# Asset Discovery

Asset Discovery scans all Azure Key Vaults across your subscriptions to inventory secrets, keys, and certificates with expiration tracking.

## Overview
Discovery provides a centralized view of all vault contents across your Azure environment:
- Multi-subscription scanning: Scan all Key Vaults across multiple Azure subscriptions
- Complete inventory: Secrets, keys, and certificates with metadata
- Expiration tracking: Visual indicators for healthy, warning, and critical status
- Historical data: Track changes over time with scan history
- Delta scanning: Efficient updates using cached data
## What Gets Scanned

### Secrets
| Attribute | Description |
|---|---|
| Name | Secret identifier |
| Enabled | Active or disabled status |
| Expiry Date | When the secret expires (if set) |
| Not Before | Activation date (if set) |
| Created | Creation timestamp |
| Updated | Last modification timestamp |
| Content Type | MIME type (e.g., text/plain, application/json) |
| Tags | Azure tags for categorization |
### Keys
| Attribute | Description |
|---|---|
| Name | Key identifier |
| Enabled | Active or disabled status |
| Expiry Date | When the key expires (if set) |
| Key Type | RSA, EC, or symmetric |
| Key Size | Bits (e.g., 2048, 4096) |
| Key Operations | Permitted operations (encrypt, decrypt, sign, verify) |
| Tags | Azure tags |
### Certificates
| Attribute | Description |
|---|---|
| Name | Certificate identifier |
| Enabled | Active or disabled status |
| Expiry Date | Certificate expiration |
| Issuer | Certificate authority |
| Subject | Certificate subject DN |
| Thumbprint | SHA-1 fingerprint |
| Tags | Azure tags |
## Running a Scan

### From the UI

- Navigate to the Assets tab
- Click Scan Now
- Select scan mode:
    - Full Scan: Complete refresh of all data
    - Delta Scan: Only fetch changes (faster)
- Monitor progress in real-time
- View results when complete

### Via API

```bash
# Start a full scan
curl -X POST http://localhost:8080/api/assets/discovery/scan \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mode": "full"}'

# Start a delta scan (faster)
curl -X POST http://localhost:8080/api/assets/discovery/scan \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mode": "delta"}'
```
## Scan Modes
| Mode | Description | Speed | When to Use |
|---|---|---|---|
| Full | Complete rescan of all vaults | Slower | Initial scan, after permission changes |
| Delta | Only fetch changes since last scan | Faster | Regular scheduled scans |
| Force | Ignore cache, full rescan | Slowest | Troubleshooting, validation |
## Expiration Status
CertifyClouds categorizes assets by expiration status:
| Status | Criteria | Color |
|---|---|---|
| Healthy | Expires in >30 days or no expiry set | Green |
| Warning | Expires in 8-30 days | Orange |
| Critical | Expires in ≤7 days | Red |
| Expired | Already past expiration date | Red |
### Configuring Thresholds
Thresholds are configurable per alert rule:
- Go to Settings > Alerts
- Create or edit an expiring secrets rule
- Set your preferred threshold (e.g., 14, 30, 60 days)
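The status criteria from the table above, written out as a classifier whose warning threshold can be tuned like an alert rule. This is an added example, not CertifyClouds code; the `Asset` shape and the sample inventory are constructed for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not CertifyClouds code: classifies assets with the criteria in
# the status table (healthy >30 days or no expiry, warning 8-30, critical <=7,
# expired) and lets the warning threshold be tuned like an alert rule.

@dataclass(frozen=True)
class Asset:
    vault: str
    kind: str                        # "secret", "key" or "certificate"
    name: str
    expires_on: Optional[datetime]   # None means no expiry date is set

def expiration_status(expires_on, now, warning_days=30, critical_days=7):
    """Return "healthy", "warning", "critical" or "expired" for one asset."""
    if warning_days <= critical_days:
        raise ValueError("warning threshold must be larger than critical threshold")
    if expires_on is None:
        return "healthy"                          # no expiry set counts as healthy
    remaining = expires_on - now
    if remaining <= timedelta(0):
        return "expired"                          # already past the expiration date
    days_left = math.ceil(remaining / timedelta(days=1))   # a partial day counts as a day
    if days_left <= critical_days:
        return "critical"
    if days_left <= warning_days:
        return "warning"
    return "healthy"

def status_distribution(assets, now, warning_days=30, critical_days=7):
    """Counts per status for the dashboard donut chart; every status key is present."""
    counts = Counter({"healthy": 0, "warning": 0, "critical": 0, "expired": 0})
    for asset in assets:
        counts[expiration_status(asset.expires_on, now, warning_days, critical_days)] += 1
    return dict(counts)

# Constructed sample inventory, as a full scan might return it; NOW is fixed so
# the classification is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("kv-prod", "secret", "db-password", NOW + timedelta(days=90)),   # healthy
    Asset("kv-prod", "secret", "api-token", None),                          # healthy
    Asset("kv-prod", "certificate", "tls-web", NOW + timedelta(days=20)),  # warning
    Asset("kv-dev", "key", "signing-key", NOW + timedelta(days=3)),        # critical
    Asset("kv-dev", "secret", "legacy-token", NOW - timedelta(days=10)),   # expired
]
```

Passing `warning_days=14` reproduces a 14-day alert rule: the 20-day certificate then counts as healthy while the 7-day boundary for critical is unchanged.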
## Scan Results

### Dashboard View
The Assets dashboard shows:
- Total Assets: Count by type (secrets, keys, certificates)
- Expiration Distribution: Donut chart of healthy/warning/critical
- Recent Scans: History with duration and counts
- Vault List: All vaults with asset counts
### Asset Details
Click any vault to see:
- Vault Properties: Name, location, resource group, SKU
- Access Configuration: RBAC vs Access Policies
- Network Settings: Public/private access, firewall rules
- Asset List: All secrets, keys, and certificates
### Export Options
Export scan results in multiple formats:
- JSON: For automation and integration
- CSV: For spreadsheets and reporting
- PDF: For compliance documentation
## Scan Performance

### Configuration
Tune scan performance via Settings > Advanced or environment variables:
| Setting | Default | Description |
|---|---|---|
| Max Workers | 5 | Concurrent scanning threads |
| Scan Timeout | 300s | Maximum scan duration |
| Max Retries | 1 | Retry failed vault scans |
| Retry Wait Min | 1s | Minimum retry delay |
| Retry Wait Max | 2s | Maximum retry delay |
### Performance Tips
- Use Delta Scans: For regular monitoring, delta scans are significantly faster
- Reduce Workers: If hitting Azure API rate limits, reduce max workers
- Subscription Filtering: Scan only needed subscriptions to reduce time
- Schedule Off-Peak: Run full scans during low-usage periods
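How the settings in the configuration table interact (Max Workers, Max Retries, Retry Wait Min/Max and Scan Timeout), shown as an added example rather than CertifyClouds code: the worker pool and retry logic are illustrative, and `make_fake_fetch` is a constructed stand-in for the Azure Key Vault API that simulates throttling.

```python
import random
import threading
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError, as_completed

# Added example, not CertifyClouds code: applies the scan settings to a caller-
# supplied fetch(vault) function, so one throttled or broken vault is retried
# and then reported instead of aborting the whole scan.

def scan_vault_with_retry(fetch, vault, max_retries=1, wait_min=1.0, wait_max=2.0, sleep=time.sleep):
    """Call fetch(vault), retrying up to max_retries times with a bounded random wait."""
    for attempt in range(max_retries + 1):
        try:
            return fetch(vault)
        except Exception:
            if attempt == max_retries:
                raise                                    # retries exhausted
            sleep(random.uniform(wait_min, wait_max))    # Retry Wait Min/Max

def scan_vaults(fetch, vaults, max_workers=5, scan_timeout=300.0,
                max_retries=1, wait_min=1.0, wait_max=2.0, sleep=time.sleep):
    """Scan vaults concurrently; return {"results": {vault: items}, "failed": {vault: why}}."""
    results, failed = {}, {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:        # Max Workers
        futures = {pool.submit(scan_vault_with_retry, fetch, v, max_retries,
                               wait_min, wait_max, sleep): v for v in vaults}
        try:
            for fut in as_completed(futures, timeout=scan_timeout):  # Scan Timeout
                try:
                    results[futures[fut]] = fut.result()
                except Exception as exc:
                    failed[futures[fut]] = f"{type(exc).__name__}: {exc}"
        except TimeoutError:
            for fut, vault in futures.items():
                if not fut.done():
                    fut.cancel()                         # pending vaults are dropped
                    failed[vault] = "scan timeout"
    return {"results": results, "failed": failed}

def make_fake_fetch(failures_before_success):
    """Constructed stand-in for the Key Vault API: fail N times per vault, then list."""
    lock = threading.Lock()
    remaining = dict(failures_before_success)
    def fetch(vault):
        with lock:
            if remaining.get(vault, 0) > 0:
                remaining[vault] -= 1
                raise RuntimeError("429 Too Many Requests")   # simulated throttling
        return [f"{vault}/secret-{i}" for i in range(3)]
    return fetch
```

Lowering `max_workers` reduces how many vaults are fetched at once, which is the lever the "Reduce Workers" tip refers to; the `sleep` parameter exists so the retry delay can be stubbed out when testing.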
### Typical Scan Times
| Environment Size | Vaults | Secrets | Approximate Time |
|---|---|---|---|
| Small | 1-10 | <500 | 30-60 seconds |
| Medium | 10-50 | <2,000 | 1-3 minutes |
| Large | 50-200 | <10,000 | 5-15 minutes |
## Scheduled Scanning
CertifyClouds can automatically run discovery scans on a schedule:
### Configure Schedule

- Go to Settings > Discovery
- Enable Scheduled Scanning
- Set frequency:
    - Every 6 hours
    - Every 12 hours
    - Daily
    - Custom cron expression
- Save settings

### Best Practices
- Run at least once daily for compliance monitoring
- Use delta scans for frequent schedules
- Schedule full scans weekly
- Monitor scan history for performance trends
## Filtering and Search

### Filter Options
| Filter | Description |
|---|---|
| Subscription | Filter by Azure subscription |
| Vault | Filter by specific vault |
| Asset Type | Secrets, Keys, or Certificates |
| Status | Healthy, Warning, Critical, Expired |
| Expiry Range | Assets expiring within N days |
### Search
Search across all assets by:
- Name (partial match)
- Tags (key or value)
- Content type
- Vault name
## Troubleshooting

### "Access denied" for some vaults
Cause: CertifyClouds doesn't have read permissions on the vault.
Fix: Run the setup script to grant permissions:
### "Network unreachable" errors
Cause: Key Vault has firewall enabled and CertifyClouds IP is blocked.
Fix: Add your subnet to the vault's firewall rules, or use private endpoints.
### Slow scan times

Cause: Too many concurrent workers hitting rate limits.

Fix: Reduce `DISCOVERY_MAX_WORKERS` to 3 or lower.
### Missing subscriptions

Cause: CertifyClouds doesn't have Reader role on the subscription.

Fix: Grant Reader role at subscription scope:

```bash
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role Reader \
  --scope /subscriptions/<subscription-id>
```
## API Reference

### Start Scan

```http
POST /api/assets/discovery/scan
Content-Type: application/json

{
  "mode": "full",
  "subscriptions": ["sub-id-1", "sub-id-2"]
}
```

`mode` is one of `full`, `delta` or `force` (see Scan Modes above). `subscriptions` is an optional filter; when present, only the listed subscription IDs are scanned.
### Get Scan Status

### Get Scan Results

### List All Assets

## Best Practices
- Run Regular Scans: Schedule daily delta scans for continuous monitoring
- Act on Critical: Address critical expiration items immediately
- Set Up Alerts: Configure email/webhook alerts for expiring assets
- Review Compliance: Check compliance score after each scan
- Archive History: Keep scan history for audit trails