feat(api): show only production URL in API reference playground

Merge branch 'master' into DEVREL-98-include-open-api-specification-in-mintlify
fix(compliance): handle check_id not in Prowler Checks (#9208 )
2026-06-10 21:42:29 +00:00 · 2025-11-12 09:47:28 +01:00 · 2025-11-12 09:22:08 +01:00 · 2025-11-12 09:11:34 +01:00 · 2025-11-12 08:39:20 +01:00 · 2025-11-12 08:23:25 +01:00
558 changed files with 73001 additions and 5472 deletions
@@ -10,13 +10,24 @@ NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
 NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
 AUTH_TRUST_HOST=true
 UI_PORT=3000
-# Temp URL for feeds need to use actual
-RSS_FEED_URL=https://prowler.com/blog/rss
 # openssl rand -base64 32
 AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
 # Google Tag Manager ID
 NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""
+# Sentry
+SENTRY_DSN=
+NEXT_PUBLIC_SENTRY_DSN=
+SENTRY_ORG=
+SENTRY_PROJECT=
+SENTRY_AUTH_TOKEN=
+SENTRY_ENVIRONMENT=production
+NEXT_PUBLIC_SENTRY_ENVIRONMENT=production

+#### Code Review Configuration ####
+# Enable Claude Code standards validation on pre-push hook
+# Set to 'true' to validate changes against AGENTS.md standards via Claude Code
+# Set to 'false' to skip validation
+CODE_REVIEW_ENABLED=true

 #### Prowler API Configuration ####
 PROWLER_API_VERSION="stable"
@@ -126,3 +137,13 @@ LANGSMITH_TRACING=false
 LANGSMITH_ENDPOINT="https://api.smith.langchain.com"
 LANGSMITH_API_KEY=""
 LANGCHAIN_PROJECT=""
+
+# RSS Feed Configuration
+# Multiple feed sources can be configured as a JSON array (must be valid JSON, no trailing commas)
+# Each source requires: id, name, type (github_releases|blog|custom), url, and enabled flag
+# IMPORTANT: Must be a single line with valid JSON (no newlines, no trailing commas)
+# Example with one source:
+RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true}]'
+# Example with multiple sources (no trailing comma after last item):
+# RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true},{"id":"prowler-blog","name":"Prowler Blog","type":"blog","url":"https://prowler.com/blog/rss","enabled":false}]'
+
@@ -8,7 +8,7 @@ body:
    attributes:
      label: Feature search
      options:
-        - label: I have searched the existing issues and this feature has not been requested yet
+        - label: I have searched the existing issues and this feature has not been requested yet or is already in our [Public Roadmap](https://roadmap.prowler.com/roadmap)
          required: true
  - type: dropdown
    id: component
@@ -0,0 +1,198 @@
+# Slack Notification Action
+
+A generic and flexible GitHub composite action for sending Slack notifications using JSON template files. Supports both standalone messages and message updates, with automatic status detection.
+
+## Features
+
+- **Template-based**: All messages use JSON template files for consistency
+- **Automatic status detection**: Pass `step-outcome` to auto-calculate success/failure
+- **Message updates**: Supports updating existing messages (using `chat.update`)
+- **Simple API**: Clean and minimal interface
+- **Reusable**: Use across all workflows and scenarios
+- **Maintainable**: Centralized message templates
+
+## Use Cases
+
+1. **Container releases**: Track push start and completion with automatic status
+2. **Deployments**: Track deployment progress with rich Block Kit formatting
+3. **Custom notifications**: Any scenario where you need to notify Slack
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `slack-bot-token` | Slack bot token for authentication | Yes | - |
+| `payload-file-path` | Path to JSON file with the Slack message payload | Yes | - |
+| `update-ts` | Message timestamp to update (leave empty for new messages) | No | `''` |
+| `step-outcome` | Step outcome for automatic status detection (sets STATUS_EMOJI and STATUS_TEXT env vars) | No | `''` |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `ts` | Timestamp of the Slack message (use for updates) |
+
+## Usage Examples
+
+### Example 1: Container Release with Automatic Status Detection
+
+Using JSON template files with automatic status detection:
+
+```yaml
+# Send start notification
+- name: Notify container push started
+  if: github.event_name == 'release'
+  uses: ./.github/actions/slack-notification
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    RELEASE_TAG: ${{ env.RELEASE_TAG }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+# Do the work
+- name: Build and push container
+  if: github.event_name == 'release'
+  id: container-push
+  uses: docker/build-push-action@...
+  with:
+    push: true
+    tags: ...
+
+# Send completion notification with automatic status detection
+- name: Notify container push completed
+  if: github.event_name == 'release' && always()
+  uses: ./.github/actions/slack-notification
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    RELEASE_TAG: ${{ env.RELEASE_TAG }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+    step-outcome: ${{ steps.container-push.outcome }}
+```
+
+**Benefits:**
+- No status calculation needed in workflow
+- Reusable template files
+- Clean and concise
+- Automatic `STATUS_EMOJI` and `STATUS_TEXT` env vars set by action
+- Consistent message format across all workflows
+
+### Example 2: Deployment with Message Update Pattern
+
+```yaml
+# Send initial deployment message
+- name: Notify deployment started
+  id: slack-start
+  uses: ./.github/actions/slack-notification
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    ENVIRONMENT: PRODUCTION
+    COMMIT_HASH: ${{ github.sha }}
+    VERSION_DEPLOYED: latest
+    GITHUB_ACTOR: ${{ github.actor }}
+    GITHUB_WORKFLOW: ${{ github.workflow }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
+
+# Run deployment
+- name: Deploy
+  id: deploy
+  run: terraform apply -auto-approve
+
+# Determine additional status variables
+- name: Determine deployment status
+  if: always()
+  id: deploy-status
+  run: |
+    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
+      echo "STATUS_COLOR=28a745" >> $GITHUB_ENV
+      echo "STATUS=Completed" >> $GITHUB_ENV
+    else
+      echo "STATUS_COLOR=fc3434" >> $GITHUB_ENV
+      echo "STATUS=Failed" >> $GITHUB_ENV
+    fi
+
+# Update the same message with final status
+- name: Update deployment notification
+  if: always()
+  uses: ./.github/actions/slack-notification
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    MESSAGE_TS: ${{ steps.slack-start.outputs.ts }}
+    COMPONENT: API
+    ENVIRONMENT: PRODUCTION
+    COMMIT_HASH: ${{ github.sha }}
+    VERSION_DEPLOYED: latest
+    GITHUB_ACTOR: ${{ github.actor }}
+    GITHUB_WORKFLOW: ${{ github.workflow }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+    STATUS: ${{ env.STATUS }}
+    STATUS_COLOR: ${{ env.STATUS_COLOR }}
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    update-ts: ${{ steps.slack-start.outputs.ts }}
+    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
+    step-outcome: ${{ steps.deploy.outcome }}
+```
+
+## Automatic Status Detection
+
+When you provide `step-outcome` input, the action automatically sets these environment variables:
+
+| Outcome | STATUS_EMOJI | STATUS_TEXT |
+|---------|--------------|-------------|
+| success | `[✓]` | `completed successfully!` |
+| failure | `[✗]` | `failed` |
+
+These variables are then available in your payload template files.
+
+## Template File Format
+
+All template files must be valid JSON and support environment variable substitution. Example:
+
+```json
+{
+  "channel": "$SLACK_CHANNEL_ID",
+  "text": "$STATUS_EMOJI $COMPONENT container release $RELEASE_TAG push $STATUS_TEXT <$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID|View run>"
+}
+```
+
+See available templates in [`.github/scripts/slack-messages/`](../../scripts/slack-messages/).
+
+## Requirements
+
+- Slack Bot Token with scopes: `chat:write`, `chat:write.public`
+- Slack Channel ID where messages will be posted
+- JSON template files for your messages
+
+## Benefits
+
+- **Consistency**: All notifications use standardized templates
+- **Automatic status handling**: No need to calculate success/failure in workflows
+- **Clean workflows**: Minimal boilerplate code
+- **Reusable templates**: One template for all components
+- **Easy to maintain**: Change template once, applies everywhere
+- **Version controlled**: All message formats in git
+
+## Related Resources
+
+- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
+- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
+- [Message templates documentation](../../scripts/slack-messages/README.md)
@@ -0,0 +1,74 @@
+name: 'Slack Notification'
+description: 'Generic action to send Slack notifications with optional message updates and automatic status detection'
+inputs:
+  slack-bot-token:
+    description: 'Slack bot token for authentication'
+    required: true
+  payload-file-path:
+    description: 'Path to JSON file with the Slack message payload'
+    required: true
+  update-ts:
+    description: 'Message timestamp to update (only for updates, leave empty for new messages)'
+    required: false
+    default: ''
+  step-outcome:
+    description: 'Outcome of a step to determine status (success/failure) - automatically sets STATUS_TEXT and STATUS_COLOR env vars'
+    required: false
+    default: ''
+outputs:
+  ts:
+    description: 'Timestamp of the Slack message'
+    value: ${{ steps.slack-notification.outputs.ts }}
+runs:
+  using: 'composite'
+  steps:
+    - name: Determine status
+      id: status
+      shell: bash
+      run: |
+        if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
+          echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
+          echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
+        elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
+          echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
+          echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
+        else
+          # No outcome provided - pending/in progress state
+          echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
+        fi
+
+    - name: Send Slack notification (new message)
+      if: inputs.update-ts == ''
+      id: slack-notification-post
+      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+      env:
+        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
+      with:
+        method: chat.postMessage
+        token: ${{ inputs.slack-bot-token }}
+        payload-file-path: ${{ inputs.payload-file-path }}
+        payload-templated: true
+        errors: true
+
+    - name: Update Slack notification
+      if: inputs.update-ts != ''
+      id: slack-notification-update
+      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+      env:
+        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
+      with:
+        method: chat.update
+        token: ${{ inputs.slack-bot-token }}
+        payload-file-path: ${{ inputs.payload-file-path }}
+        payload-templated: true
+        errors: true
+
+    - name: Set output
+      id: slack-notification
+      shell: bash
+      run: |
+        if [[ "${{ inputs.update-ts }}" == "" ]]; then
+          echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT
+        else
+          echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT
+        fi
@@ -1,4 +1,18 @@
-name: "SDK - CodeQL Config"
+name: 'SDK: CodeQL Config'
+paths:
+  - 'prowler/'
+
 paths-ignore:
-  - "api/"
-  - "ui/"
+  - 'api/'
+  - 'ui/'
+  - 'dashboard/'
+  - 'mcp_server/'
+  - 'tests/**'
+  - 'util/**'
+  - 'contrib/**'
+  - 'examples/**'
+  - 'prowler/**/__pycache__/**'
+  - 'prowler/**/*.md'
+
+queries:
+  - uses: security-and-quality
@@ -1,3 +1,17 @@
-name: "UI - CodeQL Config"
+name: 'UI: CodeQL Config'
 paths:
-  - "ui/"
+  - 'ui/'
+
+paths-ignore:
+  - 'ui/node_modules/**'
+  - 'ui/.next/**'
+  - 'ui/out/**'
+  - 'ui/tests/**'
+  - 'ui/**/*.test.ts'
+  - 'ui/**/*.test.tsx'
+  - 'ui/**/*.spec.ts'
+  - 'ui/**/*.spec.tsx'
+  - 'ui/**/*.md'
+
+queries:
+  - uses: security-and-quality
@@ -22,6 +22,13 @@ Please add a detailed description of how to review this PR.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.

