diff --git a/.github/ISSUE_TEMPLATE/new-check-request.yml b/.github/ISSUE_TEMPLATE/new-check-request.yml new file mode 100644 index 0000000000..6c6687e14f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/new-check-request.yml @@ -0,0 +1,143 @@ +name: "🔎 New Check Request" +description: Request a new Prowler security check +title: "[New Check]: " +labels: ["feature-request", "status/needs-triage"] + +body: + - type: checkboxes + id: search + attributes: + label: Existing check search + description: Confirm this check does not already exist before opening a new request. + options: + - label: I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist. + required: true + + - type: markdown + attributes: + value: | + Use this form to describe the security condition that Prowler should evaluate. + + The most useful inputs for [Prowler Studio](https://github.com/prowler-cloud/prowler-studio) are: + - What should be detected + - What PASS and FAIL mean + - Vendor docs, API references, SDK methods, CLI commands, or reference code + + - type: dropdown + id: provider + attributes: + label: Provider + description: Cloud or platform this check targets. + options: + - AWS + - Azure + - GCP + - Kubernetes + - GitHub + - Microsoft 365 + - OCI + - Alibaba Cloud + - Cloudflare + - MongoDB Atlas + - Google Workspace + - OpenStack + - Vercel + - NHN + - Other / New provider + validations: + required: true + + - type: input + id: other_provider_name + attributes: + label: New provider name + description: Only fill this if you selected "Other / New provider" above. + placeholder: "NewProviderName" + validations: + required: false + + - type: input + id: service_name + attributes: + label: Service or product area + description: Optional. Main service, product, or feature to audit. + placeholder: "s3, bedrock, entra, repository, apiserver" + validations: + required: false + + - type: input + id: suggested_check_name + attributes: + label: Suggested check name + description: Optional. Use `snake_case` following `__`, with lowercase letters and underscores only. + placeholder: "bedrock_guardrail_sensitive_information_filter_enabled" + validations: + required: false + + - type: textarea + id: context + attributes: + label: Context and goal + description: Describe the security problem, why it matters, and what this new check should help detect. + placeholder: |- + - Security condition to validate: + - Why it matters: + - Resource, feature, or configuration involved: + validations: + required: true + + - type: textarea + id: expected_behavior + attributes: + label: Expected behavior + description: Explain what the check should evaluate and what PASS, FAIL, or MANUAL should mean. + placeholder: |- + - Resource or scope to evaluate: + - PASS when: + - FAIL when: + - MANUAL when (if applicable): + - Exclusions, thresholds, or edge cases: + validations: + required: true + + - type: textarea + id: references + attributes: + label: References + description: Add vendor docs, API references, SDK methods, CLI commands, endpoint docs, sample payloads, or similar reference material. + placeholder: |- + - Product or service documentation: + - API or SDK reference: + - CLI command or endpoint documentation: + - Sample payload or response: + - Security advisory or benchmark: + validations: + required: true + + - type: dropdown + id: severity + attributes: + label: Suggested severity + description: Your best estimate. Reviewers will confirm during triage. + options: + - Critical + - High + - Medium + - Low + - Informational + - Not sure + validations: + required: true + + - type: textarea + id: implementation_notes + attributes: + label: Additional implementation notes + description: Optional. Add permissions, unsupported regions, config knobs, product limitations, or anything else that may affect implementation. + placeholder: |- + - Required permissions or scopes: + - Region, tenant, or subscription limitations: + - Configurable behavior or thresholds: + - Other constraints: + validations: + required: false diff --git a/.github/workflows/api-code-quality.yml b/.github/workflows/api-code-quality.yml index 1724e51d70..d7bb27aa0a 100644 --- a/.github/workflows/api-code-quality.yml +++ b/.github/workflows/api-code-quality.yml @@ -5,10 +5,20 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-code-quality.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-code-quality.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml index e6403ed689..ee73f97f1c 100644 --- a/.github/workflows/api-container-build-push.yml +++ b/.github/workflows/api-container-build-push.yml @@ -158,7 +158,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml index 5b59939db9..a7705fdeef 100644 --- a/.github/workflows/api-container-checks.yml +++ b/.github/workflows/api-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -57,16 +63,7 @@ jobs: api-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -119,23 +116,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build container for ${{ matrix.arch }} + - name: Build container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ${{ env.API_WORKING_DIR }} push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan container with Trivy for ${{ matrix.arch }} + - name: Scan container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/api-security.yml b/.github/workflows/api-security.yml index 7b8dc72cb1..d3bb9e6108 100644 --- a/.github/workflows/api-security.yml +++ b/.github/workflows/api-security.yml @@ -5,10 +5,20 @@ on: branches: - "master" - "v5.*" + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-security.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - "master" - "v5.*" + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/workflows/api-security.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml index 3d4e7e1799..4aec3af59e 100644 --- a/.github/workflows/api-tests.yml +++ b/.github/workflows/api-tests.yml @@ -5,10 +5,18 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'api/**' + - '.github/workflows/api-tests.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml index 5fc31003a4..b0d6946387 100644 --- a/.github/workflows/conventional-commit.yml +++ b/.github/workflows/conventional-commit.yml @@ -4,8 +4,6 @@ on: pull_request: branches: - 'master' - - 'v3' - - 'v4.*' - 'v5.*' types: - 'opened' diff --git a/.github/workflows/create-backport-label.yml b/.github/workflows/create-backport-label.yml index d7aa5709ae..a9ee7f7f95 100644 --- a/.github/workflows/create-backport-label.yml +++ b/.github/workflows/create-backport-label.yml @@ -43,14 +43,11 @@ jobs: echo "Processing release tag: $RELEASE_TAG" - # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0) VERSION_ONLY="${RELEASE_TAG#v}" - # Check if it's a minor version (X.Y.0) if [[ "$VERSION_ONLY" =~ ^([0-9]+)\.([0-9]+)\.0$ ]]; then echo "Release $RELEASE_TAG (version $VERSION_ONLY) is a minor version. Proceeding to create backport label." - # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0) MAJOR="${BASH_REMATCH[1]}" MINOR="${BASH_REMATCH[2]}" TWO_DIGIT_VERSION="${MAJOR}.${MINOR}" @@ -62,7 +59,6 @@ jobs: echo "Label name: $LABEL_NAME" echo "Label description: $LABEL_DESC" - # Check if label already exists if gh label list --repo ${{ github.repository }} --limit 1000 | grep -q "^${LABEL_NAME}[[:space:]]"; then echo "Label '$LABEL_NAME' already exists." else diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml index 88f84d6729..e166dbb673 100644 --- a/.github/workflows/find-secrets.yml +++ b/.github/workflows/find-secrets.yml @@ -37,10 +37,13 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + # PRs only need the diff range; push to master/release walks the new range from event.before. + # 50 is enough headroom for the longest realistic PR/push chain without paying for a full clone. + fetch-depth: 50 persist-credentials: false - - name: Scan for secrets with TruffleHog + - name: Scan diff for secrets with TruffleHog + # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags. uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4 with: - extra_args: '--results=verified,unknown' + extra_args: --results=verified,unknown diff --git a/.github/workflows/mcp-container-build-push.yml b/.github/workflows/mcp-container-build-push.yml index 90157db9ab..1e1338e61c 100644 --- a/.github/workflows/mcp-container-build-push.yml +++ b/.github/workflows/mcp-container-build-push.yml @@ -152,7 +152,7 @@ jobs: org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }} ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml index b205232b0c..5b750f0998 100644 --- a/.github/workflows/mcp-container-checks.yml +++ b/.github/workflows/mcp-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'mcp_server/**' + - '.github/workflows/mcp-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'mcp_server/**' + - '.github/workflows/mcp-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -56,16 +62,7 @@ jobs: mcp-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -112,23 +109,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build MCP container for ${{ matrix.arch }} + - name: Build MCP container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ${{ env.MCP_WORKING_DIR }} push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan MCP container with Trivy for ${{ matrix.arch }} + - name: Scan MCP container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/mcp-pypi-release.yml b/.github/workflows/mcp-pypi-release.yml index cccda1f664..92015873b5 100644 --- a/.github/workflows/mcp-pypi-release.yml +++ b/.github/workflows/mcp-pypi-release.yml @@ -86,11 +86,32 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} + # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release + # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in + # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release. + # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any + # workflow_dispatch re-runs) without failing with HTTP 400 (version exists). + - name: Check if prowler-mcp version already exists on PyPI + id: pypi-check + working-directory: ${{ env.WORKING_DIRECTORY }} + run: | + MCP_VERSION=$(grep '^version' pyproject.toml | head -1 | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/') + echo "mcp_version=${MCP_VERSION}" >> "$GITHUB_OUTPUT" + if curl -fsS "https://pypi.org/pypi/prowler-mcp/${MCP_VERSION}/json" >/dev/null 2>&1; then + echo "skip=true" >> "$GITHUB_OUTPUT" + echo "::notice title=Skipping prowler-mcp publish::Version ${MCP_VERSION} already exists on PyPI; bump mcp_server/pyproject.toml to publish a new release." + else + echo "skip=false" >> "$GITHUB_OUTPUT" + echo "::notice title=Publishing prowler-mcp::Version ${MCP_VERSION} not on PyPI yet; proceeding." + fi + - name: Build prowler-mcp package + if: steps.pypi-check.outputs.skip != 'true' working-directory: ${{ env.WORKING_DIRECTORY }} run: uv build - name: Publish prowler-mcp package to PyPI + if: steps.pypi-check.outputs.skip != 'true' uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/ diff --git a/.github/workflows/nightly-arm64-container-builds.yml b/.github/workflows/nightly-arm64-container-builds.yml new file mode 100644 index 0000000000..c3ad0a92d5 --- /dev/null +++ b/.github/workflows/nightly-arm64-container-builds.yml @@ -0,0 +1,98 @@ +name: 'Nightly: ARM64 Container Builds' + +# Mitigation for amd64-only PR container-checks: build amd64+arm64 nightly against +# master to keep arm-specific Dockerfile regressions caught quickly. Build only — +# no push, no Trivy (weekly checks already cover that). + +on: + schedule: + - cron: '0 4 * * *' + workflow_dispatch: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +permissions: {} + +jobs: + build-arm64: + if: github.repository == 'prowler-cloud/prowler' + runs-on: ubuntu-24.04-arm + timeout-minutes: 60 + permissions: + contents: read + strategy: + fail-fast: false + matrix: + include: + - component: sdk + context: . + dockerfile: ./Dockerfile + image_name: prowler + - component: api + context: ./api + dockerfile: ./api/Dockerfile + image_name: prowler-api + - component: ui + context: ./ui + dockerfile: ./ui/Dockerfile + image_name: prowler-ui + target: prod + build_args: | + NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX + - component: mcp + context: ./mcp_server + dockerfile: ./mcp_server/Dockerfile + image_name: prowler-mcp + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + + - name: Build ${{ matrix.component }} container (linux/arm64) + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + with: + context: ${{ matrix.context }} + file: ${{ matrix.dockerfile }} + target: ${{ matrix.target }} + push: false + load: false + platforms: linux/arm64 + tags: ${{ matrix.image_name }}:nightly-arm64 + build-args: ${{ matrix.build_args }} + cache-from: type=gha,scope=arm64 + cache-to: type=gha,mode=min,scope=arm64 + + notify-failure: + needs: build-arm64 + if: failure() && github.event_name == 'schedule' + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + contents: read + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Notify Slack on failure + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 + with: + method: chat.postMessage + token: ${{ secrets.SLACK_BOT_TOKEN }} + payload: | + channel: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }} + text: ":rotating_light: Nightly arm64 container build failed for prowler — <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|view run>" + errors: true diff --git a/.github/workflows/pr-check-changelog.yml b/.github/workflows/pr-check-changelog.yml index fa01ba4cbe..076ffea55c 100644 --- a/.github/workflows/pr-check-changelog.yml +++ b/.github/workflows/pr-check-changelog.yml @@ -41,10 +41,15 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + fetch-depth: 1 # zizmor: ignore[artipacked] persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 diff --git a/.github/workflows/pr-check-compliance-mapping.yml b/.github/workflows/pr-check-compliance-mapping.yml index be934d5983..d906a522f1 100644 --- a/.github/workflows/pr-check-compliance-mapping.yml +++ b/.github/workflows/pr-check-compliance-mapping.yml @@ -45,10 +45,15 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + fetch-depth: 1 # zizmor: ignore[artipacked] persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml index 667f807be8..6eeac30d82 100644 --- a/.github/workflows/pr-conflict-checker.yml +++ b/.github/workflows/pr-conflict-checker.yml @@ -36,8 +36,14 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - persist-credentials: false + fetch-depth: 1 + # zizmor: ignore[artipacked] + persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch + + - name: Fetch PR base ref for tj-actions/changed-files + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: git fetch --depth=1 origin "${BASE_REF}" - name: Get changed files id: changed-files diff --git a/.github/workflows/sdk-check-duplicate-test-names.yml b/.github/workflows/sdk-check-duplicate-test-names.yml index 17c595ca11..e5e5506df3 100644 --- a/.github/workflows/sdk-check-duplicate-test-names.yml +++ b/.github/workflows/sdk-check-duplicate-test-names.yml @@ -5,6 +5,9 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'tests/providers/**/*_test.py' + - '.github/workflows/sdk-check-duplicate-test-names.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-code-quality.yml b/.github/workflows/sdk-code-quality.yml index b777ee1657..87c6598942 100644 --- a/.github/workflows/sdk-code-quality.yml +++ b/.github/workflows/sdk-code-quality.yml @@ -5,10 +5,26 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-code-quality.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-code-quality.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml index 8a2bba691c..c55c3cceca 100644 --- a/.github/workflows/sdk-container-build-push.yml +++ b/.github/workflows/sdk-container-build-push.yml @@ -3,9 +3,7 @@ name: 'SDK: Container Build and Push' on: push: branches: - - 'v3' # For v3-latest - - 'v4.6' # For v4-latest - - 'master' # For latest + - 'master' paths-ignore: - '.github/**' - '!.github/workflows/sdk-container-build-push.yml' @@ -56,7 +54,6 @@ jobs: timeout-minutes: 5 outputs: prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }} - prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }} latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }} stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }} permissions: @@ -92,32 +89,13 @@ jobs: PROWLER_VERSION="$(poetry version -s 2>/dev/null)" echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}" - # Extract major version PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}" - echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}" - - # Set version-specific tags - case ${PROWLER_VERSION_MAJOR} in - 3) - echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable" - ;; - 4) - echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable" - ;; - 5) - echo "latest_tag=latest" >> "${GITHUB_OUTPUT}" - echo "stable_tag=stable" >> "${GITHUB_OUTPUT}" - echo "✓ Prowler v5 detected - tags: latest, stable" - ;; - *) - echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}" - exit 1 - ;; - esac + if [[ "${PROWLER_VERSION_MAJOR}" != "5" ]]; then + echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}" + exit 1 + fi + echo "latest_tag=latest" >> "${GITHUB_OUTPUT}" + echo "stable_tag=stable" >> "${GITHUB_OUTPUT}" notify-release-started: if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -228,7 +206,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: @@ -386,39 +364,3 @@ jobs: payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json" step-outcome: ${{ steps.outcome.outputs.outcome }} update-ts: ${{ needs.notify-release-started.outputs.message-ts }} - - dispatch-v3-deployment: - needs: [setup, container-build-push] - if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success' - runs-on: ubuntu-latest - timeout-minutes: 5 - permissions: - contents: read - - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - name: Calculate short SHA - id: short-sha - run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT - - - name: Dispatch v3 deployment (latest) - if: github.event_name == 'push' - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 - with: - token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} - repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }} - event-type: dispatch - client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}' - - - name: Dispatch v3 deployment (release) - if: github.event_name == 'release' - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 - with: - token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} - repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }} - event-type: dispatch - client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}' diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml index 3474df676e..218c4e7ebc 100644 --- a/.github/workflows/sdk-container-checks.yml +++ b/.github/workflows/sdk-container-checks.yml @@ -5,10 +5,22 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'Dockerfile*' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'Dockerfile*' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -56,16 +68,7 @@ jobs: sdk-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -132,23 +135,22 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build SDK container for ${{ matrix.arch }} + - name: Build SDK container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} - - name: Scan SDK container with Trivy for ${{ matrix.arch }} + - name: Scan SDK container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/sdk-security.yml b/.github/workflows/sdk-security.yml index ceb6b1db1c..81504a4ec1 100644 --- a/.github/workflows/sdk-security.yml +++ b/.github/workflows/sdk-security.yml @@ -5,10 +5,26 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-security.