mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
feat(sdk): replace detect-secrets library with kingfisher (#11694)
This commit is contained in:
committed by GitHub
parent ed1fec8866
commit 5dac8a0a53
@@ -6,20 +6,33 @@ Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed
## Detect Secrets
Prowler uses `detect-secrets` library to search for any secrets that are stores in plaintext within your environment.
Prowler scans for secrets stored in plaintext within the audited environment using [Kingfisher](https://github.com/mongodb/kingfisher), an open-source secret-scanning engine. By default these scans run fully offline, so no data leaves the audited environment. Discovered secrets can optionally be validated against the provider APIs to confirm whether they are live — see [Validating Discovered Secrets](/user-guide/cli/tutorials/configuration_file#validating-discovered-secrets).
The actual checks that have this functionality are the following:
The checks with this functionality are the following.
AWS:
- autoscaling\_find\_secrets\_ec2\_launch\_configuration
- awslambda\_function\_no\_secrets\_in\_code
- awslambda\_function\_no\_secrets\_in\_variables
- cloudformation\_stack\_outputs\_find\_secrets
- cloudwatch\_log\_group\_no\_secrets\_in\_logs
- codebuild\_project\_no\_secrets\_in\_variables
- ec2\_instance\_secrets\_user\_data
- ec2\_launch\_template\_no\_secrets
- ecs\_task\_definitions\_no\_environment\_secrets
- glue\_etl\_jobs\_no\_secrets\_in\_arguments
- ssm\_document\_secrets
- stepfunctions\_statemachine\_no\_secrets\_in\_definition
To execute detect-secrets related checks, you can run the following command:
OpenStack:
- compute\_instance\_metadata\_sensitive\_data
- blockstorage\_volume\_metadata\_sensitive\_data
- blockstorage\_snapshot\_metadata\_sensitive\_data
- objectstorage\_container\_metadata\_sensitive\_data
To execute the secret-scanning checks, run the following command:
```console
prowler <provider> --categories secrets
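Review bot: the new paragraph ("Prowler scans for secrets stored in plaintext ... using Kingfisher") promises that "By default these scans run fully offline, so no data leaves the audited environment" and in the next sentence offers optional validation "against the provider APIs"; the doc should state explicitly that turning validation on sends the discovered secret values to the respective provider's API, so the offline guarantee no longer holds once that option is enabled, and readers can weigh that before opting in. Two smaller points in the same hunk: the unchanged heading `## Detect Secrets` still carries the name of the library this change removes, so consider renaming it (e.g. `## Secret Scanning`) and checking any in-page or cross-page anchors that point at it; and "The checks with this functionality are the following." ends with a period where it introduces the list, so a colon reads better. Also worth confirming that the absolute link `/user-guide/cli/tutorials/configuration_file#validating-discovered-secrets` resolves in the docs build, since the target anchor is not part of this change.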