Confronted with a lack of budget for proper security tooling, I decided to just create my own. We occasionally ran Prowler manually, and the results were mostly ignored. There was no ownership tracking, no history, no breakdown by account or team, and no good way to correlate findings over time.
Basically the standard “we technically do security scans” setup.
So I built something myself.
The application itself is honestly not that interesting. It’s mostly a CRUD app written in Go and HTMX, and it handles the usual things:
- Launch and schedule scans
- Store and display findings
- Track ownership
- Send Slack notifications
- Group findings by team/account/repository
- Show some basic graphs
The interesting part was the security model around the scanners themselves, because the more I worked on it, the more I realized something uncomfortable: the scanners were among the highest-risk components in the entire environment.
Think about what these tools normally get:
- Unrestricted read access to AWS accounts
- Unrestricted read access to repositories
- Full internet access
- CI/CD integration
- Permissions to pull arbitrary images and dependencies
That is an absurd amount of trust.