+#### UI
+- [ ] All issue/task requirements work as expected on the UI
+- [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
+- [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
+- [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
+- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.
+
 #### API
 - [ ] Verify if API specs need to be regenerated.
 - [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
@@ -0,0 +1,462 @@
+# Slack Message Templates
+
+This directory contains reusable message templates for Slack notifications sent from GitHub Actions workflows.
+
+## Usage
+
+These JSON templates are used with the `slackapi/slack-github-action` using the Slack API method (`chat.postMessage` and `chat.update`). All templates support rich Block Kit formatting and message updates.
+
+### Available Templates
+
+**Container Releases**
+- `container-release-started.json`: Simple one-line notification when container push starts
+- `container-release-completed.json`: Simple one-line notification when container release completes
+
+**Deployments**
+- `deployment-started.json`: Deployment start notification with Block Kit formatting
+- `deployment-completed.json`: Deployment completion notification (updates the start message)
+
+All templates use the Slack API method and require a Slack Bot Token.
+
+## Setup Requirements
+
+1. Create a Slack App (or use existing)
+2. Add Bot Token Scopes: `chat:write`, `chat:write.public`
+3. Install the app to your workspace
+4. Get the Bot Token from OAuth & Permissions page
+5. Add secrets:
+   - `SLACK_BOT_TOKEN`: Your bot token
+   - `SLACK_CHANNEL_ID`: The channel ID where messages will be posted
+
+Reference: [Sending data using a Slack API method](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
+
+## Environment Variables
+
+### Required Secrets (GitHub Secrets)
+- `SLACK_BOT_TOKEN`: Passed as `token` parameter to the action (not as env variable)
+- `SLACK_CHANNEL_ID`: Used in payload as env variable
+
+### Container Release Variables (configured as env)
+- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
+- `RELEASE_TAG` / `PROWLER_VERSION`: The release tag or version being deployed
+- `GITHUB_SERVER_URL`: Provided by GitHub context
+- `GITHUB_REPOSITORY`: Provided by GitHub context
+- `GITHUB_RUN_ID`: Provided by GitHub context
+- `STATUS_EMOJI`: Status symbol (calculated: `[✓]` for success, `[✗]` for failure)
+- `STATUS_TEXT`: Status text (calculated: "completed successfully!" or "failed")
+
+### Deployment Variables (configured as env)
+- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
+- `ENVIRONMENT`: Environment name (e.g., "DEVELOPMENT", "PRODUCTION")
+- `COMMIT_HASH`: Commit hash being deployed
+- `VERSION_DEPLOYED`: Version being deployed
+- `GITHUB_ACTOR`: User who triggered the workflow
+- `GITHUB_WORKFLOW`: Workflow name
+- `GITHUB_SERVER_URL`: Provided by GitHub context
+- `GITHUB_REPOSITORY`: Provided by GitHub context
+- `GITHUB_RUN_ID`: Provided by GitHub context
+
+All other variables (MESSAGE_TS, STATUS, STATUS_COLOR, STATUS_EMOJI, etc.) are calculated internally within the workflow and should NOT be configured as environment variables.
+
+## Example Workflow Usage
+
+### Using the Generic Slack Notification Action (Recommended)
+
+**Recommended approach**: Use the generic reusable action `.github/actions/slack-notification` which provides maximum flexibility:
+
+#### Example 1: Container Release (Start + Completion)
+
+```yaml
+# Send start notification
+- name: Notify container push started
+  if: github.event_name == 'release'
+  uses: ./.github/actions/slack-notification
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload: |
+      {
+        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
+        "text": "API container release ${{ env.RELEASE_TAG }} push started... <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
+      }
+
+# Build and push container
+- name: Build and push container
+  if: github.event_name == 'release'
+  id: container-push
+  uses: docker/build-push-action@...
+  with:
+    push: true
+    tags: ...
+
+# Calculate status
+- name: Determine push status
+  if: github.event_name == 'release' && always()
+  id: push-status
+  run: |
+    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
+      echo "emoji=[✓]" >> $GITHUB_OUTPUT
+      echo "text=completed successfully!" >> $GITHUB_OUTPUT
+    else
+      echo "emoji=[✗]" >> $GITHUB_OUTPUT
+      echo "text=failed" >> $GITHUB_OUTPUT
+    fi
+
+# Send completion notification
+- name: Notify container push completed
+  if: github.event_name == 'release' && always()
+  uses: ./.github/actions/slack-notification
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload: |
+      {
+        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
+        "text": "${{ steps.push-status.outputs.emoji }} API container release ${{ env.RELEASE_TAG }} push ${{ steps.push-status.outputs.text }} <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
+      }
+```
+
+#### Example 2: Simple One-Time Message
+
+```yaml
+- name: Send notification
+  uses: ./.github/actions/slack-notification
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload: |
+      {
+        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
+        "text": "Deployment completed successfully!"
+      }
+```
+
+#### Example 3: Deployment with Message Update Pattern
+
+```yaml
+# Send initial deployment message
+- name: Notify deployment started
+  id: slack-start
+  uses: ./.github/actions/slack-notification
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload: |
+      {
+        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
+        "text": "API deployment to PRODUCTION started",
+        "attachments": [
+          {
+            "color": "dbab09",
+            "blocks": [
+              {
+                "type": "header",
+                "text": {
+                  "type": "plain_text",
+                  "text": "API | Deployment to PRODUCTION"
+                }
+              },
+              {
+                "type": "section",
+                "fields": [
+                  {
+                    "type": "mrkdwn",
+                    "text": "*Status:*\nIn Progress"
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+
+# Run deployment
+- name: Deploy
+  id: deploy
+  run: terraform apply -auto-approve
+
+# Calculate status
+- name: Determine status
+  if: always()
+  id: status
+  run: |
+    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
+      echo "color=28a745" >> $GITHUB_OUTPUT
+      echo "emoji=[✓]" >> $GITHUB_OUTPUT
+      echo "status=Completed" >> $GITHUB_OUTPUT
+    else
+      echo "color=fc3434" >> $GITHUB_OUTPUT
+      echo "emoji=[✗]" >> $GITHUB_OUTPUT
+      echo "status=Failed" >> $GITHUB_OUTPUT
+    fi
+
+# Update the same message with final status
+- name: Update deployment notification
+  if: always()
+  uses: ./.github/actions/slack-notification
+  with:
+    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+    update-ts: ${{ steps.slack-start.outputs.ts }}
+    payload: |
+      {
+        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
+        "ts": "${{ steps.slack-start.outputs.ts }}",
+        "text": "${{ steps.status.outputs.emoji }} API deployment to PRODUCTION ${{ steps.status.outputs.status }}",
+        "attachments": [
+          {
+            "color": "${{ steps.status.outputs.color }}",
+            "blocks": [
+              {
+                "type": "header",
+                "text": {
+                  "type": "plain_text",
+                  "text": "API | Deployment to PRODUCTION"
+                }
+              },
+              {
+                "type": "section",
+                "fields": [
+                  {
+                    "type": "mrkdwn",
+                    "text": "*Status:*\n${{ steps.status.outputs.emoji }} ${{ steps.status.outputs.status }}"
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+```
+
+**Benefits of using the generic action:**
+- Maximum flexibility: Build any payload you need directly in the workflow
+- No template files needed: Everything inline
+- Supports all scenarios: one-time messages, start/update patterns, rich Block Kit
+- Easy to customize per use case
+- Generic: Works for containers, deployments, or any notification type
+
+For more details, see [Slack Notification Action](../../actions/slack-notification/README.md).
+
+### Using Message Templates (Alternative Approach)
+
+Simple one-line notifications for container releases:
+
+```yaml
+# Step 1: Notify when push starts
+- name: Notify container push started
+  if: github.event_name == 'release'
+  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    RELEASE_TAG: ${{ env.RELEASE_TAG }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+  with:
+    method: chat.postMessage
+    token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+# Step 2: Build and push container
+- name: Build and push container
+  id: container-push
+  uses: docker/build-push-action@...
+  with:
+    push: true
+    tags: ...
+
+# Step 3: Determine push status
+- name: Determine push status
+  if: github.event_name == 'release' && always()
+  id: push-status
+  run: |
+    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
+      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
+      echo "status-text=completed successfully!" >> $GITHUB_OUTPUT
+    else
+      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
+      echo "status-text=failed" >> $GITHUB_OUTPUT
+    fi
+
+# Step 4: Notify when push completes (success or failure)
+- name: Notify container push completed
+  if: github.event_name == 'release' && always()
+  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    RELEASE_TAG: ${{ env.RELEASE_TAG }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+    STATUS_EMOJI: ${{ steps.push-status.outputs.status-emoji }}
+    STATUS_TEXT: ${{ steps.push-status.outputs.status-text }}
+  with:
+    method: chat.postMessage
+    token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+```
+
+### Deployment with Update Pattern
+
+For deployments that start with one message and update it with the final status:
+
+```yaml
+# Step 1: Send deployment start notification
+- name: Notify Deployment Start
+  id: slack-notification-start
+  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    COMPONENT: API
+    ENVIRONMENT: PRODUCTION
+    COMMIT_HASH: ${{ github.sha }}
+    VERSION_DEPLOYED: latest
+    GITHUB_ACTOR: ${{ github.actor }}
+    GITHUB_WORKFLOW: ${{ github.workflow }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+  with:
+    method: chat.postMessage
+    token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
+
+# Step 2: Run your deployment steps
+- name: Terraform Plan
+  id: terraform-plan
+  run: terraform plan
+
+- name: Terraform Apply
+  id: terraform-apply
+  run: terraform apply -auto-approve
+
+# Step 3: Determine status (calculated internally, not configured)
+- name: Determine Status
+  if: always()
+  id: determine-status
+  run: |
+    if [[ "${{ steps.terraform-apply.outcome }}" == "success" ]]; then
+      echo "status=Completed" >> $GITHUB_OUTPUT
+      echo "status-color=28a745" >> $GITHUB_OUTPUT
+      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
+      echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
+      echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
+    elif [[ "${{ steps.terraform-plan.outcome }}" == "failure" || "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
+      echo "status=Failed" >> $GITHUB_OUTPUT
+      echo "status-color=fc3434" >> $GITHUB_OUTPUT
+      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
+      if [[ "${{ steps.terraform-plan.outcome }}" == "failure" ]]; then
+        echo "plan-emoji=[✗]" >> $GITHUB_OUTPUT
+      else
+        echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
+      fi
+      if [[ "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
+        echo "apply-emoji=[✗]" >> $GITHUB_OUTPUT
+      else
+        echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
+      fi
+    else
+      echo "status=Failed" >> $GITHUB_OUTPUT
+      echo "status-color=fc3434" >> $GITHUB_OUTPUT
+      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
+      echo "plan-emoji=[?]" >> $GITHUB_OUTPUT
+      echo "apply-emoji=[?]" >> $GITHUB_OUTPUT
+    fi
+
+# Step 4: Update the same Slack message (using calculated values)
+- name: Notify Deployment Result
+  if: always()
+  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+  env:
+    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+    MESSAGE_TS: ${{ steps.slack-notification-start.outputs.ts }}
+    COMPONENT: API
+    ENVIRONMENT: PRODUCTION
+    COMMIT_HASH: ${{ github.sha }}
+    VERSION_DEPLOYED: latest
+    GITHUB_ACTOR: ${{ github.actor }}
+    GITHUB_WORKFLOW: ${{ github.workflow }}
+    GITHUB_SERVER_URL: ${{ github.server_url }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    GITHUB_RUN_ID: ${{ github.run_id }}
+    STATUS: ${{ steps.determine-status.outputs.status }}
+    STATUS_COLOR: ${{ steps.determine-status.outputs.status-color }}
+    STATUS_EMOJI: ${{ steps.determine-status.outputs.status-emoji }}
+    PLAN_EMOJI: ${{ steps.determine-status.outputs.plan-emoji }}
+    APPLY_EMOJI: ${{ steps.determine-status.outputs.apply-emoji }}
+    TERRAFORM_PLAN_OUTCOME: ${{ steps.terraform-plan.outcome }}
+    TERRAFORM_APPLY_OUTCOME: ${{ steps.terraform-apply.outcome }}
+  with:
+    method: chat.update
+    token: ${{ secrets.SLACK_BOT_TOKEN }}
+    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
+```
+
+**Note**: Variables like `STATUS`, `STATUS_COLOR`, `STATUS_EMOJI`, `PLAN_EMOJI`, `APPLY_EMOJI` are calculated by the `determine-status` step based on the outcomes of previous steps. They should NOT be manually configured.
+
+## Key Features
+
+### Benefits of Using Slack API Method
+
+- **Rich Block Kit Formatting**: Full support for Slack's Block Kit including headers, sections, fields, colors, and attachments
+- **Message Updates**: Update the same message instead of posting multiple messages (using `chat.update` with `ts`)
+- **Consistent Experience**: Same look and feel as Prowler Cloud notifications
+- **Flexible**: Easy to customize message appearance by editing JSON templates
+
+### Differences from Webhook Method
+
+| Feature | webhook-trigger | Slack API (chat.postMessage) |
+|---------|-----------------|------------------------------|
+| Setup | Workflow Builder webhook | Slack Bot Token + Channel ID |
+| Formatting | Plain text/simple | Full Block Kit support |
+| Message Update | No | Yes (with chat.update) |
+| Authentication | Webhook URL | Bot Token |
+| Scopes Required | None | chat:write, chat:write.public |
+
+## Message Appearance
+
+### Container Release (Simple One-Line)
+
+**Start message:**
+```
+API container release 4.5.0 push started... View run
+```
+
+**Completion message (success):**
+```
+[✓] API container release 4.5.0 push completed successfully! View run
+```
+
+**Completion message (failure):**
+```
+[✗] API container release 4.5.0 push failed View run
+```
+
+All messages are simple one-liners with a clickable "View run" link. The completion message adapts to show success `[✓]` or failure `[✗]` based on the outcome of the container push.
+
+### Deployment Start
+- Header: Component and environment
+- Yellow bar (color: `dbab09`)
+- Status: In Progress
+- Details: Commit, version, actor, workflow
+- Link: Direct link to deployment run
+
+### Deployment Completion
+- Header: Component and environment
+- Green bar for success (color: `28a745`) / Red bar for failure (color: `fc3434`)
+- Status: [✓] Completed or [✗] Failed
+- Details: All deployment info plus terraform outcomes
+- Link: Direct link to deployment run
+
+## Adding New Templates
+
+1. Create a new JSON file with Block Kit structure
+2. Use environment variable placeholders (e.g., `$VAR_NAME`)
+3. Include `channel` and `text` fields (required)
+4. Add `blocks` or `attachments` for rich formatting
+5. For update templates, include `ts` field as `$MESSAGE_TS`
+6. Document the template in this README
+7. Reference it in your workflow using `payload-file-path`
+
+## Reference
+
+- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
+- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
@@ -0,0 +1,17 @@
+{
+  "channel": "${{ env.SLACK_CHANNEL_ID }}",
+  "attachments": [
+    {
+      "color": "${{ env.STATUS_COLOR }}",
+      "blocks": [
+        {
+          "type": "section",
+          "text": {
+            "type": "mrkdwn",
+            "text": "*Status:*\n${{ env.STATUS_TEXT }}\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push ${{ env.STATUS_TEXT }}\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
+          }
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,17 @@
+{
+  "channel": "${{ env.SLACK_CHANNEL_ID }}",
+  "attachments": [
+    {
+      "color": "${{ env.STATUS_COLOR }}",
+      "blocks": [
+        {
+          "type": "section",
+          "text": {
+            "type": "mrkdwn",
+            "text": "*Status:*\nStarted\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push started...\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
+          }
+        }
+      ]
+    }
+  ]
+}
@@ -1,115 +0,0 @@
-name: API - Build and Push containers
-
-on:
-  push:
-    branches:
-      - "master"
-    paths:
-      - "api/**"
-      - "prowler/**"
-      - ".github/workflows/api-build-lint-push-containers.yml"
-
-  # Uncomment the code below to test this action on PRs
-  # pull_request:
-  #   branches:
-  #     - "master"
-  #   paths:
-  #     - "api/**"
-  #     - ".github/workflows/api-build-lint-push-containers.yml"
-
-  release:
-    types: [published]
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  STABLE_TAG: stable
-
-  WORKING_DIRECTORY: ./api
-
-  # Container Registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
-
-jobs:
-  repository-check:
-    name: Repository check
-    runs-on: ubuntu-latest
-    outputs:
-      is_repo: ${{ steps.repository_check.outputs.is_repo }}
-    steps:
-      - name: Repository check
-        id: repository_check
-        working-directory: /tmp
-        run: |
-          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
-          then
-            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "This action only runs for prowler-cloud/prowler"
-            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-  # Build Prowler OSS container
-  container-build-push:
-    needs: repository-check
-    if: needs.repository-check.outputs.is_repo == 'true'
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Set short git commit SHA
-        id: vars
-        run: |
-          shortSha=$(git rev-parse --short ${{ github.sha }})
-          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push container image (latest)
-        # Comment the following line for testing
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          # Set push: false for testing
-          push: true
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Build and push container image (release)
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          push: true
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Trigger deployment
-        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: prowler-api-deploy
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'
@@ -45,12 +45,12 @@ jobs:
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          category: '/language:${{ matrix.language }}'
@@ -0,0 +1,135 @@
+name: 'API: Container Build and Push'
+
+on:
+  push:
+    branches:
+      - 'master'
+    paths:
+      - 'api/**'
+      - 'prowler/**'
+      - '.github/workflows/api-build-lint-push-containers.yml'
+  release:
+    types:
+      - 'published'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+  WORKING_DIRECTORY: ./api
+
+  # Container registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
+
+jobs:
+  setup:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
+    steps:
+      - name: Calculate short SHA
+        id: set-short-sha
+        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
+  container-build-push:
+    needs: setup
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push API container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: API
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push API container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: API
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+          step-outcome: ${{ steps.container-push.outcome }}
+
+  trigger-deployment:
+    if: github.event_name == 'push'
+    needs: [setup, container-build-push]
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
+    steps:
+      - name: Trigger API deployment
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: api-prowler-deployment
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'
@@ -7,8 +7,6 @@ on:
    types:
      - 'labeled'
      - 'closed'
-    paths:
-      - '.github/workflows/backport.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -40,7 +38,7 @@ jobs:

