Merge branch 'master' into prowler-inventory

feat(elasticbeanstalk): Add new service ElasticBeanstalk (#5322 )
Co-authored-by: Sergio <sergio@prowler.com>
2026-05-09 00:47:04 +00:00 · 2024-10-09 17:09:19 +02:00 · 2024-10-09 09:29:19 -04:00 · 2024-10-09 08:56:39 -04:00 · 2024-10-09 11:46:38 +02:00 · 2024-10-09 11:12:39 +02:00
3748 changed files with 302784 additions and 32019 deletions
@@ -0,0 +1,14 @@
+{
+  "repoOwner": "prowler-cloud",
+  "repoName": "prowler",
+  "targetPRLabels": [
+    "backport"
+  ],
+  "sourcePRLabels": [
+    "was-backported"
+  ],
+  "copySourcePRLabels": false,
+  "copySourcePRReviewers": true,
+  "prTitle": "{{sourcePullRequest.title}}",
+  "commitConflicts": true
+}
@@ -1 +1,5 @@
-* @prowler-cloud/prowler-team
+* @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+
+# To protect a repository fully against unauthorized changes, you also need to define an owner for the CODEOWNERS file itself.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
+/.github/ @prowler-cloud/sdk
@@ -1,52 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-title: "[Bug]: "
-labels: bug, status/needs-triage
-assignees: ''
-
---
-
-<!--
-Please use this template to create your bug report. By providing as much info as possible you help us understand the issue, reproduce it and resolve it for you quicker. Therefore, take a couple of extra minutes to make sure you have provided all info needed.
-
-PROTIP: record your screen and attach it as a gif to showcase the issue.
-
- How to record and attach gif: https://bit.ly/2Mi8T6K
-->
-
-**What happened?**
-A clear and concise description of what the bug is or what is not working as expected
-
-
-**How to reproduce it**
-Steps to reproduce the behavior:
-1. What command are you running?
-2. Cloud provider you are launching
-3. Environment you have like single account, multi-account, organizations, multi or single subsctiption, etc.
-4. See error
-
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-
-**Screenshots or Logs**
-If applicable, add screenshots to help explain your problem.
-Also, you can add logs (anonymize them first!). Here a command that may help to share a log
-`prowler <your arguments> --log-level DEBUG --log-file $(date +%F)_debug.log` then attach here the log file.
-
-
-**From where are you running Prowler?**
-Please, complete the following information:
- - Resource: (e.g. EC2 instance, Fargate task, Docker container manually, EKS, Cloud9, CodeBuild, workstation, etc.)
- - OS: [e.g. Amazon Linux 2, Mac, Alpine, Windows, etc. ]
- - Prowler Version [`./prowler --version`]:
- - Python version [`python --version`]:
- - Pip version [`pip --version`]:
- - Installation method (Are you running it from pip package or cloning the github repo?):
- - Others:
-
-
-**Additional context**
-Add any other context about the problem here.
@@ -0,0 +1,96 @@
+name: 🐞 Bug Report
+description: Create a report to help us improve
+labels: ["bug", "status/needs-triage"]
+
+body:
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |-
+        1. What command are you running?
+        2. Cloud provider you are launching
+        3. Environment you have, like single account, multi-account, organizations, multi or single subscription, etc.
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Result with Screenshots or Logs
+      description: If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here a command that may help to share a log `prowler <your arguments> --log-level ERROR --log-file $(date +%F)_error.log` then attach here the log file.
+    validations:
+      required: true
+  - type: dropdown
+    id: type
+    attributes:
+      label: How did you install Prowler?
+      options:
+        - Cloning the repository from github.com (git clone)
+        - From pip package (pip install prowler)
+        - From brew (brew install prowler)
+        - Docker (docker pull toniblyx/prowler)
+    validations:
+      required: true
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment Resource
+      description: From where are you running Prowler?
+      placeholder: |-
+        1. EC2 instance
+        2. Fargate task
+        3. Docker container locally
+        4. EKS
+        5. Cloud9
+        6. CodeBuild
+        7. Workstation
+        8. Other(please specify)
+    validations:
+      required: true
+  - type: textarea
+    id: os
+    attributes:
+      label: OS used
+      description: Which OS are you using?
+      placeholder: |-
+        1. Amazon Linux 2
+        2. MacOS
+        3. Alpine Linux
+        4. Windows
+        5. Other(please specify)
+    validations:
+      required: true
+  - type: input
+    id: prowler-version
+    attributes:
+      label: Prowler version
+      description: Which Prowler version are you using?
+      placeholder: |-
+        prowler --version
+    validations:
+      required: true
+  - type: input
+    id: pip-version
+    attributes:
+      label: Pip version
+      description: Which pip version are you using?
+      placeholder: |-
+        pip --version
+    validations:
+      required: true
+  - type: textarea
+    id: additional
+    attributes:
+      description: Additional context
+      label: Context
+    validations:
+      required: false
@@ -0,0 +1,35 @@
+name: 💡 Feature Request
+description: Suggest an idea for this project
+labels: ["feature-request", "status/needs-triage"]
+
+body:
+  - type: textarea
+    id: Problem
+    attributes:
+      label: New feature motivation
+      description: Is your feature request related to a problem? Please describe
+      placeholder: |-
+        1. A clear and concise description of what the problem is. Ex. I'm always frustrated when
+    validations:
+      required: true
+  - type: textarea
+    id: Solution
+    attributes:
+      label: Solution Proposed
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: Alternatives
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: true
+  - type: textarea
+    id: Context
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false
@@ -1,20 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement, status/needs-triage
-assignees: ''
-
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
@@ -5,11 +5,38 @@

 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "pip"
+    directory: "/"
    schedule:
      interval: "daily"
+    open-pull-requests-limit: 10
    target-branch: master
    labels:
      - "dependencies"
      - "pip"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: v3
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v3"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: v3
+    labels:
+      - "github_actions"
+      - "v3"
@@ -0,0 +1,81 @@
+documentation:
+  - changed-files:
+      - any-glob-to-any-file: "docs/**"
+
+provider/aws:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/**"
+      - any-glob-to-any-file: "tests/providers/aws/**"
+
+provider/azure:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/azure/**"
+      - any-glob-to-any-file: "tests/providers/azure/**"
+
+provider/gcp:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/gcp/**"
+      - any-glob-to-any-file: "tests/providers/gcp/**"
+
+provider/kubernetes:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/**"
+
+github_actions:
+  - changed-files:
+      - any-glob-to-any-file: ".github/workflows/*"
+
+cli:
+  - changed-files:
+      - any-glob-to-any-file: "cli/**"
+
+mutelist:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/aws/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/azure/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/gcp/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/kubernetes/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/azure/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
+
+integration/s3:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/lib/s3/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/s3/**"
+
+integration/slack:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/slack/**"
+      - any-glob-to-any-file: "tests/lib/outputs/slack/**"
+
+integration/security-hub:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/lib/security_hub/**"
+      - any-glob-to-any-file: "tests/providers/aws/lib/security_hub/**"
+      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
+      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
+
+output/html:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/html/**"
+      - any-glob-to-any-file: "tests/lib/outputs/html/**"
+
+output/asff:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
+      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
+
+output/ocsf:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/ocsf/**"
+      - any-glob-to-any-file: "tests/lib/outputs/ocsf/**"
+
+output/csv:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/csv/**"
+      - any-glob-to-any-file: "tests/lib/outputs/csv/**"
@@ -2,11 +2,19 @@

 Please include relevant motivation and context for this PR.

+If fixes an issue please add it with `Fix #XXXX`

 ### Description

 Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.

+### Checklist
+
+- Are there new checks included in this PR? Yes / No
+    - If so, do we need to update permissions for the provider? Please review this carefully.
+- [ ] Review if the code is being covered by tests.
+- [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
+- [ ] Review if backport is needed.

 ### License

@@ -0,0 +1,42 @@
+name: Automatic Backport
+
+on:
+  pull_request_target:
+    branches: ['master']
+    types: ['labeled', 'closed']
+
+jobs:
+  backport:
+    name: Backport PR
+    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport'))
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    steps:
+      # Workaround not to fail the workflow if the PR does not need a backport
+      # https://github.com/sorenlouv/backport-github-action/issues/127#issuecomment-2258561266
+      - name: Check for backport labels
+        id: check_labels
+        run: |-
+          labels='${{ toJSON(github.event.pull_request.labels.*.name) }}'
+          echo "$labels"
+          matched=$(echo "${labels}" | jq '. | map(select(startswith("backport-to-"))) | length')
+          echo "matched=$matched"
+          echo "matched=$matched" >> $GITHUB_OUTPUT
+
+      - name: Backport Action
+        if: fromJSON(steps.check_labels.outputs.matched) > 0
+        uses: sorenlouv/backport-github-action@v9.5.1
+        with:
+          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          auto_backport_label_prefix: backport-to-
+
+      - name: Info log
+        if: ${{ success() && fromJSON(steps.check_labels.outputs.matched) > 0 }}
+        run: cat ~/.backport/backport.info.log
+
+      - name: Debug log
+        if: ${{ failure() && fromJSON(steps.check_labels.outputs.matched) > 0 }}
+        run: cat ~/.backport/backport.debug.log
@@ -0,0 +1,24 @@
+name: Pull Request Documentation Link
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'v3'
+    paths:
+      - 'docs/**'
+
+env:
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+  documentation-link:
+    name: Documentation Link
+    runs-on: ubuntu-latest
+    steps:
+      - name: Leave PR comment with the Prowler Documentation URI
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          body: |
+            You can check the documentation for this PR here -> [Prowler Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)
@@ -3,190 +3,165 @@ name: build-lint-push-containers
 on:
  push:
    branches:
+      - "v3"
      - "master"
    paths-ignore:
      - ".github/**"
      - "README.md"
+      - "docs/**"

  release:
-    types: [published, edited]
+    types: [published]

 env:
+  # AWS Configuration
  AWS_REGION_STG: eu-west-1
  AWS_REGION_PLATFORM: eu-west-1
-  AWS_REGION_PRO: us-east-1
+  AWS_REGION: us-east-1
+
+  # Container's configuration
  IMAGE_NAME: prowler
-  LATEST_TAG: latest
-  STABLE_TAG: stable
-  TEMPORARY_TAG: temporary
  DOCKERFILE_PATH: ./Dockerfile

-jobs:
-  # Lint Dockerfile using Hadolint
-  # dockerfile-linter:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     -
-  #       name: Checkout
-  #       uses: actions/checkout@v3
-  #     -
-  #       name: Install Hadolint
-  #       run: |
-  #         VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
-  #           grep '"tag_name":' | \
-  #           sed -E 's/.*"v([^"]+)".*/\1/' \
-  #           ) && curl -L -o /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 \
-  #           && chmod +x /tmp/hadolint
-  #     -
-  #       name: Run Hadolint
-  #       run: |
-  #         /tmp/hadolint util/Dockerfile
+  # Tags
+  LATEST_TAG: latest
+  STABLE_TAG: stable
+  # The RELEASE_TAG is set during runtime in releases
+  RELEASE_TAG: ""
+  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
+  PROWLER_VERSION: ""
+  PROWLER_VERSION_MAJOR: ""
+  # TEMPORARY_TAG: temporary

