'Potential secret found in variables of ECS task definition...' gives incorrect line numbers

[trigger1919]

In scan results I found out the the scan type 'Potential secret found in variables of ECS task definition...' gives incorrect line numbers, like 'Base64 High Entropy String on line 4, Secret Keyword on line 4' etc.

When I look into the 'task_definition.json' file I do not see any secrets on those lines.

How should I count those line numbers? Maybe there is a base for that 'line 4' like I need to start from the 'environment' key line?

[jfagoagas]

Hi @trigger1919, these line numbers starts at the environment key of your ECS Task Definition and matches the environment.Name. Can you check that these lines are correct now?

Thanks for using Prowler 🚀

[trigger1919]

Not really if you look at the file in UI. Should each separate list entry in 'environment' be treated as one line? So like secret in the first key:value pair will give a line 2?

[trigger1919]

I also filed a bug #2620.
I guess this should be fixed. At least explained in the title or description clearly. Now it is really confusing.

[jfagoagas]

Each entry in the task definition is transformed right, so:

• Task Definition:

"environment": [
  {
      "name": "Super_Secret_Password",
      "value": "password"
  },
]

• Prowler temporary file:

{
  "Super_Secret_Password": "password"
}

You are right, we have to check it because I'm not sure if the library we use to detect secrets can work with the Task Definition environment format.

Thanks!