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/workflows/sdk-security.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/sdk-tests.yml b/.github/workflows/sdk-tests.yml index 0646e5f8b5..d3cdc1be29 100644 --- a/.github/workflows/sdk-tests.yml +++ b/.github/workflows/sdk-tests.yml @@ -5,10 +5,24 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/actions/setup-python-poetry/**' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'prowler/**' + - 'tests/**' + - 'pyproject.toml' + - 'poetry.lock' + - '.github/workflows/sdk-tests.yml' + - '.github/actions/setup-python-poetry/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/ui-container-build-push.yml b/.github/workflows/ui-container-build-push.yml index 6fab2d1efb..d8db786d49 100644 --- a/.github/workflows/ui-container-build-push.yml +++ b/.github/workflows/ui-container-build-push.yml @@ -151,7 +151,7 @@ jobs: tags: | ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }} cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }} # Create and push multi-architecture manifest create-manifest: diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml index eb7b508b58..d6ebaf46a3 100644 --- a/.github/workflows/ui-container-checks.yml +++ b/.github/workflows/ui-container-checks.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -57,16 +63,7 @@ jobs: ui-container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - arch: amd64 - - platform: linux/arm64 - runner: ubuntu-24.04-arm - arch: arm64 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read @@ -114,7 +111,7 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build UI container for ${{ matrix.arch }} + - name: Build UI container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: @@ -122,18 +119,17 @@ jobs: target: prod push: false load: true - platforms: ${{ matrix.platform }} - tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }} - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }} build-args: | NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX - - name: Scan UI container with Trivy for ${{ matrix.arch }} + - name: Scan UI container with Trivy if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} - image-tag: ${{ github.sha }}-${{ matrix.arch }} + image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL' diff --git a/.github/workflows/ui-e2e-tests-v2.yml b/.github/workflows/ui-e2e-tests-v2.yml index 2a91e460be..aab93057c7 100644 --- a/.github/workflows/ui-e2e-tests-v2.yml +++ b/.github/workflows/ui-e2e-tests-v2.yml @@ -15,6 +15,10 @@ on: - 'ui/**' - 'api/**' # API changes can affect UI E2E +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: @@ -266,7 +270,7 @@ jobs: with: name: playwright-report path: ui/playwright-report/ - retention-days: 30 + retention-days: 7 - name: Cleanup services if: always() diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index c11e90b8f4..6d71a9eedf 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -5,10 +5,16 @@ on: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-tests.yml' pull_request: branches: - 'master' - 'v5.*' + paths: + - 'ui/**' + - '.github/workflows/ui-tests.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 931ef1b94c..ed0d3682d8 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -8,6 +8,7 @@ rules: - docs-bump-version.yml - issue-triage.lock.yml - mcp-container-build-push.yml + - nightly-arm64-container-builds.yml - pr-merged.yml - prepare-release.yml - sdk-bump-version.yml diff --git a/Dockerfile b/Dockerfile index 49fbc5356e..ca2fee8903 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler" ARG POWERSHELL_VERSION=7.5.0 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} -ARG TRIVY_VERSION=0.69.2 +ARG TRIVY_VERSION=0.70.0 ENV TRIVY_VERSION=${TRIVY_VERSION} ARG ZIZMOR_VERSION=1.24.1 diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md index b259291299..f387077184 100644 --- a/api/CHANGELOG.md +++ b/api/CHANGELOG.md @@ -8,6 +8,11 @@ All notable changes to the **Prowler API** are documented in this file. - New `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929) - ASD Essential Eight (AWS) compliance framework support [(#10982)](https://github.com/prowler-cloud/prowler/pull/10982) +- `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929) + +### 🔐 Security + +- `trivy` binary from 0.69.2 to 0.70.0 and `cryptography` from 46.0.6 to 46.0.7 (transitive via prowler SDK) in the API image for CVE-2026-33186 and CVE-2026-39892 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978) --- diff --git a/api/Dockerfile b/api/Dockerfile index 6f8385934d..55b14dcf16 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -5,7 +5,7 @@ LABEL maintainer="https://github.com/prowler-cloud/api" ARG POWERSHELL_VERSION=7.5.0 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} -ARG TRIVY_VERSION=0.69.2 +ARG TRIVY_VERSION=0.70.0 ENV TRIVY_VERSION=${TRIVY_VERSION} ARG ZIZMOR_VERSION=1.24.1 diff --git a/api/poetry.lock b/api/poetry.lock index f93e0d21e6..f84ad86ba6 100644 --- a/api/poetry.lock +++ b/api/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand. [[package]] name = "about-time" @@ -2504,61 +2504,61 @@ dev = ["bandit", "coverage", "flake8", "pydocstyle", "pylint", "pytest", "pytest [[package]] name = "cryptography" -version = "46.0.6" +version = "46.0.7" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = "!=3.9.0,!=3.9.1,>=3.8" groups = ["main", "dev"] files = [ - {file = "cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738"}, - {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c"}, - {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f"}, - {file = "cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2"}, - {file = "cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124"}, - {file = "cryptography-46.0.6-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a"}, - {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d"}, - {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736"}, - {file = "cryptography-46.0.6-cp314-cp314t-win32.whl", hash = "sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed"}, - {file = "cryptography-46.0.6-cp314-cp314t-win_amd64.whl", hash = "sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4"}, - {file = "cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58"}, - {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb"}, - {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72"}, - {file = "cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c"}, - {file = "cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e"}, - {file = "cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759"}, + {file = "cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b"}, + {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85"}, + {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e"}, + {file = "cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457"}, + {file = "cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b"}, + {file = "cryptography-46.0.7-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:d151173275e1728cf7839aaa80c34fe550c04ddb27b34f48c232193df8db5842"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:db0f493b9181c7820c8134437eb8b0b4792085d37dbb24da050476ccb664e59c"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ebd6daf519b9f189f85c479427bbd6e9c9037862cf8fe89ee35503bd209ed902"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:b7b412817be92117ec5ed95f880defe9cf18a832e8cafacf0a22337dc1981b4d"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:fbfd0e5f273877695cb93baf14b185f4878128b250cc9f8e617ea0c025dfb022"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:ffca7aa1d00cf7d6469b988c581598f2259e46215e0140af408966a24cf086ce"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:60627cf07e0d9274338521205899337c5d18249db56865f943cbe753aa96f40f"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:80406c3065e2c55d7f49a9550fe0c49b3f12e5bfff5dedb727e319e1afb9bf99"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:c5b1ccd1239f48b7151a65bc6dd54bcfcc15e028c8ac126d3fada09db0e07ef1"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d5f7520159cd9c2154eb61eb67548ca05c5774d39e9c2c4339fd793fe7d097b2"}, + {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:fcd8eac50d9138c1d7fc53a653ba60a2bee81a505f9f8850b6b2888555a45d0e"}, + {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:65814c60f8cc400c63131584e3e1fad01235edba2614b61fbfbfa954082db0ee"}, + {file = "cryptography-46.0.7-cp314-cp314t-win32.whl", hash = "sha256:fdd1736fed309b4300346f88f74cd120c27c56852c3838cab416e7a166f67298"}, + {file = "cryptography-46.0.7-cp314-cp314t-win_amd64.whl", hash = "sha256:e06acf3c99be55aa3b516397fe42f5855597f430add9c17fa46bf2e0fb34c9bb"}, + {file = "cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0"}, + {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85"}, + {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e"}, + {file = "cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246"}, + {file = "cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4"}, + {file = "cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5"}, ] [package.dependencies] @@ -2571,7 +2571,7 @@ nox = ["nox[uv] (>=2024.4.15)"] pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"] sdist = ["build (>=1.0.0)"] ssh = ["bcrypt (>=3.1.5)"] -test = ["certifi (>=2024)", "cryptography-vectors (==46.0.6)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"] +test = ["certifi (>=2024)", "cryptography-vectors (==46.0.7)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"] test-randomorder = ["pytest-randomly"] [[package]] @@ -6665,7 +6665,7 @@ files = [ [[package]] name = "prowler" -version = "5.25.0" +version = "5.26.0" description = "Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks." optional = false python-versions = ">=3.10,<3.13" @@ -6720,7 +6720,7 @@ boto3 = "1.40.61" botocore = "1.40.61" cloudflare = "4.3.1" colorama = "0.4.6" -cryptography = "46.0.6" +cryptography = "46.0.7" dash = "3.1.1" dash-bootstrap-components = "2.0.3" defusedxml = "0.7.1" @@ -6754,8 +6754,8 @@ uuid6 = "2024.7.10" [package.source] type = "git" url = "https://github.com/prowler-cloud/prowler.git" -reference = "master" -resolved_reference = "ca29e354b622198ff6a70e2ea5eb04e4a44a0903" +reference = "eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8" +resolved_reference = "eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8" [[package]] name = "psutil" @@ -7912,26 +7912,26 @@ shaping = ["uharfbuzz"] [[package]] name = "requests" -version = "2.32.5" +version = "2.33.1" description = "Python HTTP for Humans." optional = false -python-versions = ">=3.9" +python-versions = ">=3.10" groups = ["main", "dev"] files = [ - {file = "requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"}, - {file = "requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"}, + {file = "requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a"}, + {file = "requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"}, ] [package.dependencies] -certifi = ">=2017.4.17" +certifi = ">=2023.5.7" charset_normalizer = ">=2,<4" idna = ">=2.5,<4" PySocks = {version = ">=1.5.6,<1.5.7 || >1.5.7", optional = true, markers = "extra == \"socks\""} -urllib3 = ">=1.21.1,<3" +urllib3 = ">=1.26,<3" [package.extras] socks = ["PySocks (>=1.5.6,!=1.5.7)"] -use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] +use-chardet-on-py3 = ["chardet (>=3.0.2,<8)"] [[package]] name = "requests-file" @@ -9424,4 +9424,4 @@ files = [ [metadata] lock-version = "2.1" python-versions = ">=3.11,<3.13" -content-hash = "a3ab982d11a87d951ff15694d2ca7fd51f1f51a451abb0baa067ccf6966367a8" +content-hash = "df8a20081fe91c40d071e508dbe19590c8b7ffb5dcc61e71cf30ed016bad5a34" diff --git a/api/pyproject.toml b/api/pyproject.toml index 838a30fdf7..a634831549 100644 --- a/api/pyproject.toml +++ b/api/pyproject.toml @@ -25,7 +25,7 @@ dependencies = [ "defusedxml==0.7.1", "gunicorn==23.0.0", "lxml==5.3.2", - "prowler @ git+https://github.com/prowler-cloud/prowler.git@master", + "prowler @ git+https://github.com/prowler-cloud/prowler.git@eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8", "psycopg2-binary==2.9.9", "pytest-celery[redis] (==1.3.0)", "sentry-sdk[django] (==2.56.0)", diff --git a/api/src/backend/tasks/jobs/scan.py b/api/src/backend/tasks/jobs/scan.py index 515aea8620..d4bc2afba3 100644 --- a/api/src/backend/tasks/jobs/scan.py +++ b/api/src/backend/tasks/jobs/scan.py @@ -202,8 +202,9 @@ def _get_attack_surface_mapping_from_provider(provider_type: str) -> dict: "iam_inline_policy_allows_privilege_escalation", }, "ec2-imdsv1": { - "ec2_instance_imdsv2_enabled" - }, # AWS only - IMDSv1 enabled findings + "ec2_instance_imdsv2_enabled", + "ec2_instance_account_imdsv2_enabled", + }, # AWS only - instance-level IMDSv1 exposure and account IMDS defaults } for category_name, check_ids in attack_surface_check_mappings.items(): if check_ids is None: diff --git a/api/src/backend/tasks/tests/test_scan.py b/api/src/backend/tasks/tests/test_scan.py index dc13c31e08..0a7193cd4d 100644 --- a/api/src/backend/tasks/tests/test_scan.py +++ b/api/src/backend/tasks/tests/test_scan.py @@ -3853,6 +3853,7 @@ class TestAggregateAttackSurface: in result["privilege-escalation"] ) assert "ec2_instance_imdsv2_enabled" in result["ec2-imdsv1"] + assert "ec2_instance_account_imdsv2_enabled" in result["ec2-imdsv1"] @patch("tasks.jobs.scan.AttackSurfaceOverview.objects.bulk_create") @patch("tasks.jobs.scan.Finding.all_objects.filter") diff --git a/docs/developer-guide/aws-details.mdx b/docs/developer-guide/aws-details.mdx index 70f94f4006..e6f561ea3d 100644 --- a/docs/developer-guide/aws-details.mdx +++ b/docs/developer-guide/aws-details.mdx @@ -73,6 +73,58 @@ The best reference to understand how to implement a new service is following the - AWS API calls are wrapped in try/except blocks, with specific handling for `ClientError` and generic exceptions, always logging errors. - If ARN is not present for some resource, it can be constructed using string interpolation, always including partition, service, region, account, and resource ID. - Tags and additional attributes that cannot be retrieved from the default call, should be collected and stored for each resource using dedicated methods and threading using the resource object list as iterator. +- When accessing dictionary values from AWS API responses, always use `.get()` with a default value instead of direct dictionary access (e.g., `response.get("Policies", {})` instead of `response["Policies"]`). AWS API responses may not always include all keys, and direct access can cause `KeyError` exceptions that break the entire scan for that service. + +### Extending an Existing Service with New Attributes + +When adding a new check that requires data not yet collected by an existing service, you need to extend the service by adding new attributes to its resource models and updating the data collection methods. This is a common contributor task that follows a consistent pattern: + +1. **Identify the missing data**: Determine which AWS API call provides the data you need and whether it's already being called by the service. + +2. **Add new attributes to the resource model**: Extend the Pydantic `BaseModel` class for the resource with the new fields. Use `Optional` types with `None` as the default value to maintain backward compatibility with existing checks. + +3. **Update the data collection method**: Modify the existing method that fetches resource details to also extract and store the new attributes. If no existing method fetches the data, add a new method and call it in the constructor using `self.