refactor(deletion): isolate steps to remove blocks

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.backportrc.json

@@ -0,0 +1,14 @@
+{
+  "repoOwner": "prowler-cloud",
+  "repoName": "prowler",
+  "targetPRLabels": [
+    "backport"
+  ],
+  "sourcePRLabels": [
+    "was-backported"
+  ],
+  "copySourcePRLabels": false,
+  "copySourcePRReviewers": true,
+  "prTitle": "{{sourcePullRequest.title}}",
+  "commitConflicts": true
+}

.dockerignore

@@ -1,5 +0,0 @@
-.git/
-
-# Ignore output directories
-output/
-junit-reports/

.env

@@ -0,0 +1,135 @@
+#### Important Note ####
+# This file is used to store environment variables for the Prowler App.
+# For production, it is recommended to use a secure method to store these variables and change the default secret keys.
+
+#### Prowler UI Configuration ####
+PROWLER_UI_VERSION="stable"
+AUTH_URL=http://localhost:3000
+API_BASE_URL=http://prowler-api:8080/api/v1
+NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
+AUTH_TRUST_HOST=true
+UI_PORT=3000
+# openssl rand -base64 32
+AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
+
+#### Prowler API Configuration ####
+PROWLER_API_VERSION="stable"
+# PostgreSQL settings
+# If running Django and celery on host, use 'localhost', else use 'postgres-db'
+POSTGRES_HOST=postgres-db
+POSTGRES_PORT=5432
+POSTGRES_ADMIN_USER=prowler_admin
+POSTGRES_ADMIN_PASSWORD=postgres
+POSTGRES_USER=prowler
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=prowler_db
+
+# Valkey settings
+# If running Valkey and celery on host, use localhost, else use 'valkey'
+VALKEY_HOST=valkey
+VALKEY_PORT=6379
+VALKEY_DB=0
+
+# API scan settings
+
+# The path to the directory where scan output should be stored
+DJANGO_TMP_OUTPUT_DIRECTORY="/tmp/prowler_api_output"
+
+# The maximum number of findings to process in a single batch
+DJANGO_FINDINGS_BATCH_SIZE=1000
+
+# The AWS access key to be used when uploading scan output to an S3 bucket
+# If left empty, default AWS credentials resolution behavior will be used
+DJANGO_OUTPUT_S3_AWS_ACCESS_KEY_ID=""
+
+# The AWS secret key to be used when uploading scan output to an S3 bucket
+DJANGO_OUTPUT_S3_AWS_SECRET_ACCESS_KEY=""
+
+# An optional AWS session token
+DJANGO_OUTPUT_S3_AWS_SESSION_TOKEN=""
+
+# The AWS region where your S3 bucket is located (e.g., "us-east-1")
+DJANGO_OUTPUT_S3_AWS_DEFAULT_REGION=""
+
+# The name of the S3 bucket where scan output should be stored
+DJANGO_OUTPUT_S3_AWS_OUTPUT_BUCKET=""
+
+# Django settings
+DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,prowler-api
+DJANGO_BIND_ADDRESS=0.0.0.0
+DJANGO_PORT=8080
+DJANGO_DEBUG=False
+DJANGO_SETTINGS_MODULE=config.django.production
+# Select one of [ndjson|human_readable]
+DJANGO_LOGGING_FORMATTER=human_readable
+# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
+# Applies to both Django and Celery Workers
+DJANGO_LOGGING_LEVEL=INFO
+# Defaults to the maximum available based on CPU cores if not set.
+DJANGO_WORKERS=4
+# Token lifetime is in minutes
+DJANGO_ACCESS_TOKEN_LIFETIME=30
+# Token lifetime is in minutes
+DJANGO_REFRESH_TOKEN_LIFETIME=1440
+DJANGO_CACHE_MAX_AGE=3600
+DJANGO_STALE_WHILE_REVALIDATE=60
+DJANGO_MANAGE_DB_PARTITIONS=True
+# openssl genrsa -out private.pem 2048
+DJANGO_TOKEN_SIGNING_KEY="-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDs4e+kt7SnUJek
+6V5r9zMGzXCoU5qnChfPiqu+BgANyawz+MyVZPs6RCRfeo6tlCknPQtOziyXYM2I
+7X+qckmuzsjqp8+u+o1mw3VvUuJew5k2SQLPYwsiTzuFNVJEOgRo3hywGiGwS2iv
+/5nh2QAl7fq2qLqZEXQa5+/xJlQggS1CYxOJgggvLyra50QZlBvPve/AxKJ/EV/Q
+irWTZU5lLNI8sH2iZR05vQeBsxZ0dCnGMT+vGl+cGkqrvzQzKsYbDmabMcfTYhYi
+78fpv6A4uharJFHayypYBjE39PwhMyyeycrNXlpm1jpq+03HgmDuDMHydk1tNwuT
+nEC7m7iNAgMBAAECggEAA2m48nJcJbn9SVi8bclMwKkWmbJErOnyEGEy2sTK3Of+
+NWx9BB0FmqAPNxn0ss8K7cANKOhDD7ZLF9E2MO4/HgfoMKtUzHRbM7MWvtEepldi
+nnvcUMEgULD8Dk4HnqiIVjt3BdmGiTv46OpBnRWrkSBV56pUL+7msZmMZTjUZvh2
+ZWv0+I3gtDIjo2Zo/FiwDV7CfwRjJarRpYUj/0YyuSA4FuOUYl41WAX1I301FKMH
+xo3jiAYi1s7IneJ16OtPpOA34Wg5F6ebm/UO0uNe+iD4kCXKaZmxYQPh5tfB0Qa3
+qj1T7GNpFNyvtG7VVdauhkb8iu8X/wl6PCwbg0RCKQKBgQD9HfpnpH0lDlHMRw9K
+X7Vby/1fSYy1BQtlXFEIPTN/btJ/asGxLmAVwJ2HAPXWlrfSjVAH7CtVmzN7v8oj
+HeIHfeSgoWEu1syvnv2AMaYSo03UjFFlfc/GUxF7DUScRIhcJUPCP8jkAROz9nFv
+DByNjUL17Q9r43DmDiRsy0IFqQKBgQDvlJ9Uhl+Sp7gRgKYwa/IG0+I4AduAM+Gz
+Dxbm52QrMGMTjaJFLmLHBUZ/ot+pge7tZZGws8YR8ufpyMJbMqPjxhIvRRa/p1Tf
+E3TQPW93FMsHUvxAgY3MV5MzXFPhlNAKb+akP/RcXUhetGAuZKLubtDCWa55ZQuL
+wj2OS+niRQKBgE7K8zUqNi6/22S8xhy/2GPgB1qPObbsABUofK0U6CAGLo6te+gc
+6Jo84IyzFtQbDNQFW2Fr+j1m18rw9AqkdcUhQndiZS9AfG07D+zFB86LeWHt4DS4
+ymIRX8Kvaak/iDcu/n3Mf0vCrhB6aetImObTj4GgrwlFvtJOmrYnO8EpAoGAIXXP
+Xt25gWD9OyyNiVu6HKwA/zN7NYeJcRmdaDhO7B1A6R0x2Zml4AfjlbXoqOLlvLAf
+zd79vcoAC82nH1eOPiSOq51plPDI0LMF8IN0CtyTkn1Lj7LIXA6rF1RAvtOqzppc
+SvpHpZK9pcRpXnFdtBE0BMDDtl6fYzCIqlP94UUCgYEAnhXbAQMF7LQifEm34Dx8
+BizRMOKcqJGPvbO2+Iyt50O5X6onU2ITzSV1QHtOvAazu+B1aG9pEuBFDQ+ASxEu
+L9ruJElkOkb/o45TSF6KCsHd55ReTZ8AqnRjf5R+lyzPqTZCXXb8KTcRvWT4zQa3
+VxyT2PnaSqEcexWUy4+UXoQ=
+-----END PRIVATE KEY-----"
+# openssl rsa -in private.pem -pubout -out public.pem
+DJANGO_TOKEN_VERIFYING_KEY="-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7OHvpLe0p1CXpOlea/cz
+Bs1wqFOapwoXz4qrvgYADcmsM/jMlWT7OkQkX3qOrZQpJz0LTs4sl2DNiO1/qnJJ
+rs7I6qfPrvqNZsN1b1LiXsOZNkkCz2MLIk87hTVSRDoEaN4csBohsEtor/+Z4dkA
+Je36tqi6mRF0Gufv8SZUIIEtQmMTiYIILy8q2udEGZQbz73vwMSifxFf0Iq1k2VO
+ZSzSPLB9omUdOb0HgbMWdHQpxjE/rxpfnBpKq780MyrGGw5mmzHH02IWIu/H6b+g
+OLoWqyRR2ssqWAYxN/T8ITMsnsnKzV5aZtY6avtNx4Jg7gzB8nZNbTcLk5xAu5u4
+jQIDAQAB
+-----END PUBLIC KEY-----"
+# openssl rand -base64 32
+DJANGO_SECRETS_ENCRYPTION_KEY="oE/ltOhp/n1TdbHjVmzcjDPLcLA41CVI/4Rk+UB5ESc="
+DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
+DJANGO_SENTRY_DSN=
+
+# Sentry settings
+SENTRY_ENVIRONMENT=local
+SENTRY_RELEASE=local
+
+#### Prowler release version ####
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.5.0
+
+# Social login credentials
+SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
+SOCIAL_GOOGLE_OAUTH_CLIENT_ID=""
+SOCIAL_GOOGLE_OAUTH_CLIENT_SECRET=""
+
+SOCIAL_GITHUB_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/github"
+SOCIAL_GITHUB_OAUTH_CLIENT_ID=""
+SOCIAL_GITHUB_OAUTH_CLIENT_SECRET=""

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+/* @prowler-cloud/sdk
+/.github/ @prowler-cloud/sdk
+prowler @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+tests @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+api @prowler-cloud/api
+ui @prowler-cloud/ui

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,96 @@
+name: 🐞 Bug Report
+description: Create a report to help us improve
+labels: ["bug", "status/needs-triage"]
+
+body:
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |-
+        1. What command are you running?
+        2. Cloud provider you are launching
+        3. Environment you have, like single account, multi-account, organizations, multi or single subscription, etc.
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Result with Screenshots or Logs
+      description: If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here a command that may help to share a log `prowler <your arguments> --log-level ERROR --log-file $(date +%F)_error.log` then attach here the log file.
+    validations:
+      required: true
+  - type: dropdown
+    id: type
+    attributes:
+      label: How did you install Prowler?
+      options:
+        - Cloning the repository from github.com (git clone)
+        - From pip package (pip install prowler)
+        - From brew (brew install prowler)
+        - Docker (docker pull toniblyx/prowler)
+    validations:
+      required: true
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment Resource
+      description: From where are you running Prowler?
+      placeholder: |-
+        1. EC2 instance
+        2. Fargate task
+        3. Docker container locally
+        4. EKS
+        5. Cloud9
+        6. CodeBuild
+        7. Workstation
+        8. Other(please specify)
+    validations:
+      required: true
+  - type: textarea
+    id: os
+    attributes:
+      label: OS used
+      description: Which OS are you using?
+      placeholder: |-
+        1. Amazon Linux 2
+        2. MacOS
+        3. Alpine Linux
+        4. Windows
+        5. Other(please specify)
+    validations:
+      required: true
+  - type: input
+    id: prowler-version
+    attributes:
+      label: Prowler version
+      description: Which Prowler version are you using?
+      placeholder: |-
+        prowler --version
+    validations:
+      required: true
+  - type: input
+    id: pip-version
+    attributes:
+      label: Pip version
+      description: Which pip version are you using?
+      placeholder: |-
+        pip --version
+    validations:
+      required: true
+  - type: textarea
+    id: additional
+    attributes:
+      description: Additional context
+      label: Context
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,35 @@
+name: 💡 Feature Request
+description: Suggest an idea for this project
+labels: ["feature-request", "status/needs-triage"]
+
+body:
+  - type: textarea
+    id: Problem
+    attributes:
+      label: New feature motivation
+      description: Is your feature request related to a problem? Please describe
+      placeholder: |-
+        1. A clear and concise description of what the problem is. Ex. I'm always frustrated when
+    validations:
+      required: true
+  - type: textarea
+    id: Solution
+    attributes:
+      label: Solution Proposed
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: Alternatives
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: true
+  - type: textarea
+    id: Context
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false

.github/codeql/api-codeql-config.yml

@@ -0,0 +1,3 @@
+name: "API - CodeQL Config"
+paths:
+  - "api/"

.github/codeql/sdk-codeql-config.yml

@@ -0,0 +1,4 @@
+name: "SDK - CodeQL Config"
+paths-ignore:
+  - "api/"
+  - "ui/"

.github/codeql/ui-codeql-config.yml

@@ -0,0 +1,3 @@
+name: "UI - CodeQL Config"
+paths:
+  - "ui/"

.github/dependabot.yml

@@ -0,0 +1,119 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # v5
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pip"
+
+  # Dependabot Updates are temporary disabled - 2025/03/19
+  # - package-ecosystem: "pip"
+  #   directory: "/api"
+  #   schedule:
+  #     interval: "daily"
+  #   open-pull-requests-limit: 10
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "pip"
+  #     - "component/api"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "github_actions"
+
+  # Dependabot Updates are temporary disabled - 2025/03/19
+  # - package-ecosystem: "npm"
+  #   directory: "/ui"
+  #   schedule:
+  #     interval: "daily"
+  #   open-pull-requests-limit: 10
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "npm"
+  #     - "component/ui"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # v4.6
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v4"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v4"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "docker"
+      - "v4"
+
+  # Dependabot Updates are temporary disabled - 2025/03/19
+  # v3
+  # - package-ecosystem: "pip"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 10
+  #   target-branch: v3
+  #   labels:
+  #     - "dependencies"
+  #     - "pip"
+  #     - "v3"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10
+    target-branch: v3
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v3"

.github/labeler.yml

@@ -0,0 +1,104 @@
+documentation:
+  - changed-files:
+      - any-glob-to-any-file: "docs/**"
+
+provider/aws:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/**"
+      - any-glob-to-any-file: "tests/providers/aws/**"
+
+provider/azure:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/azure/**"
+      - any-glob-to-any-file: "tests/providers/azure/**"
+
+provider/gcp:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/gcp/**"
+      - any-glob-to-any-file: "tests/providers/gcp/**"
+
+provider/kubernetes:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/**"
+
+provider/github:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/github/**"
+      - any-glob-to-any-file: "tests/providers/github/**"
+
+github_actions:
+  - changed-files:
+      - any-glob-to-any-file: ".github/workflows/*"
+
+cli:
+  - changed-files:
+      - any-glob-to-any-file: "cli/**"
+
+mutelist:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/aws/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/azure/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/gcp/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/kubernetes/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/azure/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
+
+integration/s3:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/lib/s3/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/s3/**"
+
+integration/slack:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/slack/**"
+      - any-glob-to-any-file: "tests/lib/outputs/slack/**"
+
+integration/security-hub:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/lib/security_hub/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/security_hub/**"
+      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
+      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
+
+output/html:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/html/**"
+      - any-glob-to-any-file: "tests/lib/outputs/html/**"
+
+output/asff:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
+      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
+
+output/ocsf:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/ocsf/**"
+      - any-glob-to-any-file: "tests/lib/outputs/ocsf/**"
+
+output/csv:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/csv/**"
+      - any-glob-to-any-file: "tests/lib/outputs/csv/**"
+
+component/api:
+  - changed-files:
+      - any-glob-to-any-file: "api/**"
+
+component/ui:
+  - changed-files:
+      - any-glob-to-any-file: "ui/**"
+
+compliance:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/compliance/**"
+      - any-glob-to-any-file: "prowler/lib/outputs/compliance/**"
+      - any-glob-to-any-file: "tests/lib/outputs/compliance/**"
+
+review-django-migrations:
+  - changed-files:
+      - any-glob-to-any-file: "api/src/backend/api/migrations/**"

.github/pull_request_template.md

@@ -1 +1,27 @@
+### Context
+
+Please include relevant motivation and context for this PR.
+
+If fixes an issue please add it with `Fix #XXXX`
+
+### Description
+
+Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.
+
+### Checklist
+
+- Are there new checks included in this PR? Yes / No
+    - If so, do we need to update permissions for the provider? Please review this carefully.
+- [ ] Review if the code is being covered by tests.
+- [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
+- [ ] Review if backport is needed.
+- [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
+
+#### API
+- [ ] Verify if API specs need to be regenerated.
+- [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
+- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.
+
+### License
+
 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/api-build-lint-push-containers.yml

@@ -0,0 +1,114 @@
+name: API - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "api/**"
+      - ".github/workflows/api-build-lint-push-containers.yml"
+
+  # Uncomment the code below to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "api/**"
+  #     - ".github/workflows/api-build-lint-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+
+  WORKING_DIRECTORY: ./api
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  # Build Prowler OSS container
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trigger deployment
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: prowler-api-deploy
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'

.github/workflows/api-codeql.yml

@@ -0,0 +1,59 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: API - CodeQL
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "api/**"
+  pull_request:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "api/**"
+  schedule:
+    - cron: '00 12 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/api-codeql-config.yml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/api-pull-request.yml

@@ -0,0 +1,189 @@
+name: API - Pull Request
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - ".github/workflows/api-pull-request.yml"
+      - "api/**"
+  pull_request:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "api/**"
+
+env:
+  POSTGRES_HOST: localhost
+  POSTGRES_PORT: 5432
+  POSTGRES_ADMIN_USER: prowler
+  POSTGRES_ADMIN_PASSWORD: S3cret
+  POSTGRES_USER: prowler_user
+  POSTGRES_PASSWORD: prowler
+  POSTGRES_DB: postgres-db
+  VALKEY_HOST: localhost
+  VALKEY_PORT: 6379
+  VALKEY_DB: 0
+  API_WORKING_DIR: ./api
+  IMAGE_NAME: prowler-api
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.12"]
+
+    # Service containers to run with `test`
+    services:
+      # Label used to access the service container
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
+          POSTGRES_USER: ${{ env.POSTGRES_USER }}
+          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
+          POSTGRES_DB: ${{ env.POSTGRES_DB }}
+        # Set health checks to wait until postgres has started
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+      valkey:
+        image: valkey/valkey:7-alpine3.19
+        env:
+          VALKEY_HOST: ${{ env.VALKEY_HOST }}
+          VALKEY_PORT: ${{ env.VALKEY_PORT }}
+          VALKEY_DB: ${{ env.VALKEY_DB }}
+        # Set health checks to wait until postgres has started
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "valkey-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        with:
+          files: api/**
+          files_ignore: |
+            api/.github/**
+            api/docs/**
+            api/permissions/**
+            api/README.md
+            api/mkdocs.yml
+
+      - name: Install poetry
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          python -m pip install --upgrade pip
+          pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
+          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+            grep '"tag_name":' | \
+            sed -E 's/.*"v([^"]+)".*/\1/' \
+            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
+            && chmod +x /tmp/hadolint
+
+      - name: Poetry check
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry check --lock
+
+      - name: Lint with ruff
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run ruff check . --exclude contrib
+
+      - name: Check Format with ruff
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run ruff format --check . --exclude contrib
+
+      - name: Lint with pylint
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
+
+      - name: Bandit
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
+
+      - name: Safety
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run safety check --ignore 70612,66963
+
+      - name: Vulture
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
+
+      - name: Hadolint
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          /tmp/hadolint Dockerfile --ignore=DL3013
+
+      - name: Test with pytest
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest --cov=./src/backend --cov-report=xml src/backend
+
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: api
+  test-container-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - name: Build Container
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.API_WORKING_DIR }}
+          push: false
+          tags: ${{ env.IMAGE_NAME }}:latest
+          outputs: type=docker
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/backport.yml

@@ -0,0 +1,47 @@
+name: Prowler - Automatic Backport
+
+on:
+  pull_request_target:
+    branches: ['master']
+    types: ['labeled', 'closed']
+
+env:
+  # The prefix of the label that triggers the backport must not contain the branch name
+  # so, for example, if the branch is 'master', the label should be 'backport-to-<branch>'
+  BACKPORT_LABEL_PREFIX: backport-to-
+  BACKPORT_LABEL_IGNORE: was-backported
+
+jobs:
+  backport:
+    name: Backport PR
+    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    steps:
+      - name: Check labels
+        id: preview_label_check
+        uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
+        with:
+          allow_failure: true
+          prefix_mode: true
+          any_of: ${{ env.BACKPORT_LABEL_PREFIX }}
+          none_of: ${{ env.BACKPORT_LABEL_IGNORE }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Backport Action
+        if: steps.preview_label_check.outputs.label_check == 'success'
+        uses: sorenlouv/backport-github-action@ad888e978060bc1b2798690dd9d03c4036560947 # v9.5.1
+        with:
+          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}
+
+      - name: Info log
+        if: ${{ success() && steps.preview_label_check.outputs.label_check == 'success' }}
+        run: cat ~/.backport/backport.info.log
+
+      - name: Debug log
+        if: ${{ failure() && steps.preview_label_check.outputs.label_check == 'success' }}
+        run: cat ~/.backport/backport.debug.log

.github/workflows/build-documentation-on-pr.yml

@@ -0,0 +1,24 @@
+name: Prowler - Pull Request Documentation Link
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'v3'
+    paths:
+      - 'docs/**'
+
+env:
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+  documentation-link:
+    name: Documentation Link
+    runs-on: ubuntu-latest
+    steps:
+      - name: Leave PR comment with the Prowler Documentation URI
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          body: |
+            You can check the documentation for this PR here -> [Prowler Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)

.github/workflows/conventional-commit.yml

@@ -0,0 +1,23 @@
+name: Prowler - Conventional Commit
+
+on:
+  pull_request:
+    types:
+      - "opened"
+      - "edited"
+      - "synchronize"
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+
+jobs:
+  conventional-commit-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: conventional-commit-check
+        id: conventional-commit-check
+        uses: agenthunt/conventional-commit-checker-action@9e552d650d0e205553ec7792d447929fc78e012b # v2.0.0
+        with:
+            pr-title-regex: '^([^\s(]+)(?:\(([^)]+)\))?: (.+)'

.github/workflows/find-secrets.yml

@@ -0,0 +1,19 @@
+name: Prowler - Find secrets
+
+on: pull_request
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@ded5f45b92c00939718787ce586b520bbe795f3b # v3.88.18
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --only-verified

.github/workflows/labeler.yml

@@ -0,0 +1,17 @@
+name: Prowler - PR Labeler
+
+on:
+    pull_request_target:
+      branches:
+        - "master"
+        - "v3"
+        - "v4.*"
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0

.github/workflows/sdk-build-lint-push-containers.yml

@@ -0,0 +1,186 @@
+name: SDK - Build and Push containers
+
+on:
+  push:
+    branches:
+      # For `v3-latest`
+      - "v3"
+      # For `v4-latest`
+      - "v4.6"
+      # For `latest`
+      - "master"
+    paths-ignore:
+      - ".github/**"
+      - "README.md"
+      - "docs/**"
+      - "ui/**"
+      - "api/**"
+
+  release:
+    types: [published]
+
+env:
+  # AWS Configuration
+  AWS_REGION_STG: eu-west-1
+  AWS_REGION_PLATFORM: eu-west-1
+  AWS_REGION: us-east-1
+
+  # Container's configuration
+  IMAGE_NAME: prowler
+  DOCKERFILE_PATH: ./Dockerfile
+
+  # Tags
+  LATEST_TAG: latest
+  STABLE_TAG: stable
+  # The RELEASE_TAG is set during runtime in releases
+  RELEASE_TAG: ""
+  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
+  PROWLER_VERSION: ""
+  PROWLER_VERSION_MAJOR: ""
+  # TEMPORARY_TAG: temporary
+
+  # Python configuration
+  PYTHON_VERSION: 3.12
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
+
+jobs:
+  # Build Prowler OSS container
+  container-build-push:
+    # needs: dockerfile-linter
+    runs-on: ubuntu-latest
+    outputs:
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry
+        run: |
+          pipx install poetry==1.8.5
+          pipx inject poetry poetry-bumpversion
+
+      - name: Get Prowler version
+        id: get-prowler-version
+        run: |
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+
+          # Store prowler version major just for the release
+          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+
+          case ${PROWLER_VERSION_MAJOR} in
+          3)
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              ;;
+
+
+          4)
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
+              ;;
+
+          5)
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              ;;
+
+          *)
+              # Fallback if any other version is present
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build and push container image (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          # Use local context to get changes
+          # https://github.com/docker/build-push-action#path-context
+          context: .
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  dispatch-action:
+    needs: container-build-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest commit info (latest)
+        if: github.event_name == 'push'
+        run: |
+          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
+          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
+
+      - name: Dispatch event (latest)
+        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
+
+      - name: Dispatch event (release)
+        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'

.github/workflows/sdk-codeql.yml

@@ -0,0 +1,65 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: SDK - CodeQL
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+    paths-ignore:
+      - 'ui/**'
+      - 'api/**'
+  pull_request:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+    paths-ignore:
+      - 'ui/**'
+      - 'api/**'
+  schedule:
+    - cron: '00 12 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/sdk-codeql-config.yml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/sdk-pull-request.yml

@@ -0,0 +1,120 @@
+name: SDK - Pull Request
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+  pull_request:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+
+      - name: Install poetry
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          python -m pip install --upgrade pip
+          pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
+          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+            grep '"tag_name":' | \
+            sed -E 's/.*"v([^"]+)".*/\1/' \
+            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
+            && chmod +x /tmp/hadolint
+
+      - name: Poetry check
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry check --lock
+
+      - name: Lint with flake8
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api
+
+      - name: Checking format with black
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run black --exclude api ui --check .
+
+      - name: Lint with pylint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+
+      - name: Bandit
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
+
+      - name: Safety
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run safety check --ignore 70612 -r pyproject.toml
+
+      - name: Vulture
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
+
+      - name: Hadolint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          /tmp/hadolint Dockerfile --ignore=DL3013
+
+      - name: Test with pytest
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
+
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler

.github/workflows/sdk-pypi-release.yml

@@ -0,0 +1,98 @@
+name: SDK - PyPI release
+
+on:
+  release:
+    types: [published]
+
+env:
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  PYTHON_VERSION: 3.11
+  CACHE: "poetry"
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  release-prowler-job:
+    runs-on: ubuntu-latest
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+    name: Release Prowler to PyPI
+    steps:
+      - name: Repository check
+        working-directory: /tmp
+        run: |
+              if [[ "${{ github.repository }}" != "prowler-cloud/prowler" ]]; then
+                  echo "This action only runs for prowler-cloud/prowler"
+                  exit 1
+              fi
+
+      - name: Get Prowler version
+        run: |
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
+
+          case ${PROWLER_VERSION%%.*} in
+          3)
+              echo "Releasing Prowler v3 with tag ${PROWLER_VERSION}"
+              ;;
+          4)
+              echo "Releasing Prowler v4 with tag ${PROWLER_VERSION}"
+              ;;
+          5)
+              echo "Releasing Prowler v5 with tag ${PROWLER_VERSION}"
+              ;;
+          *)
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install dependencies
+        run: |
+          pipx install poetry==1.8.5
+
+      - name: Setup Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: ${{ env.CACHE }}
+
+      - name: Build Prowler package
+        run: |
+          poetry build
+
+      - name: Publish Prowler package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish
+
+      - name: Replicate PyPI package
+        run: |
+          rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+          pip install toml
+          python util/replicate_pypi_package.py
+          poetry build
+
+      - name: Publish prowler-cloud package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -0,0 +1,68 @@
+# This is a basic workflow to help you get started with Actions
+
+name: SDK - Refresh AWS services' regions
+
+on:
+  schedule:
+    - cron: "0 9 * * *" #runs at 09:00 UTC everyday
+
+env:
+  GITHUB_BRANCH: "master"
+  AWS_REGION_DEV: us-east-1
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ env.GITHUB_BRANCH }}
+
+      - name: setup python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.9 #install the python needed
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install boto3
+
+      - name: Configure AWS Credentials -- DEV
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          aws-region: ${{ env.AWS_REGION_DEV }}
+          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
+          role-session-name: refresh-AWS-regions-dev
+
+      # Runs a single command using the runners shell
+      - name: Run a one-line script
+        run: python3 util/update_aws_services_regions.py
+
+      # Create pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services"
+          branch: "aws-services-regions-updated-${{ github.sha }}"
+          labels: "status/waiting-for-revision, severity/low, provider/aws"
+          title: "chore(regions_update): Changes in regions for AWS services"
+          body: |
+            ### Description
+
+            This PR updates the regions for AWS services.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/ui-build-lint-push-containers.yml

@@ -0,0 +1,118 @@
+name: UI - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "ui/**"
+      - ".github/workflows/ui-build-lint-push-containers.yml"
+
+  # Uncomment the below code to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "ui/**"
+  #     - ".github/workflows/ui-build-lint-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+
+  WORKING_DIRECTORY: ./ui
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  # Build Prowler OSS container
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ env.SHORT_SHA }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trigger deployment
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: prowler-ui-deploy
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'

.github/workflows/ui-codeql.yml

@@ -0,0 +1,59 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: UI - CodeQL
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "ui/**"
+  pull_request:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - "ui/**"
+  schedule:
+    - cron: "00 12 * * *"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript"]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/ui-codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/ui-pull-request.yml

@@ -0,0 +1,62 @@
+name: UI - Pull Request
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - ".github/workflows/ui-pull-request.yml"
+      - "ui/**"
+  pull_request:
+    branches:
+      - master
+      - "v5.*"
+    paths:
+      - 'ui/**'
+env:
+  UI_WORKING_DIR: ./ui
+  IMAGE_NAME: prowler-ui
+
+jobs:
+  test-and-coverage:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        node-version: [20.x]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        working-directory: ./ui
+        run: npm install
+      - name: Run Healthcheck
+        working-directory: ./ui
+        run: npm run healthcheck
+      - name: Build the application
+        working-directory: ./ui
+        run: npm run build
+  test-container-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - name: Build Container
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.UI_WORKING_DIR }}
+          # Always build using `prod` target
+          target: prod
+          push: false
+          tags: ${{ env.IMAGE_NAME }}:latest
+          outputs: type=docker
+          build-args: |
+            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

