Skip to content

feat(sdk): add AWS Amplify app secret scanning check#11825

Open
Deep070203 wants to merge 3 commits into
prowler-cloud:masterfrom
Deep070203:deep070203/amplify-app-secrets-check
Open

feat(sdk): add AWS Amplify app secret scanning check#11825
Deep070203 wants to merge 3 commits into
prowler-cloud:masterfrom
Deep070203:deep070203/amplify-app-secrets-check

Conversation

@Deep070203

@Deep070203 Deep070203 commented Jul 2, 2026

Copy link
Copy Markdown

Context

Fixes #11817

Description

Adds AWS Amplify service support to the SDK and a new amplify_app_no_secrets_in_environment check. The check scans Amplify app environment variables, branch environment variables, and build settings (build spec YAML) with the shared secret-scanning helper. It reports the app/branch/line context without exposing secret values, and uses the existing verified-secret annotation path so live secrets are raised to critical.

Also updates the Prowler scan role additions policy and CloudFormation template with the read-only Amplify permissions (amplify:ListApps and amplify:ListBranches) needed for collection.

Steps to review

  1. Review the new AWS Amplify service collector.
  2. Review the new check metadata and secret line-context mapping.
  3. Run the following verification commands:
uv run pytest tests/providers/aws/services/amplify -q
uv run ruff check prowler/providers/aws/services/amplify tests/providers/aws/services/amplify
uv run ruff format --check prowler/providers/aws/services/amplify tests/providers/aws/services/amplify
python3 -m json.tool permissions/prowler-additions-policy.json

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack
  • Review if the code is being covered by tests.
  • Review if code is being documented following the Prowler specification.
  • Review if backport is needed.
  • Review if is needed to change the Readme.md
  • Ensure new entries are added to CHANGELOG.md.

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Yes. Added amplify:ListApps and amplify:ListBranches to the scan role additions.

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence.
  • Screenshots/Video of the functionality flow (if applicable).
  • Ensure new entries are added to CHANGELOG.md.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable).
  • Performance test results (if applicable).
  • Verify if API specs need to be regenerated.
  • Ensure new entries are added to CHANGELOG.md.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

  • New Features
    • Added AWS Amplify discovery for apps and branches.
    • Introduced a new Amplify security check to detect plaintext secrets in app and branch environment variables and build configuration.
    • Expanded the Amplify read-only IAM permissions used by scan roles.
  • Tests
    • Added automated coverage for Amplify service discovery and the new secret-detection scenarios, including manual fallback behavior when scanning can’t complete.

@Deep070203 Deep070203 requested a review from a team as a code owner July 2, 2026 15:50
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider metadata-review community Opened by the Community labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

No Conflicts

No conflict markers, and the branch merges cleanly into its base.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 876aec3b-3a82-4bbd-a8e8-2c0159ca9f32

📥 Commits

Reviewing files that changed from the base of the PR and between 6a2754d and bd3bd9f.

📒 Files selected for processing (1)
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json

📝 Walkthrough

Walkthrough

Adds Amplify service support, a new check that scans app and branch environment data for secrets, IAM permission updates, metadata, changelog entries, and tests.

Changes

Amplify secret scanning feature

Layer / File(s) Summary
IAM permissions and changelog updates
permissions/prowler-additions-policy.json, permissions/templates/cloudformation/prowler-scan-role.yml, prowler/CHANGELOG.md
Adds amplify:ListApps and amplify:ListBranches to read-only IAM policies and records the new Amplify check in the changelog.
Amplify service and data models
prowler/providers/aws/services/amplify/__init__.py, prowler/providers/aws/services/amplify/amplify_service.py, prowler/providers/aws/services/amplify/amplify_client.py, tests/providers/aws/services/amplify/__init__.py, tests/providers/aws/services/amplify/amplify_service_test.py
Defines App and Branch, lists Amplify apps and branches, wires a global client, and tests parsed service data with mocked API responses.
Secrets-in-environment check
prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py, prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json, prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py
Adds the Amplify secret-scanning check, its metadata, and payload-building/reporting logic for app, branch, and build spec content.
Check tests
tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py, tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py
Adds tests covering empty, pass, fail, and scan-error outcomes for the new Amplify check.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant AmplifyService
  participant AWSAmplifyAPI
  participant Check as amplify_app_no_secrets_in_environment
  participant Scanner as detect_secrets_scan_batch

