prowler
prowler copied to clipboard
prowler-cloud
Allow secrets to be output when explicitly asked for using a flag
New feature motivation
There are use cases when it would be useful for the secret values to be output to the file It would help consultants whom have limited to to assess an account - and then they dont need to pull the source code for each lambda function (or look at the ones that are small enough in the console)
Solution Proposed
I havnt investigated on how to pass a cli option through to the check - but here is the pseudo-code on how to add the secret value to the output
class awslambda_function_no_secrets_in_code(Check):
def execute(self):
findings = []
for function in awslambda_client.functions.values():
if function.code:
report = Check_Report_AWS(self.metadata())
# ... [rest of the existing code]
if detect_secrets_output:
for file_name in detect_secrets_output.keys():
output_file_name = file_name.replace(f"{tmp_dir_name}/", "")
if <some check for the "show_secrets" flag>:
secrets_string = ", ".join(
[
f"{secret['type']} (Value: {secret['secret_value']}) on line {secret['line_number']}"
for secret in detect_secrets_output[file_name]
]
)
else:
secrets_string = ", ".join(
[
f"{secret['type']} on line {secret['line_number']}"
for secret in detect_secrets_output[file_name]
]
)
secrets_findings.append(f"{output_file_name}: {secrets_string}")
if <some check for the "show_secrets" flag>: would need to be updated
Describe alternatives you've considered
None
Additional context
No response
Hi @Fennerr, we've talked internally about this possibility:
- The
detect-secretslibrary has not the ability to show the detected secrets in plaintext. We could extract it from the source code using the line reported by the library. - We think is not a good practice to output the detected secret in the Prowler output.
- We think is enough to have the secret type and the line number for the auditor because you can pass that information to the code owner to fix the issue in a secret manner.
What do you think?
@jfagoagas that makes sense. I did notice that detect-secrets didnt actually store the the secret as plaintext, and thought about extracting it from the temp file it flagged on. But it could make the output very messy, especially if there are very long lines (such as a block of high entropy base64 encoded data).
What about having an option to store the lambda function's code in a detect-secrets-output folder within the output folder?
The last account I was looking at, the check flagged for ~180 lambda functions. It takes a while cross-referencing prowler to the lambda in the account (and switching regions), and since the code was already downloaded when prowler ran, it would be nice to have an option to preserve the code.
This would be an opt in option.
It could also be part of how secrets scanning is handled in general in the future (with a multiprocessing pool for secrets detection checks - as these checks are often CPU intensive and don't benefit from multithreading pools)
@Fennerr I'm not sure about saving code locally even with an option. I'm still don't get the benefits of having the source code just if it contains some plaintext secrets, but for sure you find value in that so we can discuss about it.