+  # Python configuration
+  PYTHON_VERSION: 3.12
+
+jobs:
  # Build Prowler OSS container
-  container-build:
+  container-build-push:
    # needs: dockerfile-linter
    runs-on: ubuntu-latest
+    outputs:
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Build
-        uses: docker/build-push-action@v2
-        with:
-          # Without pushing to registries
-          push: false
-          tags: ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
-          file: ${{ env.DOCKERFILE_PATH }}
-          outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar
-      - name: Share image between jobs
-        uses: actions/upload-artifact@v2
-        with:
-          name: ${{ env.IMAGE_NAME }}.tar
-          path: /tmp/${{ env.IMAGE_NAME }}.tar
+        uses: actions/checkout@v4

-  # Lint Prowler OSS container using Dockle
-  # container-linter:
-  #   needs: container-build
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     -
-  #       name: Get container image from shared
-  #       uses: actions/download-artifact@v2
-  #       with:
-  #         name: ${{ env.IMAGE_NAME }}.tar
-  #         path: /tmp
-  #     -
-  #       name: Load Docker image
-  #       run: |
-  #         docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
-  #         docker image ls -a
-  #     -
-  #       name: Install Dockle
-  #       run: |
-  #         VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
-  #           grep '"tag_name":' | \
-  #           sed -E 's/.*"v([^"]+)".*/\1/' \
-  #           ) && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
-  #           && sudo dpkg -i dockle.deb && rm dockle.deb
-  #     -
-  #       name: Run Dockle
-  #       run: dockle ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
-
-  # Push Prowler OSS container to registries
-  container-push:
-    # needs: container-linter
-    needs: container-build
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read # This is required for actions/checkout
-    steps:
-      - name: Get container image from shared
-        uses: actions/download-artifact@v2
+      - name: Setup Python
+        uses: actions/setup-python@v5
        with:
-          name: ${{ env.IMAGE_NAME }}.tar
-          path: /tmp
-      - name: Load Docker image
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry
        run: |
-          docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
-          docker image ls -a
+          pipx install poetry
+          pipx inject poetry poetry-bumpversion
+
+      - name: Get Prowler version
+        id: get-prowler-version
+        run: |
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+
+          # Store prowler version major just for the release
+          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+
+          case ${PROWLER_VERSION_MAJOR} in
+          3)
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              ;;
+
+          4)
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              ;;
+
+          *)
+              # Fallback if any other version is present
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
      - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Login to Public ECR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
        env:
-          AWS_REGION: ${{ env.AWS_REGION_PRO }}
-      - name: Configure AWS Credentials -- STG
-        if: github.event_name == 'push'
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: ${{ env.AWS_REGION_STG }}
-          role-to-assume: ${{ secrets.STG_IAM_ROLE_ARN }}
-          role-session-name: build-lint-containers-stg
-      - name: Login to ECR -- STG
-        if: github.event_name == 'push'
-        uses: docker/login-action@v2
-        with:
-          registry: ${{ secrets.STG_ECR }}
-      - name: Configure AWS Credentials -- PLATFORM
-        if: github.event_name == 'release'
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: ${{ env.AWS_REGION_PLATFORM }}
-          role-to-assume: ${{ secrets.STG_IAM_ROLE_ARN }}
-          role-session-name: build-lint-containers-pro
-      - name: Login to ECR -- PLATFORM
-        if: github.event_name == 'release'
-        uses: docker/login-action@v2
-        with:
-          registry: ${{ secrets.PLATFORM_ECR }}
-      - # Push to master branch - push "latest" tag
-        name: Tag (latest)
-        if: github.event_name == 'push'
-        run: |
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-      - # Push to master branch - push "latest" tag
-        name: Push (latest)
-        if: github.event_name == 'push'
-        run: |
-          docker push ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
-          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-      - # Tag the new release (stable and release tag)
-        name: Tag (release)
-        if: github.event_name == 'release'
-        run: |
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          AWS_REGION: ${{ env.AWS_REGION }}

-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ env.STABLE_TAG }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3

-      - # Push the new release (stable and release tag)
-        name: Push (release)
-        if: github.event_name == 'release'
-        run: |
-          docker push ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
-          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
-          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
-
-          docker push ${{ secrets.PLATFORM_ECR }}/${{ secrets.PLATFORM_ECR_REPOSITORY }}:${{ env.STABLE_TAG }}
-          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-      - name: Delete artifacts
-        if: always()
-        uses: geekyeggo/delete-artifact@v1
+      - name: Build and push container image (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
        with:
-          name: ${{ env.IMAGE_NAME }}.tar
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@v6
+        with:
+          # Use local context to get changes
+          # https://github.com/docker/build-push-action#path-context
+          context: .
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  dispatch-action:
+    needs: container-build-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest commit info (latest)
+        if: github.event_name == 'push'
+        run: |
+          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
+          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
+
+      - name: Dispatch event (latest)
+        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
+
+      - name: Dispatch event (release)
+        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
@@ -0,0 +1,57 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master", "v3", "v4.*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master", "v3", "v4.*" ]
+  schedule:
+    - cron: '00 12 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
@@ -7,12 +7,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.4.4
+        uses: trufflesecurity/trufflehog@v3.82.7
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
+          extra_args: --only-verified
@@ -0,0 +1,17 @@
+name: "Pull Request Labeler"
+
+on:
+    pull_request_target:
+      branches:
+        - "master"
+        - "v3"
+        - "v4.*"
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v5
@@ -4,55 +4,93 @@ on:
  push:
    branches:
      - "master"
+      - "v3"
+      - "v4.*"
  pull_request:
    branches:
      - "master"
-
+      - "v3"
+      - "v4.*"
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: ["3.9"]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]

    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@v45
        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
+          files: ./**
+          files_ignore: |
+            .github/**
+            README.md
+            docs/**
+            permissions/**
+            mkdocs.yml
+            .backportrc.json
+      - name: Install poetry
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          python -m pip install --upgrade pip
-          pip install pipenv
-          pipenv install --dev
-          pipenv run pip list
+          pipx install poetry
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+      - name: Install dependencies
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry install
+          poetry run pip list
          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
            grep '"tag_name":' | \
            sed -E 's/.*"v([^"]+)".*/\1/' \
            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
            && chmod +x /tmp/hadolint
+      - name: Poetry check
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry lock --check
      - name: Lint with flake8
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
+          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
      - name: Checking format with black
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run black --check .
+          poetry run black --check .
      - name: Lint with pylint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
      - name: Bandit
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run bandit -q -lll -x '*_test.py,./contrib/' -r .
+          poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
      - name: Safety
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run safety check
+          poetry run safety check --ignore 70612
      - name: Vulture
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run vulture --exclude "contrib" --min-confidence 100 .
+          poetry run vulture --exclude "contrib" --min-confidence 100 .
      - name: Hadolint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          /tmp/hadolint Dockerfile --ignore=DL3013
      - name: Test with pytest
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          pipenv run pytest tests -n auto
+          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@v4
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,67 @@
+name: pypi-release
+
+on:
+  release:
+    types: [published]
+
+env:
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  PYTHON_VERSION: 3.11
+  CACHE: "poetry"
+
+jobs:
+  release-prowler-job:
+    runs-on: ubuntu-latest
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+    name: Release Prowler to PyPI
+    steps:
+      - name: Get Prowler version
+        run: |
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
+
+          case ${PROWLER_VERSION%%.*} in
+          3)
+              echo "Releasing Prowler v3 with tag ${PROWLER_VERSION}"
+              ;;
+          4)
+              echo "Releasing Prowler v4 with tag ${PROWLER_VERSION}"
+              ;;
+          *)
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: ${{ env.CACHE }}
+
+      - name: Build Prowler package
+        run: |
+          poetry build
+
+      - name: Publish Prowler package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish
+
+      - name: Replicate PyPI package
+        run: |
+          rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+          pip install toml
+          python util/replicate_pypi_package.py
+          poetry build
+
+      - name: Publish prowler-cloud package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish
@@ -19,15 +19,16 @@ jobs:
    permissions:
      id-token: write
      pull-requests: write
+      contents: write
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{ env.GITHUB_BRANCH }}

      - name: setup python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
        with:
          python-version: 3.9 #install the python needed

@@ -37,7 +38,7 @@ jobs:
          pip install boto3

      - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ env.AWS_REGION_DEV }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -49,13 +50,13 @@ jobs:

      # Create pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v7
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "feat(regions_update): Update regions for AWS services."
-          branch: "aws-services-regions-updated"
-          labels: "status/waiting-for-revision, severity/low"
-          title: "feat(regions_update): Changes in regions for AWS services."
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services"
+          branch: "aws-services-regions-updated-${{ github.sha }}"
+          labels: "status/waiting-for-revision, severity/low, provider/aws, backport-to-v3"
+          title: "chore(regions_update): Changes in regions for AWS services"
          body: |
            ### Description

@@ -9,8 +9,9 @@
 __pycache__
 venv/
 build/
-dist/
+/dist/
 *.egg-info/
+*/__pycache__/*.pyc

 # Session
 Session.vim
@@ -46,3 +47,11 @@ junit-reports/

 # .env
 .env*
+
+# Coverage
+.coverage*
+.coverage
+coverage*
+
+# Node
+node_modules
@@ -1,7 +1,7 @@
 repos:
  ## GENERAL
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.6.0
    hooks:
      - id: check-merge-conflict
      - id: check-yaml
@@ -13,14 +13,23 @@ repos:
      - id: pretty-format-json
        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]

+  ## TOML
+  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+    rev: v2.13.0
+    hooks:
+      - id: pretty-format-toml
+        args: [--autofix]
+        files: pyproject.toml
+
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.8.0
+    rev: v0.10.0
    hooks:
      - id: shellcheck
+        exclude: contrib
  ## PYTHON
  - repo: https://github.com/myint/autoflake
-    rev: v1.7.7
+    rev: v2.3.1
    hooks:
      - id: autoflake
        args:
@@ -31,30 +40,32 @@ repos:
          ]

  - repo: https://github.com/timothycrosley/isort
-    rev: 5.10.1
+    rev: 5.13.2
    hooks:
      - id: isort
        args: ["--profile", "black"]

  - repo: https://github.com/psf/black
-    rev: 22.10.0
+    rev: 24.4.2
    hooks:
      - id: black

  - repo: https://github.com/pycqa/flake8
-    rev: 5.0.4
+    rev: 7.0.0
    hooks:
      - id: flake8
        exclude: contrib
        args: ["--ignore=E266,W503,E203,E501,W605"]

-  - repo: https://github.com/haizaar/check-pipfile-lock
-    rev: v0.0.5
+  - repo: https://github.com/python-poetry/poetry
+    rev: 1.8.0
    hooks:
-      - id: check-pipfile-lock
+      - id: poetry-check
+      - id: poetry-lock
+        args: ["--no-update"]

  - repo: https://github.com/hadolint/hadolint
-    rev: v2.12.0
+    rev: v2.13.0-beta
    hooks:
      - id: hadolint
        args: ["--ignore=DL3013"]
@@ -65,22 +76,28 @@ repos:
        name: pylint
        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
        language: system
+        files: '.*\.py'

-      - id: pytest-check
-        name: pytest-check
-        entry: bash -c 'pytest tests -n auto'
+      - id: trufflehog
+        name: TruffleHog
+        description: Detect secrets in your data.
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
+        # For running trufflehog in docker, use the following entry instead:
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
        language: system
+        stages: ["commit", "push"]

      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/' -r .'
        language: system
+        files: '.*\.py'

      - id: safety
        name: safety
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        entry: bash -c 'safety check'
+        entry: bash -c 'safety check --ignore 70612'
        language: system

