Skip to main content

Scanning and Findings

External Secrets Enterprise Edition provides a powerful scanning feature to help you identify and manage secrets across your infrastructure. This is particularly useful for discovering where secrets are being used and identifying potential duplicates or misconfigurations.

How it Works

The scanning process is driven by the Job resource (scan.external-secrets.io/Job), which defines the scope and frequency of a scan. When a scan job is executed, it searches for secrets within the all SecretStores and Targets available in its namespace. The Job will create Finding resources for any discovered items across multiple locations (SecretStore and Target).
  1. A Job resource is created to define the scan parameters.
  2. The job runs according to its runPolicy.
  3. During the scan, if a secret is found, a corresponding Finding resource is created.
  4. You can review the Finding resources to understand where your secrets are located.

The Job Resource

The Job resource is the core component of the scanning feature. It allows you to configure how and where the scan should be performed. Here is an example of a Job resource: 
apiVersion: scan.external-secrets.io/v1alpha1
kind: Job
metadata:
  name: daily-vm-scan
spec:
  runPolicy: Poll
  interval: 24h
  constraints:
    targetConstraints:
      - kind: VirtualMachine
        apiVersion: targets.external-secrets.io/v1alpha1
        matchLabels:
          environment: production

Job Specification

  • runPolicy: Defines when the job should run. It can be Poll (at a regular interval), OnChange (when a related resource changes), or Once.
  • interval: If the runPolicy is Poll, this field specifies the time between scans.
  • constraints: This field allows you to limit the scan to specific SecretStores or Targets using label selectors.

The Finding Resource

A Finding resource is created for each unique secret discovered during a scan. It contains information about the secret, including its hash and the locations where it was found. Here is an example of a Finding resource: 
apiVersion: scan.external-secrets.io/v1alpha1
kind: Finding
metadata:
  name: finding-abcde
spec:
  hash: "a1b2c3d4e5..."
status:
  locations:
    - secretStore:
        name: aws-secrets-manager
      remoteRef:
        remoteKey: /production/database/credentials
    - target:
        kind: VirtualMachine
        name: prod-web-server-1
      remoteRef:
        remoteKey: /etc/app/secrets/db.conf
By examining the Finding resources, you can gain valuable insights into your secret landscape and take action to remediate any issues, such as rotating credentials or removing duplicates. You can also leverage the Finding or the Location information from a finding to automate synchronization by leveraging Workflows