-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add configuration for secret related checks #3905
Comments
Thanks @pr3l14t0r, this is a good idea to enhance our Mutelist feature! what do you think @jfagoagas @sergargar ? |
Hi @pr3l14t0r, I'm going to answer you inline:
Thanks for using Prowler 🚀 |
@jfagoagas Well... the check
I don't know what exactly the "environment": [
{
"name": "GCP_SECRET_ARN",
"value": "arn:aws:secretsmanager:<aws-region>:<aws-account-id>:secret:<name-of-my-secret>"
},
{
"name": "S3_BUCKET",
"value": "<REDACTED-name-of-my-output-bucket>"
},
{
"name": "AWS_STACK",
"value": "<name-of-my-aws-stack>"
}
] does it get flagged because if have named the environment variable |
That's not possible at the moment... In my example from above the |
Hi @pr3l14t0r,
That line number comes from the AWS ECS API response, sometimes there are differences between the format returned by the API and how is shown in the AWS Console.
I need to review the
You are right, we have identified some other scenarios like this and we are thinking about ways to improve the mutelist to allow combinations but for that we need to include more in the finding object, like the secret name for this use case. The only I can recommend you now is to move that secret from the Another option we are evaluating is to include the configuration you suggested with Thanks for using Prowler 🚀 |
I came here to open a similar issue - Specifically around the keys that are considered secret in Lambda envars
Just because I have the word "SECRET" doesn't mean there is a secret. In this case I'm just pointing my function to Secrets Manager. I'm not sure the Mutelist would help. As currently configured, the mutelist would allow you to mute specific resources, not attributes of a specific resource. This does seem to fit better as an array of |
Hi! @pr3l14t0r you can see the final approach for this issue here. Finally, we think that the best way to go is to improve the config from P.D. In any case, we do not rule out adding additional configuration to the checks you mentioned. |
hey! @pr3l14t0r @jchrisfarris finally we added a field on the |
Heyho @pedrooot !! |
Heyho @pedrooot ! The feature is available in version While testing, i have encountered a few errors and the results would be wrong. Example: Let's say i have a lambda with a variable configured like this: {
"Variables": {
"DATABASE_PASSWORD": "123456789ABCEF"
"SOME_API_KEY": "1234-4567-890-1234"
}
} Both Now i run the same thing again with using a config that looks like this: secrets_ignore_patterns:
[
"*ARN*",
"*SECRET_ARN*",
"arn:aws:secretsmanager",
"secretsmanager",
"arn:aws:ssm"
] Suddenly, all the secret-related checks do pass. And when i check the results for the functions' ARN, i see this in the description:
While the secrets should technically have been detected. Furthermore during runtime, i see a lot of these errors when i run with the configuration:
There are like hundreds of these lines.. Both on So unfortunately the configuration does not work for me, and even more bad: Findings won't get flagged correctly using the configuration... Any idea how i can sort this out? If it helps i can create a new issue for this. Thanks for any help in advance. :) Cheers! |
Hello @pr3l14t0r the issue here is that you are setting a list of regexp starting with an
Could you please try that? We will need also to add validation to inform that the regexp is not valid. The |
@jfagoagas thank you for your response!
Ah.. sorry, i must have completely overseen that... 🤦🏼 So stupid.. I am quite certain that i have already tested without the asterisks.. I will invoke another test according to your guidance and will let you know. :) Thanks again for your response, you guys are awesome! |
It is fine, we are here to always help you!
Thank you 🚀 |
New feature motivation
All checks related to secret detection lead to a massive amount of false positives. This could get prevented if there would be a possibility to configure those checks, since most of them use the
detect-secrets
package.Use case:
The checks awslambda_function_no_secrets_in_variables and ecs_task_definitions_no_environment_secrets do use the detect-secrets package.
Unfortunately there is no possibility (at least no documented one) that allows to configure the checks done with that package. The repository documents how you can use a customized settings file, which can for example adjust the threshold of
Base64HighEntropyString
etc.Could it be possible to add the JSON like config to the prowler's config.yaml?
Furthermore it would be nice to have an option to filter out environment variable names.
Example:
In an AWS
TaskDefinition
i use a variable namedGCP_SECRET_ARN
. This contains an ARN toAWS_SECRETS_MANAGER
service which will be used during runtime of a script to retrieve a JSON, since it is not really an option to mount a JSON with newline characters into an environment variable as secret. Thus i would like to filter out for name patterns like "*SECRET_ARN
".Would this make sense to you, too?
As documented for
detect-secrets
, one could use the following parameter:This could already help me out for my use-case.
Solution Proposed
Add an option to the config.yaml that would apply to all scans which use
detect-secrets
.My pseudo example:
And then fetch those values in the corresponding python scripts...
I know: configuring this is more a global option than a "per-check" option. So maybe it makes even more sense to create a default config-file for
detect-secrets
which someone could adjust. Just as with the yaml files.Describe alternatives you've considered
I did consider to overwrite the python scripts for the mentioned checks, but this is somewhat unfeasible to have it within a deployment CI-CD deployment.. It would be more easy if i could just specify or change a global settings file for the
detect-secrets
package.Additional context
Maybe i have overseen something in the documentation or something in the code itself. So if there already is a solution for my presented use cases, i would already like to apologize.
The text was updated successfully, but these errors were encountered: