Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make DetectSecrets detectors configurable #6522

Closed
kagahd opened this issue Jan 14, 2025 · 5 comments · Fixed by #6544
Closed

make DetectSecrets detectors configurable #6522

kagahd opened this issue Jan 14, 2025 · 5 comments · Fixed by #6544
Assignees
@pedrooot
Labels
feature-request New feature request for Prowler. status/waiting-for-revision Waiting for maintainer's revision

Comments

@kagahd
Copy link
Contributor

kagahd commented Jan 14, 2025

New feature motivation

Instead to have all the detectors hard coded in utils.py, they could/should be in config.yaml. This would make it easier to deactivate detectors aka plugins.

Solution Proposed

For example, the KeywordDetector finds a lot of false-positives because even if the keyword is suspicious (e.g. DB_PASSWORD) the value may be harmless (e.g. the ARN to the secret in AWS secrets manager). Even worse, the user could only mitigate the "potential risk" by renaming the keyword, not its value, to make the check pass.
However, I wouldn't wipe the KeywordDetector one for all because it can be used for manual audits. Thus, making the used detectors configurable would be a good solution.

Describe alternatives you've considered

None so far

Additional context

No response
@kagahd kagahd added feature-request New feature request for Prowler. status/needs-triage Issue pending triage labels Jan 14, 2025
@pedrooot
Copy link
Member

Hey! @kagahd

Thanks for your feature request! I'll discuss this with the team and I'll be back with a solution.

@pedrooot pedrooot self-assigned this Jan 15, 2025
@pedrooot pedrooot added status/waiting-for-revision Waiting for maintainer's revision and removed status/needs-triage Issue pending triage labels Jan 15, 2025
@pedrooot pedrooot mentioned this issue Jan 15, 2025
Merged
4 tasks
@pedrooot
Copy link
Member

@kagahd on this PR you can see the solution!

@kagahd
Copy link
Contributor Author

kagahd commented Jan 15, 2025

Hi @pedrooot thanks for the quick implementation! Looks good to me! 👍

@kagahd
Copy link
Contributor Author

kagahd commented Jan 15, 2025
edited
Loading

Btw. I opened a PR on Yelp/DetectSecrets to add a new detector for Aiven tokens. However, I doubt that it will be merged soon considering all the open, unmerged other PR's for new detectors.
Do you mind integrating the AivenTokenDetector into Prowler? It's just copying detect_secrets/plugins/aiven_token.py to the site-packages folder. That would save me patching the Prowler image.

@jfagoagas
Copy link
Member

Hello @kagahd we are trying to push the detect-secrets team to increase the release frequency since we sent 2 PRs to improve things that are merged but not released yet. I recommend you doing the same since we don't have bandwidth to have like a fork and maintain it.

We are exploring several options since we can't be blocked by having a dependency without an active maintenance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pedrooot pedrooot

Labels
feature-request New feature request for Prowler. status/waiting-for-revision Waiting for maintainer's revision
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(detect-secrets): get secrets plugins from config.yaml prowler-cloud/prowler
3 participants
@jfagoagas @kagahd @pedrooot