.gitignore

@@ -5,6 +5,15 @@
 [._]ss[a-gi-z]
 [._]sw[a-p]
 
+# Python code
+__pycache__
+venv/
+build/
+/dist/
+*.egg-info/
+*/__pycache__/*.pyc
+.idea/
+
 # Session
 Session.vim
 Sessionx.vim
@@ -22,7 +31,7 @@ tags
 *.DS_Store
 
 # Prowler output
-output/
+/output
 
 # Prowler found secrets
 secrets-*/
@@ -33,8 +42,23 @@ junit-reports/
 # VSCode files
 .vscode/
 
-terraform-kickstarter/.terraform.lock.hcl
+# Terraform
+.terraform*
+*.tfstate
+*.tfstate.*
 
-terraform-kickstarter/.terraform/providers/registry.terraform.io/hashicorp/aws/3.56.0/darwin_amd64/terraform-provider-aws_v3.56.0_x5
+# .env
+ui/.env*
+api/.env*
+.env.local
 
-terraform-kickstarter/terraform.tfstate
+# Coverage
+.coverage*
+.coverage
+coverage*
+
+# Node
+node_modules
+
+# Persistent data
+_data/

.pre-commit-config.yaml

@@ -0,0 +1,126 @@
+repos:
+  ## GENERAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: check-merge-conflict
+      - id: check-yaml
+        args: ["--unsafe"]
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+
+  ## TOML
+  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+    rev: v2.13.0
+    hooks:
+      - id: pretty-format-toml
+        args: [--autofix]
+        files: pyproject.toml
+
+  ## BASH
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.10.0
+    hooks:
+      - id: shellcheck
+        exclude: contrib
+
+  ## PYTHON
+  - repo: https://github.com/myint/autoflake
+    rev: v2.3.1
+    hooks:
+      - id: autoflake
+        args:
+          [
+            "--in-place",
+            "--remove-all-unused-imports",
+            "--remove-unused-variable",
+          ]
+
+  - repo: https://github.com/timothycrosley/isort
+    rev: 5.13.2
+    hooks:
+      - id: isort
+        args: ["--profile", "black"]
+
+  - repo: https://github.com/psf/black
+    rev: 24.4.2
+    hooks:
+      - id: black
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 7.0.0
+    hooks:
+      - id: flake8
+        exclude: contrib
+        args: ["--ignore=E266,W503,E203,E501,W605"]
+
+  - repo: https://github.com/python-poetry/poetry
+    rev: 2.1.1
+    hooks:
+      - id: poetry-check
+        name: API - poetry-check
+        args: ["--directory=./api"]
+        pass_filenames: false
+
+      - id: poetry-lock
+        name: API - poetry-lock
+        args: ["--directory=./api"]
+        pass_filenames: false
+
+      - id: poetry-check
+        name: SDK - poetry-check
+        args: ["--directory=./"]
+        pass_filenames: false
+
+      - id: poetry-lock
+        name: SDK - poetry-lock
+        args: ["--directory=./"]
+        pass_filenames: false
+
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.13.0-beta
+    hooks:
+      - id: hadolint
+        args: ["--ignore=DL3013"]
+
+  - repo: local
+    hooks:
+      - id: pylint
+        name: pylint
+        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
+        language: system
+        files: '.*\.py'
+
+      - id: trufflehog
+        name: TruffleHog
+        description: Detect secrets in your data.
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
+        # For running trufflehog in docker, use the following entry instead:
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        language: system
+        stages: ["pre-commit", "pre-push"]
+
+      - id: bandit
+        name: bandit
+        description: "Bandit is a tool for finding common security issues in Python code"
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
+        language: system
+        files: '.*\.py'
+
+      - id: safety
+        name: safety
+        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
+        entry: bash -c 'safety check --ignore 70612,66963'
+        language: system
+
+      - id: vulture
+        name: vulture
+        description: "Vulture finds unused code in Python programs."
+        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
+        language: system
+        files: '.*\.py'

.readthedocs.yaml

@@ -0,0 +1,25 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.11"
+  jobs:
+    post_create_environment:
+      # Install poetry
+      # https://python-poetry.org/docs/#installing-manually
+      - python -m pip install poetry
+    post_install:
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
+      # VIRTUAL_ENV needs to be set manually for now.
+      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs
+
+mkdocs:
+  configuration: mkdocs.yml

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at community@prowler.cloud. All
+reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -0,0 +1,13 @@
+# Do you want to learn on how to...
+
+- Contribute with your code or fixes to Prowler
+- Create a new check for a provider
+- Create a new security compliance framework
+- Add a custom output format
+- Add a new integration
+- Contribute with documentation
+
+Want some swag as appreciation for your contribution?
+
+# Prowler Developer Guide
+https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/

Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.12.9-alpine3.20
+
+LABEL maintainer="https://github.com/prowler-cloud/prowler"
+
+# Update system dependencies and install essential tools
+#hadolint ignore=DL3018
+RUN apk --no-cache upgrade && apk --no-cache add curl git gcc python3-dev musl-dev linux-headers
+
+# Create non-root user
+RUN mkdir -p /home/prowler && \
+    echo 'prowler:x:1000:1000:prowler:/home/prowler:' > /etc/passwd && \
+    echo 'prowler:x:1000:' > /etc/group && \
+    chown -R prowler:prowler /home/prowler
+USER prowler
+
+# Copy necessary files
+WORKDIR /home/prowler
+COPY prowler/  /home/prowler/prowler/
+COPY dashboard/ /home/prowler/dashboard/
+COPY pyproject.toml /home/prowler
+COPY README.md /home/prowler/
+
+# Install Python dependencies
+ENV HOME='/home/prowler'
+ENV PATH="${HOME}/.local/bin:${PATH}"
+#hadolint ignore=DL3013
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir poetry
+
+# By default poetry does not compile Python source files to bytecode during installation.
+# This speeds up the installation process, but the first execution may take a little more
+# time because Python then compiles source files to bytecode automatically. If you want to
+# compile source files to bytecode during installation, you can use the --compile option
+RUN poetry install --compile && \
+    rm -rf ~/.cache/pip
+
+# Remove deprecated dash dependencies
+RUN pip uninstall dash-html-components -y && \
+    pip uninstall dash-core-components -y
+
+USER prowler
+ENTRYPOINT ["poetry", "run", "prowler"]

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-Copyright 2018 Netflix, Inc.
+   Copyright @ 2024 Toni de la Fuente
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@ Copyright 2018 Netflix, Inc.
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

LIST_OF_CHECKS_AND_GROUPS.md

@@ -1,5 +0,0 @@
-```
-./prowler -l # to see all available checks and their groups.
-./prowler -L # to see all available groups only.
-./prowler -l -g groupname # to see checks in a particular group
-```

Makefile

@@ -0,0 +1,47 @@
+.DEFAULT_GOAL:=help
+
+##@ Testing
+test:   ## Test with pytest
+	rm -rf .coverage && \
+	pytest -n auto -vvv -s --cov=./prowler --cov-report=xml tests
+
+coverage: ## Show Test Coverage
+	coverage run --skip-covered -m pytest -v && \
+	coverage report -m && \
+	rm -rf .coverage && \
+	coverage report -m
+
+coverage-html: ## Show Test Coverage
+	rm -rf ./htmlcov && \
+	coverage html && \
+	open htmlcov/index.html
+
+##@ Linting
+format: ## Format Code
+	@echo "Running black..."
+	black .
+
+lint: ## Lint Code
+	@echo "Running flake8..."
+	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
+	@echo "Running black... "
+	black --check .
+	@echo "Running pylint..."
+	pylint --disable=W,C,R,E -j 0 prowler util
+
+##@ PyPI
+pypi-clean: ## Delete the distribution files
+	rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+
+pypi-build: ## Build package
+	$(MAKE) pypi-clean && \
+	poetry build
+
+pypi-upload: ## Upload package
+	python3 -m twine upload --repository pypi dist/*
+
+
+##@ Help
+help:     ## Show this help.
+	@echo "Prowler Makefile"
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

Pipfile

@@ -1,13 +0,0 @@
-[[source]]
-name = "pypi"
-url = "https://pypi.org/simple"
-verify_ssl = true
-
-[dev-packages]
-
-[packages]
-boto3 = ">=1.9.188"
-detect-secrets = "==1.0.3"
-
-[requires]
-python_version = "3.7"

README.md

@@ -1,701 +1,263 @@
 <p align="center">
-  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
+</p>
+<p align="center">
+  <b><i>Prowler Open Source</b> is as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security.
+</p>
+<p align="center">
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>
 
-# Prowler - AWS Security Tool
+<p align="center">
+<a href="https://goto.prowler.com/slack"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/38561120/3c8b4ec5-6849-41a5-b5e1-52bbb94af73a"></a>
+  <br>
+  <a href="https://goto.prowler.com/slack">Join our Prowler community!</a>
+</p>
+<hr>
+<p align="center">
+  <a href="https://goto.prowler.com/slack"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
+  <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
+  <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
+  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
+  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+</p>
+<p align="center">
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/issues"><img alt="Issues" src="https://img.shields.io/github/issues/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/release-date/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Contributors" src="https://img.shields.io/github/contributors-anon/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="License" src="https://img.shields.io/github/license/prowler-cloud/prowler"></a>
+  <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
+  <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
+</p>
+<hr>
+<p align="center">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
+</p>
 
-[![Discord Shield](https://discordapp.com/api/guilds/807208614288818196/widget.png?style=shield)](https://discord.gg/UjSMCVnxSB) 
-[![Docker Pulls](https://img.shields.io/docker/pulls/toniblyx/prowler)](https://hub.docker.com/r/toniblyx/prowler)
-[![aws-ecr](https://user-images.githubusercontent.com/3985464/141164269-8cfeef0f-6b62-4c99-8fe9-4537986a1613.png)](https://gallery.ecr.aws/o4g1s5r6/prowler)
+# Description
 
-   
-## Table of Contents
+**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call <a href="https://prowler.com">Prowler Cloud</a>.
 
-- [Description](#description)
-- [Features](#features)
-- [High level architecture](#high-level-architecture)
-- [Requirements and Installation](#requirements-and-installation)
-- [Usage](#usage)
-- [Screenshots](#screenshots)
-- [Advanced Usage](#advanced-usage)
-- [Security Hub integration](#security-hub-integration)
-- [CodeBuild deployment](#codebuild-deployment)
-- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
-- [Fix](#how-to-fix-every-fail)
-- [Troubleshooting](#troubleshooting)
-- [Extras](#extras)
-- [Forensics Ready Checks](#forensics-ready-checks)
-- [GDPR Checks](#gdpr-checks)
-- [HIPAA Checks](#hipaa-checks)
-- [Trust Boundaries Checks](#trust-boundaries-checks)
-- [Multi Account and Continuous Monitoring](util/org-multi-account/README.md)
-- [Add Custom Checks](#add-custom-checks)
-- [Third Party Integrations](#third-party-integrations)
-- [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
-- [License](#license)
+## Prowler App
 
-## Description
+Prowler App is a web application that allows you to run Prowler in your cloud provider accounts and visualize the results in a user-friendly interface.
 
-Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.
+![Prowler App](docs/img/overview.png)
 
-It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
+>More details at [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)
 
-Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
+## Prowler CLI
 
-## Features
+```console
+prowler <provider>
+```
+![Prowler CLI Execution](docs/img/short-display.png)
 
-+200 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:
+## Prowler Dashboard
 
-- Identity and Access Management [group1]
-- Logging  [group2]
-- Monitoring [group3]
-- Networking [group4]
-- CIS Level 1 [cislevel1]
-- CIS Level 2 [cislevel2]
-- Extras *see Extras section* [extras]
-- Forensics related group of checks [forensics-ready]
-- GDPR [gdpr] Read more [here](#gdpr-checks)
-- HIPAA [hipaa] Read more [here](#hipaa-checks)
-- Trust Boundaries [trustboundaries] Read more [here](#trust-boundaries-checks)
-- Secrets
-- Internet exposed resources
-- EKS-CIS
-- Also includes PCI-DSS, ISO-27001, FFIEC, SOC2, ENS (Esquema Nacional de Seguridad of Spain).
-- AWS FTR [FTR] Read more [here](#aws-ftr-checks)
+```console
+prowler dashboard
+```
+![Prowler Dashboard](docs/img/dashboard.png)
 
-With Prowler you can:
+It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
 
-- Get a direct colorful or monochrome report
-- A HTML, CSV, JUNIT, JSON or JSON ASFF format report
-- Send findings directly to Security Hub
-- Run specific checks and groups or create your own
-- Check multiple AWS accounts in parallel or sequentially
-- And more! Read examples below
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
+|---|---|---|---|---|
+| AWS | 564 | 82 | 33 | 10 |
+| GCP | 77 | 13 | 6 | 3 |
+| Azure | 140 | 18 | 7 | 3 |
+| Kubernetes | 83 | 7 | 4 | 7 |
+| Microsoft365 | 5 | 2 | 1 | 0 |
 
-## High level architecture
+> You can list the checks, services, compliance frameworks and categories with `prowler <provider> --list-checks`, `prowler <provider> --list-services`, `prowler <provider> --list-compliance` and `prowler <provider> --list-categories`.
 
-You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
+# 💻 Installation
 
-![Prowler high level architecture](https://user-images.githubusercontent.com/3985464/109143232-1488af80-7760-11eb-8d83-726790fda592.jpg)
-## Requirements and Installation
+## Prowler App
 
-Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
+Prowler App can be installed in different ways, depending on your environment:
 
-- Make sure the latest version of AWS-CLI is installed on your workstation (it works with either v1 or v2), and other components needed, with Python pip already installed:
+> See how to use Prowler App in the [Prowler App Usage Guide](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/prowler-app/).
 
-    ```sh
-    pip install awscli
-    ```
+### Docker Compose
 
-    > NOTE: detect-secrets Yelp version is no longer supported the one from IBM is mantained now. Use the one mentioned below or the specific Yelp version 1.0.3 to make sure it works as expected (`pip install detect-secrets==1.0.3`):
-    ```sh
-    pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
-    ```
+**Requirements**
 
-    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `detect-secrets` has to be installed using `pip` or `pip3`. You will need to install `jq` to get the most from Prowler.
+* `Docker Compose` installed: https://docs.docker.com/compose/install/.
 
-- Make sure jq is installed: examples below with "apt" for Debian alike and "yum" for RedHat alike distros (like Amazon Linux):
+**Commands**
 
-    ```sh
-    sudo apt install jq
-    ```
-
-    ```sh
-    sudo yum install jq
-    ```
-
-- Previous steps, from your workstation:
-
-    ```sh
-    git clone https://github.com/toniblyx/prowler
-    cd prowler
-    ```
-
-- Since Prowler users AWS CLI under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence). Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or intance profile):
-
-    ```sh
-    aws configure
-    ```
-
-    or
-
-    ```sh
-    export AWS_ACCESS_KEY_ID="ASXXXXXXX"
-    export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
-    export AWS_SESSION_TOKEN="XXXXXXXXX"
-    ```
-
-- Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the AWS managed policies, SecurityAudit and ViewOnlyAccess, to the user or role being used.  Policy ARNs are:
-
-    ```sh
-    arn:aws:iam::aws:policy/SecurityAudit
-    arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
-    ```
-
-    > Additional permissions needed: to make sure Prowler can scan all services included in the group *Extras*, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-security-hub.json).
-
-## Usage
-
-1. Run the `prowler` command without options (it will use your environment variable credentials if they exist or will default to using the `~/.aws/credentials` file and run checks over all regions when needed. The default region is us-east-1):
-
-    ```sh
-    ./prowler
-    ```
-
-    Use `-l` to list all available checks and the groups (sections) that reference them. To list all groups use `-L` and to list content of a group use `-l -g <groupname>`.
-
-    If you want to avoid installing dependencies run it using Docker:
-
-    ```sh
-    docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest
-    ```
-
-1. For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
-
-    ```sh
-    ./prowler -p custom-profile -r us-east-1
-    ```
-
-1. For a single check use option `-c`:
-
-    ```sh
-    ./prowler -c check310
-    ```
-
-    With Docker:
-
-    ```sh
-    docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest "-c check310"
-    ```
-
-    or multiple checks separated by comma:
-
-    ```sh
-    ./prowler -c check310,check722
-    ```
-
-    or all checks but some of them:
-
-    ```sh
-    ./prowler -E check42,check43
-    ```
-
-    or for custom profile and region:
-
-    ```sh
-    ./prowler -p custom-profile -r us-east-1 -c check11
-    ```
-
-    or for a group of checks use group name:
-
-    ```sh
-    ./prowler -g group1 # for iam related checks
-    ```
-
-    or exclude some checks in the group:
-
-    ```sh
-    ./prowler -g group4 -E check42,check43
-    ```
-
-    Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
-
-### Regions
-
-By default, Prowler scans all opt-in regions available, that might take a long execution time depending on the number of resources and regions used. Same applies for GovCloud or China regions. See below Advance usage for examples.
-
-Prowler has two parameters related to regions: `-r` that is used query AWS services API endpoints (it uses `us-east-1` by default and required for GovCloud or China) and the option `-f` that is to filter those regions you only want to scan. For example if you want to scan Dublin only use `-f eu-west-1` and if you want to scan Dublin and Ohio `-f 'eu-west-1 us-east-s'`, note the single quotes and space between regions.
-
-## Screenshots
-
-- Sample screenshot of default console report first lines of command `./prowler`:
-
-    <img width="900" src="https://user-images.githubusercontent.com/3985464/141444529-84640bed-be0b-4112-80a2-2a43e3ebf53f.png">
-
-- Sample screenshot of the html output `-M html`:
-
-    <img width="900" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/141443976-41d32cc2-533d-405a-92cb-affc3995d6ec.png">
-
-- Sample screenshot of the Quicksight dashboard, see [https://quicksight-security-dashboard.workshop.aws](quicksight-security-dashboard.workshop.aws/):
-
-    <img width="900" alt="Prowler with Quicksight" src="https://user-images.githubusercontent.com/3985464/128932819-0156e838-286d-483c-b953-fda68a325a3d.png">
-
-- Sample screenshot of the junit-xml output in CodeBuild `-M junit-xml`:
-
-    <img width="900" src="https://user-images.githubusercontent.com/3985464/113942824-ca382b00-9801-11eb-84e5-d7731548a7a9.png">
-
-### Save your reports
-
-1. If you want to save your report for later analysis thare are different ways, natively (supported text, mono, csv, json, json-asff, junit-xml and html, see note below for more info):
-
-    ```sh
-    ./prowler -M csv
-    ```
-
-    or with multiple formats at the same time:
-
-    ```sh
-    ./prowler -M csv,json,json-asff,html
-    ```
-
-    or just a group of checks in multiple formats:
-
-    ```sh
-    ./prowler -g gdpr -M csv,json,json-asff
-    ```
-
-    or if you want a sorted and dynamic HTML report do:
-
-    ```sh
-    ./prowler -M html
-    ```
-
-    Now `-M` creates a file inside the prowler `output` directory named `prowler-output-AWSACCOUNTID-YYYYMMDDHHMMSS.format`. You don't have to specify anything else, no pipes, no redirects.
-
-    or just saving the output to a file like below:
-
-    ```sh
-    ./prowler -M mono > prowler-report.txt
-    ```
-
-    To generate JUnit report files, include the junit-xml format. This can be combined with any other format. Files are written inside a prowler root directory named `junit-reports`:
-
-    ```sh
-    ./prowler -M text,junit-xml
-    ```
-
-    >Note about output formats to use with `-M`: "text" is the default one with colors, "mono" is like default one but monochrome, "csv" is comma separated values, "json" plain basic json (without comma between lines) and "json-asff" is also json with Amazon Security Finding Format that you can ship to Security Hub using `-S`.
-
-    or save your report in an S3 bucket (this only works for text or mono. For csv, json or json-asff it has to be copied afterwards):
-
-    ```sh
-    ./prowler -M mono | aws s3 cp - s3://bucket-name/prowler-report.txt
-    ```
-
-    When generating multiple formats and running using Docker, to retrieve the reports, bind a local directory to the container, e.g.:
-
-    ```sh
-    docker run -ti --rm --name prowler --volume "$(pwd)":/prowler/output --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -M csv,json
-    ```
-
-1. To perform an assessment based on CIS Profile Definitions you can use cislevel1 or cislevel2 with `-g` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
-
-    ```sh
-    ./prowler -g cislevel1
-    ```
-
-1. If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`) but you may want to read below in Advanced Usage section to do so assuming a role:
-
-    ```sh
-    grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
-    xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
-    ```
-
-1. For help about usage run:
-
-    ```
-    ./prowler -h
-    ```
-
-## Advanced Usage
-
-### Assume Role:
-
-Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier eather as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.
-
-```sh
-./prowler -A 123456789012 -R ProwlerRole
+``` console
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
+docker compose up -d
 ```
 
-```sh
-./prowler -A 123456789012 -R ProwlerRole -I 123456
+> Containers are built for `linux/amd64`. If your workstation's architecture is different, please set `DOCKER_DEFAULT_PLATFORM=linux/amd64` in your environment or use the `--platform linux/amd64` flag in the docker command.
+> Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.
+
+### From GitHub
+
+**Requirements**
+
+* `git` installed.
+* `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
+* `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
+* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+
+**Commands to run the API**
+
+``` console
+git clone https://github.com/prowler-cloud/prowler
+cd prowler/api
+poetry install
+eval $(poetry env activate)
+set -a
+source .env
+docker compose up postgres valkey -d
+cd src/backend
+python manage.py migrate --database admin
+gunicorn -c config/guniconf.py config.wsgi:application
+```
+> [!IMPORTANT]
+> Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+>
+> If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment.
+> In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
+
+> Now, you can access the API documentation at http://localhost:8080/api/v1/docs.
+
+**Commands to run the API Worker**
+
+``` console
+git clone https://github.com/prowler-cloud/prowler
+cd prowler/api
+poetry install
+eval $(poetry env activate)
+set -a
+source .env
+cd src/backend
+python -m celery -A config.celery worker -l info -E
 ```
 
-> *NOTE 1 about Session Duration*: By default it gets credentials valid for 1 hour (3600 seconds). Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>`  to allow up to 12h (43200 seconds). To allow more than 1h you need to modify *"Maximum CLI/API session duration"* for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
+**Commands to run the API Scheduler**
 
-> *NOTE 2 about Session Duration*: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
-
-For example, if you want to get only the fails in CSV format from all checks regarding RDS without banner from the AWS Account 123456789012 assuming the role RemoteRoleToAssume and set a fixed session duration of 1h:
-
-```sh
-./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -b -M cvs -q -g rds
-```
-or with a given External ID:
-```sh
-./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -I 123456 -b -M cvs -q -g rds
+``` console
+git clone https://github.com/prowler-cloud/prowler
+cd prowler/api
+poetry install
+eval $(poetry env activate)
+set -a
+source .env
+cd src/backend
+python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
 ```
 
-### Assume Role and across all accounts in AWS Organizations or just a list of accounts:
+**Commands to run the UI**
 
-If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:
-
-First get a list of accounts that are not suspended:
-```
-ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
-```
-Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
-```
-for accountId in $ACCOUNTS_IN_ORGS; do ./prowler -A $accountId -R RemoteRoleToAssume -c extra79; done
-```
-Usig the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
-
-### GovCloud
-
-Prowler runs in GovCloud regions as well. To make sure it points to the right API endpoint use `-r` to either `us-gov-west-1` or `us-gov-east-1`. If not filter region is used it will look for resources in both GovCloud regions by default:
-```sh
-./prowler -r us-gov-west-1
-```
-> For Security Hub integration see below in Security Hub section.
-
-### Custom folder for custom checks
-
-Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
-
-### Show or log only FAILs
-
-In order to remove noise and get only FAIL findings there is a `-q` flag that makes Prowler to show and log only FAILs. 
-It can be combined with any other option.
-Will show WARNINGS when a resource is excluded, just to take into consideration.
-
-```sh
-# -q option combined with -M csv -b
-./prowler -q -M csv -b
+``` console
+git clone https://github.com/prowler-cloud/prowler
+cd prowler/ui
+npm install
+npm run build
+npm start
 ```
 
-### Set the entropy limit for detect-secrets
+> Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.
 
-Sets the entropy limit for high entropy base64 strings from environment variable `BASE64_LIMIT`. Value must be between 0.0 and 8.0, defaults is 4.5.
-Sets the entropy limit for high entropy hex strings from environment variable `HEX_LIMIT`. Value must be between 0.0 and 8.0, defaults is 3.0.
+## Prowler CLI
+### Pip package
+Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python > 3.9.1, < 3.13:
 
-```sh
-export BASE64_LIMIT=4.5
-export HEX_LIMIT=3.0
+```console
+pip install prowler
+prowler -v
 ```
-### Run Prowler using AWS CloudShell
+>More details at [https://docs.prowler.com](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-cli-installation)
 
-An easy way to run Prowler to scan your account is using AWS CloudShell. Read more and learn how to do it [here](util/cloudshell/README.md).
+### Containers
 
-## Security Hub integration
+The available versions of Prowler CLI are the following:
 
-Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free. 
+- `latest`: in sync with `master` branch (bear in mind that it is not a stable version)
+- `v4-latest`: in sync with `v4` branch (bear in mind that it is not a stable version)
+- `v3-latest`: in sync with `v3` branch (bear in mind that it is not a stable version)
+- `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
+- `stable`: this tag always point to the latest release.
+- `v4-stable`: this tag always point to the latest release for v4.
+- `v3-stable`: this tag always point to the latest release for v3.
 
-Before sending findings to Prowler, you need to perform next steps:
-1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
-    - `aws securityhub enable-security-hub --region <region>`.
-2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
-    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
-    - Using the AWS Management Console:
-    ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
-3. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
-    - [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
+The container images are available here:
+- Prowler CLI:
+    - [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)
+    - [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)
+- Prowler App:
+    - [DockerHub - Prowler UI](https://hub.docker.com/r/prowlercloud/prowler-ui/tags)
+    - [DockerHub - Prowler API](https://hub.docker.com/r/prowlercloud/prowler-api/tags)
 
-Once it is enabled, it is as simple as running the command below (for all regions):
+### From GitHub
 
-```sh
-./prowler -M json-asff -S
+Python > 3.9.1, < 3.13 is required with pip and poetry:
+
+``` console
+git clone https://github.com/prowler-cloud/prowler
+cd prowler
+eval $(poetry env activate)
+poetry install
+python prowler-cli.py -v
 ```
-or for only one filtered region like eu-west-1:
-```sh
-./prowler -M json-asff -q -S -f eu-west-1
-```
-> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command. 
+> [!IMPORTANT]
+> Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+>
+> If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment.
+> In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
 
-> Note 2: Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).
+> If you want to clone Prowler from Windows, use `git config core.longpaths true` to allow long file paths.
+# 📐✏️ High level architecture
 
-> Note 3: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
+## Prowler App
+The **Prowler App** consists of three main components:
 
-Once you run findings for first time you will be able to see Prowler findings in Findings section:
+- **Prowler UI**: A user-friendly web interface for running Prowler and viewing results, powered by Next.js.
+- **Prowler API**: The backend API that executes Prowler scans and stores the results, built with Django REST Framework.
+- **Prowler SDK**: A Python SDK that integrates with the Prowler CLI for advanced functionality.
 
-![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
+![Prowler App Architecture](docs/img/prowler-app-architecture.png)
 
-### Security Hub in GovCloud regions
+## Prowler CLI
+You can run Prowler from your workstation, a Kubernetes Job, a Google Compute Engine, an Azure VM, an EC2 instance, Fargate or any other container, CloudShell and many more.
 
-To use Prowler and Security Hub integration in GovCloud there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `us-gov-west-1`:
-```
-./prowler -r us-gov-west-1 -f us-gov-west-1 -S -M csv,json-asff -q
-```
+![Architecture](docs/img/architecture.png)
 
-### Security Hub in China regions
+# Deprecations from v3
 
-To use Prowler and Security Hub integration in China regions there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `cn-north-1`:
-```
-./prowler -r cn-north-1 -f cn-north-1 -q -S -M csv,json-asff
-```
+## General
+- `Allowlist` now is called `Mutelist`.
+- The `--quiet` option has been deprecated, now use the `--status` flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
+- All `INFO` finding's status has changed to `MANUAL`.
+- The CSV output format is common for all the providers.
 
-## CodeBuild deployment
+We have deprecated some of our outputs formats:
+- The native JSON is replaced for the JSON [OCSF](https://schema.ocsf.io/) v1.1.0, common for all the providers.
 
-Either to run Prowler once or based on a schedule this template makes it pretty straight forward. This template will create a CodeBuild environment and run Prowler directly leaving all reports in a bucket and creating a report also inside CodeBuild basedon the JUnit output from Prowler. Scheduling can be cron based like `cron(0 22 * * ? *)` or rate based like `rate(5 hours)` since CloudWatch Event rules (or Eventbridge) is used here.
+## AWS
+- Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
+- To send only FAILS to AWS Security Hub, now use either `--send-sh-only-fails` or `--security-hub --status FAIL`.
 
-The Cloud Formation template that helps you doing that is [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml). 
 