      - name: Backport PR
        if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@ad888e978060bc1b2798690dd9d03c4036560947 # v9.5.1
+        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
        with:
          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}
@@ -26,6 +26,6 @@ jobs:

    steps:
      - name: Check PR title format
-        uses: agenthunt/conventional-commit-checker-action@9e552d650d0e205553ec7792d447929fc78e012b # v2.0.0
+        uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
        with:
          pr-title-regex: '^(feat|fix|docs|style|refactor|perf|test|chore|build|ci|revert)(\([^)]+\))?!?: .+'
@@ -28,6 +28,6 @@ jobs:
          fetch-depth: 0

      - name: Scan for secrets with TruffleHog
-        uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 # v3.90.11
+        uses: trufflesecurity/trufflehog@b84c3d14d189e16da175e2c27fa8136603783ffc # v3.90.12
        with:
          extra_args: '--results=verified,unknown'
@@ -27,3 +27,66 @@ jobs:
        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          sync-labels: true
+
+  label-community:
+    name: Add 'community' label if the PR is from a community contributor
+    needs: labeler
+    if: github.repository == 'prowler-cloud/prowler' && github.event.action == 'opened'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Check if author is org member
+        id: check_membership
+        env:
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+        run: |
+          # Hardcoded list of prowler-cloud organization members
+          # This list includes members who have set their organization membership as private
+          ORG_MEMBERS=(
+            "AdriiiPRodri"
+            "Alan-TheGentleman"
+            "alejandrobailo"
+            "amitsharm"
+            "andoniaf"
+            "cesararroba"
+            "Chan9390"
+            "danibarranqueroo"
+            "HugoPBrito"
+            "jfagoagas"
+            "josemazo"
+            "lydiavilchez"
+            "mmuller88"
+            "MrCloudSec"
+            "pedrooot"
+            "prowler-bot"
+            "puchy22"
+            "rakan-pro"
+            "RosaRivasProwler"
+            "StylusFrost"
+            "toniblyx"
+            "vicferpoy"
+          )
+
+          echo "Checking if $AUTHOR is a member of prowler-cloud organization"
+
+          # Check if author is in the org members list
+          if printf '%s\n' "${ORG_MEMBERS[@]}" | grep -q "^${AUTHOR}$"; then
+            echo "is_member=true" >> $GITHUB_OUTPUT
+            echo "$AUTHOR is an organization member"
+          else
+            echo "is_member=false" >> $GITHUB_OUTPUT
+            echo "$AUTHOR is not an organization member"
+          fi
+
+      - name: Add community label
+        if: steps.check_membership.outputs.is_member == 'false'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Adding 'community' label to PR #$PR_NUMBER"
+          gh api /repos/${{ github.repository }}/issues/${{ github.event.number }}/labels \
+            -X POST \
+            -f labels[]='community'
@@ -16,7 +16,7 @@ permissions:

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  # Tags
@@ -80,8 +80,23 @@ jobs:
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: MCP
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
      - name: Build and push MCP container (release)
        if: github.event_name == 'release'
+        id: container-push
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
@@ -100,8 +115,31 @@ jobs:
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: MCP
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+          step-outcome: ${{ steps.container-push.outcome }}
+
+  trigger-deployment:
+    if: github.event_name == 'push'
+    needs: [setup, container-build-push]
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
+    steps:
      - name: Trigger MCP deployment
-        if: github.event_name == 'push'
        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -83,7 +83,7 @@ jobs:

      - name: Update PR comment with changelog status
        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
@@ -97,7 +97,7 @@ jobs:
          body-includes: '<!-- conflict-checker-comment -->'

      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
@@ -47,7 +47,7 @@ jobs:
        git config --global user.name 'prowler-bot'
        git config --global user.email '179230569+prowler-bot@users.noreply.github.com'

-    - name: Parse version and read changelogs
+    - name: Parse version and determine branch
      run: |
        # Validate version format (reusing pattern from sdk-bump-version.yml)
        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
@@ -64,66 +64,83 @@ jobs:
          BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"

-          # Function to extract the latest version from changelog
-          extract_latest_version() {
-            local changelog_file="$1"
-            if [ -f "$changelog_file" ]; then
-              # Extract the first version entry (most recent) from changelog
-              # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
-              local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
-              echo "$version"
-            else
-              echo ""
-            fi
-          }
-
-          # Read actual versions from changelogs (source of truth)
-          UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
-          API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
-          SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
-          MCP_VERSION=$(extract_latest_version "mcp_server/CHANGELOG.md")
-
-          echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
-          echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
-          echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
-          echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
-
-          if [ -n "$UI_VERSION" ]; then
-            echo "Read UI version from changelog: $UI_VERSION"
-          else
-            echo "Warning: No UI version found in ui/CHANGELOG.md"
-          fi
-
-          if [ -n "$API_VERSION" ]; then
-            echo "Read API version from changelog: $API_VERSION"
-          else
-            echo "Warning: No API version found in api/CHANGELOG.md"
-          fi
-
-          if [ -n "$SDK_VERSION" ]; then
-            echo "Read SDK version from changelog: $SDK_VERSION"
-          else
-            echo "Warning: No SDK version found in prowler/CHANGELOG.md"
-          fi
-
-          if [ -n "$MCP_VERSION" ]; then
-            echo "Read MCP version from changelog: $MCP_VERSION"
-          else
-            echo "Warning: No MCP version found in mcp_server/CHANGELOG.md"
-          fi
-
          echo "Prowler version: $PROWLER_VERSION"
          echo "Branch name: $BRANCH_NAME"
-          echo "UI version: $UI_VERSION"
-          echo "API version: $API_VERSION"
-          echo "SDK version: $SDK_VERSION"
-          echo "MCP version: $MCP_VERSION"
          echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
        else
          echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
          exit 1
        fi

+    - name: Checkout release branch
+      run: |
+        echo "Checking out branch $BRANCH_NAME for release $PROWLER_VERSION..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists locally, checking out..."
+          git checkout "$BRANCH_NAME"
+        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME does not exist. For minor releases (X.Y.0), create it manually first. For patch releases (X.Y.Z), the branch should already exist."
+          exit 1
+        fi
+
+    - name: Read changelog versions from release branch
+      run: |
+        # Function to extract the latest version from changelog
+        extract_latest_version() {
+          local changelog_file="$1"
+          if [ -f "$changelog_file" ]; then
+            # Extract the first version entry (most recent) from changelog
+            # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
+            local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
+            echo "$version"
+          else
+            echo ""
+          fi
+        }
+
+        # Read actual versions from changelogs (source of truth)
+        UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
+        API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
+        SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
+        MCP_VERSION=$(extract_latest_version "mcp_server/CHANGELOG.md")
+
+        echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
+        echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
+
+        if [ -n "$UI_VERSION" ]; then
+          echo "Read UI version from changelog: $UI_VERSION"
+        else
+          echo "Warning: No UI version found in ui/CHANGELOG.md"
+        fi
+
+        if [ -n "$API_VERSION" ]; then
+          echo "Read API version from changelog: $API_VERSION"
+        else
+          echo "Warning: No API version found in api/CHANGELOG.md"
+        fi
+
+        if [ -n "$SDK_VERSION" ]; then
+          echo "Read SDK version from changelog: $SDK_VERSION"
+        else
+          echo "Warning: No SDK version found in prowler/CHANGELOG.md"
+        fi
+
+        if [ -n "$MCP_VERSION" ]; then
+          echo "Read MCP version from changelog: $MCP_VERSION"
+        else
+          echo "Warning: No MCP version found in mcp_server/CHANGELOG.md"
+        fi
+
+        echo "UI version: $UI_VERSION"
+        echo "API version: $API_VERSION"
+        echo "SDK version: $SDK_VERSION"
+        echo "MCP version: $MCP_VERSION"
+
    - name: Extract and combine changelog entries
      run: |
        set -e
@@ -150,8 +167,8 @@ jobs:
          # Remove --- separators
          sed -i '/^---$/d' "$output_file"

