fix(threat detection): run single threat detection check (#7065)

MrCloudSec · web-flow · commit 9e7a0d41750f · 2025-02-28T13:51:07.000+01:00
diff --git a/prowler/lib/check/checks_loader.py b/prowler/lib/check/checks_loader.py
@@ -111,7 +111,7 @@ def load_checks_to_execute(
             ):
                 checks_to_execute.add(check_name)
         # Only execute threat detection checks if threat-detection category is set
-        if not categories or "threat-detection" not in categories:
+        if (not categories or "threat-detection" not in categories) and not check_list:
             for threat_detection_check in check_categories.get("threat-detection", []):
                 checks_to_execute.discard(threat_detection_check)
 
diff --git a/tests/lib/check/check_loader_test.py b/tests/lib/check/check_loader_test.py
@@ -253,12 +253,15 @@ def test_load_checks_to_execute_no_bulk_compliance_frameworks(self):
         bulk_checks_metatada = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
-        with patch(
-            "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
-            return_value=bulk_checks_metatada,
-        ), patch(
-            "prowler.lib.check.checks_loader.Compliance.get_bulk",
-            return_value=bulk_compliance_frameworks,
+        with (
+            patch(
+                "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
+                return_value=bulk_checks_metatada,
+            ),
+            patch(
+                "prowler.lib.check.checks_loader.Compliance.get_bulk",
+                return_value=bulk_compliance_frameworks,
+            ),
         ):
             assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
                 compliance_frameworks=compliance_frameworks,
@@ -302,3 +305,17 @@ def test_discard_threat_detection_checks(self):
             categories=categories,
             provider=self.provider,
         )
+
+    def test_threat_detection_single_check(self):
+        bulk_checks_metatada = {
+            CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME: self.get_threat_detection_check_metadata()
+        }
+        categories = {}
+        check_list = [CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME]
+
+        assert {CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME} == load_checks_to_execute(
+            bulk_checks_metadata=bulk_checks_metatada,
+            check_list=check_list,
+            categories=categories,
+            provider=self.provider,
+        )
