mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
---
name: prowler-ci
description: >
  Helps with Prowler repository CI and PR gates (GitHub Actions workflows).
  Trigger: When investigating CI checks failing on a PR, PR title validation, changelog gate/no-changelog label,
  conflict marker checks, secret scanning, CODEOWNERS/labeler automation, or anything under .github/workflows.
license: Apache-2.0
metadata:
  author: prowler-cloud
  version: "1.0"
  scope: [root]
  auto_invoke:
    - "Inspect PR CI checks and gates (.github/workflows/*)"
    - "Debug why a GitHub Actions job is failing"
    - "Understand changelog gate and no-changelog label behavior"
    - "Understand PR title conventional-commit validation"
    - "Understand CODEOWNERS/labeler-based automation"
allowed-tools: Read, Edit, Write, Glob, Grep, Bash
---

## What this skill covers

Use this skill whenever you are:

- Reading or changing GitHub Actions workflows under `.github/workflows/`
- Explaining why a PR fails checks (title, changelog, conflict markers, secret scanning)
- Figuring out which workflows run for UI/API/SDK changes and why
- Diagnosing path-filtering behavior (why a workflow did/didn't run)

## Quick map (where to look)

- PR template: `.github/pull_request_template.md`
- PR title validation: `.github/workflows/conventional-commit.yml`
- Changelog gate: `.github/workflows/pr-check-changelog.yml`
- Conflict markers check: `.github/workflows/pr-conflict-checker.yml`
- Secret scanning: `.github/workflows/find-secrets.yml`
- Auto labels: `.github/workflows/labeler.yml` and `.github/labeler.yml`
- Review ownership: `.github/CODEOWNERS`

## Debug checklist (PR failing checks)

1. Identify which workflow/job is failing (name + file under `.github/workflows/`).
2. Check path filters: is the workflow supposed to run for your changed files?
3. If it's a title check: verify PR title matches Conventional Commits.
4. If it's changelog: verify the right `CHANGELOG.md` is updated OR apply `no-changelog` label.
5. If it's conflict checker: remove `<<<<<<<`, `=======`, `>>>>>>>` markers.
6. If it's secrets (TruffleHog): see section below.
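
Steps 3 and 5 of the checklist can be pre-checked locally before pushing. The following is an added example, not part of this skill or of Prowler's workflows; the accepted Conventional Commits type list and the rule for telling a conflict `=======` from a heading underline are assumptions of the example, while `conventional-commit.yml` and `pr-conflict-checker.yml` remain the authoritative gates.

```python
import re
from typing import List, Tuple

# Conventional Commits shape: type(scope)!: description
# The accepted type list is an assumption for this example; the authoritative
# rule is whatever .github/workflows/conventional-commit.yml enforces.
ALLOWED_TYPES = {"feat", "fix", "chore", "docs", "refactor", "test",
                 "ci", "perf", "build", "style", "revert"}
TITLE_RE = re.compile(
    r"^(?P<type>[a-z]+)(?:\((?P<scope>[\w./-]+)\))?(?P<breaking>!)?: (?P<desc>\S.*)$"
)

def is_conventional_title(title: str) -> bool:
    """Checklist step 3: does the PR title parse as a Conventional Commit?"""
    m = TITLE_RE.match(title.strip())
    return bool(m) and m.group("type") in ALLOWED_TYPES

# Checklist step 5: a real conflict block is an ordered triple of markers at
# column 0. A bare "=======" is only reported while a "<<<<<<<" block is open,
# so Markdown/RST setext heading underlines are left alone (this distinction is
# an assumption of the example; pr-conflict-checker.yml is authoritative).
CONFLICT_START = re.compile(r"^<<<<<<<( |$)")
CONFLICT_END = re.compile(r"^>>>>>>>( |$)")

def find_conflict_markers(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, marker) for every leftover merge-conflict marker."""
    hits: List[Tuple[int, str]] = []
    inside = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if CONFLICT_START.match(line):
            hits.append((line_no, "<<<<<<<"))
            inside = True
        elif inside and line == "=======":
            hits.append((line_no, "======="))
        elif CONFLICT_END.match(line):
            hits.append((line_no, ">>>>>>>"))
            inside = False
    return hits

# Constructed sample: a setext heading underline followed by a genuine conflict.
SAMPLE_FILE = "\n".join([
    "Release notes",
    "=======",                        # heading underline, must not be flagged
    "<<<<<<< HEAD",
    "version = '1.0'",
    "=======",
    "version = '1.1'",
    ">>>>>>> feature/bump-version",
])
```

Running `find_conflict_markers(SAMPLE_FILE)` reports lines 3, 5 and 7 only, so the heading underline on line 2 does not block the PR.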
## TruffleHog Secret Scanning

TruffleHog scans for leaked secrets. Common false positives in test files:

**Patterns that trigger TruffleHog:**
- `sk-*T3BlbkFJ*` - OpenAI API keys
- `AKIA[A-Z0-9]{16}` - AWS Access Keys
- `ghp_*` / `gho_*` - GitHub tokens
- Base64-encoded strings that look like credentials

**Fix for test files:**
```python
# BAD - looks like real OpenAI key
api_key = "sk-test1234567890T3BlbkFJtest1234567890"

# GOOD - obviously fake
api_key = "sk-fake-test-key-for-unit-testing-only"
```
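
To catch the three listed prefixes before the `find-secrets.yml` job does, here is an added example scanner (not Prowler's code and not TruffleHog's detectors, which it only approximates) run over a constructed test fixture containing the BAD and GOOD keys above. The GitHub token length and the OpenAI character class are assumptions; matches are masked in the report so a scan never re-leaks the value it found.

```python
import re
from typing import List, Tuple

# Regexes for the three prefixes the skill lists as TruffleHog triggers.
# OpenAI: keyed off the "T3BlbkFJ" marker. AWS: the page's AKIA[A-Z0-9]{16}.
# GitHub: ghp_/gho_ followed by 36 chars (length is an assumption here).
# These approximate TruffleHog's detectors; they do not reproduce them.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]*T3BlbkFJ[A-Za-z0-9_-]*"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[po]_[A-Za-z0-9]{36}\b"),
}

def mask(value: str) -> str:
    """Keep only a short prefix so the scan report never re-leaks the value."""
    return value[:6] + "..." if len(value) > 6 else "***"

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_name, matched_text) for every hit in text."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((line_no, rule, m.group(0)))
    return hits

# Constructed fixture: the skill's BAD and GOOD keys plus two shaped placeholders
# (AKIA + sixteen zeros; ghp_ + thirty-six A's). None of these is a real secret.
SAMPLE_TEST_FILE = "\n".join([
    'api_key = "sk-test1234567890T3BlbkFJtest1234567890"',   # BAD: carries T3BlbkFJ
    'api_key = "sk-fake-test-key-for-unit-testing-only"',    # GOOD: no marker
    'aws_key = "AKIA0000000000000000"',
    'token = "ghp_' + "A" * 36 + '"',
])

if __name__ == "__main__":
    for line_no, rule, found in scan_text(SAMPLE_TEST_FILE):
        print(f"line {line_no}: {rule} -> {mask(found)}")
```

Lines 1, 3 and 4 of the fixture are reported; the GOOD key on line 2 is not, which is exactly why the skill recommends that shape for test data.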

**If TruffleHog flags a real secret:**
1. Remove the secret from the code immediately
2. Rotate the credential (it's now in git history)
3. Consider using `.trufflehog-ignore` for known false positives (rarely needed)

## Notes

- Keep `prowler-pr` focused on *creating* PRs and filling the template.
- Use `prowler-ci` for *CI policies and gates* that apply to PRs.