fix(detect_secrets): refactor logic for detect-secrets (#6565)

Co-authored-by: Pedro Martín <[email protected]>

prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py

@@ -1,3 +1,4 @@
+import hashlib
 import json
 
 from prowler.lib.check.models import Check, Check_Report_AWS
@@ -28,11 +29,19 @@ def execute(self):
                     data=json.dumps(function.environment, indent=2),
                     excluded_secrets=secrets_ignore_patterns,
                 )
+                original_env_vars = {}
+                for name, value in function.environment.items():
+                    original_env_vars.update(
+                        {
+                            hashlib.sha1(  # nosec B324 SHA1 is used here for non-security-critical unique identifiers
+                                value.encode("utf-8")
+                            ).hexdigest(): name
+                        }
+                    )
                 if detect_secrets_output:
-                    environment_variable_names = list(function.environment.keys())
                     secrets_string = ", ".join(
                         [
-                            f"{secret['type']} in variable {environment_variable_names[int(secret['line_number']) - 2]}"
+                            f"{secret['type']} in variable {original_env_vars[secret['hashed_secret']]}"
                             for secret in detect_secrets_output
                         ]
                     )

prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py

@@ -1,3 +1,4 @@
+import hashlib
 from json import dumps
 
 from prowler.lib.check.models import Check, Check_Report_AWS
@@ -25,8 +26,16 @@ def execute(self):
 
                 if container.environment:
                     dump_env_vars = {}
+                    original_env_vars = {}
                     for env_var in container.environment:
                         dump_env_vars.update({env_var.name: env_var.value})
+                        original_env_vars.update(
+                            {
+                                hashlib.sha1(  # nosec B324 SHA1 is used here for non-security-critical unique identifiers
+                                    env_var.value.encode("utf-8")
+                                ).hexdigest(): env_var.name
+                            }
+                        )
 
                     env_data = dumps(dump_env_vars, indent=2)
                     detect_secrets_output = detect_secrets_scan(
@@ -35,7 +44,7 @@ def execute(self):
                     if detect_secrets_output:
                         secrets_string = ", ".join(
                             [
-                                f"{secret['type']} on line {secret['line_number']}"
+                                f"{secret['type']} on the environment variable {original_env_vars[secret['hashed_secret']]}"
                                 for secret in detect_secrets_output
                             ]
                         )

tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py

@@ -132,7 +132,7 @@ def test_container_env_var_with_secrets(self):
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Potential secrets found in ECS task definition {TASK_NAME} with revision {TASK_REVISION}: Secrets in container test-container -> Secret Keyword on line 2."
+                == f"Potential secrets found in ECS task definition {TASK_NAME} with revision {TASK_REVISION}: Secrets in container test-container -> Secret Keyword on the environment variable DB_PASSWORD."
             )
             assert result[0].resource_id == f"{TASK_NAME}:{TASK_REVISION}"
             assert result[0].resource_arn == task_arn