docs(security): restructure security page into dedicated sections (#9836)

This commit is contained in:
Pepe Fagoaga
2026-01-20 15:27:29 +01:00
committed by GitHub
parent d1a7eed5fa
commit f39a82fdf4
8 changed files with 266 additions and 165 deletions

View File

@@ -331,8 +331,22 @@
},
{
"tab": "Security",
"pages": [
"security"
"groups": [
{
"group": "Security & Compliance",
"pages": [
"security/index",
"security/software-security"
]
},
{
"group": "Prowler Cloud",
"pages": [
"security/encryption",
"security/data-regions",
"security/networking"
]
}
]
},
{
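Review bot: replacing `"pages": ["security"]` with the `groups` block means the old `/security` route disappears together with the deleted `docs/security.mdx` below, so any external link or bookmark to `/security` will 404; add a redirect from `/security` to `/security/index` (or confirm the docs framework maps the group index automatically) before merging.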

View File

@@ -1,163 +0,0 @@
---
title: 'Security'
---
## Compliance and Trust
We publish our live SOC 2 Type 2 Compliance data at [https://trust.prowler.com](https://trust.prowler.com)
As an **AWS Partner**, we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/).
## Encryption (Prowler Cloud)
We use encryption everywhere possible. The data and communications used by **Prowler Cloud** are **encrypted at-rest** and **in-transit**.
## Data Retention Policy (Prowler Cloud)
Prowler Cloud is GDPR compliant in regards to personal data and the ["right to be forgotten"](https://gdpr.eu/right-to-be-forgotten/). When a user deletes their account their user information will be deleted from Prowler Cloud online and backup systems within 10 calendar days.
## Software Security
We follow a **security-by-design approach** throughout our software development lifecycle. All changes go through automated checks at every stage, from local development to production deployment.
We enforce [pre-commit](https://github.com/prowler-cloud/prowler/blob/master/.pre-commit-config.yaml) validations to catch issues early, and [our CI/CD pipelines](https://github.com/prowler-cloud/prowler/tree/master/.github) include multiple security gates to ensure code quality, secure configurations, and compliance with internal standards.
Our container registries are continuously scanned for vulnerabilities, with findings automatically reported to our security team for assessment and remediation. This process evolves alongside our stack as we adopt new languages, frameworks, and technologies, ensuring our security practices remain comprehensive, proactive, and adaptable.
### Static Application Security Testing (SAST)
We employ multiple SAST tools across our codebase to identify security vulnerabilities, code quality issues, and potential bugs during development:
#### CodeQL Analysis
- **Scope**: UI (JavaScript/TypeScript), API (Python), and SDK (Python)
- **Frequency**: On every push and pull request, plus daily scheduled scans
- **Integration**: Results uploaded to GitHub Security tab via SARIF format
- **Purpose**: Identifies security vulnerabilities, coding errors, and potential exploits in source code
#### Python Security Scanners
- **Bandit**: Detects common security issues in Python code (SQL injection, hardcoded passwords, etc.)
- Configured to ignore test files and report only high-severity issues
- Runs on both SDK and API codebases
- **Pylint**: Static code analysis with security-focused checks
- Integrated into pre-commit hooks and CI/CD pipelines
#### Code Quality & Dead Code Detection
- **Vulture**: Identifies unused code that could indicate incomplete implementations or security gaps
- **Flake8**: Style guide enforcement with security-relevant checks
- **Shellcheck**: Security and correctness checks for shell scripts
### Software Composition Analysis (SCA)
We continuously monitor our dependencies for known vulnerabilities and ensure timely updates:
#### Dependency Vulnerability Scanning
- **Safety**: Scans Python dependencies against known vulnerability databases
- Runs on every commit via pre-commit hooks
- Integrated into CI/CD for SDK and API
- Configured with selective ignores for tracked exceptions
- **Trivy**: Multi-purpose scanner for containers and dependencies
- Scans all container images (UI, API, SDK, MCP Server)
- Checks for vulnerabilities in OS packages and application dependencies
- Reports findings to GitHub Security tab
#### Automated Dependency Updates
- **Dependabot**: Automated pull requests for dependency updates
- **Python (pip)**: Monthly updates for SDK
- **GitHub Actions**: Monthly updates for workflow dependencies
- **Docker**: Monthly updates for base images
- Temporarily paused for API and UI to maintain stability during active development
- **Security-first approach**: Even when paused, Dependabot automatically creates pull requests for security vulnerabilities, ensuring critical security patches are never delayed
### Container Security
All container images are scanned before deployment:
- **Trivy Vulnerability Scanning**:
- Scans images for vulnerabilities and misconfigurations
- Generates SARIF reports uploaded to GitHub Security tab
- Creates PR comments with scan summaries
- Configurable to fail builds on critical findings
- Reports include CVE counts and remediation guidance
- **Hadolint**: Dockerfile linting to enforce best practices
- Validates Dockerfile syntax and structure
- Ensures secure image building practices
### Secrets Detection
We protect against accidental exposure of sensitive credentials:
- **TruffleHog**: Scans entire codebase and Git history for secrets
- Runs on every push and pull request
- Pre-commit hook prevents committing secrets
- Detects high-entropy strings, API keys, tokens, and credentials
- Configured to report verified and unknown findings
### Security Monitoring
- **GitHub Security Tab**: Centralized view of all security findings from CodeQL, Trivy, and other SARIF-compatible tools
- **Artifact Retention**: Security scan reports retained for post-deployment analysis
- **PR Comments**: Automated security feedback on pull requests for rapid remediation
## Reporting Vulnerabilities
At Prowler, we consider the security of our open source software and systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users, our clients and our systems.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Social engineering support or attacks requiring social engineering.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring Man-In-The-Middle (MITM) or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept (PoC).
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of service (DoS).
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy (CSP).
- Missing HttpOnly or Secure flags on cookies.
- Configuration of or missing security headers.
- Missing email best practices, such as invalid, incomplete, or missing SPF/DKIM/DMARC records.
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind).
- Software version disclosure, banner identification issues, or descriptive error messages.
- Tabnabbing.
- Issues that require unlikely user interaction.
- Improper logout functionality and improper session timeout.
- CORS misconfiguration without an exploitation scenario.
- Broken link hijacking.
- Automated scanning results (e.g., sqlmap, Burp active scanner) that have not been manually verified.
- Content spoofing and text injection issues without a clear attack vector.
- Email spoofing without exploiting security flaws.
- Dead links or broken links.
- User enumeration.
Testing guidelines:
- Do not run automated scanners on other customer projects. Running automated scanners can run up costs for our users. Aggressively configured scanners might inadvertently disrupt services, exploit vulnerabilities, lead to system instability or breaches and violate Terms of Service from our upstream providers. Our own security systems won't be able to distinguish hostile reconnaissance from whitehat research. If you wish to run an automated scanner, notify us at support@prowler.com and only run it on your own Prowler app project. Do NOT attack Prowler in usage of other customers.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
Reporting guidelines:
- File a report through our Support Desk at https://support.prowler.com
- If it is about a lack of a security functionality, please file a feature request instead at https://github.com/prowler-cloud/prowler/issues
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
- If you have further questions and want direct interaction with the Prowler team, please contact us at via our Community Slack at goto.prowler.com/slack.
Disclosure guidelines:
- In order to protect our users and customers, do not reveal the problem to others until we have researched, addressed and informed our affected customers.
- If you want to publicly share your research about Prowler at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 30 days prior to the publication date. Please note that the following should not be included:
- Data regarding any Prowler user or customer projects.
- Prowler customers' data.
- Information about Prowler employees, contractors or partners.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
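Review bot: the removed page carried the complete vulnerability-reporting policy (the out-of-scope list, testing and disclosure guidelines, the 5-business-day response commitment and the no-legal-action promise), whereas the new `security/index.mdx` only links to `https://prowler.com/.well-known/security.txt`; confirm that security.txt, or a page it points to, publishes those scope and safe-harbour terms, otherwise researchers lose them in this restructure. The 10-calendar-day deletion statement does survive in the new Privacy section.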

View File

@@ -0,0 +1,25 @@
---
title: 'Data Regions & Availability'
---
Prowler Cloud runs on AWS with high availability built in.
## Regions
| Region | URL | Location |
|--------|-----|----------|
| **EU** | [cloud.prowler.com](https://cloud.prowler.com) | Ireland (`eu-west-1`) |
## Business Continuity
| Control | Details |
|---------|---------|
| **High Availability** | Multi-AZ databases and load-balanced stateless application layer on AWS |
| **Disaster Recovery** | Encrypted backups, tested regularly |
| **[RPO](https://en.wikipedia.org/wiki/Recovery_point_objective)** | 24 hours |
| **[RTO](https://en.wikipedia.org/wiki/Recovery_time_objective)** | 2 hours |
| **Status** | [status.prowler.com](https://status.prowler.com) — uptime history and incidents |
## Contact
For questions about data regions and availability, visit the [Support page](/support).
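Review bot: the Disaster Recovery row says backups are "tested regularly" without a cadence; with a stated RPO of 24 hours readers will expect at least daily backups and will want to know how often restores are exercised, so state the backup frequency and the DR test interval next to the RPO/RTO figures. The Regions table lists only EU; if that is currently the sole region, say so in a sentence under the heading so the single row is not read as an incomplete table.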

View File

@@ -0,0 +1,25 @@
---
title: 'Encryption'
---
Prowler Cloud uses encryption everywhere possible. All data and communications are encrypted at rest and in transit.
## Encryption at Rest
All data stored in Prowler Cloud is encrypted at rest using AES-256 encryption, including:
- **Database contents:** All scan results, findings, and configuration data.
- **File storage:** Reports, exports, and uploaded files.
- **Backups:** All backup data is encrypted.
## Encryption in Transit
All communications with Prowler Cloud are encrypted in transit using TLS 1.2 or higher, including:
- **API requests:** All REST API communications.
- **Web application traffic:** Browser-to-server connections.
- **Internal service communication:** Service-to-service traffic within the platform.
## Contact
For questions regarding encryption, visit the [Support page](/support).
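Review bot: the page states AES-256 at rest and TLS 1.2 or higher in transit but says nothing about key management (which service holds the keys, whether they are provider- or customer-managed, how rotation is handled); a one-line statement on key custody would answer the most common follow-up question from a security questionnaire and belongs under "Encryption at Rest".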

76
docs/security/index.mdx Normal file
View File

@@ -0,0 +1,76 @@
---
title: 'Security & Compliance'
---
**Prowler secures itself with Prowler.** As an open-source cloud security platform trusted by thousands of organizations, Prowler applies the same rigorous security standards internally that customers achieve externally.
All security tooling, configurations, and CI/CD pipelines are publicly available in the [Prowler GitHub repository](https://github.com/prowler-cloud/prowler). Transparency is fundamental to open-source security.
## Software Security
All Prowler code goes through the same security pipeline, whether running on Prowler Cloud or self-managed infrastructure: DAST, SAST, SCA, container scanning, and secrets detection on every build.
<Card title="Software Security" icon="code" href="/security/software-security">
Security tools and practices applied to all Prowler code.
</Card>
## Prowler Cloud vs Self-Managed
| | Prowler Cloud | Self-Managed |
|--|---------------|--------------|
| **Deployment** | Fully managed SaaS | Own infrastructure |
| **Region** | EU (Ireland) | Any region or provider |
| **Compliance** | SOC 2 Type II, AWS FTR | Organization responsibility |
| **Data Control** | Prowler managed | Full control |
| **Encryption** | AES-256 at rest, TLS 1.2+ in transit | Configurable |
| **Backups** | Automated | Organization responsibility |
| **Updates** | Automatic | Manual |
<Note>
Self-Managed includes Prowler App and Prowler CLI. They can run anywhere — any cloud provider, any region, on-premises, or air-gapped environments. Full control over data residency and infrastructure decisions. See the [Prowler App Installation Guide](/getting-started/installation/prowler-app) to get started.
</Note>
---
## Prowler Cloud
This section covers security and compliance for **Prowler Cloud**, the managed infrastructure.
### Trust & Compliance
Prowler Cloud holds compliance certifications and undergoes regular audits.
| Certification | Status |
|---------------|--------|
| **SOC 2 Type II** | [View on Trust Portal](https://trust.prowler.com) |
| **AWS Foundational Technical Review (FTR)** | Passed — [Details](https://aws.amazon.com/partners/foundational-technical-review/) |
Compliance data and reports: [trust.prowler.com](https://trust.prowler.com)
### Security
<Columns cols={3}>
<Card title="Encryption" icon="lock" href="/security/encryption">
Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
</Card>
<Card title="Data Regions" icon="globe" href="/security/data-regions">
EU-hosted infrastructure with high availability and disaster recovery.
</Card>
<Card title="Networking" icon="network-wired" href="/security/networking">
Static egress IPs for firewall allowlisting.
</Card>
</Columns>
### Privacy
Prowler Cloud is GDPR compliant in regard to the ["right to be forgotten"](https://gdpr.eu/right-to-be-forgotten/). When an account is deleted, user information is removed from online and backup systems within 10 calendar days.
---
## Report a Vulnerability
Found a security issue? Report it through the [responsible disclosure](https://prowler.com/.well-known/security.txt) process.
## Contact
For security inquiries or general support, visit the [Support page](/support).
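Review bot: the sentence "DAST, SAST, SCA, container scanning, and secrets detection on every build" claims DAST, but the new `security/software-security.mdx` in this same commit documents only SAST, SCA, container scanning and secrets detection; either add the DAST tooling to that page or drop "DAST" from this sentence. Also, the Privacy section narrows the old "GDPR compliant in regards to personal data and the right to be forgotten" to only the right to be forgotten; confirm that narrowing is intentional.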

View File

@@ -0,0 +1,21 @@
---
title: 'Networking'
---
## Egress IP Addresses
Prowler Cloud makes outbound API calls to scan cloud provider accounts and connect to integrations. Allowlist these IPs in firewalls or security groups to restrict access to Prowler Cloud only.
| Region | IP Address |
|--------|------------|
| EU (Ireland) | `52.48.254.174` |
Resolve the egress IP via DNS:
```bash
dig egress.prowler.com +short
```
## Contact
For questions about networking, visit the [Support page](/support).
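Review bot: "Allowlist these IPs in firewalls or security groups to restrict access to Prowler Cloud only" reads as if it restricts access to Prowler Cloud itself; the intent is that customers restrict inbound access to their own resources so that only Prowler Cloud's egress address is permitted, so reword to something like "so that only Prowler Cloud can reach the resources it scans". The static table and `dig egress.prowler.com +short` can drift apart over time; state which of the two is authoritative and that the value should be re-checked before allowlist changes.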

View File

@@ -0,0 +1,97 @@
---
title: 'Software Security'
---
Prowler follows a **security-by-design approach** throughout the software development lifecycle. All changes go through automated checks at every stage, from local development to production deployment.
[Pre-commit](https://github.com/prowler-cloud/prowler/blob/master/.pre-commit-config.yaml) validations catch issues early, and [CI/CD pipelines](https://github.com/prowler-cloud/prowler/tree/master/.github) include multiple security gates ensuring code quality, secure configurations, and compliance with internal standards.
Container registries are continuously scanned for vulnerabilities, with findings automatically reported to the security team for assessment and remediation. This process evolves alongside the stack as new languages, frameworks, and technologies are adopted, ensuring security practices remain comprehensive, proactive, and adaptable.
## Static Application Security Testing (SAST)
Multiple SAST tools are employed across the codebase to identify security vulnerabilities, code quality issues, and potential bugs during development.
### CodeQL Analysis
- **Scope:** UI (JavaScript/TypeScript), API (Python), and SDK (Python)
- **Frequency:** On every push and pull request, plus daily scheduled scans
- **Integration:** Results uploaded to GitHub Security tab via SARIF format
- **Purpose:** Identifies security vulnerabilities, coding errors, and potential exploits in source code
### Python Security Scanners
- **Bandit:** Detects common security issues in Python code (SQL injection, hardcoded passwords, etc.)
- Configured to ignore test files and report only high-severity issues
- Runs on both SDK and API codebases
- **Pylint:** Static code analysis with security-focused checks
- Integrated into pre-commit hooks and CI/CD pipelines
### Code Quality & Dead Code Detection
- **Vulture:** Identifies unused code that could indicate incomplete implementations or security gaps
- **Flake8:** Style guide enforcement with security-relevant checks
- **Shellcheck:** Security and correctness checks for shell scripts
## Software Composition Analysis (SCA)
Dependencies are continuously monitored for known vulnerabilities with timely updates ensured.
### Dependency Vulnerability Scanning
- **Safety:** Scans Python dependencies against known vulnerability databases
- Runs on every commit via pre-commit hooks
- Integrated into CI/CD for SDK and API
- Configured with selective ignores for tracked exceptions
- **Trivy:** Multi-purpose scanner for containers and dependencies
- Scans all container images (UI, API, SDK, MCP Server)
- Checks for vulnerabilities in OS packages and application dependencies
- Reports findings to GitHub Security tab
### Automated Dependency Updates
- **Dependabot:** Automated pull requests for dependency updates
- **Python (pip):** Monthly updates for SDK
- **GitHub Actions:** Monthly updates for workflow dependencies
- **Docker:** Monthly updates for base images
- Temporarily paused for API and UI to maintain stability during active development
- **Security-first approach:** Even when paused, Dependabot automatically creates pull requests for security vulnerabilities, ensuring critical security patches are never delayed
## Container Security
All container images are scanned before deployment.
### Trivy Vulnerability Scanning
- Scans images for vulnerabilities and misconfigurations
- Generates SARIF reports uploaded to GitHub Security tab
- Creates PR comments with scan summaries
- Configurable to fail builds on critical findings
- Reports include CVE counts and remediation guidance
### Hadolint
- Validates Dockerfile syntax and structure
- Ensures secure image building practices
## Secrets Detection
Prowler protects against accidental exposure of sensitive credentials.
### TruffleHog
- Scans entire codebase and Git history for secrets
- Runs on every push and pull request
- Pre-commit hook prevents committing secrets
- Detects high-entropy strings, API keys, tokens, and credentials
- Configured to report verified and unknown findings
## Security Monitoring
- **GitHub Security Tab:** Centralized view of all security findings from CodeQL, Trivy, and other SARIF-compatible tools
- **Artifact Retention:** Security scan reports retained for post-deployment analysis
- **PR Comments:** Automated security feedback on pull requests for rapid remediation
## Contact
For questions regarding software security, visit the [Support page](/support).
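Review bot: under "Automated Dependency Updates" the items "Temporarily paused for API and UI to maintain stability during active development" and "Security-first approach: ..." sit beneath the Docker bullet, so they read as applying only to base-image updates; promote them to the Dependabot level so the pause and the security-only exception are clearly scoped to Dependabot as a whole. The Safety item "Configured with selective ignores for tracked exceptions" would also benefit from a link to where those exceptions are tracked, since the page already links the pre-commit config and the workflows directory.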

View File

@@ -54,3 +54,9 @@ Join our Slack workspace to connect with the Prowler community, ask questions, a
Join our open calls to discuss what you're building, ask questions, and connect with the Prowler team and community.
Office Hours sessions are announced on [LinkedIn](https://www.linkedin.com/company/prowler-security/). Recordings of previous sessions are available on [YouTube](https://www.youtube.com/playlist?list=PLIwvjRXuMGkE-BDYXmUR2TXYQ7agxtuB1).
## Security
To report a vulnerability or for security-related inquiries, contact [security@prowler.com](mailto:security@prowler.com).
See also: [Responsible Disclosure](https://prowler.com/.well-known/security.txt)
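Review bot: security@prowler.com is given here as the reporting contact, while the new `security/index.mdx` directs reporters to the security.txt process and the removed page pointed at the Support Desk; make sure security.txt lists the same mailbox so the three paths converge on one channel, and consider stating the expected response time here as well, since it was dropped with the old page.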