Skip to content

feat(okta): add authenticator STIG checks#11465

Merged
danibarranqueroo merged 14 commits into
masterfrom
PROWLER-1513-okta-stig-authenticator-service-password-policy-and-authenticator-checks-sdk
Jun 9, 2026
Merged

feat(okta): add authenticator STIG checks#11465
danibarranqueroo merged 14 commits into
masterfrom
PROWLER-1513-okta-stig-authenticator-service-password-policy-and-authenticator-checks-sdk

Conversation

@HugoPBrito

@HugoPBrito HugoPBrito commented Jun 4, 2026

Copy link
Copy Markdown
Member

Context

This PR adds Okta Authenticator STIG checks for password policy requirements, Smart Card activation, and Okta Verify FIPS compliance.

Related PR Context

master
 ├── #11463 Network Zone foundation
 │    └── #11464 API Token checks
 └── 📍 #11465 Authenticator checks

This PR is independent from the Network Zone / API Token stack.

Description

  • Adds the Okta authenticator service implementation for password policies and authenticators.
  • Adds password policy checks for lockout, length, complexity, age, history, and common-password validation.
  • Adds Smart Card active and Okta Verify FIPS-compliant device checks.
  • Extends Okta default scopes with okta.authenticators.read.
  • Adds SDK tests for service behavior and PASS/FAIL check behavior.

Changelog entry is pending until the PR number is added to the correct release block.

Steps to review

uv run pytest tests/providers/okta/services/authenticator/ -v
uv run python prowler-cli.py okta --list-checks | grep -E 'authenticator_password_|authenticator_smart_card_active|authenticator_okta_verify_fips_compliant'

Checklist

Community Checklist
  • This feature is tracked internally.
  • It is assigned and in progress.

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Yes, adds okta.authenticators.read.

UI

  • Not applicable.

API

  • Not applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Add authenticator service models and password policy helpers
- Add password policy, Smart Card, and Okta Verify FIPS checks
- Cover authenticator service and checks with SDK tests
@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks not mapped to any compliance framework in this PR

  • authenticator_okta_verify_fips_compliant (okta)
  • authenticator_password_common_password_check (okta)
  • authenticator_password_complexity_lowercase (okta)
  • authenticator_password_complexity_number (okta)
  • authenticator_password_complexity_symbol (okta)
  • authenticator_password_complexity_uppercase (okta)
  • authenticator_password_history_5 (okta)
  • authenticator_password_lockout_threshold_3 (okta)
  • authenticator_password_maximum_age_60d (okta)
  • authenticator_password_minimum_age_24h (okta)
  • authenticator_password_minimum_length_15 (okta)
  • authenticator_smart_card_active (okta)

Please review whether these checks should be added to compliance framework requirements in prowler/compliance/<provider>/. Each compliance JSON has a Checks array inside each requirement — add the check ID there if it satisfies that requirement.

Use the no-compliance-check label to skip this check.

@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

✅ All necessary CHANGELOG.md files have been updated.

@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov Bot commented Jun 4, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 94.71264% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.90%. Comparing base (061fbaa) to head (6dbaeae).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11465      +/-   ##
==========================================
+ Coverage   93.96%   94.90%   +0.93%     
==========================================
  Files         243       62     -181     
  Lines       35653     2592   -33061     
==========================================
- Hits        33503     2460   -31043     
+ Misses       2150      132    -2018     
Flag Coverage Δ
api ?
prowler-py3.10-okta 94.90% <94.71%> (?)
prowler-py3.11-okta 94.90% <94.71%> (?)
prowler-py3.12-okta 94.90% <94.71%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 94.90% <94.98%> (∅)
api ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

🔒 Container Security Scan

Image: prowler:5d742b2
Last scan: 2026-06-09 07:49:21 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 13
Total 13

8 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

📋 Resources:

- Emit MANUAL findings when authenticator scopes are missing
- Parse common-password enforcement from the SDK model correctly
- Paginate password policy retrieval and expand tests
- Format metadata narrative fields with Markdown emphasis

- Preserve check identity, URLs, and implementation logic
- Document the Authenticator OAuth scope in Okta setup

- Align CLI examples with provider default scopes
- Remove single-quote wrapping from password policy labels

- Avoid apostrophes in manual scope guidance
# Conflicts:
#	prowler/CHANGELOG.md
@HugoPBrito HugoPBrito marked this pull request as ready for review June 8, 2026 12:52
@HugoPBrito HugoPBrito requested a review from a team as a code owner June 8, 2026 12:52
HugoPBrito and others added 6 commits June 8, 2026 15:04
# Conflicts:
#	docs/user-guide/providers/okta/authentication.mdx
#	docs/user-guide/providers/okta/getting-started-okta.mdx
#	prowler/providers/okta/okta_provider.py
#	tests/providers/okta/okta_fixtures.py
…ce-password-policy-and-authenticator-checks-sdk

@danibarranqueroo danibarranqueroo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@danibarranqueroo danibarranqueroo merged commit 62955dd into master Jun 9, 2026
30 checks passed
@danibarranqueroo danibarranqueroo deleted the PROWLER-1513-okta-stig-authenticator-service-password-policy-and-authenticator-checks-sdk branch June 9, 2026 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants