Find Vault secret references in code, verify they exist in Vault, and flag unused/stale paths before they break deployments. Part of SpectreHub.
HashiCorp Vault tells you what secrets exist. Your codebase tells you what secrets are referenced. Neither tells you which secrets are actually still needed.
VaultSpectre bridges that gap — correlating secret references in code with live Vault state and audit logs. It is designed for teams who inherit Vault instances, want to clean them up safely, and would prefer not to cause a production incident in the process.
- Scans codebases for Vault secret references across Ansible, YAML, Terraform, Python, Bash, Go, and Kubernetes manifests
- Validates that referenced paths exist in Vault (KV v1/v2)
- Detects unused and stale secrets via metadata and audit logs
- Supports variable resolution from files, CLI flags, and Ansible auto-detection
- Continuous drift monitoring with delta reporting via the `watch` command
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a Vault management tool — never writes, rotates, or deletes secrets
- Not a secret scanner — finds references, not leaked credentials
- Not a replacement for Vault audit logs — complements them
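To illustrate the correlation described above (references found in code versus paths that exist in Vault, with KV v2 `secret/data/...` paths normalized so they compare equal to `secret/...`), here is an added Python sketch that is not VaultSpectre's own code; the sample files, the three regexes and the "live Vault" path set are constructed assumptions for the demo.

```python
import re

# Constructed sample repository contents (not project fixtures): Terraform, Ansible, Bash.
SAMPLE_FILES = {
    "infra/main.tf": '''
data "vault_kv_secret_v2" "db" {
  mount = "secret"
  name  = "prod/db"
}
''',
    "deploy/playbook.yml": '''
- name: fetch api key
  set_fact:
    api_key: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/prod/api') }}"
''',
    "scripts/rotate.sh": "vault kv get secret/legacy/token\n",
}

# Constructed "live Vault" state: what a recursive list of the secret/ KV v2 mount would return.
LIVE_VAULT_PATHS = {"secret/prod/db", "secret/prod/api", "secret/unused/old"}

# Minimal reference patterns for the three file kinds above (assumed, not the tool's real matchers).
TF_RE = re.compile(r'data\s+"vault_kv_secret_v2"[^{]*\{[^}]*?mount\s*=\s*"([^"]+)"[^}]*?name\s*=\s*"([^"]+)"', re.S)
LOOKUP_RE = re.compile(r"hashi_vault'\s*,\s*'([^']+)'")
CLI_RE = re.compile(r"vault\s+kv\s+get\s+(\S+)")

def normalize_kv2(path):
    """Drop the KV v2 API segment (secret/data/x or secret/metadata/x -> secret/x)."""
    parts = path.strip("/").split("/")
    if len(parts) > 2 and parts[1] in ("data", "metadata"):
        parts.pop(1)
    return "/".join(parts)

def extract_references(files):
    """Map each normalized Vault path to the set of files that reference it."""
    refs = {}
    for name, text in files.items():
        found = [f"{mount}/{sub}" for mount, sub in TF_RE.findall(text)]
        found += LOOKUP_RE.findall(text) + CLI_RE.findall(text)
        for raw in found:
            refs.setdefault(normalize_kv2(raw), set()).add(name)
    return refs

def correlate(refs, live):
    """Missing = referenced in code but absent from Vault; unused = in Vault but never referenced."""
    missing = {p: sorted(f) for p, f in refs.items() if p not in live}
    unused = sorted(p for p in live if p not in refs)
    return {"missing": missing, "unused": unused}

if __name__ == "__main__":
    print(correlate(extract_references(SAMPLE_FILES), LIVE_VAULT_PATHS))
```

A real run would replace `LIVE_VAULT_PATHS` with a recursive list of the mount, which is the step where audit-log and metadata timestamps decide whether an unused path is merely unreferenced or actually stale.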
```bash
# Install
brew install ppiankov/tap/vaultspectre

# Generate config
vaultspectre init

# Scan a repository
vaultspectre scan --repo . --vault-addr $VAULT_ADDR --token $VAULT_TOKEN

# JSON output for CI/CD
vaultspectre scan --repo . --format json --fail-on-missing

# Continuous monitoring
vaultspectre watch --interval 5m --repo . --slack-webhook $SLACK_URL
```

| Command | Description |
|---|---|
| `vaultspectre ls` | List Vault secret paths recursively (`--tree`, `--count`, `--with-keys`) |
| `vaultspectre scan` | Scan code for Vault references, validate against live Vault |
| `vaultspectre audit` | SpectreHub-compatible scan (spectre/v1 envelope, mapped exit codes) |
| `vaultspectre who` | Find which codebases reference a Vault path (rotation readiness) |
| `vaultspectre grep` | Search Vault secrets by key or value pattern (`--stdin`, `--from-file`) |
| `vaultspectre diff` | Compare two scan reports and show changes |
| `vaultspectre count` | Count secrets in a Vault tree (`--by-depth`, `--by-prefix`) |
| `vaultspectre watch` | Continuous drift detection with delta reporting |
| `vaultspectre correlate` | Cross-tool CH user to Vault secret mapping |
| `vaultspectre init` | Generate starter config and policy files (`--with-policy`) |
| `vaultspectre doctor` | Check config, connectivity, and readiness (ANCC schema) |
| `vaultspectre ci-init` | Generate CI pipeline snippet (GitLab/GitHub) |
| `vaultspectre serve` | MCP server for AI agent integration (stdio) |
| `vaultspectre version` | Print version (`--format json`) |
Key flags: --format json\|sarif\|spectrehub, --exclude, --fail-on-missing, --policy, --auth-method, --stdin, --from-file, --baseline, --slack-webhook
| Code | Meaning |
|---|---|
| 0 | Success, no findings |
| 1 | Internal error |
| 2 | Invalid arguments or config |
| 5 | Network error (Vault unreachable) |
| 6 | Findings detected |
Single binary, deterministic output, structured JSON, bounded scans.
Agents: read docs/SKILL.md for commands, JSON parsing patterns, and workflow examples.
```bash
spectrehub collect --tool vaultspectre
```

vaultspectre operates in read-only mode — never writes, rotates, or deletes your secrets.
MIT — see LICENSE.
Built by Obsta Labs