__threading_call__` if possible. + +4. **Use safe dictionary access**: When extracting values from API responses, always use `.get()` with appropriate defaults to prevent `KeyError` exceptions when the API doesn't return certain fields. + +#### Example: Adding DKIM Status to SES Identities + +```python +# Step 1 & 2: Add new fields to the resource model +class Identity(BaseModel): + name: str + arn: str + region: str + type: Optional[str] + policy: Optional[dict] = None + tags: Optional[list] = [] + # New attributes for DKIM check + dkim_status: Optional[str] = None + dkim_signing_attributes_origin: Optional[str] = None + +# Step 3: Update the data collection method +def _get_email_identities(self, identity): + try: + regional_client = self.regional_clients[identity.region] + identity_attributes = regional_client.get_email_identity( + EmailIdentity=identity.name + ) + # Step 4: Use .get() for safe dictionary access + for content_key, content_value in identity_attributes.get("Policies", {}).items(): + identity.policy = loads(content) + identity.tags = identity_attributes.get("Tags", []) + # Extract new DKIM attributes + identity.dkim_status = identity_attributes.get("DkimStatus") + identity.dkim_signing_attributes_origin = ( + identity_attributes.get("DkimSigningAttributesOrigin") + ) + except Exception as error: + logger.error( + f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) +``` + +5. **Update the service tests**: Add the new attributes to the test mock data and assertions to verify correct data extraction. ## Specific Patterns in AWS Checks diff --git a/docs/developer-guide/checks.mdx b/docs/developer-guide/checks.mdx index 956dc293d1..c5dacc72d9 100644 --- a/docs/developer-guide/checks.mdx +++ b/docs/developer-guide/checks.mdx @@ -27,14 +27,28 @@ The most common high level steps to create a new check are: ### Naming Format for Checks -Checks must be named following the format: `service_subservice_resource_action`. +If you already know the check name when creating a request or implementing a check, use a descriptive identifier with lowercase letters and underscores only. + +Recommended patterns: + +- `__` The name components are: -- `service` – The main service being audited (e.g., ec2, entra, iam, etc.) -- `subservice` – An individual component or subset of functionality within the service that is being audited. This may correspond to a shortened version of the class attribute accessed within the check. If there is no subservice, just omit. -- `resource` – The specific resource type being evaluated (e.g., instance, policy, role, etc.) -- `action` – The security aspect or configuration being checked (e.g., public, encrypted, enabled, etc.) +- `service` – The main service or product area being audited (e.g., ec2, entra, iam, bedrock). +- `resource` – The resource, feature, or configuration being evaluated. It can be a single word or a compound phrase joined with underscores (e.g., instance, policy, guardrail, sensitive_information_filter). +- `best_practice` – The expected secure state or best practice being checked (e.g., enabled, encrypted, restricted, configured, not_publicly_accessible). + +Additional guidance: + +- Use underscores only. Do not use hyphens. +- Keep the name specific enough to describe the behavior of the check. +- The first segment should match the service or product area whenever possible. + +Examples: + +- `s3_bucket_versioning_enabled` +- `bedrock_guardrail_sensitive_information_filter_enabled` ### File Creation diff --git a/docs/developer-guide/provider.mdx b/docs/developer-guide/provider.mdx index ec3e106150..f7a1057d11 100644 --- a/docs/developer-guide/provider.mdx +++ b/docs/developer-guide/provider.mdx @@ -1003,7 +1003,7 @@ class ProwlerArgumentParser: formatter_class=RawTextHelpFormatter, usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,nhn,dashboard,iac,your_provider} ...", epilog=""" -Available Cloud Providers: +Available Providers: {aws,azure,gcp,kubernetes,m365,github,iac,nhn,your_provider} aws AWS Provider azure Azure Provider diff --git a/docs/developer-guide/prowler-studio.mdx b/docs/developer-guide/prowler-studio.mdx new file mode 100644 index 0000000000..a4a2a609b5 --- /dev/null +++ b/docs/developer-guide/prowler-studio.mdx @@ -0,0 +1,131 @@ +--- +title: 'Prowler Studio' +--- + +**Prowler Studio is an AI workflow that ensures Claude Code follows Prowler's skills, guardrails, and best practices when creating new security checks.** What lands in the resulting pull request is consistent, tested, and ready for human review — not half-correct boilerplate that needs to be rewritten. + + +**Contributor Tool**: Prowler Studio is a workflow for advanced contributors adding new Prowler security checks. It is not part of Prowler Cloud, Prowler App, or Prowler CLI. + + + +**Preview Feature**: Prowler Studio is under active development and breaking changes are expected. Please report issues or share feedback on [GitHub](https://github.com/prowler-cloud/prowler-studio/issues) or in the [Slack community](https://goto.prowler.com/slack). + + + + Clone the source code, install Prowler Studio, and explore the agent workflow in detail. + + +## The Problem + +Adding a new check to [Prowler](https://github.com/prowler-cloud/prowler) is more than writing detection logic. A correct check has to: + +- Match Prowler's exact service and check folder structure and naming conventions +- Wire up metadata, severity, remediation, tests, and compliance mappings +- Mirror the patterns used by the hundreds of existing checks in the same provider +- Actually load when Prowler scans for available checks — silent structural mistakes are easy to make + +Asking a general-purpose AI assistant to do this usually means guessing. It misses conventions, skips tests, or invents structure that looks right but does not load. The result is a half-correct PR that needs to be reviewed line by line or rewritten. + +## The Solution + +Prowler Studio enforces the workflow end-to-end. Describe the check once — a markdown ticket, a Jira issue, or a GitHub issue — and the workflow: + +1. **Loads Prowler-specific skills into every agent.** Every step starts with the same context an experienced Prowler engineer would have in mind. See [AI Skills System](/developer-guide/ai-skills) for how skills are structured. +2. **Runs specialized agents in sequence.** Implementation → testing → compliance mapping → review → PR creation. Each agent has one job and a tight scope. +3. **Verifies as it goes.** The check must load in Prowler. Tests must pass. If something fails, the agent fixes it and re-runs (up to a bounded number of attempts) before moving on. +4. **Produces a complete pull request.** Branch, passing check, tests, compliance mappings, and a pull request waiting for human review. + +The result is a consistent starting point, every time, on every supported provider. + +## Quick Start + +### Install + +Prowler Studio requires [`uv`](https://docs.astral.sh/uv/getting-started/installation/) — see the official [installation guide](https://docs.astral.sh/uv/getting-started/installation/). + +```bash +git clone https://github.com/prowler-cloud/prowler-studio +cd prowler-studio +uv sync +source .venv/bin/activate +``` + +### Describe the Check + +A ticket is a structured markdown description of the check to create. It is the only input the workflow needs; every agent (implementation, testing, compliance mapping, review, PR creation) uses it as the source of truth, so the more concrete it is, the closer the first PR will land to the desired outcome. + +The ticket can be supplied in three ways: + +- **Local markdown file** → `--ticket path/to/ticket.md` +- **Jira issue** → `--jira-url https://...` (uses the issue body) +- **GitHub issue** → `--github-url https://...` (uses the issue body) + +The content should follow the **New Check Request** template: + +- The local copy at [`check_ticket_template.md`](https://github.com/prowler-cloud/prowler-studio/blob/main/check_ticket_template.md) covers `--ticket` and Jira tickets. +- A prefilled GitHub form is also available: [Create a New Check Request issue](https://github.com/prowler-cloud/prowler/issues/new?template=new-check-request.yml). + +Sections marked *Optional* can be skipped; everything else helps the agents make the right decisions. + +### Run the Workflow + +From a local markdown ticket: + +```bash +prowler-studio --ticket check_ticket.md +``` + +From a Jira ticket: + +```bash +prowler-studio --jira-url https://mycompany.atlassian.net/browse/PROJ-123 +``` + +From a GitHub issue: + +```bash +prowler-studio --github-url https://github.com/owner/repo/issues/123 +``` + + +Provide exactly one of `--ticket`, `--jira-url`, or `--github-url`. + + +Keep changes local (no push, no pull request): + +```bash +prowler-studio -b feat/my-check --ticket check_ticket.md --local +``` + +### What You Get + +After a successful run the working environment contains: + +- A new branch on a clean Prowler worktree containing the check, metadata, tests, and compliance mappings +- A pull request opened against Prowler (skipped with `--local`) +- A timestamped log file under `logs/` capturing every step the agents took + +## CLI Options + +| Option | Short | Description | +|--------|-------|-------------| +| `--branch` | `-b` | Branch name (default: `feat/-` or `feat/`) | +| `--ticket` | `-t` | Path to a markdown check ticket file | +| `--jira-url` | `-j` | Jira ticket URL (e.g., `https://mycompany.atlassian.net/browse/PROJ-123`) | +| `--github-url` | `-g` | GitHub issue URL (e.g., `https://github.com/owner/repo/issues/123`) | +| `--working-dir` | `-w` | Working directory for the Prowler clone (default: `./working`) | +| `--no-worktree` | | Legacy mode — work directly on the main clone instead of using worktrees | +| `--cleanup-worktree` | | Remove the worktree after a successful pull request is created | +| `--local` | | Keep changes local — skip push and pull request creation | + +## Configuration + +Set these environment variables depending on the input source: + +| Variable | When Needed | Purpose | +|----------|-------------|---------| +| `GITHUB_TOKEN` | `--github-url` (recommended) | Higher GitHub API rate limits and access to private issues | +| `JIRA_SITE_URL` | `--jira-url` | Jira site, e.g. `https://mycompany.atlassian.net` | +| `JIRA_EMAIL` | `--jira-url` | Email of the Jira account used to fetch the ticket | +| `JIRA_API_TOKEN` | `--jira-url` | API token for the Jira account | diff --git a/docs/docs.json b/docs/docs.json index aee4e3259a..e9c8cc9347 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -365,7 +365,8 @@ "developer-guide/security-compliance-framework", "developer-guide/lighthouse-architecture", "developer-guide/mcp-server", - "developer-guide/ai-skills" + "developer-guide/ai-skills", + "developer-guide/prowler-studio" ] }, { diff --git a/docs/getting-started/basic-usage/prowler-app.mdx b/docs/getting-started/basic-usage/prowler-app.mdx index 26d7d8ee2e..bc39353dcc 100644 --- a/docs/getting-started/basic-usage/prowler-app.mdx +++ b/docs/getting-started/basic-usage/prowler-app.mdx @@ -32,11 +32,11 @@ Access Prowler App by logging in with **email and password**. Log In -## Add Cloud Provider +## Add Provider -Configure a cloud provider for scanning: +Configure a provider for scanning: -1. Navigate to `Settings > Cloud Providers` and click `Add Account`. +1. Navigate to `Settings > Providers` and click `Add Provider`. 2. Select the cloud provider. 3. Enter the provider's identifier (Optional: Add an alias): - **AWS**: Account ID diff --git a/docs/getting-started/installation/prowler-app.mdx b/docs/getting-started/installation/prowler-app.mdx index 0b9d15852b..cf88d1aded 100644 --- a/docs/getting-started/installation/prowler-app.mdx +++ b/docs/getting-started/installation/prowler-app.mdx @@ -121,8 +121,8 @@ To update the environment file: Edit the `.env` file and change version values: ```env -PROWLER_UI_VERSION="5.25.1" -PROWLER_API_VERSION="5.25.1" +PROWLER_UI_VERSION="5.25.2" +PROWLER_API_VERSION="5.25.2" ``` diff --git a/docs/troubleshooting.mdx b/docs/troubleshooting.mdx index a6a28c0ad6..9d60c57321 100644 --- a/docs/troubleshooting.mdx +++ b/docs/troubleshooting.mdx @@ -159,6 +159,40 @@ When these environment variables are set, the API will use them directly instead A fix addressing this permission issue is being evaluated in [PR #9953](https://github.com/prowler-cloud/prowler/pull/9953). +### Scan Stuck in Executing State After Worker Crash + +When running Prowler App via Docker Compose, a scan may remain indefinitely in the `executing` state if the worker process crashes (for example, due to an Out of Memory condition) before it can update the scan status. Since it is not currently possible to cancel a scan in `executing` state through the UI, the workaround is to manually update the scan record in the database. + +**Root Cause:** + +The Celery worker process terminates unexpectedly (OOM, node failure, etc.) before transitioning the scan state to `completed` or `failed`. The scan record remains in `executing` with no active process to advance it. + +**Solution:** + +Connect to the database using the `prowler_admin` user. Due to Row-Level Security (RLS), the default database user cannot see scan records — you must use `prowler_admin`: + +```bash +psql -U prowler_admin -d prowler_db +``` + +Identify the stuck scan by filtering for scans in `executing` state: + +```sql +SELECT id, name, state, started_at FROM scans WHERE state = 'executing'; +``` + +Update the scan state to `failed` using the scan ID: + +```sql +UPDATE scans SET state = 'failed' WHERE id = ''; +``` + +After this change, the scan will appear as failed in the UI and you can launch a new scan. + + +A feature to cancel executing scans directly from the UI is being tracked in [GitHub Issue #6893](https://github.com/prowler-cloud/prowler/issues/6893). + + ### SAML/OAuth ACS URL Incorrect When Running Behind a Proxy or Load Balancer See [GitHub Issue #9724](https://github.com/prowler-cloud/prowler/issues/9724) for more details. diff --git a/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx b/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx deleted file mode 100644 index e6c708a212..0000000000 --- a/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: 'Prowler Check Kreator' ---- - - -Currently, this tool is only available for creating checks for the AWS provider. - - - -If you are looking for a way to create new checks for all the supported providers, you can use [Prowler Studio](https://github.com/prowler-cloud/prowler-studio), it is an AI-powered toolkit for generating and managing security checks for Prowler (better version of the Check Kreator). - - -## Introduction - -**Prowler Check Kreator** is a utility designed to streamline the creation of new checks for Prowler. This tool generates all necessary files required to add a new check to the Prowler repository. Specifically, it creates: - -- A dedicated folder for the check. -- The main check script. -- A metadata file with essential details. -- A folder and file structure for testing the check. - -## Usage - -To use the tool, execute the main script with the following command: - -```bash -python util/prowler_check_kreator/prowler_check_kreator.py -``` - -Parameters: - -- ``: Currently only AWS is supported. -- ``: The name you wish to assign to the new check. - -## AI integration - -This tool optionally integrates AI to assist in generating the check code and metadata file content. When AI assistance is chosen, the tool uses [Gemini](https://gemini.google.com/) to produce preliminary code and metadata. - - -For this feature to work, you must have the library `google-generativeai` installed in your Python environment. - - - -AI-generated code and metadata might contain errors or require adjustments to align with specific Prowler requirements. Carefully review all AI-generated content before committing. - - -To enable AI assistance, simply confirm when prompted by the tool. Additionally, ensure that the `GEMINI_API_KEY` environment variable is set with a valid Gemini API key. For instructions on obtaining your API key, refer to the [Gemini documentation](https://ai.google.dev/gemini-api/docs/api-key). diff --git a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx index a3de5fc8fa..36520a8f8c 100644 --- a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx +++ b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx @@ -40,13 +40,13 @@ Before you begin, make sure you have: ### Step 2: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to "Configuration" > "Cloud Providers" +2. Go to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Alibaba Cloud" diff --git a/docs/user-guide/providers/aws/getting-started-aws.mdx b/docs/user-guide/providers/aws/getting-started-aws.mdx index 8127e873e7..f0c5ab882a 100644 --- a/docs/user-guide/providers/aws/getting-started-aws.mdx +++ b/docs/user-guide/providers/aws/getting-started-aws.mdx @@ -19,13 +19,13 @@ title: 'Getting Started With AWS on Prowler' ### Step 2: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to "Configuration" > "Cloud Providers" +2. Go to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Amazon Web Services" diff --git a/docs/user-guide/providers/azure/getting-started-azure.mdx b/docs/user-guide/providers/azure/getting-started-azure.mdx index 456c226aab..66b3b14e3a 100644 --- a/docs/user-guide/providers/azure/getting-started-azure.mdx +++ b/docs/user-guide/providers/azure/getting-started-azure.mdx @@ -35,13 +35,13 @@ For detailed instructions on how to create the Service Principal and configure p ### Step 2: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Navigate to `Configuration` > `Cloud Providers` +2. Navigate to `Configuration` > `Providers` - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click on `Add Cloud Provider` +3. Click on `Add Provider` - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select `Microsoft Azure` diff --git a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx index 2bc18bcca8..00320bd34f 100644 --- a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx +++ b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx @@ -42,13 +42,13 @@ The Account ID is a 32-character hexadecimal string (e.g., `372e67954025e0ba6aaa ### Step 2: Open Prowler Cloud 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). -2. Navigate to "Configuration" > "Cloud Providers". +2. Navigate to "Configuration" > "Providers". - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider". +3. Click "Add Provider". - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Cloudflare". diff --git a/docs/user-guide/providers/gcp/getting-started-gcp.mdx b/docs/user-guide/providers/gcp/getting-started-gcp.mdx index c70250c8a9..e16114e19a 100644 --- a/docs/user-guide/providers/gcp/getting-started-gcp.mdx +++ b/docs/user-guide/providers/gcp/getting-started-gcp.mdx @@ -14,13 +14,13 @@ title: 'Getting Started With GCP on Prowler' ### Step 2: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to "Configuration" > "Cloud Providers" +2. Go to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Google Cloud Platform" diff --git a/docs/user-guide/providers/github/authentication.mdx b/docs/user-guide/providers/github/authentication.mdx index adbfd235a8..0b5ab6b720 100644 --- a/docs/user-guide/providers/github/authentication.mdx +++ b/docs/user-guide/providers/github/authentication.mdx @@ -275,7 +275,7 @@ For step-by-step setup instructions for Prowler Cloud, see the [Getting Started ### Using Personal Access Token -1. In Prowler Cloud, navigate to **Configuration** > **Cloud Providers** > **Add Cloud Provider** > **GitHub**. +1. In Prowler Cloud, navigate to **Configuration** > **Providers** > **Add Provider** > **GitHub**. 