Skip to content

Fix: [New Check]: Detect secrets in AWS Batch job definitions#11836

Closed
Deep070203 wants to merge 7 commits into
prowler-cloud:masterfrom
Deep070203:fix/auto-patch-1783100399107
Closed

Fix: [New Check]: Detect secrets in AWS Batch job definitions#11836
Deep070203 wants to merge 7 commits into
prowler-cloud:masterfrom
Deep070203:fix/auto-patch-1783100399107

Conversation

@Deep070203

@Deep070203 Deep070203 commented Jul 3, 2026

Copy link
Copy Markdown

Context

Fixes #11817, #11816

Description

This PR introduces comprehensive security auditing support for AWS Amplify and AWS Batch services within the Prowler SDK, including new checks targeting hardcoded secrets and workload misconfigurations.

1. AWS Amplify Service Integration

  • Adds full SDK/Service collector support for AWS Amplify (amplify:ListApps and amplify:ListBranches).
  • Introduces the amplify_app_no_secrets_in_environment check.
  • Scans Amplify application environment variables, branch-specific environment variables, and build settings (buildspec.yml) utilizing Prowler's shared secret-scanning helper.
  • Reports detailed line context, application names, and branch scopes without exposing raw sensitive strings.
  • Plugs natively into the existing verified-secret annotation pipeline, automatically escalating verified live secrets to Critical severity.

2. AWS Batch Service Integration

  • Adds full SDK/Service collector support for AWS Batch components.
  • Introduces the batch_job_definition_security_hardening check to evaluate container and job definitions for security risks.
  • Inspects job definitions for privileged container execution, elevated root privileges, container resource limitations, and insecure environment variables.

3. Policy & Infrastructure-as-Code Updates

  • Updates permissions/prowler-additions-policy.json to include the minimal read-only permissions required for cross-account scans.
  • Updates the Prowler scan role IAM policy CloudFormation templates.

Steps to review

  1. Review the new AWS Amplify and AWS Batch service collector.
  2. Review the new check metadata and secret line-context mapping.
  3. Run the following verification commands:
uv run pytest tests/providers/aws/services/amplify -q
uv run pytest tests/providers/aws/services/batch -q
uv run ruff check prowler/providers/aws/services/amplify tests/providers/aws/services/amplify
uv run ruff check prowler/providers/aws/services/batch tests/providers/aws/services/batch
uv run ruff format --check prowler/providers/aws/services/amplify tests/providers/aws/services/amplify
uv run ruff format --check prowler/providers/aws/services/batch tests/providers/aws/services/batch
python3 -m json.tool permissions/prowler-additions-policy.json

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack
  • Review if the code is being covered by tests.
  • Review if code is being documented following the Prowler specification.
  • Review if backport is needed.
  • Review if is needed to change the Readme.md
  • Ensure new entries are added to CHANGELOG.md.

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Yes. Added amplify:ListApps and amplify:ListBranches, batch:DescribeJobDefinitions, batch:DescribeJobQueues, batch:ListJobDefinitions to the scan role additions

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence.
  • Screenshots/Video of the functionality flow (if applicable).
  • Ensure new entries are added to CHANGELOG.md.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable).
  • Performance test results (if applicable).
  • Verify if API specs need to be regenerated.
  • Ensure new entries are added to CHANGELOG.md.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features
    • Added AWS Amplify scanning to detect plaintext secrets in app environment variables, branch environment variables, and build settings.
    • Added AWS Batch scanning to detect plaintext secrets in job definition container environment variables and command parameters.
    • Expanded read-only IAM permissions to support additional Amplify listing actions.
  • Bug Fixes
    • When secret scanning encounters errors, results are now marked for manual review with error details.
  • Tests
    • Added unit test coverage for Amplify and Batch secret detection, including manual fallback scenarios.

Deep070203 and others added 4 commits July 2, 2026 11:41
- Materialize app payloads upfront to ensure line_context_by_app is fully populated upon scan failure
- Add test case verifying scanner error behaves correctly (reporting MANUAL instead of defaulting to PASS)
- Add AWS CLI update-app command to amplify_app_no_secrets_in_environment metadata
@Deep070203 Deep070203 requested a review from a team as a code owner July 3, 2026 17:40
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider metadata-review community Opened by the Community labels Jul 3, 2026
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds AWS Amplify and AWS Batch service support, two new secret-scanning checks, matching tests, Amplify IAM read permissions, and a changelog entry.

Changes

Amplify secrets-scanning check

Layer / File(s) Summary
Amplify service resource model and listing
prowler/providers/aws/services/amplify/*
Adds App and Branch models and an Amplify service that lists apps and branches, plus the package and client wiring.
amplify_app_no_secrets_in_environment check and metadata
prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/*
Adds the Amplify secret-scan check, its payload builder, metadata, and package initializer.
Amplify service and check tests
tests/providers/aws/services/amplify/*
Adds tests for Amplify resource parsing and secret-scanning PASS, FAIL, and MANUAL outcomes.
IAM permissions and changelog for Amplify
permissions/prowler-additions-policy.json, permissions/templates/cloudformation/prowler-scan-role.yml, prowler/CHANGELOG.md
Adds Amplify read permissions and documents the new checks in the changelog.

