
feat(apigateway): add check for secrets in REST API stage variables#11188

Open
chirag1206 wants to merge 1 commit into prowler-cloud:master from chirag1206:feat/apigateway-no-secrets-in-variables

Conversation

@chirag1206

Adds a new check apigateway_restapi_no_secrets_in_stage_variables that scans API Gateway REST API stage variables for hardcoded secrets such as API keys, passwords, and tokens using the detect-secrets library.

Also extends the Stage model in apigateway_service.py to capture and store stage variables from the AWS API response.

Relates to #3085

Context

API Gateway stage variables are key-value pairs referenced in integration requests and mapping templates. Developers sometimes hardcode credentials directly into these variables instead of using Secrets Manager, leaving them exposed in plaintext in the AWS control plane. This check detects those hardcoded secrets using the same detect-secrets pattern already used across Lambda, CodeBuild, Step Functions, and other services.

Description

  • apigateway_service.py: Added variables: Optional[dict] = {} field to the Stage model and populated it via stage.get("variables", {}) in _get_stages() — 2 line change, no new API calls needed since get_stages already returns variables in its response
  • New check apigateway_restapi_no_secrets_in_stage_variables: iterates all REST API stages, scans the variables dict using detect_secrets_scan with json.dumps, follows the same pattern as awslambda_function_no_secrets_in_variables and the recently merged Step Functions check (feat(stepfunctions): add check for secrets in state machine definition #10570)

Steps to review

  1. prowler/providers/aws/services/apigateway/apigateway_service.py — 2 line change adding variables field to Stage model
  2. prowler/providers/aws/services/apigateway/apigateway_restapi_no_secrets_in_stage_variables/ — new check folder with 3 files (__init__.py, check .py, metadata .json)
  3. tests/providers/aws/services/apigateway/apigateway_restapi_no_secrets_in_stage_variables/ — 4 tests covering: no REST APIs, stage with no variables (PASS), stage with safe variables (PASS), stage with hardcoded AWS key AKIAIOSFODNN7EXAMPLE (FAIL)
  4. Run pytest tests/providers/aws/services/apigateway/ -v to verify — 43 passed, 0 failed

Checklist

Community Checklist

SDK/CLI

  • Are there new checks included in this PR? Yes
    • No permission changes needed — apigateway:GetStages is already invoked by the existing service. Stage variables are returned in the same API response, so no additional IAM permissions are required.

UI

  • All issue/task requirements work as expected on the UI — Not applicable, this is a CLI/SDK check only
  • If this PR adds or updates npm dependencies, include package-health evidence — Not applicable
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px) — Not applicable
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px > X < 1024px) — Not applicable
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px) — Not applicable
  • Ensure new entries are added to CHANGELOG.md, if applicable. — Not applicable

API

  • All issue/task requirements work as expected on the API — Not applicable
  • Endpoint response output (if applicable) — Not applicable
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) — Not applicable
  • Performance test results (if applicable) — Not applicable
  • Any other relevant evidence of the implementation (if applicable) — Not applicable
  • Verify if API specs need to be regenerated. — Not applicable
  • Check if version updates are required (e.g., specs, uv, etc.). — Not applicable
  • Ensure new entries are added to CHANGELOG.md, if applicable. — Not applicable

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Adds a new check apigateway_restapi_no_secrets_in_stage_variables that
scans API Gateway REST API stage variables for hardcoded secrets such as
API keys, passwords, and tokens using the detect-secrets library.

Also extends the Stage model in apigateway_service.py to capture and
store stage variables from the AWS API response.

Relates to prowler-cloud#3085
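The check described above serializes each stage's `variables` dict with `json.dumps` and hands the result to prowler's `detect_secrets_scan` helper, which wraps the detect-secrets library. The following is an added example, not code from this PR or from prowler: it shows the same flow end to end with a small stand-in scanner (an AWS access-key-ID regex plus a keyword heuristic, both assumptions replacing detect-secrets' plugins) so it runs offline. The `Stage` dataclass, `check_stage`, `execute`, and the ARNs and variable values are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Stage:
    """Hypothetical stand-in for the service's Stage model, with the
    `variables` field this PR adds (populated from GetStages' response)."""
    name: str
    arn: str
    variables: Optional[Dict[str, str]] = field(default_factory=dict)


# Assumption: simplified detectors standing in for detect-secrets' plugins.
# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A JSON key whose name suggests a credential, assigned a non-trivial value.
KEYWORD_RE = re.compile(
    r'"([^"]*(?:password|passwd|secret|token|api_?key)[^"]*)"\s*:\s*"([^"]{6,})"',
    re.IGNORECASE,
)


def detect_secrets_scan(data: str) -> List[str]:
    """Return the secret types found in serialized text (stand-in for the
    detect-secrets-backed helper the real check calls)."""
    findings: List[str] = []
    if AWS_ACCESS_KEY_RE.search(data):
        findings.append("AWS Access Key")
    for match in KEYWORD_RE.finditer(data):
        findings.append(f"Secret Keyword ({match.group(1)})")
    return findings


def check_stage(stage: Stage) -> dict:
    """Evaluate one stage: PASS when no variables or no secrets, FAIL otherwise."""
    report = {"resource_arn": stage.arn, "status": "PASS", "findings": []}
    if not stage.variables:
        report["status_extended"] = (
            f"REST API stage {stage.name} has no stage variables."
        )
        return report
    # Same approach as the check: scan the JSON serialization of the dict.
    findings = detect_secrets_scan(json.dumps(stage.variables))
    if findings:
        report["status"] = "FAIL"
        report["findings"] = findings
        report["status_extended"] = (
            f"Potential secret found in stage variables of REST API stage "
            f"{stage.name}: {', '.join(findings)}."
        )
    else:
        report["status_extended"] = (
            f"No secrets found in stage variables of REST API stage {stage.name}."
        )
    return report


def execute(stages: List[Stage]) -> List[dict]:
    """Run the check over every stage, one report per stage."""
    return [check_stage(stage) for stage in stages]


if __name__ == "__main__":
    # Constructed sample stages; the AKIA value is AWS's documented example key.
    sample = [
        Stage("prod", "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod",
              {"lambdaAlias": "live", "awsAccessKey": "AKIAIOSFODNN7EXAMPLE"}),
        Stage("dev", "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/dev",
              {"lambdaAlias": "dev", "logLevel": "INFO"}),
        Stage("test", "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/test"),
    ]
    for r in execute(sample):
        print(r["status"], "-", r["status_extended"])
```

Scanning the JSON serialization rather than iterating values keeps key names in the text, which is what lets keyword-style detectors flag a variable named `dbPassword` even when its value looks innocuous; the trade-off is that a real deployment should rely on detect-secrets' tuned plugins and an allowlist rather than the two regexes used here.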
@chirag1206 chirag1206 requested a review from a team as a code owner May 15, 2026 19:06
@github-actions github-actions Bot added the labels provider/aws (Issues/PRs related with the AWS provider), metadata-review and community (Opened by the Community) on May 15, 2026
@github-actions (Contributor)

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.
