chore(secrets): Improve the status_extended with more information (#1937)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
Fennerr
2023-02-21 12:37:20 +02:00
committed by GitHub
parent f913536d88
commit c6647b4706
8 changed files with 68 additions and 19 deletions


@@ -26,15 +26,40 @@ class awslambda_function_no_secrets_in_code(Check):
function.code.code_zip.extractall(tmp_dir_name)
# List all files
files_in_zip = next(os.walk(tmp_dir_name))[2]
secrets_findings = []
for file in files_in_zip:
secrets = SecretsCollection()
with default_settings():
secrets.scan_file(f"{tmp_dir_name}/{file}")
detect_secrets_output = secrets.json()
if detect_secrets_output:
for (
file_name
) in (
detect_secrets_output.keys()
): # Appears that only 1 file is being scanned at a time, so could rework this
output_file_name = file_name.replace(
f"{tmp_dir_name}/", ""
)
secrets_string = ", ".join(
[
f"{secret['type']} on line {secret['line_number']}"
for secret in detect_secrets_output[file_name]
]
)
secrets_findings.append(
f"{output_file_name}: {secrets_string}"
)
if secrets.json():
report.status = "FAIL"
report.status_extended = f"Potential secret found in Lambda function {function.name} code"
break
if secrets_findings:
final_output_string = "; ".join(secrets_findings)
report.status = "FAIL"
# report.status_extended = f"Potential {'secrets' if len(secrets_findings)>1 else 'secret'} found in Lambda function {function.name} code. {final_output_string}"
if len(secrets_findings) > 1:
report.status_extended = f"Potential secrets found in Lambda function {function.name} code -> {final_output_string}"
else:
report.status_extended = f"Potential secret found in Lambda function {function.name} code -> {final_output_string}"
# break // Don't break as there may be additional findings
findings.append(report)
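Review bot: `files_in_zip = next(os.walk(tmp_dir_name))[2]` (context at the top of the hunk) lists only the files in the root of the extracted package, so a secret in any subdirectory of the deployment zip (handlers under `src/`, vendored libraries) is never scanned and the check stays PASS; the new per-file reporting inherits that gap. Walking the whole tree closes it, and the existing `file_name.replace(f"{tmp_dir_name}/", "")` then yields a package-relative path: `for root, _dirs, names in os.walk(tmp_dir_name): for file in names: secrets.scan_file(os.path.join(root, file))`. The commented-out `# report.status_extended = ...` line and `# break // Don't break ...` should be deleted or reduced to a plain why-comment such as `# keep scanning: other files may hold further findings`. The enclosing loop and method continue past the end of the hunk.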


@@ -27,7 +27,8 @@ class awslambda_function_no_secrets_in_variables(Check):
temp_env_data_file = tempfile.NamedTemporaryFile(delete=False)
temp_env_data_file.write(
bytes(
json.dumps(function.environment), encoding="raw_unicode_escape"
json.dumps(function.environment, indent=2),
encoding="raw_unicode_escape",
)
)
temp_env_data_file.close()
@@ -35,9 +36,17 @@ class awslambda_function_no_secrets_in_variables(Check):
with default_settings():
secrets.scan_file(temp_env_data_file.name)
if secrets.json():
detect_secrets_output = secrets.json()
if detect_secrets_output:
environment_variable_names = list(function.environment.keys())
secrets_string = ", ".join(
[
f"{secret['type']} in variable {environment_variable_names[int(secret['line_number'])-2]}"
for secret in detect_secrets_output[temp_env_data_file.name]
]
)
report.status = "FAIL"
report.status_extended = f"Potential secret found in Lambda function {function.name} variables"
report.status_extended = f"Potential secret found in Lambda function {function.name} variables -> {secrets_string}"
os.remove(temp_env_data_file.name)
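Review bot: `environment_variable_names[int(secret['line_number'])-2]` silently depends on the `json.dumps(function.environment, indent=2)` in the first hunk emitting `{` on line 1 and exactly one key per line after it; nothing says so at the lookup, so a later change to the serialisation (sort_keys, another indent, a non-flat value) would name the wrong variable or raise IndexError. Add a comment at the lookup, e.g. `# line N of the indent=2 dump is key N-2; keep in sync with the json.dumps above`, and consider a bounds check that falls back to the raw line number. Separately, the temp file holding the plaintext variables is removed only on the success path: if `scan_file` raises, `os.remove` never runs and the secrets stay on disk, so wrap the scan in `try:` … `finally: os.remove(temp_env_data_file.name)`. The enclosing method continues past the end of the hunk.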


@@ -26,7 +26,7 @@ class ecs_task_definitions_no_environment_secrets(Check):
temp_env_data_file = tempfile.NamedTemporaryFile(delete=False)
env_data = dumps(dump_env_vars)
env_data = dumps(dump_env_vars, indent=2)
temp_env_data_file.write(bytes(env_data, encoding="raw_unicode_escape"))
temp_env_data_file.close()
@@ -34,9 +34,16 @@ class ecs_task_definitions_no_environment_secrets(Check):
with default_settings():
secrets.scan_file(temp_env_data_file.name)
if secrets.json():
detect_secrets_output = secrets.json()
if detect_secrets_output:
secrets_string = ", ".join(
[
f"{secret['type']} on line {secret['line_number']}"
for secret in detect_secrets_output[temp_env_data_file.name]
]
)
report.status = "FAIL"
report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision}"
report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision} -> {secrets_string}"
os.remove(temp_env_data_file.name)
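Review bot: `f"{secret['type']} on line {secret['line_number']}"` reports a line of the temporary JSON dump that `os.remove` deletes two lines later, so the number is nothing a reader can look up in the task definition; the Lambda variables check in this same commit resolves the line to the variable name, and this check should do the same for consistency (assuming `dump_env_vars` is a flat name→value mapping — it is built outside the hunk and needs confirming), or at least label it `on line {n} of the environment dump`. As in the Lambda check, the temp file containing the plaintext values is removed only when `scan_file` returns normally; `try:` … `finally: os.remove(temp_env_data_file.name)` keeps it from lingering after an exception. The enclosing loop continues past the end of the hunk.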


@@ -24,18 +24,26 @@ class ssm_document_secrets(Check):
if document.content:
temp_env_data_file = tempfile.NamedTemporaryFile(delete=False)
temp_env_data_file.write(
bytes(json.dumps(document.content), encoding="raw_unicode_escape")
bytes(
json.dumps(document.content, indent=2),
encoding="raw_unicode_escape",
)
)
temp_env_data_file.close()
secrets = SecretsCollection()
with default_settings():
secrets.scan_file(temp_env_data_file.name)
if secrets.json():
report.status = "FAIL"
report.status_extended = (
f"Potential secret found in SSM Document {document.name}"
detect_secrets_output = secrets.json()
if detect_secrets_output:
secrets_string = ", ".join(
[
f"{secret['type']} on line {secret['line_number']}"
for secret in detect_secrets_output[temp_env_data_file.name]
]
)
report.status = "FAIL"
report.status_extended = f"Potential secret found in SSM Document {document.name} -> {secrets_string}"
os.remove(temp_env_data_file.name)
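Review bot: the `on line {secret['line_number']}` in the new `status_extended` is a line of `json.dumps(document.content, indent=2)`, not of the SSM document as stored, so an operator opening the document in the console will not find the secret at that line; either say so in the message (`on line {n} of the JSON-serialised content`) or report the JSON key path instead. The test below expects `on line 2`, which presumes `document.content` is a mapping — worth confirming, since a string content would serialise to a single line. The temp file is again removed only when `scan_file` returns normally; `try:` … `finally: os.remove(temp_env_data_file.name)` avoids leaving a plaintext copy of the document on disk after an exception. The enclosing method continues past the end of the hunk.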


@@ -76,7 +76,7 @@ class Test_awslambda_function_no_secrets_in_code:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Potential secret found in Lambda function {function_name} code"
== f"Potential secret found in Lambda function {function_name} code -> lambda_function.py: Secret Keyword on line 3"
)
def test_function_code_without_secrets(self):
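Review bot: the updated assertion covers only the single-file, single-finding case, so the `Potential secrets ... -> a: ...; b: ...` branch the check now adds for more than one finding is not exercised, nor is the `; ` separator between files. Add a test whose zip holds two files with a secret each — one in a subdirectory, which would also document whether nested files are scanned — and assert the joined string, e.g. `== f"Potential secrets found in Lambda function {function_name} code -> a.py: Secret Keyword on line 1; b.py: Secret Keyword on line 1"` with line numbers matching the fixture. The expected text hard-codes the detect-secrets plugin name `Secret Keyword`, which is inherent to asserting the full string but means a detect-secrets upgrade can fail this test without any change in the check.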


@@ -102,7 +102,7 @@ class Test_awslambda_function_no_secrets_in_variables:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Potential secret found in Lambda function {function_name} variables"
== f"Potential secret found in Lambda function {function_name} variables -> Secret Keyword in variable db_password"
)
def test_function_no_secrets_in_variables(self):
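Review bot: the single `db_password` variable sits on line 2 of the dump, i.e. index 0, so this assertion cannot tell whether the `line_number - 2` offset in the check is right for any other position — an off-by-one there would still pass. Add a case with several variables where the secret is not the first one and assert that the correct name is reported, e.g. the same `-> Secret Keyword in variable db_password` string with `db_password` declared after two harmless variables. Whether the fixture already declares other variables is outside the hunk.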


@@ -102,7 +102,7 @@ class Test_ecs_task_definitions_no_environment_secrets:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Potential secret found in variables of ECS task definition {task_name} with revision {task_revision}"
== f"Potential secret found in variables of ECS task definition {task_name} with revision {task_revision} -> Secret Keyword on line 2"
)
assert result[0].resource_id == f"{task_name}:1"
assert (


@@ -59,7 +59,7 @@ class Test_ssm_documents_secrets:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Potential secret found in SSM Document {document_name}"
== f"Potential secret found in SSM Document {document_name} -> Secret Keyword on line 2"
)
def test_document_no_secrets(self):