feat(shub): add Security Hub integration (#1255)

2026-02-10 23:05:05 +00:00 · 2022-07-21 12:22:56 +02:00
parent 67834c3f8b
commit 7d0a95e98f
10 changed files with 171 additions and 16 deletions
--- a/lib/check/check.py
+++ b/lib/check/check.py
@@ -173,12 +173,18 @@ def import_check(check_path: str) -> ModuleType:
    return lib


-def set_output_options(quiet: bool, output_modes: list, input_output_directory: str):
+def set_output_options(
+    quiet: bool,
+    output_modes: list,
+    input_output_directory: str,
+    security_hub_enabled: bool,
+):
    global output_options
    output_options = Output_From_Options(
        is_quiet=quiet,
        output_modes=output_modes,
-        output_directory=input_output_directory
+        output_directory=input_output_directory,
+        security_hub_enabled=security_hub_enabled
        # set input options here
    )
    return output_options
--- a/lib/check/models.py
+++ b/lib/check/models.py
@@ -13,6 +13,7 @@ class Output_From_Options:
    is_quiet: bool
    output_modes: list
    output_directory: str
+    security_hub_enabled: bool


 # Testing Pending
--- a/lib/outputs/models.py
+++ b/lib/outputs/models.py
@@ -89,6 +89,7 @@ class Check_Output_JSON_ASFF(BaseModel):
    Description: str = ""
    Resources: List[Resource] = None
    Compliance: Compliance = None
+    Remediation: dict = None


@dataclass
--- a/lib/outputs/outputs.py
+++ b/lib/outputs/outputs.py
@@ -10,6 +10,7 @@ from config.config import (
    json_file_suffix,
    prowler_version,
    timestamp,
+    timestamp_utc,
 )
 from lib.outputs.models import (
    Check_Output_CSV,
@@ -20,7 +21,8 @@ from lib.outputs.models import (
    Resource,
    Severity,
 )
-from lib.utils.utils import file_exists, open_file
+from lib.utils.utils import file_exists, hash_sha512, open_file
+from providers.aws.aws_provider import send_to_security_hub


 def report(check_findings, output_options, audit_info):
@@ -83,6 +85,12 @@ def report(check_findings, output_options, audit_info):
                )
                file_descriptors["json-asff"].write(",")

+            # Check if it is needed to send findings to security hub
+            if output_options.security_hub_enabled:
+                send_to_security_hub(
+                    finding.region, finding_output, audit_info.audit_session
+                )
+
    if file_descriptors:
        # Close all file descriptors
        for file_descriptor in file_descriptors:
@@ -189,18 +197,21 @@ def fill_json(finding_output, audit_info, finding):


 def fill_json_asff(finding_output, audit_info, finding):
-    finding_output.Id = f"prowler-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{str(hash(finding.resource_id))}"
+    # Check if there are no resources in the finding
+    if finding.resource_id == "":
+        finding.resource_id = "NONE_PROVIDED"
+    finding_output.Id = f"prowler-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{hash_sha512(finding.resource_id)}"
    finding_output.ProductArn = f"arn:{audit_info.audited_partition}:securityhub:{finding.region}::product/prowler/prowler"
    finding_output.ProductFields = ProductFields(
        ProviderVersion=prowler_version, ProwlerResourceName=finding.resource_id
    )
    finding_output.GeneratorId = "prowler-" + finding.check_metadata.CheckID
    finding_output.AwsAccountId = audit_info.audited_account
-    finding_output.Types = finding.check_metadata.CheckType
+    finding_output.Types = [finding.check_metadata.CheckType]
    finding_output.FirstObservedAt = (
        finding_output.UpdatedAt
-    ) = finding_output.CreatedAt = timestamp.isoformat()
-    finding_output.Severity = Severity(Label=finding.check_metadata.Severity)
+    ) = finding_output.CreatedAt = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    finding_output.Severity = Severity(Label=finding.check_metadata.Severity.upper())
    finding_output.Title = finding.check_metadata.CheckTitle
    finding_output.Description = finding.check_metadata.Description
    finding_output.Resources = [
@@ -211,9 +222,14 @@ def fill_json_asff(finding_output, audit_info, finding):
            Region=finding.region,
        )
    ]
+    # Add ED to PASS or FAIL (PASSED/FAILED)
    finding_output.Compliance = Compliance(
-        Status=finding.status, RelatedRequirements=[finding.check_metadata.CheckType]
+        Status=finding.status + "ED",
+        RelatedRequirements=[finding.check_metadata.CheckType],
    )
+    finding_output.Remediation = {
+        "Recommendation": finding.check_metadata.Remediation.Recommendation
+    }

    return finding_output

--- a/lib/utils/utils.py
+++ b/lib/utils/utils.py
@@ -1,5 +1,6 @@
 import json
 import sys
+from hashlib import sha512
 from io import TextIOWrapper
 from os.path import exists
 from typing import Any
@@ -40,3 +41,8 @@ def file_exists(filename: str):
            return True
        else:
            return False
+
+
+# create sha512 hash for string
+def hash_sha512(string: str) -> str:
+    return sha512(string.encode("utf-8")).hexdigest()[0:9]