      - id: vulture
@@ -88,3 +105,4 @@ repos:
        description: "Vulture finds unused code in Python programs."
        entry: bash -c 'vulture --exclude "contrib" --min-confidence 100 .'
        language: system
+        files: '.*\.py'
@@ -0,0 +1,25 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.11"
+  jobs:
+    post_create_environment:
+      # Install poetry
+      # https://python-poetry.org/docs/#installing-manually
+      - python -m pip install poetry
+    post_install:
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
+      # VIRTUAL_ENV needs to be set manually for now.
+      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs
+
+mkdocs:
+  configuration: mkdocs.yml
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at community@prowler.cloud. All
+reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -0,0 +1,13 @@
+# Do you want to learn on how to...
+
+- Contribute with your code or fixes to Prowler
+- Create a new check for a provider
+- Create a new security compliance framework
+- Add a custom output format
+- Add a new integration
+- Contribute with documentation
+
+Want some swag as appreciation for your contribution?
+
+# Prowler Developer Guide
+https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/
@@ -1,9 +1,10 @@
-FROM python:3.9-alpine
+FROM python:3.12-alpine

 LABEL maintainer="https://github.com/prowler-cloud/prowler"

-# Update system dependencies
-RUN apk --no-cache upgrade
+# Update system dependencies and install essential tools
+#hadolint ignore=DL3018
+RUN apk --no-cache upgrade && apk --no-cache add curl git

 # Create nonroot user
 RUN mkdir -p /home/prowler && \
@@ -12,16 +13,26 @@ RUN mkdir -p /home/prowler && \
    chown -R prowler:prowler /home/prowler
 USER prowler

-# Copy necessary files
+# Copy necessary files
 WORKDIR /home/prowler
-COPY prowler/ /home/prowler/prowler/
+COPY prowler/  /home/prowler/prowler/
+COPY dashboard/ /home/prowler/dashboard/
 COPY pyproject.toml /home/prowler
+COPY README.md /home/prowler

-# Install dependencies
+# Install Python dependencies
 ENV HOME='/home/prowler'
 ENV PATH="$HOME/.local/bin:$PATH"
-#hadolint ignore=DL3013
-RUN pip install --no-cache-dir --upgrade pip && \
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
    pip install --no-cache-dir .

+# Remove deprecated dash dependencies
+RUN pip uninstall dash-html-components -y && \
+    pip uninstall dash-core-components -y
+
+# Remove Prowler directory and build files
+USER 0
+RUN rm -rf /home/prowler/prowler /home/prowler/pyproject.toml /home/prowler/README.md /home/prowler/build /home/prowler/prowler.egg-info
+
+USER prowler
 ENTRYPOINT ["prowler"]
@@ -186,7 +186,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-Copyright 2018 Netflix, Inc.
+   Copyright @ 2024 Toni de la Fuente

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -2,12 +2,19 @@

 ##@ Testing
 test:   ## Test with pytest
-	pytest -n auto -vvv -s -x
+	rm -rf .coverage && \
+	pytest -n auto -vvv -s --cov=./prowler --cov-report=xml tests

 coverage: ## Show Test Coverage
 	coverage run --skip-covered -m pytest -v && \
 	coverage report -m && \
-	rm -rf .coverage
+	rm -rf .coverage && \
+	coverage report -m
+
+coverage-html: ## Show Test Coverage
+	rm -rf ./htmlcov && \
+	coverage html && \
+	open htmlcov/index.html

 ##@ Linting
 format: ## Format Code
@@ -20,15 +27,15 @@ lint: ## Lint Code
 	@echo "Running black... "
 	black --check .
 	@echo "Running pylint..."
-	pylint --disable=W,C,R,E -j 0 providers lib util config
+	pylint --disable=W,C,R,E -j 0 prowler util

 ##@ PyPI
 pypi-clean: ## Delete the distribution files
-	rm -rf ./dist && rm -rf ./build && rm -rf prowler_cloud.egg-info
+	rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info

 pypi-build: ## Build package
 	$(MAKE) pypi-clean && \
-	python3 -m build
+	poetry build

 pypi-upload: ## Upload package
 	python3 -m twine upload --repository pypi dist/*
@@ -1,41 +0,0 @@
-[[source]]
-url = "https://pypi.org/simple"
-verify_ssl = true
-name = "pypi"
-
-[packages]
-colorama = "0.4.4"
-boto3 = "1.26.3"
-arnparse = "0.0.2"
-botocore = "1.27.8"
-pydantic = "1.9.1"
-shodan = "1.28.0"
-detect-secrets = "1.4.0"
-alive-progress = "2.4.1"
-tabulate = "0.9.0"
-azure-identity = "1.12.0"
-azure-storage-blob = "12.14.1"
-msgraph-core = "0.2.2"
-azure-mgmt-subscription = "3.1.1"
-azure-mgmt-authorization = "3.0.0"
-azure-mgmt-security = "3.0.0"
-azure-mgmt-storage = "21.0.0"
-
-[dev-packages]
-black = "22.10.0"
-pylint = "2.15.9"
-flake8 = "5.0.4"
-bandit = "1.7.4"
-safety = "2.3.1"
-vulture = "2.6"
-moto = "4.0.13"
-docker = "6.0.0"
-openapi-spec-validator = "0.5.1"
-pytest = "7.1.2"
-pytest-xdist = "2.5.0"
-coverage = "7.0.3"
-sure = "2.0.0"
-freezegun = "1.2.1"
-
-[requires]
-python_version = "3.9"
@@ -1,22 +1,30 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-dark.png?raw=True#gh-dark-mode-only" width="150" height="36">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-light.png?raw=True#gh-light-mode-only" width="15%" height="15%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
-  <b><i>See all the things you and your team can do with ProwlerPro at <a href="https://prowler.pro">prowler.pro</a></i></b>
+  <b><i>Prowler SaaS </b> and <b>Prowler Open Source</b> are as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security.
+</p>
+<p align="center">
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
+</p>
+
+<p align="center">
+<a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/38561120/3c8b4ec5-6849-41a5-b5e1-52bbb94af73a"></a>
+  <br>
+  <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-2oinmgmw6-cl7gOrljSEqo_aoripVPFA">Join our Prowler community!</a>
 </p>
 <hr>
-<p align="center">
-  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
-</p>
 <p align="center">
  <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
-  <a href="https://pypi.org/project/prowler-cloud/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler-cloud.svg"></a>
-  <a href="https://pypi.python.org/pypi/prowler-cloud/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler-cloud.svg"></a>
+  <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
+  <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
+  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
-  <a href="https://gallery.ecr.aws/o4g1s5r6/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
 </p>
 <p align="center">
  <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
@@ -28,218 +36,101 @@
  <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
  <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
 </p>
+<hr>
+<p align="center">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
+</p>

 # Description

-`Prowler` is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
+**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call <a href="https://prowler.com">Prowler SaaS</a>.

-It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
-
-## Looking for Prowler v2 documentation?
-For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.
-# ⚙️ Install
-
-## Pip package
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9:
+## Prowler CLI

 ```console
-pip install prowler-cloud
+prowler <provider>
+```
+![Prowler CLI Execution](docs/img/short-display.png)
+
+## Prowler Dashboard
+
+```console
+prowler dashboard
+```
+![Prowler Dashboard](docs/img/dashboard.png)
+
+It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
+
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
+|---|---|---|---|---|
+| AWS | 457 | 67 -> `prowler aws --list-services` | 30 -> `prowler aws --list-compliance` | 9 -> `prowler aws --list-categories` |
+| GCP | 77 | 13 -> `prowler gcp --list-services` | 2 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
+| Azure | 136 | 17 -> `prowler azure --list-services` | 3 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
+| Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | 1 -> `prowler kubernetes --list-compliance` | 7 -> `prowler kubernetes --list-categories` |
+
+# 💻 Installation
+
+## Pip package
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9, < 3.13:
+
+```console
+pip install prowler
 prowler -v
 ```
+>More details at [https://docs.prowler.com](https://docs.prowler.com/projects/prowler-open-source/en/latest/)

 ## Containers

 The available versions of Prowler are the following:

- `latest`: in sync with master branch (bear in mind that it is not a stable version)
+- `latest`: in sync with `master` branch (bear in mind that it is not a stable version)
+- `v3-latest`: in sync with `v3` branch (bear in mind that it is not a stable version)
 - `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
 - `stable`: this tag always point to the latest release.
+- `v3-stable`: this tag always point to the latest release for v3.

 The container images are available here:

 - [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)
- [AWS Public ECR](https://gallery.ecr.aws/o4g1s5r6/prowler)
+- [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)

-## From Github
+## From GitHub

-Python >= 3.9 is required with pip and pipenv:
+Python >= 3.9, < 3.13 is required with pip and poetry:

 ```
 git clone https://github.com/prowler-cloud/prowler
 cd prowler
-pipenv shell
-pipenv install
+poetry shell
+poetry install
 python prowler.py -v
 ```
+> If you want to clone Prowler from Windows, use `git config core.longpaths true` to allow long file paths.
+# 📐✏️ High level architecture
+
+You can run Prowler from your workstation, a Kubernetes Job, a Google Compute Engine, an Azure VM, an EC2 instance, Fargate or any other container, CloudShell and many more.
+
+![Architecture](docs/img/architecture.png)
+
+# Deprecations from v3
+
+## General
+- `Allowlist` now is called `Mutelist`.
+- The `--quiet` option has been deprecated, now use the `--status` flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
+- All `INFO` finding's status has changed to `MANUAL`.
+- The CSV output format is common for all the providers.
+
+We have deprecated some of our outputs formats:
+- The native JSON is replaced for the JSON [OCSF](https://schema.ocsf.io/) v1.1.0, common for all the providers.
+
+## AWS
+- Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
+- To send only FAILS to AWS Security Hub, now use either `--send-sh-only-fails` or `--security-hub --status FAIL`.
+

