
MuteList not working when specifying resources using ResourceUid from report #6736

Status: Open
KieranP opened this issue Jan 29, 2025 · 2 comments
Assignees
Labels
status/awaiting-reponse Waiting response from Issue owner

Comments

@KieranP

KieranP commented Jan 29, 2025

Steps to Reproduce

I use a third-party service for scanning S3 files for viruses (bucketav). I want to mute all warnings related to it.

Using the CLI, when I generate the report and open in the dashboard, I get failures that include a ResourceUid and FindingUid value:

ResourceUid: arn:aws:iam::REDACTED:role/bucketav-quarantine-LambdaRole-REDACTED
FindingUid: prowler-aws-iam_role_cross_service_confused_deputy_prevention-REDACTED-us-east-1-bucketav-quarantine-LambdaRole-REDACTED

I want to disable all checks for this resource, so I created a mute list like this using the ResourceUid in the resources list:

Mutelist:
  Accounts:
    "*":
      Checks:
        "*":
          Regions:
            - "*"
          Resources:
            - "arn:aws:iam::REDACTED:role/bucketav-*"
            - "arn:aws:lambda:us-east-1:REDACTED:function:bucketav-*"

But this doesn't work. The failures are still showing up in the report.

I know the mute list is being loaded OK because I can get some other checks where Resources is "*" to be muted just fine.

I thought it might be the wildcard, but using the full ResourceUid doesn't work either.

I tried using the FindingUid, but this doesn't appear to be supported.

Shouldn't the mute list be able to take ResourceUids in the resources list?

Expected behavior

Using ResourceUid from reports in the MuteList should work

Actual Result with Screenshots or Logs

Reports continue to include the resources

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

See above

OS used

MacOS

Prowler version

Prowler 5.2.0 (latest is 5.2.1, upgrade for the latest features)

Pip version

NA

Context

No response

@KieranP KieranP added bug status/needs-triage Issue pending triage labels Jan 29, 2025
@pedrooot (Member) commented

Hey @KieranP! The problem here is that the Prowler Mutelist won't delete this finding from the output; it will set the Muted field to true.
You can have a look at the Prowler Mutelist docs here: https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/mutelist/
Also, remember that the mutelist uses AND logic for resource names, and you can use regex to filter these values.

Tell me if you need something else! Thanks!

@pedrooot pedrooot self-assigned this Jan 30, 2025
@pedrooot pedrooot added status/awaiting-reponse Waiting response from Issue owner and removed bug status/needs-triage Issue pending triage labels Jan 30, 2025
@KieranP (Author)

KieranP commented Jan 30, 2025

@pedrooot Sorry, I should have been clearer. On the dashboard, these resources are still showing up as "Fail", not "Fail (Muted)", which I'm guessing means the Muted field is false in the output data.

I've tried various combinations of resource names, the only one that worked was *bucketav*. Anything more detailed than that seems to refuse to match against the ResourceUid of the finding.
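The maintainer's comment above says mutelist resource values are regular expressions combined with AND logic, and the author's follow-up reports that only `*bucketav*` matched while the ARN-shaped patterns did not. The script below is an added, stand-alone illustration of that matching model, not Prowler's own code: it assumes each mutelist value is treated as a regex applied with search semantics (an unescaped leading `*` is read as `.*`, since a bare `*` is not a valid regex), evaluates the issue's YAML structure against constructed findings, and reports which patterns hit. The useful diagnostic it shows is to run your patterns against the exact string the finding carries in its resource field; a pattern anchored on `arn:aws:iam::...` can only match if that field really holds the ARN, whereas `*bucketav*` matches either the ARN or a bare role name. Whether Prowler's real implementation fills that field with the ARN or the name is not stated on this page, so the bare-name finding below is a constructed scenario, not a claim about Prowler.

```python
import re
from typing import Dict, List, Tuple

# Constructed mutelist mirroring the YAML structure from the issue.
MUTELIST: Dict = {
    "Accounts": {
        "*": {
            "Checks": {
                "*": {
                    "Regions": ["*"],
                    "Resources": [
                        "arn:aws:iam::REDACTED:role/bucketav-*",
                        "arn:aws:lambda:us-east-1:REDACTED:function:bucketav-*",
                    ],
                }
            }
        }
    }
}

# Constructed findings. The first carries the ARN exactly as shown in the issue;
# the second is a hypothetical finding whose resource field holds only the role
# name, used to show how the same patterns behave against a different string.
FINDINGS: List[Dict[str, str]] = [
    {
        "account": "REDACTED",
        "check_id": "iam_role_cross_service_confused_deputy_prevention",
        "region": "us-east-1",
        "resource": "arn:aws:iam::REDACTED:role/bucketav-quarantine-LambdaRole-REDACTED",
    },
    {
        "account": "REDACTED",
        "check_id": "iam_role_cross_service_confused_deputy_prevention",
        "region": "us-east-1",
        "resource": "bucketav-quarantine-LambdaRole-REDACTED",
    },
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumed interpretation of a mutelist value: a regex used with search
    semantics. A leading bare '*' is not valid regex, so it is read as '.*'.
    Note that 'bucketav-*' means 'bucketav' followed by zero or more hyphens;
    with search semantics it still matches anywhere in the string."""
    if pattern.startswith("*"):
        pattern = ".*" + pattern[1:]
    return re.compile(pattern)


def matching_patterns(patterns: List[str], value: str) -> List[str]:
    """Diagnostic helper: return every pattern that matches the given value."""
    return [p for p in patterns if pattern_to_regex(p).search(value)]


def is_muted(mutelist: Dict, account: str, check_id: str, region: str, resource: str) -> bool:
    """AND logic: account, check, region and resource must all match one rule."""
    for account_pattern, account_entry in mutelist["Accounts"].items():
        if not matching_patterns([account_pattern], account):
            continue
        for check_pattern, rule in account_entry["Checks"].items():
            if not matching_patterns([check_pattern], check_id):
                continue
            if matching_patterns(rule["Regions"], region) and matching_patterns(
                rule["Resources"], resource
            ):
                return True
    return False


def evaluate(mutelist: Dict, findings: List[Dict[str, str]]) -> List[Tuple[str, bool]]:
    """Return (resource, muted) for each finding, mirroring a Muted field."""
    return [
        (f["resource"], is_muted(mutelist, f["account"], f["check_id"], f["region"], f["resource"]))
        for f in findings
    ]


if __name__ == "__main__":
    for resource, muted in evaluate(MUTELIST, FINDINGS):
        status = "FAIL (Muted)" if muted else "FAIL"
        hits = matching_patterns(MUTELIST["Accounts"]["*"]["Checks"]["*"]["Resources"], resource)
        print(f"{status:13} {resource}  matched by: {hits or 'nothing'}")
    # The broad pattern from the author's follow-up matches both resource strings.
    print("'*bucketav*' hits:", [r for r, _ in evaluate(MUTELIST, FINDINGS)
                                  if matching_patterns(["*bucketav*"], r)])
```

Running it prints one muted and one unmuted line: the ARN-shaped finding is matched by the IAM pattern, the bare-name finding by nothing, and `*bucketav*` by both. If a real report shows a resource you expected to be muted still failing, printing the finding's resource field and feeding it to `matching_patterns` with your configured values is the quickest way to see which side of the regex is wrong.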