-> This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
+# 📖 Documentation
 
-## Whitelist or allowlist or remove a fail from resources
+Install, Usage, Tutorials and Developer Guide is at https://docs.prowler.com/
 
-Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
-
-```
-./prowler -w whitelist_sample.txt
-```
-
-Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
-
-## How to fix every FAIL
-
-Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>
-
-## Troubleshooting
-
-### STS expired token
-
-If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
-
-```sh
-A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
-```
-
-To fix it, please renew your token by authenticating again to the AWS API, see next section below if you use MFA.
-
-### Run Prowler with MFA protected credentials
-
-To run Prowler using a profile that requires MFA you just need to get the session token before hand. Just make sure you use this command:
-
-```sh
-aws --profile <YOUR_AWS_PROFILE> sts get-session-token --duration 129600 --serial-number <ARN_OF_MFA> --token-code <MFA_TOKEN_CODE> --output text
-```
-
-Once you get your token you can export it as environment variable:
-
-```sh
-export AWS_PROFILE=YOUR_AWS_PROFILE
-export AWS_SESSION_TOKEN=YOUR_NEW_TOKEN
-AWS_SECRET_ACCESS_KEY=YOUR_SECRET
-export AWS_ACCESS_KEY_ID=YOUR_KEY
-```
-
-or set manually up your `~/.aws/credentials` file properly.
-
-There are some helpfull tools to save time in this process like [aws-mfa-script](https://github.com/asagage/aws-mfa-script) or [aws-cli-mfa](https://github.com/sweharris/aws-cli-mfa).
-
-### AWS Managed IAM Policies
-
-[ViewOnlyAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_view-only-user)
-- Use case: This user can view a list of AWS resources and basic metadata in the account across all services. The user cannot read resource content or metadata that goes beyond the quota and list information for resources.
-- Policy description: This policy grants List*, Describe*, Get*, View*, and Lookup* access to resources for most AWS services. To see what actions this policy includes for each service, see [ViewOnlyAccess Permissions](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess)
-
-[SecurityAudit](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor)
-- Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.
-- Policy description: This policy grants permissions to view configuration data for many AWS services and to review their logs. To see what actions this policy includes for each service, see [SecurityAudit Permissions](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/SecurityAudit)
-
-### Custom IAM Policy
-
-[Prowler-Additions-Policy](iam/prowler-additions-policy.json)
-
-Some new and specific checks require Prowler to inherit more permissions than SecurityAudit and ViewOnlyAccess to work properly. In addition to the AWS managed policies, "SecurityAudit" and "ViewOnlyAccess", the user/role you use for checks may need to be granted a custom policy with a few more read-only permissions (to support additional services mostly). Here is an example policy with the additional rights, "Prowler-Additions-Policy" (see below bootstrap script for set it up):
-
-- [iam/prowler-additions-policy.json](iam/prowler-additions-policy.json)
-
-[Prowler-Security-Hub Policy](iam/prowler-security-hub.json)
-
-Allows Prowler to import its findings to [AWS Security Hub](https://aws.amazon.com/security-hub). More information in [Security Hub integration](#security-hub-integration):
-
-- [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
-
-### Bootstrap Script
-
-Quick bash script to set up a "prowler" IAM user with "SecurityAudit" and "ViewOnlyAccess" group with the required permissions (including "Prowler-Additions-Policy"). To run the script below, you need user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account:
-
-```sh
-export AWS_DEFAULT_PROFILE=default
-export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
-aws iam create-group --group-name Prowler
-aws iam create-policy --policy-name Prowler-Additions-Policy --policy-document file://$(pwd)/iam/prowler-additions-policy.json
-aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::aws:policy/SecurityAudit
-aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
-aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/Prowler-Additions-Policy
-aws iam create-user --user-name prowler
-aws iam add-user-to-group --user-name prowler --group-name Prowler
-aws iam create-access-key --user-name prowler
-unset ACCOUNT_ID AWS_DEFAULT_PROFILE
-```
-
-The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with Prowler. This is the only time they secret key will be shown.  If you lose it, you will need to generate a replacement.
-
-> [This CloudFormation template](iam/create_role_to_assume_cfn.yaml) may also help you on that task.
-
-## Extras
-
-We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS, but we consider them very helpful to get to know each AWS account set up and find issues on it.
-
-Some of these checks look for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
-
-To list all existing checks in the extras group run the command below:
-
-```sh
-./prowler -l -g extras
-```
-
->There are some checks not included in that list, they are experimental or checks that takes long to run like `extra759` and `extra760` (search for secrets in Lambda function variables and code).
-
-To check all extras in one command:
-
-```sh
-./prowler -g extras
-```
-
-or to run just one of the checks:
-
-```sh
-./prowler -c extraNUMBER
-```
-
-or to run multiple extras in one go:
-
-```sh
-./prowler -c extraNumber,extraNumber
-```
-
-
-## Forensics Ready Checks
-
-With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group (you can also see all groups with `./prowler -L`). The list of checks can be seen in the group file at:
-
-[groups/group8_forensics](groups/group8_forensics)
-
-The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
-
-```sh
-./prowler -g forensics-ready
-```
-
-## GDPR Checks
-
-With this group of checks, Prowler shows result of checks related to GDPR, more information [here](https://github.com/toniblyx/prowler/issues/189). The list of checks can be seen in the group file at:
-
-[groups/group9_gdpr](groups/group9_gdpr)
-
-The `gdpr` group of checks uses existing and extra checks. To get a GDPR report, run this command:
-
-```sh
-./prowler -g gdpr
-```
-
-## AWS FTR Checks
-
-With this group of checks, Prowler shows result of checks related to the AWS Foundational Technical Review, more information [here](https://apn-checklists.s3.amazonaws.com/foundational/partner-hosted/partner-hosted/CVLHEC5X7.html). The list of checks can be seen in the group file at:
-
-[groups/group25_ftr](groups/group25_ftr)
-
-The `ftr` group of checks uses existing and extra checks. To get a AWS FTR report, run this command:
-
-```sh
-./prowler -g ftr
-```
-
-## HIPAA Checks
-
-With this group of checks, Prowler shows results of controls related to the "Security Rule" of the Health Insurance Portability and Accountability Act aka [HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/index.html) as defined in [45 CFR Subpart C - Security Standards for the Protection of Electronic Protected Health Information](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) within [PART 160 - GENERAL ADMINISTRATIVE REQUIREMENTS](https://www.law.cornell.edu/cfr/text/45/part-160) and [Subpart A](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-A) and [Subpart C](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) of PART 164 - SECURITY AND PRIVACY
-
-More information on the original PR is [here](https://github.com/toniblyx/prowler/issues/227).
-
-### Note on Business Associate Addendum's (BAA)
-
-Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates. The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to ensure that AWS appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by AWS, based on the relationship between AWS and our customers, and the activities or services being performed by AWS. Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services defined in the Business Associate Addendum (BAA). For the latest list of HIPAA-eligible AWS services, see [HIPAA Eligible Services Reference](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/).
-
-More information on AWS & HIPAA can be found [here](https://aws.amazon.com/compliance/hipaa-compliance/)
-
-The list of checks showed by this group is as follows, they will be mostly relevant for Subsections [164.306 Security standards: General rules](https://www.law.cornell.edu/cfr/text/45/164.306) and [164.312 Technical safeguards](https://www.law.cornell.edu/cfr/text/45/164.312). Prowler is only able to make checks in the spirit of the technical requirements outlined in these Subsections, and cannot cover all procedural controls required. They be found in the group file at:
-
-[groups/group10_hipaa](groups/group10_hipaa)
-
-The `hipaa` group of checks uses existing and extra checks. To get a HIPAA report, run this command:
-
-```sh
-./prowler -g hipaa
-```
-
-## Trust Boundaries Checks
-
-### Definition and Terms
-
-The term "trust boundary" is originating from the threat modelling process and the most popular contributor Adam Shostack and author of "Threat Modeling: Designing for Security" defines it as following ([reference](https://adam.shostack.org/uncover.html)):
-
-> Trust boundaries are perhaps the most subjective of all: these represent the border between trusted and untrusted elements. Trust is complex. You might trust your mechanic with your car, your dentist with your teeth, and your banker with your money, but you probably don't trust your dentist to change your spark plugs.
-
-AWS is made to be flexible for service links within and between different AWS accounts, we all know that.
-
-This group of checks helps to analyse a particular AWS account (subject) on existing links to other AWS accounts across various AWS services, in order to identify untrusted links.
-
-### Run
-To give it a quick shot just call:
-
-```sh
-./prowler -g trustboundaries
-```
-
-### Scenarios
-
-Currently, this check group supports two different scenarios:
-
-1. Single account environment: no action required, the configuration is happening automatically for you.
-2. Multi account environment: in case you environment has multiple trusted and known AWS accounts you maybe want to append them manually to [groups/group16_trustboundaries](groups/group16_trustboundaries) as a space separated list into `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable, then just run prowler.
-
-### Coverage
-
-Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html):
-| Topic                           | Service    | Trust Boundary                                                            |
-|---------------------------------|------------|---------------------------------------------------------------------------|
-| Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786))             |
-|                                 |            | VPC endpoints whitelisted principals ([extra787](checks/check_extra787))  |
-
-All ideas or recommendations to extend this group are very welcome [here](https://github.com/toniblyx/prowler/issues/new/choose).
-
-### Detailed Explanation of the Concept
-
-The diagrams depict two common scenarios, single account and multi account environments.
-Every circle represents one AWS account.
-The dashed line represents the trust boundary, that separates trust and untrusted AWS accounts.
-The arrow simply describes the direction of the trust, however the data can potentially flow in both directions.
-
-Single Account environment assumes that only the AWS account subject to this analysis is trusted. However, there is a chance that two VPCs are existing within that one AWS account which are still trusted as a self reference.
-![single-account-environment](/docs/images/prowler-single-account-environment.png)
-
-Multi Account environments assumes a minimum of two trusted or known accounts. For this particular example all trusted and known accounts will be tested. Therefore `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable in [groups/group16_trustboundaries](groups/group16_trustboundaries) should include all trusted accounts Account #A, Account #B, Account #C, and Account #D in order to finally raise Account #E and Account #F for being untrusted or unknown.
-![multi-account-environment](/docs/images/prowler-multi-account-environment.png)
-
-## Add Custom Checks
-
-In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:
-
-1. Follow structure in file `checks/check_sample`
-2. Name your check with a number part of an existing group or a new one
-3. Save changes and run it as `./prowler -c extraNN`
-4. Send me a pull request! :)
-
-## Add Custom Groups
-
-1. Follow structure in file `groups/groupN_sample`
-1. Name your group with a non existing number
-1. Save changes and run it as `./prowler -g extraNN`
-1. Send me a pull request! :)
-
-- You can also create a group with only the checks that you want to perform in your company, for instance a group named `group9_mycompany` with only the list of checks that you care or your particular compliance applies.
-
-## Third Party Integrations
-
-### Telegram
-
-Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here <https://github.com/i4specete/ServerTelegramBot>
-
-### Cloud Security Suite
-
-The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools <https://github.com/SecurityFTW/cs-suite>
-
-## License
+# 📃 License
 
 Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
 <http://www.apache.org/licenses/LICENSE-2.0>
-
-**I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
-
-If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open.

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Software Security
+As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated:
+
+- `bandit` for code security review.
+- `safety` and `dependabot` for dependencies.
+- `hadolint` and `dockle` for our containers security.
+- `snyk` in Docker Hub.
+- `clair` in Amazon ECR.
+- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
+
+## Reporting a Vulnerability
+
+If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to https://support.prowler.com.
+
+The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+
+We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
+
+You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
+
+We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

api/.env.example

@@ -0,0 +1,55 @@
+# Django settings
+DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
+DJANGO_BIND_ADDRESS=0.0.0.0
+DJANGO_PORT=8000
+DJANGO_DEBUG=False
+# Select one of [production|devel]
+DJANGO_SETTINGS_MODULE=config.django.[production|devel]
+# Select one of [ndjson|human_readable]
+DJANGO_LOGGING_FORMATTER=[ndjson|human_readable]
+# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
+# Applies to both Django and Celery Workers
+DJANGO_LOGGING_LEVEL=INFO
+DJANGO_WORKERS=4 # Defaults to the maximum available based on CPU cores if not set.
+DJANGO_TOKEN_SIGNING_KEY=""
+DJANGO_TOKEN_VERIFYING_KEY=""
+# Token lifetime is in minutes
+DJANGO_ACCESS_TOKEN_LIFETIME=30
+DJANGO_REFRESH_TOKEN_LIFETIME=1440
+DJANGO_CACHE_MAX_AGE=3600
+DJANGO_STALE_WHILE_REVALIDATE=60
+DJANGO_SECRETS_ENCRYPTION_KEY=""
+# Decide whether to allow Django manage database table partitions
+DJANGO_MANAGE_DB_PARTITIONS=[True|False]
+DJANGO_CELERY_DEADLOCK_ATTEMPTS=5
+DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
+DJANGO_SENTRY_DSN=
+
+# PostgreSQL settings
+# If running django and celery on host, use 'localhost', else use 'postgres-db'
+POSTGRES_HOST=[localhost|postgres-db]
+POSTGRES_PORT=5432
+POSTGRES_ADMIN_USER=prowler
+POSTGRES_ADMIN_PASSWORD=S3cret
+POSTGRES_USER=prowler_user
+POSTGRES_PASSWORD=S3cret
+POSTGRES_DB=prowler_db
+
+# Valkey settings
+# If running django and celery on host, use localhost, else use 'valkey'
+VALKEY_HOST=[localhost|valkey]
+VALKEY_PORT=6379
+VALKEY_DB=0
+
+# Sentry settings
+SENTRY_ENVIRONMENT=local
+SENTRY_RELEASE=local
+
+# Social login credentials
+DJANGO_GOOGLE_OAUTH_CLIENT_ID=""
+DJANGO_GOOGLE_OAUTH_CLIENT_SECRET=""
+DJANGO_GOOGLE_OAUTH_CALLBACK_URL=""
+
+DJANGO_GITHUB_OAUTH_CLIENT_ID=""
+DJANGO_GITHUB_OAUTH_CLIENT_SECRET=""
+DJANGO_GITHUB_OAUTH_CALLBACK_URL=""

api/.gitignore

@@ -0,0 +1,168 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.pyc
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+/_data/
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+*.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+.idea/
+
+# VSCode
+.vscode/

api/.pre-commit-config.yaml

@@ -0,0 +1,91 @@
+repos:
+  ## GENERAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: check-merge-conflict
+      - id: check-yaml
+        args: ["--unsafe"]
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args: ["--autofix", "--no-sort-keys", "--no-ensure-ascii"]
+        exclude: 'src/backend/api/fixtures/dev/.*\.json$'
+
+  ## TOML
+  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+    rev: v2.13.0
+    hooks:
+      - id: pretty-format-toml
+        args: [--autofix]
+        files: pyproject.toml
+
+  ## BASH
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.10.0
+    hooks:
+      - id: shellcheck
+        exclude: contrib
+  ## PYTHON
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.5.0
+    hooks:
+      # Run the linter.
+      - id: ruff
+        args: [ --fix ]
+      # Run the formatter.
+      - id: ruff-format
+
+  - repo: https://github.com/python-poetry/poetry
+    rev: 1.8.0
+    hooks:
+      - id: poetry-check
+        args: ["--directory=src"]
+      - id: poetry-lock
+        args: ["--no-update", "--directory=src"]
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.13.0-beta
+    hooks:
+      - id: hadolint
+        args: ["--ignore=DL3013", "Dockerfile"]
+
+  - repo: local
+    hooks:
+      - id: pylint
+        name: pylint
+        entry: bash -c 'poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/'
+        language: system
+        files: '.*\.py'
+
+      - id: trufflehog
+        name: TruffleHog
+        description: Detect secrets in your data.
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
+        # For running trufflehog in docker, use the following entry instead:
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        language: system
+        stages: ["commit", "push"]
+
+      - id: bandit
+        name: bandit
+        description: "Bandit is a tool for finding common security issues in Python code"
+        entry: bash -c 'poetry run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
+        language: system
+        files: '.*\.py'
+
+      - id: safety
+        name: safety
+        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
+        entry: bash -c 'poetry run safety check --ignore 70612,66963'
+        language: system
+
+      - id: vulture
+        name: vulture
+        description: "Vulture finds unused code in Python programs."
+        entry: bash -c 'poetry run vulture --exclude "contrib,.venv,tests,conftest.py" --min-confidence 100 .'
+        language: system
+        files: '.*\.py'

api/CHANGELOG.md

@@ -0,0 +1,46 @@
+# Prowler API Changelog
+
+All notable changes to the **Prowler API** are documented in this file.
+
+---
+
+## [v1.6.0] (Prowler UNRELEASED)
+
+### Added
+
+- Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167).
+- HTTP Security Headers [(#7289)](https://github.com/prowler-cloud/prowler/pull/7289).
+
+---
+
+## [v1.5.1] (Prowler v5.4.1)
+
+### Fixed
+- Added a handled response in case local files are missing [(#7183)](https://github.com/prowler-cloud/prowler/pull/7183).
+- Fixed a race condition when deleting export files after the S3 upload [(#7172)](https://github.com/prowler-cloud/prowler/pull/7172).
+- Handled exception when a provider has no secret in test connection [(#7283)](https://github.com/prowler-cloud/prowler/pull/7283).
+
+
+---
+
+## [v1.5.0] (Prowler v5.4.0)
+
+### Added
+- Social login integration with Google and GitHub [(#6906)](https://github.com/prowler-cloud/prowler/pull/6906)
+- Add API scan report system, now all scans launched from the API will generate a compressed file with the report in OCSF, CSV and HTML formats [(#6878)](https://github.com/prowler-cloud/prowler/pull/6878).
+- Configurable Sentry integration [(#6874)](https://github.com/prowler-cloud/prowler/pull/6874)
+
+### Changed
+- Optimized `GET /findings` endpoint to improve response time and size [(#7019)](https://github.com/prowler-cloud/prowler/pull/7019).
+
+---
+
+## [v1.4.0] (Prowler v5.3.0)
+
+### Changed
+- Daily scheduled scan instances are now created beforehand with `SCHEDULED` state [(#6700)](https://github.com/prowler-cloud/prowler/pull/6700).
+- Findings endpoints now require at least one date filter [(#6800)](https://github.com/prowler-cloud/prowler/pull/6800).
+- Findings metadata endpoint received a performance improvement [(#6863)](https://github.com/prowler-cloud/prowler/pull/6863).
+- Increased the allowed length of the provider UID for Kubernetes providers [(#6869)](https://github.com/prowler-cloud/prowler/pull/6869).
+
+---

api/Dockerfile

@@ -0,0 +1,47 @@
+FROM python:3.12.8-alpine3.20 AS build
+
+LABEL maintainer="https://github.com/prowler-cloud/api"
+
+# hadolint ignore=DL3018
+RUN apk --no-cache add gcc python3-dev musl-dev linux-headers curl-dev
+
+RUN apk --no-cache upgrade && \
+    addgroup -g 1000 prowler && \
+    adduser -D -u 1000 -G prowler prowler
+USER prowler
+
+WORKDIR /home/prowler
+
+COPY pyproject.toml ./
+
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir poetry
+
+COPY src/backend/  ./backend/
+
+ENV PATH="/home/prowler/.local/bin:$PATH"
+
+# Add `--no-root` to avoid installing the current project as a package
+RUN poetry install --no-root && \
+    rm -rf ~/.cache/pip
+
+COPY docker-entrypoint.sh ./docker-entrypoint.sh
+
+WORKDIR /home/prowler/backend
+
+# Development image
+# hadolint ignore=DL3006
+FROM build AS dev
+
+USER 0
+# hadolint ignore=DL3018
+RUN apk --no-cache add curl vim
+
+USER prowler
+
+ENTRYPOINT ["../docker-entrypoint.sh", "dev"]
+
+# Production image
+FROM build
+
+ENTRYPOINT ["../docker-entrypoint.sh", "prod"]

api/README.md

@@ -0,0 +1,334 @@
+# Description
+
+This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.
+
+# Components
+The Prowler API is composed of the following components:
+
+- The JSON API, which is an API built with Django Rest Framework.
+- The Celery worker, which is responsible for executing the background tasks that are defined in the JSON API.
+- The PostgreSQL database, which is used to store the data.
+- The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.
+
+## Note about Valkey
+
+[Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.
+
+Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.
+
+# Modify environment variables
+
+Under the root path of the project, you can find a file called `.env.example`. This file shows all the environment variables that the project uses. You *must* create a new file called `.env` and set the values for the variables.
+
+## Local deployment
+Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.
+
+To do this, you can run:
+
+```console
+poetry shell
+set -a
+source .env
+```
+
+# 🚀 Production deployment
+## Docker deployment
+
+This method requires `docker` and `docker compose`.
+
+### Clone the repository
+
+```console
+# HTTPS
+git clone https://github.com/prowler-cloud/api.git
+
+# SSH
+git clone git@github.com:prowler-cloud/api.git
+
+```
+
+### Build the base image
+
+```console
+docker compose --profile prod build
+```
+
+### Run the production service
+
+This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.
+
+```console
+docker compose --profile prod up -d
+```
+
+You can access the server in `http://localhost:8080`.
+
+> **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.
+
+### View the Production Server Logs
+
+To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:
+
+```console
+docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
+
+## Local deployment
+
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.
+
+### Clone the repository
+
+```console
+# HTTPS
+git clone https://github.com/prowler-cloud/api.git
+
+# SSH
+git clone git@github.com:prowler-cloud/api.git
+
+```
+### Install all dependencies with Poetry
+
+```console
+poetry install
+poetry shell
+```
+
+## Start the PostgreSQL Database and Valkey
+
+The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.
+
+**Note:** Make sure to use the specified versions, as there are features in our setup that may not be compatible with older versions of PostgreSQL and Valkey.
+
+
+```console
+docker compose up postgres valkey -d
+```
+
+## Deploy Django and the Celery worker
+
+### Run migrations
+
+For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
+
+```console
+cd src/backend
+python manage.py migrate --database admin
+```
+
+### Run the Celery worker
+
+```console
+cd src/backend
+python -m celery -A config.celery worker -l info -E
+```
+
+### Run the Django server with Gunicorn
+
+```console
+cd src/backend
+gunicorn -c config/guniconf.py config.wsgi:application
+```
+
+> By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.
+
+# 🧪 Development guide
+
+## Local deployment
+
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.
+
+### Clone the repository
+
+```console
+# HTTPS
+git clone https://github.com/prowler-cloud/api.git
+
+# SSH
+git clone git@github.com:prowler-cloud/api.git
+
+```
+
+### Start the PostgreSQL Database and Valkey
+
+The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.
+
+**Note:** Make sure to use the specified versions, as there are features in our setup that may not be compatible with older versions of PostgreSQL and Valkey.
+
+
+```console
+docker compose up postgres valkey -d
+```
+
+### Install the Python dependencies
+
+> You must have Poetry installed
+
+```console
+poetry install
+poetry shell
+```
+
+### Apply migrations
+
+For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
+
+```console
+cd src/backend
+python manage.py migrate --database admin
+```
+
+### Run the Django development server
+
+```console
+cd src/backend
+python manage.py runserver
+```
+
+You can access the server in `http://localhost:8000`.
+All changes in the code will be automatically reloaded in the server.
+
+### Run the Celery worker
+
+```console
+python -m celery -A config.celery worker -l info -E
+```
+
+The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.
+
+## Docker deployment
+
+This method requires `docker` and `docker compose`.
+
+### Clone the repository
+
+```console
+# HTTPS
+git clone https://github.com/prowler-cloud/api.git
+
+# SSH
+git clone git@github.com:prowler-cloud/api.git
+
+```
+
+### Build the base image
+
+```console
+docker compose --profile dev build
+```
+
+### Run the development service
+
+This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.
+
+```console
+docker compose --profile dev up -d
+```
+
+You can access the server in `http://localhost:8080`.
+All changes in the code will be automatically reloaded in the server.
+
+> **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.
+
+### View the development server logs
+
+To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:
+
+```console
+docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
+
+## Applying migrations
+
+For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
+
+```console
+poetry shell
+cd src/backend
+python manage.py migrate --database admin
+```
+
+## Apply fixtures
+
+Fixtures are used to populate the database with initial development data.
+
+```console
+poetry shell
+cd src/backend
+python manage.py loaddata api/fixtures/0_dev_users.json --database admin
+```
+
+> The default credentials are `dev@prowler.com:thisisapassword123` or `dev2@prowler.com:thisisapassword123`
+
+## Run tests
+
+Note that the tests will fail if you use the same `.env` file as the development environment.
+
+For best results, run in a new shell with no environment variables set.
+
+```console
+poetry shell
+cd src/backend
+pytest
+```
+
+# Custom commands
+
+Django provides a way to create custom commands that can be run from the command line.
+
+> These commands can be found in: ```prowler/api/src/backend/api/management/commands```
+
+To run a custom command, you need to be in the `prowler/api/src/backend` directory and run:
+
+```console
+poetry shell
+python manage.py <command_name>
+```
+
+## Generate dummy data
+
+```console
+python manage.py findings --tenant
+<TENANT_ID> --findings <NUM_FINDINGS> --re
+sources <NUM_RESOURCES> --batch <TRANSACTION_BATCH_SIZE> --alias <ALIAS>
+```
+
+This command creates, for a given tenant, a provider, scan and a set of findings and resources related altogether.
+
+> Scan progress and state are updated in real time.
+> - 0-33%: Create resources.
+> - 33-66%: Create findings.
+> - 66%: Create resource-finding mapping.
+>
+> The last step is required to access the findings details, since the UI needs that to print all the information.
+
+### Example
+
+```console
+~/backend $ poetry run python manage.py findings --tenant
+fffb1893-3fc7-4623-a5d9-fae47da1c528 --findings 25000 --re
+sources 1000 --batch 5000 --alias test-script
+
+Starting data population
+	Tenant: fffb1893-3fc7-4623-a5d9-fae47da1c528
+	Alias: test-script
+	Resources: 1000
+	Findings: 25000
+	Batch size: 5000
+
+
+Creating resources...
+100%|███████████████████████| 1/1 [00:00<00:00,  7.72it/s]
+Resources created successfully.
+
+
+Creating findings...
+100%|███████████████████████| 5/5 [00:05<00:00,  1.09s/it]
+Findings created successfully.
+
+
+Creating resource-finding mappings...
+100%|███████████████████████| 5/5 [00:02<00:00,  1.81it/s]
+Resource-finding mappings created successfully.
+
+
+Successfully populated test data.
+```

api/docker-compose.yml

@@ -0,0 +1,125 @@
+services:
+  api:
+    build:
+      dockerfile: Dockerfile
+    image: prowler-api
+    env_file:
+      - path: ./.env
+        required: false
+    ports:
+      - "${DJANGO_PORT:-8000}:${DJANGO_PORT:-8000}"
+    profiles:
+      - prod
+    depends_on:
+      postgres:
+        condition: service_healthy
+      valkey:
+        condition: service_healthy
+    entrypoint:
+      - "../docker-entrypoint.sh"
+      - "prod"
+
+  api-dev:
+    build:
+      dockerfile: Dockerfile
+      target: dev
+    image: prowler-api-dev
+    environment:
+      - DJANGO_SETTINGS_MODULE=config.django.devel
+      - DJANGO_LOGGING_FORMATTER=human_readable
+    env_file:
+      - path: ./.env
+        required: false
+    ports:
+      - "${DJANGO_PORT:-8080}:${DJANGO_PORT:-8080}"
+    volumes:
+      - "./src/backend:/home/prowler/backend"
+      - "./pyproject.toml:/home/prowler/pyproject.toml"
+    profiles:
+      - dev
+    depends_on:
+      postgres:
+        condition: service_healthy
+      valkey:
+        condition: service_healthy
+    entrypoint:
+      - "../docker-entrypoint.sh"
+      - "dev"
+
+  postgres:
+    image: postgres:16.3-alpine
+    ports:
+      - "${POSTGRES_PORT:-5432}:${POSTGRES_PORT:-5432}"
+    hostname: "postgres-db"
+    volumes:
+      - ./_data/postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=${POSTGRES_ADMIN_USER:-prowler}
+      - POSTGRES_PASSWORD=${POSTGRES_ADMIN_PASSWORD:-S3cret}
+      - POSTGRES_DB=${POSTGRES_DB:-prowler_db}
+    env_file:
+      - path: ./.env
+        required: false
+    healthcheck:
+      test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER:-prowler} -d ${POSTGRES_DB:-prowler_db}'"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  valkey:
+    image: valkey/valkey:7-alpine3.19
+    ports:
+      - "${VALKEY_PORT:-6379}:6379"
+    hostname: "valkey"
+    volumes:
+      - ./_data/valkey:/data
+    env_file:
+      - path: ./.env
+        required: false
+    healthcheck:
+      test: ["CMD-SHELL", "sh -c 'valkey-cli ping'"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+  worker:
+    build:
+      dockerfile: Dockerfile
+    image: prowler-worker
+    environment:
+      - DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE:-config.django.production}
+    env_file:
+      - path: ./.env
+        required: false
+    profiles:
+      - dev
+      - prod
+    depends_on:
+      valkey:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    entrypoint:
+      - "../docker-entrypoint.sh"
+      - "worker"
+
+  worker-beat:
+    build:
+      dockerfile: Dockerfile
+    image: prowler-worker
+    environment:
+      - DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE:-config.django.production}
+    env_file:
+      - path: ./.env
+        required: false
+    profiles:
+      - dev
+      - prod
+    depends_on:
+      valkey:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    entrypoint:
+      - "../docker-entrypoint.sh"
+      - "beat"

api/docker-entrypoint.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+
+
+apply_migrations() {
+  echo "Applying database migrations..."
+  poetry run python manage.py migrate --database admin
+}
+
+apply_fixtures() {
+  echo "Applying Django fixtures..."
+  for fixture in api/fixtures/dev/*.json; do
+    if [ -f "$fixture" ]; then
+      echo "Loading $fixture"
+      poetry run python manage.py loaddata "$fixture" --database admin
+    fi
+  done
+}
+
+start_dev_server() {
+  echo "Starting the development server..."
+  poetry run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
+}
+
+start_prod_server() {
+  echo "Starting the Gunicorn server..."
+  poetry run gunicorn -c config/guniconf.py config.wsgi:application
+}
+
+start_worker() {
+  echo "Starting the worker..."
+  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion -E --max-tasks-per-child 1
+}
+
+start_worker_beat() {
+  echo "Starting the worker-beat..."
+  sleep 15
+  poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
+}
+
+manage_db_partitions() {
+  if [ "${DJANGO_MANAGE_DB_PARTITIONS}" = "True" ]; then
+    echo "Managing DB partitions..."
+    # For now we skip the deletion of partitions until we define the data retention policy
+    # --yes auto approves the operation without the need of an interactive terminal
+    poetry run python manage.py pgpartition --using admin --skip-delete --yes
+  fi
+}
+
+case "$1" in
+  dev)
+    apply_migrations
+    apply_fixtures
+    manage_db_partitions
+    start_dev_server
+    ;;
+  prod)
+    apply_migrations
+    manage_db_partitions
+    start_prod_server
+    ;;
+  worker)
+    start_worker
+    ;;
+  beat)
+    start_worker_beat
+    ;;
+  *)
+    echo "Usage: $0 {dev|prod|worker|beat}"
+    exit 1
+    ;;
+esac

api/docs/partitions.md

@@ -0,0 +1,65 @@
+# Partitions
+
+## Overview
+
+Partitions are used to split the data in a table into smaller chunks, allowing for more efficient querying and storage.
+
+The Prowler API uses partitions to store findings. The partitions are created based on the UUIDv7 `id` field.
+
+You can use the Prowler API without ever creating additional partitions. This documentation is only relevant if you want to manage partitions to gain additional query performance.
+
+### Required Postgres Configuration
+
+There are 3 configuration options that need to be set in the `postgres.conf` file to get the most performance out of the partitioning:
+
+- `enable_partition_pruning = on` (default is on)
+- `enable_partitionwise_join = on` (default is off)
+- `enable_partitionwise_aggregate = on` (default is off)
+
+For more information on these options, see the [Postgres documentation](https://www.postgresql.org/docs/current/runtime-config-query.html).
+
+## Partitioning Strategy
+
+The partitioning strategy is defined in the `api.partitions` module. The strategy is responsible for creating and deleting partitions based on the provided configuration.
+
+## Managing Partitions
+
+The application will run without any extra work on your part. If you want to add or delete partitions, you can use the following commands:
+
+To manage the partitions, run `python manage.py pgpartition --using admin`
+
+This command will generate a list of partitions to create and delete based on the provided configuration.
+
+By default, the command will prompt you to accept the changes before applying them.
+
+```shell
+Finding:
+   + 2024_nov
+      name: 2024_nov
+      from_values: 0192e505-9000-72c8-a47c-cce719d8fb93
+      to_values: 01937f84-5418-7eb8-b2a6-e3be749e839d
+      size_unit: months
+      size_value: 1
+   + 2024_dec
+      name: 2024_dec
+      from_values: 01937f84-5800-7b55-879c-9cdb46f023f6
+      to_values: 01941f29-7818-7f9f-b4be-20b05bb2f574
+      size_unit: months
+      size_value: 1
+
+0 partitions will be deleted
+2 partitions will be created
+```
+
+If you choose to apply the partitions, tables will be generated with the following format: `<table_name>_<year>_<month>`.
+
+For more info on the partitioning manager, see https://github.com/SectorLabs/django-postgres-extra
+
+### Changing the Partitioning Parameters
+
+There are 4 environment variables that can be used to change the partitioning parameters:
+
+- `DJANGO_MANAGE_DB_PARTITIONS`: Allow Django to manage database partitons. By default is set to `False`.
+- `FINDINGS_TABLE_PARTITION_MONTHS`: Set the months for each partition. Setting the partition monts to 1 will create partitions with a size of 1 natural month.
+- `FINDINGS_TABLE_PARTITION_COUNT`: Set the number of partitions to create
+- `FINDINGS_TABLE_PARTITION_MAX_AGE_MONTHS`: Set the number of months to keep partitions before deleting them. Setting this to `None` will keep partitions indefinitely.

