Scanning and Findings
External Secrets Enterprise provides a scanning feature that helps you identify and manage secrets across your infrastructure. It is particularly useful for discovering where secrets are in use and for spotting potential duplicates or misconfigurations.
How it Works
The scanning process is driven by the Job resource (scan.external-secrets.io/Job), which defines the scope and frequency of a scan. When a scan job executes, it searches for secrets in all SecretStores and Targets available in its namespace.
For every secret it discovers, the Job creates a Finding resource that records each location (SecretStore or Target) where that secret was found.
The Scanning Workflow
- A Job resource is created to define the scan parameters.
- The job runs according to its runPolicy.
- During the scan, every secret that is found results in a corresponding Finding resource.
- You review the Finding resources to understand where your secrets are located.
The Job Resource
The Job resource is the core component of the scanning feature. It configures how and where a scan is performed.
Here is an example of a Job resource:
Job Specification
- runPolicy: Defines when the job runs. It can be Poll (at a regular interval), OnChange (when a related resource changes), or Once.
- interval: When runPolicy is Poll, the time between scans.
- constraints: Limits the scan to specific SecretStores or Targets using label selectors.
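The following is an added example, not code from External Secrets Enterprise, showing how to build a scan Job manifest from the fields above and check it for the one consistency rule the specification implies (interval only makes sense with runPolicy Poll). The top-level field names follow this page; the API version string, the selector layout under constraints (secretStoreSelector/targetSelector with matchLabels) and the Go-style duration format for interval are assumptions and may differ from the actual CRD.

```python
"""Build and sanity-check a scan Job manifest before applying it.

Added example; not code from External Secrets Enterprise. runPolicy,
interval and constraints come from the Job Specification on this page;
the apiVersion, the selector field names and the duration format are
assumptions about the CRD.
"""
import json
import re

VALID_RUN_POLICIES = {"Poll", "OnChange", "Once"}
# Go-style duration such as "30m", "1h30m", "15s" (assumed interval format).
DURATION_RE = re.compile(r"^(\d+h)?(\d+m)?(\d+s)?$")


def build_scan_job(name, namespace, run_policy, interval=None,
                   store_labels=None, target_labels=None):
    """Return a Job manifest as a dict (manifest shape assumed from the page)."""
    spec = {"runPolicy": run_policy}
    if interval is not None:
        spec["interval"] = interval
    constraints = {}
    if store_labels:
        # Assumed selector field names; the page only says "label selectors".
        constraints["secretStoreSelector"] = {"matchLabels": dict(store_labels)}
    if target_labels:
        constraints["targetSelector"] = {"matchLabels": dict(target_labels)}
    if constraints:
        spec["constraints"] = constraints
    return {
        "apiVersion": "scan.external-secrets.io/v1alpha1",  # version assumed
        "kind": "Job",
        "metadata": {"name": name, "namespace": namespace},
        "spec": spec,
    }


def validate_scan_job(job):
    """Return a list of problems; an empty list means the manifest is consistent."""
    problems = []
    spec = job.get("spec", {})
    policy = spec.get("runPolicy")
    interval = spec.get("interval")
    if policy not in VALID_RUN_POLICIES:
        problems.append(
            f"runPolicy must be one of {sorted(VALID_RUN_POLICIES)}, got {policy!r}")
    if policy == "Poll":
        # interval is the poll period, so Poll without it cannot be scheduled.
        if not interval:
            problems.append("runPolicy Poll requires an interval")
        elif not DURATION_RE.match(interval):
            problems.append(f"interval {interval!r} is not a duration like 30m or 1h")
    elif interval is not None:
        # OnChange and Once are event/one-shot driven; a stray interval is a misconfiguration.
        problems.append(f"interval is only meaningful with runPolicy Poll (got {policy})")
    for key, sel in spec.get("constraints", {}).items():
        if not isinstance(sel, dict) or not sel.get("matchLabels"):
            problems.append(f"constraints.{key} needs a non-empty matchLabels selector")
    return problems


if __name__ == "__main__":
    job = build_scan_job("nightly-scan", "secrets", "Poll", interval="1h",
                         store_labels={"tier": "prod"})
    for p in validate_scan_job(job):
        print("problem:", p)
    # Pipe this into `kubectl apply -f -` once it validates cleanly.
    print(json.dumps(job, indent=2))
```

Running the module prints the manifest as JSON, which kubectl accepts as well as YAML; the validator is meant to run in CI before the Job is applied so that a Poll job without an interval, or a Once job carrying a leftover interval, is caught before it reaches the cluster.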
The Finding Resource
A Finding resource is created for each unique secret discovered during a scan. It contains information about the secret, including its hash and the locations where it was found.
Here is an example of a Finding resource:
Finding resources give you insight into your secret landscape and let you act on it, for example by rotating credentials or removing duplicates.
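The following is an added example, not code from External Secrets Enterprise, of the triage a practitioner would run over the Finding resources once a scan has completed: the same hash appearing in more than one location marks a duplicated secret, and a secret that lives only in a Target with no SecretStore holding it is worth a look as a possible stray copy. The Finding shape used here (spec.hash plus a spec.locations list of kind/name/key entries) is an assumption based on this page's description, and the sample findings are constructed for illustration.

```python
"""Triage Finding resources from a scan.

Added example; not code from External Secrets Enterprise. The Finding
layout (spec.hash, spec.locations with kind/name/key) is assumed from the
page; SAMPLE_FINDINGS is constructed data standing in for what a query of
the Finding resources in a namespace might return.
"""

# Constructed sample findings (shape assumed).
SAMPLE_FINDINGS = [
    {"metadata": {"name": "finding-a1"},
     "spec": {"hash": "sha256:aaaa", "locations": [
         {"kind": "SecretStore", "name": "vault-prod", "key": "db/password"},
         {"kind": "SecretStore", "name": "aws-sm", "key": "prod/db-password"},
         {"kind": "Target", "name": "payments-ns", "key": "db-creds"},
     ]}},
    {"metadata": {"name": "finding-b2"},
     "spec": {"hash": "sha256:bbbb", "locations": [
         {"kind": "SecretStore", "name": "vault-prod", "key": "api/token"},
     ]}},
    {"metadata": {"name": "finding-c3"},
     "spec": {"hash": "sha256:cccc", "locations": [
         {"kind": "Target", "name": "legacy-ns", "key": "old-key"},
     ]}},
]


def location_id(loc):
    """Stable, human-readable identifier for one location entry."""
    return f"{loc['kind']}/{loc['name']}:{loc['key']}"


def duplicated_secrets(findings):
    """Map hash -> sorted location ids for every secret stored in more than one place.

    One Finding per unique secret means the hash is the join key; the
    Finding already aggregates locations, so a location count above one
    is the duplicate signal.
    """
    dupes = {}
    for f in findings:
        locs = sorted({location_id(loc) for loc in f["spec"]["locations"]})
        if len(locs) > 1:
            dupes[f["spec"]["hash"]] = locs
    return dupes


def targets_without_store(findings):
    """Hashes found in at least one Target but in no SecretStore (heuristic).

    A secret only a Target holds has no store to be synced from, so it is
    either a stale copy or something placed out of band; both deserve review.
    """
    result = []
    for f in findings:
        kinds = {loc["kind"] for loc in f["spec"]["locations"]}
        if "Target" in kinds and "SecretStore" not in kinds:
            result.append(f["spec"]["hash"])
    return sorted(result)


def triage_report(findings):
    """Return the report as a list of lines so callers can log or assert on it."""
    lines = []
    for h, locs in duplicated_secrets(findings).items():
        lines.append(f"DUPLICATE {h} in {len(locs)} locations: {', '.join(locs)}")
    for h in targets_without_store(findings):
        lines.append(f"TARGET-ONLY {h}: no SecretStore holds this secret")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_FINDINGS):
        print(line)
```

The report deliberately works on hashes and location identifiers only, which is all a Finding exposes according to this page; nothing here needs the secret value, so the triage can run with read access to Finding resources alone.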
You can also use a Finding, or the Location information it carries, to automate synchronization with Workflows.