Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(detect_secrets): refactor logic for detect-secrets #6537

Merged
merged 2 commits into from
Jan 16, 2025
Merged

fix(detect_secrets): refactor logic for detect-secrets #6537

merged 2 commits into from
Jan 16, 2025

Conversation

pedrooot
Copy link
Member

@pedrooot pedrooot commented Jan 15, 2025
edited
Loading

Context

Fix #6467
Thanks @kagahd for the heads up! 🚀

Description

This PR change the logic from the checks: ecs_task_definitions_no_environment_secrets, awslambda_function_no_secrets_in_variables
The main problem here is that we are re-writing the ecs env vars into a format that Detect-Secrets could find them and we were using the line from the output to create the status_extended. That's why the line was incorrect (it was taking the lines from the re-written variables).

The new approach changes the status extended from:
...Secret keyword on line 2.
to
...Secret keyword on env var DB_PASSWORD.

This way, the user will have the env name on the output.

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@pedrooot pedrooot requested review from a team as code owners January 15, 2025 15:04
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Jan 15, 2025
@kagahd
Copy link
Contributor

kagahd commented Jan 15, 2025

I like the fix because it will be easier spot the potential secret. However, I think other checks that use DetectSecrets may have the same problem if they refer to the line number, aren't they?

@pedrooot pedrooot added the no-merge Please, DO NOT MERGE this PR. label Jan 15, 2025
@pedrooot pedrooot changed the title fix(ecs): refactor logic for detect-secrets fix(detect_secrets): refactor logic for detect-secrets Jan 16, 2025
@pedrooot
Copy link
Member Author

@kagahd I've been reviewing the logic from the remaining checks using detect-secrets on the same way and the numbers from the lines are correct.
Also, I've modified the check awslambda_function_no_secrets_in_variables in order to apply the same logic when getting the env var name in the status_extended.

@codecov Codecov
Copy link

codecov bot commented Jan 16, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.47%. Comparing base (10a4c28) to head (53b2d43).
Report is 28 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #6537      +/-   ##
==========================================
- Coverage   93.67%   89.47%   -4.21%     
==========================================
  Files          66     1182    +1116     
  Lines        6338    33993   +27655     
==========================================
+ Hits         5937    30414   +24477     
- Misses        401     3579    +3178
Flag Coverage Δ
api ?
prowler 89.47% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 89.47% <100.00%> (∅)
api ∅ <ø> (∅)

@jfagoagas jfagoagas self-requested a review January 16, 2025 15:22
jfagoagas
jfagoagas approved these changes Jan 16, 2025
View reviewed changes
Copy link
Member

@jfagoagas jfagoagas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fantastic, what a great improvement 👏

@pedrooot pedrooot added backport-to-v4.5 Backport PR to the v4.5 branch backport-to-v5.0 Backport PR to the v5.0 branch and removed no-merge Please, DO NOT MERGE this PR. labels Jan 16, 2025
@jfagoagas jfagoagas added backport-to-v5.1 Backport PR to the v5.1 branch and removed backport-to-v4.5 Backport PR to the v4.5 branch backport-to-v5.0 Backport PR to the v5.0 branch labels Jan 16, 2025
@MrCloudSec MrCloudSec added the backport-to-v4.6 Backport PR to the v4.6 branch label Jan 16, 2025
@jfagoagas jfagoagas merged commit b960162 into master Jan 16, 2025
14 of 15 checks passed
@jfagoagas jfagoagas deleted the PRWLR-5924-report-of-detect-secrets-line-number-is-wrong-6467 branch January 16, 2025 15:30
@prowler-bot prowler-bot mentioned this pull request Jan 16, 2025
Merged
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label Jan 16, 2025
@prowler-bot prowler-bot mentioned this pull request Jan 16, 2025
Merged
@prowler-bot
Copy link
Collaborator

💚 All backports created successfully

Status Branch Result
v4.6
v5.1

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

@kagahd kagahd mentioned this pull request Jan 28, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jfagoagas jfagoagas jfagoagas approved these changes

Assignees
No one assigned
Labels
backport-to-v4.6 Backport PR to the v4.6 branch backport-to-v5.1 Backport PR to the v5.1 branch provider/aws Issues/PRs related with the AWS provider was-backported The PR was successfully backported to the target branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

report of DetectSecrets line number is wrong
5 participants
@pedrooot @kagahd @prowler-bot @jfagoagas @MrCloudSec