HCP Vault Radar agent: Local secret scanning at enterprise scale

• Infra

As organizations scale, so does the surface area of risk, driven by the growing volume of code, systems, and users interacting across distributed environments. Beyond traditional security concerns, teams are now responsible for managing sensitive data in all its forms.

This includes secrets, personally identifiable information (PII), which, unlike secrets, can’t be rotated or changed, and addressing non-inclusive language (NIL) that poses both brand and retention risks. These challenges are especially relevant in industries with strict security, compliance, and governance requirements.

While cloud-based secret scanning is effective for many teams, it’s not always feasible for organizations needing complete data control. These organizations need:

• Granular control over how and where scans run
• Confidence that no secrets or sensitive content leaves their environment
• Centralized visibility, without data exposure

HCP Vault Radar agent and hybrid scanning

The HCP Vault Radar agent meets these needs by enabling hybrid scanning of source code and collaboration tools within your own environment. It helps teams detect and remediate secrets, PII, and non-inclusive language, enabling teams to stay compliant and move fast without compromising security. By bringing scanning capabilities directly into your private cloud or on-premises environment, it offers:

• Local scanning of code repositories and collaboration tools
• CLI integration with your existing CI/CD pipelines and secret managers like Vault
• Metadata reporting back to HCP for risk visibility and correlation, without exposing sensitive content

Whether you're operating fully on-premises, in the cloud, or across a hybrid environment, the agent delivers consistent scanning, complete visibility, and full control over how and where data is analyzed.

How Vault Radar agent works inside your environment

The agent operates in a hybrid model, running inside your trust boundary, connecting securely to HCP Vault Radar, and performing the standard scanning workflow. Once deployed, the agent acts as a local worker node that securely executes scans orchestrated by HCP Vault Radar. When launched, the agent will:

• Connect to HCP Vault Radar
• Poll HCP for available scans
• Execute scans using the same logic as the Radar CLI’s scan repo command
• Upload results and heartbeats to HCP for centralized visibility

Accelerate time to value with automated discovery

Vault Radar agent supports auto-discovery of data sources for GitHub, GitLab, Bitbucket, and Azure DevOps. This will allow users to onboard multiple repositories at a time (up to 5000). Once connected, these repositories are continuously scanned for secret exposure, with support for scheduled rescans and automatic detection of new commits.

Parallel scanning with end-to-end coverage

Each registered agent runs multiple dedicated workers to support multiple scan types simultaneously, optimized for distinct use cases, including:

• Commit diff scans to detect newly introduced secrets in near real time.
• Pull request scans to secure code in motion and ensure secrets are not shared across collaborative workflows.
• Full repository scans across all branches and historical commits to surface long-standing risks that may have gone unnoticed.

By running these scans in parallel, the agent delivers rapid feedback for developers during their development cycles, while giving security teams confidence in their ability to surface and remediate unmanaged secrets.

Built-in context and correlation

Vault Radar agent delivers secure, contextual scanning that goes beyond detection. Each scan, such as a repository scan or webhook registration, is securely scheduled, authenticated, and executed by the agent within your environment. When the agent identifies a new job, it:

• Authenticates using a local token
• Executes the scan against the target data source
• Returns results, checkpoint data, and discovered risks back to HCP

The agent then enriches findings through automated correlation, identifying unmanaged secrets and those already secured in a secrets manager, like Vault. This built-in context helps security teams understand not just what was leaked, but how impactful the exposure is. By correlating findings to known secrets, Vault Radar enables smarter decision-making, allowing teams to:

• Prioritize unmanaged, high-risk secrets
• Understand where secrets originated from
• Avoid unnecessary disruption when remediating leaks

Transparent reporting throughout the lifecycle

Vault Radar agent provides visibility at every step of the scanning process. As scans are executed, the agent reports progress incrementally, uploading partial results to HCP that include scan checkpoints and any newly discovered risks. These updates enable future incremental scans while keeping your teams informed in real time.

When a scan is complete, the agent delivers a comprehensive report, including scan results, metadata, and job status. With built-in accountability at every stage, Vault Radar agent enables teams to maintain real-time insight, audit readiness, and operational efficiency.

Enterprise-grade secret scanning in your environment

Vault Radar agent delivers the power of Vault Radar directly into your environment, enabling you to detect, prioritize, and respond to secret exposures without ever sending sensitive data to the cloud. It combines the flexibility of local scanning with the intelligence of centralized risk correlation, offering full visibility across your developer tools.

Whether you're navigating strict regulatory requirements or simply prioritizing tighter control over your security workflows, Vault Radar agent gives you a scalable, secure, and context-aware approach to secret detection.

Want to learn more about Vault Radar agent? Join our upcoming webinar.

Ready to see it in action? Start your 30-day trial and take control of secret scanning within your own environment.