Allow secrets to be output when explicitly asked for using a flag about prowler HOT 3 OPEN

Hi @Fennerr, we've talked internally about this possibility:

1. The detect-secrets library has not the ability to show the detected secrets in plaintext. We could extract it from the source code using the line reported by the library.
2. We think is not a good practice to output the detected secret in the Prowler output.
3. We think is enough to have the secret type and the line number for the auditor because you can pass that information to the code owner to fix the issue in a secret manner.

What do you think?

from prowler.

@jfagoagas that makes sense. I did notice that detect-secrets didnt actually store the the secret as plaintext, and thought about extracting it from the temp file it flagged on. But it could make the output very messy, especially if there are very long lines (such as a block of high entropy base64 encoded data).

What about having an option to store the lambda function's code in a detect-secrets-output folder within the output folder?

The last account I was looking at, the check flagged for ~180 lambda functions. It takes a while cross-referencing prowler to the lambda in the account (and switching regions), and since the code was already downloaded when prowler ran, it would be nice to have an option to preserve the code.

This would be an opt in option.

It could also be part of how secrets scanning is handled in general in the future (with a multiprocessing pool for secrets detection checks - as these checks are often CPU intensive and don't benefit from multithreading pools)

from prowler.

@Fennerr I'm not sure about saving code locally even with an option. I'm still don't get the benefits of having the source code just if it contains some plaintext secrets, but for sure you find value in that so we can discuss about it.

from prowler.