 # 📖 Documentation

-The full documentation now can be found at [https://docs.prowler.cloud](https://docs.prowler.cloud)
-
-
-# 📐✏️ High level architecture
-
-You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
-
-![Architecture](https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/architecture.png?raw=True)
-
-# 📝 Requirements
-
-Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#) and [Azure SDK](https://azure.github.io/azure-sdk-for-python/).
-## AWS
-
-Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).
-Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
-
-  ```console
-  aws configure
-  ```
-
-  or
-
-  ```console
-  export AWS_ACCESS_KEY_ID="ASXXXXXXX"
-  export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
-  export AWS_SESSION_TOKEN="XXXXXXXXX"
-  ```
-
-Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
-
-  - arn:aws:iam::aws:policy/SecurityAudit
-  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
-
-  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
-
-  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
-
-  ## Azure
-
-  Prowler for Azure supports the following authentication types:
-
- Service principal authentication by environment variables (Enterprise Application)
- Current az cli credentials stored
- Interactive browser authentication
- Managed identity authentication
-
-### Service Principal authentication
-
-To allow Prowler assume the service principal identity to start the scan it is needed to configure the following environment variables:
-
-```console
-export AZURE_CLIENT_ID="XXXXXXXXX"
-export AZURE_TENANT_ID="XXXXXXXXX"
-export AZURE_CLIENT_SECRET="XXXXXXX"
-```
-
-If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
-### AZ CLI / Browser / Managed Identity authentication
-
-The other three cases does not need additional configuration, `--az-cli-auth` and `--managed-identity-auth` are automated options, `--browser-auth` needs the user to authenticate using the default browser to start the scan.
-
-### Permissions
-
-To use each one you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:
-
- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.
-
-
-#### Azure Active Directory scope
-
-Azure Active Directory (AAD) permissions required by the tool are the following:
-
- `Directory.Read.All`
- `Policy.Read.All`
-
-
-#### Subscriptions scope
-
-Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription  to the entity that is going to be assumed by the tool:
-
- `Security Reader`
- `Reader`
-
-
-# 💻 Basic Usage
-
-To run prowler, you will need to specify the provider (e.g aws or azure):
-
-```console
-prowler <provider>
-```
-
-![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/b91b0103ff38e66a915c8a0ed84905a07e4aae1d/docs/img/short-display.png?raw=True)
-
-> Running the `prowler` command without options will use your environment variable credentials.
-
-By default, prowler will generate a CSV, a JSON and a HTML report, however you can generate JSON-ASFF (only for AWS Security Hub) report with `-M` or `--output-modes`:
-
-```console
-prowler <provider> -M csv json json-asff html
-```
-
-The html report will be located in the `output` directory as the other files and it will look like:
-
-![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/html-output.png?raw=True)
-
-You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.
-
-```console
-prowler <provider> --list-checks
-prowler <provider> --list-services
-```
-
-For executing specific checks or services you can use options `-c`/`--checks` or `-s`/`--services`:
-
-```console
-prowler aws --checks s3_bucket_public_access
-prowler aws --services s3 ec2
-```
-
-Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
-
-```console
-prowler aws --excluded-checks s3_bucket_public_access
-prowler aws --excluded-services s3 ec2
-```
-
-You can always use `-h`/`--help` to access to the usage information and all the possible options:
-
-```console
-prowler -h
-```
-
-## Checks Configurations
-Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**.
-This file can be found in the following path:
-```
-prowler/config/config.yaml
-```
-
-## AWS
-
-Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`:
-
-```console
-prowler aws --profile custom-profile -f us-east-1 eu-south-2
-```
-> By default, `prowler` will scan all AWS regions.
-
-## Azure
-
-With Azure you need to specify which auth method is going to be used:
-
-```console
-prowler azure [--sp-env-auth, --az-cli-auth, --browser-auth, --managed-identity-auth]
-```
-> By default, `prowler` will scan all Azure subscriptions.
-
-# 🎉 New Features
-
- Python: we got rid of all bash and it is now all in Python.
- Faster: huge performance improvements (same account from 2.5 hours to 4 minutes).
- Developers and community: we have made it easier to contribute with new checks and new compliance frameworks. We also included unit tests.
- Multi-cloud: in addition to AWS, we have added Azure, we plan to include GCP and OCI soon, let us know if you want to contribute!
+Install, Usage, Tutorials and Developer Guide is at https://docs.prowler.com/

 # 📃 License

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Software Security
+As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated:
+
+- `bandit` for code security review.
+- `safety` and `dependabot` for dependencies.
+- `hadolint` and `dockle` for our containers security.
+- `snyk` in Docker Hub.
+- `clair` in Amazon ECR.
+- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
+
+## Reporting a Vulnerability
+
+If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to https://support.prowler.com.
+
+The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+
+We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
+
+You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
+
+We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
@@ -1,43 +0,0 @@
-{
-  "Provider": "aws",
-  "CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-  "CheckTitle": "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22.",
-  "CheckType": "Data Protection",
-  "ServiceName": "ec2",
-  "SubServiceName": "securitygroup",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-  "Severity": "low",
-  "ResourceType": "AwsEc2SecurityGroup",
-  "Description": "Extended Description",
-  "Risk": "If Security groups are not properly configured the attack surface is increased.",
-  "RelatedUrl": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
-  "Remediation": {
-    "Code": {
-      "CLI": "cli command or URL to the cli command location.",
-      "NativeIaC": "code or URL to the code location.",
-      "Other": "cli command or URL to the cli command location.",
-      "Terraform": "code or URL to the code location."
-    },
-    "Recommendation": {
-      "Text": "Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.",
-      "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html"
-    }
-  },
-  "Categories": [
-    "cat1",
-    "cat2"
-  ],
-  "Tags": {
-    "Tag1Key": "value",
-    "Tag2Key": "value"
-  },
-  "DependsOn": [
-    "othercheck1",
-    "othercheck2"
-  ],
-  "RelatedTo": [
-    "othercheck3",
-    "othercheck4"
-  ],
-  "Notes": "additional information"
-}
@@ -14,4 +14,4 @@ cd ~ || exit
 python3.9 -m pip install prowler-cloud
 prowler -v
 # Run Prowler
-prowler
+prowler aws
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+sudo bash
+adduser prowler
+su prowler
+pip install prowler
+cd /tmp
+prowler aws
@@ -0,0 +1,399 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates a CodeBuild project to audit an AWS account with Prowler Version 2 and stores the html report in a S3 bucket. This will run onece at the beginning and on a schedule afterwards. Partial contribution from https://github.com/stevecjones
+Parameters:
+  ServiceName:
+    Description: 'Specifies the service name used within component naming'
+    Type: String
+    Default: 'prowler'
+
+  LogsRetentionInDays:
+    Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days, HTML reports in S3 are not deleted'
+    Type: Number
+    Default: 3
+    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 180, 365]
+
+  ProwlerOptions:
+    Description: 'Options to pass to Prowler command, use -f to filter specific regions, -c for specific checks, -s for specific services, for SecurityHub integration use "-f shub_region -S", for more options see -h. For a complete assessment leave this empty.'
+    Type: String
+    # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks.
+    Default: -f eu-west-1 -s s3 iam ec2
+
+  ProwlerScheduler:
+    Description: The time when Prowler will run in cron format. Default is daily at 22:00h or 10PM 'cron(0 22 * * ? *)', for every 5 hours also works 'rate(5 hours)'. More info here https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html.
+    Type: String
+    Default: 'cron(0 22 * * ? *)'
+
+Resources:
+  CodeBuildStartBuild:
+    Type: 'Custom::CodeBuildStartBuild'
+    DependsOn:
+      - CodeBuildLogPolicy
+      - CodeBuildStartLogPolicy
+    Properties:
+      Build: !Ref ProwlerCodeBuild
+      ServiceToken: !GetAtt CodeBuildStartBuildLambda.Arn
+
+  CodeBuildStartBuildLambdaRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: !Sub lambda.${AWS::URLSuffix}
+            Action: 'sts:AssumeRole'
+      Description: !Sub 'DO NOT DELETE - Used by Lambda. Created by CloudFormation Stack ${AWS::StackId}'
+      Policies:
+        - PolicyName: StartBuildInline
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  CodeBuildStartBuildLambda:
+    Type: 'AWS::Lambda::Function'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: 'This Lambda has permissions to write Logs'
+          - id: W89
+            reason: 'VPC is not needed'
+          - id: W92
+            reason: 'ReservedConcurrentExecutions not needed'
+    Properties:
+      Handler: index.lambda_handler
+      MemorySize: 128
+      Role: !Sub ${CodeBuildStartBuildLambdaRole.Arn}
+      Timeout: 120
+      Runtime: python3.9
+      Code:
+        ZipFile: |
+          import boto3
+          import cfnresponse
+          from botocore.exceptions import ClientError
+
+          def lambda_handler(event,context):
+            props = event['ResourceProperties']
+            codebuild_client = boto3.client('codebuild')
+
+            if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
+              try:
+                  response = codebuild_client.start_build(projectName=props['Build'])
+                  print(response)
+                  print("Respond: SUCCESS")
+                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+              except Exception as ex:
+                  print(ex.response['Error']['Message'])
+                  cfnresponse.send(event, context, cfnresponse.FAILED, ex.response)
+            else:
+              cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+
+  CodeBuildStartLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/lambda/${CodeBuildStartBuildLambda}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  CodeBuildStartLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt CodeBuildStartLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildStartBuildLambdaRole
+
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: 'S3 Access Logging is not needed'
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Sub '${ServiceName}-${AWS::AccountId}-S3-Prowler-${AWS::StackName}'
+      BucketName: !Sub '${ServiceName}-reports-${AWS::Region}-prowler-${AWS::AccountId}'
+      AccessControl: LogDeliveryWrite
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
+  ArtifactBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ArtifactBucket
+      PolicyDocument:
+        Id: Content
+        Version: '2012-10-17'
+        Statement:
+          - Action: '*'
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: S3ForceSSL
+          - Action: 's3:PutObject'
+            Condition:
+              'Null':
+                s3:x-amz-server-side-encryption: true
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: DenyUnEncryptedObjectUploads
+
+  CodeBuildServiceRole:
+    Type: AWS::IAM::Role
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: 'Role complies with the least privilege principle.'
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by CodeBuild. Created by CloudFormation Stack ${AWS::StackId}'
+      ManagedPolicyArns:
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/SupportUser'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub codebuild.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: S3
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - s3:PutObject
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                  - s3:GetBucketAcl
+                  - s3:GetBucketLocation
+                Effect: Allow
+                Resource: !Sub '${ArtifactBucket.Arn}/*'
+        - PolicyName: ProwlerAdditions
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                - account:Get*
+                - appstream:Describe*
+                - codeartifact:List*
+                - codebuild:BatchGet*
+                - cognito-idp:GetUserPoolMfaConfig
+                - ds:Get*
+                - ds:Describe*
+                - ds:List*
+                - ec2:GetEbsEncryptionByDefault
+                - ecr:Describe*
+                - elasticfilesystem:DescribeBackupPolicy
+                - glue:GetConnections
+                - glue:GetSecurityConfiguration*
+                - glue:SearchTables
+                - lambda:GetFunction*
+                - macie2:GetMacieSession
+                - s3:GetAccountPublicAccessBlock
+                - s3:GetPublicAccessBlock
+                - shield:DescribeProtection
+                - shield:GetSubscriptionState
+                - securityhub:BatchImportFindings
+                - securityhub:GetFindings
+                - ssm:GetDocument
+                - support:Describe*
+                - tag:GetTagKeys
+                Effect: Allow
+                Resource: '*'
+        - PolicyName: ProwlerAdditionsApiGW
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                - apigateway:GET
+                Effect: Allow
+                Resource: 'arn:aws:apigateway:*::/restapis/*'
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - codebuild:CreateReportGroup
+                  - codebuild:CreateReport
+                  - codebuild:UpdateReport
+                  - codebuild:BatchPutTestCases
+                  - codebuild:BatchPutCodeCoverages
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'
+        - PolicyName: SecurityHubBatchImportFindings
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action: securityhub:BatchImportFindings
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/prowler/prowler'
+
+  CodeBuildLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt ProwlerLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  CodeBuildAssumePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Resource: !GetAtt CodeBuildServiceRole.Arn
+      PolicyName: AssumeRole
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  ProwlerCodeBuild:
+    Type: AWS::CodeBuild::Project
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W32
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      ConcurrentBuildLimit: 1
+      Source:
+        Type: NO_SOURCE
+        BuildSpec: |
+          version: 0.2
+          phases:
+            install:
+              runtime-versions:
+                python: 3.9
+              commands:
+                - echo "Installing Prowler..."
+                - pip3 install prowler
+            build:
+              commands:
+                - echo "Running Prowler as prowler $PROWLER_OPTIONS"
+                - prowler $PROWLER_OPTIONS
+            post_build:
+              commands:
+                - echo "Uploading reports to S3..."
+                - aws s3 cp --sse AES256 output/ s3://$BUCKET_REPORT/ --recursive
+                - echo "Done!"
+          # Currently not supported in Version 3
+          # reports:
+          #   prowler:
+          #     files:
+          #       - '**/*'
+          #     base-directory: 'junit-reports'
+          #     file-format: JunitXml
+      Environment:
+        # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
+        # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
+        # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
+        # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
+        # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+        Type: "LINUX_CONTAINER"
+        EnvironmentVariables:
+          - Name: BUCKET_REPORT
+            Value: !Ref ArtifactBucket
+            Type: PLAINTEXT
+          - Name: PROWLER_OPTIONS
+            Value: !Ref ProwlerOptions
+            Type: PLAINTEXT
+      Description: Run Prowler assessment
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 300
+
+  ProwlerLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  EventBridgeServiceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by EventBridge. Created by CloudFormation Stack ${AWS::StackId}'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub events.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  ProwlerSchedule:
+    Type: 'AWS::Events::Rule'
+    Properties:
+      Description: A schedule to trigger Prowler in CodeBuild
+      ScheduleExpression: !Ref ProwlerScheduler
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerCodeBuild.Arn
+          Id: ProwlerSchedule
+          RoleArn: !GetAtt EventBridgeServiceRole.Arn
+
+Outputs:
+  ArtifactBucketName:
+    Description: Artifact Bucket Name
+    Value: !Ref ArtifactBucket
@@ -0,0 +1,24 @@
+# Build command
+# docker build --platform=linux/amd64  --no-cache -t prowler:latest .
+
+ARG PROWLER_VERSION=latest
+
+FROM toniblyx/prowler:${PROWLER_VERSION}
+
+USER 0
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash aws-cli jq
+
+ARG MULTI_ACCOUNT_SECURITY_HUB_PATH=/home/prowler/multi-account-securityhub
+
+USER prowler
+
+# Move script and environment variables
+RUN mkdir "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"
+COPY --chown=prowler:prowler .awsvariables run-prowler-securityhub.sh  "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/
+RUN chmod 500 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/run-prowler-securityhub.sh & \
+    chmod 400 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/.awsvariables
+
+WORKDIR ${MULTI_ACCOUNT_SECURITY_HUB_PATH}
+
+ENTRYPOINT ["./run-prowler-securityhub.sh"]
@@ -12,7 +12,11 @@ Originally based on [org-multi-account](https://github.com/prowler-cloud/prowler