-          # Remove trailing empty lines
-          sed -i '/^$/d' "$output_file"
+          # Remove only trailing empty lines (not all empty lines)
+          sed -i -e :a -e '/^\s*$/d;N;ba' "$output_file"
        }

        # Calculate expected versions for this release
@@ -247,24 +264,14 @@ jobs:
          echo "" >> combined_changelog.md
        fi

+        # Add fallback message if no changelogs were added
+        if [ ! -s combined_changelog.md ]; then
+          echo "No component changes detected for this release." >> combined_changelog.md
+        fi
+
        echo "Combined changelog preview:"
        cat combined_changelog.md

-    - name: Checkout release branch for patch release
-      if: ${{ env.PATCH_VERSION != '0' }}
-      run: |
-        echo "Patch release detected, checking out existing branch $BRANCH_NAME..."
-        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists locally, checking out..."
-          git checkout "$BRANCH_NAME"
-        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists remotely, checking out..."
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-        else
-          echo "ERROR: Branch $BRANCH_NAME should exist for patch release $PROWLER_VERSION"
-          exit 1
-        fi
-
    - name: Verify SDK version in pyproject.toml
      run: |
        CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
@@ -318,31 +325,12 @@ jobs:
        fi
        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"

-    - name: Checkout release branch for minor release
-      if: ${{ env.PATCH_VERSION == '0' }}
-      run: |
-        echo "Minor release detected (patch = 0), checking out existing branch $BRANCH_NAME..."
-        if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists remotely, checking out..."
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-        else
-          echo "ERROR: Branch $BRANCH_NAME should exist for minor release $PROWLER_VERSION. Please create it manually first."
-          exit 1
-        fi
-
    - name: Update API prowler dependency for minor release
      if: ${{ env.PATCH_VERSION == '0' }}
      run: |
        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')

-        # Create a temporary branch for the PR from the minor version branch
-        TEMP_BRANCH="update-api-dependency-$BRANCH_NAME_TRIMMED-$(date +%s)"
-        echo "TEMP_BRANCH=$TEMP_BRANCH" >> $GITHUB_ENV
-
-        # Create temp branch from the current minor version branch
-        git checkout -b "$TEMP_BRANCH"
-
        # Minor release: update the dependency to use the release branch
        echo "Updating prowler dependency from '$CURRENT_PROWLER_REF' to '$BRANCH_NAME_TRIMMED'"
        sed -i "s|prowler @ git+https://github.com/prowler-cloud/prowler.git@[^\"]*\"|prowler @ git+https://github.com/prowler-cloud/prowler.git@$BRANCH_NAME_TRIMMED\"|" api/pyproject.toml
@@ -360,11 +348,6 @@ jobs:
        poetry lock
        cd ..

-        # Commit and push the temporary branch
-        git add api/pyproject.toml api/poetry.lock
-        git commit -m "chore(api): update prowler dependency to $BRANCH_NAME_TRIMMED for release $PROWLER_VERSION"
-        git push origin "$TEMP_BRANCH"
-
        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"

    - name: Create PR for API dependency update
@@ -372,8 +355,12 @@ jobs:
      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-        branch: ${{ env.TEMP_BRANCH }}
+        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
+        branch: update-api-dependency-${{ env.BRANCH_NAME }}-${{ github.run_number }}
        base: ${{ env.BRANCH_NAME }}
+        add-paths: |
+          api/pyproject.toml
+          api/poetry.lock
        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
        body: |
          ### Description
@@ -395,7 +382,7 @@ jobs:
          no-changelog

    - name: Create draft release
-      uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
+      uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
      with:
        tag_name: ${{ env.PROWLER_VERSION }}
        name: Prowler ${{ env.PROWLER_VERSION }}
@@ -406,5 +393,6 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Clean up temporary files
+      if: always()
      run: |
        rm -f prowler_changelog.md api_changelog.md ui_changelog.md mcp_changelog.md combined_changelog.md
@@ -1,202 +0,0 @@
-name: SDK - Build and Push containers
-
-on:
-  push:
-    branches:
-      # For `v3-latest`
-      - "v3"
-      # For `v4-latest`
-      - "v4.6"
-      # For `latest`
-      - "master"
-    paths-ignore:
-      - ".github/**"
-      - "README.md"
-      - "docs/**"
-      - "ui/**"
-      - "api/**"
-
-  release:
-    types: [published]
-
-env:
-  # AWS Configuration
-  AWS_REGION_STG: eu-west-1
-  AWS_REGION_PLATFORM: eu-west-1
-  AWS_REGION: us-east-1
-
-  # Container's configuration
-  IMAGE_NAME: prowler
-  DOCKERFILE_PATH: ./Dockerfile
-
-  # Tags
-  LATEST_TAG: latest
-  STABLE_TAG: stable
-  # The RELEASE_TAG is set during runtime in releases
-  RELEASE_TAG: ""
-  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
-  PROWLER_VERSION: ""
-  PROWLER_VERSION_MAJOR: ""
-  # TEMPORARY_TAG: temporary
-
-  # Python configuration
-  PYTHON_VERSION: 3.12
-
-  # Container Registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
-
-jobs:
-  # Build Prowler OSS container
-  container-build-push:
-    # needs: dockerfile-linter
-    runs-on: ubuntu-latest
-    outputs:
-      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
-      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
-    env:
-      POETRY_VIRTUALENVS_CREATE: "false"
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install Poetry
-        run: |
-          pipx install poetry==2.*
-          pipx inject poetry poetry-bumpversion
-
-      - name: Get Prowler version
-        id: get-prowler-version
-        run: |
-          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Store prowler version major just for the release
-          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
-          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
-
-          case ${PROWLER_VERSION_MAJOR} in
-          3)
-              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
-              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
-              ;;
-
-
-          4)
-              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
-              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
-              ;;
-
-          5)
-              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
-              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
-              ;;
-
-          *)
-              # Fallback if any other version is present
-              echo "Releasing another Prowler major version, aborting..."
-              exit 1
-              ;;
-          esac
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push container image (latest)
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          push: true
-          tags: |
-            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
-          file: ${{ env.DOCKERFILE_PATH }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Build and push container image (release)
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          # Use local context to get changes
-          # https://github.com/docker/build-push-action#path-context
-          context: .
-          push: true
-          tags: |
-            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
-            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
-            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
-          file: ${{ env.DOCKERFILE_PATH }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-#      - name: Push README to Docker Hub (toniblyx)
-#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
-#        with:
-#          username: ${{ secrets.DOCKERHUB_USERNAME }}
-#          password: ${{ secrets.DOCKERHUB_TOKEN }}
-#          repository: ${{ env.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}
-#          readme-filepath: ./README.md
-#
-#      - name: Push README to Docker Hub (prowlercloud)
-#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
-#        with:
-#          username: ${{ secrets.DOCKERHUB_USERNAME }}
-#          password: ${{ secrets.DOCKERHUB_TOKEN }}
-#          repository: ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}
-#          readme-filepath: ./README.md
-
-  dispatch-action:
-    needs: container-build-push
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get latest commit info (latest)
-        if: github.event_name == 'push'
-        run: |
-          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
-          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
-
-      - name: Dispatch event (latest)
-        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
-        run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
-
-      - name: Dispatch event (release)
-        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
-        run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
@@ -1,146 +1,218 @@
-name: SDK - Bump Version
+name: 'SDK: Bump Version'

 on:
  release:
-    types: [published]
+    types:
+      - 'published'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false

 env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

 jobs:
-  bump-version:
-    name: Bump Version
+  detect-release-type:
    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Get Prowler version
-        shell: bash
+      - name: Detect release type and parse version
+        id: detect
        run: |
          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
            MAJOR_VERSION=${BASH_REMATCH[1]}
            MINOR_VERSION=${BASH_REMATCH[2]}
-            FIX_VERSION=${BASH_REMATCH[3]}
+            PATCH_VERSION=${BASH_REMATCH[3]}

-            # Export version components to GitHub environment
-            echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
-            echo "MINOR_VERSION=${MINOR_VERSION}" >> "${GITHUB_ENV}"
-            echo "FIX_VERSION=${FIX_VERSION}" >> "${GITHUB_ENV}"
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"

-            if (( MAJOR_VERSION == 5 )); then
-                if (( FIX_VERSION == 0 )); then
-                  echo "Minor Release: $PROWLER_VERSION"
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi

-                  # Set up next minor version for master
-                  BUMP_VERSION_TO=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).${FIX_VERSION}
-                  echo "BUMP_VERSION_TO=${BUMP_VERSION_TO}" >> "${GITHUB_ENV}"
-
-                  TARGET_BRANCH=${BASE_BRANCH}
-                  echo "TARGET_BRANCH=${TARGET_BRANCH}" >> "${GITHUB_ENV}"
-
-                  # Set up patch version for version branch
-                  PATCH_VERSION_TO=${MAJOR_VERSION}.${MINOR_VERSION}.1
-                  echo "PATCH_VERSION_TO=${PATCH_VERSION_TO}" >> "${GITHUB_ENV}"
-
-                  VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-                  echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-                  echo "Bumping to next minor version: ${BUMP_VERSION_TO} in branch ${TARGET_BRANCH}"
-                  echo "Bumping to next patch version: ${PATCH_VERSION_TO} in branch ${VERSION_BRANCH}"
-                else
-                  echo "Patch Release: $PROWLER_VERSION"
-
-                  BUMP_VERSION_TO=${MAJOR_VERSION}.${MINOR_VERSION}.$((FIX_VERSION + 1))
-                  echo "BUMP_VERSION_TO=${BUMP_VERSION_TO}" >> "${GITHUB_ENV}"
-
-                  TARGET_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-                  echo "TARGET_BRANCH=${TARGET_BRANCH}" >> "${GITHUB_ENV}"
-
-                  echo "Bumping to next patch version: ${BUMP_VERSION_TO} in branch ${TARGET_BRANCH}"
-                fi
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
            else
-                echo "Releasing another Prowler major version, aborting..."
-                exit 1
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
            fi
          else
-            echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
            exit 1
          fi

-      - name: Bump versions in files
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Calculate next minor version
        run: |
-            echo "Using PROWLER_VERSION=$PROWLER_VERSION"
-            echo "Using BUMP_VERSION_TO=$BUMP_VERSION_TO"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

-            set -e
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"

-            echo "Bumping version in pyproject.toml ..."
-            sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${BUMP_VERSION_TO}\"|" pyproject.toml
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"

-            echo "Bumping version in prowler/config/config.py ..."
-            sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${BUMP_VERSION_TO}\"|" prowler/config/config.py
+      - name: Bump versions in files for master
+        run: |
+          set -e

-            echo "Bumping version in .env ..."
-            sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${BUMP_VERSION_TO}|" .env
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env

-            git --no-pager diff
+          echo "Files modified:"
+          git --no-pager diff

-      - name: Create Pull Request
+      - name: Create PR for next minor version to master
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
-            author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-            token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-            base: ${{ env.TARGET_BRANCH }}
-            commit-message: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
-            branch: "version-bump-to-v${{ env.BUMP_VERSION_TO }}"
-            title: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
-            labels: no-changelog
-            body: |
-              ### Description
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog
+          body: |
+            ### Description

-              Bump Prowler version to v${{ env.BUMP_VERSION_TO }}
+            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.

-              ### License
+            ### License

-              By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

-      - name: Handle patch version for minor release
-        if: env.FIX_VERSION == '0'
+      - name: Checkout version branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Calculate first patch version
        run: |
-            echo "Using PROWLER_VERSION=$PROWLER_VERSION"
-            echo "Using PATCH_VERSION_TO=$PATCH_VERSION_TO"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

-            set -e
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}

-            echo "Bumping version in pyproject.toml ..."
-            sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${PATCH_VERSION_TO}\"|" pyproject.toml
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"

-            echo "Bumping version in prowler/config/config.py ..."
-            sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${PATCH_VERSION_TO}\"|" prowler/config/config.py
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"

-            echo "Bumping version in .env ..."
-            sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PATCH_VERSION_TO}|" .env
+      - name: Bump versions in files for version branch
+        run: |
+          set -e

-            git --no-pager diff
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env

-      - name: Create Pull Request for patch version
-        if: env.FIX_VERSION == '0'
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
-            author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-            token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-            base: ${{ env.VERSION_BRANCH }}
-            commit-message: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
-            branch: "version-bump-to-v${{ env.PATCH_VERSION_TO }}"
-            title: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
-            labels: no-changelog
-            body: |
-              ### Description
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog
+          body: |
+            ### Description

-              Bump Prowler version to v${{ env.PATCH_VERSION_TO }}
+            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.

