Skip to content

[New Check]: Detect secrets in AWS Lambda layer contents #11811

Description

@danibarranqueroo

Existing check search

  • I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

AWS

New provider name

No response

Service or product area

awslambda

Suggested check name

awslambda_layer_no_secrets_in_content

Context and goal

AWS Lambda layers package shared code and dependencies pulled into functions. Secrets baked into a layer are as sensitive as those in function code, but are not covered by the existing function-code check.

Expected behavior

  • Resource or scope to evaluate: Each Lambda layer version's content.
  • PASS when: No secrets are detected in the layer content.
  • FAIL when: A secret is detected (report layer name/version and file, not the value).

References

Suggested severity

High

Additional implementation notes

Mirror awslambda_function_no_secrets_in_code: download the layer content zip to a temp file, scan with detect-secrets, and clean up. Reuse the existing awslambda service. Severity is High by default and becomes Critical if the secret is validated.

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature-requestNew feature request for Prowler.good first issueIndicates a good issue for first-time contributorsnew-checkprovider/awsIssues/PRs related with the AWS provider

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions