Merge branch 'master' into PRWLR-5766-ensure-third-party-integrated-a…

…pplications-are-not-allowed
prowler-cloud · Feb 5, 2025 · 7f380d6 · 7f380d6
2 parents 96bd4e3 + 567c729
commit 7f380d6
Show file tree

Hide file tree

Showing 2,099 changed files with 130,912 additions and 12,781 deletions.
diff --git a/.env b/.env
@@ -0,0 +1,94 @@
+#### Important Note ####
+# This file is used to store environment variables for the Prowler App.
+# For production, it is recommended to use a secure method to store these variables and change the default secret keys.
+
+#### Prowler UI Configuration ####
+PROWLER_UI_VERSION="latest"
+SITE_URL=http://localhost:3000
+API_BASE_URL=http://prowler-api:8080/api/v1
+NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
+AUTH_TRUST_HOST=true
+UI_PORT=3000
+# openssl rand -base64 32
+AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
+
+#### Prowler API Configuration ####
+PROWLER_API_VERSION="stable"
+# PostgreSQL settings
+# If running Django and celery on host, use 'localhost', else use 'postgres-db'
+POSTGRES_HOST=postgres-db
+POSTGRES_PORT=5432
+POSTGRES_ADMIN_USER=prowler_admin
+POSTGRES_ADMIN_PASSWORD=postgres
+POSTGRES_USER=prowler
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=prowler_db
+
+# Valkey settings
+# If running Valkey and celery on host, use localhost, else use 'valkey'
+VALKEY_HOST=valkey
+VALKEY_PORT=6379
+VALKEY_DB=0
+
+# Django settings
+DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,prowler-api
+DJANGO_BIND_ADDRESS=0.0.0.0
+DJANGO_PORT=8080
+DJANGO_DEBUG=False
+DJANGO_SETTINGS_MODULE=config.django.production
+# Select one of [ndjson|human_readable]
+DJANGO_LOGGING_FORMATTER=human_readable
+# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
+# Applies to both Django and Celery Workers
+DJANGO_LOGGING_LEVEL=INFO
+# Defaults to the maximum available based on CPU cores if not set.
+DJANGO_WORKERS=4
+# Token lifetime is in minutes
+DJANGO_ACCESS_TOKEN_LIFETIME=30
+# Token lifetime is in minutes
+DJANGO_REFRESH_TOKEN_LIFETIME=1440
+DJANGO_CACHE_MAX_AGE=3600
+DJANGO_STALE_WHILE_REVALIDATE=60
+DJANGO_MANAGE_DB_PARTITIONS=True
+# openssl genrsa -out private.pem 2048
+DJANGO_TOKEN_SIGNING_KEY="-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDs4e+kt7SnUJek
+6V5r9zMGzXCoU5qnChfPiqu+BgANyawz+MyVZPs6RCRfeo6tlCknPQtOziyXYM2I
+7X+qckmuzsjqp8+u+o1mw3VvUuJew5k2SQLPYwsiTzuFNVJEOgRo3hywGiGwS2iv
+/5nh2QAl7fq2qLqZEXQa5+/xJlQggS1CYxOJgggvLyra50QZlBvPve/AxKJ/EV/Q
+irWTZU5lLNI8sH2iZR05vQeBsxZ0dCnGMT+vGl+cGkqrvzQzKsYbDmabMcfTYhYi
+78fpv6A4uharJFHayypYBjE39PwhMyyeycrNXlpm1jpq+03HgmDuDMHydk1tNwuT
+nEC7m7iNAgMBAAECggEAA2m48nJcJbn9SVi8bclMwKkWmbJErOnyEGEy2sTK3Of+
+NWx9BB0FmqAPNxn0ss8K7cANKOhDD7ZLF9E2MO4/HgfoMKtUzHRbM7MWvtEepldi
+nnvcUMEgULD8Dk4HnqiIVjt3BdmGiTv46OpBnRWrkSBV56pUL+7msZmMZTjUZvh2
