feat(sdk): add AWS Amplify app secret scanning check#11825
Conversation
|
✅ No Conflicts No conflict markers, and the branch merges cleanly into its base. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds Amplify service support, a new check that scans app and branch environment data for secrets, IAM permission updates, metadata, changelog entries, and tests. ChangesAmplify secret scanning feature
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant AmplifyService
participant AWSAmplifyAPI
participant Check as amplify_app_no_secrets_in_environment
participant Scanner as detect_secrets_scan_batch
AmplifyService->>AWSAmplifyAPI: list_apps / list_branches
AWSAmplifyAPI-->>AmplifyService: apps and branches
Check->>AmplifyService: read Amplify apps
Check->>Check: build per-app payloads
Check->>Scanner: scan batch payloads
Scanner-->>Check: findings or SecretsScanError
Check->>Check: emit PASS / FAIL / MANUAL reports
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py (1)
1-2: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick winRemove
__init__.pyfrom test folder.As per path instructions,
prowler/**test folders must not contain__init__.py. This file should be deleted.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py` around lines 1 - 2, The test folder currently contains an unwanted __init__.py, which violates the path rules for prowler/** test directories. Delete the __init__.py file from the amplify_app_no_secrets_in_environment test package and ensure no test-only package initializer remains in that folder.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json`:
- Around line 24-30: Populate Remediation.Code.CLI in the
amplify_app_no_secrets_in_environment metadata with a non-empty CLI remediation
path, matching the style used by the other Remediation.Code entries; use the
existing remediation guidance from Remediation.Code.Other as the basis and add
the corresponding AWS CLI steps in the Remediation.Code.CLI field so the check
metadata satisfies the non-empty requirement.
In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py`:
- Around line 21-38: The app scan can incorrectly leave later apps as PASS when
detect_secrets_scan_batch raises SecretsScanError because line_context_by_app is
only filled lazily through the payloads generator. In
amplify_app_no_secrets_in_environment, materialize all app payloads up front
before calling detect_secrets_scan_batch so _build_app_payload is executed for
every app and line_context_by_app is fully populated regardless of scan
failures. Then keep the existing error handling so any scan failure still marks
affected/unscanned apps as MANUAL instead of defaulting to PASS.
---
Outside diff comments:
In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py`:
- Around line 1-2: The test folder currently contains an unwanted __init__.py,
which violates the path rules for prowler/** test directories. Delete the
__init__.py file from the amplify_app_no_secrets_in_environment test package and
ensure no test-only package initializer remains in that folder.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 1291153f-b5d6-40d4-b58d-78e29bd18862
📒 Files selected for processing (13)
permissions/prowler-additions-policy.jsonpermissions/templates/cloudformation/prowler-scan-role.ymlprowler/CHANGELOG.mdprowler/providers/aws/services/amplify/__init__.pyprowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.pyprowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.jsonprowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.pyprowler/providers/aws/services/amplify/amplify_client.pyprowler/providers/aws/services/amplify/amplify_service.pytests/providers/aws/services/amplify/__init__.pytests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.pytests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.pytests/providers/aws/services/amplify/amplify_service_test.py
- Materialize app payloads upfront to ensure line_context_by_app is fully populated upon scan failure - Add test case verifying scanner error behaves correctly (reporting MANUAL instead of defaulting to PASS)
- Add AWS CLI update-app command to amplify_app_no_secrets_in_environment metadata
Context
Fixes #11817
Description
Adds AWS Amplify service support to the SDK and a new
amplify_app_no_secrets_in_environmentcheck. The check scans Amplify app environment variables, branch environment variables, and build settings (build spec YAML) with the shared secret-scanning helper. It reports the app/branch/line context without exposing secret values, and uses the existing verified-secret annotation path so live secrets are raised to critical.Also updates the Prowler scan role additions policy and CloudFormation template with the read-only Amplify permissions (
amplify:ListAppsandamplify:ListBranches) needed for collection.Steps to review
Checklist
Community Checklist
SDK/CLI
amplify:ListAppsandamplify:ListBranchesto the scan role additions.UI
API
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Summary by CodeRabbit