api/pyproject.toml

@@ -0,0 +1,59 @@
+[build-system]
+build-backend = "poetry.core.masonry.api"
+requires = ["poetry-core"]
+
+[project]
+authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
+dependencies = [
+  "celery[pytest] (>=5.4.0,<6.0.0)",
+  "dj-rest-auth[with_social,jwt] (==7.0.1)",
+  "django==5.1.7",
+  "django-celery-beat (>=2.7.0,<3.0.0)",
+  "django-celery-results (>=2.5.1,<3.0.0)",
+  "django-cors-headers==4.4.0",
+  "django-environ==0.11.2",
+  "django-filter==24.3",
+  "django-guid==3.5.0",
+  "django-postgres-extra (>=2.0.8,<3.0.0)",
+  "djangorestframework==3.15.2",
+  "djangorestframework-jsonapi==7.0.2",
+  "djangorestframework-simplejwt (>=5.3.1,<6.0.0)",
+  "drf-nested-routers (>=0.94.1,<1.0.0)",
+  "drf-spectacular==0.27.2",
+  "drf-spectacular-jsonapi==0.5.1",
+  "gunicorn==23.0.0",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "psycopg2-binary==2.9.9",
+  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
+  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
+  "uuid6==2024.7.10"
+]
+description = "Prowler's API (Django/DRF)"
+license = "Apache-2.0"
+name = "prowler-api"
+package-mode = false
+# Needed for the SDK compatibility
+requires-python = ">=3.11,<3.13"
+version = "1.6.0"
+
+[project.scripts]
+celery = "src.backend.config.settings.celery"
+
+[tool.poetry.group.dev.dependencies]
+bandit = "1.7.9"
+coverage = "7.5.4"
+django-silk = "5.3.2"
+docker = "7.1.0"
+freezegun = "1.5.1"
+mypy = "1.10.1"
+pylint = "3.2.5"
+pytest = "8.2.2"
+pytest-cov = "5.0.0"
+pytest-django = "4.8.0"
+pytest-env = "1.1.3"
+pytest-randomly = "3.15.0"
+pytest-xdist = "3.6.1"
+ruff = "0.5.0"
+safety = "3.2.9"
+tqdm = "4.67.1"
+vulture = "2.14"

api/src/backend/api/adapters.py

@@ -0,0 +1,61 @@
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from django.db import transaction
+
+from api.db_router import MainRouter
+from api.db_utils import rls_transaction
+from api.models import Membership, Role, Tenant, User, UserRoleRelationship
+
+
+class ProwlerSocialAccountAdapter(DefaultSocialAccountAdapter):
+    @staticmethod
+    def get_user_by_email(email: str):
+        try:
+            return User.objects.get(email=email)
+        except User.DoesNotExist:
+            return None
+
+    def pre_social_login(self, request, sociallogin):
+        # Link existing accounts with the same email address
+        email = sociallogin.account.extra_data.get("email")
+        if email:
+            existing_user = self.get_user_by_email(email)
+            if existing_user:
+                sociallogin.connect(request, existing_user)
+
+    def save_user(self, request, sociallogin, form=None):
+        """
+        Called after the user data is fully populated from the provider
+        and is about to be saved to the DB for the first time.
+        """
+        with transaction.atomic(using=MainRouter.admin_db):
+            user = super().save_user(request, sociallogin, form)
+            user.save(using=MainRouter.admin_db)
+            social_account_name = sociallogin.account.extra_data.get("name")
+            if social_account_name:
+                user.name = social_account_name
+                user.save(using=MainRouter.admin_db)
+
+            tenant = Tenant.objects.using(MainRouter.admin_db).create(
+                name=f"{user.email.split('@')[0]} default tenant"
+            )
+            with rls_transaction(str(tenant.id)):
+                Membership.objects.using(MainRouter.admin_db).create(
+                    user=user, tenant=tenant, role=Membership.RoleChoices.OWNER
+                )
+                role = Role.objects.using(MainRouter.admin_db).create(
+                    name="admin",
+                    tenant_id=tenant.id,
+                    manage_users=True,
+                    manage_account=True,
+                    manage_billing=True,
+                    manage_providers=True,
+                    manage_integrations=True,
+                    manage_scans=True,
+                    unlimited_visibility=True,
+                )
+                UserRoleRelationship.objects.using(MainRouter.admin_db).create(
+                    user=user,
+                    role=role,
+                    tenant_id=tenant.id,
+                )
+        return user

api/src/backend/api/admin.py

@@ -0,0 +1,3 @@
+# from django.contrib import admin
+
+# Register your models here.

api/src/backend/api/apps.py

@@ -0,0 +1,12 @@
+from django.apps import AppConfig
+
+
+class ApiConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "api"
+
+    def ready(self):
+        from api import signals  # noqa: F401
+        from api.compliance import load_prowler_compliance
+
+        load_prowler_compliance()

api/src/backend/api/base_views.py

@@ -0,0 +1,152 @@
+from django.core.exceptions import ObjectDoesNotExist
+from django.db import transaction
+from rest_framework import permissions
+from rest_framework.exceptions import NotAuthenticated
+from rest_framework.filters import SearchFilter
+from rest_framework_json_api import filters
+from rest_framework_json_api.views import ModelViewSet
+from rest_framework_simplejwt.authentication import JWTAuthentication
+
+from api.db_router import MainRouter
+from api.db_utils import POSTGRES_USER_VAR, rls_transaction
+from api.filters import CustomDjangoFilterBackend
+from api.models import Role, Tenant
+from api.rbac.permissions import HasPermissions
+
+
+class BaseViewSet(ModelViewSet):
+    authentication_classes = [JWTAuthentication]
+    required_permissions = []
+    permission_classes = [permissions.IsAuthenticated, HasPermissions]
+    filter_backends = [
+        filters.QueryParameterValidationFilter,
+        filters.OrderingFilter,
+        CustomDjangoFilterBackend,
+        SearchFilter,
+    ]
+
+    filterset_fields = []
+    search_fields = []
+
+    ordering_fields = "__all__"
+    ordering = ["id"]
+
+    def initial(self, request, *args, **kwargs):
+        """
+        Sets required_permissions before permissions are checked.
+        """
+        self.set_required_permissions()
+        super().initial(request, *args, **kwargs)
+
+    def set_required_permissions(self):
+        """This is an abstract method that must be implemented by subclasses."""
+        NotImplemented
+
+    def get_queryset(self):
+        raise NotImplementedError
+
+
+class BaseRLSViewSet(BaseViewSet):
+    def dispatch(self, request, *args, **kwargs):
+        with transaction.atomic():
+            return super().dispatch(request, *args, **kwargs)
+
+    def initial(self, request, *args, **kwargs):
+        # Ideally, this logic would be in the `.setup()` method but DRF view sets don't call it
+        # https://docs.djangoproject.com/en/5.1/ref/class-based-views/base/#django.views.generic.base.View.setup
+        if request.auth is None:
+            raise NotAuthenticated
+
+        tenant_id = request.auth.get("tenant_id")
+        if tenant_id is None:
+            raise NotAuthenticated("Tenant ID is not present in token")
+
+        with rls_transaction(tenant_id):
+            self.request.tenant_id = tenant_id
+            return super().initial(request, *args, **kwargs)
+
+    def get_serializer_context(self):
+        context = super().get_serializer_context()
+        context["tenant_id"] = self.request.tenant_id
+        return context
+
+
+class BaseTenantViewset(BaseViewSet):
+    def dispatch(self, request, *args, **kwargs):
+        with transaction.atomic():
+            tenant = super().dispatch(request, *args, **kwargs)
+
+        try:
+            # If the request is a POST, create the admin role
+            if request.method == "POST":
+                isinstance(tenant, dict) and self._create_admin_role(tenant.data["id"])
+        except Exception as e:
+            self._handle_creation_error(e, tenant)
+            raise
+
+        return tenant
+
+    def _create_admin_role(self, tenant_id):
+        Role.objects.using(MainRouter.admin_db).create(
+            name="admin",
+            tenant_id=tenant_id,
+            manage_users=True,
+            manage_account=True,
+            manage_billing=True,
+            manage_providers=True,
+            manage_integrations=True,
+            manage_scans=True,
+            unlimited_visibility=True,
+        )
+
+    def _handle_creation_error(self, error, tenant):
+        if tenant.data.get("id"):
+            try:
+                Tenant.objects.using(MainRouter.admin_db).filter(
+                    id=tenant.data["id"]
+                ).delete()
+            except ObjectDoesNotExist:
+                pass  # Tenant might not exist, handle gracefully
+
+    def initial(self, request, *args, **kwargs):
+        if (
+            request.resolver_match.url_name != "tenant-detail"
+            and request.method != "DELETE"
+        ):
+            user_id = str(request.user.id)
+
+            with rls_transaction(value=user_id, parameter=POSTGRES_USER_VAR):
+                return super().initial(request, *args, **kwargs)
+
+        # TODO: DRY this when we have time
+        if request.auth is None:
+            raise NotAuthenticated
+
+        tenant_id = request.auth.get("tenant_id")
+        if tenant_id is None:
+            raise NotAuthenticated("Tenant ID is not present in token")
+
+        with rls_transaction(tenant_id):
+            self.request.tenant_id = tenant_id
+            return super().initial(request, *args, **kwargs)
+
+
+class BaseUserViewset(BaseViewSet):
+    def dispatch(self, request, *args, **kwargs):
+        with transaction.atomic():
+            return super().dispatch(request, *args, **kwargs)
+
+    def initial(self, request, *args, **kwargs):
+        # TODO refactor after improving RLS on users
+        if request.stream is not None and request.stream.method == "POST":
+            return super().initial(request, *args, **kwargs)
+        if request.auth is None:
+            raise NotAuthenticated
+
+        tenant_id = request.auth.get("tenant_id")
+        if tenant_id is None:
+            raise NotAuthenticated("Tenant ID is not present in token")
+
+        with rls_transaction(tenant_id):
+            self.request.tenant_id = tenant_id
+            return super().initial(request, *args, **kwargs)

api/src/backend/api/compliance.py

@@ -0,0 +1,209 @@
+from types import MappingProxyType
+
+from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.models import CheckMetadata
+
+from api.models import Provider
+
+PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE = {}
+PROWLER_CHECKS = {}
+
+
+def get_prowler_provider_checks(provider_type: Provider.ProviderChoices):
+    """
+    Retrieve all check IDs for the specified provider type.
+
+    This function fetches the check metadata for the given cloud provider
+    and returns an iterable of check IDs.
+
+    Args:
+        provider_type (Provider.ProviderChoices): The provider type
+            (e.g., 'aws', 'azure') for which to retrieve check IDs.
+
+    Returns:
+        Iterable[str]: An iterable of check IDs associated with the specified provider type.
+    """
+    return CheckMetadata.get_bulk(provider_type).keys()
+
+
+def get_prowler_provider_compliance(provider_type: Provider.ProviderChoices) -> dict:
+    """
+    Retrieve the Prowler compliance data for a specified provider type.
+
+    This function fetches the compliance frameworks and their associated
+    requirements for the given cloud provider.
+
+    Args:
+        provider_type (Provider.ProviderChoices): The provider type
+            (e.g., 'aws', 'azure') for which to retrieve compliance data.
+
+    Returns:
+        dict: A dictionary mapping compliance framework names to their respective
+            Compliance objects for the specified provider.
+    """
+    return Compliance.get_bulk(provider_type)
+
+
+def load_prowler_compliance():
+    """
+    Load and initialize the Prowler compliance data and checks for all provider types.
+
+    This function retrieves compliance data for all supported provider types,
+    generates a compliance overview template, and populates the global variables
+    `PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE` and `PROWLER_CHECKS` with read-only mappings
+    of the compliance templates and checks, respectively.
+    """
+    global PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE
+    global PROWLER_CHECKS
+
+    prowler_compliance = {
+        provider_type: get_prowler_provider_compliance(provider_type)
+        for provider_type in Provider.ProviderChoices.values
+    }
+    template = generate_compliance_overview_template(prowler_compliance)
+    PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE = MappingProxyType(template)
+    PROWLER_CHECKS = MappingProxyType(load_prowler_checks(prowler_compliance))
+
+
+def load_prowler_checks(prowler_compliance):
+    """
+    Generate a mapping of checks to the compliance frameworks that include them.
+
+    This function processes the provided compliance data and creates a dictionary
+    mapping each provider type to a dictionary where each check ID maps to a set
+    of compliance names that include that check.
+
+    Args:
+        prowler_compliance (dict): The compliance data for all provider types,
+            as returned by `get_prowler_provider_compliance`.
+
+    Returns:
+        dict: A nested dictionary where the first-level keys are provider types,
+            and the values are dictionaries mapping check IDs to sets of compliance names.
+    """
+    checks = {}
+    for provider_type in Provider.ProviderChoices.values:
+        checks[provider_type] = {
+            check_id: set() for check_id in get_prowler_provider_checks(provider_type)
+        }
+        for compliance_name, compliance_data in prowler_compliance[
+            provider_type
+        ].items():
+            for requirement in compliance_data.Requirements:
+                for check in requirement.Checks:
+                    try:
+                        checks[provider_type][check].add(compliance_name)
+                    except KeyError:
+                        continue
+    return checks
+
+
+def generate_scan_compliance(
+    compliance_overview, provider_type: str, check_id: str, status: str
+):
+    """
+    Update the compliance overview with the status of a specific check.
+
+    This function updates the compliance overview by setting the status of the given check
+    within all compliance frameworks and requirements that include it. It then updates the
+    requirement status to 'FAIL' if any of its checks have failed, and adjusts the counts
+    of passed and failed requirements in the compliance overview.
+
+    Args:
+        compliance_overview (dict): The compliance overview data structure to update.
+        provider_type (str): The provider type (e.g., 'aws', 'azure') associated with the check.
+        check_id (str): The identifier of the check whose status is being updated.
+        status (str): The status of the check (e.g., 'PASS', 'FAIL', 'MUTED').
+
+    Returns:
+        None: This function modifies the compliance_overview in place.
+    """
+    for compliance_id in PROWLER_CHECKS[provider_type][check_id]:
+        for requirement in compliance_overview[compliance_id]["requirements"].values():
+            if check_id in requirement["checks"]:
+                requirement["checks"][check_id] = status
+                requirement["checks_status"][status.lower()] += 1
+
+            if requirement["status"] != "FAIL" and any(
+                value == "FAIL" for value in requirement["checks"].values()
+            ):
+                requirement["status"] = "FAIL"
+                compliance_overview[compliance_id]["requirements_status"]["passed"] -= 1
+                compliance_overview[compliance_id]["requirements_status"]["failed"] += 1
+
+
+def generate_compliance_overview_template(prowler_compliance: dict):
+    """
+    Generate a compliance overview template for all provider types.
+
+    This function creates a nested dictionary structure representing the compliance
+    overview template for each provider type, compliance framework, and requirement.
+    It initializes the status of all checks and requirements, and calculates initial
+    counts for requirements status.
+
+    Args:
+        prowler_compliance (dict): The compliance data for all provider types,
+            as returned by `get_prowler_provider_compliance`.
+
+    Returns:
+        dict: A nested dictionary representing the compliance overview template,
+            structured by provider type and compliance framework.
+    """
+    template = {}
+    for provider_type in Provider.ProviderChoices.values:
+        provider_compliance = template.setdefault(provider_type, {})
+        compliance_data_dict = prowler_compliance[provider_type]
+
+        for compliance_name, compliance_data in compliance_data_dict.items():
+            compliance_requirements = {}
+            requirements_status = {"passed": 0, "failed": 0, "manual": 0}
+            total_requirements = 0
+
+            for requirement in compliance_data.Requirements:
+                total_requirements += 1
+                total_checks = len(requirement.Checks)
+                checks_dict = {check: None for check in requirement.Checks}
+
+                # Build requirement dictionary
+                requirement_dict = {
+                    "name": requirement.Name or requirement.Id,
+                    "description": requirement.Description,
+                    "attributes": [
+                        dict(attribute) for attribute in requirement.Attributes
+                    ],
+                    "checks": checks_dict,
+                    "checks_status": {
+                        "pass": 0,
+                        "fail": 0,
+                        "manual": 0,
+                        "total": total_checks,
+                    },
+                    "status": "PASS",
+                }
+
+                # Update requirements status
+                if total_checks == 0:
+                    requirements_status["manual"] += 1
+
+                # Add requirement to compliance requirements
+                compliance_requirements[requirement.Id] = requirement_dict
+
+            # Calculate pending requirements
+            pending_requirements = total_requirements - requirements_status["manual"]
+            requirements_status["passed"] = pending_requirements
+
+            # Build compliance dictionary
+            compliance_dict = {
+                "framework": compliance_data.Framework,
+                "version": compliance_data.Version,
+                "provider": provider_type,
+                "description": compliance_data.Description,
+                "requirements": compliance_requirements,
+                "requirements_status": requirements_status,
+                "total_requirements": total_requirements,
+            }
+
+            # Add compliance to provider compliance
+            provider_compliance[compliance_name] = compliance_dict
+
+    return template

api/src/backend/api/db_router.py

@@ -0,0 +1,29 @@
+ALLOWED_APPS = ("django", "socialaccount", "account", "authtoken", "silk")
+
+
+class MainRouter:
+    default_db = "default"
+    admin_db = "admin"
+
+    def db_for_read(self, model, **hints):  # noqa: F841
+        model_table_name = model._meta.db_table
+        if model_table_name.startswith("django_") or any(
+            model_table_name.startswith(f"{app}_") for app in ALLOWED_APPS
+        ):
+            return self.admin_db
+        return None
+
+    def db_for_write(self, model, **hints):  # noqa: F841
+        model_table_name = model._meta.db_table
+        if any(model_table_name.startswith(f"{app}_") for app in ALLOWED_APPS):
+            return self.admin_db
+        return None
+
+    def allow_migrate(self, db, app_label, model_name=None, **hints):  # noqa: F841
+        return db == self.admin_db
+
+    def allow_relation(self, obj1, obj2, **hints):  # noqa: F841
+        # Allow relations if both objects are in either "default" or "admin" db connectors
+        if {obj1._state.db, obj2._state.db} <= {self.default_db, self.admin_db}:
+            return True
+        return None

api/src/backend/api/db_utils.py

@@ -0,0 +1,332 @@
+import secrets
+import uuid
+from contextlib import contextmanager
+from datetime import datetime, timedelta, timezone
+
+from django.conf import settings
+from django.contrib.auth.models import BaseUserManager
+from django.db import connection, models, transaction
+from psycopg2 import connect as psycopg2_connect
+from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
+from rest_framework_json_api.serializers import ValidationError
+
+DB_USER = settings.DATABASES["default"]["USER"] if not settings.TESTING else "test"
+DB_PASSWORD = (
+    settings.DATABASES["default"]["PASSWORD"] if not settings.TESTING else "test"
+)
+DB_PROWLER_USER = (
+    settings.DATABASES["prowler_user"]["USER"] if not settings.TESTING else "test"
+)
+DB_PROWLER_PASSWORD = (
+    settings.DATABASES["prowler_user"]["PASSWORD"] if not settings.TESTING else "test"
+)
+TASK_RUNNER_DB_TABLE = "django_celery_results_taskresult"
+POSTGRES_TENANT_VAR = "api.tenant_id"
+POSTGRES_USER_VAR = "api.user_id"
+
+SET_CONFIG_QUERY = "SELECT set_config(%s, %s::text, TRUE);"
+
+
+@contextmanager
+def psycopg_connection(database_alias: str):
+    psycopg2_connection = None
+    try:
+        admin_db = settings.DATABASES[database_alias]
+
+        psycopg2_connection = psycopg2_connect(
+            dbname=admin_db["NAME"],
+            user=admin_db["USER"],
+            password=admin_db["PASSWORD"],
+            host=admin_db["HOST"],
+            port=admin_db["PORT"],
+        )
+        yield psycopg2_connection
+    finally:
+        if psycopg2_connection is not None:
+            psycopg2_connection.close()
+
+
+@contextmanager
+def rls_transaction(value: str, parameter: str = POSTGRES_TENANT_VAR):
+    """
+    Creates a new database transaction setting the given configuration value for Postgres RLS. It validates the
+    if the value is a valid UUID.
+
+    Args:
+        value (str): Database configuration parameter value.
+        parameter (str): Database configuration parameter name, by default is 'api.tenant_id'.
+    """
+    with transaction.atomic():
+        with connection.cursor() as cursor:
+            try:
+                # just in case the value is an UUID object
+                uuid.UUID(str(value))
+            except ValueError:
+                raise ValidationError("Must be a valid UUID")
+            cursor.execute(SET_CONFIG_QUERY, [parameter, value])
+            yield cursor
+
+
+class CustomUserManager(BaseUserManager):
+    def create_user(self, email, password=None, **extra_fields):
+        if not email:
+            raise ValueError("The email field must be set")
+        email = self.normalize_email(email)
+        user = self.model(email=email, **extra_fields)
+        user.set_password(password)
+        user.save(using=self._db)
+        return user
+
+    def get_by_natural_key(self, email):
+        return self.get(email__iexact=email)
+
+
+def enum_to_choices(enum_class):
+    """
+    This function converts a Python Enum to a list of tuples, where the first element is the value and the second element is the name.
+
+    It's for use with Django's `choices` attribute, which expects a list of tuples.
+    """
+    return [(item.value, item.name.replace("_", " ").title()) for item in enum_class]
+
+
+def one_week_from_now():
+    """
+    Return a datetime object with a date one week from now.
+    """
+    return datetime.now(timezone.utc) + timedelta(days=7)
+
+
+def generate_random_token(length: int = 14, symbols: str | None = None) -> str:
+    """
+    Generate a random token with the specified length.
+    """
+    _symbols = "23456789ABCDEFGHJKMNPQRSTVWXYZ"
+    return "".join(secrets.choice(symbols or _symbols) for _ in range(length))
+
+
+def batch_delete(queryset, batch_size=5000):
+    """
+    Deletes objects in batches and returns the total number of deletions and a summary.
+
+    Args:
+        queryset (QuerySet): The queryset of objects to delete.
+        batch_size (int): The number of objects to delete in each batch.
+
+    Returns:
+        tuple: (total_deleted, deletion_summary)
+    """
+    total_deleted = 0
+    deletion_summary = {}
+
+    while True:
+        # Get a batch of IDs to delete
+        batch_ids = set(
+            queryset.values_list("id", flat=True).order_by("id")[:batch_size]
+        )
+        if not batch_ids:
+            # No more objects to delete
+            break
+
+        deleted_count, deleted_info = queryset.filter(id__in=batch_ids).delete()
+
+        total_deleted += deleted_count
+        for model_label, count in deleted_info.items():
+            deletion_summary[model_label] = deletion_summary.get(model_label, 0) + count
+
+    return total_deleted, deletion_summary
+
+
+# Postgres Enums
+
+
+class PostgresEnumMigration:
+    def __init__(self, enum_name: str, enum_values: tuple):
+        self.enum_name = enum_name
+        self.enum_values = enum_values
+
+    def create_enum_type(self, apps, schema_editor):  # noqa: F841
+        string_enum_values = ", ".join([f"'{value}'" for value in self.enum_values])
+        with schema_editor.connection.cursor() as cursor:
+            cursor.execute(
+                f"CREATE TYPE {self.enum_name} AS ENUM ({string_enum_values});"
+            )
+
+    def drop_enum_type(self, apps, schema_editor):  # noqa: F841
+        with schema_editor.connection.cursor() as cursor:
+            cursor.execute(f"DROP TYPE {self.enum_name};")
+
+
+class PostgresEnumField(models.Field):
+    def __init__(self, enum_type_name, *args, **kwargs):
+        self.enum_type_name = enum_type_name
+        super().__init__(*args, **kwargs)
+
+    def db_type(self, connection):
+        return self.enum_type_name
+
+    def from_db_value(self, value, expression, connection):  # noqa: F841
+        return value
+
+    def to_python(self, value):
+        if isinstance(value, EnumType):
+            return value.value
+        return value
+
+    def get_prep_value(self, value):
+        if isinstance(value, EnumType):
+            return value.value
+        return value
+
+
+class EnumType:
+    def __init__(self, value):
+        self.value = value
+
+    def __str__(self):
+        return self.value
+
+
+def enum_adapter(enum_obj):
+    return AsIs(f"'{enum_obj.value}'::{enum_obj.__class__.enum_type_name}")
+
+
+def get_enum_oid(connection, enum_type_name: str):
+    with connection.cursor() as cursor:
+        cursor.execute("SELECT oid FROM pg_type WHERE typname = %s;", (enum_type_name,))
+        result = cursor.fetchone()
+    if result is None:
+        raise ValueError(f"Enum type '{enum_type_name}' not found")
+    return result[0]
+
+
+def register_enum(apps, schema_editor, enum_class):  # noqa: F841
+    with psycopg_connection(schema_editor.connection.alias) as connection:
+        enum_oid = get_enum_oid(connection, enum_class.enum_type_name)
+        enum_instance = new_type(
+            (enum_oid,),
+            enum_class.enum_type_name,
+            lambda value, cur: value,  # noqa: F841
+        )
+        register_type(enum_instance, connection)
+        register_adapter(enum_class, enum_adapter)
+
+
+# Postgres enum definition for member role
+
+
+class MemberRoleEnum(EnumType):
+    enum_type_name = "member_role"
+
+
+class MemberRoleEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("member_role", *args, **kwargs)
+
+
+# Postgres enum definition for Provider.provider
+
+
+class ProviderEnum(EnumType):
+    enum_type_name = "provider"
+
+
+class ProviderEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("provider", *args, **kwargs)
+
+
+# Postgres enum definition for Scan.type
+
+
+class ScanTriggerEnum(EnumType):
+    enum_type_name = "scan_trigger"
+
+
+class ScanTriggerEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("scan_trigger", *args, **kwargs)
+
+
+# Postgres enum definition for state
+
+
+class StateEnum(EnumType):
+    enum_type_name = "state"
+
+
+class StateEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("state", *args, **kwargs)
+
+
+# Postgres enum definition for Finding.Delta
+
+
+class FindingDeltaEnum(EnumType):
+    enum_type_name = "finding_delta"
+
+
+class FindingDeltaEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("finding_delta", *args, **kwargs)
+
+
+# Postgres enum definition for Severity
+
+
+class SeverityEnum(EnumType):
+    enum_type_name = "severity"
+
+
+class SeverityEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("severity", *args, **kwargs)
+
+
+# Postgres enum definition for Status
+
+
+class StatusEnum(EnumType):
+    enum_type_name = "status"
+
+
+class StatusEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("status", *args, **kwargs)
+
+
+# Postgres enum definition for Provider secrets type
+
+
+class ProviderSecretTypeEnum(EnumType):
+    enum_type_name = "provider_secret_type"
+
+
+class ProviderSecretTypeEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("provider_secret_type", *args, **kwargs)
+
+
+# Postgres enum definition for Provider secrets type
+
+
+class InvitationStateEnum(EnumType):
+    enum_type_name = "invitation_state"
+
+
+class InvitationStateEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("invitation_state", *args, **kwargs)
+
+
+# Postgres enum definition for Integration type
+
+
+class IntegrationTypeEnum(EnumType):
+    enum_type_name = "integration_type"
+
+
+class IntegrationTypeEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("integration_type", *args, **kwargs)

