
report of DetectSecrets line number is wrong #6467

Closed
kagahd opened this issue Jan 13, 2025 · 1 comment · Fixed by #6537
Assignees
Labels
bug status/waiting-for-revision Waiting for maintainer's revision

Comments

@kagahd
Contributor

kagahd commented Jan 13, 2025

Steps to Reproduce

Run a check which uses DetectSecrets, e.g. ecs_task_definitions_no_environment_secrets, on a resource with potential secrets. The check will report the line number where the potential secret was found.
Prowler's ecs_task_definitions_no_environment_secrets metadata states:

If a secret is detected, the line number shown in the finding matches with the environment variable Name attribute starting to count at the environment key from the ECS Task Definition in JSON format.

Given the following example, the key environment of an AWS ECS task definition in JSON format, which is shown in the AWS console as follows:

"environment": [
    {
        "name": "FIRST_PARAM",
        "value": "first value"
    },
    {
        "name": "SECOND_PARAM",
        "value": "second value"
    },
    {
        "name": "POTENTIAL_SECRET",
        "value": "potential secret"
    }
]

If the third entry of the environment key of the task definition contains a potential secret, the check would indicate line number four. Why is it so? Because the JSON that Prowler is passing to DetectSecrets is transformed as follows:

{
    "FIRST_PARAM": "first value",
    "SECOND_PARAM": "second value",
    "POTENTIAL_SECRET": "potential secret"
}

Obviously, DetectSecrets counts the opening curly bracket of the JSON expression as line number one.

Expected behavior

I'd expect to read the correct line number in Prowler's report.

Actual Result with Screenshots or Logs

doesn't matter

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Docker container locally

OS used

MacOS

Prowler version

5.0.5

Pip version

doesn't matter

Context

No response

@kagahd kagahd added bug status/needs-triage Issue pending triage labels Jan 13, 2025
@pedrooot pedrooot self-assigned this Jan 13, 2025
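To make the offset concrete, here is an added Python example (not Prowler's or detect-secrets' own code) that flattens the environment list the way the issue describes, scans the dumped JSON with a hypothetical keyword matcher, and maps the reported line back to the environment entry; the `ENVIRONMENT` sample, the detector regex and all helper names are assumptions.

```python
import json
import re

# Constructed sample: the "environment" list of an ECS task definition as
# quoted in the issue above (not real task data).
ENVIRONMENT = [
    {"name": "FIRST_PARAM", "value": "first value"},
    {"name": "SECOND_PARAM", "value": "second value"},
    {"name": "POTENTIAL_SECRET", "value": "potential secret"},
]

# Hypothetical stand-in for a keyword detector: flags a line whose JSON key
# looks like a credential name. Not detect-secrets' own logic.
KEYWORD = re.compile(r'^\s*"[^"]*(secret|password|token|api_key)[^"]*"\s*:', re.I)
KEY_RE = re.compile(r'^\s*("(?:[^"\\]|\\.)*")\s*:')


def flatten_environment(environment):
    """Dump the {name: value} dict the issue says is handed to the scanner
    (indented JSON; variable names assumed unique)."""
    return json.dumps({e["name"]: e["value"] for e in environment}, indent=2)


def scan_lines(text):
    """1-based line numbers of flagged lines; the opening '{' counts as
    line 1, which is the off-by-one the issue describes."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if KEYWORD.search(line)]


def scanner_line_to_entry(line_no):
    """Line 1 is '{', so entry k of the environment list sits on line k + 1."""
    if line_no < 2:
        raise ValueError("line 1 is the opening brace, not an entry")
    return line_no - 1


def find_secret_entries(environment):
    """(scanner_line, entry_position, variable_name) per hit; the name is read
    from the flagged line, so the position does not rely on the arithmetic."""
    text = flatten_environment(environment)
    lines = text.splitlines()
    hits = []
    for line_no in scan_lines(text):
        name = json.loads(KEY_RE.match(lines[line_no - 1]).group(1))
        position = next(i for i, e in enumerate(environment, 1) if e["name"] == name)
        hits.append((line_no, position, name))
    return hits
```

Running `find_secret_entries(ENVIRONMENT)` yields `[(4, 3, "POTENTIAL_SECRET")]`: the scanner says line 4, the secret is the third environment entry.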
@pedrooot
Member

Hey @kagahd thanks for the heads up!
We'll review the detect-secrets behaviour and we'll ping you with the solution when we find it.

@pedrooot pedrooot added status/waiting-for-revision Waiting for maintainer's revision and removed status/needs-triage Issue pending triage labels Jan 13, 2025