2. Enter your GitHub Account ID (username or organization name). diff --git a/docs/user-guide/providers/github/getting-started-github.mdx b/docs/user-guide/providers/github/getting-started-github.mdx index 3211d7058d..e946660b51 100644 --- a/docs/user-guide/providers/github/getting-started-github.mdx +++ b/docs/user-guide/providers/github/getting-started-github.mdx @@ -49,13 +49,13 @@ Before adding GitHub to Prowler Cloud/App, ensure you have: ### Step 1: Access Prowler Cloud/App 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to **Configuration** → **Cloud Providers** +2. Go to **Configuration** → **Providers** - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click **Add Cloud Provider** +3. Click **Add Provider** - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select **GitHub** diff --git a/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx b/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx index af09ab75c3..8931c43ebd 100644 --- a/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx +++ b/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx @@ -43,13 +43,13 @@ The Customer ID starts with the letter "C" followed by alphanumeric characters ( ### Step 2: Open Prowler Cloud 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). -2. Navigate to "Configuration" > "Cloud Providers". +2. Navigate to "Configuration" > "Providers". - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider". +3. Click "Add Provider". - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Google Workspace". diff --git a/docs/user-guide/providers/iac/getting-started-iac.mdx b/docs/user-guide/providers/iac/getting-started-iac.mdx index 2a1e588018..d1e978dc75 100644 --- a/docs/user-guide/providers/iac/getting-started-iac.mdx +++ b/docs/user-guide/providers/iac/getting-started-iac.mdx @@ -42,13 +42,13 @@ Scanner selection is not configurable in Prowler App. Default scanners, misconfi ### Step 1: Access Prowler Cloud/App 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to "Configuration" > "Cloud Providers" +2. Go to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Infrastructure as Code" diff --git a/docs/user-guide/providers/image/getting-started-image.mdx b/docs/user-guide/providers/image/getting-started-image.mdx index 9a3d67258d..b9c305d0ef 100644 --- a/docs/user-guide/providers/image/getting-started-image.mdx +++ b/docs/user-guide/providers/image/getting-started-image.mdx @@ -34,13 +34,13 @@ Prowler Cloud does not support scanner selection. The vulnerability, secret, and ### Step 1: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Navigate to "Configuration" > "Cloud Providers" +2. Navigate to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Container Registry" diff --git a/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx b/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx index aff63b81a3..9ca791110f 100644 --- a/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx +++ b/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx @@ -7,13 +7,13 @@ title: 'Getting Started with Kubernetes' ### Step 1: Access Prowler Cloud/App 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) -2. Go to "Configuration" > "Cloud Providers" +2. Go to "Configuration" > "Providers" - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider" +3. Click "Add Provider" - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Kubernetes" diff --git a/docs/user-guide/providers/microsoft365/getting-started-m365.mdx b/docs/user-guide/providers/microsoft365/getting-started-m365.mdx index 1e6830c722..a21b796b5c 100644 --- a/docs/user-guide/providers/microsoft365/getting-started-m365.mdx +++ b/docs/user-guide/providers/microsoft365/getting-started-m365.mdx @@ -42,13 +42,13 @@ Set up authentication for Microsoft 365 with the [Microsoft 365 Authentication]( ### Step 2: Open Prowler Cloud 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). -2. Navigate to "Configuration" > "Cloud Providers". +2. Navigate to "Configuration" > "Providers". - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider". +3. Click "Add Provider". - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Microsoft 365". diff --git a/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx b/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx index c10c6aac30..c68bfac9c2 100644 --- a/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx +++ b/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx @@ -38,7 +38,7 @@ If **Require IP Access List for the Atlas Administration API** is enabled in you ### Step 1: Add the provider -1. Navigate to **Cloud Providers** and click **Add Cloud Provider**. +1. Navigate to **Providers** and click **Add Provider**. ![Add provider list](./img/add-provider-list.png) 2. Select **MongoDB Atlas** from the provider list. 3. Enter your **Organization ID** (24 hex characters). This value is visible in the Atlas UI under **Organization Settings**. diff --git a/docs/user-guide/providers/oci/getting-started-oci.mdx b/docs/user-guide/providers/oci/getting-started-oci.mdx index 459d9ad685..d3024bc1c1 100644 --- a/docs/user-guide/providers/oci/getting-started-oci.mdx +++ b/docs/user-guide/providers/oci/getting-started-oci.mdx @@ -16,8 +16,8 @@ The following steps apply to Prowler Cloud and the self-hosted Prowler App. ### Step 2: Access Prowler Cloud 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). -2. Go to **Configuration** → **Cloud Providers** and click **Add Cloud Provider**. -![Add OCI Cloud Provider](./images/oci-add-cloud-provider.png) +2. Go to **Configuration** → **Providers** and click **Add Provider**. +![Add OCI Provider](./images/oci-add-cloud-provider.png) 3. Select **Oracle Cloud** and enter the **Tenancy OCID** and an optional alias, then choose **Next**. ![Add OCI Cloud Tenancy](./images/oci-add-tenancy.png) diff --git a/docs/user-guide/providers/openstack/getting-started-openstack.mdx b/docs/user-guide/providers/openstack/getting-started-openstack.mdx index b80ebe0e9f..1ff80c3e2e 100644 --- a/docs/user-guide/providers/openstack/getting-started-openstack.mdx +++ b/docs/user-guide/providers/openstack/getting-started-openstack.mdx @@ -34,7 +34,7 @@ Before running Prowler with the OpenStack provider, ensure you have: ### Step 1: Add the Provider -1. Navigate to "Cloud Providers" and click "Add Cloud Provider". +1. Navigate to "Providers" and click "Add Provider". ![Providers List](./images/select-provider.png) 2. Select "OpenStack" from the provider list. 3. Enter the "Project ID" from the OpenStack provider. diff --git a/docs/user-guide/providers/vercel/getting-started-vercel.mdx b/docs/user-guide/providers/vercel/getting-started-vercel.mdx index 8a6fdecc22..c39c5f1e6a 100644 --- a/docs/user-guide/providers/vercel/getting-started-vercel.mdx +++ b/docs/user-guide/providers/vercel/getting-started-vercel.mdx @@ -29,13 +29,13 @@ Set up authentication for Vercel with the [Vercel Authentication](/user-guide/pr ### Step 1: Add the Provider 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). -2. Navigate to "Configuration" > "Cloud Providers". +2. Navigate to "Configuration" > "Providers". - ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + ![Providers Page](/images/prowler-app/cloud-providers-page.png) -3. Click "Add Cloud Provider". +3. Click "Add Provider". - ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + ![Add a Provider](/images/prowler-app/add-cloud-provider.png) 4. Select "Vercel". diff --git a/docs/user-guide/tutorials/prowler-app-rbac.mdx b/docs/user-guide/tutorials/prowler-app-rbac.mdx index 31fd4a730e..cccbbc27cc 100644 --- a/docs/user-guide/tutorials/prowler-app-rbac.mdx +++ b/docs/user-guide/tutorials/prowler-app-rbac.mdx @@ -123,7 +123,7 @@ The Roles section in Prowler is designed to facilitate the assignment of custom ### Provider Groups -Provider Groups control visibility across specific providers. When creating a new role, you can assign specific groups to define their Cloud Provider visibility. This ensures that users with that role have access only to the Cloud Providers that are required. +Provider Groups control visibility across specific providers. When creating a new role, you can assign specific groups to define their Provider visibility. This ensures that users with that role have access only to the Providers that are required. By default, a new user role does not have visibility into any group. @@ -223,7 +223,7 @@ Assign administrative permissions by selecting from the following options: | Invite and Manage Users | All | Invite new users and manage existing ones. | | Manage Account | All | Adjust account settings, delete users and read/manage users permissions. | | Manage Scans | All | Run and review scans. | -| Manage Cloud Providers | All | Add or modify connected cloud providers. | +| Manage Providers | All | Add or modify connected providers. | | Manage Integrations | All | Add or modify the Prowler Integrations. | | Manage Ingestions | Prowler Cloud | Allow or deny the ability to submit findings ingestion batches via the API. | | Manage Billing | Prowler Cloud | Access and manage billing settings and subscription information. | diff --git a/docs/user-guide/tutorials/prowler-app-s3-integration.mdx b/docs/user-guide/tutorials/prowler-app-s3-integration.mdx index 728e4a4354..284b10eaaf 100644 --- a/docs/user-guide/tutorials/prowler-app-s3-integration.mdx +++ b/docs/user-guide/tutorials/prowler-app-s3-integration.mdx @@ -320,7 +320,7 @@ Once the required permissions are set up, proceed to configure the S3 integratio ![Add integration button](/images/prowler-app/s3/s3-integration-ui-3.png) 4. Complete the configuration form with the following details: - - **Cloud Providers:** Select the providers whose scan results should be exported to this S3 bucket + - **Providers:** Select the providers whose scan results should be exported to this S3 bucket - **Bucket Name:** Enter the name of the target S3 bucket (e.g., `my-security-findings-bucket`) - **Output Directory:** Specify the directory path within the bucket (e.g., `/prowler-findings/`, defaults to `output`) diff --git a/docs/user-guide/tutorials/prowler-app.mdx b/docs/user-guide/tutorials/prowler-app.mdx index 0b368c5ad4..5e99a41ae7 100644 --- a/docs/user-guide/tutorials/prowler-app.mdx +++ b/docs/user-guide/tutorials/prowler-app.mdx @@ -72,8 +72,8 @@ To perform security scans, link a cloud provider account. Prowler supports the f Steps to add a provider: -1. Navigate to `Settings > Cloud Providers`. -2. Click `Add Account` to set up a new provider and provide your credentials. +1. Navigate to `Settings > Providers`. +2. Click `Add Provider` to set up a new provider and provide your credentials. Add Provider diff --git a/docs/user-guide/tutorials/prowler-check-kreator.mdx b/docs/user-guide/tutorials/prowler-check-kreator.mdx deleted file mode 100644 index 253f659814..0000000000 --- a/docs/user-guide/tutorials/prowler-check-kreator.mdx +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: 'Prowler Check Kreator' ---- - - -Currently, this tool is only available for creating checks for the AWS provider. - - - - -If you are looking for a way to create new checks for all the supported providers, you can use [Prowler Studio](https://github.com/prowler-cloud/prowler-studio), it is an AI-powered toolkit for generating and managing security checks for Prowler (better version of the Check Kreator). - - - -## Introduction - -**Prowler Check Kreator** is a utility designed to streamline the creation of new checks for Prowler. This tool generates all necessary files required to add a new check to the Prowler repository. Specifically, it creates: - -- A dedicated folder for the check. -- The main check script. -- A metadata file with essential details. -- A folder and file structure for testing the check. - -## Usage - -To use the tool, execute the main script with the following command: - -```bash -python util/prowler_check_kreator/prowler_check_kreator.py -``` - -Parameters: - -- ``: Currently only AWS is supported. -- ``: The name you wish to assign to the new check. - -## AI integration - -This tool optionally integrates AI to assist in generating the check code and metadata file content. When AI assistance is chosen, the tool uses [Gemini](https://gemini.google.com/) to produce preliminary code and metadata. - - -For this feature to work, you must have the library `google-generativeai` installed in your Python environment. - - - - -AI-generated code and metadata might contain errors or require adjustments to align with specific Prowler requirements. Carefully review all AI-generated content before committing. - - - -To enable AI assistance, simply confirm when prompted by the tool. Additionally, ensure that the `GEMINI_API_KEY` environment variable is set with a valid Gemini API key. For instructions on obtaining your API key, refer to the [Gemini documentation](https://ai.google.dev/gemini-api/docs/api-key). diff --git a/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx b/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx index e56627ee20..d9c17aaa5f 100644 --- a/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx +++ b/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx @@ -246,10 +246,10 @@ Now that both roles are deployed — the management account role (Step 1) and th ### Open the Wizard -1. Navigate to **Cloud Providers** and click **Add Cloud Provider**. +1. Navigate to **Providers** and click **Add Provider**. - Cloud Providers page showing the Add Cloud Provider button + Providers page showing the Add Provider button 2. Select **Amazon Web Services** as the provider. diff --git a/mcp_server/CHANGELOG.md b/mcp_server/CHANGELOG.md index 64ea033f0e..b0a1d70565 100644 --- a/mcp_server/CHANGELOG.md +++ b/mcp_server/CHANGELOG.md @@ -2,6 +2,14 @@ All notable changes to the **Prowler MCP Server** are documented in this file. +## [0.7.0] (Prowler UNRELEASED) + +### 🔐 Security + +- `cryptography` from 46.0.1 to 47.0.0 (transitive) for CVE-2026-39892 and CVE-2026-26007 / CVE-2026-34073 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978) + +--- + ## [0.6.0] (Prowler v5.23.0) ### 🚀 Added diff --git a/mcp_server/uv.lock b/mcp_server/uv.lock index 5daf74c94a..0c49cdb89a 100644 --- a/mcp_server/uv.lock +++ b/mcp_server/uv.lock @@ -204,58 +204,55 @@ wheels = [ [[package]] name = "cryptography" -version = "46.0.1" +version = "47.0.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cffi", marker = "platform_python_implementation != 'PyPy'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/a9/62/e3664e6ffd7743e1694b244dde70b43a394f6f7fbcacf7014a8ff5197c73/cryptography-46.0.1.tar.gz", hash = "sha256:ed570874e88f213437f5cf758f9ef26cbfc3f336d889b1e592ee11283bb8d1c7", size = 749198, upload-time = "2025-09-17T00:10:35.797Z" } +sdist = { url = "https://files.pythonhosted.org/packages/ef/b2/7ffa7fe8207a8c42147ffe70c3e360b228160c1d85dc3faff16aaa3244c0/cryptography-47.0.0.tar.gz", hash = "sha256:9f8e55fe4e63613a5e1cc5819030f27b97742d720203a087802ce4ce9ceb52bb", size = 830863, upload-time = "2026-04-24T19:54:57.056Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/4c/8c/44ee01267ec01e26e43ebfdae3f120ec2312aa72fa4c0507ebe41a26739f/cryptography-46.0.1-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:1cd6d50c1a8b79af1a6f703709d8973845f677c8e97b1268f5ff323d38ce8475", size = 7285044, upload-time = "2025-09-17T00:08:36.807Z" }, - { url = "https://files.pythonhosted.org/packages/22/59/9ae689a25047e0601adfcb159ec4f83c0b4149fdb5c3030cc94cd218141d/cryptography-46.0.1-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:0ff483716be32690c14636e54a1f6e2e1b7bf8e22ca50b989f88fa1b2d287080", size = 4308182, upload-time = "2025-09-17T00:08:39.388Z" }, - { url = "https://files.pythonhosted.org/packages/c4/ee/ca6cc9df7118f2fcd142c76b1da0f14340d77518c05b1ebfbbabca6b9e7d/cryptography-46.0.1-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9873bf7c1f2a6330bdfe8621e7ce64b725784f9f0c3a6a55c3047af5849f920e", size = 4572393, upload-time = "2025-09-17T00:08:41.663Z" }, - { url = "https://files.pythonhosted.org/packages/7f/a3/0f5296f63815d8e985922b05c31f77ce44787b3127a67c0b7f70f115c45f/cryptography-46.0.1-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0dfb7c88d4462a0cfdd0d87a3c245a7bc3feb59de101f6ff88194f740f72eda6", size = 4308400, upload-time = "2025-09-17T00:08:43.559Z" }, - { url = "https://files.pythonhosted.org/packages/5d/8c/74fcda3e4e01be1d32775d5b4dd841acaac3c1b8fa4d0774c7ac8d52463d/cryptography-46.0.1-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8", size = 4015786, upload-time = "2025-09-17T00:08:45.758Z" }, - { url = "https://files.pythonhosted.org/packages/dc/b8/85d23287baeef273b0834481a3dd55bbed3a53587e3b8d9f0898235b8f91/cryptography-46.0.1-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:757af4f6341ce7a1e47c326ca2a81f41d236070217e5fbbad61bbfe299d55d28", size = 4982606, upload-time = "2025-09-17T00:08:47.602Z" }, - { url = "https://files.pythonhosted.org/packages/e5/d3/de61ad5b52433b389afca0bc70f02a7a1f074651221f599ce368da0fe437/cryptography-46.0.1-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f7a24ea78de345cfa7f6a8d3bde8b242c7fac27f2bd78fa23474ca38dfaeeab9", size = 4604234, upload-time = "2025-09-17T00:08:49.879Z" }, - { url = "https://files.pythonhosted.org/packages/dc/1f/dbd4d6570d84748439237a7478d124ee0134bf166ad129267b7ed8ea6d22/cryptography-46.0.1-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:9e8776dac9e660c22241b6587fae51a67b4b0147daa4d176b172c3ff768ad736", size = 4307669, upload-time = "2025-09-17T00:08:52.321Z" }, - { url = "https://files.pythonhosted.org/packages/ec/fd/ca0a14ce7f0bfe92fa727aacaf2217eb25eb7e4ed513b14d8e03b26e63ed/cryptography-46.0.1-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9f40642a140c0c8649987027867242b801486865277cbabc8c6059ddef16dc8b", size = 4947579, upload-time = "2025-09-17T00:08:54.697Z" }, - { url = "https://files.pythonhosted.org/packages/89/6b/09c30543bb93401f6f88fce556b3bdbb21e55ae14912c04b7bf355f5f96c/cryptography-46.0.1-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:449ef2b321bec7d97ef2c944173275ebdab78f3abdd005400cc409e27cd159ab", size = 4603669, upload-time = "2025-09-17T00:08:57.16Z" }, - { url = "https://files.pythonhosted.org/packages/23/9a/38cb01cb09ce0adceda9fc627c9cf98eb890fc8d50cacbe79b011df20f8a/cryptography-46.0.1-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2dd339ba3345b908fa3141ddba4025568fa6fd398eabce3ef72a29ac2d73ad75", size = 4435828, upload-time = "2025-09-17T00:08:59.606Z" }, - { url = "https://files.pythonhosted.org/packages/0f/53/435b5c36a78d06ae0bef96d666209b0ecd8f8181bfe4dda46536705df59e/cryptography-46.0.1-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:7411c910fb2a412053cf33cfad0153ee20d27e256c6c3f14d7d7d1d9fec59fd5", size = 4709553, upload-time = "2025-09-17T00:09:01.832Z" }, - { url = "https://files.pythonhosted.org/packages/f5/c4/0da6e55595d9b9cd3b6eb5dc22f3a07ded7f116a3ea72629cab595abb804/cryptography-46.0.1-cp311-abi3-win32.whl", hash = "sha256:cbb8e769d4cac884bb28e3ff620ef1001b75588a5c83c9c9f1fdc9afbe7f29b0", size = 3058327, upload-time = "2025-09-17T00:09:03.726Z" }, - { url = "https://files.pythonhosted.org/packages/95/0f/cd29a35e0d6e78a0ee61793564c8cff0929c38391cb0de27627bdc7525aa/cryptography-46.0.1-cp311-abi3-win_amd64.whl", hash = "sha256:92e8cfe8bd7dd86eac0a677499894862cd5cc2fd74de917daa881d00871ac8e7", size = 3523893, upload-time = "2025-09-17T00:09:06.272Z" }, - { url = "https://files.pythonhosted.org/packages/f2/dd/eea390f3e78432bc3d2f53952375f8b37cb4d37783e626faa6a51e751719/cryptography-46.0.1-cp311-abi3-win_arm64.whl", hash = "sha256:db5597a4c7353b2e5fb05a8e6cb74b56a4658a2b7bf3cb6b1821ae7e7fd6eaa0", size = 2932145, upload-time = "2025-09-17T00:09:08.568Z" }, - { url = "https://files.pythonhosted.org/packages/0a/fb/c73588561afcd5e24b089952bd210b14676c0c5bf1213376350ae111945c/cryptography-46.0.1-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:4c49eda9a23019e11d32a0eb51a27b3e7ddedde91e099c0ac6373e3aacc0d2ee", size = 7193928, upload-time = "2025-09-17T00:09:10.595Z" }, - { url = "https://files.pythonhosted.org/packages/26/34/0ff0bb2d2c79f25a2a63109f3b76b9108a906dd2a2eb5c1d460b9938adbb/cryptography-46.0.