Skip to content

feat(glue): add glue_catalog_connection_no_secrets check#11839

Open
UTKARSH698 wants to merge 7 commits into
prowler-cloud:masterfrom
UTKARSH698:feat-glue-secrets-check
Open

feat(glue): add glue_catalog_connection_no_secrets check#11839
UTKARSH698 wants to merge 7 commits into
prowler-cloud:masterfrom
UTKARSH698:feat-glue-secrets-check

Conversation

@UTKARSH698

@UTKARSH698 UTKARSH698 commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Context

AWS Glue Data Catalog connections often store hardcoded database credentials in plaintext connection properties (ConnectionProperties), which is a gap in Prowler'''s existing secret-scanning coverage for Glue.

Fix #11814

Description

Adds glue_catalog_connection_no_secrets, scanning each Data Catalog connection'''s ConnectionProperties for hardcoded secrets. Follows the same batched Kingfisher secret-scanning structure as glue_etl_jobs_no_secrets_in_arguments (the reference check linked from the issue): one payload per connection property, keyed by (connection_index, property_name), scanned via detect_secrets_scan_batch.

  • PASS when no secrets are found in a connection'''s properties.
  • FAIL when a secret is detected, naming the connection and property (not the value).
  • MANUAL when the batch scan itself errors, so no connection is silently skipped.
  • Severity is High by default, escalated to Critical when annotate_verified_secrets confirms a live secret (matches the issue'''s suggested severity).

Reuses the existing Connection model in glue_service.py (properties already populated from get_connections), so no service-layer changes were needed.

Steps to review

pytest tests/providers/aws/services/glue/glue_catalog_connection_no_secrets/ -v

4 tests covering: no connections, connection with no secrets, connection with a secret in properties, and a connection with empty properties. All pass locally, along with the full existing tests/providers/aws/services/glue/ suite (68 passed) and ruff format/ruff check.

Checklist

  • This feature/issue is listed as open in the repo
  • Review if the code is being covered by tests
  • Review if code is being documented following the docstring style guide
  • Added a CHANGELOG.md entry

SDK/CLI

  • Are there new checks included in this PR? Yes
    • No new permissions needed — reuses the existing glue:GetConnections read used by glue_database_connections_ssl_enabled.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

  • New Features
    • Added a new AWS Glue security check to detect hardcoded secrets in Data Catalog connection properties.
    • Included guidance for resolving findings across supported deployment methods.
  • Documentation
    • Updated the unreleased changelog with the new check and its coverage.
  • Tests
    • Added test coverage for empty, clean, secret-containing, and no-connection scenarios.

@UTKARSH698 UTKARSH698 requested a review from a team as a code owner July 4, 2026 06:42
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider metadata-review community Opened by the Community labels Jul 4, 2026
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new AWS Prowler check, glue_catalog_connection_no_secrets, that scans Glue Data Catalog connection properties for hardcoded secrets using batched secret scanning. Includes check metadata, implementation with PASS/FAIL/MANUAL reporting, a comprehensive test suite, and a changelog entry.

Changes

Glue catalog connection secret scan check

Layer / File(s) Summary
Check metadata
prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.metadata.json
Defines check identity, severity, description, remediation guidance, and related URLs.
Check implementation
prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.py
Implements execute() to batch-scan connection properties via detect_secrets_scan_batch, handles SecretsScanError as MANUAL, and reports PASS/FAIL with verified secret annotations.
Test suite
tests/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets_test.py
Covers no connections, connection without secrets, connection with a PASSWORD secret, and empty properties scenarios using moto-mocked Glue.
Changelog entry
prowler/CHANGELOG.md
Documents the new check under the 5.31.0 Added section.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Check as glue_catalog_connection_no_secrets
  participant GlueClient as glue_client
  participant Scanner as detect_secrets_scan_batch

  Check->>GlueClient: get connections and audit_config
  Check->>Scanner: scan batched connection properties
  Scanner-->>Check: detections or SecretsScanError
  alt scan succeeded
    Check->>Check: build PASS or FAIL report per connection
  else scan failed
    Check->>Check: mark connection as MANUAL
  end
  Check-->>GlueClient: return findings list
Loading

Possibly related issues

Possibly related PRs

  • prowler-cloud/prowler#11694: Introduces the kingfisher-based secret-scanning stack (detect_secrets_scan_batch, secrets_validate, annotate_verified_secrets) reused directly by this new check.