 ## Architecture Explanation

- The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+
+## Prerequisites
+
+This solution assumes that you have a VPC architecture with two redundant subnets that can reach the AWS API endpoints (e.g. PrivateLink, NAT Gateway, etc.).

 ## CloudFormation Templates

@@ -59,9 +63,9 @@ The logs that are generated and sent to Cloudwatch are error logs, and assessmen

 ## Instructions
 1. Create a Private ECR Repository in the account that will host the Prowler container. The Audit account is recommended, but any account can be used.
- 2.  Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
- 3. Follow the steps from "View Push Commands" to build and upload the container image. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template.
- 4.  Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
+ 2. Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
+ 3. Follow the steps from "View Push Commands" to build and upload the container image. Substitute step 2 with the build command provided in the Dockerfile. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template. Ensure that you pay attention to the architecture while performing the docker build command. A common mistake is not specifying the architecture and then building on Apple silicon. Your task will fail with  *exec /home/prowler/.local/bin/prowler: exec format error*. 
+ 4. Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
 5. Deploy **CF-Prowler-CrossAccountRole.yml** in the Master Account as a single stack. You will have to choose the CrossAccountRole name (ProwlerXA-Role by default) and the ProwlerTaskRoleName (ProwlerECSTask-Role by default)
 6. Deploy **CF-Prowler-CrossAccountRole.yml** in every Member Account as a StackSet. Choose the same CrossAccountName and ProwlerTaskRoleName as the previous step.
 7. Deploy **CF-Prowler-IAM.yml** in the account that will host the Prowler container (the same from step 1).  The following template parameters must be provided:
@@ -91,4 +95,4 @@ If you permission find errors in the CloudWatch logs, the culprit might be a [Se
 ## Upgrading Prowler

 Prowler version is controlled by the PROWLERVER argument in the Dockerfile, change it to the desired version and follow the ECR Push Commands to update the container image.
-Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.
+Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.
@@ -0,0 +1,83 @@
+#!/bin/bash
+# Run Prowler against All AWS Accounts in an AWS Organization
+
+# Show Prowler Version
+prowler -v
+
+# Source .awsvariables
+# shellcheck disable=SC1091
+source .awsvariables
+
+# Get Values from Environment Variables
+echo "ROLE:               ${ROLE}"
+echo "PARALLEL_ACCOUNTS:  ${PARALLEL_ACCOUNTS}"
+echo "REGION:             ${REGION}"
+
+# Function to unset AWS Profile Variables
+unset_aws() {
+    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+unset_aws
+
+# Find THIS Account AWS Number
+CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
+PARTITION=$(echo "${CALLER_ARN}" | cut -d: -f2)
+THISACCOUNT=$(echo "${CALLER_ARN}" | cut -d: -f5)
+echo "THISACCOUNT:    ${THISACCOUNT}"
+echo "PARTITION:      ${PARTITION}"
+
+# Function to Assume Role to THIS Account & Create Session
+this_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${THISACCOUNT}":role/"${ROLE}" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Find AWS Master Account
+this_account_session
+AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
+echo "AWSMASTER:      ${AWSMASTER}"
+
+# Function to Assume Role to Master Account & Create Session
+master_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${AWSMASTER}":role/"${ROLE}" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Lookup All Accounts in AWS Organization
+master_account_session
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+
+# Run Prowler against Accounts in AWS Organization
+echo "AWS Accounts in Organization"
+echo "${ACCOUNTS_IN_ORGS}"
+for accountId in ${ACCOUNTS_IN_ORGS}; do
+    # shellcheck disable=SC2015
+    test "$(jobs | wc -l)" -ge "${PARALLEL_ACCOUNTS}" && wait -n || true
+    {
+        START_TIME=${SECONDS}
+        # Unset AWS Profile Variables
+        unset_aws
+        # Run Prowler
+        echo -e "Assessing AWS Account: ${accountId}, using Role: ${ROLE} on $(date)"
+        # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs
+        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" --security-hub --send-sh-only-fails -f "${REGION}" > /dev/null
+        TOTAL_SEC=$((SECONDS - START_TIME))
+        printf "Completed AWS Account: ${accountId} in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
+        echo ""
+    } &
+done
+
+# Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed against All Accounts in AWS Organization"
+
+# Unset AWS Profile Variables
+unset_aws
@@ -60,24 +60,42 @@ Resources:
                Effect: Allow
                Resource: "*"
                Action:
-                  - ds:ListAuthorizedApplications
+                  - account:Get*
+                  - appstream:Describe*
+                  - appstream:List*
+                  - backup:List*
+                  - cloudtrail:GetInsightSelectors
+                  - codeartifact:List*
+                  - codebuild:BatchGet*
+                  - cognito-idp:GetUserPoolMfaConfig
+                  - dlm:Get*
+                  - drs:Describe*
+                  - ds:Describe*
+                  - ds:Get*
+                  - ds:List*
+                  - dynamodb:GetResourcePolicy
                  - ec2:GetEbsEncryptionByDefault
+                  - ec2:GetSnapshotBlockPublicAccessState
+                  - ec2:GetInstanceMetadataDefaults
                  - ecr:Describe*
+                  - ecr:GetRegistryScanningConfiguration
                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
-                  - glue:GetSecurityConfiguration
+                  - glue:GetSecurityConfiguration*
                  - glue:SearchTables
-                  - lambda:GetFunction
+                  - lambda:GetFunction*
+                  - logs:FilterLogEvents
+                  - lightsail:GetRelationalDatabases
+                  - macie2:GetMacieSession
                  - s3:GetAccountPublicAccessBlock
                  - shield:DescribeProtection
                  - shield:GetSubscriptionState
                  - ssm:GetDocument
+                  - ssm-incidents:List*
                  - support:Describe*
                  - tag:GetTagKeys
-        - PolicyName: Prowler-Security-Hub
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
+                  - wellarchitected:List*
+
              - Sid: AllowProwlerSecurityHub
                Effect: Allow
                Resource: "*"
@@ -62,7 +62,7 @@ Resources:
              awslogs-stream-prefix: ecs
      Cpu: 1024
      ExecutionRoleArn: !Ref ECSExecutionRole
-      Memory: 2048
+      Memory: 8192
      NetworkMode: awsvpc
      TaskRoleArn: !Ref ProwlerTaskRole
      Family: SecurityHubProwlerTask
@@ -97,9 +97,15 @@ Outputs:
  ECSExecutionRoleARN:
    Description: ARN of the ECS Task Execution Role
    Value: !GetAtt ECSExecutionRole.Arn
+    Export:
+      Name: ECSExecutionRoleArn
  ProwlerTaskRoleARN:
    Description: ARN of the ECS Prowler Task Role
    Value: !GetAtt ProwlerTaskRole.Arn
+    Export:
+      Name: ProwlerTaskRoleArn
  ECSEventRoleARN:
    Description: ARN of the Eventbridge Task Role
    Value: !GetAtt ECSEventRole.Arn
+    Export:
+      Name: ECSEventRoleARN
@@ -1,6 +1,6 @@
 # Organizational Prowler with Serverless

-Langage: [Korean](README_kr.md)
+Language: [Korean](README_kr.md)

 This project is created to apply prowler in a multi-account environment within AWS Organizations.
 CloudWatch triggers CodeBuild every fixed time.
@@ -18,12 +18,12 @@ For more information on how to use prowler, see [here](https://github.com/prowle
 2. **Master Account**
   1. Deploy [ProwlerRole.yaml](templates/ProwlerRole.yaml) stack to CloudFormation in a bid to create resources to master account itself.
      (The template will be also deployed for other member accounts as a StackSet)
-      - ProwlerCodeBuildAccount :  Audit Acccount ID where CodeBuild resides. (preferably Audit/Security account)
+      - ProwlerCodeBuildAccount :  Audit Account ID where CodeBuild resides. (preferably Audit/Security account)
      - ProwlerCodeBuildRole : Role name to use in CodeBuild service
      - ProwlerCrossAccountRole : Role name to assume for Cross account
      - ProwlerS3 : The S3 bucket name where reports will be put
   1. Create **StackSet** with [ProwlerRole.yaml](templates/ProwlerRole.yaml) to deploy Role into member accounts in AWS Organizations.
-      - ProwlerCodeBuildAccount :  Audit Acccount ID where CodeBuild resides. (preferably Audit/Security account)
+      - ProwlerCodeBuildAccount :  Audit Account ID where CodeBuild resides. (preferably Audit/Security account)
      - ProwlerCodeBuildRole : Role name to use in CodeBuild service
      - ProwlerCrossAccountRole : Role name to assume for Cross account
      - ProwlerS3 : The S3 bucket name where reports will be put
@@ -45,4 +45,4 @@ For more information on how to use prowler, see [here](https://github.com/prowle
      - ProwlerReportS3Account : The account where the report S3 bucket resides.
   1. If you'd like to change the scheduled time,
      1. You can change the cron expression of ScheduleExpression within [ProwlerCodeBuildStack.yaml](templates/ProwlerCodeBuildStack.yaml).
-      2. Alternatively, you can make changes directrly from Events > Rules > ProwlerExecuteRule > Actions > Edit in CloudWatch console.
+      2. Alternatively, you can make changes directly from Events > Rules > ProwlerExecuteRule > Actions > Edit in CloudWatch console.
@@ -1,6 +1,6 @@
 # Organizational Prowler with Serverless

-Langage: [English](README.md)
+Language: [English](README.md)

