chore(merge): Merge master with Prowler 4.0 (prowler-cloud#3467)

Co-authored-by: Sergio Garcia <[email protected]>
CloudGeometry · Feb 29, 2024 · f0c027f · f0c027f
1 parent b0f2f34
commit f0c027f
Show file tree

Hide file tree

Showing 932 changed files with 38,774 additions and 20,001 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,3 +13,8 @@ updates:
     labels:
       - "dependencies"
       - "pip"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: master
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,27 @@
+documentation:
+  - changed-files:
+      - any-glob-to-any-file: "docs/**"
+
+provider/aws:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/**"
+      - any-glob-to-any-file: "tests/providers/aws/**"
+
+provider/azure:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/azure/**"
+      - any-glob-to-any-file: "tests/providers/azure/**"
+
+provider/gcp:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/gcp/**"
+      - any-glob-to-any-file: "tests/providers/gcp/**"
+
+provider/kubernetes:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/**"
+
+github_actions:
+  - changed-files:
+      - any-glob-to-any-file: ".github/workflows/*"
diff --git a/.github/workflows/build-documentation-on-pr.yml b/.github/workflows/build-documentation-on-pr.yml
@@ -0,0 +1,24 @@
+name: Pull Request Documentation Link
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'prowler-4.0-dev'
+    paths:
+      - 'docs/**'
+
+env:
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+  documentation-link:
+    name: Documentation Link
+    runs-on: ubuntu-latest
+    steps:
+      - name: Leave PR comment with the SaaS Documentation URI
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          body: |
+            You can check the documentation for this PR here -> [SaaS Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)
diff --git a/.github/workflows/build-lint-push-containers.yml b/.github/workflows/build-lint-push-containers.yml
@@ -32,11 +32,11 @@ jobs:
       POETRY_VIRTUALENVS_CREATE: "false"
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup python (release)
         if: github.event_name == 'release'
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -52,13 +52,13 @@ jobs:
           poetry version ${{ github.event.release.tag_name }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -67,11 +67,11 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push container image (latest)
         if: github.event_name == 'push'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: |
@@ -83,7 +83,7 @@ jobs:
 
       - name: Build and push container image (release)
         if: github.event_name == 'release'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           # Use local context to get changes
           # https://github.com/docker/build-push-action#path-context

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,6 +52,6 @@ jobs:
         # queries: security-extended,security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml
@@ -7,11 +7,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.4.4
+        uses: trufflesecurity/trufflehog@v3.68.2
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -0,0 +1,16 @@
+name: "Pull Request Labeler"
+
+on:
+    pull_request_target:
+      branches:
+        - "master"
+        - "prowler-4.0-dev"
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v5
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -14,28 +14,29 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v39
+        uses: tj-actions/changed-files@v42
         with:
           files: ./**
           files_ignore: |
             .github/**
             README.md
             docs/**
             permissions/**
+            mkdocs.yml
       - name: Install poetry
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           python -m pip install --upgrade pip
           pipx install poetry
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -87,6 +88,6 @@ jobs:
           poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
       - name: Upload coverage reports to Codecov
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -16,15 +16,15 @@ jobs:
     name: Release Prowler to PyPI
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ env.GITHUB_BRANCH }}
       - name: Install dependencies
         run: |
           pipx install poetry
           pipx inject poetry poetry-bumpversion
       - name: setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9
           cache: 'poetry'
@@ -44,7 +44,7 @@ jobs:
           poetry publish
       # Create pull request with new version
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
           commit-message: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}."

diff --git a/.github/workflows/refresh_aws_services_regions.yml b/.github/workflows/refresh_aws_services_regions.yml
@@ -23,12 +23,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ env.GITHUB_BRANCH }}
 
       - name: setup python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9 #install the python needed
 
@@ -38,7 +38,7 @@ jobs:
           pip install boto3
 
       - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: ${{ env.AWS_REGION_DEV }}
           role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -50,12 +50,12 @@ jobs:
 
       # Create pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
           commit-message: "feat(regions_update): Update regions for AWS services."
           branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low"
+          labels: "status/waiting-for-revision, severity/low, provider/aws"
           title: "chore(regions_update): Changes in regions for AWS services."
           body: |
             ### Description

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 repos:
   ## GENERAL
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
@@ -15,7 +15,7 @@ repos:
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.10.0
+    rev: v2.12.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
@@ -28,7 +28,7 @@ repos:
       - id: shellcheck
   ## PYTHON
   - repo: https://github.com/myint/autoflake
-    rev: v2.2.0
+    rev: v2.2.1
     hooks:
       - id: autoflake
         args:
@@ -39,25 +39,25 @@ repos:
           ]
 
   - repo: https://github.com/timothycrosley/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 24.1.1
     hooks:
       - id: black
 
   - repo: https://github.com/pycqa/flake8
-    rev: 6.1.0
+    rev: 7.0.0
     hooks:
       - id: flake8
         exclude: contrib
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.6.0 # add version here
+    rev: 1.7.0
     hooks:
       - id: poetry-check
       - id: poetry-lock
@@ -80,18 +80,12 @@ repos:
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        # entry: bash -c 'trufflehog git file://. --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
-        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
         stages: ["commit", "push"]
 
-      - id: pytest-check
-        name: pytest-check
-        entry: bash -c 'pytest tests -n auto'
-        language: system
-        files: '.*\.py'
-
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"

diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -8,16 +8,18 @@ version: 2
 build:
   os: "ubuntu-22.04"
   tools:
-    python: "3.9"
+    python: "3.11"
   jobs:
     post_create_environment:
       # Install poetry
       # https://python-poetry.org/docs/#installing-manually
-      - pip install poetry
-      # Tell poetry to not use a virtual environment
-      - poetry config virtualenvs.create false
+      - python -m pip install poetry
     post_install:
-      - poetry install -E docs
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
+      # VIRTUAL_ENV needs to be set manually for now.
+      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs
 
 mkdocs:
   configuration: mkdocs.yml
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at community@prowler.cloud. All
+reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.