Batch secrets-scanning check

Layer / File(s) Summary
Batch service resource model and job definition listing
prowler/providers/aws/services/batch/*
Adds JobDefinitionContainer and JobDefinition models and the Batch service that lists job definitions, plus the package and client wiring.
batch_job_definition_no_secrets check and metadata
prowler/providers/aws/services/batch/batch_job_definition_no_secrets/*
Adds the Batch secret-scan check, its payload builder, metadata, and package initializer.
Batch service and check tests
tests/providers/aws/services/batch/*
Adds tests for Batch resource parsing and secret-scanning PASS, FAIL, and MANUAL outcomes.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related issues

Possibly related PRs

  • prowler-cloud/prowler#11694: Introduced the shared batched secret-scanning and verification flow used by the new Amplify and Batch checks.

Suggested reviewers: danibarranqueroo, HugoPBrito

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning Batch service, Batch secret check, and Batch IAM permission updates are unrelated to the linked Amplify issue #11817. Move the Batch-related code and permission changes to a separate PR or add the corresponding Batch issue to the linked scope.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly references a real part of the change, but it only mentions Batch and omits the Amplify work.
Description check ✅ Passed The description matches the template well with context, summary, review steps, checklist, and license.
Linked Issues check ✅ Passed The Amplify changes add the requested service, check, permissions, and tests for app, branch, and buildSpec secret scanning.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the has-conflicts The PR has conflicts that needs to be resolved. label Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

No Conflicts

No conflict markers, and the branch merges cleanly into its base.

@Deep070203 Deep070203 marked this pull request as draft July 3, 2026 17:44
@github-actions github-actions Bot removed the has-conflicts The PR has conflicts that needs to be resolved. label Jul 3, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

♻️ Duplicate comments (1)
tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py (1)

1-1: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Remove test-folder __init__.py.

Same violation as tests/providers/aws/services/amplify/__init__.py — path instructions state test folders must not contain __init__.py.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py`
at line 1, Remove the test-folder __init__.py file from the
amplify_app_no_secrets_in_environment test package, since test directories must
not contain package initializers. Delete the __init__.py under the
amplify_app_no_secrets_in_environment path and keep the rest of the test module
structure unchanged; this matches the same cleanup needed for the parent amplify
test package.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py`:
- Around line 83-87: The add_line helper currently accepts value as str but
explicitly handles None, so its signature should match the actual contract.
Update add_line in amplify_app_no_secrets_in_environment.py to accept an
Optional[str] value, keeping the early return for None and preserving the
existing lines/json.dumps/line_context behavior so callers can pass missing
values without a type mismatch.

In
`@prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py`:
- Around line 15-78: Add a Google-style docstring to the `execute` method in
`batch_job_definition_no_secrets.py`. Document that `execute()` scans Batch job
definitions for secrets, returns a list of `Check_Report_AWS`, and note the
behavior around `detect_secrets_scan_batch`, `SecretsScanError`, and the
MANUAL/PASS/FAIL report outcomes. Keep the docstring concise and place it
directly above the `execute(self) -> list[Check_Report_AWS]` definition.
- Line 81: The helper _build_job_definition_payload currently annotates its
return type but leaves the jd parameter untyped. Add an explicit type hint for
jd (for example, the appropriate JobDefinition model/type used in this module)
so the function signature is consistent and supports IDE/type-checking; update
only the parameter annotation and keep the existing return annotation unchanged.

In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py`:
- Line 52: The Amplify test fixture contains a fake JWT-like string that still
triggers TruffleHog in diff scans, so update the test setup to avoid scanning
this value by adding an explicit allowlist/exception for the fixture or
relocating the JWT fixture outside the scanned test path. Make the change in the
Amplify no-secrets test around the db_pass fixture so the secret-scan gate no
longer flags these intended test tokens.

---

Duplicate comments:
In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py`:
- Line 1: Remove the test-folder __init__.py file from the
amplify_app_no_secrets_in_environment test package, since test directories must
not contain package initializers. Delete the __init__.py under the
amplify_app_no_secrets_in_environment path and keep the rest of the test module
structure unchanged; this matches the same cleanup needed for the parent amplify
test package.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2c06e703-85b0-4e95-9774-bf16d5b2b2c2

📥 Commits

Reviewing files that changed from the base of the PR and between efb86bb and 25c19b7.