-              ### License
+            ### License

-              By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -1,45 +1,41 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: SDK - CodeQL
+name: 'SDK: CodeQL'

 on:
  push:
    branches:
-      - "master"
-      - "v3"
-      - "v4.*"
-      - "v5.*"
-    paths-ignore:
-      - 'ui/**'
-      - 'api/**'
-      - '.github/**'
+      - 'master'
+      - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - '.github/workflows/sdk-codeql.yml'
+      - '.github/codeql/sdk-codeql-config.yml'
+      - '!prowler/CHANGELOG.md'
  pull_request:
    branches:
-      - "master"
-      - "v3"
-      - "v4.*"
-      - "v5.*"
-    paths-ignore:
-      - 'ui/**'
-      - 'api/**'
-      - '.github/**'
+      - 'master'
+      - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - '.github/workflows/sdk-codeql.yml'
+      - '.github/codeql/sdk-codeql-config.yml'
+      - '!prowler/CHANGELOG.md'
  schedule:
    - cron: '00 12 * * *'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
  sdk-analyze:
    if: github.repository == 'prowler-cloud/prowler'
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -48,21 +44,20 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: [ 'python' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        language:
+          - 'python'

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
-      with:
-        languages: ${{ matrix.language }}
-        config-file: ./.github/codeql/sdk-codeql-config.yml
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/sdk-codeql-config.yml

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          category: '/language:${{ matrix.language }}'
@@ -0,0 +1,217 @@
+name: 'SDK: Container Build and Push'
+
+on:
+  push:
+    branches:
+      - 'v3'      # For v3-latest
+      - 'v4.6'    # For v4-latest
+      - 'master'  # For latest
+    paths-ignore:
+      - '.github/**'
+      - '!.github/workflows/sdk-container-build-push.yml'
+      - 'README.md'
+      - 'docs/**'
+      - 'ui/**'
+      - 'api/**'
+  release:
+    types:
+      - 'published'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  # Container configuration
+  IMAGE_NAME: prowler
+  DOCKERFILE_PATH: ./Dockerfile
+
+  # Python configuration
+  PYTHON_VERSION: '3.12'
+
+  # Tags (dynamically set based on version)
+  LATEST_TAG: latest
+  STABLE_TAG: stable
+
+  # Container registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
+
+  # AWS configuration (for ECR)
+  AWS_REGION: us-east-1
+
+jobs:
+  container-build-push:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: 'false'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry
+        run: |
+          pipx install poetry==2.1.1
+          pipx inject poetry poetry-bumpversion
+
+      - name: Get Prowler version and set tags
+        id: get-prowler-version
+        run: |
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+
+          # Extract major version
+          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
+
+          # Set version-specific tags
+          case ${PROWLER_VERSION_MAJOR} in
+            3)
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
+              ;;
+            4)
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
+              ;;
+            5)
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              echo "✓ Prowler v5 detected - tags: latest, stable"
+              ;;
+            *)
+              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
+              exit 1
+              ;;
+          esac
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push SDK container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: SDK
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push SDK container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: SDK
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+          step-outcome: ${{ steps.container-push.outcome }}
+
+  dispatch-v3-deployment:
+    if: needs.container-build-push.outputs.prowler_version_major == '3'
+    needs: container-build-push
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
+    steps:
+      - name: Calculate short SHA
+        id: short-sha
+        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
+      - name: Dispatch v3 deployment (latest)
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
+
+      - name: Dispatch v3 deployment (release)
+        if: github.event_name == 'release'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"release","tag":"${{ needs.container-build-push.outputs.prowler_version }}"}'
@@ -1,98 +1,119 @@
-name: SDK - PyPI release
+name: 'SDK: PyPI Release'

 on:
  release:
-    types: [published]
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false

 env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: 3.11
-  # CACHE: "poetry"
+  PYTHON_VERSION: '3.12'

 jobs:
-  repository-check:
-    name: Repository check
+  validate-release:
+    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
    outputs:
-      is_repo: ${{ steps.repository_check.outputs.is_repo }}
-    steps:
-      - name: Repository check
-        id: repository_check
-        working-directory: /tmp
-        run: |
-          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
-          then
-            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "This action only runs for prowler-cloud/prowler"
-            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
-          fi
+      prowler_version: ${{ steps.parse-version.outputs.version }}
+      major_version: ${{ steps.parse-version.outputs.major }}

-  release-prowler-job:
-    runs-on: ubuntu-latest
-    needs: repository-check
-    if: needs.repository-check.outputs.is_repo == 'true'
-    env:
-      POETRY_VIRTUALENVS_CREATE: "false"
-    name: Release Prowler to PyPI
    steps:
-      - name: Repository check
-        working-directory: /tmp
-        run: |
-              if [[ "${{ github.repository }}" != "prowler-cloud/prowler" ]]; then
-                  echo "This action only runs for prowler-cloud/prowler"
-                  exit 1
-              fi
-
-      - name: Get Prowler version
+      - name: Parse and validate version
+        id: parse-version
        run: |
          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
+          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

-          case ${PROWLER_VERSION%%.*} in
-          3)
-              echo "Releasing Prowler v3 with tag ${PROWLER_VERSION}"
+          # Extract major version
+          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
+          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+
+          # Validate major version
+          case ${MAJOR_VERSION} in
+            3|4|5)
+              echo "✓ Releasing Prowler v${MAJOR_VERSION} with tag ${PROWLER_VERSION}"
              ;;
-          4)
-              echo "Releasing Prowler v4 with tag ${PROWLER_VERSION}"
-              ;;
-          5)
-              echo "Releasing Prowler v5 with tag ${PROWLER_VERSION}"
-              ;;
-          *)
-              echo "Releasing another Prowler major version, aborting..."
+            *)
+              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
              exit 1
              ;;
          esac

-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+  publish-prowler:
+    needs: validate-release
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: pypi-prowler
+      url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/

-      - name: Install dependencies
-        run: |
-          pipx install poetry==2.1.1
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

-      - name: Setup Python
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
-          # cache: ${{ env.CACHE }}
+          cache: 'poetry'

      - name: Build Prowler package
-        run: |
-          poetry build
+        run: poetry build

      - name: Publish Prowler package to PyPI
-        run: |
-          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
-          poetry publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          print-hash: true

-      - name: Replicate PyPI package
+  publish-prowler-cloud:
+    needs: validate-release
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: pypi-prowler-cloud
+      url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'
+
+      - name: Install toml package
+        run: pip install toml
+
+      - name: Replicate PyPI package for prowler-cloud
        run: |
-          rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
-          pip install toml
+          rm -rf ./dist ./build prowler.egg-info
          python util/replicate_pypi_package.py
-          poetry build
+
+      - name: Build prowler-cloud package
+        run: poetry build

      - name: Publish prowler-cloud package to PyPI
-        run: |
-          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
-          poetry publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          print-hash: true
@@ -1,68 +1,90 @@
-# This is a basic workflow to help you get started with Actions
-
-name: SDK - Refresh AWS services' regions
+name: 'SDK: Refresh AWS Regions'

 on:
  schedule:
-    - cron: "0 9 * * 1" # runs at 09:00 UTC every Monday
+    - cron: '0 9 * * 1' # Every Monday at 09:00 UTC
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false

 env:
-  GITHUB_BRANCH: "master"
-  AWS_REGION_DEV: us-east-1
+  PYTHON_VERSION: '3.12'
+  AWS_REGION: 'us-east-1'

-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
-  build:
-    # The type of runner that the job will run on
+  refresh-aws-regions:
+    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    permissions:
      id-token: write
      pull-requests: write
      contents: write
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: ${{ env.GITHUB_BRANCH }}

-      - name: setup python
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: 'master'
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
-          python-version: 3.9 #install the python needed
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'

      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install boto3
+        run: pip install boto3

-      - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
        with:
-          aws-region: ${{ env.AWS_REGION_DEV }}
+          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
-          role-session-name: refresh-AWS-regions-dev
+          role-session-name: prowler-refresh-aws-regions

-      # Runs a single command using the runners shell
-      - name: Run a one-line script
-        run: python3 util/update_aws_services_regions.py
+      - name: Update AWS services regions
+        run: python util/update_aws_services_regions.py

-      # Create pull request
-      - name: Create Pull Request
+      - name: Create pull request
+        id: create-pr
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          commit-message: "feat(regions_update): Update regions for AWS services"
-          branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low, provider/aws, no-changelog"
-          title: "chore(regions_update): Changes in regions for AWS services"
+          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
+          committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
+          commit-message: 'feat(aws): update regions for AWS services'
+          branch: 'aws-regions-update-${{ github.run_number }}'
+          title: 'feat(aws): Update regions for AWS services'
+          labels: |
+            status/waiting-for-revision
+            severity/low
+            provider/aws
+            no-changelog
          body: |
            ### Description

-            This PR updates the regions for AWS services.
+            Automated update of AWS service regions from the official AWS IP ranges.
+
+            **Trigger:** ${{ github.event_name == 'schedule' && 'Scheduled (weekly)' || github.event_name == 'workflow_dispatch' && 'Manual' || 'Workflow update' }}
+            **Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
+
+            ### Checklist
+
+            - [x] This is an automated update from AWS official sources
+            - [x] No manual review of region data required

            ### License

            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: PR creation result
+        run: |
+          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
+            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
+            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
+          else
+            echo "✓ No changes detected - AWS regions are up to date"
+          fi
@@ -1,121 +0,0 @@
-name: UI - Build and Push containers
-
-on:
-  push:
-    branches:
-      - "master"
-    paths:
-      - "ui/**"
-      - ".github/workflows/ui-build-lint-push-containers.yml"
-
-  # Uncomment the below code to test this action on PRs
-  # pull_request:
-  #   branches:
-  #     - "master"
-  #   paths:
-  #     - "ui/**"
-  #     - ".github/workflows/ui-build-lint-push-containers.yml"
-
-  release:
-    types: [published]
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  STABLE_TAG: stable
-
-  WORKING_DIRECTORY: ./ui
-
-  # Container Registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
-  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
-
-jobs:
-  repository-check:
-    name: Repository check
-    runs-on: ubuntu-latest
-    outputs:
-      is_repo: ${{ steps.repository_check.outputs.is_repo }}
-    steps:
-      - name: Repository check
-        id: repository_check
-        working-directory: /tmp
-        run: |
-          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
-          then
-            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "This action only runs for prowler-cloud/prowler"
-            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-  # Build Prowler OSS container
-  container-build-push:
-    needs: repository-check
-    if: needs.repository-check.outputs.is_repo == 'true'
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Set short git commit SHA
-        id: vars
-        run: |
-          shortSha=$(git rev-parse --short ${{ github.sha }})
-          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push container image (latest)
-        # Comment the following line for testing
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ env.SHORT_SHA }}
-            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
-          # Set push: false for testing
-          push: true
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Build and push container image (release)
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
-            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
-          push: true
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Trigger deployment
-        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: prowler-ui-deploy
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'
@@ -1,37 +1,37 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: UI - CodeQL
+name: 'UI: CodeQL'

 on:
  push:
    branches:
-      - "master"
-      - "v5.*"
+      - 'master'
+      - 'v5.*'
    paths:
-      - "ui/**"
+      - 'ui/**'
+      - '.github/workflows/ui-codeql.yml'
+      - '.github/codeql/ui-codeql-config.yml'
+      - '!ui/CHANGELOG.md'
  pull_request:
    branches:
-      - "master"
-      - "v5.*"
+      - 'master'
+      - 'v5.*'
    paths:
-      - "ui/**"
+      - 'ui/**'
+      - '.github/workflows/ui-codeql.yml'
+      - '.github/codeql/ui-codeql-config.yml'
+      - '!ui/CHANGELOG.md'
  schedule:
-    - cron: "00 12 * * *"
+    - cron: '00 12 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

 jobs:
  ui-analyze:
    if: github.repository == 'prowler-cloud/prowler'
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -40,21 +40,20 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: ["javascript"]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        language:
+          - 'javascript-typescript'