api/src/backend/api/decorators.py

@@ -0,0 +1,68 @@
+import uuid
+from functools import wraps
+
+from django.db import connection, transaction
+from rest_framework_json_api.serializers import ValidationError
+
+from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY
+
+
+def set_tenant(func=None, *, keep_tenant=False):
+    """
+    Decorator to set the tenant context for a Celery task based on the provided tenant_id.
+
+    This decorator extracts the `tenant_id` from the task's keyword arguments,
+    and uses it to set the tenant context for the current database session.
+    The `tenant_id` is then removed from the kwargs before the task function
+    is executed. If `tenant_id` is not provided, a KeyError is raised.
+
+    Args:
+        func (function): The Celery task function to be decorated.
+
+    Raises:
+        KeyError: If `tenant_id` is not found in the task's keyword arguments.
+
+    Returns:
+        function: The wrapped function with tenant context set.
+
+    Example:
+        # This decorator MUST be defined the last in the decorator chain
+
+        @shared_task
+        @set_tenant
+        def some_task(arg1, **kwargs):
+            # Task logic here
+            pass
+
+        # When calling the task
+        some_task.delay(arg1, tenant_id="8db7ca86-03cc-4d42-99f6-5e480baf6ab5")
+
+        # The tenant context will be set before the task logic executes.
+    """
+
+    def decorator(func):
+        @wraps(func)
+        @transaction.atomic
+        def wrapper(*args, **kwargs):
+            try:
+                if not keep_tenant:
+                    tenant_id = kwargs.pop("tenant_id")
+                else:
+                    tenant_id = kwargs["tenant_id"]
+            except KeyError:
+                raise KeyError("This task requires the tenant_id")
+            try:
+                uuid.UUID(tenant_id)
+            except ValueError:
+                raise ValidationError("Tenant ID must be a valid UUID")
+            with connection.cursor() as cursor:
+                cursor.execute(SET_CONFIG_QUERY, [POSTGRES_TENANT_VAR, tenant_id])
+
+            return func(*args, **kwargs)
+
+        return wrapper
+
+    if func is None:
+        return decorator
+    else:
+        return decorator(func)

api/src/backend/api/exceptions.py

@@ -0,0 +1,45 @@
+from django.core.exceptions import ValidationError as django_validation_error
+from rest_framework import status
+from rest_framework.exceptions import APIException
+from rest_framework_json_api.exceptions import exception_handler
+from rest_framework_json_api.serializers import ValidationError
+from rest_framework_simplejwt.exceptions import TokenError, InvalidToken
+
+
+class ModelValidationError(ValidationError):
+    def __init__(
+        self,
+        detail: str | None = None,
+        code: str | None = None,
+        pointer: str | None = None,
+        status_code: int = 400,
+    ):
+        super().__init__(
+            detail=[
+                {
+                    "detail": detail,
+                    "status": str(status_code),
+                    "source": {"pointer": pointer},
+                    "code": code,
+                }
+            ]
+        )
+
+
+class InvitationTokenExpiredException(APIException):
+    status_code = status.HTTP_410_GONE
+    default_detail = "The invitation token has expired and is no longer valid."
+    default_code = "token_expired"
+
+
+def custom_exception_handler(exc, context):
+    if isinstance(exc, django_validation_error):
+        if hasattr(exc, "error_dict"):
+            exc = ValidationError(exc.message_dict)
+        else:
+            exc = ValidationError(detail=exc.messages[0], code=exc.code)
+    elif isinstance(exc, (TokenError, InvalidToken)):
+        exc.detail["messages"] = [
+            message_item["message"] for message_item in exc.detail["messages"]
+        ]
+    return exception_handler(exc, context)

api/src/backend/api/filters.py

@@ -0,0 +1,667 @@
+from datetime import date, datetime, timedelta, timezone
+
+from django.conf import settings
+from django.db.models import Q
+from django_filters.rest_framework import (
+    BaseInFilter,
+    BooleanFilter,
+    CharFilter,
+    ChoiceFilter,
+    DateFilter,
+    FilterSet,
+    UUIDFilter,
+)
+from rest_framework_json_api.django_filters.backends import DjangoFilterBackend
+from rest_framework_json_api.serializers import ValidationError
+
+from api.db_utils import (
+    FindingDeltaEnumField,
+    InvitationStateEnumField,
+    ProviderEnumField,
+    SeverityEnumField,
+    StatusEnumField,
+)
+from api.models import (
+    ComplianceOverview,
+    Finding,
+    Integration,
+    Invitation,
+    Membership,
+    PermissionChoices,
+    Provider,
+    ProviderGroup,
+    ProviderSecret,
+    Resource,
+    ResourceTag,
+    Role,
+    Scan,
+    ScanSummary,
+    SeverityChoices,
+    StateChoices,
+    StatusChoices,
+    Task,
+    User,
+)
+from api.rls import Tenant
+from api.uuid_utils import (
+    datetime_to_uuid7,
+    transform_into_uuid7,
+    uuid7_end,
+    uuid7_range,
+    uuid7_start,
+)
+from api.v1.serializers import TaskBase
+
+
+class CustomDjangoFilterBackend(DjangoFilterBackend):
+    def to_html(self, _request, _queryset, _view):
+        """Override this method to use the Browsable API in dev environments.
+
+        This disables the HTML render for the default filter.
+        """
+        return None
+
+    def get_filterset_class(self, view, queryset=None):
+        # Check if the view has 'get_filterset_class' method
+        if hasattr(view, "get_filterset_class"):
+            return view.get_filterset_class()
+        # Fallback to the default implementation
+        return super().get_filterset_class(view, queryset)
+
+
+class UUIDInFilter(BaseInFilter, UUIDFilter):
+    pass
+
+
+class CharInFilter(BaseInFilter, CharFilter):
+    pass
+
+
+class ChoiceInFilter(BaseInFilter, ChoiceFilter):
+    pass
+
+
+class TenantFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+
+    class Meta:
+        model = Tenant
+        fields = {
+            "name": ["exact", "icontains"],
+            "inserted_at": ["date", "gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+
+
+class MembershipFilter(FilterSet):
+    date_joined = DateFilter(field_name="date_joined", lookup_expr="date")
+    role = ChoiceFilter(choices=Membership.RoleChoices.choices)
+
+    class Meta:
+        model = Membership
+        fields = {
+            "tenant": ["exact"],
+            "role": ["exact"],
+            "date_joined": ["date", "gte", "lte"],
+        }
+
+
+class ProviderFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    connected = BooleanFilter()
+    provider = ChoiceFilter(choices=Provider.ProviderChoices.choices)
+
+    class Meta:
+        model = Provider
+        fields = {
+            "provider": ["exact", "in"],
+            "id": ["exact", "in"],
+            "uid": ["exact", "icontains", "in"],
+            "alias": ["exact", "icontains", "in"],
+            "inserted_at": ["gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+        filter_overrides = {
+            ProviderEnumField: {
+                "filter_class": CharFilter,
+            },
+        }
+
+
+class ProviderRelationshipFilterSet(FilterSet):
+    provider_type = ChoiceFilter(
+        choices=Provider.ProviderChoices.choices, field_name="provider__provider"
+    )
+    provider_type__in = ChoiceInFilter(
+        choices=Provider.ProviderChoices.choices, field_name="provider__provider"
+    )
+    provider_uid = CharFilter(field_name="provider__uid", lookup_expr="exact")
+    provider_uid__in = CharInFilter(field_name="provider__uid", lookup_expr="in")
+    provider_uid__icontains = CharFilter(
+        field_name="provider__uid", lookup_expr="icontains"
+    )
+    provider_alias = CharFilter(field_name="provider__alias", lookup_expr="exact")
+    provider_alias__in = CharInFilter(field_name="provider__alias", lookup_expr="in")
+    provider_alias__icontains = CharFilter(
+        field_name="provider__alias", lookup_expr="icontains"
+    )
+
+
+class ProviderGroupFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+
+    class Meta:
+        model = ProviderGroup
+        fields = {
+            "id": ["exact", "in"],
+            "name": ["exact", "in"],
+            "inserted_at": ["gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+
+
+class ScanFilter(ProviderRelationshipFilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    completed_at = DateFilter(field_name="completed_at", lookup_expr="date")
+    started_at = DateFilter(field_name="started_at", lookup_expr="date")
+    next_scan_at = DateFilter(field_name="next_scan_at", lookup_expr="date")
+    trigger = ChoiceFilter(choices=Scan.TriggerChoices.choices)
+    state = ChoiceFilter(choices=StateChoices.choices)
+    state__in = ChoiceInFilter(
+        field_name="state", choices=StateChoices.choices, lookup_expr="in"
+    )
+
+    class Meta:
+        model = Scan
+        fields = {
+            "provider": ["exact", "in"],
+            "name": ["exact", "icontains"],
+            "started_at": ["gte", "lte"],
+            "next_scan_at": ["gte", "lte"],
+            "trigger": ["exact"],
+        }
+
+
+class TaskFilter(FilterSet):
+    name = CharFilter(field_name="task_runner_task__task_name", lookup_expr="exact")
+    name__icontains = CharFilter(
+        field_name="task_runner_task__task_name", lookup_expr="icontains"
+    )
+    state = ChoiceFilter(
+        choices=StateChoices.choices, method="filter_state", lookup_expr="exact"
+    )
+    task_state_inverse_mapping_values = {
+        v: k for k, v in TaskBase.state_mapping.items()
+    }
+
+    def filter_state(self, queryset, name, value):
+        if value not in StateChoices:
+            raise ValidationError(
+                f"Invalid provider value: '{value}'. Valid values are: "
+                f"{', '.join(StateChoices)}"
+            )
+
+        return queryset.filter(
+            task_runner_task__status=self.task_state_inverse_mapping_values[value]
+        )
+
+    class Meta:
+        model = Task
+        fields = []
+
+
+class ResourceTagFilter(FilterSet):
+    class Meta:
+        model = ResourceTag
+        fields = {
+            "key": ["exact", "icontains"],
+            "value": ["exact", "icontains"],
+        }
+        search = ["text_search"]
+
+
+class ResourceFilter(ProviderRelationshipFilterSet):
+    tag_key = CharFilter(method="filter_tag_key")
+    tag_value = CharFilter(method="filter_tag_value")
+    tag = CharFilter(method="filter_tag")
+    tags = CharFilter(method="filter_tag")
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+
+    class Meta:
+        model = Resource
+        fields = {
+            "provider": ["exact", "in"],
+            "uid": ["exact", "icontains"],
+            "name": ["exact", "icontains"],
+            "region": ["exact", "icontains", "in"],
+            "service": ["exact", "icontains", "in"],
+            "type": ["exact", "icontains", "in"],
+            "inserted_at": ["gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+
+    def filter_tag_key(self, queryset, name, value):
+        return queryset.filter(Q(tags__key=value) | Q(tags__key__icontains=value))
+
+    def filter_tag_value(self, queryset, name, value):
+        return queryset.filter(Q(tags__value=value) | Q(tags__value__icontains=value))
+
+    def filter_tag(self, queryset, name, value):
+        # We won't know what the user wants to filter on just based on the value,
+        # and we don't want to build special filtering logic for every possible
+        # provider tag spec, so we'll just do a full text search
+        return queryset.filter(tags__text_search=value)
+
+
+class FindingFilter(FilterSet):
+    # We filter providers from the scan in findings
+    provider = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
+    provider__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
+    provider_type = ChoiceFilter(
+        choices=Provider.ProviderChoices.choices, field_name="scan__provider__provider"
+    )
+    provider_type__in = ChoiceInFilter(
+        choices=Provider.ProviderChoices.choices, field_name="scan__provider__provider"
+    )
+    provider_uid = CharFilter(field_name="scan__provider__uid", lookup_expr="exact")
+    provider_uid__in = CharInFilter(field_name="scan__provider__uid", lookup_expr="in")
+    provider_uid__icontains = CharFilter(
+        field_name="scan__provider__uid", lookup_expr="icontains"
+    )
+    provider_alias = CharFilter(field_name="scan__provider__alias", lookup_expr="exact")
+    provider_alias__in = CharInFilter(
+        field_name="scan__provider__alias", lookup_expr="in"
+    )
+    provider_alias__icontains = CharFilter(
+        field_name="scan__provider__alias", lookup_expr="icontains"
+    )
+
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+
+    uid = CharFilter(field_name="uid")
+    delta = ChoiceFilter(choices=Finding.DeltaChoices.choices)
+    status = ChoiceFilter(choices=StatusChoices.choices)
+    severity = ChoiceFilter(choices=SeverityChoices)
+    impact = ChoiceFilter(choices=SeverityChoices)
+
+    resources = UUIDInFilter(field_name="resource__id", lookup_expr="in")
+
+    region = CharFilter(field_name="resources__region")
+    region__in = CharInFilter(field_name="resources__region", lookup_expr="in")
+    region__icontains = CharFilter(
+        field_name="resources__region", lookup_expr="icontains"
+    )
+
+    service = CharFilter(field_name="resources__service")
+    service__in = CharInFilter(field_name="resources__service", lookup_expr="in")
+    service__icontains = CharFilter(
+        field_name="resources__service", lookup_expr="icontains"
+    )
+
+    resource_uid = CharFilter(field_name="resources__uid")
+    resource_uid__in = CharInFilter(field_name="resources__uid", lookup_expr="in")
+    resource_uid__icontains = CharFilter(
+        field_name="resources__uid", lookup_expr="icontains"
+    )
+
+    resource_name = CharFilter(field_name="resources__name")
+    resource_name__in = CharInFilter(field_name="resources__name", lookup_expr="in")
+    resource_name__icontains = CharFilter(
+        field_name="resources__name", lookup_expr="icontains"
+    )
+
+    resource_type = CharFilter(field_name="resources__type")
+    resource_type__in = CharInFilter(field_name="resources__type", lookup_expr="in")
+    resource_type__icontains = CharFilter(
+        field_name="resources__type", lookup_expr="icontains"
+    )
+
+    # Temporarily disabled until we implement tag filtering in the UI
+    # resource_tag_key = CharFilter(field_name="resources__tags__key")
+    # resource_tag_key__in = CharInFilter(
+    #     field_name="resources__tags__key", lookup_expr="in"
+    # )
+    # resource_tag_key__icontains = CharFilter(
+    #     field_name="resources__tags__key", lookup_expr="icontains"
+    # )
+    # resource_tag_value = CharFilter(field_name="resources__tags__value")
+    # resource_tag_value__in = CharInFilter(
+    #     field_name="resources__tags__value", lookup_expr="in"
+    # )
+    # resource_tag_value__icontains = CharFilter(
+    #     field_name="resources__tags__value", lookup_expr="icontains"
+    # )
+    # resource_tags = CharInFilter(
+    #     method="filter_resource_tag",
+    #     lookup_expr="in",
+    #     help_text="Filter by resource tags `key:value` pairs.\nMultiple values may be "
+    #     "separated by commas.",
+    # )
+
+    scan = UUIDFilter(method="filter_scan_id")
+    scan__in = UUIDInFilter(method="filter_scan_id_in")
+
+    inserted_at = DateFilter(method="filter_inserted_at", lookup_expr="date")
+    inserted_at__date = DateFilter(method="filter_inserted_at", lookup_expr="date")
+    inserted_at__gte = DateFilter(
+        method="filter_inserted_at_gte",
+        help_text=f"Maximum date range is {settings.FINDINGS_MAX_DAYS_IN_RANGE} days.",
+    )
+    inserted_at__lte = DateFilter(
+        method="filter_inserted_at_lte",
+        help_text=f"Maximum date range is {settings.FINDINGS_MAX_DAYS_IN_RANGE} days.",
+    )
+
+    class Meta:
+        model = Finding
+        fields = {
+            "id": ["exact", "in"],
+            "uid": ["exact", "in"],
+            "scan": ["exact", "in"],
+            "delta": ["exact", "in"],
+            "status": ["exact", "in"],
+            "severity": ["exact", "in"],
+            "impact": ["exact", "in"],
+            "check_id": ["exact", "in", "icontains"],
+            "inserted_at": ["date", "gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+        filter_overrides = {
+            FindingDeltaEnumField: {
+                "filter_class": CharFilter,
+            },
+            StatusEnumField: {
+                "filter_class": CharFilter,
+            },
+            SeverityEnumField: {
+                "filter_class": CharFilter,
+            },
+        }
+
+    def filter_queryset(self, queryset):
+        if not (self.data.get("scan") or self.data.get("scan__in")) and not (
+            self.data.get("inserted_at")
+            or self.data.get("inserted_at__date")
+            or self.data.get("inserted_at__gte")
+            or self.data.get("inserted_at__lte")
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": "At least one date filter is required: filter[inserted_at], filter[inserted_at.gte], "
+                        "or filter[inserted_at.lte].",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/inserted_at"},
+                        "code": "required",
+                    }
+                ]
+            )
+
+        gte_date = (
+            datetime.strptime(self.data.get("inserted_at__gte"), "%Y-%m-%d").date()
+            if self.data.get("inserted_at__gte")
+            else datetime.now(timezone.utc).date()
+        )
+        lte_date = (
+            datetime.strptime(self.data.get("inserted_at__lte"), "%Y-%m-%d").date()
+            if self.data.get("inserted_at__lte")
+            else datetime.now(timezone.utc).date()
+        )
+
+        if abs(lte_date - gte_date) > timedelta(
+            days=settings.FINDINGS_MAX_DAYS_IN_RANGE
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": f"The date range cannot exceed {settings.FINDINGS_MAX_DAYS_IN_RANGE} days.",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/inserted_at"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+
+        return super().filter_queryset(queryset)
+
+    #  Convert filter values to UUIDv7 values for use with partitioning
+    def filter_scan_id(self, queryset, name, value):
+        try:
+            value_uuid = transform_into_uuid7(value)
+            start = uuid7_start(value_uuid)
+            end = uuid7_end(value_uuid, settings.FINDINGS_TABLE_PARTITION_MONTHS)
+        except ValidationError as validation_error:
+            detail = str(validation_error.detail[0])
+            raise ValidationError(
+                [
+                    {
+                        "detail": detail,
+                        "status": 400,
+                        "source": {"pointer": "/data/relationships/scan"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+
+        return (
+            queryset.filter(id__gte=start).filter(id__lt=end).filter(scan_id=value_uuid)
+        )
+
+    def filter_scan_id_in(self, queryset, name, value):
+        try:
+            uuid_list = [
+                transform_into_uuid7(value_uuid)
+                for value_uuid in value
+                if value_uuid is not None
+            ]
+
+            start, end = uuid7_range(uuid_list)
+        except ValidationError as validation_error:
+            detail = str(validation_error.detail[0])
+            raise ValidationError(
+                [
+                    {
+                        "detail": detail,
+                        "status": 400,
+                        "source": {"pointer": "/data/relationships/scan"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+        if start == end:
+            return queryset.filter(id__gte=start).filter(scan_id__in=uuid_list)
+        else:
+            return (
+                queryset.filter(id__gte=start)
+                .filter(id__lt=end)
+                .filter(scan_id__in=uuid_list)
+            )
+
+    def filter_inserted_at(self, queryset, name, value):
+        datetime_value = self.maybe_date_to_datetime(value)
+        start = uuid7_start(datetime_to_uuid7(datetime_value))
+        end = uuid7_start(datetime_to_uuid7(datetime_value + timedelta(days=1)))
+
+        return queryset.filter(id__gte=start, id__lt=end)
+
+    def filter_inserted_at_gte(self, queryset, name, value):
+        datetime_value = self.maybe_date_to_datetime(value)
+        start = uuid7_start(datetime_to_uuid7(datetime_value))
+
+        return queryset.filter(id__gte=start)
+
+    def filter_inserted_at_lte(self, queryset, name, value):
+        datetime_value = self.maybe_date_to_datetime(value)
+        end = uuid7_start(datetime_to_uuid7(datetime_value + timedelta(days=1)))
+
+        return queryset.filter(id__lt=end)
+
+    def filter_resource_tag(self, queryset, name, value):
+        overall_query = Q()
+        for key_value_pair in value:
+            tag_key, tag_value = key_value_pair.split(":", 1)
+            overall_query |= Q(
+                resources__tags__key__icontains=tag_key,
+                resources__tags__value__icontains=tag_value,
+            )
+        return queryset.filter(overall_query).distinct()
+
+    @staticmethod
+    def maybe_date_to_datetime(value):
+        dt = value
+        if isinstance(value, date):
+            dt = datetime.combine(value, datetime.min.time(), tzinfo=timezone.utc)
+        return dt
+
+
+class ProviderSecretFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    provider = UUIDFilter(field_name="provider__id", lookup_expr="exact")
+
+    class Meta:
+        model = ProviderSecret
+        fields = {
+            "name": ["exact", "icontains"],
+        }
+
+
+class InvitationFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    expires_at = DateFilter(field_name="expires_at", lookup_expr="date")
+    state = ChoiceFilter(choices=Invitation.State.choices)
+    state__in = ChoiceInFilter(choices=Invitation.State.choices, lookup_expr="in")
+
+    class Meta:
+        model = Invitation
+        fields = {
+            "email": ["exact", "icontains"],
+            "inserted_at": ["date", "gte", "lte"],
+            "updated_at": ["date", "gte", "lte"],
+            "expires_at": ["date", "gte", "lte"],
+            "inviter": ["exact"],
+        }
+        filter_overrides = {
+            InvitationStateEnumField: {
+                "filter_class": CharFilter,
+            }
+        }
+
+
+class UserFilter(FilterSet):
+    date_joined = DateFilter(field_name="date_joined", lookup_expr="date")
+
+    class Meta:
+        model = User
+        fields = {
+            "name": ["exact", "icontains"],
+            "email": ["exact", "icontains"],
+            "company_name": ["exact", "icontains"],
+            "date_joined": ["date", "gte", "lte"],
+            "is_active": ["exact"],
+        }
+
+
+class RoleFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    permission_state = ChoiceFilter(
+        choices=PermissionChoices.choices, method="filter_permission_state"
+    )
+
+    def filter_permission_state(self, queryset, name, value):
+        return Role.filter_by_permission_state(queryset, value)
+
+    class Meta:
+        model = Role
+        fields = {
+            "id": ["exact", "in"],
+            "name": ["exact", "in"],
+            "inserted_at": ["gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+
+
+class ComplianceOverviewFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    provider_type = ChoiceFilter(choices=Provider.ProviderChoices.choices)
+    provider_type__in = ChoiceInFilter(choices=Provider.ProviderChoices.choices)
+    scan_id = UUIDFilter(field_name="scan__id")
+
+    class Meta:
+        model = ComplianceOverview
+        fields = {
+            "inserted_at": ["date", "gte", "lte"],
+            "compliance_id": ["exact", "icontains"],
+            "framework": ["exact", "iexact", "icontains"],
+            "version": ["exact", "icontains"],
+            "region": ["exact", "icontains", "in"],
+        }
+
+
+class ScanSummaryFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
+    provider_type = ChoiceFilter(
+        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    region = CharFilter(field_name="region")
+    muted_findings = BooleanFilter(method="filter_muted_findings")
+
+    def filter_muted_findings(self, queryset, name, value):
+        if not value:
+            return queryset.exclude(muted__gt=0)
+        return queryset
+
+    class Meta:
+        model = ScanSummary
+        fields = {
+            "inserted_at": ["date", "gte", "lte"],
+            "region": ["exact", "icontains", "in"],
+        }
+
+
+class ServiceOverviewFilter(ScanSummaryFilter):
+    muted_findings = None
+
+    def is_valid(self):
+        # Check if at least one of the inserted_at filters is present
+        inserted_at_filters = [
+            self.data.get("inserted_at"),
+            self.data.get("inserted_at__gte"),
+            self.data.get("inserted_at__lte"),
+        ]
+        if not any(inserted_at_filters):
+            raise ValidationError(
+                {
+                    "inserted_at": [
+                        "At least one of filter[inserted_at], filter[inserted_at__gte], or "
+                        "filter[inserted_at__lte] is required."
+                    ]
+                }
+            )
+        return super().is_valid()
+
+
+class IntegrationFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    integration_type = ChoiceFilter(choices=Integration.IntegrationChoices.choices)
+    integration_type__in = ChoiceInFilter(
+        choices=Integration.IntegrationChoices.choices,
+        field_name="integration_type",
+        lookup_expr="in",
+    )
+
+    class Meta:
+        model = Integration
+        fields = {
+            "inserted_at": ["date", "gte", "lte"],
+        }

api/src/backend/api/fixtures/dev/0_dev_users.json

@@ -0,0 +1,28 @@
+[
+  {
+    "model": "api.user",
+    "pk": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
+    "fields": {
+      "password": "pbkdf2_sha256$720000$vA62S78kog2c2ytycVQdke$Fp35GVLLMyy5fUq3krSL9I02A+ocQ+RVa4S22LIAO5s=",
+      "last_login": null,
+      "name": "Devie Prowlerson",
+      "email": "dev@prowler.com",
+      "company_name": "Prowler Developers",
+      "is_active": true,
+      "date_joined": "2024-09-17T09:04:20.850Z"
+    }
+  },
+  {
+    "model": "api.user",
+    "pk": "b6493a3a-c997-489b-8b99-278bf74de9f6",
+    "fields": {
+      "password": "pbkdf2_sha256$720000$vA62S78kog2c2ytycVQdke$Fp35GVLLMyy5fUq3krSL9I02A+ocQ+RVa4S22LIAO5s=",
+      "last_login": null,
+      "name": "Devietoo Prowlerson",
+      "email": "dev2@prowler.com",
+      "company_name": "Prowler Developers",
+      "is_active": true,
+      "date_joined": "2024-09-18T09:04:20.850Z"
+    }
+  }
+]

api/src/backend/api/fixtures/dev/1_dev_tenants.json

@@ -0,0 +1,50 @@
+[
+  {
+    "model": "api.tenant",
+    "pk": "12646005-9067-4d2a-a098-8bb378604362",
+    "fields": {
+      "inserted_at": "2024-03-21T23:00:00Z",
+      "updated_at": "2024-03-21T23:00:00Z",
+      "name": "Tenant1"
+    }
+  },
+  {
+    "model": "api.tenant",
+    "pk": "0412980b-06e3-436a-ab98-3c9b1d0333d3",
+    "fields": {
+      "inserted_at": "2024-03-21T23:00:00Z",
+      "updated_at": "2024-03-21T23:00:00Z",
+      "name": "Tenant2"
+    }
+  },
+  {
+    "model": "api.membership",
+    "pk": "2b0db93a-7e0b-4edf-a851-ea448676b7eb",
+    "fields": {
+      "user": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
+      "tenant": "0412980b-06e3-436a-ab98-3c9b1d0333d3",
+      "role": "owner",
+      "date_joined": "2024-09-19T11:03:59.712Z"
+    }
+  },
+  {
+    "model": "api.membership",
+    "pk": "797d7cee-abc9-4598-98bb-4bf4bfb97f27",
+    "fields": {
+      "user": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "owner",
+      "date_joined": "2024-09-19T11:02:59.712Z"
+    }
+  },
+  {
+    "model": "api.membership",
+    "pk": "dea37563-7009-4dcf-9f18-25efb41462a7",
+    "fields": {
+      "user": "b6493a3a-c997-489b-8b99-278bf74de9f6",
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "member",
+      "date_joined": "2024-09-19T11:03:59.712Z"
+    }
+  }
+]