+ZWv0+I3gtDIjo2Zo/FiwDV7CfwRjJarRpYUj/0YyuSA4FuOUYl41WAX1I301FKMH
+xo3jiAYi1s7IneJ16OtPpOA34Wg5F6ebm/UO0uNe+iD4kCXKaZmxYQPh5tfB0Qa3
+qj1T7GNpFNyvtG7VVdauhkb8iu8X/wl6PCwbg0RCKQKBgQD9HfpnpH0lDlHMRw9K
+X7Vby/1fSYy1BQtlXFEIPTN/btJ/asGxLmAVwJ2HAPXWlrfSjVAH7CtVmzN7v8oj
+HeIHfeSgoWEu1syvnv2AMaYSo03UjFFlfc/GUxF7DUScRIhcJUPCP8jkAROz9nFv
+DByNjUL17Q9r43DmDiRsy0IFqQKBgQDvlJ9Uhl+Sp7gRgKYwa/IG0+I4AduAM+Gz
+Dxbm52QrMGMTjaJFLmLHBUZ/ot+pge7tZZGws8YR8ufpyMJbMqPjxhIvRRa/p1Tf
+E3TQPW93FMsHUvxAgY3MV5MzXFPhlNAKb+akP/RcXUhetGAuZKLubtDCWa55ZQuL
+wj2OS+niRQKBgE7K8zUqNi6/22S8xhy/2GPgB1qPObbsABUofK0U6CAGLo6te+gc
+6Jo84IyzFtQbDNQFW2Fr+j1m18rw9AqkdcUhQndiZS9AfG07D+zFB86LeWHt4DS4
+ymIRX8Kvaak/iDcu/n3Mf0vCrhB6aetImObTj4GgrwlFvtJOmrYnO8EpAoGAIXXP
+Xt25gWD9OyyNiVu6HKwA/zN7NYeJcRmdaDhO7B1A6R0x2Zml4AfjlbXoqOLlvLAf
+zd79vcoAC82nH1eOPiSOq51plPDI0LMF8IN0CtyTkn1Lj7LIXA6rF1RAvtOqzppc
+SvpHpZK9pcRpXnFdtBE0BMDDtl6fYzCIqlP94UUCgYEAnhXbAQMF7LQifEm34Dx8
+BizRMOKcqJGPvbO2+Iyt50O5X6onU2ITzSV1QHtOvAazu+B1aG9pEuBFDQ+ASxEu
+L9ruJElkOkb/o45TSF6KCsHd55ReTZ8AqnRjf5R+lyzPqTZCXXb8KTcRvWT4zQa3
+VxyT2PnaSqEcexWUy4+UXoQ=
+-----END PRIVATE KEY-----"
+# openssl rsa -in private.pem -pubout -out public.pem
+DJANGO_TOKEN_VERIFYING_KEY="-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7OHvpLe0p1CXpOlea/cz
+Bs1wqFOapwoXz4qrvgYADcmsM/jMlWT7OkQkX3qOrZQpJz0LTs4sl2DNiO1/qnJJ
+rs7I6qfPrvqNZsN1b1LiXsOZNkkCz2MLIk87hTVSRDoEaN4csBohsEtor/+Z4dkA
+Je36tqi6mRF0Gufv8SZUIIEtQmMTiYIILy8q2udEGZQbz73vwMSifxFf0Iq1k2VO
+ZSzSPLB9omUdOb0HgbMWdHQpxjE/rxpfnBpKq780MyrGGw5mmzHH02IWIu/H6b+g
+OLoWqyRR2ssqWAYxN/T8ITMsnsnKzV5aZtY6avtNx4Jg7gzB8nZNbTcLk5xAu5u4
+jQIDAQAB
+-----END PUBLIC KEY-----"
+# openssl rand -base64 32
+DJANGO_SECRETS_ENCRYPTION_KEY="oE/ltOhp/n1TdbHjVmzcjDPLcLA41CVI/4Rk+UB5ESc="
+DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,5 +1,6 @@
-* @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
-
-# To protect a repository fully against unauthorized changes, you also need to define an owner for the CODEOWNERS file itself.
-# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
+/* @prowler-cloud/sdk
 /.github/ @prowler-cloud/sdk
+prowler @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+tests @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+api @prowler-cloud/api
+ui @prowler-cloud/ui
diff --git a/.github/codeql/api-codeql-config.yml b/.github/codeql/api-codeql-config.yml
@@ -0,0 +1,3 @@
+name: "API - CodeQL Config"
+paths:
+  - "api/"
diff --git a/.github/codeql/sdk-codeql-config.yml b/.github/codeql/sdk-codeql-config.yml
@@ -0,0 +1,4 @@
+name: "SDK - CodeQL Config"
+paths-ignore:
+  - "api/"
+  - "ui/"
diff --git a/.github/codeql/ui-codeql-config.yml b/.github/codeql/ui-codeql-config.yml
@@ -0,0 +1,3 @@
+name: "UI - CodeQL Config"
+paths:
+  - "ui/"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,7 @@
 