 이 문서는 AWS Organization 내의 multi account 환경에서 prowler 를 적용하기 위해 작성된 문서입니다.
 일정 시간마다 CloudWatch는 CodeBuild 를 트리거합니다.
@@ -22,7 +22,7 @@ prowler 의 자세한 사용방법은 [이 곳](https://github.com/prowler-cloud

      [ProwlerRole.yaml](templates/ProwlerRole.yaml)

-      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Acccount ID
+      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Account ID
      - ProwlerCodeBuildRole : CodeBuild의 생성될 Role 이름
      - ProwlerCrossAccountRole : Cross account 용 Assume할 Role 이름
      - ProwlerS3 : report 가 저장될 S3 bucket 명
@@ -30,7 +30,7 @@ prowler 의 자세한 사용방법은 [이 곳](https://github.com/prowler-cloud

      [ProwlerRole.yaml](templates/ProwlerRole.yaml)

-      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Acccount
+      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Account
      - ProwlerCodeBuildRole : CodeBuild에서 사용할 Role 이름
      - ProwlerCrossAccountRole : Cross account 용 Assume할 Role 이름
      - ProwlerS3 : report 가 저장될 S3 bucket 명
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Install system dependencies
-sudo yum -y install openssl-devel bzip2-devel libffi-devel gcc
-# Upgrade to Python 3.9
-cd /tmp && wget https://www.python.org/ftp/python/3.9.13/Python-3.9.13.tgz
-tar zxf Python-3.9.13.tgz
-cd Python-3.9.13/ || exit
-./configure --enable-optimizations
-sudo make altinstall
-python3.9 --version
-# Install Prowler
-cd ~ || exit
-python3.9 -m pip install prowler-cloud
-prowler -v
-# Run Prowler
-prowler
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# List of project IDs
+PROJECT_IDS=(
+    "project-id-1"
+    "project-id-2"
+    "project-id-3"
+    # Add more project IDs as needed
+)
+
+# List of Prowler APIs to enable
+APIS=(
+    "apikeys.googleapis.com"
+    "artifactregistry.googleapis.com"
+    "bigquery.googleapis.com"
+    "sqladmin.googleapis.com"  # Cloud SQL
+    "storage.googleapis.com"  # Cloud Storage
+    "compute.googleapis.com"
+    "dataproc.googleapis.com"
+    "dns.googleapis.com"
+    "containerregistry.googleapis.com"  # GCR (Google Container Registry)
+    "container.googleapis.com"  # GKE (Google Kubernetes Engine)
+    "iam.googleapis.com"
+    "cloudkms.googleapis.com"  # KMS (Key Management Service)
+    "logging.googleapis.com"
+)
+
+# Function to enable APIs for a given project
+enable_apis_for_project() {
+    local PROJECT_ID=$1
+
+    echo "Enabling APIs for project: ${PROJECT_ID}"
+
+    for API in "${APIS[@]}"; do
+        echo "Enabling API: $API for project: ${PROJECT_ID}"
+        if gcloud services enable "${API}" --project="${PROJECT_ID}"; then
+            echo "Successfully enabled API $API for project ${PROJECT_ID}."
+        else
+            echo "Failed to enable API $API for project ${PROJECT_ID}."
+        fi
+    done
+}
+
+# Loop over each project and enable the APIs
+for PROJECT_ID in "${PROJECT_IDS[@]}"; do
+    enable_apis_for_project "${PROJECT_ID}"
+done
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: prowler
+description: Prowler Security Tool Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
@@ -0,0 +1,78 @@
+# prowler
+
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+Prowler Security Tool Helm chart for Kubernetes
+
+# Prowler Helm Chart Deployment
+
+This guide provides step-by-step instructions for deploying the Prowler Helm chart.
+
+## Prerequisites
+
+Before you begin, ensure you have the following:
+
+1. A running Kubernetes cluster.
+2. Helm installed on your local machine. If you don't have Helm installed, you can follow the [Helm installation guide](https://helm.sh/docs/intro/install/).
+3. Proper access to your Kubernetes cluster (e.g., `kubectl` is configured and working).
+
+## Deployment Steps
+
+### 1. Clone the Repository
+
+Clone the repository containing the Helm chart to your local machine.
+
+```sh
+git clone git@github.com:prowler-cloud/prowler.git
+cd prowler/contrib/k8s/helm
+```
+
+### 2. Deploy the helm chart
+
+```
+helm install prowler .
+```
+
+### 3. Verify the deployment
+
+```
+helm status prowler
+kubectl get all -n prowler-ns
+```
+
+### 4. Clean Up
+To uninstall the Helm release and clean up the resources, run:
+
+```helm uninstall prowler
+kubectl delete namespace prowler-ns
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterRole.name | string | `"prowler-read-cluster"` |  |
+| clusterRoleBinding.name | string | `"prowler-read-cluster-binding"` |  |
+| configMap.name | string | `"prowler-hostpaths"` |  |
+| configMapData.etcCniNetd | string | `"/etc/cni/net.d"` |  |
+| configMapData.etcKubernetes | string | `"/etc/kubernetes"` |  |
+| configMapData.etcSystemd | string | `"/etc/systemd"` |  |
+| configMapData.libSystemd | string | `"/lib/systemd"` |  |
+| configMapData.optCniBin | string | `"/opt/cni/bin"` |  |
+| configMapData.usrBin | string | `"/usr/bin"` |  |
+| configMapData.varLibCni | string | `"/var/lib/cni"` |  |
+| configMapData.varLibEtcd | string | `"/var/lib/etcd"` |  |
+| configMapData.varLibKubeControllerManager | string | `"/var/lib/kube-controller-manager"` |  |
+| configMapData.varLibKubeScheduler | string | `"/var/lib/kube-scheduler"` |  |
+| configMapData.varLibKubelet | string | `"/var/lib/kubelet"` |  |
+| cronjob.hostPID | bool | `true` |  |
+| cronjob.name | string | `"prowler"` |  |
+| cronjob.schedule | string | `"0 0 * * *"` |  |
+| image.pullPolicy | string | `"Always"` |  |
+| image.repository | string | `"toniblyx/prowler"` |  |
+| image.tag | string | `"stable"` |  |
+| namespace.name | string | `"prowler"` |  |
+| serviceAccount.name | string | `"prowler"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.clusterRole.name }}
+rules:
+- apiGroups: [""]
+  resources: ["pods", "configmaps", "nodes", "namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings", "rolebindings", "clusterroles", "roles"]
+  verbs: ["get", "list", "watch"]
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.configMap.name }}
+  namespace: {{ .Values.namespace.name }}
+data:
+  varLibCni: "{{ .Values.configMap.data.varLibCni }}"
+  varLibEtcd: "{{ .Values.configMap.data.varLibEtcd }}"
+  varLibKubelet: "{{ .Values.configMap.data.varLibKubelet }}"
+  varLibKubeScheduler: "{{ .Values.configMap.data.varLibKubeScheduler }}"
+  varLibKubeControllerManager: "{{ .Values.configMap.data.varLibKubeControllerManager }}"
+  etcSystemd: "{{ .Values.configMap.data.etcSystemd }}"
+  libSystemd: "{{ .Values.configMap.data.libSystemd }}"
+  etcKubernetes: "{{ .Values.configMap.data.etcKubernetes }}"
+  usrBin: "{{ .Values.configMap.data.usrBin }}"
+  etcCniNetd: "{{ .Values.configMap.data.etcCniNetd }}"
+  optCniBin: "{{ .Values.configMap.data.optCniBin }}"
+  srvKubernetes: "{{ .Values.configMap.data.srvKubernetes }}"
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Values.cronjob.name }}
+  namespace: {{ .Values.namespace.name }}
+spec:
+  schedule: "{{ .Values.cronjob.schedule }}"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: prowler
+        spec:
+          serviceAccountName: {{ .Values.serviceAccount.name }}
+          containers:
+          - name: prowler
+            image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+            command: ["prowler"]
+            args: ["kubernetes", "-z", "-b"]
+            imagePullPolicy: {{ .Values.image.pullPolicy }}
+            volumeMounts:
+            {{- range $key, $value := .Values.configMap.data }}
+              {{- if and (eq $.Values.clusterType "gke") (eq $key "srvKubernetes") }}
+              {{- else }}
+              - name: {{ $key | lower }}
+                mountPath: {{ $value }}
+                readOnly: true
+              {{- end }}
+            {{- end }}
+          hostPID: {{ .Values.cronjob.hostPID }}
+          restartPolicy: Never
+          volumes:
+          {{- range $key, $value := .Values.configMap.data }}
+            {{- if and (eq $.Values.clusterType "gke") (eq $key "srvKubernetes") }}
+            {{- else }}
+            - name: {{ $key | lower }}
+              hostPath:
+                path: {{ $value }}
+            {{- end }}
+          {{- end }}
+
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace.name }}
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.clusterRoleBinding.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRole.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespace.name }}
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespace.name }}
@@ -0,0 +1,40 @@
+namespace:
+  name: prowler-ns
+
+cronjob:
+  name: prowler
+  schedule: "0 0 * * *"
+  hostPID: true
+
+serviceAccount:
+  name: prowler-sa
+
+image:
+  repository: toniblyx/prowler
+  tag: stable
+  pullPolicy: Always
+
+clusterType:
+
+configMap:
+  name: prowler-config
+  data:
+    varLibCni: "/var/lib/cni"
+    varLibEtcd: "/var/lib/etcd"
+    varLibKubelet: "/var/lib/kubelet"
+    varLibKubeScheduler: "/var/lib/kube-scheduler"
+    varLibKubeControllerManager: "/var/lib/kube-controller-manager"
+    etcSystemd: "/etc/systemd"
+    libSystemd: "/lib/systemd"
+    etcKubernetes: "/etc/kubernetes"
+    usrBin: "/usr/bin"
+    etcCniNetd: "/etc/cni/net.d"
+    optCniBin: "/opt/cni/bin"
+    srvKubernetes: "/srv/kubernetes"
+
+clusterRole:
+  name: prowler-read-cluster
+
+clusterRoleBinding:
+  name: prowler-read-cluster-binding
+  roleName: prowler-read-cluster
@@ -1,45 +0,0 @@
-# Build command
-# docker build --platform=linux/amd64  --no-cache -t prowler:latest .
-
-FROM public.ecr.aws/amazonlinux/amazonlinux:2022
-
-ARG PROWLERVER=2.9.0
-ARG USERNAME=prowler
-ARG USERID=34000
-
-# Install Dependencies
-RUN \
-    dnf update -y && \
-    dnf install -y bash file findutils git jq python3 python3-pip \
-                   python3-setuptools python3-wheel shadow-utils tar unzip which && \
-    dnf remove -y awscli && \
-    dnf clean all && \
-    useradd -l -s /bin/sh -U -u ${USERID} ${USERNAME} && \
-    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
-    unzip awscliv2.zip && \
-    ./aws/install && \
-    pip3 install --no-cache-dir --upgrade pip && \
-    pip3 install --no-cache-dir "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets" && \
-    rm -rf aws awscliv2.zip /var/cache/dnf
-
-# Place script and env vars
-COPY .awsvariables run-prowler-securityhub.sh /
-
-# Installs prowler and change permissions
-RUN \
-    curl -L "https://github.com/prowler-cloud/prowler/archive/refs/tags/${PROWLERVER}.tar.gz" -o "prowler.tar.gz" && \
-    tar xvzf prowler.tar.gz && \
-    rm -f prowler.tar.gz && \
-    mv prowler-${PROWLERVER} prowler && \
-    chown ${USERNAME}:${USERNAME} /run-prowler-securityhub.sh && \
-    chmod 500 /run-prowler-securityhub.sh && \
-    chown ${USERNAME}:${USERNAME} /.awsvariables && \
-    chmod 400 /.awsvariables && \
-    chown ${USERNAME}:${USERNAME} -R /prowler && \
-    chmod +x /prowler/prowler
-
-# Drop to user
-USER ${USERNAME}
-
-# Run script
-ENTRYPOINT ["/run-prowler-securityhub.sh"]
@@ -1,86 +0,0 @@
-#!/bin/bash
-# Run Prowler against All AWS Accounts in an AWS Organization
-
-# Change Directory (rest of the script, assumes you're in the root directory)
-cd / || exit
-
-# Show Prowler Version
-./prowler/prowler -V
-
-# Source .awsvariables
-# shellcheck disable=SC1091
-source .awsvariables
-
-# Get Values from Environment Variables
-echo "ROLE:               $ROLE"
-echo "PARALLEL_ACCOUNTS:  $PARALLEL_ACCOUNTS"
-echo "REGION:             $REGION"
-
-# Function to unset AWS Profile Variables
-unset_aws() {
-    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
-}
-unset_aws
-
-# Find THIS Account AWS Number
-CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
-PARTITION=$(echo "$CALLER_ARN" | cut -d: -f2)
-THISACCOUNT=$(echo "$CALLER_ARN" | cut -d: -f5)
-echo "THISACCOUNT:    $THISACCOUNT"
-echo "PARTITION:      $PARTITION"
-
-# Function to Assume Role to THIS Account & Create Session
-this_account_session() {
-    unset_aws
-    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$THISACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
-    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
-    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
-    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
-    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
-}
-
-# Find AWS Master Account
-this_account_session
-AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
-echo "AWSMASTER:      $AWSMASTER"
-
-# Function to Assume Role to Master Account & Create Session
-master_account_session() {
-    unset_aws
-    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$AWSMASTER":role/"$ROLE" --role-session-name ProwlerRun --output json)
-    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
-    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
-    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
-    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
-}
-
-# Lookup All Accounts in AWS Organization
-master_account_session
-ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
-
-# Run Prowler against Accounts in AWS Organization
-echo "AWS Accounts in Organization"
-echo "$ACCOUNTS_IN_ORGS"
-for accountId in $ACCOUNTS_IN_ORGS; do
-    # shellcheck disable=SC2015
-    test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait -n || true
-    {
-        START_TIME=$SECONDS
-        # Unset AWS Profile Variables
-        unset_aws
-        # Run Prowler
-        echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)"
-        # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs
-        ./prowler/prowler -R "$ROLE" -A "$accountId" -M json-asff -q -S -f "$REGION" > /dev/null
-        TOTAL_SEC=$((SECONDS - START_TIME))
-        printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
-        echo ""
-    } &
-done
-
-# Wait for All Prowler Processes to finish
-wait
-echo "Prowler Assessments Completed against All Accounts in AWS Organization"
-
-# Unset AWS Profile Variables
-unset_aws
@@ -2,7 +2,7 @@