Suggested reviewers: danibarranqueroo

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly names the new Glue catalog secret-scanning check and matches the main change.
Description check ✅ Passed The PR description follows the template and includes context, summary, review steps, checklist, and issue reference.
Linked Issues check ✅ Passed The implementation matches #11814: Data Catalog connections are scanned for secrets, report connection names, and use High/Critical severity.
Out of Scope Changes check ✅ Passed Only the new check, its metadata, tests, and changelog entry were added, with no unrelated changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch feat-glue-secrets-check

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the has-conflicts The PR has conflicts that needs to be resolved. label Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

No Conflicts

No conflict markers, and the branch merges cleanly into its base.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.py`:
- Line 20: The public method execute in glue_catalog_connection_no_secrets lacks
the required type hint and Google-style docstring. Update execute to include an
explicit return type annotation and add a concise docstring describing what the
method does, following the style used by other methods in the same class/module.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fee18b8e-e92a-4289-8668-c609c6decd17

📥 Commits

Reviewing files that changed from the base of the PR and between efb86bb and 8d09026.

📒 Files selected for processing (5)
  • prowler/CHANGELOG.md
  • prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/__init__.py
  • prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.metadata.json
  • prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.py
  • tests/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets_test.py

should be stored in Secrets Manager or Parameter Store instead.
"""

def execute(self):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Add return type hint and docstring to execute().

As per coding guidelines, prowler/**/*.py requires "Type hints are required for all public functions" and "Docstrings are required for all classes and methods... following Google style documentation". execute() has neither.

♻️ Proposed fix
-    def execute(self):
+    def execute(self) -> list[Check_Report_AWS]:
+        """Scan every Glue Data Catalog connection's properties for secrets.
+
+        Returns:
+            list[Check_Report_AWS]: One report per connection with status
+            PASS, FAIL, or MANUAL.
+        """
         findings = []
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
def execute(self):
def execute(self) -> list[Check_Report_AWS]:
"""Scan every Glue Data Catalog connection's properties for secrets.
Returns:
list[Check_Report_AWS]: One report per connection with status
PASS, FAIL, or MANUAL.
"""
findings = []
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@prowler/providers/aws/services/glue/glue_catalog_connection_no_secrets/glue_catalog_connection_no_secrets.py`
at line 20, The public method execute in glue_catalog_connection_no_secrets
lacks the required type hint and Google-style docstring. Update execute to
include an explicit return type annotation and add a concise docstring
describing what the method does, following the style used by other methods in
the same class/module.

Source: Coding guidelines

Detects secrets in AWS Glue Data Catalog connection properties
(ConnectionProperties), following the same batched Kingfisher
secret-scanning pattern as glue_etl_jobs_no_secrets_in_arguments.

Closes prowler-cloud#11814.
@UTKARSH698 UTKARSH698 force-pushed the feat-glue-secrets-check branch from 8d09026 to d15db5c Compare July 4, 2026 15:58
@github-actions github-actions Bot removed the has-conflicts The PR has conflicts that needs to be resolved. label Jul 4, 2026
The offline Kingfisher scanner ignores bare high-entropy placeholder
values, so the previous fake key was not flagged and the with-secrets
test failed in CI. Use the same valid JWT the apigateway stage-variable
secrets test relies on.
Kingfisher did not flag a secret embedded in a compact single-line
per-property payload, so the with-secrets test failed in CI. Mirror the
apigateway stage-variables check: scan each connection's properties as a
single indented-JSON document (one value per line) and map a finding back
to its property via the finding's line number.
…t failure

get_connections in moto 5.1.11 (the pinned CI version) omits
ConnectionProperties, so the secret never reached the scanner and the
check returned PASS instead of FAIL. Set the properties directly on the
built service so the test is deterministic across moto versions.
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.85%. Comparing base (398a0a4) to head (936d914).
⚠️ Report is 1 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (398a0a4) and HEAD (936d914). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (398a0a4) HEAD (936d914)
api 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #11839       +/-   ##
===========================================
- Coverage   93.80%    3.85%   -89.96%     
===========================================
  Files         261      877      +616     
  Lines       38141    26201    -11940     
===========================================
- Hits        35779     1010    -34769     
- Misses       2362    25191    +22829     
Flag Coverage Δ
api ?
prowler-py3.10-aws 3.85% <100.00%> (?)
prowler-py3.11-aws 3.85% <100.00%> (?)
prowler-py3.12-aws 3.85% <100.00%> (?)
prowler-py3.13-aws 3.85% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 3.85% <100.00%> (∅)
api ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Add a test that forces detect_secrets_scan_batch to raise
SecretsScanError, exercising the previously-uncovered MANUAL branch and
bringing the check to 100% patch coverage.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community Opened by the Community metadata-review new-check provider/aws Issues/PRs related with the AWS provider

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[New Check]: Detect secrets in AWS Glue Data Catalog connections

2 participants