# prowler-sdk-check
## Check Structure
```
prowler/providers/{provider}/services/{service}/{check_name}/
├── __init__.py
├── {check_name}.py
└── {check_name}.metadata.json
```

## Step-by-Step Creation Process
### 1. Prerequisites

- Verify the check does not already exist: search `prowler/providers/{provider}/services/{service}/`
- Ensure the provider and service exist; create them first if they do not
- Confirm the service exposes the methods the check needs; you may need to add or modify service methods to collect the data
### 2. Create Check Files

```bash
mkdir -p prowler/providers/{provider}/services/{service}/{check_name}
touch prowler/providers/{provider}/services/{service}/{check_name}/__init__.py
touch prowler/providers/{provider}/services/{service}/{check_name}/{check_name}.py
touch prowler/providers/{provider}/services/{service}/{check_name}/{check_name}.metadata.json
```

### 3. Implement Check Logic
```python
from prowler.lib.check.models import Check, Check_Report_{Provider}
from prowler.providers.{provider}.services.{service}.{service}_client import {service}_client


class {check_name}(Check):
    """Ensure that {resource} meets {security_requirement}."""

    def execute(self) -> list[Check_Report_{Provider}]:
        """Execute the check logic.

        Returns:
            A list of reports containing the result of the check.
        """
        findings = []
        # One report per resource returned by the service client
        for resource in {service}_client.{resources}:
            report = Check_Report_{Provider}(metadata=self.metadata(), resource=resource)
            report.status = "PASS" if resource.is_compliant else "FAIL"
            report.status_extended = f"Resource {resource.name} compliance status."
            findings.append(report)
        return findings
```

### 4. Create Metadata File
See the complete schema below and the `assets/` folder for complete templates.
For detailed field documentation, see `references/metadata-docs.md`.

### 5. Verify Check Detection
```bash
poetry run python prowler-cli.py {provider} --list-checks | grep {check_name}
```

### 6. Run Check Locally
```bash
poetry run python prowler-cli.py {provider} --log-level ERROR --verbose --check {check_name}
```

### 7. Create Tests
See the `prowler-test-sdk` skill for test patterns (PASS, FAIL, no resources, error handling).

## Check Naming Convention
```
{service}_{resource}_{security_control}
```

Examples:

- `ec2_instance_public_ip_disabled`
- `s3_bucket_encryption_enabled`
- `iam_user_mfa_enabled`
## Metadata Schema (COMPLETE)
```json
{
  "Provider": "aws",
  "CheckID": "{check_name}",
  "CheckTitle": "Human-readable title",
  "CheckType": [
    "Software and Configuration Checks/AWS Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
  ],
  "ServiceName": "{service}",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
  "Severity": "low|medium|high|critical",
  "ResourceType": "AwsEc2Instance|Other",
  "ResourceGroup": "security|compute|storage|network",
  "Description": "**Bold resource name**. Detailed explanation of what this check evaluates and why it matters.",
  "Risk": "What happens if non-compliant. Explain attack vectors, data exposure risks, compliance impact.",
  "RelatedUrl": "",
  "AdditionalURLs": [
    "https://docs.aws.amazon.com/..."
  ],
  "Remediation": {
    "Code": {
      "CLI": "aws {service} {command} --option value",
      "NativeIaC": "```yaml\nResources:\n  Resource:\n    Type: AWS::{Service}::{Resource}\n    Properties:\n      Key: value # This line fixes the issue\n```",
      "Other": "1. Console steps\n2. Step by step",
      "Terraform": "```hcl\nresource \"aws_{service}_{resource}\" \"example\" {\n  key = \"value\" # This line fixes the issue\n}\n```"
    },
    "Recommendation": {
      "Text": "Detailed recommendation for remediation.",
      "Url": "https://hub.prowler.com/check/{check_name}"
    }
  },
  "Categories": [
    "identity-access",
    "encryption",
    "logging",
    "forensics-ready",
    "internet-exposed",
    "trust-boundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
}
```

## Required Fields
| Field | Description |
|---|---|
| `Provider` | Provider name: aws, azure, gcp, kubernetes, github, m365 |
| `CheckID` | Must match class name and folder name |
| `CheckTitle` | Human-readable title |
| `ServiceName` | Service being checked |
| `Description` | What the check evaluates |
| `Risk` | Security impact of non-compliance |
| `Remediation.Code.CLI` | CLI fix command |
| `Remediation.Recommendation.Text` | How to fix |
## Severity Guidelines

| Severity | When to Use |
|---|---|
| `critical` | Direct data exposure, RCE, privilege escalation |
| `high` | Significant security risk, compliance violation |
| `medium` | Defense-in-depth, best practice |
| `low` | Informational, minor hardening |
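As an added example (not part of this skill or of the Prowler project), a lint routine that enforces the check structure, the `{service}_{resource}_{security_control}` naming convention, the required metadata fields and the allowed Severity and Categories values described above. The function names and the dotted `Remediation.Code.CLI` / `Remediation.Recommendation.Text` paths are my own choices; the allowed values are copied from the schema and tables on this page.

```python
import json
import re
from pathlib import Path

# Allowed values and required fields, taken from this page's schema and tables.
REQUIRED = ("Provider", "CheckID", "CheckTitle", "ServiceName", "Description", "Risk")
PROVIDERS = {"aws", "azure", "gcp", "kubernetes", "github", "m365"}
SEVERITIES = {"low", "medium", "high", "critical"}
CATEGORIES = {"identity-access", "encryption", "logging", "forensics-ready", "internet-exposed", "trust-boundaries"}
# {service}_{resource}_{security_control}: at least three snake_case parts.
NAME_RE = re.compile(r"^[a-z0-9]+(_[a-z0-9]+){2,}$")


def lint_check(name: str, files: set[str], py_source: str, meta: dict) -> list[str]:
    """Return the problems for one check: folder name, file names present, {name}.py source, parsed metadata."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"{name!r} is not {{service}}_{{resource}}_{{security_control}}")
    for fname in ("__init__.py", f"{name}.py", f"{name}.metadata.json"):
        if fname not in files:
            problems.append(f"missing file {fname}")
    if f"class {name}(Check)" not in py_source:
        problems.append(f"{name}.py does not define class {name}(Check)")
    for field in REQUIRED:
        if not meta.get(field):
            problems.append(f"required field {field} is missing or empty")
    if meta.get("Provider") not in PROVIDERS:
        problems.append(f"unknown Provider {meta.get('Provider')!r}")
    if meta.get("CheckID") != name:
        problems.append("CheckID must match the class name and folder name")
    service = meta.get("ServiceName", "")
    if service and not name.startswith(service + "_"):
        problems.append(f"CheckID should start with ServiceName {service!r}")
    if meta.get("Severity") not in SEVERITIES:
        problems.append(f"Severity must be one of {sorted(SEVERITIES)}")
    if unknown := set(meta.get("Categories", [])) - CATEGORIES:
        problems.append(f"unknown Categories: {sorted(unknown)}")
    remediation = meta.get("Remediation", {})
    if not remediation.get("Code", {}).get("CLI") or not remediation.get("Recommendation", {}).get("Text"):
        problems.append("Remediation needs Code.CLI and Recommendation.Text")
    return problems


def lint_check_dir(check_dir: Path) -> list[str]:
    """Run lint_check against a real check folder on disk (e.g. a path under prowler/providers/)."""
    name = check_dir.name
    files = {p.name for p in check_dir.iterdir()} if check_dir.is_dir() else set()
    py, meta_path = check_dir / f"{name}.py", check_dir / f"{name}.metadata.json"
    py_source = py.read_text() if py.is_file() else ""
    meta = json.loads(meta_path.read_text()) if meta_path.is_file() else {}
    return lint_check(name, files, py_source, meta)
```

Running `lint_check_dir` over every check folder in a pre-commit hook catches a CheckID that drifted from the folder name or an unknown Severity before the check is shipped.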
## Check Report Statuses

| Status | When to Use |
|---|---|
| `PASS` | Resource is compliant |
| `FAIL` | Resource is non-compliant |
| `MANUAL` | Requires human verification |
## Common Patterns

### AWS Check with Regional Resources
```python
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.s3.s3_client import s3_client


class s3_bucket_encryption_enabled(Check):
    def execute(self) -> list[Check_Report_AWS]:
        findings = []
        # s3_client.buckets is keyed by bucket ARN; iterate over the bucket objects
        for bucket in s3_client.buckets.values():
            report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
            if bucket.encryption:
                report.status = "PASS"
                report.status_extended = f"S3 bucket {bucket.name} has encryption enabled."
            else:
                report.status = "FAIL"
                report.status_extended = f"S3 bucket {bucket.name} does not have encryption enabled."
            findings.append(report)
        return findings
```

### Check with Multiple Conditions
```python
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.ec2.ec2_client import ec2_client


class ec2_instance_hardened(Check):
    def execute(self) -> list[Check_Report_AWS]:
        findings = []
        for instance in ec2_client.instances:
            report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
            # Collect every failing condition so status_extended names all of them
            issues = []
            if instance.public_ip:
                issues.append("has public IP")
            if instance.metadata_options.http_tokens != "required":
                issues.append("IMDSv2 not enforced")
            if issues:
                report.status = "FAIL"
                report.status_extended = f"Instance {instance.id} {', '.join(issues)}."
            else:
                report.status = "PASS"
                report.status_extended = f"Instance {instance.id} is properly hardened."
            findings.append(report)
        return findings
```

## Commands
```bash
# Verify detection
poetry run python prowler-cli.py {provider} --list-checks | grep {check_name}

# Run check
poetry run python prowler-cli.py {provider} --log-level ERROR --verbose --check {check_name}

# Run with specific profile/credentials
poetry run python prowler-cli.py aws --profile myprofile --check {check_name}

# Run multiple checks
poetry run python prowler-cli.py {provider} --check {check1} {check2} {check3}
```

## Resources
- Templates: See `assets/` for complete check and metadata templates (AWS, Azure, GCP)
- Documentation: See `references/metadata-docs.md` for official Prowler Developer Guide links