```
$ cc-scan
CertifyClouds Scanner v1.2.0
Authenticated as: you@company.com
Scanning Azure subscriptions...

Production (sub-abc-123)
  vault-prod (eastus) - 12 secrets, 3 certificates, 2 keys
  vault-staging (westeurope) - 8 secrets, 1 certificates, 0 keys

──────────────── SUMMARY ────────────────
Subscriptions: 1
Vaults: 2
Total assets: 26
Secrets: 20
Certificates: 4
Keys: 2

EXPIRY WARNINGS
EXPIRED     3 secrets, 1 certificates
< 30 days   2 secrets

SECURITY FINDINGS
CRITICAL: 3
MEDIUM: 2
INFO: 4
```
What You Get
Full Vault Inventory
Scan every Key Vault across all subscriptions. Secrets, certificates, and keys with expiry dates, status, and metadata.
11 Security Checks
Expired secrets still enabled, public network access, missing soft delete, no RBAC, standard SKU, and more.
Multiple Formats
Rich terminal tables, JSON for pipelines, CSV for spreadsheets, standalone HTML reports with charts.
CI/CD Ready
Exit code 1 on critical findings. Use in GitHub Actions, Azure DevOps, or any pipeline for automated security gates.
Zero Config
Uses your existing Azure CLI credentials. No service principals needed. Just az login and cc-scan.
Privacy First
Runs locally. Never reads secret values. Only sends aggregate counts for telemetry. Use --offline to disable entirely.
Up and Running in 30 Seconds
Install
```
pip install certifyclouds
```
Authenticate
```
az login
```
Scan
```
cc-scan
```
First run prompts for email to register a free API key. That's it.
Security Checks
Every scan runs 11 rules against your vaults and assets:
| Severity | Check | What It Finds |
|---|---|---|
| CRITICAL | SEC-001/002 | Expired secrets or certificates still enabled |
| HIGH | SEC-003 | Public network access enabled on vault |
| HIGH | SEC-004/005 | Soft delete or purge protection disabled |
| MEDIUM | SEC-006/007 | Secrets or certificates with no expiry date set |
| MEDIUM | SEC-008 | RBAC authorization not enabled on vault |
| LOW | SEC-009 | Standard SKU (no HSM backing) |
| INFO | SEC-010/011 | Secrets or certificates expiring within 30 days |
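How rules like these can be evaluated from metadata alone, as an added example that is not CertifyClouds' own code. The rule IDs and severities come from the table above and the exit-code mapping from the FAQ; the record field names, the split of paired IDs (for instance SEC-001 for secrets and SEC-002 for certificates) and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Rule IDs and severities come from the table above. The record field names
# and the secret/certificate split of paired IDs are assumptions.
EXPIRY_WINDOW = timedelta(days=30)

def check_asset(asset, now):
    """Findings for one secret or certificate, from metadata only."""
    cert = asset["kind"] == "certificate"
    expires = asset.get("expires")
    if expires is None:
        return [("MEDIUM", "SEC-007" if cert else "SEC-006")]
    if expires <= now:
        # Only an expired asset that is still enabled is reported.
        return [("CRITICAL", "SEC-002" if cert else "SEC-001")] if asset["enabled"] else []
    if expires - now <= EXPIRY_WINDOW:
        return [("INFO", "SEC-011" if cert else "SEC-010")]
    return []

def check_vault(vault):
    """Findings for vault-level configuration."""
    rules = [
        ("HIGH", "SEC-003", vault["public_network_access"]),
        ("HIGH", "SEC-004", not vault["soft_delete"]),
        ("HIGH", "SEC-005", not vault["purge_protection"]),
        ("MEDIUM", "SEC-008", not vault["rbac_authorization"]),
        ("LOW", "SEC-009", vault["sku"] == "standard"),
    ]
    return [(sev, rule) for sev, rule, hit in rules if hit]

def gate_exit_code(findings):
    """1 when any CRITICAL or HIGH finding exists, else 0 (per the FAQ)."""
    return 1 if any(sev in ("CRITICAL", "HIGH") for sev, _ in findings) else 0

def scan(vault, assets, now):
    findings = check_vault(vault)
    for asset in assets:
        findings += check_asset(asset, now)
    return findings

# Constructed sample data, not real scan output.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
VAULT = {"public_network_access": True, "soft_delete": True,
         "purge_protection": False, "rbac_authorization": True, "sku": "premium"}
ASSETS = [
    {"kind": "secret", "enabled": True, "expires": NOW - timedelta(days=3)},
    {"kind": "secret", "enabled": False, "expires": NOW - timedelta(days=3)},
    {"kind": "certificate", "enabled": True, "expires": NOW + timedelta(days=10)},
    {"kind": "secret", "enabled": True, "expires": None},
]
```

Calling `scan(VAULT, ASSETS, NOW)` and passing the result to `gate_exit_code` gives the pass/fail decision a pipeline step would act on.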
Scanner Finds Problems. Pro Fixes Them.
The scanner is step one. CertifyClouds Pro automates everything after that.
| Capability | Scanner (Free) | Pro |
|---|---|---|
| Vault discovery & inventory | ✓ | ✓ |
| Expiry tracking | ✓ | ✓ |
| Security findings | ✓ | ✓ |
| JSON / CSV / HTML reports | ✓ | ✓ |
| Continuous monitoring & dashboards | - | ✓ |
| Automated secret rotation | - | ✓ |
| Dependency mapping | - | ✓ |
| Multi-cloud sync (AWS / GCP) | - | ✓ |
| Compliance scoring & audit trail | - | ✓ |
| Email & webhook alerts | - | ✓ |
Frequently Asked Questions
Yes, completely free. No credit card, no trial expiry. Register with your email and scan unlimited vaults, forever. We built it to help Azure teams find expiring secrets before they cause outages.
Only aggregate counts: number of vaults, secrets, certificates, and keys scanned. We never see your vault names, secret values, or any identifiable infrastructure details. Use --offline to disable all telemetry.
Yes. The scanner connects directly to Azure APIs using your local credentials. The only external call is a one-time registration and optional post-scan telemetry to license.certifyclouds.com. Use --offline to skip all external calls after registration.
Reader role on your subscriptions (to discover vaults) and Key Vault Secrets User, Key Vault Certificates User, and Key Vault Crypto User on each vault (to read metadata). The scanner never reads secret values, only expiry dates and metadata.
The scanner is a read-only, point-in-time audit tool. CertifyClouds Pro adds continuous monitoring, automated rotation, dependency mapping, multi-cloud sync, compliance scoring, and alerting. The scanner tells you what's wrong. Pro fixes it automatically.
Yes. Use --format json and --key flags for automation. Exit code 0 means clean, 1 means critical/high findings, 2 means scan error. Perfect for scheduled audits or PR gates.