS256",
"jwk_keyId": "38826b17-6a30-5f9b-b169-8beb8202f723",
"jwk_use": "sig",
"jwk_x5t": "ykNaY4qM_ta4k2TgZOCEYLkcYlA",
"jwks_uri": "https://token.actions.githubusercontent.com/.well-known/jwks",
"source": "jwks",
"total_certs": 1
},
"cert_pem": "MIIDKzCCA...."
}
Public Key Scan Results
{
"type": "pubkey",
"timestamp": "2025-12-01T08:31:22-05:00",
"urn": "urn:pubkey:sha256:a8f2498a81ee69b679074f3ae9308076f3f8efadba7e7855d0a981d134277653",
"url": "https://token.actions.githubusercontent.com",
"extra": {
"issuer": "https://token.actions.githubusercontent.com",
"jwk_algorithm": "RS256",
"jwk_key_id": "cc413527-173f-5a05-976e-9c52b1d7b431",
"jwk_use": "sig",
"jwks_uri": "https://token.actions.githubusercontent.com/.well-known/jwks",
"name": "cc413527-173f-5a05-976e-9c52b1d7b431",
"origin": "oidc_jwks",
"purpose": "sign_verify",
"status": "active"
},
"pubkey_pem": "MIIBIjANB...."
}
URN Generation:
- For X.509 certificates: Generated using SHA-256 hash of the certificate DER bytes
- For public keys: Generated using SHA-256 hash of the public key data
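A record is only useful as evidence if its parts agree with each other. The following Python is an added example (not the plugin's own code) that checks one record's internal consistency: it decodes the header-less `cert_pem` / `pubkey_pem` body, confirms the outer DER structure spans the whole buffer, recomputes the `urn` as SHA-256 over those bytes, recomputes the JWK `x5t` thumbprint for certificates, and re-wraps the body into a full RFC 7468 PEM block so it can be handed to openssl. It assumes that the public-key bytes hashed for the URN are the DER SubjectPublicKeyInfo that `pubkey_pem` encodes; the sample records are constructed inside the block (a hand-built P-256 SubjectPublicKeyInfo and a bare DER SEQUENCE standing in for a certificate body), not real scan output, and `issuer.example` is a placeholder.

```python
"""Integrity checks for cert/pubkey scan records.

Added example, not the plugin's own code. It assumes the record layout shown above:
`urn` is `urn:<type>:sha256:<hex>` over the DER bytes that `cert_pem` / `pubkey_pem`
base64-encode (for public keys this is assumed to be the DER SubjectPublicKeyInfo),
and `extra.jwk_x5t` is the unpadded base64url SHA-1 of the certificate DER (the JWK
`x5t` parameter, RFC 7517 section 4.8).
"""
import base64
import hashlib
import json


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as used for JWK thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_outer_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length covers the whole
    buffer. Not an X.509/SPKI parser: it only catches truncation, trailing garbage and
    non-minimal length encodings, which is enough to reject a mangled body early."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False                  # indefinite length is not DER; >4 bytes is absurd here
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            return False                  # DER requires the shortest possible length encoding
    return header + length == len(der)


def to_pem(body_b64: str, label: str) -> str:
    """Re-wrap a header-less base64 body into RFC 7468 PEM (64-column lines) so it can be
    fed to openssl or a PEM-only library. `label` is e.g. 'CERTIFICATE' or 'PUBLIC KEY'."""
    clean = "".join(body_b64.split())
    lines = [clean[i:i + 64] for i in range(0, len(clean), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def verify_record(record: dict) -> dict:
    """Per-check results for one scan record; trust the record only if every value is True."""
    kind = record["type"]
    body = record["cert_pem"] if kind == "cert" else record["pubkey_pem"]
    der = base64.b64decode(body, validate=True)
    checks = {
        "der_well_formed": der_outer_sequence_ok(der),
        "urn_matches": record["urn"] == f"urn:{kind}:sha256:{hashlib.sha256(der).hexdigest()}",
    }
    x5t = record.get("extra", {}).get("jwk_x5t")
    if x5t is not None:                   # only certificates carry a JWK x5t thumbprint
        checks["x5t_matches"] = x5t == b64url_nopad(hashlib.sha1(der).digest())
    return checks


# Constructed sample data (not from any real JWKS endpoint): a P-256 SubjectPublicKeyInfo
# assembled by hand with the curve's generator point as the public point, and a bare DER
# SEQUENCE wrapping it that stands in structurally for a certificate body.
_P256_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004"
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)
_FAKE_CERT_DER = b"\x30\x5b" + _P256_SPKI


def make_sample_records() -> list:
    """Two records in the documented shape, built from the constructed DER above."""
    records = []
    for kind, der, body_key in (("cert", _FAKE_CERT_DER, "cert_pem"),
                                ("pubkey", _P256_SPKI, "pubkey_pem")):
        rec = {
            "type": kind,
            "timestamp": "2025-12-01T08:31:22-05:00",
            "urn": f"urn:{kind}:sha256:{hashlib.sha256(der).hexdigest()}",
            "url": "https://issuer.example",          # placeholder issuer, not a real endpoint
            "extra": {"issuer": "https://issuer.example",
                      "jwks_uri": "https://issuer.example/.well-known/jwks"},
            body_key: base64.b64encode(der).decode("ascii"),
        }
        if kind == "cert":
            rec["extra"]["jwk_x5t"] = b64url_nopad(hashlib.sha1(der).digest())
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in make_sample_records():
        print(rec["urn"], json.dumps(verify_record(rec)))
    print(to_pem(make_sample_records()[1]["pubkey_pem"], "PUBLIC KEY"))
```

`verify_record` deliberately returns every check rather than a single boolean: a URN mismatch points at a tampered or re-encoded body, while an `x5t` mismatch with a correct URN means the JWK metadata and the certificate bytes disagree, which is worth flagging separately.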
Error Output: If an error occurs, the plugin outputs a structured JSON object with error details under data.errorDetails and a summary message in data.errorMessage.
Output Fields
| Field | Description |
|---|---|
| `type` | Asset type (`cert` or `pubkey`) |
| `timestamp` | RFC 3339 timestamp of when the scan was performed |
| `urn` | Unique resource name derived from the asset (SHA-256 hash of the certificate or public key bytes; see URN Generation above) |
| `url` | URL of the source the asset was retrieved from (the OIDC issuer URL in the examples above) |
| `cert_pem` | Base64-encoded certificate DER (the body of an RFC 7468 PEM block without headers, footers or newlines); certificates only |
| `pubkey_pem` | Base64-encoded public key (the body of an RFC 7468 PEM block without headers, footers or newlines); public keys only |
| `extra` | Additional metadata (see Extra Fields section below) |
Extra Fields
Common Fields (Both Certificate and Public Key)
| Field | Type | Description |
|---|---|---|
| `source` | string | Always `jwks` in the certificate output; the public-key output carries `origin` (`oidc_jwks` in the example above) instead |
| `issuer` | string | OIDC issuer identifier from provider metadata |
| `jwks_uri` | string | JWKS endpoint URL the asset was retrieved from |
| `jwk_x5t` | string | SHA-1 X.509 certificate thumbprint (JWK `x5t`, base64url-encoded without padding). Only present if provided in the JWK |
| (JWK `x5t#S256`) | string | SHA-256 X.509 certificate thumbprint (base64url-encoded without padding). Only present if provided in the JWK |
Certificate-Specific Fields
| Field | Type | Description |
|---|---|---|
| `jwk_keyId` | string | Key ID from the JWK (`kid`) |
| `jwk_algo` | string | Algorithm specified in the JWK (`alg`, e.g. `RS256`) |
| `jwk_use` | string | Key usage from the JWK (`use`, typically `sig`) |
| `issuer_url` | string | OIDC provider issuer URL |
| `cert_index` | integer | Position of this certificate in the X.509 certificate chain (0-based) |
| `total_certs` | integer | Total number of certificates in the chain |
Public Key-Specific Fields
| Field | Type | Description |
|---|---|---|
| `name` | string | Key identifier from the JWK (`kid`) |
| `purpose` | string | Key purpose derived from the JWK `use` field or algorithm (`sign_verify` in the example above) |
| `jwk_key_id` | string | Key ID from the JWK (`kid`) |
| `jwk_algorithm` | string | Algorithm specified in the JWK (`alg`, e.g. `RS256`) |
| `jwk_use` | string | Key usage from the JWK (`use`, e.g. `sig`) |
| (JWK `crv`) | string | Curve name for EC/OKP keys (e.g. `P-256`, `Ed25519`); absent for RSA keys such as the example above |
| `status` | string | Key status (`active` in the example above) |
Note: Cryptographic algorithm details (algorithm type, key length, curve) are derivable from the PEM-encoded public key and are not duplicated in the extra fields.
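Because the `extra` block carries the JWK metadata (`kid`, `alg`, `use`) while `pubkey_pem` carries the key itself, a practitioner can check that a scan record is a faithful copy of what the JWKS endpoint serves. The following Python is an added example (not the plugin's own code) that rebuilds the DER SubjectPublicKeyInfo from an RSA JWK's `n` and `e` members (RFC 7518 section 6.3, RFC 8017 RSAPublicKey inside an RFC 5280 SubjectPublicKeyInfo) and compares it with the record's `pubkey_pem` body and `urn`. It assumes `pubkey_pem` is the base64 of exactly that SPKI encoding and that the URN is SHA-256 over those bytes; it handles only `kty` = `RSA`, and the JWK and record used here are constructed in the block (a 32-bit toy modulus, `sample-kid`, `issuer.example`), not a real key or endpoint.

```python
"""Cross-check a public-key scan record against the JWK it was taken from.

Added example, not the plugin's own code. It rebuilds the DER SubjectPublicKeyInfo
(RFC 5280, with an RFC 8017 RSAPublicKey inside) from the JWK `n` and `e` members
(RFC 7518 section 6.3) and compares it with the record's `pubkey_pem` body and `urn`.
Assumes `pubkey_pem` is the base64 of exactly that SPKI encoding and that `urn` is
SHA-256 over those bytes; only RSA JWKs (`kty` = `RSA`) are handled.
"""
import base64
import hashlib

_RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def b64url_decode(s: str) -> bytes:
    """JWK members are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def der_length(n: int) -> bytes:
    """Shortest DER length encoding (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_unsigned_integer(raw: bytes) -> bytes:
    """DER INTEGER from big-endian unsigned bytes: strip redundant leading zeros, then add
    one back if the top bit is set so the value is not read as negative."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def rsa_jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier {rsaEncryption, NULL}, BIT STRING RSAPublicKey }."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    rsa_public_key = der_tlv(0x30, der_unsigned_integer(b64url_decode(jwk["n"]))
                             + der_unsigned_integer(b64url_decode(jwk["e"])))
    algorithm_id = der_tlv(0x30, _RSA_ENCRYPTION_OID + b"\x05\x00")     # NULL parameters
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)         # 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_public_key)


def record_matches_jwk(record: dict, jwk: dict) -> dict:
    """Compare a pubkey record with its JWK; every value must be True for the record to be
    a faithful copy of what the JWKS endpoint serves."""
    spki = rsa_jwk_to_spki_der(jwk)
    return {
        "kid_matches": record["extra"].get("jwk_key_id") == jwk.get("kid"),
        "alg_matches": record["extra"].get("jwk_algorithm") == jwk.get("alg"),
        "spki_matches": base64.b64decode(record["pubkey_pem"], validate=True) == spki,
        "urn_matches": record["urn"] == "urn:pubkey:sha256:" + hashlib.sha256(spki).hexdigest(),
    }


# Constructed sample (not a real key): a 32-bit toy modulus keeps the DER readable; the
# encoding path is identical for a 2048-bit `n`.
SAMPLE_JWK = {"kty": "RSA", "kid": "sample-kid", "use": "sig", "alg": "RS256",
              "n": "3q2-7w", "e": "AQAB"}


def make_sample_record(jwk: dict = SAMPLE_JWK) -> dict:
    """A pubkey record in the documented shape, derived from the JWK above."""
    spki = rsa_jwk_to_spki_der(jwk)
    return {
        "type": "pubkey",
        "timestamp": "2025-12-01T08:31:22-05:00",
        "urn": "urn:pubkey:sha256:" + hashlib.sha256(spki).hexdigest(),
        "url": "https://issuer.example",                # placeholder issuer
        "extra": {"issuer": "https://issuer.example", "jwk_algorithm": jwk["alg"],
                  "jwk_key_id": jwk["kid"], "jwk_use": jwk["use"], "name": jwk["kid"],
                  "origin": "oidc_jwks", "purpose": "sign_verify", "status": "active",
                  "jwks_uri": "https://issuer.example/.well-known/jwks"},
        "pubkey_pem": base64.b64encode(spki).decode("ascii"),
    }


if __name__ == "__main__":
    print(rsa_jwk_to_spki_der(SAMPLE_JWK).hex())
    print(record_matches_jwk(make_sample_record(), SAMPLE_JWK))
```

To run this against live data, fetch the document at the record's `jwks_uri`, pick the JWK whose `kid` equals `extra.jwk_key_id`, and pass it as `jwk`; a `spki_matches` failure with a matching `kid` means the endpoint has rotated or the record was altered, which is exactly the case the URN is meant to pin down.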