
feat(stackit): add new provider and first check

Open johannes-engler-mw opened this issue 1 month ago • 4 comments

Add StackIT Cloud Provider Support

Summary

This PR adds complete support for StackIT Cloud as a new provider in Prowler, enabling security assessments of StackIT infrastructure. The implementation focuses on critical network security checks for IaaS resources.

What's New

Provider Implementation

  • ✅ Complete StackIT provider with authentication, identity management, and configuration
  • ✅ IaaS service integration using the official StackIT Python SDK
  • ✅ Thread-safe credential handling without environment variable pollution
  • ✅ Project-based scoping with UUID validation

Security Checks (4 IaaS Checks)

  1. iaas_security_group_ssh_unrestricted - Detects unrestricted SSH access (port 22)
  2. iaas_security_group_rdp_unrestricted - Detects unrestricted RDP access (port 3389)
  3. iaas_security_group_database_unrestricted - Detects exposed database ports (MySQL, PostgreSQL, MongoDB, Redis, SQL Server, CouchDB)
  4. iaas_security_group_all_traffic_unrestricted - Detects security groups allowing all traffic

Check Features:

  • Scans ingress TCP rules for unrestricted access (0.0.0.0/0, ::/0, or None)
  • Only reports security groups attached to NICs with public IPs
  • Handles optional protocol and IP range fields (None = unrestricted)

Authentication

  • Service account key-based authentication via StackIT CLI
  • Generate access tokens: stackit auth activate-service-account --service-account-key-path <key> --only-print-access-token
  • Environment variable or CLI argument support
  • Complete token redaction in logs

Documentation

  • Comprehensive developer guide at docs/developer-guide/stackit-details.mdx
  • Provider architecture documentation
  • Step-by-step authentication setup
  • Check implementation patterns
  • Troubleshooting guide

Technical Details

Dependencies

  • Python Version: Bumped minimum from 3.9.1 to 3.10 (required for StackIT SDK urllib3 compatibility)
  • New Dependencies:
    • stackit-core==0.2.0 - Core SDK for authentication
    • stackit-iaas==0.9.0 - IaaS service management
    • stackit-objectstorage==1.2.1 - For future object storage checks and connection test

Testing

  • ✅ Full test coverage for all checks and services
  • ✅ 100% test pass rate
  • ✅ Comprehensive unit tests with mocked API responses

Code Quality

  • Type Hints: 90-95% coverage
  • Security: Thread-safe, complete credential redaction
  • Patterns: Follows Prowler best practices and provider patterns

Usage Examples

Basic Scan

# Generate access token
export TOKEN=$(stackit auth activate-service-account \
  --service-account-key-path ~/sa-key.json \
  --only-print-access-token)

# Run Prowler
prowler stackit \
  --stackit-api-token "$TOKEN" \
  --stackit-project-id "12345678-1234-1234-1234-123456789abc"

Specific Checks

prowler stackit \
  --stackit-api-token "$TOKEN" \
  --stackit-project-id "$PROJECT_ID" \
  --checks iaas_security_group_ssh_unrestricted

Breaking Changes

Python Version: Minimum Python version increased from 3.9.1 to 3.10
Reason: Required for StackIT SDK urllib3 2.x compatibility with botocore

Future Enhancements

  • Multi-project scanning
  • Multi-region support (eu02)
  • Additional IaaS checks (volume encryption, server exposure, backup status)
  • ObjectStorage service checks
  • Compliance framework mappings

Testing Checklist

  • All 4 checks execute successfully
  • Authentication works with access tokens
  • Provider properly handles missing credentials
  • Security groups correctly filtered by public IP attachment
  • Optional fields (protocol, ip_range) handled correctly
  • All tests pass
  • Documentation is complete and accurate

johannes-engler-mw, Nov 14 '25 15:11
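The four checks listed above share one rule-evaluation model: an ingress rule whose source is 0.0.0.0/0, ::/0 or unset counts as unrestricted, an unset protocol or port range counts as "any", and a group is only reported if a NIC with a public IP carries it. The block below is an added example of that logic written against constructed data; it is not Prowler's code and not the StackIT SDK's. The Rule, SecurityGroup and Nic dataclasses are a simplified stand-in for the SDK models (their field names are assumed), and the database port numbers are the common defaults for the engines the PR names.

```python
"""Model of the four StackIT security-group checks described in the PR.

Added example, not Prowler's or the StackIT SDK's code. Rule / SecurityGroup /
Nic are a simplified stand-in for the SDK models (field names assumed); the
database port numbers are the usual defaults for the engines the PR lists.
"""
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED_SOURCES = (None, "0.0.0.0/0", "::/0")  # None = no ip_range set = any source
DATABASE_PORTS = {
    3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB",
    6379: "Redis", 1433: "SQL Server", 5984: "CouchDB",
}


@dataclass
class Rule:
    direction: str                    # "ingress" or "egress"
    protocol: Optional[str] = None    # None = any protocol
    ip_range: Optional[str] = None    # None = any source
    port_start: Optional[int] = None  # None (with port_end None) = all ports
    port_end: Optional[int] = None


@dataclass
class SecurityGroup:
    id: str
    rules: list


@dataclass
class Nic:
    id: str
    public_ip: Optional[str]          # None = private address only
    security_group_ids: list


def rule_covers_port(rule: Rule, port: int) -> bool:
    """No port range at all covers every port; a single bound covers just that port."""
    if rule.port_start is None and rule.port_end is None:
        return True
    start = rule.port_start if rule.port_start is not None else rule.port_end
    end = rule.port_end if rule.port_end is not None else rule.port_start
    return start <= port <= end


def rule_opens_tcp_port(rule: Rule, port: int) -> bool:
    """Ingress, TCP or any-protocol, from anywhere, covering the port."""
    return (rule.direction == "ingress"
            and rule.protocol in (None, "tcp")
            and rule.ip_range in UNRESTRICTED_SOURCES
            and rule_covers_port(rule, port))


def rule_opens_all_traffic(rule: Rule) -> bool:
    """Ingress with no protocol, no source and no port restriction at all."""
    return (rule.direction == "ingress"
            and rule.protocol is None
            and rule.ip_range in UNRESTRICTED_SOURCES
            and rule.port_start is None and rule.port_end is None)


# check id -> predicate that is True when the group FAILS the check
CHECKS = {
    "iaas_security_group_ssh_unrestricted":
        lambda sg: any(rule_opens_tcp_port(r, 22) for r in sg.rules),
    "iaas_security_group_rdp_unrestricted":
        lambda sg: any(rule_opens_tcp_port(r, 3389) for r in sg.rules),
    "iaas_security_group_database_unrestricted":
        lambda sg: any(rule_opens_tcp_port(r, p) for r in sg.rules for p in DATABASE_PORTS),
    "iaas_security_group_all_traffic_unrestricted":
        lambda sg: any(rule_opens_all_traffic(r) for r in sg.rules),
}


def publicly_attached_group_ids(nics) -> set:
    """Only groups carried by a NIC that has a public IP are in scope."""
    return {sg_id for nic in nics if nic.public_ip is not None
            for sg_id in nic.security_group_ids}


def run_checks(groups, nics) -> dict:
    """Return {check_id: {sg_id: "PASS" | "FAIL"}}, skipping groups that are
    attached only to private NICs, as the PR describes."""
    exposed = publicly_attached_group_ids(nics)
    return {
        check_id: {sg.id: ("FAIL" if fails(sg) else "PASS")
                   for sg in groups if sg.id in exposed}
        for check_id, fails in CHECKS.items()
    }


# Constructed sample data (not real StackIT resources)
SAMPLE_GROUPS = [
    SecurityGroup("sg-web", [Rule("ingress", "tcp", "0.0.0.0/0", 22, 22),
                             Rule("ingress", "tcp", "0.0.0.0/0", 443, 443)]),
    SecurityGroup("sg-rdp", [Rule("ingress", "tcp", "::/0", 3389)]),      # port_end unset
    SecurityGroup("sg-db", [Rule("ingress", "tcp", None, 5432, 5432)]),   # ip_range unset
    SecurityGroup("sg-open", [Rule("ingress")]),                          # everything unset
    SecurityGroup("sg-admin", [Rule("ingress", "tcp", "10.0.0.0/8", 22, 22),
                               Rule("egress", None, "0.0.0.0/0")]),
]
SAMPLE_NICS = [
    Nic("nic-1", "203.0.113.10", ["sg-web", "sg-admin"]),
    Nic("nic-2", "203.0.113.11", ["sg-rdp", "sg-open"]),
    Nic("nic-3", None, ["sg-db"]),  # private NIC: sg-db is never reported
]

if __name__ == "__main__":
    for check_id, results in run_checks(SAMPLE_GROUPS, SAMPLE_NICS).items():
        print(check_id)
        for sg_id, status in results.items():
            print(f"  {status}  {sg_id}")
```

Note what the sample shows: sg-db opens PostgreSQL to any source (ip_range unset) but never appears in the results because its only NIC has no public IP, and sg-open (no protocol, source or ports set) fails all four checks, since a rule with nothing set covers port 22, 3389 and every database port as well as all traffic.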

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions[bot], Nov 14 '25 15:11

Hey there,

With the help of Claude, I implemented the StackIT provider and a first test. It would be nice if this got merged, but I don't know if you want to support another provider.

Also, my Python knowledge is not good enough for me to be 100% sure that everything is written correctly; hopefully you can have a look.

I have tested the checks in our own project and they worked for both cases.

BR and have a nice weekend.

Johannes

johannes-engler-mw, Nov 14 '25 16:11

Hello @johannes-engler-mw, this is fantastic! We really appreciate this contribution 👏 I added the breaking-change label as it requires bumping Python. That's in our plans and we'll get back to you once the team starts reviewing the PR.

Again, thank you for contributing to Prowler 🚀

jfagoagas, Nov 17 '25 14:11

Hello @jfagoagas,

that's great. I have optimized the code now and am looking forward to your review :).

BR, Johannes

johannes-engler-mw, Nov 18 '25 16:11