feat(ecs_task_definitions_no_environment_secrets): Update resource_id (#1665)

Co-authored-by: sergargar <sergio@verica.io>
2026-02-10 06:45:08 +00:00 · 2023-01-09 17:05:45 +02:00
parent f9d67f0e9d
commit b965fda226
2 changed files with 16 additions and 16 deletions
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
@@ -15,10 +15,10 @@ class ecs_task_definitions_no_environment_secrets(Check):
        for task_definition in ecs_client.task_definitions:
            report = Check_Report_AWS(self.metadata())
            report.region = task_definition.region
-            report.resource_id = task_definition.name
+            report.resource_id = f"{task_definition.name}:{task_definition.revision}"
            report.resource_arn = task_definition.arn
            report.status = "PASS"
-            report.status_extended = f"No secrets found in variables of ECS task definition {task_definition.name} revision {task_definition.revision}"
+            report.status_extended = f"No secrets found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision}"
            if task_definition.environment_variables:
                for env_var in task_definition.environment_variables:
                    dump_env_vars = {}
@@ -36,7 +36,7 @@ class ecs_task_definitions_no_environment_secrets(Check):

                if secrets.json():
                    report.status = "FAIL"
-                    report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} revision {task_definition.revision}"
+                    report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision}"

                os.remove(temp_env_data_file.name)

--- a/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py
+++ b/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py
@@ -1,4 +1,3 @@
-from re import search
 from unittest import mock

 from prowler.providers.aws.services.ecs.ecs_service import (
@@ -9,6 +8,7 @@ from prowler.providers.aws.services.ecs.ecs_service import (
 AWS_REGION = "eu-west-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
 task_name = "test-task"
+task_revision = "1"
 env_var_name_no_secrets = "host"
 env_var_value_no_secrets = "localhost:1234"
 env_var_name_with_secrets = "DB_PASSWORD"
@@ -38,7 +38,7 @@ class Test_ecs_task_definitions_no_environment_secrets:
        ecs_client.task_definitions.append(
            TaskDefinition(
                name=task_name,
-                arn=f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:1",
+                arn=f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:{task_revision}",
                revision="1",
                region=AWS_REGION,
                environment_variables=[
@@ -61,14 +61,14 @@ class Test_ecs_task_definitions_no_environment_secrets:
            result = check.execute()
            assert len(result) == 1
            assert result[0].status == "PASS"
-            assert search(
-                "No secrets found in variables of ECS task definition",
-                result[0].status_extended,
+            assert (
+                result[0].status_extended
+                == f"No secrets found in variables of ECS task definition {task_name} with revision {task_revision}"
            )
-            assert result[0].resource_id == task_name
+            assert result[0].resource_id == f"{task_name}:1"
            assert (
                result[0].resource_arn
-                == f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:1"
+                == f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:{task_revision}"
            )

    def test_container_env_var_with_secrets(self):
@@ -77,7 +77,7 @@ class Test_ecs_task_definitions_no_environment_secrets:
        ecs_client.task_definitions.append(
            TaskDefinition(
                name=task_name,
-                arn=f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:1",
+                arn=f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:{task_revision}",
                revision="1",
                region=AWS_REGION,
                environment_variables=[
@@ -100,12 +100,12 @@ class Test_ecs_task_definitions_no_environment_secrets:
            result = check.execute()
            assert len(result) == 1
            assert result[0].status == "FAIL"
-            assert search(
-                "Potential secret found in variables of ECS task definition",
-                result[0].status_extended,
+            assert (
+                result[0].status_extended
+                == f"Potential secret found in variables of ECS task definition {task_name} with revision {task_revision}"
            )
-            assert result[0].resource_id == task_name
+            assert result[0].resource_id == f"{task_name}:1"
            assert (
                result[0].resource_arn
-                == f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:1"
+                == f"arn:aws:ecs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:task-definition/{task_name}:{task_revision}"
            )