Skip to content

[New Check]: Detect secrets in AWS Data Pipeline definitions #11818

Description

@danibarranqueroo

Existing check search

  • I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

AWS

New provider name

No response

Service or product area

datapipeline

Suggested check name

datapipeline_pipeline_no_secrets_in_definition

Context and goal

AWS Data Pipeline definitions with custom scripts / SQL commands commonly embed database credentials in plaintext.

Expected behavior

  • Resource or scope to evaluate: Each Data Pipeline definition.
  • PASS when: No secrets are detected.
  • FAIL when: A secret is detected (report the pipeline/object, not the value).

References

Suggested severity

High

Additional implementation notes

Requires adding a new datapipeline service to Prowler (does not exist yet). Scan the pipeline definition (pipelineObjects/parameter values) with the shared detect-secrets helper. Severity is High by default and becomes Critical if the secret is validated.

Metadata

Metadata

Assignees

Labels

feature-requestNew feature request for Prowler.good first issueIndicates a good issue for first-time contributorsnew-checkprovider/awsIssues/PRs related with the AWS provider

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions