ppiankov/vaultspectre

VaultSpectre

Find Vault secret references in code, verify they exist in Vault, and flag unused/stale paths before they break deployments. Part of SpectreHub.

Why this exists

HashiCorp Vault tells you what secrets exist. Your codebase tells you what secrets are referenced. Neither tells you which secrets are actually still needed.

VaultSpectre bridges that gap — correlating secret references in code with live Vault state and audit logs. It is designed for teams who inherit Vault instances, want to clean them up safely, and would prefer not to cause a production incident in the process.

What it is

  • Scans codebases for Vault secret references across Ansible, YAML, Terraform, Python, Bash, Go, and Kubernetes manifests
  • Validates that referenced paths exist in Vault (KV v1/v2)
  • Detects unused and stale secrets via metadata and audit logs
  • Supports variable resolution from files, CLI flags, and Ansible auto-detection
  • Outputs text, JSON, SARIF, and SpectreHub formats
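The correlation the list above describes (references found in code, paths that exist in Vault, reads seen in the audit log) as an added example. This is not vaultspectre's code: the repository files, the Vault state and the audit log lines are constructed inline, the only mount handled is "secret", and the status names (missing, active, unreferenced, stale) are this example's own, not the tool's classifications. It also shows the KV v2 detail that trips up hand-written existence checks: the path in code (secret/prod/db) is not the path the API serves (secret/data/prod/db or secret/metadata/prod/db).

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample files standing in for a repository walk (hypothetical content).
var repoFiles = map[string]string{
	"deploy.sh":    `TOKEN=$(vault kv get -field=token secret/ci/github)`,
	"playbook.yml": `db_pass: "{{ lookup('hashi_vault', 'secret=secret/data/prod/db:password') }}"`,
	"main.tf":      `data "vault_generic_secret" "api" { path = "secret/prod/api" }`,
}

// Constructed Vault state: logical paths that exist under the KV v2 mount "secret".
var vaultPaths = map[string]bool{"secret/prod/db": true, "secret/prod/api": true, "secret/legacy/ldap": true, "secret/batch/sftp": true}

// Constructed audit entries in the shape of Vault's file audit device (one JSON object per line).
const auditLog = `
{"type":"response","time":"2024-03-02T11:00:00Z","request":{"operation":"read","path":"secret/data/batch/sftp"}}
{"type":"response","time":"2022-01-05T09:00:00Z","request":{"operation":"read","path":"secret/data/legacy/ldap"}}
{"type":"response","time":"2024-03-03T09:00:00Z","request":{"operation":"update","path":"secret/data/legacy/ldap"}}
`

// Literal paths under "secret", with or without the KV v2 data/ or metadata/ prefix; the match stops at quotes, ")" and a ":field" suffix.
var refPattern = regexp.MustCompile(`\bsecret/(?:data/|metadata/)?[A-Za-z0-9_./-]+`)

// logicalPath folds every spelling of a KV v2 path into the one humans write: secret/data/prod/db -> secret/prod/db.
func logicalPath(ref string) string {
	rest := strings.TrimPrefix(strings.TrimPrefix(ref, "secret/"), "data/")
	return "secret/" + strings.TrimPrefix(rest, "metadata/")
}

// kvV2APIPath is what an existence check must request: KV v2 serves values under data/ and versions under metadata/.
func kvV2APIPath(logical, kind string) string {
	return "secret/" + kind + "/" + strings.TrimPrefix(logical, "secret/")
}

// scanRefs returns the deduplicated set of logical paths referenced across all files.
func scanRefs(files map[string]string) map[string]bool {
	refs := map[string]bool{}
	for _, content := range files {
		for _, m := range refPattern.FindAllString(content, -1) {
			refs[logicalPath(m)] = true
		}
	}
	return refs
}

type auditEntry struct { // encoding/json matches keys case-insensitively: "type", "time", "request"
	Type    string
	Time    time.Time
	Request struct{ Operation, Path string }
}

// lastRead records the newest completed read per logical path. Only "response" entries with operation
// "read" count: a write (a rotation job, say) does not prove that anything still consumes the value.
func lastRead(log string) map[string]time.Time {
	seen := map[string]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e auditEntry
		if json.Unmarshal([]byte(line), &e) != nil || e.Type != "response" || e.Request.Operation != "read" {
			continue
		}
		if p := logicalPath(e.Request.Path); e.Time.After(seen[p]) {
			seen[p] = e.Time
		}
	}
	return seen
}

// classify correlates code references, Vault state and audit reads into one status per path.
// The status names are this example's own, not vaultspectre's classifications.
func classify(refs, existing map[string]bool, reads map[string]time.Time, now time.Time, staleAfter time.Duration) map[string]string {
	status := map[string]string{}
	for _, set := range []map[string]bool{refs, existing} {
		for p := range set {
			switch {
			case refs[p] && !existing[p]:
				status[p] = "missing" // the deploy that runs this code will fail
			case refs[p]:
				status[p] = "active"
			case reads[p].After(now.Add(-staleAfter)):
				status[p] = "unreferenced" // not in this repo, but something still reads it: do not delete
			default:
				status[p] = "stale" // no reference and no read inside the window: cleanup candidate
			}
		}
	}
	return status
}

func main() {
	// A fixed clock keeps the report deterministic; 90 days is an arbitrary staleness window.
	report, _ := json.MarshalIndent(classify(scanRefs(repoFiles), vaultPaths, lastRead(auditLog), time.Date(2024, 3, 10, 0, 0, 0, 0, time.UTC), 90*24*time.Hour), "", "  ")
	fmt.Println(string(report))
	fmt.Println("existence check for secret/ci/github should hit", kvV2APIPath("secret/ci/github", "metadata"))
}
```

The point of the fourth status is the one the README's safety framing rests on: a path with no reference in the repository you scanned is not yet safe to delete, because another repository, a job outside version control or a human may still read it. Only the combination of no reference and no recent read in the audit log makes it a cleanup candidate.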

What it is NOT

  • Not a Vault management tool — never writes, rotates, or deletes secrets
  • Not a secret scanner — finds references, not leaked credentials
  • Not a monitoring tool — point-in-time scanner
  • Not a replacement for Vault audit logs — complements them

Quick start

# Install
brew install ppiankov/tap/vaultspectre

# Scan a repository
vaultspectre scan \
  --repo ./my-repo \
  --vault-addr https://vault.example.com \
  --token "$VAULT_TOKEN"

# JSON output for CI/CD
vaultspectre scan --repo . --vault-addr "$VAULT_ADDR" --token "$VAULT_TOKEN" --output json

# Fail on missing secrets
vaultspectre scan --repo . --vault-addr "$VAULT_ADDR" --token "$VAULT_TOKEN" --fail-on-missing

Agent integration

Single binary, deterministic output, structured JSON, bounded scans.

Agents: read SKILL.md for commands, JSON parsing patterns, and workflow examples.

Key pattern: vaultspectre scan --output json returns SpectreHub-compatible JSON with status classifications and health scores.

SpectreHub integration

spectrehub collect --tool vaultspectre

Safety

vaultspectre operates in read-only mode: it never writes, rotates, or deletes your secrets. Scope the token you give it accordingly. Because it only reads, a policy granting read and list capabilities on the KV mounts being checked is sufficient; do not run it with a root token. A token passed as a command-line flag is also visible in shell history and to other local users through the process list, so in CI inject it from the runner's secret store rather than hard-coding it, and consult the CLI Reference for how the token can be supplied.

Documentation

  • CLI Reference: all flags, config, scanner coverage, status classifications, installation

License

MIT — see LICENSE.


Built by Obsta Labs

About

Static + runtime HashiCorp Vault auditor. Scans repos for Vault secret paths, verifies existence in Vault, detects unused or abandoned secrets, and generates CI-ready reports.