Including and excluding vaults

You control which vaults are scanned through settings in the configuration file.

Use the following settings in the configuration file to scan the vaults:

  • include_all_vaults (Boolean)
  • exclude_vaults (List)
  • vaults (Dictionary)

When include_all_vaults is true, all vaults in the system are scanned except for any vaults specified in the exclude_vaults list.

Think of exclude_vaults as a list of vaults to ignore, and of vaults as a list that specifies details of individual vaults to be scanned.

If include_all_vaults is true and the vaults list is populated, the vaults that are scanned are all vaults that are returned by the Manager, merged with the vaults list from the configuration file.

An error is raised and the Scanner aborts on start-up if the same vault appears in both vaults and exclude_vaults.

Mirror, Proxy, Data Migration

IBM Cloud® Object Storage Scanner does not support scanning of the following:
  • Mirrored vaults
  • Proxy vaults
  • Vaults that are set up for migration

Any vaults of these types are ignored by the scanner, and a warning is logged in the debug log.
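
The include and exclude rules above can be checked against a configuration before the Scanner starts. The following Python function is an added example, not part of the Scanner: it models the documented rules for vault names and prefixes only. The function name, the caller-supplied manager_vaults and unsupported lists, and the misspelled-key lint are assumptions of this example.

```python
import json

DOCUMENTED_KEYS = ("include_all_vaults", "exclude_vaults", "vaults")


def resolve_scan_targets(config, manager_vaults, unsupported=()):
    """Return ({vault: [prefixes]}, warnings); an empty prefix list means the whole vault."""
    warnings = []
    # Added lint (assumption): flag near-miss spellings such as "exclude-vaults".
    for key in config:
        normalized = key.replace("-", "_").lower()
        if key not in DOCUMENTED_KEYS and normalized in DOCUMENTED_KEYS:
            warnings.append(f"key {key!r} looks like a misspelling of {normalized!r}")

    excluded = set(config.get("exclude_vaults", []))
    entries = config.get("vaults", [])
    listed = {entry["vault_name"] for entry in entries}

    # Documented rule: the same vault in both lists aborts start-up.
    conflict = sorted(listed & excluded)
    if conflict:
        raise ValueError(f"in both vaults and exclude_vaults: {conflict}")

    targets = {}
    if config.get("include_all_vaults", False):
        # Every vault the Manager returns, minus the excluded ones ...
        targets = {name: [] for name in manager_vaults if name not in excluded}
    # ... merged with the per-vault entries from the vaults list.
    for entry in entries:
        prefixes = targets.setdefault(entry["vault_name"], [])
        if "prefix" in entry:
            prefixes.append(entry["prefix"])

    # Mirrored, proxy and migration vaults are ignored with a warning.
    for name in sorted(set(targets) & set(unsupported)):
        del targets[name]
        warnings.append(f"vault {name!r} is an unsupported type and is skipped")
    return targets, warnings


# Constructed sample: exclusions plus two prefix filters on one vault.
SAMPLE = json.loads("""{
  "include_all_vaults": true,
  "exclude_vaults": ["mgmt-1", "mgmt-2"],
  "vaults": [{"vault_name": "vault-x", "prefix": "production/finance"},
             {"vault_name": "vault-x", "prefix": "production/marketing"}]
}""")
MANAGER = ["mgmt-1", "mgmt-2", "vault-x", "vault-y", "mirror-1"]  # constructed names
print(resolve_scan_targets(SAMPLE, MANAGER, unsupported=["mirror-1"]))
```

In this model a misspelled key is simply not applied, so the lint warning is the only sign that an intended exclusion is missing from the result.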

Examples for including and excluding vaults

The following examples summarize the rules for including and excluding vaults:

Example 1
  • The system contains 1000 vaults.
  • Five of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
  • The scan includes all vaults except the management vaults.

"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"]

Example 2
  • The system contains 1000 vaults.
  • 5 of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
  • The scan includes all vaults except the management vaults.
  • The scan includes a filter for scanning a vault that is named vault-x.
  • Within vault-x, the scan covers only the objects whose key starts with production/finance.

"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"],
"vaults": [
     {"vault_name":"vault-x", "prefix":"production/finance"}
   ]

Example 3
  • The system contains 1000 vaults.
  • 5 of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
  • The scan includes all vaults except the management vaults.
  • The scan includes a filter for scanning a vault that is named vault-x.
  • Within vault-x, the scan covers only the objects whose key starts with production/finance or production/marketing.

"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"],
"vaults": [
     {"vault_name":"vault-x", "prefix":"production/finance"},
     {"vault_name":"vault-x", "prefix":"production/marketing"}
   ]

Example 4
  • The system contains 1000 vaults.
  • Run a test on three vaults named vault-a, vault-b, and versioned-vault-c.
  • Run a scan on versioned-vault-c and issue LIST requests. Do not issue HEAD requests because the objects do not have custom amz headers.

"include_all_vaults": false,
"vaults": [
     {"vault_name":"vault-a"},
     {"vault_name":"vault-b"},
     {"vault_name":"versioned-vault-c", "has_custom_metadata":false}
   ]