  AmplifyService->>AWSAmplifyAPI: list_apps / list_branches
  AWSAmplifyAPI-->>AmplifyService: apps and branches
  Check->>AmplifyService: read Amplify apps
  Check->>Check: build per-app payloads
  Check->>Scanner: scan batch payloads
  Scanner-->>Check: findings or SecretsScanError
  Check->>Check: emit PASS / FAIL / MANUAL reports
Loading

Possibly related PRs

Suggested reviewers: danibarranqueroo, HugoPBrito

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: a new AWS Amplify secret-scanning check.
Description check ✅ Passed The description includes context, a change summary, review steps, and a checklist with the linked fix reference.
Linked Issues check ✅ Passed Implements #11817 by adding Amplify support and the new secret-scanning check with app, branch, and buildSpec coverage plus High-to-Critical handling.
Out of Scope Changes check ✅ Passed The changed permissions, changelog, service code, and tests all support the requested Amplify secret-scanning feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot added the slop label Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py (1)

1-2: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Remove __init__.py from test folder.

As per path instructions, prowler/** test folders must not contain __init__.py. This file should be deleted.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py`
around lines 1 - 2, The test folder currently contains an unwanted __init__.py,
which violates the path rules for prowler/** test directories. Delete the
__init__.py file from the amplify_app_no_secrets_in_environment test package and
ensure no test-only package initializer remains in that folder.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json`:
- Around line 24-30: Populate Remediation.Code.CLI in the
amplify_app_no_secrets_in_environment metadata with a non-empty CLI remediation
path, matching the style used by the other Remediation.Code entries; use the
existing remediation guidance from Remediation.Code.Other as the basis and add
the corresponding AWS CLI steps in the Remediation.Code.CLI field so the check
metadata satisfies the non-empty requirement.

In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py`:
- Around line 21-38: The app scan can incorrectly leave later apps as PASS when
detect_secrets_scan_batch raises SecretsScanError because line_context_by_app is
only filled lazily through the payloads generator. In
amplify_app_no_secrets_in_environment, materialize all app payloads up front
before calling detect_secrets_scan_batch so _build_app_payload is executed for
every app and line_context_by_app is fully populated regardless of scan
failures. Then keep the existing error handling so any scan failure still marks
affected/unscanned apps as MANUAL instead of defaulting to PASS.

---

Outside diff comments:
In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py`:
- Around line 1-2: The test folder currently contains an unwanted __init__.py,
which violates the path rules for prowler/** test directories. Delete the
__init__.py file from the amplify_app_no_secrets_in_environment test package and
ensure no test-only package initializer remains in that folder.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1291153f-b5d6-40d4-b58d-78e29bd18862

📥 Commits

Reviewing files that changed from the base of the PR and between 2e37188 and d82a4db.

📒 Files selected for processing (13)
  • permissions/prowler-additions-policy.json
  • permissions/templates/cloudformation/prowler-scan-role.yml
  • prowler/CHANGELOG.md
  • prowler/providers/aws/services/amplify/__init__.py
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py
  • prowler/providers/aws/services/amplify/amplify_client.py
  • prowler/providers/aws/services/amplify/amplify_service.py
  • tests/providers/aws/services/amplify/__init__.py
  • tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py
  • tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py
  • tests/providers/aws/services/amplify/amplify_service_test.py

- Materialize app payloads upfront to ensure line_context_by_app is fully populated upon scan failure
- Add test case verifying scanner error behaves correctly (reporting MANUAL instead of defaulting to PASS)
- Add AWS CLI update-app command to amplify_app_no_secrets_in_environment metadata
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community Opened by the Community metadata-review new-check provider/aws Issues/PRs related with the AWS provider slop

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[New Check]: Detect secrets in AWS Amplify app environment variables

2 participants