Why We Built a Free Scanner
We talk to Azure teams every week who share the same story: they know secrets are expiring somewhere, but they don’t have visibility across all their subscriptions and Key Vaults. They’ve cobbled together PowerShell scripts, Azure Policy assignments, and calendar reminders, but nothing gives them a single, clear picture.
So we built one. cc-scan is a free command-line tool that audits every Key Vault you have access to and tells you exactly what’s expiring, what’s misconfigured, and what needs attention. No agents, no infrastructure, no cost. Just pip install and run.
What It Does
cc-scan performs a read-only audit of your Azure Key Vaults. It inventories secrets, certificates, and cryptographic keys across all accessible subscriptions, then evaluates them against 11 security rules covering expiry, network security, access control, and data protection.
A typical scan takes 30-60 seconds and produces output like this:
Scanning 3 subscriptions...
Found 12 Key Vaults with 247 assets
CRITICAL SEC-001 Expired secrets still enabled (14 found)
HIGH SEC-003 Network access unrestricted (4 vaults)
MEDIUM SEC-006 Secrets without expiry date (31 found)
INFO SEC-010 Secrets expiring within 30 days (8 found)
Score: 62/100 — 47 findings across 12 vaults
No secret values are ever read. The scanner accesses metadata only: names, expiry dates, enabled status, vault configuration. Your credentials stay where they are.
The 11 Security Checks
Each finding is mapped to a severity level so you can prioritize your remediation effort:
| Severity | Rule | What It Catches |
|---|---|---|
| CRITICAL | SEC-001, SEC-002 | Expired secrets and certificates that are still enabled — ticking time bombs that indicate nobody is watching |
| HIGH | SEC-003 | Key Vaults with unrestricted network access, reachable from any IP on the internet |
| HIGH | SEC-004, SEC-005 | Missing soft-delete or purge protection, meaning an accidental or malicious delete is permanent |
| MEDIUM | SEC-006, SEC-007 | Secrets and certificates with no expiry date set, invisible to any expiry-based alerting |
| MEDIUM | SEC-008 | RBAC not enforced, relying on legacy access policies instead of Azure’s recommended model |
| LOW | SEC-009 | Standard SKU vaults without HSM backing for key operations |
| INFO | SEC-010, SEC-011 | Secrets and certificates expiring within 30 days, your upcoming to-do list |
These aren’t arbitrary rules. They map directly to the controls required by SOC 2, PCI-DSS, HIPAA, ISO 27001, and NIST 800-53. If an auditor asks “how do you manage key material lifecycle?”, a cc-scan report is a concrete answer.
Install in 30 Seconds
pip (Python 3.9+):
pip install certifyclouds
Homebrew (macOS/Linux):
brew tap certifyclouds/certifyclouds
brew install certifyclouds
First run requires a one-time email registration (no credit card, no expiry). After that:
az login
cc-scan
That’s it. The scanner discovers all subscriptions your account can access and scans every Key Vault within them.
Output Formats
The default output is a rich terminal table, but cc-scan supports multiple formats for different workflows:
- --format json for piping into jq, scripts, or SIEM ingestion
- --format csv for spreadsheet analysis and sharing with non-technical stakeholders
- --format html for a standalone report with charts and visualizations that you can open in any browser or attach to an email
# Generate an HTML report
cc-scan --format html -o audit-report.html
# JSON for automation
cc-scan --format json -o results.json
# Scan specific subscriptions only
cc-scan --subscription "sub-id-1" --subscription "sub-id-2"
CI/CD Integration
cc-scan is built for pipelines. The exit codes are deterministic:
- Exit 0: Clean scan, no critical or high findings
- Exit 1: Critical or high findings detected
- Exit 2: Scan error (permissions, connectivity)
This means you can gate deployments on Key Vault hygiene:
# Azure DevOps pipeline
- script: |
    pip install certifyclouds
    cc-scan --format json -o scan-results.json
  displayName: 'Key Vault Security Audit'
  failOnStderr: false
# GitHub Actions
- name: Audit Key Vaults
  run: |
    pip install certifyclouds
    cc-scan --format json -o scan-results.json
A failed gate means someone introduced a Key Vault without soft-delete, or a secret expired and nobody rotated it. Either way, you want to know before it hits production.
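To make the rule table and the exit-code contract concrete, here is an added Python example (written for this page, not cc-scan's own code) that evaluates a constructed inventory of Key Vault metadata against the checks described above and derives the pipeline exit code from the findings. The Asset and Vault classes, the sample vaults, and the pairing of each rule-id pair with secrets versus certificates (and soft-delete versus purge protection) are assumptions taken from the table's wording and order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Minimal metadata model: an assumption for this example, not cc-scan's own classes.
@dataclass
class Asset:
    vault: str
    name: str
    kind: str                    # "secret" or "certificate"
    enabled: bool
    expires: Optional[datetime]  # None means no expiry date was set

@dataclass
class Vault:
    name: str
    public_network: bool         # True means reachable from any IP
    soft_delete: bool
    purge_protection: bool
    rbac: bool

def evaluate(vaults, assets, now, window_days=30):
    """Return (severity, rule, target) tuples; rule-id pairing is assumed from the table order."""
    horizon = now + timedelta(days=window_days)
    out = []
    for a in assets:
        sec, target = a.kind == "secret", f"{a.vault}/{a.name}"
        if a.expires is None:                 # SEC-006 / SEC-007: no expiry date set
            out.append(("MEDIUM", "SEC-006" if sec else "SEC-007", target))
        elif a.expires < now:                 # expired: CRITICAL only while still enabled
            if a.enabled:
                out.append(("CRITICAL", "SEC-001" if sec else "SEC-002", target))
        elif a.expires <= horizon:            # SEC-010 / SEC-011: expiring within the window
            out.append(("INFO", "SEC-010" if sec else "SEC-011", target))
    for v in vaults:                          # vault-level configuration checks
        for bad, sev, rule in ((v.public_network, "HIGH", "SEC-003"), (not v.soft_delete, "HIGH", "SEC-004"),
                               (not v.purge_protection, "HIGH", "SEC-005"), (not v.rbac, "MEDIUM", "SEC-008")):
            if bad:
                out.append((sev, rule, v.name))
    return out
def exit_code(findings):
    """Exit-code contract from the CI/CD section: 1 on any CRITICAL/HIGH finding, else 0."""
    return 1 if any(sev in ("CRITICAL", "HIGH") for sev, _, _ in findings) else 0
# Constructed sample inventory (not real vaults).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
VAULTS = [Vault("kv-prod", False, True, True, True), Vault("kv-dev", True, True, False, False)]
ASSETS = [Asset("kv-prod", "db-password", "secret", True, NOW - timedelta(days=40)),
          Asset("kv-prod", "old-api-key", "secret", False, NOW - timedelta(days=400)),
          Asset("kv-dev", "tls-cert", "certificate", True, NOW + timedelta(days=12)),
          Asset("kv-dev", "webhook-token", "secret", True, None)]
```

Note that the disabled expired secret produces no finding: the CRITICAL rule is specifically about expired material that is still enabled.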
Privacy and Offline Mode
We designed cc-scan with a minimal data footprint. The only telemetry sent after registration is aggregate counts: how many vaults, secrets, certificates, and keys were scanned. No names, no values, no subscription identifiers.
If even that is too much for your environment, use --offline mode to disable all external communication after the initial registration:
cc-scan --offline
The scan then talks only to the Azure APIs it audits; nothing else leaves your machine.
From Scanner to Platform
cc-scan gives you a point-in-time snapshot. That’s valuable for ad-hoc audits, CI/CD gates, and getting an initial handle on your secret landscape. But secrets expire continuously, teams create new credentials daily, and compliance requirements demand ongoing monitoring.
When you’re ready to move from periodic scans to continuous lifecycle management, CertifyClouds picks up where cc-scan leaves off:
- Continuous discovery with scheduled scans and real-time alerting
- Automated rotation of App Registration secrets and certificates with zero-downtime overlap windows
- Dependency mapping showing which App Services, Functions, and Container Apps consume each secret
- Multi-cloud sync to keep credentials consistent across Azure, AWS, and GCP
- Compliance scoring against SOC 2, PCI-DSS, HIPAA, ISO 27001, and NIST frameworks
The Starter tier is free and includes discovery, compliance scoring, alerts, and 3 manual rotations per month.
Get Started
Install cc-scan, authenticate with Azure, and run your first scan. In under a minute you’ll know exactly where your Key Vault security stands.
pip install certifyclouds
az login
cc-scan
Full documentation: docs.certifyclouds.com/scanner
Found something unexpected in your scan results? That’s the point. Better to find it now than at 3 AM when a production integration fails because a certificate expired three weeks ago and nobody noticed.
Further Reading
- How to Find All Expiring Secrets and Certificates Across Azure Subscriptions — the manual methods cc-scan replaces
- Azure Key Vault Secret Rotation: Best Practices for 2026 — what to do after you’ve found the problems
- The True Cost of an Expired Azure Certificate in Production — why this matters in real dollars