 ## Introduction

-The following demonstartes how to quickly install the resources necessary to perform a security baseline using Prowler.  The speed is based on the prebuilt terraform module that can configure all the resources necessuary to run Prowler with the findings being sent to AWS Security Hub.
+The following demonstrates how to quickly install the resources necessary to perform a security baseline using Prowler.  The speed is based on the prebuilt terraform module that can configure all the resources necessary to run Prowler with the findings being sent to AWS Security Hub.

 ## Install

@@ -24,7 +24,7 @@ Installing Prowler with Terraform is simple and can be completed in under 1 minu

  ![Prowler Install](https://prowler-docs.s3.amazonaws.com/Prowler-Terraform-Install.gif)

-   - It is likely an error will return related to the SecurityHub subscription.  This appears to be Terraform related and you can validate the configuration by navigating to the SecurityHub console.  Click Integreations and search for Prowler. Take note of the green check where it says *Accepting findings*
+   - It is likely an error will return related to the SecurityHub subscription.  This appears to be Terraform related and you can validate the configuration by navigating to the SecurityHub console.  Click Integrations and search for Prowler. Take note of the green check where it says *Accepting findings*

  ![Prowler Subscription](https://prowler-docs.s3.amazonaws.com/Validate-Prowler-Subscription.gif)

