make DetectSecrets detectors configurable

[kagahd]

New feature motivation

Instead to have all the detectors hard coded in utils.py, they could/should be in config.yaml. This would make it easier to deactivate detectors aka plugins.

Solution Proposed

For example, the KeywordDetector finds a lot of false-positives because even if the keyword is suspicious (e.g. DB_PASSWORD) the value may be harmless (e.g. the ARN to the secret in AWS secrets manager). Even worse, the user could only mitigate the "potential risk" by renaming the keyword, not its value, to make the check pass.
However, I wouldn't wipe the KeywordDetector one for all because it can be used for manual audits. Thus, making the used detectors configurable would be a good solution.

Describe alternatives you've considered

None so far

Additional context

No response

[pedrooot]

Hey! @kagahd

Thanks for your feature request! I'll discuss this with the team and I'll be back with a solution.

[pedrooot]

@kagahd on this PR you can see the solution!

[kagahd]

Hi @pedrooot thanks for the quick implementation! Looks good to me! 👍

[kagahd]

Btw. I opened a PR on Yelp/DetectSecrets to add a new detector for Aiven tokens. However, I doubt that it will be merged soon considering all the open, unmerged other PR's for new detectors.
Do you mind integrating the AivenTokenDetector into Prowler? It's just copying detect_secrets/plugins/aiven_token.py to the site-packages folder. That would save me patching the Prowler image.

[jfagoagas]

Hello @kagahd we are trying to push the detect-secrets team to increase the release frequency since we sent 2 PRs to improve things that are merged but not released yet. I recommend you doing the same since we don't have bandwidth to have like a fork and maintain it.

We are exploring several options since we can't be blocked by having a dependency without an active maintenance.