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:9babb7818fdd71394e576cf26c5452df77a355eac1a27ddfa24096665a27f8fd", size = 4293515, upload-time = "2025-09-17T00:09:12.861Z" }, - { url = "https://files.pythonhosted.org/packages/df/b7/d4f848aee24ecd1be01db6c42c4a270069a4f02a105d9c57e143daf6cf0f/cryptography-46.0.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9f2c4cc63be3ef43c0221861177cee5d14b505cd4d4599a89e2cd273c4d3542a", size = 4545619, upload-time = "2025-09-17T00:09:15.397Z" }, - { url = "https://files.pythonhosted.org/packages/44/a5/42fedefc754fd1901e2d95a69815ea4ec8a9eed31f4c4361fcab80288661/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:41c281a74df173876da1dc9a9b6953d387f06e3d3ed9284e3baae3ab3f40883a", size = 4299160, upload-time = "2025-09-17T00:09:17.155Z" }, - { url = "https://files.pythonhosted.org/packages/86/a1/cd21174f56e769c831fbbd6399a1b7519b0ff6280acec1b826d7b072640c/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0a17377fa52563d730248ba1f68185461fff36e8bc75d8787a7dd2e20a802b7a", size = 3994491, upload-time = "2025-09-17T00:09:18.971Z" }, - { url = "https://files.pythonhosted.org/packages/8d/2f/a8cbfa1c029987ddc746fd966711d4fa71efc891d37fbe9f030fe5ab4eec/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:0d1922d9280e08cde90b518a10cd66831f632960a8d08cb3418922d83fce6f12", size = 4960157, upload-time = "2025-09-17T00:09:20.923Z" }, - { url = "https://files.pythonhosted.org/packages/67/ae/63a84e6789e0d5a2502edf06b552bcb0fa9ff16147265d5c44a211942abe/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:af84e8e99f1a82cea149e253014ea9dc89f75b82c87bb6c7242203186f465129", size = 4577263, upload-time = "2025-09-17T00:09:23.356Z" }, - { url = "https://files.pythonhosted.org/packages/ef/8f/1b9fa8e92bd9cbcb3b7e1e593a5232f2c1e6f9bd72b919c1a6b37d315f92/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:ef648d2c690703501714588b2ba640facd50fd16548133b11b2859e8655a69da", size = 4298703, upload-time = "2025-09-17T00:09:25.566Z" }, - { url = "https://files.pythonhosted.org/packages/c3/af/bb95db070e73fea3fae31d8a69ac1463d89d1c084220f549b00dd01094a8/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:e94eb5fa32a8a9f9bf991f424f002913e3dd7c699ef552db9b14ba6a76a6313b", size = 4926363, upload-time = "2025-09-17T00:09:27.451Z" }, - { url = "https://files.pythonhosted.org/packages/f5/3b/d8fb17ffeb3a83157a1cc0aa5c60691d062aceecba09c2e5e77ebfc1870c/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:534b96c0831855e29fc3b069b085fd185aa5353033631a585d5cd4dd5d40d657", size = 4576958, upload-time = "2025-09-17T00:09:29.924Z" }, - { url = "https://files.pythonhosted.org/packages/d9/46/86bc3a05c10c8aa88c8ae7e953a8b4e407c57823ed201dbcba55c4d655f4/cryptography-46.0.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:f9b55038b5c6c47559aa33626d8ecd092f354e23de3c6975e4bb205df128a2a0", size = 4422507, upload-time = "2025-09-17T00:09:32.222Z" }, - { url = "https://files.pythonhosted.org/packages/a8/4e/387e5a21dfd2b4198e74968a541cfd6128f66f8ec94ed971776e15091ac3/cryptography-46.0.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:ec13b7105117dbc9afd023300fb9954d72ca855c274fe563e72428ece10191c0", size = 4683964, upload-time = "2025-09-17T00:09:34.118Z" }, - { url = "https://files.pythonhosted.org/packages/25/a3/f9f5907b166adb8f26762071474b38bbfcf89858a5282f032899075a38a1/cryptography-46.0.1-cp314-cp314t-win32.whl", hash = "sha256:504e464944f2c003a0785b81668fe23c06f3b037e9cb9f68a7c672246319f277", size = 3029705, upload-time = "2025-09-17T00:09:36.381Z" }, - { url = "https://files.pythonhosted.org/packages/12/66/4d3a4f1850db2e71c2b1628d14b70b5e4c1684a1bd462f7fffb93c041c38/cryptography-46.0.1-cp314-cp314t-win_amd64.whl", hash = "sha256:c52fded6383f7e20eaf70a60aeddd796b3677c3ad2922c801be330db62778e05", size = 3502175, upload-time = "2025-09-17T00:09:38.261Z" }, - { url = "https://files.pythonhosted.org/packages/52/c7/9f10ad91435ef7d0d99a0b93c4360bea3df18050ff5b9038c489c31ac2f5/cryptography-46.0.1-cp314-cp314t-win_arm64.whl", hash = "sha256:9495d78f52c804b5ec8878b5b8c7873aa8e63db9cd9ee387ff2db3fffe4df784", size = 2912354, upload-time = "2025-09-17T00:09:40.078Z" }, - { url = "https://files.pythonhosted.org/packages/98/e5/fbd632385542a3311915976f88e0dfcf09e62a3fc0aff86fb6762162a24d/cryptography-46.0.1-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:d84c40bdb8674c29fa192373498b6cb1e84f882889d21a471b45d1f868d8d44b", size = 7255677, upload-time = "2025-09-17T00:09:42.407Z" }, - { url = "https://files.pythonhosted.org/packages/56/3e/13ce6eab9ad6eba1b15a7bd476f005a4c1b3f299f4c2f32b22408b0edccf/cryptography-46.0.1-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:9ed64e5083fa806709e74fc5ea067dfef9090e5b7a2320a49be3c9df3583a2d8", size = 4301110, upload-time = "2025-09-17T00:09:45.614Z" }, - { url = "https://files.pythonhosted.org/packages/a2/67/65dc233c1ddd688073cf7b136b06ff4b84bf517ba5529607c9d79720fc67/cryptography-46.0.1-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:341fb7a26bc9d6093c1b124b9f13acc283d2d51da440b98b55ab3f79f2522ead", size = 4562369, upload-time = "2025-09-17T00:09:47.601Z" }, - { url = "https://files.pythonhosted.org/packages/17/db/d64ae4c6f4e98c3dac5bf35dd4d103f4c7c345703e43560113e5e8e31b2b/cryptography-46.0.1-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:6ef1488967e729948d424d09c94753d0167ce59afba8d0f6c07a22b629c557b2", size = 4302126, upload-time = "2025-09-17T00:09:49.335Z" }, - { url = "https://files.pythonhosted.org/packages/3d/19/5f1eea17d4805ebdc2e685b7b02800c4f63f3dd46cfa8d4c18373fea46c8/cryptography-46.0.1-cp38-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7823bc7cdf0b747ecfb096d004cc41573c2f5c7e3a29861603a2871b43d3ef32", size = 4009431, upload-time = "2025-09-17T00:09:51.239Z" }, - { url = "https://files.pythonhosted.org/packages/81/b5/229ba6088fe7abccbfe4c5edb96c7a5ad547fac5fdd0d40aa6ea540b2985/cryptography-46.0.1-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:f736ab8036796f5a119ff8211deda416f8c15ce03776db704a7a4e17381cb2ef", size = 4980739, upload-time = "2025-09-17T00:09:54.181Z" }, - { url = "https://files.pythonhosted.org/packages/3a/9c/50aa38907b201e74bc43c572f9603fa82b58e831bd13c245613a23cff736/cryptography-46.0.1-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:e46710a240a41d594953012213ea8ca398cd2448fbc5d0f1be8160b5511104a0", size = 4592289, upload-time = "2025-09-17T00:09:56.731Z" }, - { url = "https://files.pythonhosted.org/packages/5a/33/229858f8a5bb22f82468bb285e9f4c44a31978d5f5830bb4ea1cf8a4e454/cryptography-46.0.1-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:84ef1f145de5aee82ea2447224dc23f065ff4cc5791bb3b506615957a6ba8128", size = 4301815, upload-time = "2025-09-17T00:09:58.548Z" }, - { url = "https://files.pythonhosted.org/packages/52/cb/b76b2c87fbd6ed4a231884bea3ce073406ba8e2dae9defad910d33cbf408/cryptography-46.0.1-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9394c7d5a7565ac5f7d9ba38b2617448eba384d7b107b262d63890079fad77ca", size = 4943251, upload-time = "2025-09-17T00:10:00.475Z" }, - { url = "https://files.pythonhosted.org/packages/94/0f/f66125ecf88e4cb5b8017ff43f3a87ede2d064cb54a1c5893f9da9d65093/cryptography-46.0.1-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:ed957044e368ed295257ae3d212b95456bd9756df490e1ac4538857f67531fcc", size = 4591247, upload-time = "2025-09-17T00:10:02.874Z" }, - { url = "https://files.pythonhosted.org/packages/f6/22/9f3134ae436b63b463cfdf0ff506a0570da6873adb4bf8c19b8a5b4bac64/cryptography-46.0.1-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:f7de12fa0eee6234de9a9ce0ffcfa6ce97361db7a50b09b65c63ac58e5f22fc7", size = 4428534, upload-time = "2025-09-17T00:10:04.994Z" }, - { url = "https://files.pythonhosted.org/packages/89/39/e6042bcb2638650b0005c752c38ea830cbfbcbb1830e4d64d530000aa8dc/cryptography-46.0.1-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:7fab1187b6c6b2f11a326f33b036f7168f5b996aedd0c059f9738915e4e8f53a", size = 4699541, upload-time = "2025-09-17T00:10:06.925Z" }, - { url = "https://files.pythonhosted.org/packages/68/46/753d457492d15458c7b5a653fc9a84a1c9c7a83af6ebdc94c3fc373ca6e8/cryptography-46.0.1-cp38-abi3-win32.whl", hash = "sha256:45f790934ac1018adeba46a0f7289b2b8fe76ba774a88c7f1922213a56c98bc1", size = 3043779, upload-time = "2025-09-17T00:10:08.951Z" }, - { url = "https://files.pythonhosted.org/packages/2f/50/b6f3b540c2f6ee712feeb5fa780bb11fad76634e71334718568e7695cb55/cryptography-46.0.1-cp38-abi3-win_amd64.whl", hash = "sha256:7176a5ab56fac98d706921f6416a05e5aff7df0e4b91516f450f8627cda22af3", size = 3517226, upload-time = "2025-09-17T00:10:10.769Z" }, - { url = "https://files.pythonhosted.org/packages/ff/e8/77d17d00981cdd27cc493e81e1749a0b8bbfb843780dbd841e30d7f50743/cryptography-46.0.1-cp38-abi3-win_arm64.whl", hash = "sha256:efc9e51c3e595267ff84adf56e9b357db89ab2279d7e375ffcaf8f678606f3d9", size = 2923149, upload-time = "2025-09-17T00:10:13.236Z" }, + { url = "https://files.pythonhosted.org/packages/a4/98/40dfe932134bdcae4f6ab5927c87488754bf9eb79297d7e0070b78dd58e9/cryptography-47.0.0-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:160ad728f128972d362e714054f6ba0067cab7fb350c5202a9ae8ae4ce3ef1a0", size = 7912214, upload-time = "2026-04-24T19:53:03.864Z" }, + { url = "https://files.pythonhosted.org/packages/34/c6/2733531243fba725f58611b918056b277692f1033373dcc8bd01af1c05d4/cryptography-47.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b9a8943e359b7615db1a3ba587994618e094ff3d6fa5a390c73d079ce18b3973", size = 4644617, upload-time = "2026-04-24T19:53:06.909Z" }, + { url = "https://files.pythonhosted.org/packages/00/e3/b27be1a670a9b87f855d211cf0e1174a5d721216b7616bd52d8581d912ed/cryptography-47.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:f5c15764f261394b22aef6b00252f5195f46f2ca300bec57149474e2538b31f8", size = 4668186, upload-time = "2026-04-24T19:53:09.053Z" }, + { url = "https://files.pythonhosted.org/packages/81/b9/8443cfe5d17d482d348cee7048acf502bb89a51b6382f06240fd290d4ca3/cryptography-47.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:9c59ab0e0fa3a180a5a9c59f3a5abe3ef90d474bc56d7fadfbe80359491b615b", size = 4651244, upload-time = "2026-04-24T19:53:11.217Z" }, + { url = "https://files.pythonhosted.org/packages/5d/5e/13ed0cdd0eb88ba159d6dd5ebfece8cb901dbcf1ae5ac4072e28b55d3153/cryptography-47.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:34b4358b925a5ea3e14384ca781a2c0ef7ac219b57bb9eacc4457078e2b19f92", size = 5252906, upload-time = "2026-04-24T19:53:13.532Z" }, + { url = "https://files.pythonhosted.org/packages/64/16/ed058e1df0f33d440217cd120d41d5dda9dd215a80b8187f68483185af82/cryptography-47.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:0024b87d47ae2399165a6bfb20d24888881eeab83ae2566d62467c5ff0030ce7", size = 4701842, upload-time = "2026-04-24T19:53:15.618Z" }, + { url = "https://files.pythonhosted.org/packages/02/e0/3d30986b30fdbd9e969abbdf8ba00ed0618615144341faeb57f395a084fe/cryptography-47.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:1e47422b5557bb82d3fff997e8d92cff4e28b9789576984f08c248d2b3535d93", size = 4289313, upload-time = "2026-04-24T19:53:17.755Z" }, + { url = "https://files.pythonhosted.org/packages/df/fd/32db38e3ad0cb331f0691cb4c7a8a6f176f679124dee746b3af6633db4d9/cryptography-47.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:6f29f36582e6151d9686235e586dd35bb67491f024767d10b842e520dc6a07ac", size = 4650964, upload-time = "2026-04-24T19:53:20.062Z" }, + { url = "https://files.pythonhosted.org/packages/86/53/5395d944dfd48cb1f67917f533c609c34347185ef15eb4308024c876f274/cryptography-47.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:a9b761f012a943b7de0e828843c5688d0de94a0578d44d6c85a1bae32f87791f", size = 5207817, upload-time = "2026-04-24T19:53:22.498Z" }, + { url = "https://files.pythonhosted.org/packages/34/4f/e5711b28e1901f7d480a2b1b688b645aa4c77c73f10731ed17e7f7db3f0d/cryptography-47.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4e1de79e047e25d6e9f8cea71c86b4a53aced64134f0f003bbcbf3655fd172c8", size = 4701544, upload-time = "2026-04-24T19:53:24.356Z" }, + { url = "https://files.pythonhosted.org/packages/22/22/c8ddc25de3010fc8da447648f5a092c40e7a8fadf01dd6d255d9c0b9373d/cryptography-47.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:ef6b3634087f18d2155b1e8ce264e5345a753da2c5fa9815e7d41315c90f8318", size = 4783536, upload-time = "2026-04-24T19:53:26.665Z" }, + { url = "https://files.pythonhosted.org/packages/66/b6/d4a68f4ea999c6d89e8498579cba1c5fcba4276284de7773b17e4fa69293/cryptography-47.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:11dbb9f50a0f1bb9757b3d8c27c1101780efb8f0bdecfb12439c22a74d64c001", size = 4926106, upload-time = "2026-04-24T19:53:28.686Z" }, + { url = "https://files.pythonhosted.org/packages/54/ed/5f524db1fade9c013aa618e1c99c6ed05e8ffc9ceee6cda22fed22dda3f4/cryptography-47.0.0-cp311-abi3-win32.whl", hash = "sha256:7fda2f02c9015db3f42bb8a22324a454516ed10a8c29ca6ece6cdbb5efe2a203", size = 3258581, upload-time = "2026-04-24T19:53:31.058Z" }, + { url = "https://files.pythonhosted.org/packages/b2/dc/1b901990b174786569029f67542b3edf72ac068b6c3c8683c17e6a2f5363/cryptography-47.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:f5c3296dab66202f1b18a91fa266be93d6aa0c2806ea3d67762c69f60adc71aa", size = 3775309, upload-time = "2026-04-24T19:53:33.054Z" }, + { url = "https://files.pythonhosted.org/packages/14/88/7aa18ad9c11bc87689affa5ce4368d884b517502d75739d475fc6f4a03c7/cryptography-47.0.0-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:be12cb6a204f77ed968bcefe68086eb061695b540a3dd05edac507a3111b25f0", size = 7904299, upload-time = "2026-04-24T19:53:35.003Z" }, + { url = "https://files.pythonhosted.org/packages/07/55/c18f75724544872f234678fdedc871391722cb34a2aee19faa9f63100bb2/cryptography-47.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:2ebd84adf0728c039a3be2700289378e1c164afc6748df1a5ed456767bef9ba7", size = 4631180, upload-time = "2026-04-24T19:53:37.517Z" }, + { url = "https://files.pythonhosted.org/packages/ee/65/31a5cc0eaca99cec5bafffe155d407115d96136bb161e8b49e0ef73f09a7/cryptography-47.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7f68d6fbc7fbbcfb0939fea72c3b96a9f9a6edfc0e1b1d29778a2066030418b1", size = 4653529, upload-time = "2026-04-24T19:53:39.775Z" }, + { url = "https://files.pythonhosted.org/packages/e5/bc/641c0519a495f3bfd0421b48d7cd325c4336578523ccd76ea322b6c29c7a/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:6651d32eff255423503aa276739da98c30f26c40cbeffcc6048e0d54ef704c0c", size = 4638570, upload-time = "2026-04-24T19:53:42.129Z" }, + { url = "https://files.pythonhosted.org/packages/2b/f2/300327b0a47f6dc94dd8b71b57052aefe178bb51745073d73d80604f11ab/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3fb8fa48075fad7193f2e5496135c6a76ac4b2aa5a38433df0a539296b377829", size = 5238019, upload-time = "2026-04-24T19:53:44.577Z" }, + { url = "https://files.pythonhosted.org/packages/e9/5a/5b5cf994391d4bf9d9c7efd4c66aabe4d95227256627f8fea6cff7dfadbd/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:11438c7518132d95f354fa01a4aa2f806d172a061a7bed18cf18cbdacdb204d7", size = 4686832, upload-time = "2026-04-24T19:53:47.015Z" }, + { url = "https://files.pythonhosted.org/packages/dc/2c/ae950e28fd6475c852fc21a44db3e6b5bcc1261d1e370f2b6e42fa800fef/cryptography-47.0.0-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8c1a736bbb3288005796c3f7ccb9453360d7fed483b13b9f468aea5171432923", size = 4269301, upload-time = "2026-04-24T19:53:48.97Z" }, + { url = "https://files.pythonhosted.org/packages/67/fb/6a39782e150ffe5cc1b0018cb6ddc48bf7ca62b498d7539ffc8a758e977d/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:f1557695e5c2b86e204f6ce9470497848634100787935ab7adc5397c54abd7ab", size = 4638110, upload-time = "2026-04-24T19:53:51.011Z" }, + { url = "https://files.pythonhosted.org/packages/8e/d7/0b3c71090a76e5c203164a47688b697635ece006dcd2499ab3a4dbd3f0bd/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:f9a034b642b960767fb343766ae5ba6ad653f2e890ddd82955aef288ffea8736", size = 5194988, upload-time = "2026-04-24T19:53:52.962Z" }, + { url = "https://files.pythonhosted.org/packages/63/33/63a961498a9df51721ab578c5a2622661411fc520e00bd83b0cc64eb20c4/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:b1c76fca783aa7698eb21eb14f9c4aa09452248ee54a627d125025a43f83e7a7", size = 4686563, upload-time = "2026-04-24T19:53:55.274Z" }, + { url = "https://files.pythonhosted.org/packages/b7/bf/5ee5b145248f92250de86145d1c1d6edebbd57a7fe7caa4dedb5d4cf06a1/cryptography-47.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:4f7722c97826770bab8ae92959a2e7b20a5e9e9bf4deae68fd86c3ca457bab52", size = 4770094, upload-time = "2026-04-24T19:53:57.753Z" }, + { url = "https://files.pythonhosted.org/packages/92/43/21d220b2da5d517773894dacdcdb5c682c28d3fffce65548cb06e87d5501/cryptography-47.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:09f6d7bf6724f8db8b32f11eccf23efc8e759924bc5603800335cf8859a3ddbd", size = 4913811, upload-time = "2026-04-24T19:54:00.236Z" }, + { url = "https://files.pythonhosted.org/packages/31/98/dc4ad376ac5f1a1a7d4a83f7b0c6f2bcad36b5d2d8f30aeb482d3a7d9582/cryptography-47.0.0-cp314-cp314t-win32.whl", hash = "sha256:6eebcaf0df1d21ce1f90605c9b432dd2c4f4ab665ac29a40d5e3fc68f51b5e63", size = 3237158, upload-time = "2026-04-24T19:54:02.606Z" }, + { url = "https://files.pythonhosted.org/packages/bc/da/97f62d18306b5133468bc3f8cc73a3111e8cdc8cf8d3e69474d6e5fd2d1b/cryptography-47.