api/src/backend/api/fixtures/dev/2_dev_providers.json

@@ -0,0 +1,193 @@
+[
+  {
+    "model": "api.provider",
+    "pk": "37b065f8-26b0-4218-a665-0b23d07b27d9",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-01T17:20:27.050Z",
+      "updated_at": "2024-08-01T17:20:27.050Z",
+      "provider": "gcp",
+      "uid": "a12322-test321",
+      "alias": "gcp_testing_2",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "8851db6b-42e5-4533-aa9e-30a32d67e875",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-01T17:19:42.453Z",
+      "updated_at": "2024-08-01T17:19:42.453Z",
+      "provider": "gcp",
+      "uid": "a12345-test123",
+      "alias": "gcp_testing_1",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "b85601a8-4b45-4194-8135-03fb980ef428",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-01T17:19:09.556Z",
+      "updated_at": "2024-08-01T17:19:09.556Z",
+      "provider": "aws",
+      "uid": "123456789020",
+      "alias": "aws_testing_2",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "baa7b895-8bac-4f47-b010-4226d132856e",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-01T17:20:16.962Z",
+      "updated_at": "2024-08-01T17:20:16.962Z",
+      "provider": "gcp",
+      "uid": "a12322-test123",
+      "alias": "gcp_testing_3",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "d7c7ea89-d9af-423b-a364-1290dcad5a01",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-01T17:18:58.132Z",
+      "updated_at": "2024-08-01T17:18:58.132Z",
+      "provider": "aws",
+      "uid": "123456789015",
+      "alias": "aws_testing_1",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "1b59e032-3eb6-4694-93a5-df84cd9b3ce2",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-06T16:03:26.176Z",
+      "updated_at": "2024-08-06T16:03:26.176Z",
+      "provider": "azure",
+      "uid": "8851db6b-42e5-4533-aa9e-30a32d67e875",
+      "alias": "azure_testing",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {},
+      "scanner_args": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "26e55a24-cb2c-4cef-ac87-6f91fddb2c97",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-08-06T16:03:07.037Z",
+      "updated_at": "2024-08-06T16:03:07.037Z",
+      "provider": "kubernetes",
+      "uid": "kubernetes-test-12345",
+      "alias": "k8s_testing",
+      "connected": null,
+      "connection_last_checked_at": null,
+      "metadata": {},
+      "scanner_args": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:45:26.352Z",
+      "updated_at": "2024-10-18T11:16:23.533Z",
+      "provider": "aws",
+      "uid": "106908755759",
+      "alias": "real testing aws provider",
+      "connected": true,
+      "connection_last_checked_at": "2024-10-18T11:16:23.503Z",
+      "metadata": {},
+      "scanner_args": {}
+    }
+  },
+  {
+    "model": "api.provider",
+    "pk": "7791914f-d646-4fe2-b2ed-73f2c6499a36",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:45:26.352Z",
+      "updated_at": "2024-10-18T11:16:23.533Z",
+      "provider": "kubernetes",
+      "uid": "gke_lucky-coast-419309_us-central1_autopilot-cluster-2",
+      "alias": "k8s_testing_2",
+      "connected": true,
+      "connection_last_checked_at": "2024-10-18T11:16:23.503Z",
+      "metadata": {},
+      "scanner_args": {}
+    }
+  },
+  {
+    "model": "api.providersecret",
+    "pk": "11491b47-75ae-4f71-ad8d-3e630a72182e",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-11T08:03:05.026Z",
+      "updated_at": "2024-10-11T08:04:47.033Z",
+      "name": "GCP static secrets",
+      "secret_type": "static",
+      "_secret": "Z0FBQUFBQm5DTndmZW9KakRZUHM2UHhQN2V3RzN0QmM1cERham8yMHp5cnVTT0lzdGFyS1FuVmJXUlpYSGsyU0cxR3RMMEdQYXlYMUVsaWtqLU1OZWlaVUp6OFREYlotZTVBY3BuTlZYbm9YcUJydzAxV2p5dkpLamI1Y2tUYzA0MmJUNWxsNTBRM0E1SDRCa0pPQWVlb05YU3dfeUhkLTRmOEh3dGczOGh1ZGhQcVdZdVAtYmtoSWlwNXM4VGFoVmF3dno2X1hrbk5GZjZTWjVuWEdEZUFXeHJSQjEzbTlVakhNdzYyWTdiVEpvUEc2MTNpRzUtczhEank1eGI0b3MyMlAyaGN6dlByZmtUWHByaDNUYWFqYS1tYnNBUkRKTzBacFNSRjFuVmd5bUtFUEJhd1ZVS1ZDd2xSUV9PaEtLTnc0XzVkY2lhM01WTjQwaWdJSk9wNUJSXzQ4RUNQLXFPNy1VdzdPYkZyWkVkU3RyQjVLTS1MVHN0R3k4THNKZ2NBNExaZnl3Q1EwN2dwNGRsUXptMjB0LXUzTUpzTDE2Q1hmS0ZSN2g1ZjBPeV8taFoxNUwxc2FEcktXX0dCM1IzeUZTTHNiTmNxVXBvNWViZTJScUVWV2VYTFQ4UHlid21PY1A0UjdNMGtERkZCd0lLMlJENDMzMVZUM09DQ0twd1N3VHlZd09XLUctOWhYcFJIR1p5aUlZeEUzejc2dWRYdGNsd0xOODNqRUFEczhSTWNtWU0tdFZ1ZTExaHNHUVYtd0Zxdld1LTdKVUNINzlZTGdHODhKeVVpQmRZMHRUNTJRRWhwS1F1Y3I2X2Iwc0c1NHlXSVRLZWxreEt0dVRnOTZFMkptU2VMS1dWXzdVOVRzMUNUWXM2aFlxVDJXdGo3d2cxSVZGWlI2ZWhIZzZBcEl4bEJ6UnVHc0RYWVNHcjFZUHI5ZUYyWG9rSlo0QUVSUkFCX3h2UmtJUTFzVXJUZ25vTmk2VzdoTTNta05ucmNfTi0yR1ZxN1E2MnZJOVVKOGxmMXMzdHMxVndmSVhQbUItUHgtMVpVcHJwMU5JVHJLb0Y1aHV5OEEwS0kzQkEtcFJkdkRnWGxmZnprNFhndWg1TmQyd09yTFdTRmZ3d2ZvZFUtWXp4a2VYb3JjckFIcE13MDUzX0RHSnlzM0N2ZE5IRzJzMXFMc0k4MDRyTHdLZFlWOG9SaFF0LU43Ynd6VFlEcVNvdFZ0emJEVk10aEp4dDZFTFNFNzk0UUo2WTlVLWRGYm1fanZHaFZreHBIMmtzVjhyS0xPTk9fWHhiVTJHQXZwVlVuY3JtSjFUYUdHQzhEaHFNZXhwUHBmY0kxaUVrOHo4a0FYOTdpZVJDbFRvdFlQeWo3eFZHX1ZMZ1Myc3prU3o2c3o2eXNja1U4N0Y1T0d1REVjZFRGNTByUkgyemVCSjlQYkY2bmJ4YTZodHB0cUNzd2xZcENycUdsczBIaEZPbG1jVUlqNlM2cEE3aGpVaWswTzBDLVFGUHM5UHhvM09saWNtaDhaNVlsc3FZdktKeWlheDF5OGhTODE2N3JWamdTZG5Fa3JSQ2ZUSEVfRjZOZXdreXRZLTBZRFhleVFFeC1YUzc0cWhYeEhobGxvdnZ3Rm15WFlBWXp0dm1DeTA5eExLeEFRRXVRSXBXdTNEaWdZZ3JDenItdDhoZlFiTzI0SGZ1c01FR1FNaFVweVBKR1YxWGRUMW1Mc2JVdW9raWR6UHk2ZTBnS05pV3oyZVBjREdkY3k4ZHZPUWE5S281MkJRSHF3NnpTclZ5bl90bk1wUEh6Tkp5dXlDcE5paWRqcVhxRFVObWIzRldWOGJ2aC1CRHZpbFZrb0hjNGpCMm5POGRiS2lETUpMLUVfQlhCdTZPLW9USW1LTFlTSF9zRUJYZ1NKeFFEQjNOR215ZXJDbkFndmcxWl9rWlk9",
+      "provider": "8851db6b-42e5-4533-aa9e-30a32d67e875"
+    }
+  },
+  {
+    "model": "api.providersecret",
+    "pk": "40191ad5-d8c2-40a9-826d-241397626b68",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-10T11:11:44.515Z",
+      "updated_at": "2024-10-11T07:59:56.102Z",
+      "name": "AWS static secrets",
+      "secret_type": "static",
+      "_secret": "Z0FBQUFBQm5DTnI4Y1RyV19UWEJzc3kzQUExcU5tdlQzbFVLeDdZMWd1MzkwWkl2UF9oZGhiVEJHVWpSMXV4MjYyN3g2OVpvNVpkQUQ3S0VGaGdQLTFhQWE3MkpWZUt2cnVhODc4d3FpY3FVZkpwdHJzNUJPeFRwZ3N4bGpPZTlkNWRNdFlwTHU3aTNWR3JjSzJwLWRITHdfQWpXb1F0c1l3bVFxbnFrTEpPTGgxcnF1VUprSzZ5dGRQU2VGYmZhTTlwbVpsNFBNWlFhVW9RbjJyYnZ5N0oweE5kV0ZEaUdpUUpNVExOa3oyQ2dNREVSenJ0TEFZc0RrRWpXNUhyMmtybGNLWDVOR0FabEl4QVR1bkZyb2hBLWc1MFNIekVyeXI0SmVreHBjRnJ1YUlVdXpVbW9JZkk0aEgxYlM1VGhSRlhtcS14YzdTYUhXR2xodElmWjZuNUVwaHozX1RVTG1QWHdPZWd4clNHYnAyOTBsWEl5UU83RGxZb0RKWjdadjlsTmJtSHQ0Yl9uaDJoODB0QV9sWmFYbFAxcjA1bmhNVlNqc2xEeHlvcUJFbVZvY250ZENnMnZLT1psb1JDclB3WVR6NGdZb2pzb3U4Ny04QlB0UTZub0dMOXZEUTZEcVJhZldCWEZZSDdLTy02UVZqck5zVTZwS3pObGlOejNJeHUzbFRabFM2V2xaekZVRjZtX3VzZlplendnOWQzT01WMFd3ejNadHVlTFlqRGR2dk5Da29zOFYwOUdOaEc4OHhHRnJFMmJFMk12VDNPNlBBTGlsXy13cUM1QkVYb0o1Z2U4ZXJnWXpZdm1sWjA5bzQzb2NFWC1xbmIycGZRbGtCaGNaOWlkX094UUNNampwbkZoREctNWI4QnZRaE8zM3BEQ1BwNzA1a3BzOGczZXdIM2s1NHFGN1ZTbmJhZkc4RVdfM0ZIZU5udTBYajd1RGxpWXZpRWdSMmhHa2RKOEIzbmM0X2F1OGxrN2p6LW9UVldDOFVpREoxZ1UzcTBZX19OQ0xJb0syWlhNSlQ4MzQwdzRtVG94Y01GS3FMLV95UVlxOTFORk8zdjE5VGxVaXdhbGlzeHdoYWNzazZWai1GUGtUM2gzR0ZWTTY4SThWeVFnZldIaklOTTJqTTg1VkhEYW5wNmdEVllXMmJCV2tpVmVYeUV2c0E1T00xbHJRNzgzVG9wb0Q1cV81UEhqYUFsQ2p1a0VpRDVINl9SVkpyZVRNVnVXQUxwY3NWZnJrNmRVREpiLWNHYUpXWmxkQlhNbWhuR1NmQ1BaVDlidUxCWHJMaHhZbk1FclVBaEVZeWg1ZlFoenZzRHlKbV8wa3lmMGZrd3NmTDZjQkE0UXNSUFhpTWtUUHBrX29BVzc4QzEtWEJIQW1GMGFuZVlXQWZIOXJEamloeGFCeHpYMHNjMFVfNXpQdlJfSkk2bzFROU5NU0c1SHREWW1nbkFNZFZ0UjdPRGdjaF96RGplY1hjdFFzLVR6MTVXYlRjbHIxQ2JRejRpVko5NWhBU0ZHR3ZvczU5elljRGpHRTdIc0FsSm5fUHEwT1gtTS1lN3M3X3ZZRnlkYUZoZXRQeEJsZlhLdFdTUzU1NUl4a29aOWZIdTlPM0Fnak1xYWVkYTNiMmZXUHlXS2lwUVBZLXQyaUxuRmtQNFFieE9SVmdZVW9WTHlzbnBPZlNIdGVHOE1LNVNESjN3cGtVSHVpT1NJWHE1ZzNmUTVTOC0xX3NGSmJqU19IbjZfQWtMRG1YNUQtRy13TUJIZFlyOXJkQzFQbkdZVXVzM2czbS1HWHFBT1pXdVd3N09tcG82SVhnY1ZtUWxqTEg2UzJCUmllb2pweVN2aGwwS1FVRUhjNEN2amRMc3MwVU4zN3dVMWM5Slg4SERtenFaQk1yMWx0LWtxVWtLZVVtbU4yejVEM2h6TEt0RGdfWE09",
+      "provider": "b85601a8-4b45-4194-8135-03fb980ef428"
+    }
+  },
+  {
+    "model": "api.providersecret",
+    "pk": "ed89d1ea-366a-4d12-a602-f2ab77019742",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-10T11:11:44.515Z",
+      "updated_at": "2024-10-11T07:59:56.102Z",
+      "name": "Azure static secrets",
+      "secret_type": "static",
+      "_secret": "Z0FBQUFBQm5DTnI4Y1RyV19UWEJzc3kzQUExcU5tdlQzbFVLeDdZMWd1MzkwWkl2UF9oZGhiVEJHVWpSMXV4MjYyN3g2OVpvNVpkQUQ3S0VGaGdQLTFhQWE3MkpWZUt2cnVhODc4d3FpY3FVZkpwdHJzNUJPeFRwZ3N4bGpPZTlkNWRNdFlwTHU3aTNWR3JjSzJwLWRITHdfQWpXb1F0c1l3bVFxbnFrTEpPTGgxcnF1VUprSzZ5dGRQU2VGYmZhTTlwbVpsNFBNWlFhVW9RbjJyYnZ5N0oweE5kV0ZEaUdpUUpNVExOa3oyQ2dNREVSenJ0TEFZc0RrRWpXNUhyMmtybGNLWDVOR0FabEl4QVR1bkZyb2hBLWc1MFNIekVyeXI0SmVreHBjRnJ1YUlVdXpVbW9JZkk0aEgxYlM1VGhSRlhtcS14YzdTYUhXR2xodElmWjZuNUVwaHozX1RVTG1QWHdPZWd4clNHYnAyOTBsWEl5UU83RGxZb0RKWjdadjlsTmJtSHQ0Yl9uaDJoODB0QV9sWmFYbFAxcjA1bmhNVlNqc2xEeHlvcUJFbVZvY250ZENnMnZLT1psb1JDclB3WVR6NGdZb2pzb3U4Ny04QlB0UTZub0dMOXZEUTZEcVJhZldCWEZZSDdLTy02UVZqck5zVTZwS3pObGlOejNJeHUzbFRabFM2V2xaekZVRjZtX3VzZlplendnOWQzT01WMFd3ejNadHVlTFlqRGR2dk5Da29zOFYwOUdOaEc4OHhHRnJFMmJFMk12VDNPNlBBTGlsXy13cUM1QkVYb0o1Z2U4ZXJnWXpZdm1sWjA5bzQzb2NFWC1xbmIycGZRbGtCaGNaOWlkX094UUNNampwbkZoREctNWI4QnZRaE8zM3BEQ1BwNzA1a3BzOGczZXdIM2s1NHFGN1ZTbmJhZkc4RVdfM0ZIZU5udTBYajd1RGxpWXZpRWdSMmhHa2RKOEIzbmM0X2F1OGxrN2p6LW9UVldDOFVpREoxZ1UzcTBZX19OQ0xJb0syWlhNSlQ4MzQwdzRtVG94Y01GS3FMLV95UVlxOTFORk8zdjE5VGxVaXdhbGlzeHdoYWNzazZWai1GUGtUM2gzR0ZWTTY4SThWeVFnZldIaklOTTJqTTg1VkhEYW5wNmdEVllXMmJCV2tpVmVYeUV2c0E1T00xbHJRNzgzVG9wb0Q1cV81UEhqYUFsQ2p1a0VpRDVINl9SVkpyZVRNVnVXQUxwY3NWZnJrNmRVREpiLWNHYUpXWmxkQlhNbWhuR1NmQ1BaVDlidUxCWHJMaHhZbk1FclVBaEVZeWg1ZlFoenZzRHlKbV8wa3lmMGZrd3NmTDZjQkE0UXNSUFhpTWtUUHBrX29BVzc4QzEtWEJIQW1GMGFuZVlXQWZIOXJEamloeGFCeHpYMHNjMFVfNXpQdlJfSkk2bzFROU5NU0c1SHREWW1nbkFNZFZ0UjdPRGdjaF96RGplY1hjdFFzLVR6MTVXYlRjbHIxQ2JRejRpVko5NWhBU0ZHR3ZvczU5elljRGpHRTdIc0FsSm5fUHEwT1gtTS1lN3M3X3ZZRnlkYUZoZXRQeEJsZlhLdFdTUzU1NUl4a29aOWZIdTlPM0Fnak1xYWVkYTNiMmZXUHlXS2lwUVBZLXQyaUxuRmtQNFFieE9SVmdZVW9WTHlzbnBPZlNIdGVHOE1LNVNESjN3cGtVSHVpT1NJWHE1ZzNmUTVTOC0xX3NGSmJqU19IbjZfQWtMRG1YNUQtRy13TUJIZFlyOXJkQzFQbkdZVXVzM2czbS1HWHFBT1pXdVd3N09tcG82SVhnY1ZtUWxqTEg2UzJCUmllb2pweVN2aGwwS1FVRUhjNEN2amRMc3MwVU4zN3dVMWM5Slg4SERtenFaQk1yMWx0LWtxVWtLZVVtbU4yejVEM2h6TEt0RGdfWE09",
+      "provider": "1b59e032-3eb6-4694-93a5-df84cd9b3ce2"
+    }
+  },
+  {
+    "model": "api.providersecret",
+    "pk": "ae48ecde-75cd-4814-92ab-18f48719e5d9",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:45:26.412Z",
+      "updated_at": "2024-10-18T10:45:26.412Z",
+      "name": "Valid AWS Credentials",
+      "secret_type": "static",
+      "_secret": "Z0FBQUFBQm5FanhHa3dXS0I3M2NmWm56SktiaGNqdDZUN0xQU1QwUi15QkhLZldFUmRENk1BXzlscG9JSUxVSTF5ekxuMkdEanlJNjhPUS1VSV9wVTBvU2l4ZnNGOVJhYW93RC1LTEhmc2pyOTJvUWwyWnpFY19WN1pRQk5IdDYwYnBDQnF1eU9nUzdwTGU3QU5qMGFyX1E4SXdpSk9paGVLcVpOVUhwb3duaXgxZ0ZxME5Pcm40QzBGWEZKY2lmRVlCMGFuVFVzemxuVjVNalZVQ2JsY2ZqNWt3Z01IYUZ0dk92YkdtSUZ5SlBvQWZoVU5DWlRFWmExNnJGVEY4Q1Bnd2VJUW9TSWdRcG9rSDNfREQwRld3Q1RYVnVYWVJLWWIxZmpsWGpwd0xQM0dtLTlYUjdHOVhhNklLWXFGTHpFQUVyVmNhYW9CU0tocGVyX3VjMkVEcVdjdFBfaVpsLTBzaUxrWTlta3dpelNtTG9xYVhBUHUzNUE4RnI1WXdJdHcxcFVfaG1XRHhDVFBKamxJb1FaQ2lsQ3FzRmxZbEJVemVkT1E2aHZfbDJqWDJPT3ViOWJGYzQ3eTNWNlFQSHBWRDFiV2tneDM4SmVqMU9Bd01TaXhPY2dmWG5RdENURkM2b2s5V3luVUZQcnFKNldnWEdYaWE2MnVNQkEwMHd6cUY5cVJkcGw4bHBtNzhPeHhkREdwSXNEc1JqQkxUR1FYRTV0UFNwbVlVSWF5LWgtbVhJZXlPZ0Q4cG9HX2E0Qld0LTF1TTFEVy1XNGdnQTRpLWpQQmFJUEdaOFJGNDVoUVJnQ25YVU5DTENMaTY4YmxtYWJFRERXTjAydVN2YnBDb3RkUE0zSDRlN1A3TXc4d2h1Wmd0LWUzZEcwMUstNUw2YnFyS2Z0NEVYMXllQW5GLVBpeU55SkNhczFIeFhrWXZpVXdwSFVrTDdiQjQtWHZJdERXVThzSnJsT2FNZzJDaUt6Y2NXYUZhUlo3VkY0R1BrSHNHNHprTmxjYmp1TXVKakRha0VtNmRFZWRmZHJWdnRCOVNjVGFVWjVQM3RwWWl4SkNmOU1pb2xqMFdOblhNY3Y3aERpOHFlWjJRc2dtRDkzZm1Qc29wdk5OQmJPbGk5ZUpGM1I2YzRJN2gxR3FEMllXR1pma1k0emVqSjZyMUliMGZsc3NfSlVDbGt4QzJTc3hHOU9FRHlZb09zVnlvcDR6WC1uclRSenI0Yy13WlFWNzJWRkwydjhmSjFZdnZ5X3NmZVF6UWRNMXo5STVyV3B0d09UUlFtOURITGhXSDVIUl9zYURJc05KWUNxekVyYkxJclNFNV9leEk4R2xsMGJod3lYeFIwaXR2dllwLTZyNWlXdDRpRkxVYkxWZFdvYUhKck5aeElBZUtKejNKS2tYVW1rTnVrRjJBQmdlZmV6ckozNjNwRmxLS1FaZzRVTTBZYzFFYi1idjBpZkQ3bWVvbEdRZXJrWFNleWZmSmFNdG1wQlp0YmxjWDV5T0tEbHRsYnNHbjRPRjl5MkttOUhRWlJtd1pmTnY4Z1lPRlZoTzFGVDdTZ0RDY1ByV0RndTd5LUNhcHNXUnNIeXdLMEw3WS1tektRTWFLQy1zakpMLWFiM3FOakE1UWU4LXlOX2VPbmd4MTZCRk9OY3Z4UGVDSWxhRlg4eHI4X1VUTDZZM0pjV0JDVi1UUjlTUl85cm1LWlZ0T1dzU0lpdWUwbXgtZ0l6eHNSNExRTV9MczJ6UkRkVElnRV9Rc0RoTDFnVHRZSEFPb2paX200TzZiRzVmRE5hOW5CTjh5Qi1WaEtueEpqRzJDY1luVWZtX1pseUpQSE5lQ0RrZ05EbWo5cU9MZ0ZkcXlqUll4UUkyejRfY2p4RXdEeC1PS1JIQVNUcmNIdkRJbzRiUktMWEQxUFM3aGNzeVFWUDdtcm5xNHlOYUU9",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555"
+    }
+  }
+]

api/src/backend/api/fixtures/dev/3_dev_scans.json

@@ -0,0 +1,256 @@
+[
+  {
+    "model": "api.scan",
+    "pk": "0191e280-9d2f-71c8-9b18-487a23ba185e",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "37b065f8-26b0-4218-a665-0b23d07b27d9",
+      "trigger": "manual",
+      "name": "test scan 1",
+      "state": "completed",
+      "unique_resource_count": 1,
+      "duration": 5,
+      "scanner_args": {
+        "checks_to_execute": ["accessanalyzer_enabled"]
+      },
+      "inserted_at": "2024-09-01T17:25:27.050Z",
+      "started_at": "2024-09-01T17:25:27.050Z",
+      "updated_at": "2024-09-01T17:25:27.050Z",
+      "completed_at": "2024-09-01T17:25:32.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "01920573-aa9c-73c9-bcda-f2e35c9b19d2",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "b85601a8-4b45-4194-8135-03fb980ef428",
+      "trigger": "manual",
+      "name": "test aws scan 2",
+      "state": "completed",
+      "unique_resource_count": 1,
+      "duration": 20,
+      "scanner_args": {
+        "checks_to_execute": ["accessanalyzer_enabled"]
+      },
+      "inserted_at": "2024-09-02T17:24:27.050Z",
+      "started_at": "2024-09-02T17:24:27.050Z",
+      "updated_at": "2024-09-02T17:24:27.050Z",
+      "completed_at": "2024-09-01T17:24:37.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "01920573-ea5b-77fd-a93f-1ed2ae12f728",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "baa7b895-8bac-4f47-b010-4226d132856e",
+      "trigger": "manual",
+      "name": "test gcp scan",
+      "state": "completed",
+      "unique_resource_count": 10,
+      "duration": 10,
+      "scanner_args": {
+        "checks_to_execute": ["cloudsql_instance_automated_backups"]
+      },
+      "inserted_at": "2024-09-02T19:26:27.050Z",
+      "started_at": "2024-09-02T19:26:27.050Z",
+      "updated_at": "2024-09-02T19:26:27.050Z",
+      "completed_at": "2024-09-01T17:26:37.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "01920573-ea5b-77fd-a93f-1ed2ae12f728",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "b85601a8-4b45-4194-8135-03fb980ef428",
+      "trigger": "manual",
+      "name": "test aws scan",
+      "state": "completed",
+      "unique_resource_count": 1,
+      "duration": 35,
+      "scanner_args": {
+        "checks_to_execute": ["accessanalyzer_enabled"]
+      },
+      "inserted_at": "2024-09-02T19:27:27.050Z",
+      "started_at": "2024-09-02T19:27:27.050Z",
+      "updated_at": "2024-09-02T19:27:27.050Z",
+      "completed_at": "2024-09-01T17:27:37.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "c281c924-23f3-4fcc-ac63-73a22154b7de",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "b85601a8-4b45-4194-8135-03fb980ef428",
+      "trigger": "scheduled",
+      "name": "test scheduled aws scan",
+      "state": "available",
+      "scanner_args": {
+        "checks_to_execute": ["cloudformation_stack_outputs_find_secrets"]
+      },
+      "scheduled_at": "2030-09-02T19:20:27.050Z",
+      "inserted_at": "2024-09-02T19:24:27.050Z",
+      "updated_at": "2024-09-02T19:24:27.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "25c8907c-b26e-4ec0-966b-a1f53a39d8e6",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "b85601a8-4b45-4194-8135-03fb980ef428",
+      "trigger": "scheduled",
+      "name": "test scheduled aws scan 2",
+      "state": "available",
+      "scanner_args": {
+        "checks_to_execute": [
+          "accessanalyzer_enabled",
+          "cloudformation_stack_outputs_find_secrets"
+        ]
+      },
+      "scheduled_at": "2030-08-02T19:31:27.050Z",
+      "inserted_at": "2024-09-02T19:38:27.050Z",
+      "updated_at": "2024-09-02T19:38:27.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "25c8907c-b26e-4ec0-966b-a1f53a39d8e6",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "baa7b895-8bac-4f47-b010-4226d132856e",
+      "trigger": "scheduled",
+      "name": "test scheduled gcp scan",
+      "state": "available",
+      "scanner_args": {
+        "checks_to_execute": [
+          "cloudsql_instance_automated_backups",
+          "iam_audit_logs_enabled"
+        ]
+      },
+      "scheduled_at": "2030-07-02T19:30:27.050Z",
+      "inserted_at": "2024-09-02T19:29:27.050Z",
+      "updated_at": "2024-09-02T19:29:27.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "25c8907c-b26e-4ec0-966b-a1f53a39d8e6",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "1b59e032-3eb6-4694-93a5-df84cd9b3ce2",
+      "trigger": "scheduled",
+      "name": "test scheduled azure scan",
+      "state": "available",
+      "scanner_args": {
+        "checks_to_execute": [
+          "aks_cluster_rbac_enabled",
+          "defender_additional_email_configured_with_a_security_contact"
+        ]
+      },
+      "scheduled_at": "2030-08-05T19:32:27.050Z",
+      "inserted_at": "2024-09-02T19:29:27.050Z",
+      "updated_at": "2024-09-02T19:29:27.050Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "01929f3b-ed2e-7623-ad63-7c37cd37828f",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "real scan 1",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "trigger": "manual",
+      "state": "completed",
+      "unique_resource_count": 19,
+      "progress": 100,
+      "scanner_args": {
+        "checks_to_execute": ["accessanalyzer_enabled"]
+      },
+      "duration": 7,
+      "scheduled_at": null,
+      "inserted_at": "2024-10-18T10:45:57.678Z",
+      "updated_at": "2024-10-18T10:46:05.127Z",
+      "started_at": "2024-10-18T10:45:57.909Z",
+      "completed_at": "2024-10-18T10:46:05.127Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "6dd8925f-a52d-48de-a546-d2d90db30ab1",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "real scan azure",
+      "provider": "1b59e032-3eb6-4694-93a5-df84cd9b3ce2",
+      "trigger": "manual",
+      "state": "completed",
+      "unique_resource_count": 20,
+      "progress": 100,
+      "scanner_args": {
+        "checks_to_execute": [
+          "accessanalyzer_enabled",
+          "account_security_contact_information_is_registered"
+        ]
+      },
+      "duration": 4,
+      "scheduled_at": null,
+      "inserted_at": "2024-10-18T11:16:21.358Z",
+      "updated_at": "2024-10-18T11:16:26.060Z",
+      "started_at": "2024-10-18T11:16:21.593Z",
+      "completed_at": "2024-10-18T11:16:26.060Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "4ca7ce89-3236-41a8-a369-8937bc152af5",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "real scan k8s",
+      "provider": "7791914f-d646-4fe2-b2ed-73f2c6499a36",
+      "trigger": "manual",
+      "state": "completed",
+      "unique_resource_count": 20,
+      "progress": 100,
+      "scanner_args": {
+        "checks_to_execute": [
+          "accessanalyzer_enabled",
+          "account_security_contact_information_is_registered"
+        ]
+      },
+      "duration": 4,
+      "scheduled_at": null,
+      "inserted_at": "2024-10-18T11:16:21.358Z",
+      "updated_at": "2024-10-18T11:16:26.060Z",
+      "started_at": "2024-10-18T11:16:21.593Z",
+      "completed_at": "2024-10-18T11:16:26.060Z"
+    }
+  },
+  {
+    "model": "api.scan",
+    "pk": "01929f57-c0ee-7553-be0b-cbde006fb6f7",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "real scan 2",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "trigger": "manual",
+      "state": "completed",
+      "unique_resource_count": 20,
+      "progress": 100,
+      "scanner_args": {
+        "checks_to_execute": [
+          "accessanalyzer_enabled",
+          "account_security_contact_information_is_registered"
+        ]
+      },
+      "duration": 4,
+      "scheduled_at": null,
+      "inserted_at": "2024-10-18T11:16:21.358Z",
+      "updated_at": "2024-10-18T11:16:26.060Z",
+      "started_at": "2024-10-18T11:16:21.593Z",
+      "completed_at": "2024-10-18T11:16:26.060Z"
+    }
+  }
+]

