scan confluence
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan confluence
command is used for scanning a Confluence Data Server or
Atlassian Confluence Cloud instance.
Authentication
vault-radar
needs some authentication credentials in order to be able to make
requests to the Confluence instance. The information needed depends on whether
you are using Confluence Cloud or Server (self hosted).
Confluence Cloud
This means your instance is hosted by Atlassian, and your instance URL should have ".atlassian.net" in it.
For cloud, there's only one supported pattern and it requires an Atlassian API Token and the email of the account that the token belongs to.
In order to provide the information to vault-radar
, assign the appropriate
values to both of these environment variables:
Confluence Server
For self hosted versions of Confluence, there are up to 2 different patterns possible.
Versions 7.9 and higher support creating a Personal Access Token for a
user.
The token will have all the same access rights as the user who creates it. To
use the token set the following environment variable to the generated token:
CONFLUENCE_PERSONAL_ACCESS_TOKEN
Using a personal access token is more secure and should be the preferred access pattern. A personal access token is easier to revoke and regenerate, and generally has a smaller blast radius than a password.
All versions of Confluence server supports authorization using the Username (not the email), and Password. To authenticate using these credentials set both of these environment variables:
Usage
Usage: vault-radar scan confluence [options]
Command options
--url, -u
: The url endpoint of the Confluence server to scan (required)--page-id, -p
: Specifies the Confluence page to scan--space-key, -s
: Specifies the Confluence space to scan--outfile, -o
: Specifies the file to store information about found secrets (required for offline only)--format, -f
: Specifies the output format, csv and json are supported. Defaults to csv--skip-history
: Specifies the scan should examine only the newest version of the scanning target. Only supported when --offline is specified--baseline, -b
: Specifies the file with previous scan results. Only new secrets will be reported.--limit, -l
: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached--page-limit
: Specifies the maximum number of Confluences pages to scan--index-file
: Specifies the index file path to use in order to determine which risks are Vaulted--offline
: Specifies that the scan should be run in offline mode, without connecting to HCP--disable-ui
: Specifies that the scan summary should not be logged to stdout--skip-activeness
: If specified, skips activeness checks
The following examples all assume you have already set the appropriate environment variable or that you intend to include them as part of the command you run.
Scanning a space
Scan a space and upload results to HCP.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY>
Scanning a page
Scan a page and write the results to an outfile in CSV format, this is the default format for output.
$ vault-radar scan confluence -u <INSTANCE URL> \ -p <PAGE ID> \ -o <PATH TO OUTPUT>.csv
Scanning a page and output JSON
Scan a page and write the results to an outfile in JSON format.
$ vault-radar scan confluence -u <INSTANCE URL> -p <PAGE ID> \ -o <PATH TO OUTPUT>.json \ -f json
Scanning using a baseline file
Perform a scan using a previous scan's result and write the new changes to an outfile.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \ -b <PATH TO BASELINE> \ -o <PATH TO OUTPUT>.csv
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To allow for scanning to continue working without the need for HCP cloud
connection you can use the new --offline
flag as such.
$ vault-radar scan confluence --offline -u <INSTANCE URL> \ -s <SPACE KEY> \ -o <PATH TO OUTPUT>.csv
Scanning latest version of all pages in a Space
Scan latest version of all pages in a Space and write the results to an outfile.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \ -o <PATH TO OUTPUT>.csv --skip-history --offline
Scanning using a Vault index file
Perform a scan using a generated vault index and upload results to HCP.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \ --index-file <PATH TO VAULT INDEX>.jsonl
Scan and restrict the number of pages scanned
Stop scanning the space after a defined number of pages are scanned.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \ --page-limit <NUM OF PAGES>
Scan and restrict the number of secrets found
Stop scanning the space when a defined number of secrets are found.
$ vault-radar scan confluence -u <INSTANCE URL> -s <SPACE KEY> \ -l <NUM OF SECRETS>
Troubleshooting help
What's the PageID for my page?
Sometimes you will see the "Pretty" URL which includes the Page Name. If you
want the page's ID, in the right corner there should be an options menu for the
page. It will usually look like 3 dots ...
. Click on that, and then look for
an option like Page Information
and select that. The URL of the page you land
on, should use the PageID in the URL.
Example:
http://localhost:8090/pages/viewinfo.action?pageId=123456
Where 123456
is this example page's ID.
What's the Space Key for my space or page?
The space key is not always included in the URl of a Page, but it should always be present when selecting the space you are interested in from the main Confluence toolbar. Additionally going to the space's summary details, should explicity define the space key.
Example:
http://localhost:8090/display/VSID/Some+Page
Where VSID
is the space key.