From 493fe2d52300b85143cb261214a004e435b5c24b Mon Sep 17 00:00:00 2001 From: Sergio Garcia Date: Mon, 9 Dec 2024 06:11:05 -0400 Subject: [PATCH 1/5] docs(env): move warning about env files (#6049) --- docs/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/index.md b/docs/index.md index 0d1792402c2..7779752fc78 100644 --- a/docs/index.md +++ b/docs/index.md @@ -29,7 +29,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe Prowler App can be installed in different ways, depending on your environment: -> See how to use Prowler App in the [Prowler App](tutorials/prowler-app.md) section. +> See how to use Prowler App in the [Prowler App Tutorial](tutorials/prowler-app.md) section. === "Docker Compose" @@ -65,6 +65,9 @@ Prowler App can be installed in different ways, depending on your environment: * `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). * `Docker Compose` installed: https://docs.docker.com/compose/install/. + ???+ warning + Make sure to have `api/.env` and `ui/.env.local` files with the required environment variables. You can find the required environment variables in the [`api/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/api/.env.example) and [`ui/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/ui/.env.template) files. + _Commands to run the API_: ``` bash 
@@ -107,9 +110,6 @@ Prowler App can be installed in different ways, depending on your environment: > Enjoy Prowler App at http://localhost:3000 by signing up with your email and password. - ???+ warning - Make sure to have `api/.env` and `ui/.env.local` files with the required environment variables. You can find the required environment variables in the [`api/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/api/.env.example) and [`ui/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/ui/.env.template) files. - ???+ warning Google and GitHub authentication is only available in [Prowler Cloud](https://prowler.com). From fefe89a1ed14c464314082e8aa0615fa83654c39 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Mon, 9 Dec 2024 14:12:08 +0100 Subject: [PATCH 2/5] fix(backport): Add action to detect labels (#5270) --- .github/workflows/backport.yml | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 534f7d6d468..87dfd5eed6e 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml 
@@ -5,38 +5,41 @@ on: branches: ['master'] types: ['labeled', 'closed'] +env: + BACKPORT_LABEL_PREFIX: backport-to-v + BACKPORT_LABEL_IGNORE: was-backported + jobs: backport: name: Backport PR - if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) + if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported')) runs-on: ubuntu-latest permissions: id-token: write pull-requests: write contents: write steps: - # Workaround not to fail the workflow if the PR does not need a backport - # https://github.com/sorenlouv/backport-github-action/issues/127#issuecomment-2258561266 - - name: Check for backport labels - id: check_labels - run: |- - labels='${{ toJSON(github.event.pull_request.labels.*.name) }}' - echo "$labels" - matched=$(echo "${labels}" | jq '. | map(select(startswith("backport-to-"))) | length') - echo "matched=$matched" - echo "matched=$matched" >> $GITHUB_OUTPUT + - name: Check labels + id: preview_label_check + uses: docker://agilepathway/pull-request-label-checker:v1.6.55 + with: + allow_failure: true + prefix_mode: true + one_of: ${{ env.BACKPORT_LABEL_PREFIX}} + none_of: ${{ env.BACKPORT_LABEL_IGNORE}} + repo_token: ${{ secrets.GITHUB_TOKEN }} - name: Backport Action - if: fromJSON(steps.check_labels.outputs.matched) > 0 + if: steps.preview_label_check.outputs.label_check == 'success' uses: sorenlouv/backport-github-action@v9.5.1 with: github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} - auto_backport_label_prefix: backport-to- + auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX}} - name: Info log - if: ${{ success() && fromJSON(steps.check_labels.outputs.matched) > 0 }} + if: ${{ success() && steps.preview_label_check.outputs.label_check == 'success' }} run: cat ~/.backport/backport.info.log - name: Debug log - if: ${{ failure() && 
fromJSON(steps.check_labels.outputs.matched) > 0 }} + if: ${{ failure() && steps.preview_label_check.outputs.label_check == 'success' }} run: cat ~/.backport/backport.debug.log From a8a567c588b49b69db79e53130bf5255faac5c88 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Mon, 9 Dec 2024 14:12:54 +0100 Subject: [PATCH 3/5] docs: Prowler SaaS -> Cloud and add missing compliance (#6061) --- README.md | 4 ++-- docs/index.md | 2 +- docs/security.md | 2 +- docs/tutorials/compliance.md | 28 ++++++++++++++++++++++------ mkdocs.yml | 3 +-- 5 files changed, 27 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 1a0944fb963..2e1a7cfeb5b 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@
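Review bot: The new label-checker step is pulled by a mutable image tag, `uses: docker://agilepathway/pull-request-label-checker:v1.6.55`, and receives `repo_token: ${{ secrets.GITHUB_TOKEN }}` in a job that holds `contents: write`, `pull-requests: write` and `id-token: write`; if that tag is ever repointed, whatever it then contains runs with those rights on every labeled or closed PR. Pin the image by digest, `uses: docker://agilepathway/pull-request-label-checker@sha256:<digest-placeholder>`, and keep the version in a trailing comment so the pin stays reviewable. The job-level `if:` hard-codes `'was-backported'`, the same value `env.BACKPORT_LABEL_IGNORE` now defines; because the `env` context is not available in a job-level `if`, that duplication is unavoidable, so add `# keep in sync with env.BACKPORT_LABEL_IGNORE` above the `if:` line rather than leaving the two to drift silently. The expressions `${{ env.BACKPORT_LABEL_PREFIX}}` and `${{ env.BACKPORT_LABEL_IGNORE}}` drop the space before `}}`; write `${{ env.BACKPORT_LABEL_PREFIX }}` to match every other expression in the file.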

- Prowler SaaS and Prowler Open Source are as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security. + Prowler Open Source is as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security.

Learn more at prowler.com @@ -43,7 +43,7 @@ # Description -**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call Prowler SaaS. +**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call Prowler Cloud. ## Prowler App diff --git a/docs/index.md b/docs/index.md index 7779752fc78..8dc5f08ffc1 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,4 +1,4 @@ -**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call Prowler SaaS. +**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call Prowler Cloud. ## Prowler App diff --git a/docs/security.md b/docs/security.md index ef85c357a8e..207b565378f 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -13,7 +13,7 @@ As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (F ## Reporting Vulnerabilities -If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or Prowler SaaS service, please submit the information by contacting to us via [**support.prowler.com**](http://support.prowler.com). +If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or Prowler Cloud service, please submit the information by contacting to us via [**support.prowler.com**](http://support.prowler.com). The information you share with the Prowler team as part of this process is kept confidential within Prowler. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you. diff --git a/docs/tutorials/compliance.md b/docs/tutorials/compliance.md index 629aec9b06d..b3424dbf27b 100644 --- a/docs/tutorials/compliance.md +++ b/docs/tutorials/compliance.md 
@@ -22,32 +22,31 @@ In order to see which compliance frameworks are cover by Prowler, you can use op ```sh prowler --list-compliance ``` -Currently, the available frameworks are: + +### AWS - `aws_account_security_onboarding_aws` - `aws_audit_manager_control_tower_guardrails_aws` - `aws_foundational_security_best_practices_aws` +- `aws_foundational_technical_review_aws` - `aws_well_architected_framework_reliability_pillar_aws` - `aws_well_architected_framework_security_pillar_aws` - `cis_1.4_aws` - `cis_1.5_aws` - `cis_2.0_aws` -- `cis_2.0_gcp` -- `cis_2.0_azure` -- `cis_2.1_azure` - `cis_3.0_aws` -- `cis_1.8_kubernetes` - `cisa_aws` - `ens_rd2022_aws` - `fedramp_low_revision_4_aws` - `fedramp_moderate_revision_4_aws` - `ffiec_aws` -- `aws_foundational_technical_review_aws` - `gdpr_aws` - `gxp_21_cfr_part_11_aws` - `gxp_eu_annex_11_aws` - `hipaa_aws` - `iso27001_2013_aws` +- `kisa_isms_p_2023_aws` +- `kisa_isms_p_2023_korean_aws` - `mitre_attack_aws` - `nist_800_171_revision_2_aws` - `nist_800_53_revision_4_aws` @@ -57,6 +56,23 @@ Currently, the available frameworks are: - `rbi_cyber_security_framework_aws` - `soc2_aws` +### Azure + +- `cis_2.0_azure` +- `cis_2.1_azure` +- `ens_rd2022_azure` +- `mitre_attack_azure` + +### GCP + +- `cis_2.0_gcp` +- `ens_rd2022_gcp` +- `mitre_attack_gcp` + +### Kubernetes + +- `cis_1.8_kubernetes` + ## List Requirements of Compliance Frameworks For each compliance framework, you can use option `--list-compliance-requirements` to list its requirements: ```sh diff --git a/mkdocs.yml b/mkdocs.yml index e3111466094..dd04e16881a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -34,7 +34,6 @@ theme: icon: material/weather-sunny name: Switch to light mode - plugins: - search - git-revision-date-localized: @@ -112,7 +111,7 @@ nav: - Contact Us: contact.md - Troubleshooting: troubleshooting.md - About: about.md - - Prowler SaaS: https://prowler.com + - Prowler Cloud: https://prowler.com # Customization extra: 
From 213a793fbcb94af0d502b0005c70ff4dbc684279 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Mon, 9 Dec 2024 14:14:06 +0100
Subject: [PATCH 4/5] chore(actions): standardize names (#6059)
---
.github/codeql/api-codeql-config.yml | 4 ++--
.github/codeql/codeql-config.yml | 4 ----
.github/codeql/sdk-codeql-config.yml | 4 ++++
.github/codeql/ui-codeql-config.yml | 2 +-
.github/workflows/api-codeql.yml | 6 +++---
.github/workflows/api-pull-request.yml | 2 +-
.github/workflows/backport.yml | 2 +-
.github/workflows/build-documentation-on-pr.yml | 2 +-
.github/workflows/find-secrets.yml | 4 ++--
.github/workflows/labeler.yml | 2 +-
...-containers.yml => sdk-build-lint-push-containers.yml} | 6 +++---
.github/workflows/{codeql.yml => sdk-codeql.yml} | 8 ++++----
.../workflows/{pull-request.yml => sdk-pull-request.yml} | 2 +-
.../workflows/{pypi-release.yml => sdk-pypi-release.yml} | 2 +-
...s_regions.yml => sdk-refresh-aws-services-regions.yml} | 2 +-
.github/workflows/ui-codeql.yml | 2 +-
.github/workflows/{ui-checks.yml => ui-pull-request.yml} | 4 ++--
17 files changed, 29 insertions(+), 29 deletions(-)
delete mode 100644 .github/codeql/codeql-config.yml
create mode 100644 .github/codeql/sdk-codeql-config.yml
rename .github/workflows/{build-lint-push-containers.yml => sdk-build-lint-push-containers.yml} (99%)
rename .github/workflows/{codeql.yml => sdk-codeql.yml} (93%)
rename .github/workflows/{pull-request.yml => sdk-pull-request.yml} (99%)
rename .github/workflows/{pypi-release.yml => sdk-pypi-release.yml} (98%)
rename .github/workflows/{refresh_aws_services_regions.yml => sdk-refresh-aws-services-regions.yml} (98%)
rename .github/workflows/{ui-checks.yml => ui-pull-request.yml} (93%)
diff --git a/.github/codeql/api-codeql-config.yml b/.github/codeql/api-codeql-config.yml
index ac8ca6beb54..9ce26a36512 100644
--- a/.github/codeql/api-codeql-config.yml
+++ b/.github/codeql/api-codeql-config.yml
@@ -1,3 +1,3 @@ -name: "Custom CodeQL Config for API" +name: "API - CodeQL Config" paths: - - 'api/' \ No newline at end of file + - "api/" diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml deleted file mode 100644 index f31f68cba85..00000000000 --- a/.github/codeql/codeql-config.yml +++ /dev/null @@ -1,4 +0,0 @@ -name: "Custom CodeQL Config" -paths-ignore: - - 'api/' - - 'ui/' \ No newline at end of file diff --git a/.github/codeql/sdk-codeql-config.yml b/.github/codeql/sdk-codeql-config.yml new file mode 100644 index 00000000000..7982398f423 --- /dev/null +++ b/.github/codeql/sdk-codeql-config.yml @@ -0,0 +1,4 @@ +name: "SDK - CodeQL Config" +paths-ignore: + - "api/" + - "ui/" diff --git a/.github/codeql/ui-codeql-config.yml b/.github/codeql/ui-codeql-config.yml index 62ebee5617a..fa4f80cae5c 100644 --- a/.github/codeql/ui-codeql-config.yml +++ b/.github/codeql/ui-codeql-config.yml @@ -1,3 +1,3 @@ -name: "Custom CodeQL Config for UI" +name: "UI - CodeQL Config" paths: - "ui/" diff --git a/.github/workflows/api-codeql.yml b/.github/workflows/api-codeql.yml index ed9e0c3fd45..75d12109a60 100644 --- a/.github/workflows/api-codeql.yml +++ b/.github/workflows/api-codeql.yml @@ -9,11 +9,11 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "API - CodeQL" +name: API - CodeQL on: push: - branches: + branches: - "master" - "v3" - "v4.*" @@ -21,7 +21,7 @@ on: paths: - "api/**" pull_request: - branches: + branches: - "master" - "v3" - "v4.*" diff --git a/.github/workflows/api-pull-request.yml b/.github/workflows/api-pull-request.yml index 0c220c38fed..896be36f7ab 100644 --- a/.github/workflows/api-pull-request.yml +++ b/.github/workflows/api-pull-request.yml @@ -1,4 +1,4 @@ -name: "API - Pull Request" +name: API - Pull Request on: push: diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 87dfd5eed6e..6639b526fb9 100644 
--- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -1,4 +1,4 @@ -name: Automatic Backport +name: Prowler - Automatic Backport on: pull_request_target: diff --git a/.github/workflows/build-documentation-on-pr.yml b/.github/workflows/build-documentation-on-pr.yml index a1ed22a0718..7ae58b9c854 100644 --- a/.github/workflows/build-documentation-on-pr.yml +++ b/.github/workflows/build-documentation-on-pr.yml @@ -1,4 +1,4 @@ -name: Pull Request Documentation Link +name: Prowler - Pull Request Documentation Link on: pull_request: diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml index f8d0b8c5f34..c89d9d0fae7 100644 --- a/.github/workflows/find-secrets.yml +++ b/.github/workflows/find-secrets.yml @@ -1,4 +1,4 @@ -name: Find secrets +name: Prowler - Find secrets on: pull_request @@ -16,4 +16,4 @@ jobs: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD - extra_args: --only-verified \ No newline at end of file + extra_args: --only-verified diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index d7162a00584..199b17962db 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,4 +1,4 @@ -name: "Pull Request Labeler" +name: Prowler - PR Labeler on: pull_request_target: diff --git a/.github/workflows/build-lint-push-containers.yml b/.github/workflows/sdk-build-lint-push-containers.yml similarity index 99% rename from .github/workflows/build-lint-push-containers.yml rename to .github/workflows/sdk-build-lint-push-containers.yml index af17eeb1936..b502af0ba48 100644 --- a/.github/workflows/build-lint-push-containers.yml +++ b/.github/workflows/sdk-build-lint-push-containers.yml @@ -1,4 +1,4 @@ -name: Build and Push containers +name: SDK - Build and Push containers on: push: 
@@ -85,8 +85,8 @@ jobs: echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}" ;; - - 4) + + 4) echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}" echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}" ;; diff --git a/.github/workflows/codeql.yml b/.github/workflows/sdk-codeql.yml similarity index 93% rename from .github/workflows/codeql.yml rename to .github/workflows/sdk-codeql.yml index c0e319e07e9..043aeb041b7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/sdk-codeql.yml @@ -9,11 +9,11 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL" +name: SDK - CodeQL on: push: - branches: + branches: - "master" - "v3" - "v4.*" @@ -21,7 +21,7 @@ on: - 'ui/**' - 'api/**' pull_request: - branches: + branches: - "master" - "v3" - "v4.*" @@ -55,7 +55,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - config-file: ./.github/codeql/codeql-config.yml + config-file: ./.github/codeql/sdk-codeql-config.yml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/pull-request.yml b/.github/workflows/sdk-pull-request.yml similarity index 99% rename from .github/workflows/pull-request.yml rename to .github/workflows/sdk-pull-request.yml index 8512f201958..fc49b8311b4 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/sdk-pull-request.yml @@ -1,4 +1,4 @@ -name: "Pull Request" +name: SDK - Pull Request on: push: diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/sdk-pypi-release.yml similarity index 98% rename from .github/workflows/pypi-release.yml rename to .github/workflows/sdk-pypi-release.yml index 2c8ae5e659b..4d9c91d6904 100644 --- a/.github/workflows/pypi-release.yml +++ b/.github/workflows/sdk-pypi-release.yml @@ -1,4 +1,4 @@ -name: PyPI release +name: SDK - PyPI release on: release: 
diff --git a/.github/workflows/refresh_aws_services_regions.yml b/.github/workflows/sdk-refresh-aws-services-regions.yml similarity index 98% rename from .github/workflows/refresh_aws_services_regions.yml rename to .github/workflows/sdk-refresh-aws-services-regions.yml index 548f8d56007..bf7af302e2f 100644 --- a/.github/workflows/refresh_aws_services_regions.yml +++ b/.github/workflows/sdk-refresh-aws-services-regions.yml @@ -1,6 +1,6 @@ # This is a basic workflow to help you get started with Actions -name: Refresh regions of AWS services +name: SDK - Refresh AWS services' regions on: schedule: diff --git a/.github/workflows/ui-codeql.yml b/.github/workflows/ui-codeql.yml index 2765921cf62..30586f43e79 100644 --- a/.github/workflows/ui-codeql.yml +++ b/.github/workflows/ui-codeql.yml @@ -9,7 +9,7 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "UI - CodeQL" +name: UI - CodeQL on: push: diff --git a/.github/workflows/ui-checks.yml b/.github/workflows/ui-pull-request.yml similarity index 93% rename from .github/workflows/ui-checks.yml rename to .github/workflows/ui-pull-request.yml index f0556fc61f8..28e5d32e0aa 100644 --- a/.github/workflows/ui-checks.yml +++ b/.github/workflows/ui-pull-request.yml @@ -1,4 +1,4 @@ -name: "UI - Pull Request" +name: UI - Pull Request on: pull_request: @@ -31,4 +31,4 @@ jobs: run: npm run healthcheck - name: Build the application working-directory: ./ui - run: npm run build \ No newline at end of file + run: npm run build From cdd044d12071c6af38079fe02bb10ec5e89b7d2a Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Mon, 9 Dec 2024 14:15:03 +0100 Subject: [PATCH 5/5] chore(dependabot): Update for UI and v4 (#6062) --- .github/dependabot.yml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7b06e0da7a2..4be019726a4 100644 --- a/.github/dependabot.yml 
+++ b/.github/dependabot.yml @@ -5,6 +5,7 @@ version: 2 updates: + # v5 - package-ecosystem: "pip" directory: "/" schedule: @@ -14,6 +15,7 @@ updates: labels: - "dependencies" - "pip" + - package-ecosystem: "github-actions" directory: "/" schedule: @@ -23,7 +25,41 @@ updates: labels: - "dependencies" - "github_actions" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 + target-branch: master + labels: + - "dependencies" + - "npm" + + # v4.6 + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 + target-branch: v4.6 + labels: + - "dependencies" + - "pip" + - "v4" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 + target-branch: v3 + labels: + - "dependencies" + - "github_actions" + - "v4" + # v3 - package-ecosystem: "pip" directory: "/" schedule: @@ -34,6 +70,7 @@ updates: - "dependencies" - "pip" - "v3" + - package-ecosystem: "github-actions" directory: "/" schedule:
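Review bot: In the new `# v4.6` group, the `github-actions` entry sets `target-branch: v3` while its labels carry `"v4"` and the sibling `pip` entry targets `v4.6`; this reads as a copy-paste slip, and as written Dependabot will open v4-labelled action bumps against the v3 branch. Change that line to `target-branch: v4.6`. The new `npm` entry uses `directory: "/"`, but the other commits in this series run `npm run build` with `working-directory: ./ui`, so the `package.json` Dependabot needs is presumably under `ui/`; confirm and set `directory: "/ui"` if so, otherwise the npm entry will never produce an update.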