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:51c9313e90bd1690ec5a75ed047c27c0b8e6c570029712943d6116ef9a90620b", size = 3758706, upload-time = "2026-04-24T19:54:04.433Z" }, + { url = "https://files.pythonhosted.org/packages/e0/34/a4fae8ae7c3bc227460c9ae43f56abf1b911da0ec29e0ebac53bb0a4b6b7/cryptography-47.0.0-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:14432c8a9bcb37009784f9594a62fae211a2ae9543e96c92b2a8e4c3cd5cd0c4", size = 7904072, upload-time = "2026-04-24T19:54:06.411Z" }, + { url = "https://files.pythonhosted.org/packages/01/64/d7b1e54fdb69f22d24a64bb3e88dc718b31c7fb10ef0b9691a3cf7eeea6e/cryptography-47.0.0-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:07efe86201817e7d3c18781ca9770bc0db04e1e48c994be384e4602bc38f8f27", size = 4635767, upload-time = "2026-04-24T19:54:08.519Z" }, + { url = "https://files.pythonhosted.org/packages/8b/7b/cca826391fb2a94efdcdfe4631eb69306ee1cff0b22f664a412c90713877/cryptography-47.0.0-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:2b45761c6ec22b7c726d6a829558777e32d0f1c8be7c3f3480f9c912d5ee8a10", size = 4654350, upload-time = "2026-04-24T19:54:10.795Z" }, + { url = "https://files.pythonhosted.org/packages/4c/65/4b57bcc823f42a991627c51c2f68c9fd6eb1393c1756aac876cba2accae2/cryptography-47.0.0-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:edd4da498015da5b9f26d38d3bfc2e90257bfa9cbed1f6767c282a0025ae649b", size = 4643394, upload-time = "2026-04-24T19:54:13.275Z" }, + { url = "https://files.pythonhosted.org/packages/f4/c4/2c5fbeea70adbbca2bbae865e1d605d6a4a7f8dbd9d33eaf69645087f06c/cryptography-47.0.0-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:9af828c0d5a65c70ec729cd7495a4bf1a67ecb66417b8f02ff125ab8a6326a74", size = 5225777, upload-time = "2026-04-24T19:54:15.18Z" }, + { url = "https://files.pythonhosted.org/packages/7e/b8/ac57107ef32749d2b244e36069bb688792a363aaaa3acc9e3cf84c130315/cryptography-47.0.0-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:256d07c78a04d6b276f5df935a9923275f53bd1522f214447fdf365494e2d515", size = 4688771, upload-time = "2026-04-24T19:54:17.835Z" }, + { url = "https://files.pythonhosted.org/packages/56/fc/9f1de22ff8be99d991f240a46863c52d475404c408886c5a38d2b5c3bb26/cryptography-47.0.0-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:5d0e362ff51041b0c0d219cc7d6924d7b8996f57ce5712bdcef71eb3c65a59cc", size = 4270753, upload-time = "2026-04-24T19:54:19.963Z" }, + { url = "https://files.pythonhosted.org/packages/00/68/d70c852797aa68e8e48d12e5a87170c43f67bb4a59403627259dd57d15de/cryptography-47.0.0-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:1581aef4219f7ca2849d0250edaa3866212fb74bf5667284f46aa92f9e65c1ca", size = 4642911, upload-time = "2026-04-24T19:54:21.818Z" }, + { url = "https://files.pythonhosted.org/packages/a5/51/661cbee74f594c5d97ff82d34f10d5551c085ca4668645f4606ebd22bd5d/cryptography-47.0.0-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:a49a3eb5341b9503fa3000a9a0db033161db90d47285291f53c2a9d2cd1b7f76", size = 5181411, upload-time = "2026-04-24T19:54:24.376Z" }, + { url = "https://files.pythonhosted.org/packages/94/87/f2b6c374a82cf076cfa1416992ac8e8ec94d79facc37aec87c1a5cb72352/cryptography-47.0.0-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:2207a498b03275d0051589e326b79d4cf59985c99031b05bb292ac52631c37fe", size = 4688262, upload-time = "2026-04-24T19:54:26.946Z" }, + { url = "https://files.pythonhosted.org/packages/14/e2/8b7462f4acf21ec509616f0245018bb197194ab0b65c2ea21a0bdd53c0eb/cryptography-47.0.0-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7a02675e2fabd0c0fc04c868b8781863cbf1967691543c22f5470500ff840b31", size = 4775506, upload-time = "2026-04-24T19:54:28.926Z" }, + { url = "https://files.pythonhosted.org/packages/70/75/158e494e4c08dc05e039da5bb48553826bd26c23930cf8d3cd5f21fa8921/cryptography-47.0.0-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80887c5cbd1774683cb126f0ab4184567f080071d5acf62205acb354b4b753b7", size = 4912060, upload-time = "2026-04-24T19:54:30.869Z" }, + { url = "https://files.pythonhosted.org/packages/06/bd/0a9d3edbf5eadbac926d7b9b3cd0c4be584eeeae4a003d24d9eda4affbbd/cryptography-47.0.0-cp38-abi3-win32.whl", hash = "sha256:ed67ea4e0cfb5faa5bc7ecb6e2b8838f3807a03758eec239d6c21c8769355310", size = 3248487, upload-time = "2026-04-24T19:54:33.494Z" }, + { url = "https://files.pythonhosted.org/packages/60/80/5681af756d0da3a599b7bdb586fac5a1540f1bcefd2717a20e611ddade45/cryptography-47.0.0-cp38-abi3-win_amd64.whl", hash = "sha256:835d2d7f47cdc53b3224e90810fb1d36ca94ea29cc1801fb4c1bc43876735769", size = 3755737, upload-time = "2026-04-24T19:54:35.408Z" }, ] [[package]] diff --git a/poetry.lock b/poetry.lock index 06941386e5..5431a16975 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand. [[package]] name = "about-time" @@ -2029,61 +2029,61 @@ toml = ["tomli ; python_full_version <= \"3.11.0a6\""] [[package]] name = "cryptography" -version = "46.0.6" +version = "46.0.7" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = "!=3.9.0,!=3.9.1,>=3.8" groups = ["main", "dev"] files = [ - {file = "cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19"}, - {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738"}, - {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c"}, - {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f"}, - {file = "cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2"}, - {file = "cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124"}, - {file = "cryptography-46.0.6-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4"}, - {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a"}, - {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d"}, - {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736"}, - {file = "cryptography-46.0.6-cp314-cp314t-win32.whl", hash = "sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed"}, - {file = "cryptography-46.0.6-cp314-cp314t-win_amd64.whl", hash = "sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4"}, - {file = "cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa"}, - {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58"}, - {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb"}, - {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72"}, - {file = "cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c"}, - {file = "cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a"}, - {file = "cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e"}, - {file = "cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759"}, + {file = "cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb"}, + {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b"}, + {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85"}, + {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e"}, + {file = "cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457"}, + {file = "cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b"}, + {file = "cryptography-46.0.7-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:d151173275e1728cf7839aaa80c34fe550c04ddb27b34f48c232193df8db5842"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:db0f493b9181c7820c8134437eb8b0b4792085d37dbb24da050476ccb664e59c"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ebd6daf519b9f189f85c479427bbd6e9c9037862cf8fe89ee35503bd209ed902"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:b7b412817be92117ec5ed95f880defe9cf18a832e8cafacf0a22337dc1981b4d"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:fbfd0e5f273877695cb93baf14b185f4878128b250cc9f8e617ea0c025dfb022"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:ffca7aa1d00cf7d6469b988c581598f2259e46215e0140af408966a24cf086ce"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:60627cf07e0d9274338521205899337c5d18249db56865f943cbe753aa96f40f"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:80406c3065e2c55d7f49a9550fe0c49b3f12e5bfff5dedb727e319e1afb9bf99"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:c5b1ccd1239f48b7151a65bc6dd54bcfcc15e028c8ac126d3fada09db0e07ef1"}, + {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d5f7520159cd9c2154eb61eb67548ca05c5774d39e9c2c4339fd793fe7d097b2"}, + {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:fcd8eac50d9138c1d7fc53a653ba60a2bee81a505f9f8850b6b2888555a45d0e"}, + {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:65814c60f8cc400c63131584e3e1fad01235edba2614b61fbfbfa954082db0ee"}, + {file = "cryptography-46.0.7-cp314-cp314t-win32.whl", hash = "sha256:fdd1736fed309b4300346f88f74cd120c27c56852c3838cab416e7a166f67298"}, + {file = "cryptography-46.0.7-cp314-cp314t-win_amd64.whl", hash = "sha256:e06acf3c99be55aa3b516397fe42f5855597f430add9c17fa46bf2e0fb34c9bb"}, + {file = "cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006"}, + {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0"}, + {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85"}, + {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e"}, + {file = "cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246"}, + {file = "cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968"}, + {file = "cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4"}, + {file = "cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5"}, ] [package.dependencies] @@ -2097,7 +2097,7 @@ nox = ["nox[uv] (>=2024.4.15)"] pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"] sdist = ["build (>=1.0.0)"] ssh = ["bcrypt (>=3.1.5)"] -test = ["certifi (>=2024)", "cryptography-vectors (==46.0.6)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"] +test = ["certifi (>=2024)", "cryptography-vectors (==46.0.7)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"] test-randomorder = ["pytest-randomly"] [[package]] @@ -5445,25 +5445,25 @@ files = [ [[package]] name = "requests" -version = "2.32.4" +version = "2.33.1" description = "Python HTTP for Humans." optional = false -python-versions = ">=3.8" +python-versions = ">=3.10" groups = ["main", "dev"] files = [ - {file = "requests-2.32.4-py3-none-any.whl", hash = "sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c"}, - {file = "requests-2.32.4.tar.gz", hash = "sha256:27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422"}, + {file = "requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a"}, + {file = "requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"}, ] [package.dependencies] -certifi = ">=2017.4.17" +certifi = ">=2023.5.7" charset_normalizer = ">=2,<4" idna = ">=2.5,<4" -urllib3 = ">=1.21.1,<3" +urllib3 = ">=1.26,<3" [package.extras] socks = ["PySocks (>=1.5.6,!=1.5.7)"] -use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] +use-chardet-on-py3 = ["chardet (>=3.0.2,<8)"] [[package]] name = "requests-file" @@ -6735,4 +6735,4 @@ files = [ [metadata] lock-version = "2.1" python-versions = ">=3.10,<3.13" -content-hash = "09ce4507a464b318702ed8c6a738f3bb1bc4cc6ff5a50a9c2884f560af9ab034" +content-hash = "d7e2ad41783a864bb845f63ccc10c88ae1e4ac36d61993ea106bbb4a5f58a843" diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 589f76323c..7d0915e31b 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -14,11 +14,11 @@ All notable changes to the **Prowler SDK** are documented in this file. ### 🔄 Changed -- `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920) - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645) -- Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs +- Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937) - AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639) - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301) +- Restore the `ec2-imdsv1` category for EC2 IMDS checks to keep Attack Surface and findings filters aligned [(#10998)](https://github.com/prowler-cloud/prowler/pull/10998) ### 🐞 Fixed @@ -29,6 +29,18 @@ All notable changes to the **Prowler SDK** are documented in this file. ### 🔐 Security - Parser-mismatch SSRF in image provider registry auth where crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin [(#10945)](https://github.com/prowler-cloud/prowler/pull/10945) +- `cryptography` from 46.0.6 to 46.0.7 and `trivy` binary from 0.69.2 to 0.70.0 in the SDK image for CVE-2026-39892 and CVE-2026-33186 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978) + +--- + +## [5.25.2] (Prowler v5.25.2) + +### 🐞 Fixed + +- `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920) +- Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings [(#10242)](https://github.com/prowler-cloud/prowler/pull/10242) +- Match K8s RBAC rules by `apiGroup` [(#10969)](https://github.com/prowler-cloud/prowler/pull/10969) +- Return a compact actor name from CloudTrail `userIdentity` events [(#10986)](https://github.com/prowler-cloud/prowler/pull/10986) --- diff --git a/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py b/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py index b73d070078..2f03dd8c84 100644 --- a/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py +++ b/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py @@ -221,27 +221,12 @@ class CloudTrailTimeline(TimelineService): @staticmethod def _extract_actor(user_identity: Dict[str, Any]) -> str: - """Extract a human-readable actor name from CloudTrail userIdentity.""" - # Try ARN first - most reliable + """Return a compact actor name from CloudTrail userIdentity. + + For ARNs, returns the resource portion (everything after the last + `:`) — e.g. `user/alice`, `assumed-role/MyRole/session-name`, + `root`. The full ARN is preserved separately in `actor_uid`. + """ if arn := user_identity.get("arn"): - if "/" in arn: - parts = arn.split("/") - # For assumed-role, return the role name (second-to-last part) - if "assumed-role" in arn and len(parts) >= 2: - return parts[-2] - return parts[-1] - return arn.split(":")[-1] - - # Fall back to userName - if username := user_identity.get("userName"): - return username - - # Fall back to principalId - if principal_id := user_identity.get("principalId"): - return principal_id - - # For service-invoked actions - if invoking_service := user_identity.get("invokedBy"): - return invoking_service - - return "Unknown" + return arn.rsplit(":", 1)[-1] + return user_identity.get("invokedBy") or "Unknown" diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json index bc074fe730..7228d5dd59 100644 --- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json +++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json @@ -34,7 +34,8 @@ } }, "Categories": [ - "secrets" + "secrets", + "ec2-imdsv1" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json index 5637f40e23..77d24a4820 100644 --- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json +++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json @@ -36,7 +36,8 @@ }, "Categories": [ "identity-access", - "secrets" + "secrets", + "ec2-imdsv1" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py b/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py index c3db38b2f7..04bf9b4c9c 100644 --- a/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py +++ b/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py @@ -1,36 +1,37 @@ -def is_rule_allowing_permissions(rules, resources, verbs): +def is_rule_allowing_permissions(rules, resources, verbs, api_groups=("",)): """ - Check Kubernetes role permissions. + Check whether any RBAC rule grants the specified verbs on the specified + resources within the specified API groups. - This function takes in Kubernetes role rules, resources, and verbs, - and checks if any of the rules grant permissions on the specified - resources with the specified verbs. + A rule matches when its `apiGroups` includes any of `api_groups` (or "*"), + its `resources` includes any of `resources` (or "*"), and its `verbs` + includes any of `verbs` (or "*"). Args: - rules (List[Rule]): The list of Kubernetes role rules. - resources (List[str]): The list of resources to check permissions for. - verbs (List[str]): The list of verbs to check permissions for. + rules (List[Rule]): RBAC rules from a Role or ClusterRole. + resources (List[str]): Resources (or sub-resources) to check. + verbs (List[str]): Verbs to check. + api_groups (Iterable[str]): API groups the resources live in. Defaults + to ("",), the core API group, which matches the most common case. + Pass an explicit value for resources outside the core group, e.g. + ("admissionregistration.k8s.io",) for webhook configurations. Returns: - bool: True if any of the rules grant permissions, False otherwise. + bool: True if any rule grants the permission, False otherwise. """ - if rules: - # Iterate through each rule in the list of rules - for rule in rules: - # Ensure apiGroups are relevant ("" or "v1" for secrets) - if rule.apiGroups and all(api not in ["", "v1"] for api in rule.apiGroups): - continue # Skip rules with unrelated apiGroups - # Check if the rule has resources, verbs, and matches any of the specified resources and verbs - if ( - rule.resources - and ( - any(resource in rule.resources for resource in resources) - or "*" in rule.resources - ) - and rule.verbs - and (any(verb in rule.verbs for verb in verbs) or "*" in rule.verbs) - ): - # If the rule matches, return True - return True - # If no rule matches, return False + if not rules: + return False + for rule in rules: + rule_api_groups = rule.apiGroups or [""] + if not ( + any(g in rule_api_groups for g in api_groups) or "*" in rule_api_groups + ): + continue + if ( + rule.resources + and (any(r in rule.resources for r in resources) or "*" in rule.resources) + and rule.verbs + and (any(v in rule.verbs for v in verbs) or "*" in rule.verbs) + ): + return True return False diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py index f2527b4606..2b86f0cafe 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py @@ -6,29 +6,40 @@ from prowler.providers.kubernetes.services.rbac.rbac_client import rbac_client verbs = ["update", "patch"] resources = ["certificatesigningrequests/approval"] +api_groups = ["certificates.k8s.io"] class rbac_minimize_csr_approval_access(Check): def execute(self) -> Check_Report_Kubernetes: findings = [] + # Collect unique subjects and the ClusterRole names bound to them + subjects_bound_roles = {} for crb in rbac_client.cluster_role_bindings.values(): for subject in crb.subjects: + # CIS benchmarks scope these checks to human identities only if subject.kind in ["User", "Group"]: - report = Check_Report_Kubernetes( - metadata=self.metadata(), resource=subject - ) - report.status = "PASS" - report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource." - for cr in rbac_client.cluster_roles.values(): - if cr.metadata.name == crb.roleRef.name: - if is_rule_allowing_permissions( - cr.rules, - resources, - verbs, - ): - report.status = "FAIL" - report.status_extended = f"User or group '{subject.name}' has access to update the CSR approval sub-resource." - break - findings.append(report) + key = (subject.kind, subject.name, subject.namespace) + if key not in subjects_bound_roles: + subjects_bound_roles[key] = (subject, set()) + subjects_bound_roles[key][1].add(crb.roleRef.name) + + cluster_roles_by_name = { + cr.metadata.name: cr for cr in rbac_client.cluster_roles.values() + } + for _, (subject, role_names) in subjects_bound_roles.items(): + report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject) + report.resource_name = f"{subject.kind}:{subject.name}" + report.resource_id = f"{subject.kind}/{subject.name}" + report.status = "PASS" + report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource." + for role_name in role_names: + cr = cluster_roles_by_name.get(role_name) + if cr and is_rule_allowing_permissions( + cr.rules, resources, verbs, api_groups + ): + report.status = "FAIL" + report.status_extended = f"User or group '{subject.name}' has access to update the CSR approval sub-resource." + break + findings.append(report) return findings diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py index 913d968f31..377e5345da 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py @@ -11,20 +11,32 @@ resources = ["nodes/proxy"] class rbac_minimize_node_proxy_subresource_access(Check): def execute(self) -> Check_Report_Kubernetes: findings = [] + # Collect unique subjects and the ClusterRole names bound to them + subjects_bound_roles = {} for crb in rbac_client.cluster_role_bindings.values(): for subject in crb.subjects: + # CIS benchmarks scope these checks to human identities only if subject.kind in ["User", "Group"]: - report = Check_Report_Kubernetes( - metadata=self.metadata(), resource=subject - ) - report.status = "PASS" - report.status_extended = f"User or group '{subject.name}' does not have access to the node proxy sub-resource." - for cr in rbac_client.cluster_roles.values(): - if cr.metadata.name == crb.roleRef.name: - if is_rule_allowing_permissions(cr.rules, resources, verbs): - report.status = "FAIL" - report.status_extended = f"User or group '{subject.name}' has access to the node proxy sub-resource." - break - findings.append(report) + key = (subject.kind, subject.name, subject.namespace) + if key not in subjects_bound_roles: + subjects_bound_roles[key] = (subject, set()) + subjects_bound_roles[key][1].add(crb.roleRef.name) + + cluster_roles_by_name = { + cr.metadata.name: cr for cr in rbac_client.cluster_roles.values() + } + for _, (subject, role_names) in subjects_bound_roles.items(): + report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject) + report.resource_name = f"{subject.kind}:{subject.name}" + report.resource_id = f"{subject.kind}/{subject.name}" + report.status = "PASS" + report.status_extended = f"User or group '{subject.name}' does not have access to the node proxy sub-resource." + for role_name in role_names: + cr = cluster_roles_by_name.get(role_name) + if cr and is_rule_allowing_permissions(cr.rules, resources, verbs): + report.status = "FAIL" + report.status_extended = f"User or group '{subject.name}' has access to the node proxy sub-resource." + break + findings.append(report) return findings diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py index 204942c57e..2fb76bbed7 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py @@ -11,21 +11,32 @@ resources = ["persistentvolumes"] class rbac_minimize_pv_creation_access(Check): def execute(self) -> Check_Report_Kubernetes: findings = [] - # Check each ClusterRoleBinding for access to create PersistentVolumes + # Collect unique subjects and the ClusterRole names bound to them + subjects_bound_roles = {} for crb in rbac_client.cluster_role_bindings.values(): for subject in crb.subjects: + # CIS benchmarks scope these checks to human identities only if subject.kind in ["User", "Group"]: - report = Check_Report_Kubernetes( - metadata=self.metadata(), resource=subject - ) - report.status = "PASS" - report.status_extended = f"User or group '{subject.name}' does not have access to create PersistentVolumes." - for cr in rbac_client.cluster_roles.values(): - if cr.metadata.name == crb.roleRef.name: - if is_rule_allowing_permissions(cr.rules, resources, verbs): - report.status = "FAIL" - report.status_extended = f"User or group '{subject.name}' has access to create PersistentVolumes." - break - findings.append(report) + key = (subject.kind, subject.name, subject.namespace) + if key not in subjects_bound_roles: + subjects_bound_roles[key] = (subject, set()) + subjects_bound_roles[key][1].add(crb.roleRef.name) + + cluster_roles_by_name = { + cr.metadata.name: cr for cr in rbac_client.cluster_roles.values() + } + for _, (subject, role_names) in subjects_bound_roles.items(): + report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject) + report.resource_name = f"{subject.kind}:{subject.name}" + report.resource_id = f"{subject.kind}/{subject.name}" + report.status = "PASS" + report.status_extended = f"User or group '{subject.name}' does not have access to create PersistentVolumes." + for role_name in role_names: + cr = cluster_roles_by_name.get(role_name) + if cr and is_rule_allowing_permissions(cr.rules, resources, verbs): + report.status = "FAIL" + report.status_extended = f"User or group '{subject.name}' has access to create PersistentVolumes." + break + findings.append(report) return findings diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py index 9b1318c92f..8e492309db 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py @@ -11,20 +11,32 @@ resources = ["serviceaccounts/token"] class rbac_minimize_service_account_token_creation(Check): def execute(self) -> Check_Report_Kubernetes: findings = [] + # Collect unique subjects and the ClusterRole names bound to them + subjects_bound_roles = {} for crb in rbac_client.cluster_role_bindings.values(): for subject in crb.subjects: + # CIS benchmarks scope these checks to human identities only if subject.kind in ["User", "Group"]: - report = Check_Report_Kubernetes( - metadata=self.metadata(), resource=subject - ) - report.status = "PASS" - report.status_extended = f"User or group '{subject.name}' does not have access to create service account tokens." - for cr in rbac_client.cluster_roles.values(): - if cr.metadata.name == crb.roleRef.name: - if is_rule_allowing_permissions(cr.rules, resources, verbs): - report.status = "FAIL" - report.status_extended = f"User or group '{subject.name}' has access to create service account tokens." - break - findings.append(report) + key = (subject.kind, subject.name, subject.namespace) + if key not in subjects_bound_roles: + subjects_bound_roles[key] = (subject, set()) + subjects_bound_roles[key][1].add(crb.roleRef.name) + + cluster_roles_by_name = { + cr.metadata.name: cr for cr in rbac_client.cluster_roles.values() + } + for _, (subject, role_names) in subjects_bound_roles.items(): + report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject) + report.resource_name = f"{subject.kind}:{subject.name}" + report.resource_id = f"{subject.kind}/{subject.name}" + report.status = "PASS" + report.status_extended = f"User or group '{subject.name}' does not have access to create service account tokens." + for role_name in role_names: + cr = cluster_roles_by_name.get(role_name) + if cr and is_rule_allowing_permissions(cr.rules, resources, verbs): + report.status = "FAIL" + report.status_extended = f"User or group '{subject.name}' has access to create service account tokens." + break + findings.append(report) return findings diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py index 2da9893dab..e646efeeef 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py @@ -9,29 +9,40 @@ resources = [ "mutatingwebhookconfigurations", ] verbs = ["create", "update", "delete"] +api_groups = ["admissionregistration.k8s.io"] class rbac_minimize_webhook_config_access(Check): def execute(self) -> Check_Report_Kubernetes: findings = [] + # Collect unique subjects and the ClusterRole names bound to them + subjects_bound_roles = {} for crb in rbac_client.cluster_role_bindings.values(): for subject in crb.subjects: + # CIS benchmarks scope these checks to human identities only if subject.kind in ["User", "Group"]: - report = Check_Report_Kubernetes( - metadata=self.metadata(), resource=subject - ) - report.status = "PASS" - report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations." - for cr in rbac_client.cluster_roles.values(): - if cr.metadata.name == crb.roleRef.name: - if is_rule_allowing_permissions( - cr.rules, - resources, - verbs, - ): - report.status = "FAIL" - report.status_extended = f"User or group '{subject.name}' has access to create, update, or delete webhook configurations." - break - findings.append(report) + key = (subject.kind, subject.name, subject.namespace) + if key not in subjects_bound_roles: + subjects_bound_roles[key] = (subject, set()) + subjects_bound_roles[key][1].add(crb.roleRef.name) + + cluster_roles_by_name = { + cr.metadata.name: cr for cr in rbac_client.cluster_roles.values() + } + for _, (subject, role_names) in subjects_bound_roles.items(): + report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject) + report.resource_name = f"{subject.kind}:{subject.name}" + report.resource_id = f"{subject.kind}/{subject.name}" + report.status = "PASS" + report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations." + for role_name in role_names: + cr = cluster_roles_by_name.get(role_name) + if cr and is_rule_allowing_permissions( + cr.rules, resources, verbs, api_groups + ): + report.status = "FAIL" + report.status_extended = f"User or group '{subject.name}' has access to create, update, or delete webhook configurations." + break + findings.append(report) return findings diff --git a/pyproject.toml b/pyproject.toml index 74660c9c30..e363b6b54d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -45,7 +45,7 @@ dependencies = [ "boto3==1.40.61", "botocore==1.40.61", "colorama==0.4.6", - "cryptography==46.0.6", + "cryptography==46.0.7", "dash==3.1.1", "dash-bootstrap-components==2.0.3", "defusedxml==0.7.1", diff --git a/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py b/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py index aeca0f7c1d..5c2c99cbfc 100644 --- a/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py +++ b/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py @@ -100,7 +100,7 @@ class TestCloudTrailTimeline: assert len(result) == 1 assert result[0]["event_name"] == "RunInstances" - assert result[0]["actor"] == "admin" + assert result[0]["actor"] == "user/admin" assert result[0]["source_ip_address"] == "203.0.113.1" def test_get_resource_timeline_with_resource_uid( @@ -304,14 +304,28 @@ class TestExtractActor: "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice", } - assert CloudTrailTimeline._extract_actor(user_identity) == "alice" + assert CloudTrailTimeline._extract_actor(user_identity) == "user/alice" def test_extract_actor_assumed_role(self): user_identity = { "type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/MyRole/session-name", } - assert CloudTrailTimeline._extract_actor(user_identity) == "MyRole" + assert ( + CloudTrailTimeline._extract_actor(user_identity) + == "assumed-role/MyRole/session-name" + ) + + def test_extract_actor_assumed_role_sso(self): + """SSO sessions store the user identity in the session name.""" + user_identity = { + "type": "AssumedRole", + "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_abcdef1234567890/user@example.com", + } + assert ( + CloudTrailTimeline._extract_actor(user_identity) + == "assumed-role/AWSReservedSSO_AdministratorAccess_abcdef1234567890/user@example.com" + ) def test_extract_actor_root(self): user_identity = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"} @@ -327,21 +341,33 @@ class TestExtractActor: == "elasticloadbalancing.amazonaws.com" ) - def test_extract_actor_fallback_to_principal_id(self): - user_identity = {"type": "Unknown", "principalId": "AROAEXAMPLEID:session"} - assert ( - CloudTrailTimeline._extract_actor(user_identity) == "AROAEXAMPLEID:session" - ) - def test_extract_actor_unknown(self): assert CloudTrailTimeline._extract_actor({}) == "Unknown" + def test_extract_actor_username_only_returns_unknown(self): + """When userIdentity carries only userName/principalId (no arn or + invokedBy), we deliberately return "Unknown" — we rely on the ARN + from the upstream service for the actor.""" + assert ( + CloudTrailTimeline._extract_actor({"type": "IAMUser", "userName": "alice"}) + == "Unknown" + ) + assert ( + CloudTrailTimeline._extract_actor( + {"type": "Unknown", "principalId": "AROAEXAMPLEID:session"} + ) + == "Unknown" + ) + def test_extract_actor_federated_user(self): user_identity = { "type": "FederatedUser", "arn": "arn:aws:sts::123456789012:federated-user/developer", } - assert CloudTrailTimeline._extract_actor(user_identity) == "developer" + assert ( + CloudTrailTimeline._extract_actor(user_identity) + == "federated-user/developer" + ) class TestParseEvent: @@ -380,7 +406,7 @@ class TestParseEvent: assert result is not None assert result["event_name"] == "RunInstances" assert result["event_source"] == "ec2.amazonaws.com" - assert result["actor"] == "admin" + assert result["actor"] == "user/admin" assert result["actor_uid"] == "arn:aws:iam::123456789012:user/admin" assert result["actor_type"] == "IAMUser" @@ -424,7 +450,10 @@ class TestParseEvent: "EventName": "RunInstances", "EventSource": "ec2.amazonaws.com", "CloudTrailEvent": { - "userIdentity": {"type": "IAMUser", "userName": "admin"}, + "userIdentity": { + "type": "IAMUser", + "arn": "arn:aws:iam::123456789012:user/admin", + }, }, } timeline = CloudTrailTimeline(session=mock_session) @@ -432,7 +461,7 @@ class TestParseEvent: assert result is not None assert result["event_name"] == "RunInstances" - assert result["actor"] == "admin" + assert result["actor"] == "user/admin" def test_parse_event_missing_event_id(self, mock_session): """Test parsing event without EventId returns None (event_id is required).""" @@ -506,7 +535,7 @@ class TestParseEvent: assert result is not None assert result["event_name"] == "RunInstances" - assert result["actor"] == "admin" + assert result["actor"] == "user/admin" # actor_type should be None when not present in userIdentity assert result["actor_type"] is None diff --git a/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py b/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py index 696550c06c..94028547e9 100644 --- a/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py +++ b/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py @@ -6,90 +6,92 @@ from prowler.providers.kubernetes.services.rbac.rbac_service import Rule class TestCheckRolePermissions: def test_is_rule_allowing_permissions(self): - # Define some sample rules, resources, and verbs for testing rules = [ - # Rule 1: Allows 'get' and 'list' on 'pods' and 'services' Rule(resources=["pods", "services"], verbs=["get", "list"]), - # Rule 2: Allows 'create' and 'delete' on 'deployments' Rule(resources=["deployments"], verbs=["create", "delete"]), ] - resources = ["pods", "deployments"] - verbs = ["get", "create"] - - assert is_rule_allowing_permissions(rules, resources, verbs) + assert is_rule_allowing_permissions( + rules, ["pods", "deployments"], ["get", "create"] + ) def test_no_permissions(self): - # Test when there are no rules - rules = [] - resources = ["pods", "deployments"] - verbs = ["get", "create"] - - assert not is_rule_allowing_permissions(rules, resources, verbs) + assert not is_rule_allowing_permissions([], ["pods"], ["get"]) def test_no_matching_rules(self): - # Test when there are rules, but none match the specified resources and verbs rules = [ Rule(resources=["services"], verbs=["get", "list"]), Rule(resources=["pods"], verbs=["create", "delete"]), ] - resources = ["deployments", "configmaps"] - verbs = ["get", "create"] - - assert not is_rule_allowing_permissions(rules, resources, verbs) + assert not is_rule_allowing_permissions( + rules, ["deployments", "configmaps"], ["get", "create"] + ) def test_empty_rules(self): - # Test when the rules list is empty - rules = [] - resources = ["pods", "deployments"] - verbs = ["get", "create"] - - assert not is_rule_allowing_permissions(rules, resources, verbs) + assert not is_rule_allowing_permissions([], ["pods"], ["get"]) def test_empty_resources_and_verbs(self): - # Test when resources and verbs are empty lists - rules = [ - Rule(resources=["pods"], verbs=["get"]), - Rule(resources=["services"], verbs=["list"]), - ] - resources = [] - verbs = [] - - assert not is_rule_allowing_permissions(rules, resources, verbs) + rules = [Rule(resources=["pods"], verbs=["get"])] + assert not is_rule_allowing_permissions(rules, [], []) def test_matching_rule_with_empty_resources_or_verbs(self): - # Test when a rule matches, but either resources or verbs are empty + rules = [Rule(resources=["pods"], verbs=["get"])] + assert not is_rule_allowing_permissions(rules, [], ["get"]) + assert not is_rule_allowing_permissions(rules, ["pods"], []) + + def test_rule_with_non_matching_api_group(self): + rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=["apps"])] + assert not is_rule_allowing_permissions(rules, ["pods"], ["get"]) + + def test_rule_with_matching_api_group(self): + rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=[""])] + assert is_rule_allowing_permissions(rules, ["pods"], ["get"]) + + def test_default_api_group_is_core(self): + rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=None)] + assert is_rule_allowing_permissions(rules, ["pods"], ["get"]) + + def test_rule_with_empty_api_groups_does_not_match_non_core_request(self): + rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=None)] + assert not is_rule_allowing_permissions( + rules, ["pods"], ["get"], ["admissionregistration.k8s.io"] + ) + + def test_non_core_rule_does_not_match_without_api_groups_argument(self): rules = [ - Rule(resources=["pods"], verbs=["get"]), - Rule(resources=["services"], verbs=["list"]), + Rule( + resources=["validatingwebhookconfigurations"], + verbs=["create"], + apiGroups=["admissionregistration.k8s.io"], + ) ] - resources = [] - verbs = ["get"] + assert not is_rule_allowing_permissions( + rules, ["validatingwebhookconfigurations"], ["create"] + ) - assert not is_rule_allowing_permissions(rules, resources, verbs) - - resources = ["pods"] - verbs = [] - - assert not is_rule_allowing_permissions(rules, resources, verbs) - - def test_rule_with_ignored_api_groups(self): - # Test when a rule has apiGroups that are not relevant + def test_explicit_non_core_api_group(self): rules = [ - Rule(resources=["pods"], verbs=["get"], apiGroups=["test"]), - Rule(resources=["services"], verbs=["list"], apiGroups=["test2"]), + Rule( + resources=["validatingwebhookconfigurations"], + verbs=["create"], + apiGroups=["admissionregistration.k8s.io"], + ) ] - resources = ["pods"] - verbs = ["get"] + assert is_rule_allowing_permissions( + rules, + ["validatingwebhookconfigurations"], + ["create"], + ["admissionregistration.k8s.io"], + ) - assert not is_rule_allowing_permissions(rules, resources, verbs) + def test_rule_with_wildcard_api_group(self): + rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=["*"])] + assert is_rule_allowing_permissions(rules, ["pods"], ["get"]) + assert is_rule_allowing_permissions(rules, ["pods"], ["get"], ["apps"]) - def test_rule_with_relevant_api_groups(self): - # Test when a rule has apiGroups that are relevant - rules = [ - Rule(resources=["pods"], verbs=["get"], apiGroups=["", "v1"]), - Rule(resources=["services"], verbs=["list"], apiGroups=["test2"]), - ] - resources = ["pods"] - verbs = ["get"] + def test_rule_with_wildcard_resources(self): + rules = [Rule(resources=["*"], verbs=["get"], apiGroups=[""])] + assert is_rule_allowing_permissions(rules, ["pods"], ["get"]) - assert is_rule_allowing_permissions(rules, resources, verbs) + def test_rule_with_wildcard_verbs(self): + rules = [Rule(resources=["pods"], verbs=["*"], apiGroups=[""])] + assert is_rule_allowing_permissions(rules, ["pods"], ["get"]) diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md index 4b63c9cd84..994c5c9116 100644 --- a/ui/CHANGELOG.md +++ b/ui/CHANGELOG.md @@ -2,7 +2,15 @@ All notable changes to the **Prowler UI** are documented in this file. -## [1.25.2] (Prowler UNRELEASED) +## [1.26.0] (Prowler UNRELEASED) + +### 🔄 Changed + +- Standardized "Providers" wording across UI and documentation, replacing legacy "Cloud Providers" / "Accounts" / "Account Groups" copy [(#10971)](https://github.com/prowler-cloud/prowler/pull/10971) + +--- + +## [1.25.2] (Prowler v5.25.2) ### 🔄 Changed diff --git a/ui/actions/manage-groups/manage-groups.ts b/ui/actions/manage-groups/manage-groups.ts index 8758b66f68..933dabbdbc 100644 --- a/ui/actions/manage-groups/manage-groups.ts +++ b/ui/actions/manage-groups/manage-groups.ts @@ -23,7 +23,7 @@ export const getProviderGroups = async ({ const headers = await getAuthHeaders({ contentType: false }); if (isNaN(Number(page)) || page < 1) - redirect("/providers?tab=account-groups"); + redirect("/providers?tab=provider-groups"); const url = new URL(`${apiBaseUrl}/provider-groups`); @@ -112,7 +112,7 @@ export const createProviderGroup = async (formData: FormData) => { body, }); - return await handleApiResponse(response, "/providers?tab=account-groups"); + return await handleApiResponse(response, "/providers?tab=provider-groups"); } catch (error) { handleApiError(error); } @@ -169,7 +169,7 @@ export const deleteProviderGroup = async (formData: FormData) => { if (!providerGroupId) { return { - errors: [{ detail: "Account Group ID is required." }], + errors: [{ detail: "Provider Group ID is required." }], }; } diff --git a/ui/app/(prowler)/_overview/_components/accounts-selector.tsx b/ui/app/(prowler)/_overview/_components/accounts-selector.tsx index e134625d98..7d20c96355 100644 --- a/ui/app/(prowler)/_overview/_components/accounts-selector.tsx +++ b/ui/app/(prowler)/_overview/_components/accounts-selector.tsx @@ -146,7 +146,7 @@ export function AccountsSelector({ const filterDescription = selectedProviderTypes && selectedProviderTypes.length > 0 ? `Accounts for ${selectedProviderTypes.map(getProviderDisplayName).join(", ")}` - : "All connected cloud provider accounts"; + : "All connected provider accounts"; return (
@@ -155,8 +155,8 @@ export function AccountsSelector({ className="sr-only" id="accounts-label" > - Filter by cloud provider account. {filterDescription}. Select one or - more accounts to view findings. + Filter by provider account. {filterDescription}. Select one or more + accounts to view findings. - Filter by cloud provider type. Select one or more providers to view - findings. + Filter by provider type. Select one or more providers to view findings. ( - + ), cell: ({ row }) => ( { ); const source = readFileSync(columnsPath, "utf8"); - // Account is fixed, Account Groups is fluid (no explicit size) + // Provider is fixed, Provider Groups is fluid (no explicit size) expect(source).toContain("size: 420"); expect(source).toContain("size: 160"); expect(source).toContain("size: 140"); diff --git a/ui/app/(prowler)/providers/page.tsx b/ui/app/(prowler)/providers/page.tsx index 8cbdfb3459..cb2dae2e8b 100644 --- a/ui/app/(prowler)/providers/page.tsx +++ b/ui/app/(prowler)/providers/page.tsx @@ -7,7 +7,7 @@ import { ContentLayout } from "@/components/ui"; import { FilterTransitionWrapper } from "@/contexts"; import { SearchParamsProps } from "@/types"; -import { AccountGroupsContent } from "./account-groups-content"; +import { ProviderGroupsContent } from "./provider-groups-content"; import { ProviderPageTabs } from "./provider-page-tabs"; import { getProviderTab } from "./provider-page-tabs.shared"; import { loadProvidersAccountsViewData } from "./providers-page.utils"; @@ -25,24 +25,24 @@ export default async function Providers({ const searchParamsKey = JSON.stringify(paramsWithoutTab); return ( - + } > - + } - accountGroupsContent={ + providerGroupsContent={ } + fallback={} > - + } /> @@ -59,7 +59,7 @@ const ProvidersTableFallback = () => { {/* Organizations filter */} - {/* Account Groups filter */} + {/* Provider Groups filter */} {/* Status filter */} @@ -74,7 +74,7 @@ const ProvidersTableFallback = () => { ); }; -const AccountGroupsFallback = () => { +const ProviderGroupsFallback = () => { return (
@@ -95,7 +95,7 @@ const AccountGroupsFallback = () => { ); }; -const ProvidersAccountsContent = async ({ +const ProvidersTabContent = async ({ searchParams, }: { searchParams: SearchParamsProps; diff --git a/ui/app/(prowler)/providers/account-groups-content.tsx b/ui/app/(prowler)/providers/provider-groups-content.tsx similarity index 93% rename from ui/app/(prowler)/providers/account-groups-content.tsx rename to ui/app/(prowler)/providers/provider-groups-content.tsx index f171f521f9..2bb4cd9ae8 100644 --- a/ui/app/(prowler)/providers/account-groups-content.tsx +++ b/ui/app/(prowler)/providers/provider-groups-content.tsx @@ -9,7 +9,7 @@ import { ColumnGroups } from "@/components/manage-groups/table"; import { DataTable } from "@/components/ui/table"; import { ProviderProps, Role, SearchParamsProps } from "@/types"; -export const AccountGroupsContent = async ({ +export const ProviderGroupsContent = async ({ searchParams, }: { searchParams: SearchParamsProps; @@ -57,10 +57,10 @@ export const AccountGroupsContent = async ({ ) : (

- Create a new account group + Create a new provider group

- Create a new account group to manage the providers and roles. + Create a new provider group to manage the providers and roles.

@@ -127,9 +127,9 @@ const EditGroupSection = ({ return (
-

Edit account group

+

Edit provider group

- Edit the account group to manage the providers and roles. + Edit the provider group to manage the providers and roles.

{ pushMock.mockClear(); }); - it("falls back to accounts when tab search params are invalid", () => { - expect(getProviderTab(undefined)).toBe(PROVIDER_TAB.ACCOUNTS); - expect(getProviderTab(["account-groups"])).toBe(PROVIDER_TAB.ACCOUNTS); - expect(getProviderTab("invalid-tab")).toBe(PROVIDER_TAB.ACCOUNTS); - expect(getProviderTab(PROVIDER_TAB.ACCOUNT_GROUPS)).toBe( - PROVIDER_TAB.ACCOUNT_GROUPS, + it("falls back to providers when tab search params are invalid", () => { + expect(getProviderTab(undefined)).toBe(PROVIDER_TAB.PROVIDERS); + expect(getProviderTab(["provider-groups"])).toBe(PROVIDER_TAB.PROVIDERS); + expect(getProviderTab("invalid-tab")).toBe(PROVIDER_TAB.PROVIDERS); + expect(getProviderTab(PROVIDER_TAB.PROVIDER_GROUPS)).toBe( + PROVIDER_TAB.PROVIDER_GROUPS, ); }); - it("shows the accounts tab when the route changes back to accounts", () => { + it("shows the providers tab when the route changes back to providers", () => { const { rerender } = render( Accounts content
} - accountGroupsContent={
Account groups content
} + activeTab={PROVIDER_TAB.PROVIDER_GROUPS} + providersContent={
Providers content
} + providerGroupsContent={
Provider groups content
} />, ); - expect(screen.getByRole("tab", { name: "Account Groups" })).toHaveAttribute( - "data-state", - "active", - ); + expect( + screen.getByRole("tab", { name: "Provider Groups" }), + ).toHaveAttribute("data-state", "active"); rerender( Accounts content
} - accountGroupsContent={
Account groups content
} + activeTab={PROVIDER_TAB.PROVIDERS} + providersContent={
Providers content
} + providerGroupsContent={
Provider groups content
} />, ); - expect(screen.getByRole("tab", { name: "Accounts" })).toHaveAttribute( + expect(screen.getByRole("tab", { name: "Providers" })).toHaveAttribute( "data-state", "active", ); - expect(screen.getByText("Accounts content")).toBeVisible(); + expect(screen.getByText("Providers content")).toBeVisible(); }); it("does not switch the active tab before navigation updates the route", async () => { @@ -63,21 +62,21 @@ describe("ProviderPageTabs", () => { render( Accounts content
} - accountGroupsContent={
Account groups content
} + activeTab={PROVIDER_TAB.PROVIDERS} + providersContent={
Providers content
} + providerGroupsContent={
Provider groups content
} />, ); - await user.click(screen.getByRole("tab", { name: "Account Groups" })); + await user.click(screen.getByRole("tab", { name: "Provider Groups" })); - expect(pushMock).toHaveBeenCalledWith("/providers?tab=account-groups"); - expect(screen.getByRole("tab", { name: "Accounts" })).toHaveAttribute( + expect(pushMock).toHaveBeenCalledWith("/providers?tab=provider-groups"); + expect(screen.getByRole("tab", { name: "Providers" })).toHaveAttribute( "data-state", "active", ); expect( - screen.getByRole("tab", { name: "Account Groups" }), + screen.getByRole("tab", { name: "Provider Groups" }), ).not.toHaveAttribute("data-state", "active"); }); }); diff --git a/ui/app/(prowler)/providers/provider-page-tabs.tsx b/ui/app/(prowler)/providers/provider-page-tabs.tsx index 437c8b6da0..61934fbdf0 100644 --- a/ui/app/(prowler)/providers/provider-page-tabs.tsx +++ b/ui/app/(prowler)/providers/provider-page-tabs.tsx @@ -9,14 +9,14 @@ import { PROVIDER_TAB, type ProviderTab } from "./provider-page-tabs.shared"; interface ProviderPageTabsProps { activeTab: ProviderTab; - accountsContent: ReactNode; - accountGroupsContent: ReactNode; + providersContent: ReactNode; + providerGroupsContent: ReactNode; } export const ProviderPageTabs = ({ activeTab, - accountsContent, - accountGroupsContent, + providersContent, + providerGroupsContent, }: ProviderPageTabsProps) => { const router = useRouter(); @@ -27,7 +27,7 @@ export const ProviderPageTabs = ({ return; } - if (typedTab === PROVIDER_TAB.ACCOUNTS) { + if (typedTab === PROVIDER_TAB.PROVIDERS) { router.push("/providers"); } else { router.push(`/providers?tab=${typedTab}`); @@ -41,18 +41,18 @@ export const ProviderPageTabs = ({ className="flex w-full flex-col gap-6" > - Accounts - - Account Groups + Providers + + Provider Groups - - {accountsContent} + + {providersContent} - - {accountGroupsContent} + + {providerGroupsContent} ); diff --git a/ui/components/compliance/compliance-card.test.tsx b/ui/components/compliance/compliance-card.test.tsx index c7a199a7fc..996c8cb979 100644 --- a/ui/components/compliance/compliance-card.test.tsx +++ b/ui/components/compliance/compliance-card.test.tsx @@ -13,9 +13,9 @@ describe("ComplianceCard", () => { expect(source).toContain('variant="base"'); }); - it("uses a responsive stacked layout for narrow screens", () => { + it("uses a single-column stacked layout", () => { expect(source).toContain("flex-col"); - expect(source).toContain("sm:flex-row"); + expect(source).not.toContain("sm:flex-row"); }); it("uses the shadcn progress component instead of Hero UI", () => { diff --git a/ui/components/filters/data-filters.ts b/ui/components/filters/data-filters.ts index 0baf89a3df..2457b1a8b2 100644 --- a/ui/components/filters/data-filters.ts +++ b/ui/components/filters/data-filters.ts @@ -24,7 +24,7 @@ export const filterProviders: FilterOption[] = [ }, { key: "provider__in", - labelCheckboxGroup: "Cloud Provider", + labelCheckboxGroup: "Provider", values: [...PROVIDER_TYPES], valueLabelMapping: PROVIDER_TYPE_MAPPING, }, @@ -34,7 +34,7 @@ export const filterProviders: FilterOption[] = [ export const filterScans = [ { key: "provider_type__in", - labelCheckboxGroup: "Cloud Provider", + labelCheckboxGroup: "Provider", values: [...PROVIDER_TYPES], valueLabelMapping: PROVIDER_TYPE_MAPPING, index: 0, diff --git a/ui/components/findings/table/column-standalone-findings.tsx b/ui/components/findings/table/column-standalone-findings.tsx index 59e30ea6a3..0f457140f1 100644 --- a/ui/components/findings/table/column-standalone-findings.tsx +++ b/ui/components/findings/table/column-standalone-findings.tsx @@ -169,7 +169,7 @@ export function getStandaloneFindingColumns({ { accessorKey: "provider", header: ({ column }) => ( - + ), cell: ({ row }) => { const provider = getProviderData(row, "provider"); diff --git a/ui/components/manage-groups/forms/delete-group-form.tsx b/ui/components/manage-groups/forms/delete-group-form.tsx index 7f79817440..0504178cb7 100644 --- a/ui/components/manage-groups/forms/delete-group-form.tsx +++ b/ui/components/manage-groups/forms/delete-group-form.tsx @@ -48,7 +48,7 @@ export const DeleteGroupForm = ({ title: "Success!", description: "The provider group was removed successfully.", }); - router.push("/providers?tab=account-groups"); + router.push("/providers?tab=provider-groups"); } setIsOpen(false); // Close the modal on success } diff --git a/ui/components/manage-groups/forms/edit-group-form.tsx b/ui/components/manage-groups/forms/edit-group-form.tsx index 907e372b0e..02503940f1 100644 --- a/ui/components/manage-groups/forms/edit-group-form.tsx +++ b/ui/components/manage-groups/forms/edit-group-form.tsx @@ -130,7 +130,7 @@ export const EditGroupForm = ({ title: "Success!", description: "The group was updated successfully.", }); - router.push("/providers?tab=account-groups"); + router.push("/providers?tab=provider-groups"); } } catch (_error) { toast({ @@ -263,7 +263,7 @@ export const EditGroupForm = ({ type="button" variant="ghost" onClick={() => { - router.push("/providers?tab=account-groups"); + router.push("/providers?tab=provider-groups"); }} disabled={isLoading} > diff --git a/ui/components/manage-groups/manage-groups-button.tsx b/ui/components/manage-groups/manage-groups-button.tsx index 3b08f5d8eb..48dc1d42c1 100644 --- a/ui/components/manage-groups/manage-groups-button.tsx +++ b/ui/components/manage-groups/manage-groups-button.tsx @@ -10,7 +10,7 @@ export const ManageGroupsButton = () => { ); diff --git a/ui/components/manage-groups/table/data-table-row-actions.tsx b/ui/components/manage-groups/table/data-table-row-actions.tsx index 6787897450..e05a16c807 100644 --- a/ui/components/manage-groups/table/data-table-row-actions.tsx +++ b/ui/components/manage-groups/table/data-table-row-actions.tsx @@ -41,15 +41,15 @@ export function DataTableRowActions({ } - label="Edit Account Group" + label="Edit Provider Group" onSelect={() => - router.push(`/providers?tab=account-groups&groupId=${groupId}`) + router.push(`/providers?tab=provider-groups&groupId=${groupId}`) } /> } - label="Delete Account Group" + label="Delete Provider Group" destructive onSelect={() => setIsDeleteOpen(true)} /> diff --git a/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx b/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx index df5017712e..76c7851d30 100644 --- a/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx +++ b/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx @@ -85,7 +85,7 @@ export const SkeletonTableNewFindings = () => { - {/* Cloud Provider */} + {/* Provider */} diff --git a/ui/components/providers/table/column-providers.tsx b/ui/components/providers/table/column-providers.tsx index 1203234a31..ec5766f491 100644 --- a/ui/components/providers/table/column-providers.tsx +++ b/ui/components/providers/table/column-providers.tsx @@ -140,7 +140,7 @@ export function getColumnProviders(
@@ -200,7 +200,7 @@ export function getColumnProviders( accessorKey: "groupNames", size: 160, header: ({ column }) => ( - + ), cell: ({ row }) => { if (isProvidersOrganizationRow(row.original)) { @@ -251,7 +251,7 @@ export function getColumnProviders( if (isProvidersOrganizationRow(row.original)) { return ( - {row.original.providerCount} Accounts + {row.original.providerCount} Providers ); } diff --git a/ui/components/providers/table/skeleton-table-provider.tsx b/ui/components/providers/table/skeleton-table-provider.tsx index 7d57112291..1fe557b808 100644 --- a/ui/components/providers/table/skeleton-table-provider.tsx +++ b/ui/components/providers/table/skeleton-table-provider.tsx @@ -3,7 +3,7 @@ import { Skeleton } from "@/components/shadcn/skeleton/skeleton"; const SkeletonTableRow = () => { return ( - {/* Account: provider logo + alias + UID */} + {/* Provider: logo + alias + UID */}
@@ -13,7 +13,7 @@ const SkeletonTableRow = () => {
- {/* Account Groups: badge chips */} + {/* Provider Groups: badge chips */}
@@ -68,11 +68,11 @@ export const SkeletonTableProviders = () => { - {/* Account */} + {/* Provider */} - {/* Account Groups */} + {/* Provider Groups */} diff --git a/ui/components/providers/wizard/provider-wizard-modal.tsx b/ui/components/providers/wizard/provider-wizard-modal.tsx index 706045a829..d731ca5786 100644 --- a/ui/components/providers/wizard/provider-wizard-modal.tsx +++ b/ui/components/providers/wizard/provider-wizard-modal.tsx @@ -93,7 +93,7 @@ export function ProviderWizardModal({
- For assistance connecting a Cloud Provider visit + For assistance connecting a Provider visit