Feature Description
Add a connector plugin for the HashiCorp Vault CLI (vault) so users can securely retrieve secrets, credentials, and API tokens during GRC evidence collection and IaC scanning workflows.
Motivation
Today, connectors and workflow runbooks often expect secrets as environment variables or inline configuration. Supporting Vault would let teams inject secrets at runtime from an enterprise-grade secret manager, reducing credential sprawl and improving auditability.
Proposed Capabilities
- KV v1 and KV v2 secret retrieval (vault kv get)
- Dynamic secret generation (database, AWS, etc.)
- AppRole and token-based authentication
- Integration with /grc-engineer:collect-evidence and connector setup commands
- Read-only by default; write paths require explicit opt-in
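
One way the read-only default could be enforced before the connector invokes the CLI, as an added sketch that is not the project's code. The function and constant names are hypothetical, and AppRole is assumed to be mounted at the default auth/approle path:

```python
# Added example: argv policy for a Vault CLI connector (hypothetical names).
# Input is the argument vector passed to `vault`, without the leading "vault".

KV_READ = {"get", "list"}        # vault kv get / vault kv list
TOP_READ = {"read", "list"}      # vault read / vault list
TOP_WRITE = {"write", "delete"}  # vault write / vault delete
# AppRole login is performed with `vault write`, so a read-only default
# has to allow this one path explicitly (assumed default mount).
APPROLE_LOGIN = "auth/approle/login"


def check_vault_argv(argv, allow_write=False):
    """Return (allowed, reason). Anything not recognised is denied."""
    if not argv or argv[0].startswith("-"):
        return False, "subcommand must come first"
    # Flags follow the subcommand; classification uses positionals only.
    pos = [a for a in argv if not a.startswith("-")]
    cmd = pos[0]
    if cmd == "kv":
        sub = pos[1] if len(pos) > 1 else ""
        if sub == "metadata":  # KV v2: vault kv metadata get|put|delete
            sub = pos[2] if len(pos) > 2 else ""
        if sub in KV_READ:
            return True, "kv read"
        # put, patch, delete, destroy, ... all change state
    elif cmd in TOP_READ:
        # Note: `vault read database/creds/<role>` is a read to the CLI but
        # mints a new credential and lease; audit it separately.
        return True, "read"
    elif cmd == "write" and len(pos) > 1 and pos[1].strip("/") == APPROLE_LOGIN:
        return True, "approle login"
    elif cmd not in TOP_WRITE:
        return False, "subcommand not on allow-list"
    if allow_write:
        return True, "write (explicit opt-in)"
    return False, "write path requires explicit opt-in"


if __name__ == "__main__":
    # Constructed sample invocations.
    for argv in (["kv", "get", "-field=token", "secret/grc/github"],
                 ["kv", "put", "secret/grc/github", "token=x"],
                 ["write", "auth/approle/login", "role_id=r", "secret_id=s"],
                 ["operator", "seal"]):
        print(argv, "->", check_vault_argv(argv))
```

The Vault policy attached to the connector's token or AppRole remains the actual enforcement boundary; a client-side check like this only keeps the connector from issuing a write by accident.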
Alternatives Considered
- Expect users to export secrets before running Claude Code (less secure, more friction)
- Use AWS/GCP-native secret managers only (vendor lock-in for hybrid/on-prem environments)
References
- Vault CLI docs
- Existing connector pattern: github-inspector, aws-inspector
Linked Linear Issue
Linear: GRC-65