feat(sdk): replace detect-secrets library with kingfisher (#11694)

Daniel Barranquero
2026-06-30 15:36:23 +02:00
committed by GitHub
parent ed1fec8866
commit 5dac8a0a53
60 changed files with 2969 additions and 881 deletions
+16 -3
@@ -6,20 +6,33 @@ Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed
## Detect Secrets
Prowler uses `detect-secrets` library to search for any secrets that are stores in plaintext within your environment.
Prowler scans for secrets stored in plaintext within the audited environment using [Kingfisher](https://github.com/mongodb/kingfisher), an open-source secret-scanning engine. By default these scans run fully offline, so no data leaves the audited environment. Discovered secrets can optionally be validated against the provider APIs to confirm whether they are live — see [Validating Discovered Secrets](/user-guide/cli/tutorials/configuration_file#validating-discovered-secrets).
The actual checks that have this functionality are the following:
The checks with this functionality are the following.
AWS:
- autoscaling\_find\_secrets\_ec2\_launch\_configuration
- awslambda\_function\_no\_secrets\_in\_code
- awslambda\_function\_no\_secrets\_in\_variables
- cloudformation\_stack\_outputs\_find\_secrets
- cloudwatch\_log\_group\_no\_secrets\_in\_logs
- codebuild\_project\_no\_secrets\_in\_variables
- ec2\_instance\_secrets\_user\_data
- ec2\_launch\_template\_no\_secrets
- ecs\_task\_definitions\_no\_environment\_secrets
- glue\_etl\_jobs\_no\_secrets\_in\_arguments
- ssm\_document\_secrets
- stepfunctions\_statemachine\_no\_secrets\_in\_definition
To execute detect-secrets related checks, you can run the following command:
OpenStack:
- compute\_instance\_metadata\_sensitive\_data
- blockstorage\_volume\_metadata\_sensitive\_data
- blockstorage\_snapshot\_metadata\_sensitive\_data
- objectstorage\_container\_metadata\_sensitive\_data
To execute the secret-scanning checks, run the following command:
```console
prowler <provider> --categories secrets
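Review bot: the unchanged heading `## Detect Secrets` at the top of this hunk still carries the name of the library this change removes, while the rewritten paragraph under it now credits Kingfisher; a library-neutral heading such as `## Secret Scanning` (with any links to the old anchor updated) would stop the docs from pointing readers at a dependency that no longer exists. Two smaller points in the same hunk: the new paragraph says scans "run fully offline, so no data leaves the audited environment" and that findings "can optionally be validated against the provider APIs", but it does not spell out that enabling validation means the candidate secret values are sent to those external endpoints, so the offline guarantee no longer holds in that mode; one clause saying so here, or on the linked page, would close that gap. Also, the new link target `/user-guide/cli/tutorials/configuration_file#validating-discovered-secrets` should be checked against the configuration-file doc touched in this same PR so the anchor actually resolves.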