What happened?
We use sst.dev to configure and deploy our CloudFormation stacks. Therefore our CloudFormation stack outputs contain metadata used by SST, which contains multiple UUIDs. These UUIDs are being detected as secrets even though they are not secrets.
How to reproduce it
Steps to reproduce the behavior:
What command are you running?
Use sst.dev to deploy your application to AWS.
Run:
prowler aws --checks cloudformation_outputs_find_secrets
Cloud provider you are launching
AWS
See the above checks failing.
Expected behavior
These checks should pass as there are no actual secrets being passed in. After looking more into the issues, it looks like Prowler is flagging UUIDs created by sst.dev in the process of deploying the application to AWS as secrets. Is there a way to mark these as non-secrets?
From where are you running Prowler?
Please, complete the following information:
Resource: CloudFormation & Lambda
OS: Mac
Prowler Version [prowler --version]: 3.1.4
Python version [python --version]: 3.9.6
Pip version [pip --version]: 23.0
Installation method (Are you running it from pip package or cloning the github repo?): pip package
Others:
akunap2 changed the title from "[Bug]: Failing cloudformation_outputs_find_secrets & awslambda_function_no_secrets_in_variables due to uuids created by set.dev" to "[Bug]: Failing cloudformation_outputs_find_secrets due to uuids created by set.dev" on Feb 24, 2023
Hi @akunap2, as @JeffreySouza points out, Prowler uses detect_secrets to look for secrets in source code. To avoid getting those results as FAILs, we recommend you whitelist those resources for that check.
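One way to apply the recommendation above, as an added example that is not part of the original thread: a Prowler allowlist file scoped to the one check and the SST-deployed stack. It assumes the Prowler v3 allowlist file format and the `-w`/`--allowlist-file` option; the account ID, region and stack name are placeholders.

```yaml
# allowlist.yaml (added example; the values below are placeholders, not from the issue)
# Run with:
#   prowler aws --checks cloudformation_outputs_find_secrets -w allowlist.yaml
Allowlist:
  Accounts:
    # Placeholder account ID; "*" would apply the entry to every scanned account.
    "123456789012":
      Checks:
        # Only this check is suppressed; other checks still evaluate the stack.
        "cloudformation_outputs_find_secrets":
          Regions:
            - "us-east-1"            # placeholder region
          Resources:
            # Entries are keywords or regexes matched against the resource
            # reported by the check (assumed here to be the stack name).
            - "my-sst-app-stack"     # hypothetical SST stack name
```

Keep the entry scoped to the named stack rather than "*": once a stack is allowlisted for this check, a real secret later added to its outputs is no longer reported as a FAIL either.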