 version: 2
 updates:
+  # v5
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
@@ -14,6 +15,18 @@ updates:
     labels:
       - "dependencies"
       - "pip"
+
+  - package-ecosystem: "pip"
+    directory: "/api"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pip"
+      - "component/api"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -24,20 +37,77 @@ updates:
       - "dependencies"
       - "github_actions"
 
+  - package-ecosystem: "npm"
+    directory: "/ui"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "npm"
+      - "component/ui"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # v4.6
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v4"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v4"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "docker"
+      - "v4"
+
+  # v3
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
     open-pull-requests-limit: 10
     target-branch: v3
     labels:
       - "dependencies"
       - "pip"
       - "v3"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
     open-pull-requests-limit: 10
     target-branch: v3
     labels:

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -22,6 +22,11 @@ provider/kubernetes:
       - any-glob-to-any-file: "prowler/providers/kubernetes/**"
       - any-glob-to-any-file: "tests/providers/kubernetes/**"
 
+provider/github:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/github/**"
+      - any-glob-to-any-file: "tests/providers/github/**"
+
 github_actions:
   - changed-files:
       - any-glob-to-any-file: ".github/workflows/*"
@@ -79,3 +84,11 @@ output/csv:
   - changed-files:
       - any-glob-to-any-file: "prowler/lib/outputs/csv/**"
       - any-glob-to-any-file: "tests/lib/outputs/csv/**"
+
+component/api:
+  - changed-files:
+      - any-glob-to-any-file: "api/**"
+
+component/ui:
+  - changed-files:
+      - any-glob-to-any-file: "ui/**"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -15,6 +15,7 @@ Please include a summary of the change and which issue is fixed. List any depend
 - [ ] Review if the code is being covered by tests.
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
+- [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
 
 ### License
 

diff --git a/.github/workflows/api-build-lint-push-containers.yml b/.github/workflows/api-build-lint-push-containers.yml
@@ -0,0 +1,98 @@
+name: API - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "api/**"
+      - ".github/workflows/api-build-lint-push-containers.yml"
+
+  # Uncomment the code below to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "api/**"
+  #     - ".github/workflows/api-build-lint-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+
+  WORKING_DIRECTORY: ./api
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  # Build Prowler OSS container
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/codeql.yml → .github/workflows/api-codeql.yml b/.github/workflows/codeql.yml → .github/workflows/api-codeql.yml
@@ -9,14 +9,21 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: API - CodeQL
 
 on:
   push:
-    branches: [ "master", "v3", "v4.*" ]
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "api/**"
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "master", "v3", "v4.*" ]
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "api/**"
   schedule:
     - cron: '00 12 * * *'
 
@@ -44,12 +51,7 @@ jobs:
       uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
+        config-file: ./.github/codeql/api-codeql-config.yml
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3