    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

-      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
-          category: "/language:${{matrix.language}}"
+          category: '/language:${{ matrix.language }}'
@@ -0,0 +1,143 @@
+name: 'UI: Container Build and Push'
+
+on:
+  push:
+    branches:
+      - 'master'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-container-build-push.yml'
+  release:
+    types:
+      - 'published'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+  WORKING_DIRECTORY: ./ui
+
+  # Container registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
+
+  # Build args
+  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
+
+jobs:
+  setup:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
+    steps:
+      - name: Calculate short SHA
+        id: set-short-sha
+        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
+  container-build-push:
+    needs: setup
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push UI container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ needs.setup.outputs.short-sha }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: UI
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push UI container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: UI
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
+          step-outcome: ${{ steps.container-push.outcome }}
+
+  trigger-deployment:
+    if: github.event_name == 'push'
+    needs: [setup, container-build-push]
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
+    steps:
+      - name: Trigger UI deployment
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: ui-prowler-deployment
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'
@@ -18,6 +18,22 @@ jobs:
      AUTH_TRUST_HOST: true
      NEXTAUTH_URL: 'http://localhost:3000'
      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
+      E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
+      E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
+      E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
+      E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
+      E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
+      E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
+      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
+      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
+      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
+      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
+      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
+      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
+      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
+      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
+      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
+      E2E_NEW_PASSWORD: ${{ secrets.E2E_NEW_PASSWORD }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -59,7 +75,7 @@ jobs:
            echo "All database fixtures loaded successfully!"
          '
      - name: Setup Node.js environment
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: '20.x'
          cache: 'npm'
@@ -39,6 +39,12 @@ secrets-*/
 # JUnit Reports
 junit-reports/

+# Test and coverage artifacts
+*_coverage.xml
+pytest_*.xml
+.coverage
+htmlcov/
+
 # VSCode files
 .vscode/

@@ -64,7 +70,6 @@ junit-reports/
 ui/.env*
 api/.env*
 mcp_server/.env*
-.env.local

 # Coverage
 .coverage*
@@ -10,4 +10,4 @@
 Want some swag as appreciation for your contribution?

 # Prowler Developer Guide
-https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/
+https://goto.prowler.com/devguide
@@ -56,7 +56,7 @@ Prowler includes hundreds of built-in controls to ensure compliance with standar

 Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

-![Prowler App](docs/products/img/overview.png)
+![Prowler App](docs/images/products/overview.png)

 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)

@@ -73,26 +73,26 @@ prowler <provider>
 ```console
 prowler dashboard
 ```
-![Prowler Dashboard](docs/products/img/dashboard.png)
+![Prowler Dashboard](docs/images/products/dashboard.png)

 # Prowler at a Glance
 > [!Tip]
 > For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit [**Prowler Hub**](https://hub.prowler.com).


-| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Stage | Interface |
-|---|---|---|---|---|---|---|---|
-| AWS | 576 | 82 | 38 | 10 | Official | Stable | UI, API, CLI |
-| GCP | 79 | 13 | 11 | 3 | Official | Stable | UI, API, CLI |
-| Azure | 162 | 19 | 12 | 4 | Official | Stable | UI, API, CLI |
-| Kubernetes | 83 | 7 | 5 | 7 | Official | Stable | UI, API, CLI |
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
+|---|---|---|---|---|---|---|
+| AWS | 576 | 82 | 39 | 10 | Official | UI, API, CLI |
+| GCP | 79 | 13 | 13 | 3 | Official | UI, API, CLI |
+| Azure | 162 | 19 | 13 | 4 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | UI, API, CLI |
 | GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
-| M365 | 70 | 7 | 3 | 2 | Official | Stable | UI, API, CLI |
-| OCI | 51 | 13 | 1 | 10 | Official | Stable | CLI |
-| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | Beta | CLI |
-| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | Beta | CLI |
-| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | Beta | CLI |
-| NHN | 6 | 2 | 1 | 0 | Unofficial | Beta | CLI |
+| M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
+| OCI | 51 | 13 | 1 | 10 | Official | UI, API, CLI |
+| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | CLI, API |
+| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
+| NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
 > The numbers in the table are updated periodically.
@@ -2,6 +2,33 @@

 All notable changes to the **Prowler API** are documented in this file.

+## [1.15.0] (Prowler UNRELEASED)
+
+### Added
+- IaC (Infrastructure as Code) provider support for remote repositories [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
+- Extend `GET /api/v1/providers` with provider-type filters and optional pagination disable to support the new Overview filters [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
+- New endpoint to retrieve the number of providers grouped by provider type [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
+- Support for configuring multiple LLM providers [(#8772)](https://github.com/prowler-cloud/prowler/pull/8772)
+- Support C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
+- Support for Oracle Cloud Infrastructure (OCI) provider [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
+- Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
+- Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
+- Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
+- OpenAPI schema integration with Mintlify documentation including compatibility fixes and dynamic server URL configuration [(#9168)](https://github.com/prowler-cloud/prowler/pull/9168)
+- Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
+- Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
+
+### Security
+- Django updated to the latest 5.1 security release, 5.1.14, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/113) and [denial-of-service vulnerability](https://github.com/prowler-cloud/prowler/security/dependabot/114) [(#9176)](https://github.com/prowler-cloud/prowler/pull/9176)
+
+---
+
+## [1.14.2] (Prowler UNRELEASED)
+
+### Fixed
+- Update unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers.[(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
+- Remove compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
+
 ## [1.14.1] (Prowler 5.13.1)

 ### Fixed
@@ -5,6 +5,9 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

+ARG TRIVY_VERSION=0.66.0
+ENV TRIVY_VERSION=${TRIVY_VERSION}
+
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget \
@@ -36,6 +39,24 @@ RUN ARCH=$(uname -m) && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm /tmp/powershell.tar.gz

+# Install Trivy for IaC scanning
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        TRIVY_ARCH="Linux-64bit" ; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        TRIVY_ARCH="Linux-ARM64" ; \
+    else \
+        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
+    fi && \
+    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
+    tar zxf /tmp/trivy.tar.gz -C /tmp && \
+    mv /tmp/trivy /usr/local/bin/trivy && \
+    chmod +x /usr/local/bin/trivy && \
+    rm /tmp/trivy.tar.gz && \
+    # Create trivy cache directory with proper permissions
+    mkdir -p /tmp/.cache/trivy && \
+    chmod 777 /tmp/.cache/trivy
+
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.1.4 and should not be changed by hand.

 [[package]]
 name = "about-time"
@@ -1164,18 +1164,6 @@ files = [
    {file = "charset_normalizer-3.4.3.tar.gz", hash = "sha256:6fce4b8500244f6fcb71465d4a4930d132ba9ab8e71a7859e6a5d59851068d14"},
 ]

-[[package]]
-name = "circuitbreaker"
-version = "2.1.3"
-description = "Python Circuit Breaker pattern implementation"
-optional = false
-python-versions = "*"
-groups = ["main"]
-files = [
-    {file = "circuitbreaker-2.1.3-py3-none-any.whl", hash = "sha256:87ba6a3ed03fdc7032bc175561c2b04d52ade9d5faf94ca2b035fbdc5e6b1dd1"},
-    {file = "circuitbreaker-2.1.3.tar.gz", hash = "sha256:1a4baee510f7bea3c91b194dcce7c07805fe96c4423ed5594b75af438531d084"},
-]
-
 [[package]]
 name = "click"
 version = "8.2.1"
@@ -1683,14 +1671,14 @@ with-social = ["django-allauth[socialaccount] (>=64.0.0)"]

 [[package]]
 name = "django"
-version = "5.1.13"
+version = "5.1.14"
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 optional = false
 python-versions = ">=3.10"
 groups = ["main", "dev"]
 files = [
-    {file = "django-5.1.13-py3-none-any.whl", hash = "sha256:06f257f79dc4c17f3f9e23b106a4c5ed1335abecbe731e83c598c941d14fbeed"},
-    {file = "django-5.1.13.tar.gz", hash = "sha256:543ff21679f15e80edfc01fe7ea35f8291b6d4ea589433882913626a7c1cf929"},
+    {file = "django-5.1.14-py3-none-any.whl", hash = "sha256:2a4b9c20404fd1bf50aaaa5542a19d860594cba1354f688f642feb271b91df27"},
+    {file = "django-5.1.14.tar.gz", hash = "sha256:b98409fb31fdd6e8c3a6ba2eef3415cc5c0020057b43b21ba7af6eff5f014831"},
 ]

 [package.dependencies]
@@ -4058,29 +4046,6 @@ rsa = ["cryptography (>=3.0.0)"]
 signals = ["blinker (>=1.4.0)"]
 signedtoken = ["cryptography (>=3.0.0)", "pyjwt (>=2.0.0,<3)"]

-[[package]]
-name = "oci"
-version = "2.160.3"
-description = "Oracle Cloud Infrastructure Python SDK"
-optional = false
-python-versions = "*"
-groups = ["main"]
-files = [
-    {file = "oci-2.160.3-py3-none-any.whl", hash = "sha256:858bff3e697098bdda44833d2476bfb4632126f0182178e7dbde4dbd156d71f0"},
-    {file = "oci-2.160.3.tar.gz", hash = "sha256:57514889be3b713a8385d86e3ba8a33cf46e3563c2a7e29a93027fb30b8a2537"},
-]
-
-[package.dependencies]
-certifi = "*"
-circuitbreaker = {version = ">=1.3.1,<3.0.0", markers = "python_version >= \"3.7\""}
-cryptography = ">=3.2.1,<46.0.0"
-pyOpenSSL = ">=17.5.0,<25.0.0"
-python-dateutil = ">=2.5.3,<3.0.0"
-pytz = ">=2016.10"
-
-[package.extras]
-adk = ["docstring-parser (>=0.16) ; python_version >= \"3.10\" and python_version < \"4\"", "mcp (>=1.6.0) ; python_version >= \"3.10\" and python_version < \"4\"", "pydantic (>=2.10.6) ; python_version >= \"3.10\" and python_version < \"4\"", "rich (>=13.9.4) ; python_version >= \"3.10\" and python_version < \"4\""]
-
 [[package]]
 name = "openai"
 version = "1.101.0"
@@ -4669,7 +4634,6 @@ markdown = "3.9.0"
 microsoft-kiota-abstractions = "1.9.2"
 msgraph-sdk = "1.23.0"
 numpy = "2.0.2"
-oci = "2.160.3"
 pandas = "2.2.3"
 py-iam-expand = "0.1.0"
 py-ocsf-models = "0.5.0"
@@ -4686,8 +4650,8 @@ tzlocal = "5.3.1"
 [package.source]
 type = "git"
 url = "https://github.com/prowler-cloud/prowler.git"
-reference = "v5.13"
-resolved_reference = "b1856e42f0143a64e8cc26c7aa3c7643bd1083d3"
+reference = "master"
+resolved_reference = "a52697bfdfee83d14a49c11dcbe96888b5cd767e"

 [[package]]
 name = "psutil"
@@ -5172,25 +5136,6 @@ cffi = ">=1.4.1"
 docs = ["sphinx (>=1.6.5)", "sphinx-rtd-theme"]
 tests = ["hypothesis (>=3.27.0)", "pytest (>=3.2.1,!=3.3.0)"]