📒 Files selected for processing (23)
  • permissions/prowler-additions-policy.json
  • permissions/templates/cloudformation/prowler-scan-role.yml
  • prowler/CHANGELOG.md
  • prowler/providers/aws/services/amplify/__init__.py
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.metadata.json
  • prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py
  • prowler/providers/aws/services/amplify/amplify_client.py
  • prowler/providers/aws/services/amplify/amplify_service.py
  • prowler/providers/aws/services/batch/__init__.py
  • prowler/providers/aws/services/batch/batch_client.py
  • prowler/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py
  • prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.metadata.json
  • prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py
  • prowler/providers/aws/services/batch/batch_service.py
  • tests/providers/aws/services/amplify/__init__.py
  • tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/__init__.py
  • tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py
  • tests/providers/aws/services/amplify/amplify_service_test.py
  • tests/providers/aws/services/batch/__init__.py
  • tests/providers/aws/services/batch/batch_job_definition_no_secrets/__init__.py
  • tests/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets_test.py
  • tests/providers/aws/services/batch/batch_service_test.py

Comment on lines +83 to +87
def add_line(context: str, value: str) -> None:
if value is None:
return
lines.append(json.dumps({context: value}))
line_context[len(lines)] = context

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Type hint doesn't match the None-handling contract.

value: str declares required str, but the function explicitly early-returns on None (line 84), meaning callers may legitimately pass None. Should be Optional[str].

♻️ Proposed fix
+from typing import Optional
+
 ...
-    def add_line(context: str, value: str) -> None:
+    def add_line(context: str, value: Optional[str]) -> None:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
def add_line(context: str, value: str) -> None:
if value is None:
return
lines.append(json.dumps({context: value}))
line_context[len(lines)] = context
def add_line(context: str, value: Optional[str]) -> None:
if value is None:
return
lines.append(json.dumps({context: value}))
line_context[len(lines)] = context
🧰 Tools
🪛 ast-grep (0.44.0)

[info] 85-85: use jsonify instead of json.dumps for JSON output
Context: json.dumps({context: value})
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@prowler/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment.py`
around lines 83 - 87, The add_line helper currently accepts value as str but
explicitly handles None, so its signature should match the actual contract.
Update add_line in amplify_app_no_secrets_in_environment.py to accept an
Optional[str] value, keeping the early return for None and preserving the
existing lines/json.dumps/line_context behavior so callers can pass missing
values without a type mismatch.

return findings


def _build_job_definition_payload(jd) -> tuple[str, dict[int, str]]:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Add a type hint for the jd parameter.

The function's return type is annotated but jd is not; consider annotating it (e.g., jd: JobDefinition) for consistency and IDE/type-checker support.

🧹 Proposed fix
-def _build_job_definition_payload(jd) -> tuple[str, dict[int, str]]:
+def _build_job_definition_payload(jd: "JobDefinition") -> tuple[str, dict[int, str]]:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
def _build_job_definition_payload(jd) -> tuple[str, dict[int, str]]:
def _build_job_definition_payload(jd: "JobDefinition") -> tuple[str, dict[int, str]]:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@prowler/providers/aws/services/batch/batch_job_definition_no_secrets/batch_job_definition_no_secrets.py`
at line 81, The helper _build_job_definition_payload currently annotates its
return type but leaves the jd parameter untyped. Add an explicit type hint for
jd (for example, the appropriate JobDefinition model/type used in this module)
so the function signature is consistent and supports IDE/type-checking; update
only the parameter annotation and keep the existing return annotation unchanged.

- Add Google-style docstring to batch_job_definition_no_secrets execute method
- Fix batch_job_definition_no_secrets_test to mock provider during resolution
@Deep070203 Deep070203 marked this pull request as ready for review July 3, 2026 18:04
@Deep070203

Copy link
Copy Markdown
Author

I have added Batch Job secrets check as well here. You can disregard #11825 pull request and check this PR. It has both the changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py (1)

112-142: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Drop the extra provider mock in test_app_scan_error_marks_manual_execute_check already patches Provider.get_global_provider with set_mocked_aws_provider([AWS_REGION_US_EAST_1]), so the local provider setup here is redundant. Keeping only the detect_secrets_scan_batch failure stub would make the test easier to read.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py`
around lines 112 - 142, The test test_app_scan_error_marks_manual has a
redundant Provider.get_global_provider patch because _execute_check already uses
set_mocked_aws_provider([AWS_REGION_US_EAST_1]) to provide the AWS provider.
Remove the extra provider mock from the local patch block and keep only the
detect_secrets_scan_batch side effect setup so the test focuses on the scan
failure path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py`:
- Around line 112-142: The test test_app_scan_error_marks_manual has a redundant
Provider.get_global_provider patch because _execute_check already uses
set_mocked_aws_provider([AWS_REGION_US_EAST_1]) to provide the AWS provider.
Remove the extra provider mock from the local patch block and keep only the
detect_secrets_scan_batch side effect setup so the test focuses on the scan
failure path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 85178456-4daa-4d2e-90bc-bb804c2df167

📥 Commits

Reviewing files that changed from the base of the PR and between 9bd3d4c and 28dee53.

📒 Files selected for processing (1)
  • tests/providers/aws/services/amplify/amplify_app_no_secrets_in_environment/amplify_app_no_secrets_in_environment_test.py

@Deep070203 Deep070203 closed this Jul 3, 2026
@Deep070203

Copy link
Copy Markdown
Author

Closed it since I don't want to add both checks in one PR.

@Deep070203 Deep070203 deleted the fix/auto-patch-1783100399107 branch July 3, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community Opened by the Community metadata-review provider/aws Issues/PRs related with the AWS provider

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[New Check]: Detect secrets in AWS Amplify app environment variables

1 participant