api/src/backend/api/fixtures/dev/4_dev_resources.json

@@ -0,0 +1,322 @@
+[
+  {
+    "model": "api.resource",
+    "pk": "0234477d-0b8e-439f-87d3-ce38dff3a434",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.772Z",
+      "updated_at": "2024-10-18T11:16:24.466Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root",
+      "name": "",
+      "region": "eu-south-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'eu':7C 'eu-south':6C 'iam':3A 'other':11 'root':5A 'south':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "17ce30a3-6e77-42a5-bb08-29dfcad7396a",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.882Z",
+      "updated_at": "2024-10-18T11:16:24.533Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root2",
+      "name": "",
+      "region": "eu-west-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'eu':7C 'eu-west':6C 'iam':3A 'other':11 'root':5A 'west':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "1f9de587-ba5b-415a-b9b0-ceed4c6c9f32",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.091Z",
+      "updated_at": "2024-10-18T11:16:24.637Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root3",
+      "name": "",
+      "region": "ap-northeast-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-northeast':6C 'arn':1A 'aws':2A 'iam':3A 'northeast':8C 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "29b35668-6dad-411d-bfec-492311889892",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.008Z",
+      "updated_at": "2024-10-18T11:16:24.600Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root4",
+      "name": "",
+      "region": "us-west-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'iam':3A 'other':11 'root':5A 'us':7C 'us-west':6C 'west':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "30505514-01d4-42bb-8b0c-471bbab27460",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T11:16:26.014Z",
+      "updated_at": "2024-10-18T11:16:26.023Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root5",
+      "name": "",
+      "region": "us-east-1",
+      "service": "account",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'account':10 'arn':1A 'aws':2A 'east':8C 'iam':3A 'other':11 'root':5A 'us':7C 'us-east':6C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "372932f0-e4df-4968-9721-bb4f6236fae4",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.848Z",
+      "updated_at": "2024-10-18T11:16:24.516Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root6",
+      "name": "",
+      "region": "eu-west-3",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'3':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'eu':7C 'eu-west':6C 'iam':3A 'other':11 'root':5A 'west':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "3a37d124-7637-43f6-9df7-e9aa7ef98c53",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.979Z",
+      "updated_at": "2024-10-18T11:16:24.585Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root7",
+      "name": "",
+      "region": "sa-east-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'east':8C 'iam':3A 'other':11 'root':5A 'sa':7C 'sa-east':6C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "3c49318e-03c6-4f12-876f-40451ce7de3d",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.072Z",
+      "updated_at": "2024-10-18T11:16:24.630Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root8",
+      "name": "",
+      "region": "ap-southeast-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-southeast':6C 'arn':1A 'aws':2A 'iam':3A 'other':11 'root':5A 'southeast':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "430bf313-8733-4bc5-ac70-5402adfce880",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.994Z",
+      "updated_at": "2024-10-18T11:16:24.593Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root9",
+      "name": "",
+      "region": "eu-north-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'eu':7C 'eu-north':6C 'iam':3A 'north':8C 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "78bd2a52-82f9-45df-90a9-4ad78254fdc4",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.055Z",
+      "updated_at": "2024-10-18T11:16:24.622Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root10",
+      "name": "",
+      "region": "ap-northeast-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-northeast':6C 'arn':1A 'aws':2A 'iam':3A 'northeast':8C 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "7973e332-795e-4a74-b4d4-a53a21c98c80",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.896Z",
+      "updated_at": "2024-10-18T11:16:24.542Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root11",
+      "name": "",
+      "region": "us-east-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'east':8C 'iam':3A 'other':11 'root':5A 'us':7C 'us-east':6C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "8ca0a188-5699-436e-80fd-e566edaeb259",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.938Z",
+      "updated_at": "2024-10-18T11:16:24.565Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root12",
+      "name": "",
+      "region": "ca-central-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'ca':7C 'ca-central':6C 'central':8C 'iam':3A 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "8fe4514f-71d7-46ab-b0dc-70cef23b4d13",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.965Z",
+      "updated_at": "2024-10-18T11:16:24.578Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root13",
+      "name": "",
+      "region": "eu-west-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'eu':7C 'eu-west':6C 'iam':3A 'other':11 'root':5A 'west':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "9ab35225-dc7c-4ebd-bbc0-d81fb5d9de77",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.909Z",
+      "updated_at": "2024-10-18T11:16:24.549Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root14",
+      "name": "",
+      "region": "ap-south-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-south':6C 'arn':1A 'aws':2A 'iam':3A 'other':11 'root':5A 'south':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "9be26c1d-adf0-4ba8-9ca9-c740f4a0dc4e",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.863Z",
+      "updated_at": "2024-10-18T11:16:24.524Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root15",
+      "name": "",
+      "region": "eu-central-2",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'2':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'central':8C 'eu':7C 'eu-central':6C 'iam':3A 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "ba108c01-bcad-44f1-b211-c1d8985da89d",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.110Z",
+      "updated_at": "2024-10-18T11:16:24.644Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root16",
+      "name": "",
+      "region": "ap-northeast-3",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'3':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-northeast':6C 'arn':1A 'aws':2A 'iam':3A 'northeast':8C 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "dc6cfb5d-6835-4c7b-9152-c18c734a6eaa",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.038Z",
+      "updated_at": "2024-10-18T11:16:24.615Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root17",
+      "name": "",
+      "region": "eu-central-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'central':8C 'eu':7C 'eu-central':6C 'iam':3A 'other':11 'root':5A"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "e0664164-cfda-44a4-b743-acee1c69386c",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.924Z",
+      "updated_at": "2024-10-18T11:16:24.557Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root18",
+      "name": "",
+      "region": "us-west-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'arn':1A 'aws':2A 'iam':3A 'other':11 'root':5A 'us':7C 'us-west':6C 'west':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "e1929daa-a984-4116-8131-492a48321dba",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:05.023Z",
+      "updated_at": "2024-10-18T11:16:24.607Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:iam::112233445566:root19",
+      "name": "",
+      "region": "ap-southeast-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9C '112233445566':4A 'accessanalyzer':10 'ap':7C 'ap-southeast':6C 'arn':1A 'aws':2A 'iam':3A 'other':11 'root':5A 'southeast':8C"
+    }
+  },
+  {
+    "model": "api.resource",
+    "pk": "e37bb1f1-1669-4bb3-be86-e3378ddfbcba",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "inserted_at": "2024-10-18T10:46:04.952Z",
+      "updated_at": "2024-10-18T11:16:24.571Z",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "uid": "arn:aws:access-analyzer:us-east-1:112233445566:analyzer/ConsoleAnalyzer-83b66ad7-d024-454e-b851-52d11cc1cf7c",
+      "name": "",
+      "region": "us-east-1",
+      "service": "accessanalyzer",
+      "type": "Other",
+      "text_search": "'1':9A,15C '112233445566':10A 'access':4A 'access-analyzer':3A 'accessanalyzer':16 'analyzer':5A 'analyzer/consoleanalyzer-83b66ad7-d024-454e-b851-52d11cc1cf7c':11A 'arn':1A 'aws':2A 'east':8A,14C 'other':17 'us':7A,13C 'us-east':6A,12C"
+    }
+  }
+]

api/src/backend/api/fixtures/dev/6_dev_rbac.json

@@ -0,0 +1,153 @@
+[
+  {
+    "model": "api.providergroup",
+    "pk": "3fe28fb8-e545-424c-9b8f-69aff638f430",
+    "fields": {
+      "name": "first_group",
+      "inserted_at": "2024-11-13T11:36:19.503Z",
+      "updated_at": "2024-11-13T11:36:19.503Z",
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362"
+    }
+  },
+  {
+    "model": "api.providergroup",
+    "pk": "525e91e7-f3f3-4254-bbc3-27ce1ade86b1",
+    "fields": {
+      "name": "second_group",
+      "inserted_at": "2024-11-13T11:36:25.421Z",
+      "updated_at": "2024-11-13T11:36:25.421Z",
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362"
+    }
+  },
+  {
+    "model": "api.providergroup",
+    "pk": "481769f5-db2b-447b-8b00-1dee18db90ec",
+    "fields": {
+      "name": "third_group",
+      "inserted_at": "2024-11-13T11:36:37.603Z",
+      "updated_at": "2024-11-13T11:36:37.603Z",
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362"
+    }
+  },
+  {
+    "model": "api.providergroupmembership",
+    "pk": "13625bd3-f428-4021-ac1b-b0bd41b6e02f",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "1b59e032-3eb6-4694-93a5-df84cd9b3ce2",
+      "provider_group": "3fe28fb8-e545-424c-9b8f-69aff638f430",
+      "inserted_at": "2024-11-13T11:55:17.138Z"
+    }
+  },
+  {
+    "model": "api.providergroupmembership",
+    "pk": "54784ebe-42d2-4937-aa6a-e21c62879567",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "provider_group": "3fe28fb8-e545-424c-9b8f-69aff638f430",
+      "inserted_at": "2024-11-13T11:55:17.138Z"
+    }
+  },
+  {
+    "model": "api.providergroupmembership",
+    "pk": "c8bd52d5-42a5-48fe-8e0a-3eef154b8ebe",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "provider": "15fce1fa-ecaa-433f-a9dc-62553f3a2555",
+      "provider_group": "525e91e7-f3f3-4254-bbc3-27ce1ade86b1",
+      "inserted_at": "2024-11-13T11:55:41.237Z"
+    }
+  },
+  {
+    "model": "api.role",
+    "pk": "3f01e759-bdf9-4a99-8888-1ab805b79f93",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "admin_test",
+      "manage_users": true,
+      "manage_account": true,
+      "manage_billing": true,
+      "manage_providers": true,
+      "manage_integrations": true,
+      "manage_scans": true,
+      "unlimited_visibility": true,
+      "inserted_at": "2024-11-20T15:32:42.402Z",
+      "updated_at": "2024-11-20T15:32:42.402Z"
+    }
+  },
+  {
+    "model": "api.role",
+    "pk": "845ff03a-87ef-42ba-9786-6577c70c4df0",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "first_role",
+      "manage_users": true,
+      "manage_account": true,
+      "manage_billing": true,
+      "manage_providers": true,
+      "manage_integrations": false,
+      "manage_scans": false,
+      "unlimited_visibility": true,
+      "inserted_at": "2024-11-20T15:31:53.239Z",
+      "updated_at": "2024-11-20T15:31:53.239Z"
+    }
+  },
+  {
+    "model": "api.role",
+    "pk": "902d726c-4bd5-413a-a2a4-f7b4754b6b20",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "name": "third_role",
+      "manage_users": false,
+      "manage_account": false,
+      "manage_billing": false,
+      "manage_providers": false,
+      "manage_integrations": false,
+      "manage_scans": true,
+      "unlimited_visibility": false,
+      "inserted_at": "2024-11-20T15:34:05.440Z",
+      "updated_at": "2024-11-20T15:34:05.440Z"
+    }
+  },
+  {
+    "model": "api.roleprovidergrouprelationship",
+    "pk": "57fd024a-0a7f-49b4-a092-fa0979a07aaf",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "3f01e759-bdf9-4a99-8888-1ab805b79f93",
+      "provider_group": "3fe28fb8-e545-424c-9b8f-69aff638f430",
+      "inserted_at": "2024-11-20T15:32:42.402Z"
+    }
+  },
+  {
+    "model": "api.roleprovidergrouprelationship",
+    "pk": "a3cd0099-1c13-4df1-a5e5-ecdfec561b35",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "3f01e759-bdf9-4a99-8888-1ab805b79f93",
+      "provider_group": "481769f5-db2b-447b-8b00-1dee18db90ec",
+      "inserted_at": "2024-11-20T15:32:42.402Z"
+    }
+  },
+  {
+    "model": "api.roleprovidergrouprelationship",
+    "pk": "cfd84182-a058-40c2-af3c-0189b174940f",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "3f01e759-bdf9-4a99-8888-1ab805b79f93",
+      "provider_group": "525e91e7-f3f3-4254-bbc3-27ce1ade86b1",
+      "inserted_at": "2024-11-20T15:32:42.402Z"
+    }
+  },
+  {
+    "model": "api.userrolerelationship",
+    "pk": "92339663-e954-4fd8-98fb-8bfe15949975",
+    "fields": {
+      "tenant": "12646005-9067-4d2a-a098-8bb378604362",
+      "role": "3f01e759-bdf9-4a99-8888-1ab805b79f93",
+      "user": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
+      "inserted_at": "2024-11-20T15:36:14.302Z"
+    }
+  }
+]

api/src/backend/api/management/commands/findings.py

@@ -0,0 +1,237 @@
+import random
+from datetime import datetime, timezone
+from math import ceil
+from uuid import uuid4
+
+from django.core.management.base import BaseCommand
+from tqdm import tqdm
+
+from api.db_utils import rls_transaction
+from api.models import (
+    Finding,
+    Provider,
+    Resource,
+    ResourceFindingMapping,
+    Scan,
+    StatusChoices,
+)
+from prowler.lib.check.models import CheckMetadata
+
+
+class Command(BaseCommand):
+    help = "Populates the database with test data for performance testing."
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--tenant",
+            type=str,
+            required=True,
+            help="Tenant id for which the data will be populated.",
+        )
+        parser.add_argument(
+            "--resources",
+            type=int,
+            required=True,
+            help="The number of resources to create.",
+        )
+        parser.add_argument(
+            "--findings",
+            type=int,
+            required=True,
+            help="The number of findings to create.",
+        )
+        parser.add_argument(
+            "--batch", type=int, required=True, help="The batch size for bulk creation."
+        )
+        parser.add_argument(
+            "--alias",
+            type=str,
+            required=False,
+            help="Optional alias for the provider and scan",
+        )
+
+    def handle(self, *args, **options):
+        tenant_id = options["tenant"]
+        num_resources = options["resources"]
+        num_findings = options["findings"]
+        batch_size = options["batch"]
+        alias = options["alias"] or "Testing"
+        uid_token = str(uuid4())
+
+        self.stdout.write(self.style.NOTICE("Starting data population"))
+        self.stdout.write(self.style.NOTICE(f"\tTenant: {tenant_id}"))
+        self.stdout.write(self.style.NOTICE(f"\tAlias: {alias}"))
+        self.stdout.write(self.style.NOTICE(f"\tResources: {num_resources}"))
+        self.stdout.write(self.style.NOTICE(f"\tFindings: {num_findings}"))
+        self.stdout.write(self.style.NOTICE(f"\tBatch size: {batch_size}\n\n"))
+
+        # Resource metadata
+        possible_regions = [
+            "us-east-1",
+            "us-east-2",
+            "us-west-1",
+            "us-west-2",
+            "ca-central-1",
+            "eu-central-1",
+            "eu-west-1",
+            "eu-west-2",
+            "eu-west-3",
+            "ap-southeast-1",
+            "ap-southeast-2",
+            "ap-northeast-1",
+            "ap-northeast-2",
+            "ap-south-1",
+            "sa-east-1",
+        ]
+        possible_services = []
+        possible_types = []
+
+        bulk_check_metadata = CheckMetadata.get_bulk(provider="aws")
+        for check_metadata in bulk_check_metadata.values():
+            if check_metadata.ServiceName not in possible_services:
+                possible_services.append(check_metadata.ServiceName)
+            if (
+                check_metadata.ResourceType
+                and check_metadata.ResourceType not in possible_types
+            ):
+                possible_types.append(check_metadata.ResourceType)
+
+        with rls_transaction(tenant_id):
+            provider, _ = Provider.all_objects.get_or_create(
+                tenant_id=tenant_id,
+                provider="aws",
+                connected=True,
+                uid=str(random.randint(100000000000, 999999999999)),
+                defaults={
+                    "alias": alias,
+                },
+            )
+
+        with rls_transaction(tenant_id):
+            scan = Scan.all_objects.create(
+                tenant_id=tenant_id,
+                provider=provider,
+                name=alias,
+                trigger="manual",
+                state="executing",
+                progress=0,
+                started_at=datetime.now(timezone.utc),
+            )
+        scan_state = "completed"
+
+        try:
+            # Create resources
+            resources = []
+
+            for i in range(num_resources):
+                resources.append(
+                    Resource(
+                        tenant_id=tenant_id,
+                        provider_id=provider.id,
+                        uid=f"testing-{uid_token}-{i}",
+                        name=f"Testing {uid_token}-{i}",
+                        region=random.choice(possible_regions),
+                        service=random.choice(possible_services),
+                        type=random.choice(possible_types),
+                    )
+                )
+
+            num_batches = ceil(len(resources) / batch_size)
+            self.stdout.write(self.style.WARNING("Creating resources..."))
+            for i in tqdm(range(0, len(resources), batch_size), total=num_batches):
+                with rls_transaction(tenant_id):
+                    Resource.all_objects.bulk_create(resources[i : i + batch_size])
+            self.stdout.write(self.style.SUCCESS("Resources created successfully.\n\n"))
+
+            with rls_transaction(tenant_id):
+                scan.progress = 33
+                scan.save()
+
+            # Create Findings
+            findings = []
+            possible_deltas = ["new", "changed", None]
+            possible_severities = ["critical", "high", "medium", "low"]
+            findings_resources_mapping = []
+
+            for i in range(num_findings):
+                severity = random.choice(possible_severities)
+                check_id = random.randint(1, 1000)
+                assigned_resource_num = random.randint(0, len(resources) - 1)
+                assigned_resource = resources[assigned_resource_num]
+                findings_resources_mapping.append(assigned_resource_num)
+
+                findings.append(
+                    Finding(
+                        tenant_id=tenant_id,
+                        scan=scan,
+                        uid=f"testing-{uid_token}-{i}",
+                        delta=random.choice(possible_deltas),
+                        check_id=f"check-{check_id}",
+                        status=random.choice(list(StatusChoices)),
+                        severity=severity,
+                        impact=severity,
+                        raw_result={},
+                        check_metadata={
+                            "checktitle": f"Test title for check {check_id}",
+                            "risk": f"Testing risk {uid_token}-{i}",
+                            "provider": "aws",
+                            "severity": severity,
+                            "categories": ["category1", "category2", "category3"],
+                            "description": "This is a random description that should not matter for testing purposes.",
+                            "servicename": assigned_resource.service,
+                            "resourcetype": assigned_resource.type,
+                        },
+                    )
+                )
+
+            num_batches = ceil(len(findings) / batch_size)
+            self.stdout.write(self.style.WARNING("Creating findings..."))
+            for i in tqdm(range(0, len(findings), batch_size), total=num_batches):
+                with rls_transaction(tenant_id):
+                    Finding.all_objects.bulk_create(findings[i : i + batch_size])
+            self.stdout.write(self.style.SUCCESS("Findings created successfully.\n\n"))
+
+            with rls_transaction(tenant_id):
+                scan.progress = 66
+                scan.save()
+
+            # Create ResourceFindingMapping
+            mappings = []
+            for index, f in enumerate(findings):
+                mappings.append(
+                    ResourceFindingMapping(
+                        tenant_id=tenant_id,
+                        resource=resources[findings_resources_mapping[index]],
+                        finding=f,
+                    )
+                )
+
+            num_batches = ceil(len(mappings) / batch_size)
+            self.stdout.write(
+                self.style.WARNING("Creating resource-finding mappings...")
+            )
+            for i in tqdm(range(0, len(mappings), batch_size), total=num_batches):
+                with rls_transaction(tenant_id):
+                    ResourceFindingMapping.objects.bulk_create(
+                        mappings[i : i + batch_size]
+                    )
+            self.stdout.write(
+                self.style.SUCCESS(
+                    "Resource-finding mappings created successfully.\n\n"
+                )
+            )
+        except Exception as e:
+            self.stdout.write(self.style.ERROR(f"Failed to populate test data: {e}"))
+            scan_state = "failed"
+        finally:
+            scan.completed_at = datetime.now(timezone.utc)
+            scan.duration = int(
+                (datetime.now(timezone.utc) - scan.started_at).total_seconds()
+            )
+            scan.progress = 100
+            scan.state = scan_state
+            scan.unique_resource_count = num_resources
+            with rls_transaction(tenant_id):
+                scan.save()
+
+        self.stdout.write(self.style.NOTICE("Successfully populated test data."))

api/src/backend/api/middleware.py

@@ -0,0 +1,49 @@
+import logging
+import time
+
+from config.custom_logging import BackendLogger
+
+
+def extract_auth_info(request) -> dict:
+    if getattr(request, "auth", None) is not None:
+        tenant_id = request.auth.get("tenant_id", "N/A")
+        user_id = request.auth.get("sub", "N/A")
+    else:
+        tenant_id, user_id = "N/A", "N/A"
+    return {"tenant_id": tenant_id, "user_id": user_id}
+
+
+class APILoggingMiddleware:
+    """
+    Middleware for logging API requests.
+
+    This middleware logs details of API requests, including the typical request metadata among other useful information.
+
+    Args:
+        get_response (Callable): A callable to get the response, typically the next middleware or view.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.logger = logging.getLogger(BackendLogger.API)
+
+    def __call__(self, request):
+        request_start_time = time.time()
+
+        response = self.get_response(request)
+        duration = time.time() - request_start_time
+        auth_info = extract_auth_info(request)
+        self.logger.info(
+            "",
+            extra={
+                "user_id": auth_info["user_id"],
+                "tenant_id": auth_info["tenant_id"],
+                "method": request.method,
+                "path": request.path,
+                "query_params": request.GET.dict(),
+                "status_code": response.status_code,
+                "duration": duration,
+            },
+        )
+
+        return response

api/src/backend/api/migrations/0002_token_migrations.py

@@ -0,0 +1,23 @@
+from django.conf import settings
+from django.db import migrations
+
+from api.db_utils import DB_PROWLER_USER
+
+DB_NAME = settings.DATABASES["default"]["NAME"]
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0001_initial"),
+        ("token_blacklist", "0012_alter_outstandingtoken_user"),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            f"""
+            GRANT SELECT, INSERT, UPDATE, DELETE ON token_blacklist_blacklistedtoken TO {DB_PROWLER_USER};
+            GRANT SELECT, INSERT, UPDATE, DELETE ON token_blacklist_outstandingtoken TO {DB_PROWLER_USER};
+            GRANT SELECT, DELETE ON django_admin_log TO {DB_PROWLER_USER};
+            """
+        ),
+    ]

api/src/backend/api/migrations/0003_update_provider_unique_constraint_with_is_deleted.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.1 on 2024-12-20 13:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0002_token_migrations"),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="provider",
+            name="unique_provider_uids",
+        ),
+        migrations.AddConstraint(
+            model_name="provider",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "provider", "uid", "is_deleted"),
+                name="unique_provider_uids",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0004_rbac.py

@@ -0,0 +1,248 @@
+# Generated by Django 5.1.1 on 2024-12-05 12:29
+
+import uuid
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0003_update_provider_unique_constraint_with_is_deleted"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Role",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("name", models.CharField(max_length=255)),
+                ("manage_users", models.BooleanField(default=False)),
+                ("manage_account", models.BooleanField(default=False)),
+                ("manage_billing", models.BooleanField(default=False)),
+                ("manage_providers", models.BooleanField(default=False)),
+                ("manage_integrations", models.BooleanField(default=False)),
+                ("manage_scans", models.BooleanField(default=False)),
+                ("unlimited_visibility", models.BooleanField(default=False)),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "roles",
+            },
+        ),
+        migrations.CreateModel(
+            name="RoleProviderGroupRelationship",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "role_provider_group_relationship",
+            },
+        ),
+        migrations.CreateModel(
+            name="UserRoleRelationship",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "role_user_relationship",
+            },
+        ),
+        migrations.AddField(
+            model_name="roleprovidergrouprelationship",
+            name="provider_group",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.providergroup"
+            ),
+        ),
+        migrations.AddField(
+            model_name="roleprovidergrouprelationship",
+            name="role",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.role"
+            ),
+        ),
+        migrations.AddField(
+            model_name="role",
+            name="provider_groups",
+            field=models.ManyToManyField(
+                related_name="roles",
+                through="api.RoleProviderGroupRelationship",
+                to="api.providergroup",
+            ),
+        ),
+        migrations.AddField(
+            model_name="userrolerelationship",
+            name="role",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.role"
+            ),
+        ),
+        migrations.AddField(
+            model_name="userrolerelationship",
+            name="user",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+            ),
+        ),
+        migrations.AddField(
+            model_name="role",
+            name="users",
+            field=models.ManyToManyField(
+                related_name="roles",
+                through="api.UserRoleRelationship",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="roleprovidergrouprelationship",
+            constraint=models.UniqueConstraint(
+                fields=("role_id", "provider_group_id"),
+                name="unique_role_provider_group_relationship",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="roleprovidergrouprelationship",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_roleprovidergrouprelationship",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="userrolerelationship",
+            constraint=models.UniqueConstraint(
+                fields=("role_id", "user_id"), name="unique_role_user_relationship"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="userrolerelationship",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_userrolerelationship",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="role",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "name"), name="unique_role_per_tenant"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="role",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_role",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.CreateModel(
+            name="InvitationRoleRelationship",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "invitation",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.invitation"
+                    ),
+                ),
+                (
+                    "role",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.role"
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "role_invitation_relationship",
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="invitationrolerelationship",
+            constraint=models.UniqueConstraint(
+                fields=("role_id", "invitation_id"),
+                name="unique_role_invitation_relationship",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="invitationrolerelationship",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_invitationrolerelationship",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddField(
+            model_name="role",
+            name="invitations",
+            field=models.ManyToManyField(
+                related_name="roles",
+                through="api.InvitationRoleRelationship",
+                to="api.invitation",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0005_rbac_missing_admin_roles.py

@@ -0,0 +1,44 @@
+from django.db import migrations
+
+from api.db_router import MainRouter
+
+
+def create_admin_role(apps, schema_editor):
+    Tenant = apps.get_model("api", "Tenant")
+    Role = apps.get_model("api", "Role")
+    User = apps.get_model("api", "User")
+    UserRoleRelationship = apps.get_model("api", "UserRoleRelationship")
+
+    for tenant in Tenant.objects.using(MainRouter.admin_db).all():
+        admin_role, _ = Role.objects.using(MainRouter.admin_db).get_or_create(
+            name="admin",
+            tenant=tenant,
+            defaults={
+                "manage_users": True,
+                "manage_account": True,
+                "manage_billing": True,
+                "manage_providers": True,
+                "manage_integrations": True,
+                "manage_scans": True,
+                "unlimited_visibility": True,
+            },
+        )
+        users = User.objects.using(MainRouter.admin_db).filter(
+            membership__tenant=tenant
+        )
+        for user in users:
+            UserRoleRelationship.objects.using(MainRouter.admin_db).get_or_create(
+                user=user,
+                role=admin_role,
+                tenant=tenant,
+            )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0004_rbac"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_admin_role),
+    ]

api/src/backend/api/migrations/0006_findings_first_seen.py

@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0005_rbac_missing_admin_roles"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="finding",
+            name="first_seen_at",
+            field=models.DateTimeField(editable=False, null=True),
+        ),
+    ]

api/src/backend/api/migrations/0007_scan_and_scan_summaries_indexes.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.1.5 on 2025-01-28 15:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0006_findings_first_seen"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="scan",
+            index=models.Index(
+                fields=["tenant_id", "provider_id", "state", "inserted_at"],
+                name="scans_prov_state_insert_idx",
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="scansummary",
+            index=models.Index(
+                fields=["tenant_id", "scan_id"], name="scan_summaries_tenant_scan_idx"
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0008_daily_scheduled_tasks_update.py

@@ -0,0 +1,64 @@
+import json
+from datetime import datetime, timedelta, timezone
+
+import django.db.models.deletion
+from django.db import migrations, models
+from django_celery_beat.models import PeriodicTask
+
+from api.db_utils import rls_transaction
+from api.models import Scan, StateChoices
+
+
+def migrate_daily_scheduled_scan_tasks(apps, schema_editor):
+    for daily_scheduled_scan_task in PeriodicTask.objects.filter(
+        task="scan-perform-scheduled"
+    ):
+        task_kwargs = json.loads(daily_scheduled_scan_task.kwargs)
+        tenant_id = task_kwargs["tenant_id"]
+        provider_id = task_kwargs["provider_id"]
+
+        current_time = datetime.now(timezone.utc)
+        scheduled_time_today = datetime.combine(
+            current_time.date(),
+            daily_scheduled_scan_task.start_time.time(),
+            tzinfo=timezone.utc,
+        )
+
+        if current_time < scheduled_time_today:
+            next_scan_date = scheduled_time_today
+        else:
+            next_scan_date = scheduled_time_today + timedelta(days=1)
+
+        with rls_transaction(tenant_id):
+            Scan.objects.create(
+                tenant_id=tenant_id,
+                name="Daily scheduled scan",
+                provider_id=provider_id,
+                trigger=Scan.TriggerChoices.SCHEDULED,
+                state=StateChoices.SCHEDULED,
+                scheduled_at=next_scan_date,
+                scheduler_task_id=daily_scheduled_scan_task.id,
+            )
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0007_scan_and_scan_summaries_indexes"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scan",
+            name="scheduler_task",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="django_celery_beat.periodictask",
+            ),
+        ),
+        migrations.RunPython(migrate_daily_scheduled_scan_tasks),
+    ]

api/src/backend/api/migrations/0009_increase_provider_uid_maximum_length.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.1.5 on 2025-02-07 09:42
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0008_daily_scheduled_tasks_update"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="uid",
+            field=models.CharField(
+                max_length=250,
+                validators=[django.core.validators.MinLengthValidator(3)],
+                verbose_name="Unique identifier for the provider, set by the provider",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0010_findings_performance_indexes_partitions.py

@@ -0,0 +1,109 @@
+from functools import partial
+
+from django.db import connection, migrations
+
+
+def create_index_on_partitions(
+    apps, schema_editor, parent_table: str, index_name: str, index_details: str
+):
+    with connection.cursor() as cursor:
+        cursor.execute(
+            """
+            SELECT inhrelid::regclass::text
+            FROM pg_inherits
+            WHERE inhparent = %s::regclass;
+        """,
+            [parent_table],
+        )
+        partitions = [row[0] for row in cursor.fetchall()]
+    # Iterate over partitions and create index concurrently.
+    # Note: PostgreSQL does not allow CONCURRENTLY inside a transaction,
+    # so we need atomic = False for this migration.
+    for partition in partitions:
+        sql = (
+            f"CREATE INDEX CONCURRENTLY IF NOT EXISTS {partition.replace('.', '_')}_{index_name} ON {partition} "
+            f"{index_details};"
+        )
+        schema_editor.execute(sql)
+
+
+def drop_index_on_partitions(apps, schema_editor, parent_table: str, index_name: str):
+    with schema_editor.connection.cursor() as cursor:
+        cursor.execute(
+            """
+            SELECT inhrelid::regclass::text
+            FROM pg_inherits
+            WHERE inhparent = %s::regclass;
+        """,
+            [parent_table],
+        )
+        partitions = [row[0] for row in cursor.fetchall()]
+
+    # Iterate over partitions and drop index concurrently.
+    for partition in partitions:
+        partition_index = f"{partition.replace('.', '_')}_{index_name}"
+        sql = f"DROP INDEX CONCURRENTLY IF EXISTS {partition_index};"
+        schema_editor.execute(sql)
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0009_increase_provider_uid_maximum_length"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="findings",
+                index_name="findings_tenant_and_id_idx",
+                index_details="(tenant_id, id)",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="findings",
+                index_name="findings_tenant_and_id_idx",
+            ),
+        ),
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_idx",
+                index_details="(tenant_id, scan_id)",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_idx",
+            ),
+        ),
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_id_idx",
+                index_details="(tenant_id, scan_id, id)",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_id_idx",
+            ),
+        ),
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="findings",
+                index_name="find_delta_new_idx",
+                index_details="(tenant_id, id) where delta = 'new'",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="findings",
+                index_name="find_delta_new_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0011_findings_performance_indexes_parent.py

