Skip to content

VulnScannerCredential

Source: src/Cloudflare/VulnerabilityScanner/Credential.ts

A credential inside a Cloudflare Vulnerability Scanner credential set — an HTTP header or cookie value the DAST scanner attaches to outgoing requests so it can scan authenticated surfaces.

The credential value is write-only: Cloudflare never returns it, so the provider rotates it by comparing the desired value against the previously deployed one. name, location, and locationName are mutable in place; moving the credential to a different set triggers a replacement.

Creating a Credential

Section titled “Creating a Credential”

Authorization header

const creds = yield* Cloudflare.VulnScannerCredentialSet("scanner-creds", {});


const apiKey = yield* Cloudflare.VulnScannerCredential("api-key", {
  credentialSetId: creds.credentialSetId,
  location: "header",
  // Cloudflare requires normalized (lowercase) header/cookie names.
  locationName: "authorization",
  value: Redacted.make("Bearer my-api-key"),
});

Session cookie

const session = yield* Cloudflare.VulnScannerCredential("session", {
  credentialSetId: creds.credentialSetId,
  location: "cookie",
  locationName: "session_id",
  value: Redacted.make("s3cr3t-session-token"),
});

Rotating the Value

Section titled “Rotating the Value”
// Change the redacted value and redeploy — the provider PUTs the new
// value even though the API never echoes it back.
const rotated = yield* Cloudflare.VulnScannerCredential("api-key", {
  credentialSetId: creds.credentialSetId,
  location: "header",
  locationName: "authorization",
  value: Redacted.make("Bearer my-new-api-key"),
});