-[[package]]
-name = "pyopenssl"
-version = "24.3.0"
-description = "Python wrapper module around the OpenSSL library"
-optional = false
-python-versions = ">=3.7"
-groups = ["main"]
-files = [
-    {file = "pyOpenSSL-24.3.0-py3-none-any.whl", hash = "sha256:e474f5a473cd7f92221cc04976e48f4d11502804657a08a989fb3be5514c904a"},
-    {file = "pyopenssl-24.3.0.tar.gz", hash = "sha256:49f7a019577d834746bc55c5fce6ecbcec0f2b4ec5ce1cf43a9a173b8138bb36"},
-]
-
-[package.dependencies]
-cryptography = ">=41.0.5,<45"
-
-[package.extras]
-docs = ["sphinx (!=5.2.0,!=5.2.0.post0,!=7.2.5)", "sphinx_rtd_theme"]
-test = ["pretend", "pytest (>=3.0.1)", "pytest-rerunfailures"]
-
 [[package]]
 name = "pyparsing"
 version = "3.2.3"
@@ -6841,4 +6786,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "8fcb616e55530e7940019d3da33e955b026b9105e1216a3c5f39b411c015b6d7"
+content-hash = "943e2cd6b87229704550d4e140b36509fb9f58896ebb5834b9fbabe28a9ee92f"
@@ -7,7 +7,7 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
  "celery[pytest] (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.13)",
+  "django (==5.1.14)",
  "django-allauth[saml] (>=65.8.0,<66.0.0)",
  "django-celery-beat (>=2.7.0,<3.0.0)",
  "django-celery-results (>=2.5.1,<3.0.0)",
@@ -24,7 +24,7 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "gunicorn==23.0.0",
  "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.13",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
@@ -43,7 +43,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.14.1"
+version = "1.15.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -1,3 +0,0 @@
-# from django.contrib import admin
-
-# Register your models here.
@@ -144,6 +144,7 @@ def generate_scan_compliance(
    Returns:
        None: This function modifies the compliance_overview in place.
    """
+
    for compliance_id in PROWLER_CHECKS[provider_type][check_id]:
        for requirement in compliance_overview[compliance_id]["requirements"].values():
            if check_id in requirement["checks"]:
@@ -27,7 +27,10 @@ from api.models import (
    Finding,
    Integration,
    Invitation,
+    LighthouseProviderConfiguration,
+    LighthouseProviderModels,
    Membership,
+    MuteRule,
    OverviewStatusChoices,
    PermissionChoices,
    Processor,
@@ -44,6 +47,7 @@ from api.models import (
    StatusChoices,
    Task,
    TenantAPIKey,
+    ThreatScoreSnapshot,
    User,
 )
 from api.rls import Tenant
@@ -245,6 +249,14 @@ class ProviderFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_type = ChoiceFilter(
+        choices=Provider.ProviderChoices.choices, field_name="provider"
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )

    class Meta:
        model = Provider
@@ -928,3 +940,95 @@ class TenantApiKeyFilter(FilterSet):
            "revoked": ["exact"],
            "name": ["exact", "icontains"],
        }
+
+
+class LighthouseProviderConfigFilter(FilterSet):
+    provider_type = ChoiceFilter(
+        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
+        field_name="provider_type",
+        lookup_expr="in",
+    )
+    is_active = BooleanFilter()
+
+    class Meta:
+        model = LighthouseProviderConfiguration
+        fields = {
+            "provider_type": ["exact", "in"],
+            "is_active": ["exact"],
+        }
+
+
+class LighthouseProviderModelsFilter(FilterSet):
+    provider_type = ChoiceFilter(
+        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
+        field_name="provider_configuration__provider_type",
+    )
+    provider_type__in = ChoiceInFilter(
+        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
+        field_name="provider_configuration__provider_type",
+        lookup_expr="in",
+    )
+
+    # Allow filtering by model id
+    model_id = CharFilter(field_name="model_id", lookup_expr="exact")
+    model_id__icontains = CharFilter(field_name="model_id", lookup_expr="icontains")
+    model_id__in = CharInFilter(field_name="model_id", lookup_expr="in")
+
+    class Meta:
+        model = LighthouseProviderModels
+        fields = {
+            "model_id": ["exact", "icontains", "in"],
+        }
+
+
+class MuteRuleFilter(FilterSet):
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    created_by = UUIDFilter(field_name="created_by__id", lookup_expr="exact")
+
+    class Meta:
+        model = MuteRule
+        fields = {
+            "id": ["exact", "in"],
+            "name": ["exact", "icontains"],
+            "reason": ["icontains"],
+            "enabled": ["exact"],
+            "inserted_at": ["gte", "lte"],
+            "updated_at": ["gte", "lte"],
+        }
+
+
+class ThreatScoreSnapshotFilter(FilterSet):
+    """
+    Filter for ThreatScore snapshots.
+    Allows filtering by scan, provider, compliance_id, and date ranges.
+    """
+
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    scan_id = UUIDFilter(field_name="scan__id", lookup_expr="exact")
+    scan_id__in = UUIDInFilter(field_name="scan__id", lookup_expr="in")
+    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
+    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
+    provider_type = ChoiceFilter(
+        field_name="provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="provider__provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )
+    compliance_id = CharFilter(field_name="compliance_id", lookup_expr="exact")
+    compliance_id__in = CharInFilter(field_name="compliance_id", lookup_expr="in")
+
+    class Meta:
+        model = ThreatScoreSnapshot
+        fields = {
+            "scan": ["exact", "in"],
+            "provider": ["exact", "in"],
+            "compliance_id": ["exact", "in"],
+            "inserted_at": ["date", "gte", "lte"],
+            "overall_score": ["exact", "gte", "lte"],
+        }
@@ -0,0 +1,266 @@
+# Generated by Django 5.1.12 on 2025-10-09 07:50
+
+import json
+import logging
+import uuid
+
+import django.db.models.deletion
+from config.custom_logging import BackendLogger
+from cryptography.fernet import Fernet
+from django.conf import settings
+from django.db import migrations, models
+
+import api.rls
+from api.db_router import MainRouter
+
+logger = logging.getLogger(BackendLogger.API)
+
+
+def migrate_lighthouse_configs_forward(apps, schema_editor):
+    """
+    Migrate data from old LighthouseConfiguration to new multi-provider models.
+    Old system: one LighthouseConfiguration per tenant (always OpenAI).
+    """
+    LighthouseConfiguration = apps.get_model("api", "LighthouseConfiguration")
+    LighthouseProviderConfiguration = apps.get_model(
+        "api", "LighthouseProviderConfiguration"
+    )
+    LighthouseTenantConfiguration = apps.get_model(
+        "api", "LighthouseTenantConfiguration"
+    )
+    LighthouseProviderModels = apps.get_model("api", "LighthouseProviderModels")
+
+    fernet = Fernet(settings.SECRETS_ENCRYPTION_KEY.encode())
+
+    # Migrate only tenants that actually have a LighthouseConfiguration
+    for old_config in (
+        LighthouseConfiguration.objects.using(MainRouter.admin_db)
+        .select_related("tenant")
+        .all()
+    ):
+        tenant = old_config.tenant
+        tenant_id = str(tenant.id)
+
+        try:
+            # Create OpenAI provider configuration for this tenant
+            api_key_decrypted = fernet.decrypt(bytes(old_config.api_key)).decode()
+            credentials_encrypted = fernet.encrypt(
+                json.dumps({"api_key": api_key_decrypted}).encode()
+            )
+            provider_config = LighthouseProviderConfiguration.objects.using(
+                MainRouter.admin_db
+            ).create(
+                tenant=tenant,
+                provider_type="openai",
+                credentials=credentials_encrypted,
+                is_active=old_config.is_active,
+            )
+
+            # Create tenant configuration from old values
+            LighthouseTenantConfiguration.objects.using(MainRouter.admin_db).create(
+                tenant=tenant,
+                business_context=old_config.business_context or "",
+                default_provider="openai",
+                default_models={"openai": old_config.model},
+            )
+
+            # Create initial provider model record
+            LighthouseProviderModels.objects.using(MainRouter.admin_db).create(
+                tenant=tenant,
+                provider_configuration=provider_config,
+                model_id=old_config.model,
+                model_name=old_config.model,
+                default_parameters={},
+            )
+
+        except Exception:
+            logger.exception(
+                "Failed to migrate lighthouse config for tenant %s", tenant_id
+            )
+            continue
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0049_compliancerequirementoverview_passed_failed_findings"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="LighthouseProviderConfiguration",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "provider_type",
+                    models.CharField(
+                        choices=[("openai", "OpenAI")],
+                        help_text="LLM provider name",
+                        max_length=50,
+                    ),
+                ),
+                ("base_url", models.URLField(blank=True, null=True)),
+                (
+                    "credentials",
+                    models.BinaryField(
+                        help_text="Encrypted JSON credentials for the provider"
+                    ),
+                ),
+                ("is_active", models.BooleanField(default=True)),
+            ],
+            options={
+                "db_table": "lighthouse_provider_configurations",
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="LighthouseProviderModels",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("model_id", models.CharField(max_length=100)),
+                ("model_name", models.CharField(max_length=100)),
+                ("default_parameters", models.JSONField(blank=True, default=dict)),
+            ],
+            options={
+                "db_table": "lighthouse_provider_models",
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="LighthouseTenantConfiguration",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("business_context", models.TextField(blank=True, default="")),
+                ("default_provider", models.CharField(blank=True, max_length=50)),
+                ("default_models", models.JSONField(blank=True, default=dict)),
+            ],
+            options={
+                "db_table": "lighthouse_tenant_config",
+                "abstract": False,
+            },
+        ),
+        migrations.AddField(
+            model_name="lighthouseproviderconfiguration",
+            name="tenant",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+            ),
+        ),
+        migrations.AddField(
+            model_name="lighthouseprovidermodels",
+            name="provider_configuration",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="available_models",
+                to="api.lighthouseproviderconfiguration",
+            ),
+        ),
+        migrations.AddField(
+            model_name="lighthouseprovidermodels",
+            name="tenant",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+            ),
+        ),
+        migrations.AddField(
+            model_name="lighthousetenantconfiguration",
+            name="tenant",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="lighthouseproviderconfiguration",
+            index=models.Index(
+                fields=["tenant_id", "provider_type"], name="lh_pc_tenant_type_idx"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthouseproviderconfiguration",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_lighthouseproviderconfiguration",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthouseproviderconfiguration",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "provider_type"),
+                name="unique_provider_config_per_tenant",
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="lighthouseprovidermodels",
+            index=models.Index(
+                fields=["tenant_id", "provider_configuration"],
+                name="lh_prov_models_cfg_idx",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthouseprovidermodels",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_lighthouseprovidermodels",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthouseprovidermodels",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "provider_configuration", "model_id"),
+                name="unique_provider_model_per_configuration",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthousetenantconfiguration",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_lighthousetenantconfiguration",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="lighthousetenantconfiguration",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id",), name="unique_tenant_lighthouse_config"
+            ),
+        ),
+        # Migrate data from old LighthouseConfiguration to new tables
+        # This runs after all tables, indexes, and constraints are created
+        # The old Lighthouse configuration table is not removed, so reverse_code is noop
+        # During rollbacks, the old Lighthouse configuration remains intact while the new tables are removed
+        migrations.RunPython(
+            migrate_lighthouse_configs_forward,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
@@ -0,0 +1,34 @@
+# Generated by Django 5.1.7 on 2025-10-14 00:00
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0050_lighthouse_multi_llm"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'oraclecloud';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
@@ -0,0 +1,117 @@
+# Generated by Django 5.1.13 on 2025-10-22 11:56
+
+import uuid
+
+import django.contrib.postgres.fields
+import django.core.validators
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0051_oraclecloud_provider"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="MuteRule",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="Human-readable name for this rule",
+                        max_length=100,
+                        validators=[django.core.validators.MinLengthValidator(3)],
+                    ),
+                ),
+                (
+                    "reason",
+                    models.TextField(
+                        help_text="Reason for muting",
+                        max_length=500,
+                        validators=[django.core.validators.MinLengthValidator(3)],
+                    ),
+                ),
+                (
+                    "enabled",
+                    models.BooleanField(
+                        default=True, help_text="Whether this rule is currently enabled"
+                    ),
+                ),
+                (
+                    "finding_uids",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.CharField(max_length=255),
+                        help_text="List of finding UIDs to mute",
+                        size=None,
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "mute_rules",
+                "abstract": False,
+            },
+        ),
+        migrations.AddField(
+            model_name="finding",
+            name="muted_at",
+            field=models.DateTimeField(
+                blank=True, help_text="Timestamp when this finding was muted", null=True
+            ),
+        ),
+        migrations.AlterField(
+            model_name="tenantapikey",
+            name="name",
+            field=models.CharField(
+                max_length=100,
+                validators=[django.core.validators.MinLengthValidator(3)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="muterule",
+            name="created_by",
+            field=models.ForeignKey(
+                help_text="User who created this rule",
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="created_mute_rules",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AddField(
+            model_name="muterule",
+            name="tenant",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="muterule",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_muterule",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="muterule",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "name"), name="unique_mute_rule_name_per_tenant"
+            ),
+        ),
+    ]
@@ -0,0 +1,25 @@
+# Generated by Django 5.1.12 on 2025-10-14 11:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0052_mute_rules"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="lighthouseproviderconfiguration",
+            name="provider_type",
+            field=models.CharField(
+                choices=[
+                    ("openai", "OpenAI"),
+                    ("bedrock", "AWS Bedrock"),
+                    ("openai_compatible", "OpenAI Compatible"),
+                ],
+                help_text="LLM provider name",
+                max_length=50,
+            ),
+        )
+    ]
@@ -0,0 +1,35 @@
+# Generated by Django 5.1.10 on 2025-09-09 09:25
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0053_lighthouse_bedrock_openai_compatible"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("oci", "Oracle Cloud Infrastructure"),
+                    ("iac", "IaC"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'iac';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
@@ -0,0 +1,32 @@
+# Generated by Django 5.1.13 on 2025-11-05 08:37
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0054_iac_provider"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("mongodbatlas", "MongoDB Atlas"),
+                    ("iac", "IaC"),
+                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                ],
+                default="aws",
+            ),
+        ),
+    ]
@@ -0,0 +1,24 @@
+# Generated by Django 5.1.13 on 2025-11-06 09:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0055_mongodbatlas_provider"),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="provider",
+            name="unique_provider_uids",
+        ),
+        migrations.AddConstraint(
+            model_name="provider",
+            constraint=models.UniqueConstraint(
+                condition=models.Q(("is_deleted", False)),
+                fields=("tenant_id", "provider", "uid"),
+                name="unique_provider_uids",
+            ),
+        ),
+    ]
@@ -0,0 +1,170 @@
+# Generated by Django 5.1.13 on 2025-10-31 09:04
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0056_remove_provider_unique_provider_uids_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ThreatScoreSnapshot",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "compliance_id",
+                    models.CharField(
+                        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
+                        max_length=100,
+                    ),
+                ),
+                (
+                    "overall_score",
+                    models.DecimalField(
+                        decimal_places=2,
+                        help_text="Overall ThreatScore percentage (0-100)",
+                        max_digits=5,
+                    ),
+                ),
+                (
+                    "score_delta",
+                    models.DecimalField(
+                        blank=True,
+                        decimal_places=2,
+                        help_text="Score change compared to previous snapshot (positive = improvement)",
+                        max_digits=5,
+                        null=True,
+                    ),
+                ),
+                (
+                    "section_scores",
+                    models.JSONField(
+                        blank=True,
+                        default=dict,
+                        help_text="ThreatScore breakdown by section",
+                    ),
+                ),
+                (
+                    "critical_requirements",
+                    models.JSONField(
+                        blank=True,
+                        default=list,
+                        help_text="List of critical failed requirements (risk >= 4)",
+                    ),
+                ),
+                (
+                    "total_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Total number of requirements evaluated"
+                    ),
+                ),
+                (
+                    "passed_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with PASS status"
+                    ),
+                ),
+                (
+                    "failed_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with FAIL status"
+                    ),
+                ),
+                (
+                    "manual_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with MANUAL status"
+                    ),
+                ),
+                (
+                    "total_findings",
+                    models.IntegerField(
+                        default=0,
+                        help_text="Total number of findings across all requirements",
+                    ),
+                ),
+                (
+                    "passed_findings",
+                    models.IntegerField(
+                        default=0, help_text="Number of findings with PASS status"
+                    ),
+                ),
+                (
+                    "failed_findings",
+                    models.IntegerField(
+                        default=0, help_text="Number of findings with FAIL status"
+                    ),
+                ),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="threatscore_snapshots",
+                        related_query_name="threatscore_snapshot",
+                        to="api.provider",
+                    ),
+                ),
+                (
+                    "scan",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="threatscore_snapshots",
+                        related_query_name="threatscore_snapshot",
+                        to="api.scan",
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "threatscore_snapshots",
+                "abstract": False,
+            },
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "scan_id"], name="threatscore_snap_t_scan_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "provider_id"], name="threatscore_snap_t_prov_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "inserted_at"], name="threatscore_snap_t_time_idx"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="threatscoresnapshot",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_threatscoresnapshot",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
@@ -284,6 +284,9 @@ class Provider(RowLevelSecurityProtectedModel):
        KUBERNETES = "kubernetes", _("Kubernetes")
        M365 = "m365", _("M365")
        GITHUB = "github", _("GitHub")
+        MONGODBATLAS = "mongodbatlas", _("MongoDB Atlas")
+        IAC = "iac", _("IaC")
+        ORACLECLOUD = "oraclecloud", _("Oracle Cloud Infrastructure")