@@ -92,7 +92,7 @@ To make sure rules are working fine, run `/var/ossec/bin/ossec-logtest` and copy
 ```
 You must see 3 phases goin on.

-To check if there is any error you can enable the debug mode of `modulesd` setting the `wazuh_modules.debug=0` variable to 2 in `/var/ossec/etc/internal_options.conf` file. Restart wazun-manager and errors should appear in the `/var/ossec/logs/ossec.log` file.
+To check if there is any error you can enable the debug mode of `modulesd` setting the `wazuh_modules.debug=0` variable to 2 in `/var/ossec/etc/internal_options.conf` file. Restart wazuh-manager and errors should appear in the `/var/ossec/logs/ossec.log` file.

 ## Thanks

@@ -0,0 +1,2 @@
+DASHBOARD_PORT = 11666
+DASHBOARD_ARGS = {"debug": True, "port": DASHBOARD_PORT, "use_reloader": False}
@@ -0,0 +1,179 @@
+# Importing Packages
+import sys
+import warnings
+
+import click
+import dash
+import dash_bootstrap_components as dbc
+from colorama import Fore, Style
+from dash import dcc, html
+from dash.dependencies import Input, Output
+
+from dashboard.config import folder_path_overview
+from prowler.config.config import orange_color
+from prowler.lib.banner import print_banner
+
+warnings.filterwarnings("ignore")
+
+cli = sys.modules["flask.cli"]
+print_banner()
+print(
+    f"{Fore.GREEN}Loading all CSV files from the folder {folder_path_overview} ...\n{Style.RESET_ALL}"
+)
+cli.show_server_banner = lambda *x: click.echo(
+    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler SaaS{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler Open Source{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
+)
+
+# Initialize the app - incorporate css
+dashboard = dash.Dash(
+    __name__,
+    external_stylesheets=[dbc.themes.FLATLY],
+    use_pages=True,
+    suppress_callback_exceptions=True,
+    title="Prowler Dashboard",
+)
+
+# Logo
+prowler_logo = html.Img(
+    src="https://prowler.com/wp-content/uploads/logo-dashboard.png", alt="Prowler Logo"
+)
+
+menu_icons = {
+    "overview": "/assets/images/icons/overview.svg",
+    "compliance": "/assets/images/icons/compliance.svg",
+}
+
+
+# Function to generate navigation links
+def generate_nav_links(current_path):
+    nav_links = []
+    for page in dash.page_registry.values():
+        # Gets the icon URL based on the page name
+        icon_url = menu_icons.get(page["name"].lower())
+        is_active = (
+            " bg-prowler-stone-950 border-r-4 border-solid border-prowler-lime"
+            if current_path == page["relative_path"]
+            else ""
+        )
+        link_class = f"block hover:bg-prowler-stone-950 hover:border-r-4 hover:border-solid hover:border-prowler-lime{is_active}"
+
+        link_content = html.Span(
+            [
+                html.Img(src=icon_url, className="w-5"),
+                html.Span(
+                    page["name"], className="font-medium text-base leading-6 text-white"
+                ),
+            ],
+            className="flex justify-center lg:justify-normal items-center gap-x-3 py-2 px-3",
+        )
+
+        nav_link = html.Li(
+            dcc.Link(link_content, href=page["relative_path"], className=link_class)
+        )
+        nav_links.append(nav_link)
+    return nav_links
+
+
+def generate_help_menu():
+    help_links = [
+        {
+            "title": "Help",
+            "url": "https://github.com/prowler-cloud/prowler/issues",
+            "icon": "/assets/images/icons/help.png",
+        },
+        {
+            "title": "Docs",
+            "url": "https://docs.prowler.com",
+            "icon": "/assets/images/icons/docs.png",
+        },
+    ]
+
+    link_class = "block hover:bg-prowler-stone-950 hover:border-r-4 hover:border-solid hover:border-prowler-lime"
+
+    menu_items = []
+    for link in help_links:
+        menu_item = html.Li(
+            html.A(
+                html.Span(
+                    [
+                        html.Img(src=link["icon"], className="w-5"),
+                        html.Span(
+                            link["title"],
+                            className="font-medium text-base leading-6 text-white",
+                        ),
+                    ],
+                    className="flex items-center gap-x-3 py-2 px-3",
+                ),
+                href=link["url"],
+                target="_blank",
+                className=link_class,
+            )
+        )
+        menu_items.append(menu_item)
+
+    return menu_items
+
+
+# Layout
+dashboard.layout = html.Div(
+    [
+        dcc.Location(id="url", refresh=False),
+        html.Link(rel="icon", href="assets/favicon.ico"),
+        # Placeholder for dynamic navigation bar
+        html.Div(
+            [
+                html.Div(
+                    id="navigation-bar", className="bg-prowler-stone-900 min-w-36 z-10"
+                ),
+                html.Div(
+                    [
+                        dash.page_container,
+                    ],
+                    id="content_select",
+                    className="bg-prowler-white w-full col-span-11 h-screen mx-auto overflow-y-scroll no-scrollbar px-10 py-7",
+                ),
+            ],
+            className="grid custom-grid 2xl:custom-grid-large h-screen",
+        ),
+    ],
+    className="h-screen mx-auto",
+)
+
+
+# Callback to update navigation bar
+@dashboard.callback(Output("navigation-bar", "children"), [Input("url", "pathname")])
+def update_nav_bar(pathname):
+    return html.Div(
+        [
+            html.Div([prowler_logo], className="mb-8 px-3"),
+            html.H6(
+                "Dashboards",
+                className="px-3 text-prowler-stone-500 text-sm opacity-90 font-regular mb-2",
+            ),
+            html.Nav(
+                [html.Ul(generate_nav_links(pathname), className="")],
+                className="flex flex-col gap-y-6",
+            ),
+            html.Nav(
+                [
+                    html.A(
+                        [
+                            html.Span(
+                                [
+                                    html.Img(src="assets/favicon.ico", className="w-5"),
+                                    "Subscribe to prowler SaaS",
+                                ],
+                                className="flex items-center gap-x-3 text-white",
+                            ),
+                        ],
+                        href="https://prowler.com/",
+                        target="_blank",
+                        className="block p-3 uppercase text-xs hover:bg-prowler-stone-950 hover:border-r-4 hover:border-solid hover:border-prowler-lime",
+                    ),
+                    html.Ul(generate_help_menu(), className=""),
+                ],
+                className="flex flex-col gap-y-6 mt-auto",
+            ),
+        ],
+        className="flex flex-col bg-prowler-stone-900 py-7 h-full",
+    )
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" shape-rendering="geometricPrecision" text-rendering="geometricPrecision" image-rendering="optimizeQuality" fill-rule="evenodd" clip-rule="evenodd" viewBox="0 0 443 511.62"><path fill-rule="nonzero" d="M152.93 286.97c0 17.1-13.87 30.97-30.97 30.97-17.11 0-30.98-13.87-30.98-30.97v-177.4l-37.45 40.31c-11.63 12.5-31.19 13.2-43.68 1.57-12.49-11.62-13.19-31.18-1.57-43.68L99.33 9.79l2.06-1.94c12.69-11.35 32.2-10.26 43.55 2.43l91.05 101.47c11.35 12.69 10.26 32.2-2.43 43.55-12.68 11.36-32.19 10.27-43.55-2.42l-37.08-41.33v175.42zm236.24 71.77c11.35-12.69 30.86-13.78 43.55-2.43 12.69 11.36 13.78 30.87 2.42 43.56L344.1 501.34c-11.36 12.69-30.87 13.78-43.55 2.42l-2.02-1.97-91.09-97.95c-11.63-12.49-10.93-32.05 1.57-43.67 12.49-11.63 32.05-10.93 43.67 1.57l37.46 40.31V231.53c0-17.11 13.87-30.97 30.97-30.97s30.97 13.86 30.97 30.97v168.54l37.09-41.33z"/></svg>
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="#FFF" aria-hidden="true" class="h-5 w-5" viewBox="0 0 24 24">
+  <path fill-rule="evenodd" d="M9 1.5H5.625c-1.036 0-1.875.84-1.875 1.875v17.25c0 1.035.84 1.875 1.875 1.875h12.75c1.035 0 1.875-.84 1.875-1.875V12.75A3.75 3.75 0 0 0 16.5 9h-1.875a1.875 1.875 0 0 1-1.875-1.875V5.25A3.75 3.75 0 0 0 9 1.5zm6.61 10.936a.75.75 0 1 0-1.22-.872l-3.236 4.53L9.53 14.47a.75.75 0 0 0-1.06 1.06l2.25 2.25a.75.75 0 0 0 1.14-.094l3.75-5.25z" clip-rule="evenodd"/>
+  <path d="M12.971 1.816A5.23 5.23 0 0 1 14.25 5.25v1.875c0 .207.168.375.375.375H16.5a5.23 5.23 0 0 1 3.434 1.279 9.768 9.768 0 0 0-6.963-6.963z"/>
+</svg>
@@ -0,0 +1 @@
+<svg class="svg-icon" style="width: 1.001953125em; height: 1em;vertical-align: middle;fill: currentColor;overflow: hidden;" viewBox="0 0 1026 1024" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M1013.7 90.8C997.8 75.5 972.4 76 957.1 92L510.9 557.1 73.2 90.8C58 74.7 32.7 73.9 16.6 89 0.5 104.1-0.3 129.4 14.8 145.5l466.6 497.1 1.5 1.5c0.2 0.2 0.4 0.4 0.7 0.6 0.3 0.3 0.6 0.5 0.9 0.8 0.3 0.3 0.6 0.5 0.9 0.7 0.2 0.2 0.4 0.4 0.7 0.6 0.3 0.2 0.6 0.5 0.9 0.7 0.2 0.2 0.5 0.4 0.7 0.5l0.9 0.6c0.3 0.2 0.5 0.4 0.8 0.5 0.3 0.2 0.6 0.3 0.9 0.5 0.3 0.2 0.6 0.3 0.9 0.5 0.3 0.2 0.5 0.3 0.8 0.4 0.3 0.2 0.6 0.3 1 0.5 0.3 0.1 0.5 0.3 0.8 0.4 0.3 0.2 0.7 0.3 1 0.5 0.2 0.1 0.5 0.2 0.7 0.3 0.4 0.2 0.7 0.3 1.1 0.4 0.2 0.1 0.5 0.2 0.7 0.3 0.4 0.1 0.8 0.3 1.2 0.4 0.2 0.1 0.5 0.1 0.7 0.2l1.2 0.3c0.2 0.1 0.4 0.1 0.7 0.2 0.4 0.1 0.8 0.2 1.3 0.3 0.2 0 0.4 0.1 0.6 0.1 0.4 0.1 0.9 0.2 1.3 0.2 0.2 0 0.4 0.1 0.6 0.1 0.5 0.1 0.9 0.1 1.4 0.2 0.2 0 0.4 0 0.6 0.1 0.5 0 1 0.1 1.5 0.1h4.6c0.5 0 1-0.1 1.5-0.1 0.2 0 0.4 0 0.5-0.1 0.5 0 0.9-0.1 1.4-0.2 0.2 0 0.4-0.1 0.6-0.1 0.4-0.1 0.9-0.1 1.3-0.2 0.2 0 0.4-0.1 0.6-0.1l1.2-0.3c0.2-0.1 0.4-0.1 0.7-0.2l1.2-0.3c0.2-0.1 0.5-0.1 0.7-0.2 0.4-0.1 0.8-0.2 1.1-0.4 0.2-0.1 0.5-0.2 0.7-0.3 0.4-0.1 0.7-0.3 1.1-0.4 0.3-0.1 0.5-0.2 0.8-0.3 0.3-0.1 0.7-0.3 1-0.5 0.3-0.1 0.5-0.2 0.8-0.4 0.3-0.2 0.6-0.3 0.9-0.5 0.3-0.1 0.6-0.3 0.8-0.4 0.3-0.2 0.6-0.3 0.8-0.5 0.3-0.2 0.6-0.3 0.9-0.5 0.3-0.2 0.5-0.3 0.8-0.5l0.9-0.6c0.2-0.2 0.4-0.3 0.7-0.5 0.3-0.2 0.6-0.5 1-0.7 0.2-0.1 0.4-0.3 0.6-0.5 0.3-0.3 0.7-0.5 1-0.8 0.2-0.1 0.3-0.3 0.5-0.5 0.5-0.5 1-0.9 1.5-1.4l0.9-0.9 475.4-495.6c15.3-15.7 14.7-41.1-1.2-56.3z" fill="#898989" /></svg>
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="#FFF" aria-hidden="true" class="h-5 w-5" viewBox="0 0 24 24">
+  <path fill-rule="evenodd" d="M2.25 13.5a8.25 8.25 0 0 1 8.25-8.25.75.75 0 0 1 .75.75v6.75H18a.75.75 0 0 1 .75.75 8.25 8.25 0 0 1-16.5 0z" clip-rule="evenodd"/>
+  <path fill-rule="evenodd" d="M12.75 3a.75.75 0 0 1 .75-.75 8.25 8.25 0 0 1 8.25 8.25.75.75 0 0 1-.75.75h-7.5a.75.75 0 0 1-.75-.75V3z" clip-rule="evenodd"/>
+</svg>
@@ -0,0 +1,23 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format2
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format2(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -0,0 +1,23 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format1
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format1(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -0,0 +1,23 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format1
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format1(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -0,0 +1,23 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format1
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format1(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -0,0 +1,22 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format2
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ATTRIBUTES_NAME",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ]
+    return get_section_containers_format2(
+        aux, "REQUIREMENTS_ATTRIBUTES_NAME", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,23 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format2
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ATTRIBUTES_NAME",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ]
+
+    return get_section_containers_format2(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ATTRIBUTES_NAME"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" shape-rendering="geometricPrecision" text-rendering="geometricPrecision" image-rendering="optimizeQuality" fill-rule="evenodd" clip-rule="evenodd" viewBox="0 0 443 511.62"><path fill-rule="nonzero" d="M152.93 286.97c0 17.1-13.87 30.97-30.97 30.97-17.11 0-30.98-13.87-30.98-30.97v-177.4l-37.45 40.31c-11.63 12.5-31.19 13.2-43.68 1.57-12.49-11.62-13.19-31.18-1.57-43.68L99.33 9.79l2.06-1.94c12.69-11.35 32.2-10.26 43.55 2.43l91.05 101.47c11.35 12.69 10.26 32.2-2.43 43.55-12.68 11.36-32.19 10.27-43.55-2.42l-37.08-41.33v175.42zm236.24 71.77c11.35-12.69 30.86-13.78 43.55-2.43 12.69 11.36 13.78 30.87 2.42 43.56L344.1 501.34c-11.36 12.69-30.87 13.78-43.55 2.42l-2.02-1.97-91.09-97.95c-11.63-12.49-10.93-32.05 1.57-43.67 12.49-11.63 32.05-10.93 43.67 1.57l37.46 40.31V231.53c0-17.11 13.87-30.97 30.97-30.97s30.97 13.86 30.97 30.97v168.54l37.09-41.33z"/></svg>
				`@@ -0,0 +1 @@`
				<svg class="svg-icon" style="width: 1.001953125em; height: 1em;vertical-align: middle;fill: currentColor;overflow: hidden;" viewBox="0 0 1026 1024" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M1013.7 90.8C997.8 75.5 972.4 76 957.1 92L510.9 557.1 73.2 90.8C58 74.7 32.7 73.9 16.6 89 0.5 104.1-0.3 129.4 14.8 145.5l466.6 497.1 1.5 1.5c0.2 0.2 0.4 0.4 0.7 0.6 0.3 0.3 0.6 0.5 0.9 0.8 0.3 0.3 0.6 0.5 0.9 0.7 0.2 0.2 0.4 0.4 0.7 0.6 0.3 0.2 0.6 0.5 0.9 0.7 0.2 0.2 0.5 0.4 0.7 0.5l0.9 0.6c0.3 0.2 0.5 0.4 0.8 0.5 0.3 0.2 0.6 0.3 0.9 0.5 0.3 0.2 0.6 0.3 0.9 0.5 0.3 0.2 0.5 0.3 0.8 0.4 0.3 0.2 0.6 0.3 1 0.5 0.3 0.1 0.5 0.3 0.8 0.4 0.3 0.2 0.7 0.3 1 0.5 0.2 0.1 0.5 0.2 0.7 0.3 0.4 0.2 0.7 0.3 1.1 0.4 0.2 0.1 0.5 0.2 0.7 0.3 0.4 0.1 0.8 0.3 1.2 0.4 0.2 0.1 0.5 0.1 0.7 0.2l1.2 0.3c0.2 0.1 0.4 0.1 0.7 0.2 0.4 0.1 0.8 0.2 1.3 0.3 0.2 0 0.4 0.1 0.6 0.1 0.4 0.1 0.9 0.2 1.3 0.2 0.2 0 0.4 0.1 0.6 0.1 0.5 0.1 0.9 0.1 1.4 0.2 0.2 0 0.4 0 0.6 0.1 0.5 0 1 0.1 1.5 0.1h4.6c0.5 0 1-0.1 1.5-0.1 0.2 0 0.4 0 0.5-0.1 0.5 0 0.9-0.1 1.4-0.2 0.2 0 0.4-0.1 0.6-0.1 0.4-0.1 0.9-0.1 1.3-0.2 0.2 0 0.4-0.1 0.6-0.1l1.2-0.3c0.2-0.1 0.4-0.1 0.7-0.2l1.2-0.3c0.2-0.1 0.5-0.1 0.7-0.2 0.4-0.1 0.8-0.2 1.1-0.4 0.2-0.1 0.5-0.2 0.7-0.3 0.4-0.1 0.7-0.3 1.1-0.4 0.3-0.1 0.5-0.2 0.8-0.3 0.3-0.1 0.7-0.3 1-0.5 0.3-0.1 0.5-0.2 0.8-0.4 0.3-0.2 0.6-0.3 0.9-0.5 0.3-0.1 0.6-0.3 0.8-0.4 0.3-0.2 0.6-0.3 0.8-0.5 0.3-0.2 0.6-0.3 0.9-0.5 0.3-0.2 0.5-0.3 0.8-0.5l0.9-0.6c0.2-0.2 0.4-0.3 0.7-0.5 0.3-0.2 0.6-0.5 1-0.7 0.2-0.1 0.4-0.3 0.6-0.5 0.3-0.3 0.7-0.5 1-0.8 0.2-0.1 0.3-0.3 0.5-0.5 0.5-0.5 1-0.9 1.5-1.4l0.9-0.9 475.4-495.6c15.3-15.7 14.7-41.1-1.2-56.3z" fill="#898989" /></svg>