feat(attack-paths): The complete Attack Paths feature (#9805)

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: César Arroba <19954079+cesararroba@users.noreply.github.com> Co-authored-by: Alan Buscaglia <gentlemanprogramming@gmail.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com> Co-authored-by: Rubén De la Torre Vico <ruben@prowler.com> Co-authored-by: HugoPBrito <hugopbrit@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com> Co-authored-by: Pepe Fagoaga <pepe@prowler.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Chandrapal Badshah <Chan9390@users.noreply.github.com> Co-authored-by: Chandrapal Badshah <12944530+Chan9390@users.noreply.github.com> Co-authored-by: Adrián Peña <adrianjpr@gmail.com> Co-authored-by: Pedro Martín <pedromarting3@gmail.com> Co-authored-by: KonstGolfi <73020281+KonstGolfi@users.noreply.github.com> Co-authored-by: lydiavilchez <114735608+lydiavilchez@users.noreply.github.com> Co-authored-by: Prowler Bot <bot@prowler.com> Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com> Co-authored-by: StylusFrost <43682773+StylusFrost@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: alejandrobailo <alejandrobailo94@gmail.com> Co-authored-by: Alejandro Bailo <59607668+alejandrobailo@users.noreply.github.com> Co-authored-by: Víctor Fernández Poyatos <victor@prowler.com> Co-authored-by: bota4go <108249054+bota4go@users.noreply.github.com> Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com> Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com> Co-authored-by: mchennai <50082780+mchennai@users.noreply.github.com> Co-authored-by: Ryan Nolette <sonofagl1tch@users.noreply.github.com> Co-authored-by: Ulissis Correa <123517149+ulissisc@users.noreply.github.com> Co-authored-by: Sergio Garcia <hello@mistercloudsec.com> Co-authored-by: Lee Trout <ltrout@watchpointlabs.com> Co-authored-by: Sergio Garcia <sergargar1@gmail.com> Co-authored-by: Alan-TheGentleman <alan@thegentleman.dev>
2026-01-25 02:08:11 +00:00 · 2026-01-16 13:37:09 +01:00
parent d7af97b30a
commit 032499c29a
104 changed files with 11792 additions and 322 deletions
--- a/skills/prowler-ci/SKILL.md
+++ b/skills/prowler-ci/SKILL.md
@@ -44,7 +44,31 @@ Use this skill whenever you are:
 3. If it's a title check: verify PR title matches Conventional Commits.
 4. If it's changelog: verify the right `CHANGELOG.md` is updated OR apply `no-changelog` label.
 5. If it's conflict checker: remove `<<<<<<<`, `=======`, `>>>>>>>` markers.
-6. If it's secrets: remove credentials and rotate anything leaked.
+6. If it's secrets (TruffleHog): see section below.
+
+## TruffleHog Secret Scanning
+
+TruffleHog scans for leaked secrets. Common false positives in test files:
+
+**Patterns that trigger TruffleHog:**
+- `sk-*T3BlbkFJ*` - OpenAI API keys
+- `AKIA[A-Z0-9]{16}` - AWS Access Keys
+- `ghp_*` / `gho_*` - GitHub tokens
+- Base64-encoded strings that look like credentials
+
+**Fix for test files:**
+```python
+# BAD - looks like real OpenAI key
+api_key = "sk-test1234567890T3BlbkFJtest1234567890"
+
+# GOOD - obviously fake
+api_key = "sk-fake-test-key-for-unit-testing-only"
+```
+
+**If TruffleHog flags a real secret:**
+1. Remove the secret from the code immediately
+2. Rotate the credential (it's now in git history)
+3. Consider using `.trufflehog-ignore` for known false positives (rarely needed)

 ## Notes

--- a/skills/prowler-test-api/SKILL.md
+++ b/skills/prowler-test-api/SKILL.md
@@ -20,6 +20,7 @@ allowed-tools: Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task
 - ALWAYS use `content_type = "application/vnd.api+json"` in requests
 - ALWAYS test cross-tenant isolation with `other_tenant_provider` fixture
 - NEVER skip RLS isolation tests when adding new endpoints
+- NEVER use realistic-looking API keys in tests (TruffleHog will flag them)

 ---

@@ -107,6 +108,27 @@ def test_task_success(self, mock_scan):

 ---

+## 7. Fake Secrets in Tests (TruffleHog)
+
+CI runs TruffleHog to detect leaked secrets. Use obviously fake values:
+
+```python
+# BAD - TruffleHog will flag these patterns:
+api_key = "sk-test1234567890T3BlbkFJtest1234567890"  # OpenAI pattern
+api_key = "AKIA..."  # AWS pattern
+
+# GOOD - clearly fake values:
+api_key = "sk-fake-test-key-for-unit-testing-only"
+api_key = "fake-aws-key-for-testing"
+```
+
+**Patterns to avoid:**
+- `sk-*T3BlbkFJ*` (OpenAI)
+- `AKIA[A-Z0-9]{16}` (AWS Access Key)
+- `ghp_*` or `gho_*` (GitHub tokens)
+
+---
+
 ## Commands

 ```bash