Support setting entropy limit for detect-secrets from env

README.md

@@ -327,6 +327,16 @@ In order to remove noise and get only FAIL findings there is a `-q` flag that ma
 ./prowler -q -M csv -b
 ```
 
+### Set the entropy limit for detect-secrets
+
+Sets the entropy limit for high entropy base64 strings from environment variable `BASE64_LIMIT`. Value must be between 0.0 and 8.0, defaults is 4.5.
+Sets the entropy limit for high entropy hex strings from environment variable `HEX_LIMIT`. Value must be between 0.0 and 8.0, defaults is 3.0.
+
+```sh
+export BASE64_LIMIT=4.5
+export HEX_LIMIT=3.0
+```
+
 ## Security Hub integration
 
 Since version v2.3, Prowler supports natively sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and now from Prowler. It is as simple as running the command below:

include/secrets_detector

@@ -24,16 +24,16 @@ secretsDetector(){
             mkdir $SECRETS_TEMP_FOLDER
         fi
         PYTHON_PIP_DETECTSECRETS_INSTALLED=1
-        # Sets the entropy limit for high entropy base64 strings. Value
+        # Sets the entropy limit for high entropy base64 strings from
-        # must be between 0.0 and 8.0, defaults is 4.5.
+        # environment variable BASE64_LIMIT.
-        BASE64_LIMIT=3.0
+        # Value must be between 0.0 and 8.0, defaults is 4.5.
-        # Sets the entropy limit for high entropy hex strings. Value
+        # Sets the entropy limit for high entropy hex strings from
-        # must be between 0.0 and 8.0, defaults is 3.0.
+        # environment variable HEX_LIMIT.
-        HEX_LIMIT=3.0
+        # Value must be between 0.0 and 8.0, defaults is 3.0.
         case $1 in
             file )
                 # this is to scan a file
-                detect-secrets scan --hex-limit $HEX_LIMIT --base64-limit $BASE64_LIMIT $2 | \
+                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} $2 | \
                 jq -r '.results[]|.[] | [.line_number, .type]|@csv' | wc -l
                 #jq -r '.results[] | .[] | "\(.line_number)\t\(.type)"'
                 # this command must return values in two colums:
@@ -41,12 +41,12 @@ secretsDetector(){
                 ;;
             string )
                 # this is to scan a given string
-                detect-secrets scan --hex-limit $HEX_LIMIT --base64-limit $BASE64_LIMIT --string $2 | \
+                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} --string $2 | \
                 grep True| wc -l
             ;;
             folder )
                 # this is to scan a given folder with all lambda files
-                detect-secrets scan --hex-limit $HEX_LIMIT --base64-limit $BASE64_LIMIT --all-files $2 | \
+                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} --all-files $2 | \
                 jq -r '.results[]|.[] | [.line_number, .type]|@csv' | wc -l
             ;;
         esac