@@ -0,0 +1,49 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0010_findings_performance_indexes_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="finding",
+            index=models.Index(
+                fields=["tenant_id", "id"], name="findings_tenant_and_id_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="finding",
+            index=models.Index(
+                fields=["tenant_id", "scan_id"], name="find_tenant_scan_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="finding",
+            index=models.Index(
+                fields=["tenant_id", "scan_id", "id"], name="find_tenant_scan_id_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="finding",
+            index=models.Index(
+                condition=models.Q(("delta", "new")),
+                fields=["tenant_id", "id"],
+                name="find_delta_new_idx",
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="resourcetagmapping",
+            index=models.Index(
+                fields=["tenant_id", "resource_id"], name="resource_tag_tenant_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="resource",
+            index=models.Index(
+                fields=["tenant_id", "service", "region", "type"],
+                name="resource_tenant_metadata_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0012_scan_report_output.py

@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0011_findings_performance_indexes_parent"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scan",
+            name="output_location",
+            field=models.CharField(blank=True, max_length=200, null=True),
+        ),
+    ]

api/src/backend/api/migrations/0013_integrations_enum.py

@@ -0,0 +1,35 @@
+# Generated by Django 5.1.5 on 2025-03-03 15:46
+
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import IntegrationTypeEnum, PostgresEnumMigration, register_enum
+from api.models import Integration
+
+IntegrationTypeEnumMigration = PostgresEnumMigration(
+    enum_name="integration_type",
+    enum_values=tuple(
+        integration_type[0]
+        for integration_type in Integration.IntegrationChoices.choices
+    ),
+)
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0012_scan_report_output"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            IntegrationTypeEnumMigration.create_enum_type,
+            reverse_code=IntegrationTypeEnumMigration.drop_enum_type,
+        ),
+        migrations.RunPython(
+            partial(register_enum, enum_class=IntegrationTypeEnum),
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]

api/src/backend/api/migrations/0014_integrations.py

@@ -0,0 +1,131 @@
+# Generated by Django 5.1.5 on 2025-03-03 15:46
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.db_utils
+import api.rls
+from api.rls import RowLevelSecurityConstraint
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0013_integrations_enum"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Integration",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("enabled", models.BooleanField(default=False)),
+                ("connected", models.BooleanField(blank=True, null=True)),
+                (
+                    "connection_last_checked_at",
+                    models.DateTimeField(blank=True, null=True),
+                ),
+                (
+                    "integration_type",
+                    api.db_utils.IntegrationTypeEnumField(
+                        choices=[
+                            ("amazon_s3", "Amazon S3"),
+                            ("saml", "SAML"),
+                            ("aws_security_hub", "AWS Security Hub"),
+                            ("jira", "JIRA"),
+                            ("slack", "Slack"),
+                        ]
+                    ),
+                ),
+                ("configuration", models.JSONField(default=dict)),
+                ("_credentials", models.BinaryField(db_column="credentials")),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={"db_table": "integrations", "abstract": False},
+        ),
+        migrations.AddConstraint(
+            model_name="integration",
+            constraint=RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_integration",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.CreateModel(
+            name="IntegrationProviderRelationship",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "integration",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="api.integration",
+                    ),
+                ),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.provider"
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "integration_provider_mappings",
+                "constraints": [
+                    models.UniqueConstraint(
+                        fields=("integration_id", "provider_id"),
+                        name="unique_integration_provider_rel",
+                    ),
+                ],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="IntegrationProviderRelationship",
+            constraint=RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_integrationproviderrelationship",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddField(
+            model_name="integration",
+            name="providers",
+            field=models.ManyToManyField(
+                blank=True,
+                related_name="integrations",
+                through="api.IntegrationProviderRelationship",
+                to="api.provider",
+            ),
+        ),
+    ]

api/src/backend/api/pagination.py

@@ -0,0 +1,6 @@
+from rest_framework_json_api.pagination import JsonApiPageNumberPagination
+
+
+class ComplianceOverviewPagination(JsonApiPageNumberPagination):
+    page_size = 50
+    max_page_size = 100

api/src/backend/api/partitions.py

@@ -0,0 +1,203 @@
+from datetime import datetime, timezone
+from typing import Generator, Optional
+
+from dateutil.relativedelta import relativedelta
+from django.conf import settings
+from psqlextra.partitioning import (
+    PostgresPartitioningManager,
+    PostgresRangePartition,
+    PostgresRangePartitioningStrategy,
+    PostgresTimePartitionSize,
+    PostgresPartitioningError,
+)
+from psqlextra.partitioning.config import PostgresPartitioningConfig
+from uuid6 import UUID
+
+from api.models import Finding, ResourceFindingMapping
+from api.rls import RowLevelSecurityConstraint
+from api.uuid_utils import datetime_to_uuid7
+
+
+class PostgresUUIDv7RangePartition(PostgresRangePartition):
+    def __init__(
+        self,
+        from_values: UUID,
+        to_values: UUID,
+        size: PostgresTimePartitionSize,
+        name_format: Optional[str] = None,
+        **kwargs,
+    ) -> None:
+        self.from_values = from_values
+        self.to_values = to_values
+        self.size = size
+        self.name_format = name_format
+
+        self.rls_statements = None
+        if "rls_statements" in kwargs:
+            self.rls_statements = kwargs["rls_statements"]
+
+        start_timestamp_ms = self.from_values.time
+
+        self.start_datetime = datetime.fromtimestamp(
+            start_timestamp_ms / 1000, timezone.utc
+        )
+
+    def name(self) -> str:
+        if not self.name_format:
+            raise PostgresPartitioningError("Unknown size/unit")
+
+        return self.start_datetime.strftime(self.name_format).lower()
+
+    def deconstruct(self) -> dict:
+        return {
+            **super().deconstruct(),
+            "size_unit": self.size.unit.value,
+            "size_value": self.size.value,
+        }
+
+    def create(
+        self,
+        model,
+        schema_editor,
+        comment,
+    ) -> None:
+        super().create(model, schema_editor, comment)
+
+        # if this model has RLS statements, add them to the partition
+        if isinstance(self.rls_statements, list):
+            schema_editor.add_constraint(
+                model,
+                constraint=RowLevelSecurityConstraint(
+                    "tenant_id",
+                    name=f"rls_on_{self.name()}",
+                    partition_name=self.name(),
+                    statements=self.rls_statements,
+                ),
+            )
+
+
+class PostgresUUIDv7PartitioningStrategy(PostgresRangePartitioningStrategy):
+    def __init__(
+        self,
+        size: PostgresTimePartitionSize,
+        count: int,
+        start_date: datetime = None,
+        max_age: Optional[relativedelta] = None,
+        name_format: Optional[str] = None,
+        **kwargs,
+    ) -> None:
+        self.start_date = start_date.replace(
+            day=1, hour=0, minute=0, second=0, microsecond=0
+        )
+        self.size = size
+        self.count = count
+        self.max_age = max_age
+        self.name_format = name_format
+
+        self.rls_statements = None
+        if "rls_statements" in kwargs:
+            self.rls_statements = kwargs["rls_statements"]
+
+    def to_create(self) -> Generator[PostgresUUIDv7RangePartition, None, None]:
+        current_datetime = (
+            self.start_date if self.start_date else self.get_start_datetime()
+        )
+
+        for _ in range(self.count):
+            end_datetime = (
+                current_datetime + self.size.as_delta() - relativedelta(microseconds=1)
+            )
+            start_uuid7 = datetime_to_uuid7(current_datetime)
+            end_uuid7 = datetime_to_uuid7(end_datetime)
+
+            yield PostgresUUIDv7RangePartition(
+                from_values=start_uuid7,
+                to_values=end_uuid7,
+                size=self.size,
+                name_format=self.name_format,
+                rls_statements=self.rls_statements,
+            )
+
+            current_datetime += self.size.as_delta()
+
+    def to_delete(self) -> Generator[PostgresUUIDv7RangePartition, None, None]:
+        if not self.max_age:
+            return
+
+        current_datetime = self.get_start_datetime() - self.max_age
+
+        while True:
+            end_datetime = current_datetime + self.size.as_delta()
+            start_uuid7 = datetime_to_uuid7(current_datetime)
+            end_uuid7 = datetime_to_uuid7(end_datetime)
+
+            # dropping table will delete indexes and policies
+            yield PostgresUUIDv7RangePartition(
+                from_values=start_uuid7,
+                to_values=end_uuid7,
+                size=self.size,
+                name_format=self.name_format,
+            )
+
+            current_datetime -= self.size.as_delta()
+
+    def get_start_datetime(self) -> datetime:
+        """
+        Gets the start of the current month in UTC timezone.
+
+        This function returns a `datetime` object set to the first day of the current
+        month, at midnight (00:00:00), in UTC.
+
+        Returns:
+            datetime: A `datetime` object representing the start of the current month in UTC.
+        """
+        return datetime.now(timezone.utc).replace(
+            day=1, hour=0, minute=0, second=0, microsecond=0
+        )
+
+
+def relative_days_or_none(value):
+    if value is None:
+        return None
+    return relativedelta(days=value)
+
+
+#
+# To manage the partitions, run `python manage.py pgpartition --using admin`
+#
+# For more info on the partitioning manager, see https://github.com/SectorLabs/django-postgres-extra
+manager = PostgresPartitioningManager(
+    [
+        PostgresPartitioningConfig(
+            model=Finding,
+            strategy=PostgresUUIDv7PartitioningStrategy(
+                start_date=datetime.now(timezone.utc),
+                size=PostgresTimePartitionSize(
+                    months=settings.FINDINGS_TABLE_PARTITION_MONTHS
+                ),
+                count=settings.FINDINGS_TABLE_PARTITION_COUNT,
+                max_age=relative_days_or_none(
+                    settings.FINDINGS_TABLE_PARTITION_MAX_AGE_MONTHS
+                ),
+                name_format="%Y_%b",
+                rls_statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        # ResourceFindingMapping should always follow the Finding partitioning
+        PostgresPartitioningConfig(
+            model=ResourceFindingMapping,
+            strategy=PostgresUUIDv7PartitioningStrategy(
+                start_date=datetime.now(timezone.utc),
+                size=PostgresTimePartitionSize(
+                    months=settings.FINDINGS_TABLE_PARTITION_MONTHS
+                ),
+                count=settings.FINDINGS_TABLE_PARTITION_COUNT,
+                max_age=relative_days_or_none(
+                    settings.FINDINGS_TABLE_PARTITION_MAX_AGE_MONTHS
+                ),
+                name_format="%Y_%b",
+                rls_statements=["SELECT"],
+            ),
+        ),
+    ]
+)

api/src/backend/api/rbac/permissions.py

@@ -0,0 +1,75 @@
+from enum import Enum
+from typing import Optional
+
+from django.db.models import QuerySet
+from rest_framework.permissions import BasePermission
+
+from api.db_router import MainRouter
+from api.models import Provider, Role, User
+
+
+class Permissions(Enum):
+    MANAGE_USERS = "manage_users"
+    MANAGE_ACCOUNT = "manage_account"
+    MANAGE_BILLING = "manage_billing"
+    MANAGE_PROVIDERS = "manage_providers"
+    MANAGE_INTEGRATIONS = "manage_integrations"
+    MANAGE_SCANS = "manage_scans"
+    UNLIMITED_VISIBILITY = "unlimited_visibility"
+
+
+class HasPermissions(BasePermission):
+    """
+    Custom permission to check if the user's role has the required permissions.
+    The required permissions should be specified in the view as a list in `required_permissions`.
+    """
+
+    def has_permission(self, request, view):
+        required_permissions = getattr(view, "required_permissions", [])
+        if not required_permissions:
+            return True
+
+        user_roles = (
+            User.objects.using(MainRouter.admin_db).get(id=request.user.id).roles.all()
+        )
+        if not user_roles:
+            return False
+
+        for perm in required_permissions:
+            if not getattr(user_roles[0], perm.value, False):
+                return False
+
+        return True
+
+
+def get_role(user: User) -> Optional[Role]:
+    """
+    Retrieve the first role assigned to the given user.
+
+    Returns:
+        The user's first Role instance if the user has any roles, otherwise None.
+    """
+    return user.roles.first()
+
+
+def get_providers(role: Role) -> QuerySet[Provider]:
+    """
+    Return a distinct queryset of Providers accessible by the given role.
+
+    If the role has no associated provider groups, an empty queryset is returned.
+
+    Args:
+        role: A Role instance.
+
+    Returns:
+        A QuerySet of Provider objects filtered by the role's provider groups.
+        If the role has no provider groups, returns an empty queryset.
+    """
+    tenant = role.tenant
+    provider_groups = role.provider_groups.all()
+    if not provider_groups.exists():
+        return Provider.objects.none()
+
+    return Provider.objects.filter(
+        tenant=tenant, provider_groups__in=provider_groups
+    ).distinct()

api/src/backend/api/renderers.py

@@ -0,0 +1,23 @@
+from contextlib import nullcontext
+
+from rest_framework_json_api.renderers import JSONRenderer
+
+from api.db_utils import rls_transaction
+
+
+class APIJSONRenderer(JSONRenderer):
+    """JSONRenderer override to apply tenant RLS when there are included resources in the request."""
+
+    def render(self, data, accepted_media_type=None, renderer_context=None):
+        request = renderer_context.get("request")
+        tenant_id = getattr(request, "tenant_id", None) if request else None
+        include_param_present = "include" in request.query_params if request else False
+
+        # Use rls_transaction if needed for included resources, otherwise do nothing
+        context_manager = (
+            rls_transaction(tenant_id)
+            if tenant_id and include_param_present
+            else nullcontext()
+        )
+        with context_manager:
+            return super().render(data, accepted_media_type, renderer_context)

api/src/backend/api/rls.py

@@ -0,0 +1,189 @@
+from typing import Any
+from uuid import uuid4
+
+from django.core.exceptions import ValidationError
+from django.db import DEFAULT_DB_ALIAS, models
+from django.db.backends.ddl_references import Statement, Table
+
+from api.db_utils import DB_USER, POSTGRES_TENANT_VAR
+
+
+class Tenant(models.Model):
+    """
+    The Tenant is the basic grouping in the system. It is used to separate data between customers.
+    """
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+    name = models.CharField(max_length=100)
+
+    class Meta:
+        db_table = "tenants"
+
+    class JSONAPIMeta:
+        resource_name = "tenants"
+
+
+class RowLevelSecurityConstraint(models.BaseConstraint):
+    """
+    Model constraint to enforce row-level security on a tenant based model, in addition to the least privileges.
+
+    The constraint can be applied to a partitioned table by specifying the `partition_name` keyword argument.
+    """
+
+    rls_sql_query = """
+        ALTER TABLE %(table_name)s ENABLE ROW LEVEL SECURITY;
+        ALTER TABLE %(table_name)s FORCE ROW LEVEL SECURITY;
+    """
+
+    policy_sql_query = """
+        CREATE POLICY %(db_user)s_%(table_name)s_{statement}
+        ON %(table_name)s
+        FOR {statement}
+        TO %(db_user)s
+        {clause} (
+            CASE
+                WHEN current_setting('%(tenant_setting)s', True) IS NULL THEN FALSE
+                ELSE %(field_column)s = current_setting('%(tenant_setting)s')::uuid
+            END
+        );
+    """
+
+    grant_sql_query = """
+        GRANT {statement} ON %(table_name)s TO %(db_user)s;
+    """
+
+    drop_sql_query = """
+        ALTER TABLE %(table_name)s NO FORCE ROW LEVEL SECURITY;
+        ALTER TABLE %(table_name)s DISABLE ROW LEVEL SECURITY;
+        REVOKE ALL ON TABLE %(table_name)s FROM %(db_user)s;
+    """
+
+    drop_policy_sql_query = """
+        DROP POLICY IF EXISTS %(db_user)s_%(raw_table_name)s_{statement} ON %(table_name)s;
+    """
+
+    def __init__(
+        self, field: str, name: str, statements: list | None = None, **kwargs
+    ) -> None:
+        super().__init__(name=name)
+        self.target_field: str = field
+        self.statements = statements or ["SELECT"]
+        self.partition_name = None
+        if "partition_name" in kwargs:
+            self.partition_name = kwargs["partition_name"]
+
+    def create_sql(self, model: Any, schema_editor: Any) -> Any:
+        field_column = schema_editor.quote_name(self.target_field)
+
+        policy_queries = ""
+        grant_queries = ""
+        for statement in self.statements:
+            clause = f"{'WITH CHECK' if statement == 'INSERT' else 'USING'}"
+            policy_queries = f"{policy_queries}{self.policy_sql_query.format(statement=statement, clause=clause)}"
+            grant_queries = (
+                f"{grant_queries}{self.grant_sql_query.format(statement=statement)}"
+            )
+
+        full_create_sql_query = f"{self.rls_sql_query}{policy_queries}{grant_queries}"
+
+        table_name = model._meta.db_table
+        if self.partition_name:
+            table_name = f"{table_name}_{self.partition_name}"
+
+        return Statement(
+            full_create_sql_query,
+            table_name=table_name,
+            field_column=field_column,
+            db_user=DB_USER,
+            tenant_setting=POSTGRES_TENANT_VAR,
+            partition_name=self.partition_name,
+        )
+
+    def remove_sql(self, model: Any, schema_editor: Any) -> Any:
+        field_column = schema_editor.quote_name(self.target_field)
+        raw_table_name = model._meta.db_table
+        table_name = raw_table_name
+        if self.partition_name:
+            raw_table_name = f"{raw_table_name}_{self.partition_name}"
+            table_name = raw_table_name
+
+        full_drop_sql_query = (
+            f"{self.drop_sql_query}"
+            f"{''.join([self.drop_policy_sql_query.format(statement=statement) for statement in self.statements])}"
+        )
+        return Statement(
+            full_drop_sql_query,
+            table_name=Table(table_name, schema_editor.quote_name),
+            raw_table_name=raw_table_name,
+            field_column=field_column,
+            db_user=DB_USER,
+            partition_name=self.partition_name,
+        )
+
+    def __eq__(self, other: object) -> bool:
+        if isinstance(other, RowLevelSecurityConstraint):
+            return self.name == other.name and self.target_field == other.target_field
+        return super().__eq__(other)
+
+    def deconstruct(self) -> tuple[str, tuple, dict]:
+        path, _, kwargs = super().deconstruct()
+        return (path, (self.target_field,), kwargs)
+
+    def validate(self, model, instance, exclude=None, using=DEFAULT_DB_ALIAS):  # noqa: F841
+        if not hasattr(instance, "tenant_id"):
+            raise ValidationError(f"{model.__name__} does not have a tenant_id field.")
+
+
+class BaseSecurityConstraint(models.BaseConstraint):
+    """Model constraint to grant the least privileges to the API database user."""
+
+    grant_sql_query = """
+        GRANT {statement} ON %(table_name)s TO %(db_user)s;
+    """
+
+    drop_sql_query = """
+        REVOKE ALL ON TABLE %(table_name) TO %(db_user)s;
+    """
+
+    def __init__(self, name: str, statements: list | None = None) -> None:
+        super().__init__(name=name)
+        self.statements = statements or ["SELECT"]
+
+    def create_sql(self, model: Any, schema_editor: Any) -> Any:
+        grant_queries = ""
+        for statement in self.statements:
+            grant_queries = (
+                f"{grant_queries}{self.grant_sql_query.format(statement=statement)}"
+            )
+
+        return Statement(
+            grant_queries,
+            table_name=model._meta.db_table,
+            db_user=DB_USER,
+        )
+
+    def remove_sql(self, model: Any, schema_editor: Any) -> Any:
+        return Statement(
+            self.drop_sql_query,
+            table_name=Table(model._meta.db_table, schema_editor.quote_name),
+            db_user=DB_USER,
+        )
+
+    def __eq__(self, other: object) -> bool:
+        if isinstance(other, BaseSecurityConstraint):
+            return self.name == other.name
+        return super().__eq__(other)
+
+    def deconstruct(self) -> tuple[str, tuple, dict]:
+        path, args, kwargs = super().deconstruct()
+        return path, args, kwargs
+
+
+class RowLevelSecurityProtectedModel(models.Model):
+    tenant = models.ForeignKey("Tenant", on_delete=models.CASCADE)
+
+    class Meta:
+        abstract = True

api/src/backend/api/signals.py

@@ -0,0 +1,35 @@
+from celery import states
+from celery.signals import before_task_publish
+from django.db.models.signals import post_delete
+from django.dispatch import receiver
+from django_celery_beat.models import PeriodicTask
+from django_celery_results.backends.database import DatabaseBackend
+
+from api.models import Provider
+from config.celery import celery_app
+
+
+def create_task_result_on_publish(sender=None, headers=None, **kwargs):  # noqa: F841
+    """Celery signal to store TaskResult entries when tasks reach the broker."""
+    db_result_backend = DatabaseBackend(celery_app)
+    request = type("request", (object,), headers)
+
+    db_result_backend.store_result(
+        headers["id"],
+        None,
+        states.PENDING,
+        traceback=None,
+        request=request,
+    )
+
+
+before_task_publish.connect(
+    create_task_result_on_publish, dispatch_uid="create_task_result_on_publish"
+)
+
+
+@receiver(post_delete, sender=Provider)
+def delete_provider_scan_task(sender, instance, **kwargs):  # noqa: F841
+    # Delete the associated periodic task when the provider is deleted
+    task_name = f"scan-perform-scheduled-{instance.id}"
+    PeriodicTask.objects.filter(name=task_name).delete()

api/src/backend/api/tests/integration/test_authentication.py

@@ -0,0 +1,300 @@
+import pytest
+from conftest import TEST_PASSWORD, get_api_tokens, get_authorization_header
+from django.urls import reverse
+from rest_framework.test import APIClient
+
+from api.models import Membership, User
+
+
+@pytest.mark.django_db
+def test_basic_authentication():
+    client = APIClient()
+
+    test_user = "test_email@prowler.com"
+    test_password = "test_password"
+
+    # Check that a 401 is returned when no basic authentication is provided
+    no_auth_response = client.get(reverse("provider-list"))
+    assert no_auth_response.status_code == 401
+
+    # Check that we can create a new user without any kind of authentication
+    user_creation_response = client.post(
+        reverse("user-list"),
+        data={
+            "data": {
+                "type": "users",
+                "attributes": {
+                    "name": "test",
+                    "email": test_user,
+                    "password": test_password,
+                },
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert user_creation_response.status_code == 201
+
+    # Check that using our new user's credentials we can authenticate and get the providers
+    access_token, _ = get_api_tokens(client, test_user, test_password)
+    auth_headers = get_authorization_header(access_token)
+
+    auth_response = client.get(
+        reverse("provider-list"),
+        headers=auth_headers,
+    )
+    assert auth_response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_refresh_token(create_test_user, tenants_fixture):
+    client = APIClient()
+
+    # Assert that we can obtain a new access token using the refresh one
+    access_token, refresh_token = get_api_tokens(
+        client, create_test_user.email, TEST_PASSWORD
+    )
+    valid_refresh_response = client.post(
+        reverse("token-refresh"),
+        data={
+            "data": {
+                "type": "tokens-refresh",
+                "attributes": {"refresh": refresh_token},
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert valid_refresh_response.status_code == 200
+    assert (
+        valid_refresh_response.json()["data"]["attributes"]["refresh"] != refresh_token
+    )
+
+    # Assert the former refresh token gets invalidated
+    invalid_refresh_response = client.post(
+        reverse("token-refresh"),
+        data={
+            "data": {
+                "type": "tokens-refresh",
+                "attributes": {"refresh": refresh_token},
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert invalid_refresh_response.status_code == 400
+
+    # Assert that the new refresh token could be used
+    new_refresh_response = client.post(
+        reverse("token-refresh"),
+        data={
+            "data": {
+                "type": "tokens-refresh",
+                "attributes": {
+                    "refresh": valid_refresh_response.json()["data"]["attributes"][
+                        "refresh"
+                    ]
+                },
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert new_refresh_response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_user_me_when_inviting_users(create_test_user, tenants_fixture, roles_fixture):
+    client = APIClient()
+
+    role = roles_fixture[0]
+
+    user1_email = "user1@testing.com"
+    user2_email = "user2@testing.com"
+
+    password = "thisisapassword123"
+
+    user1_response = client.post(
+        reverse("user-list"),
+        data={
+            "data": {
+                "type": "users",
+                "attributes": {
+                    "name": "user1",
+                    "email": user1_email,
+                    "password": password,
+                },
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert user1_response.status_code == 201
+
+    user1_access_token, _ = get_api_tokens(client, user1_email, password)
+    user1_headers = get_authorization_header(user1_access_token)
+
+    user2_invitation = client.post(
+        reverse("invitation-list"),
+        data={
+            "data": {
+                "type": "invitations",
+                "attributes": {"email": user2_email},
+                "relationships": {
+                    "roles": {
+                        "data": [
+                            {
+                                "type": "roles",
+                                "id": str(role.id),
+                            }
+                        ]
+                    }
+                },
+            }
+        },
+        format="vnd.api+json",
+        headers=user1_headers,
+    )
+    assert user2_invitation.status_code == 201
+    invitation_token = user2_invitation.json()["data"]["attributes"]["token"]
+
+    user2_response = client.post(
+        reverse("user-list") + f"?invitation_token={invitation_token}",
+        data={
+            "data": {
+                "type": "users",
+                "attributes": {
+                    "name": "user2",
+                    "email": user2_email,
+                    "password": password,
+                },
+            }
+        },
+        format="vnd.api+json",
+    )
+    assert user2_response.status_code == 201
+
+    user2_access_token, _ = get_api_tokens(client, user2_email, password)
+    user2_headers = get_authorization_header(user2_access_token)
+
+    user1_me = client.get(reverse("user-me"), headers=user1_headers)
+    assert user1_me.status_code == 200
+    assert user1_me.json()["data"]["attributes"]["email"] == user1_email
+
+    user2_me = client.get(reverse("user-me"), headers=user2_headers)
+    assert user2_me.status_code == 200
+    assert user2_me.json()["data"]["attributes"]["email"] == user2_email
+
+
+@pytest.mark.django_db
+class TestTokenSwitchTenant:
+    def test_switch_tenant_with_valid_token(self, tenants_fixture, providers_fixture):
+        client = APIClient()
+
+        test_user = "test_email@prowler.com"
+        test_password = "test_password"
+
+        # Check that we can create a new user without any kind of authentication
+        user_creation_response = client.post(
+            reverse("user-list"),
+            data={
+                "data": {
+                    "type": "users",
+                    "attributes": {
+                        "name": "test",
+                        "email": test_user,
+                        "password": test_password,
+                    },
+                }
+            },
+            format="vnd.api+json",
+        )
+        assert user_creation_response.status_code == 201
+
+        # Create a new relationship between this user and another tenant
+        tenant_id = tenants_fixture[0].id
+        user_instance = User.objects.get(email=test_user)
+        Membership.objects.create(user=user_instance, tenant_id=tenant_id)
+
+        # Check that using our new user's credentials we can authenticate and get the providers
+        access_token, _ = get_api_tokens(client, test_user, test_password)
+        auth_headers = get_authorization_header(access_token)
+
+        user_me_response = client.get(
+            reverse("user-me"),
+            headers=auth_headers,
+        )
+        assert user_me_response.status_code == 200
+        # Assert this user belongs to two tenants
+        assert (
+            user_me_response.json()["data"]["relationships"]["memberships"]["meta"][
+                "count"
+            ]
+            == 2
+        )
+
+        provider_response = client.get(
+            reverse("provider-list"),
+            headers=auth_headers,
+        )
+        assert provider_response.status_code == 200
+        # Empty response since there are no providers in this tenant
+        assert not provider_response.json()["data"]
+
+        switch_tenant_response = client.post(
+            reverse("token-switch"),
+            data={
+                "data": {
+                    "type": "tokens-switch-tenant",
+                    "attributes": {"tenant_id": tenant_id},
+                }
+            },
+            headers=auth_headers,
+        )
+        assert switch_tenant_response.status_code == 200
+        new_access_token = switch_tenant_response.json()["data"]["attributes"]["access"]
+        new_auth_headers = get_authorization_header(new_access_token)
+
+        provider_response = client.get(
+            reverse("provider-list"),
+            headers=new_auth_headers,
+        )
+        assert provider_response.status_code == 200
+        # Now it must be data because we switched to another tenant with providers
+        assert provider_response.json()["data"]
+
+    def test_switch_tenant_with_invalid_token(self, create_test_user, tenants_fixture):
+        client = APIClient()
+
+        access_token, refresh_token = get_api_tokens(
+            client, create_test_user.email, TEST_PASSWORD
+        )
+        auth_headers = get_authorization_header(access_token)
+
+        invalid_token_response = client.post(
+            reverse("token-switch"),
+            data={
+                "data": {
+                    "type": "tokens-switch-tenant",
+                    "attributes": {"tenant_id": "invalid_tenant_id"},
+                }
+            },
+            headers=auth_headers,
+        )
+        assert invalid_token_response.status_code == 400
+        assert invalid_token_response.json()["errors"][0]["code"] == "invalid"
+        assert (
+            invalid_token_response.json()["errors"][0]["detail"]
+            == "Must be a valid UUID."
+        )
+
+        invalid_tenant_response = client.post(
+            reverse("token-switch"),
+            data={
+                "data": {
+                    "type": "tokens-switch-tenant",
+                    "attributes": {"tenant_id": tenants_fixture[-1].id},
+                }
+            },
+            headers=auth_headers,
+        )
+        assert invalid_tenant_response.status_code == 400
+        assert invalid_tenant_response.json()["errors"][0]["code"] == "invalid"
+        assert invalid_tenant_response.json()["errors"][0]["detail"] == (
+            "Tenant does not exist or user is not a " "member."
+        )