chore(secrets): use master branch of Yelp/detect-secrets (#5331)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2026-01-25 02:08:11 +00:00 · 2024-10-08 16:54:13 +02:00
parent bdd17ea678
commit 12c7912ef5
5 changed files with 60 additions and 11 deletions
--- a/poetry.lock
+++ b/poetry.lock
@@ -1302,15 +1302,13 @@ wrapt = ">=1.10,<2"
 dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "sphinx (<2)", "tox"]

 [[package]]
-name = "detect-secrets"
+name = "detect_secrets"
 version = "1.5.0"
 description = "Tool for detecting secrets in the codebase"
 optional = false
 python-versions = "*"
-files = [
-    {file = "detect_secrets-1.5.0-py3-none-any.whl", hash = "sha256:e24e7b9b5a35048c313e983f76c4bd09dad89f045ff059e354f9943bf45aa060"},
-    {file = "detect_secrets-1.5.0.tar.gz", hash = "sha256:6bb46dcc553c10df51475641bb30fd69d25645cc12339e46c824c1e0c388898a"},
-]
+files = []
+develop = false

 [package.dependencies]
 pyyaml = "*"
@@ -1320,6 +1318,12 @@ requests = "*"
 gibberish = ["gibberish-detector"]
 word-list = ["pyahocorasick"]

+[package.source]
+type = "git"
+url = "https://github.com/Yelp/detect-secrets.git"
+reference = "master"
+resolved_reference = "462720710ec337300fab2b4f2290949c7ee141eb"
+
 [[package]]
 name = "dill"
 version = "0.3.9"
@@ -5060,4 +5064,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.13"
-content-hash = "dc828306f5e9f20d48ce7ad55ea41ec08e2e84f07e3757366670ac78a29e7896"
+content-hash = "edaed8972a6e8dc5f6a5b58e4dd92df8a9985a03f0a45f086e5ae953e830d180"
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -330,8 +330,8 @@ aws:
  elbv2_min_azs: 2


-  # Known secrets to ignore on detection
-  # this will include a list of regex patterns to ignore on detection
+  # AWS Secrets Configuration
+  # Patterns to ignore in the secrets checks
  secrets_ignore_patterns: []

 # Azure Configuration
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -53,7 +53,7 @@ colorama = "0.4.6"
 cryptography = "43.0.1"
 dash = "2.18.1"
 dash-bootstrap-components = "1.6.0"
-detect-secrets = "1.5.0"
+detect-secrets = {git = "https://github.com/Yelp/detect-secrets.git", rev = "master"}
 google-api-python-client = "2.147.0"
 google-auth-httplib2 = ">=0.1,<0.3"
 jsonschema = "4.23.0"
--- a/tests/config/fixtures/config.yaml
+++ b/tests/config/fixtures/config.yaml
@@ -328,8 +328,8 @@ aws:
  # Minimum number of Availability Zones that an ELBv2 must be in
  elbv2_min_azs: 2

-  # Known secrets to ignore on detection
-  # this will include a list of regex patterns to ignore on detection
+  # AWS Secrets Configuration
+  # Patterns to ignore in the secrets checks
  secrets_ignore_patterns: []

 # Azure Configuration
--- a/tests/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code_test.py
+++ b/tests/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code_test.py
@@ -28,6 +28,12 @@ def lambda_handler(event, context):
        print("custom log event")
        return event
 """
+LAMBDA_FUNCTION_CODE_WITH_METADATA_API = """
+def lambda_handler(event, context):
+        metadata_api = "169.254.169.254"
+        print("custom log event")
+        return event
+"""


 def create_lambda_function() -> Function:
@@ -59,6 +65,12 @@ def mock_get_function_codewithout_secrets():
    )


+def mock_get_function_codewith_metadata_api():
+    yield create_lambda_function(), get_lambda_code_with_secrets(
+        LAMBDA_FUNCTION_CODE_WITH_METADATA_API
+    )
+
+
 class Test_awslambda_function_no_secrets_in_code:
    def test_no_functions(self):
        lambda_client = mock.MagicMock
@@ -144,3 +156,36 @@ class Test_awslambda_function_no_secrets_in_code:
                == f"No secrets found in Lambda function {LAMBDA_FUNCTION_NAME} code."
            )
            assert result[0].resource_tags == []
+
+    def test_function_code_with_metadata_api(self):
+        lambda_client = mock.MagicMock
+        lambda_client.functions = {LAMBDA_FUNCTION_ARN: create_lambda_function()}
+
+        lambda_client._get_function_code = mock_get_function_codewith_metadata_api
+        lambda_client.audit_config = {"secrets_ignore_patterns": []}
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=set_mocked_aws_provider(),
+        ), mock.patch(
+            "prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code.awslambda_client",
+            new=lambda_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code import (
+                awslambda_function_no_secrets_in_code,
+            )
+
+            check = awslambda_function_no_secrets_in_code()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert result[0].resource_id == LAMBDA_FUNCTION_NAME
+            assert result[0].resource_arn == LAMBDA_FUNCTION_ARN
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"No secrets found in Lambda function {LAMBDA_FUNCTION_NAME} code."
+            )
+            assert result[0].resource_tags == []