    @staticmethod
    def validate_aws_uid(value):
@@ -354,6 +357,40 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

+    @staticmethod
+    def validate_iac_uid(value):
+        # Validate that it's a valid repository URL (git URL format)
+        if not re.match(
+            r"^(https?://|git@|ssh://)[^\s/]+[^\s]*\.git$|^(https?://)[^\s/]+[^\s]*$",
+            value,
+        ):
+            raise ModelValidationError(
+                detail="IaC provider ID must be a valid repository URL (e.g., https://github.com/user/repo or https://github.com/user/repo.git).",
+                code="iac-uid",
+                pointer="/data/attributes/uid",
+            )
+
+    @staticmethod
+    def validate_oraclecloud_uid(value):
+        if not re.match(
+            r"^ocid1\.([a-z0-9_-]+)\.([a-z0-9_-]+)\.([a-z0-9_-]*)\.([a-z0-9]+)$", value
+        ):
+            raise ModelValidationError(
+                detail="Oracle Cloud Infrastructure provider ID must be a valid tenancy OCID in the format: "
+                "ocid1.<resource_type>.<realm>.<region>.<unique_id>",
+                code="oraclecloud-uid",
+                pointer="/data/attributes/uid",
+            )
+
+    @staticmethod
+    def validate_mongodbatlas_uid(value):
+        if not re.match(r"^[0-9a-fA-F]{24}$", value):
+            raise ModelValidationError(
+                detail="MongoDB Atlas organization ID must be a 24-character hexadecimal string.",
+                code="mongodbatlas-uid",
+                pointer="/data/attributes/uid",
+            )
+
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
    updated_at = models.DateTimeField(auto_now=True, editable=False)
@@ -388,7 +425,8 @@ class Provider(RowLevelSecurityProtectedModel):

        constraints = [
            models.UniqueConstraint(
-                fields=("tenant_id", "provider", "uid", "is_deleted"),
+                fields=("tenant_id", "provider", "uid"),
+                condition=Q(is_deleted=False),
                name="unique_provider_uids",
            ),
            RowLevelSecurityConstraint(
@@ -810,6 +848,9 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
    muted_reason = models.TextField(
        blank=True, null=True, validators=[MinLengthValidator(3)], max_length=500
    )
+    muted_at = models.DateTimeField(
+        null=True, blank=True, help_text="Timestamp when this finding was muted"
+    )
    compliance = models.JSONField(default=dict, null=True, blank=True)

    # Denormalize resource data for performance
@@ -1873,22 +1914,6 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
    def clean(self):
        super().clean()

-        # Validate temperature
-        if not 0 <= self.temperature <= 1:
-            raise ModelValidationError(
-                detail="Temperature must be between 0 and 1",
-                code="invalid_temperature",
-                pointer="/data/attributes/temperature",
-            )
-
-        # Validate max_tokens
-        if not 500 <= self.max_tokens <= 5000:
-            raise ModelValidationError(
-                detail="Max tokens must be between 500 and 5000",
-                code="invalid_max_tokens",
-                pointer="/data/attributes/max_tokens",
-            )
-
    @property
    def api_key_decoded(self):
        """Return the decrypted API key, or None if unavailable or invalid."""
@@ -1913,15 +1938,6 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
                code="invalid_api_key",
                pointer="/data/attributes/api_key",
            )
-
-        # Validate OpenAI API key format
-        openai_key_pattern = r"^sk-[\w-]+T3BlbkFJ[\w-]+$"
-        if not re.match(openai_key_pattern, value):
-            raise ModelValidationError(
-                detail="Invalid OpenAI API key format.",
-                code="invalid_api_key",
-                pointer="/data/attributes/api_key",
-            )
        self.api_key = fernet.encrypt(value.encode())

    def save(self, *args, **kwargs):
@@ -1947,6 +1963,59 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
        resource_name = "lighthouse-configurations"


+class MuteRule(RowLevelSecurityProtectedModel):
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    # Rule metadata
+    name = models.CharField(
+        max_length=100,
+        validators=[MinLengthValidator(3)],
+        help_text="Human-readable name for this rule",
+    )
+    reason = models.TextField(
+        validators=[MinLengthValidator(3)],
+        max_length=500,
+        help_text="Reason for muting",
+    )
+    enabled = models.BooleanField(
+        default=True, help_text="Whether this rule is currently enabled"
+    )
+
+    # Audit fields
+    created_by = models.ForeignKey(
+        User,
+        on_delete=models.SET_NULL,
+        null=True,
+        related_name="created_mute_rules",
+        help_text="User who created this rule",
+    )
+
+    # Rule criteria - array of finding UIDs
+    finding_uids = ArrayField(
+        models.CharField(max_length=255), help_text="List of finding UIDs to mute"
+    )
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "mute_rules"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            models.UniqueConstraint(
+                fields=("tenant_id", "name"),
+                name="unique_mute_rule_name_per_tenant",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "mute-rules"
+
+
 class Processor(RowLevelSecurityProtectedModel):
    class ProcessorChoices(models.TextChoices):
        MUTELIST = "mutelist", _("Mutelist")
@@ -1984,3 +2053,323 @@ class Processor(RowLevelSecurityProtectedModel):

    class JSONAPIMeta:
        resource_name = "processors"
+
+
+class LighthouseProviderConfiguration(RowLevelSecurityProtectedModel):
+    """
+    Per-tenant configuration for an LLM provider (credentials, base URL, activation).
+
+    One configuration per provider type per tenant.
+    """
+
+    class LLMProviderChoices(models.TextChoices):
+        OPENAI = "openai", _("OpenAI")
+        BEDROCK = "bedrock", _("AWS Bedrock")
+        OPENAI_COMPATIBLE = "openai_compatible", _("OpenAI Compatible")
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    provider_type = models.CharField(
+        max_length=50,
+        choices=LLMProviderChoices.choices,
+        help_text="LLM provider name",
+    )
+
+    # For OpenAI-compatible providers
+    base_url = models.URLField(blank=True, null=True)
+
+    # Encrypted JSON for provider-specific auth
+    credentials = models.BinaryField(
+        blank=False, null=False, help_text="Encrypted JSON credentials for the provider"
+    )
+
+    is_active = models.BooleanField(default=True)
+
+    def __str__(self):
+        return f"{self.get_provider_type_display()} ({self.tenant_id})"
+
+    def clean(self):
+        super().clean()
+
+    @property
+    def credentials_decoded(self):
+        if not self.credentials:
+            return None
+        try:
+            decrypted_data = fernet.decrypt(bytes(self.credentials))
+            return json.loads(decrypted_data.decode())
+        except (InvalidToken, json.JSONDecodeError) as e:
+            logger.warning("Failed to decrypt provider credentials: %s", e)
+            return None
+        except Exception as e:
+            logger.exception(
+                "Unexpected error while decrypting provider credentials: %s", e
+            )
+            return None
+
+    @credentials_decoded.setter
+    def credentials_decoded(self, value):
+        """
+        Set and encrypt credentials (assumes serializer performed validation).
+        """
+        if not value:
+            raise ModelValidationError(
+                detail="Credentials are required",
+                code="invalid_credentials",
+                pointer="/data/attributes/credentials",
+            )
+        self.credentials = fernet.encrypt(json.dumps(value).encode())
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "lighthouse_provider_configurations"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            models.UniqueConstraint(
+                fields=["tenant_id", "provider_type"],
+                name="unique_provider_config_per_tenant",
+            ),
+        ]
+
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "provider_type"],
+                name="lh_pc_tenant_type_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "lighthouse-providers"
+
+
+class LighthouseTenantConfiguration(RowLevelSecurityProtectedModel):
+    """
+    Tenant-level Lighthouse settings (business context and defaults).
+    One record per tenant.
+    """
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    business_context = models.TextField(blank=True, default="")
+
+    # Preferred provider key (e.g., "openai", "bedrock", "openai_compatible")
+    default_provider = models.CharField(max_length=50, blank=True)
+
+    # Mapping of provider -> model id, e.g., {"openai": "gpt-4o", "bedrock": "anthropic.claude-v2"}
+    default_models = models.JSONField(default=dict, blank=True)
+
+    def __str__(self):
+        return f"Lighthouse Tenant Config for {self.tenant_id}"
+
+    def clean(self):
+        super().clean()
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "lighthouse_tenant_config"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            models.UniqueConstraint(
+                fields=["tenant_id"], name="unique_tenant_lighthouse_config"
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "lighthouse-configurations"
+
+
+class LighthouseProviderModels(RowLevelSecurityProtectedModel):
+    """
+    Per-tenant, per-provider configuration list of available LLM models.
+    RLS-protected; populated via provider API using tenant-scoped credentials.
+    """
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    # Scope to a specific provider configuration within a tenant
+    provider_configuration = models.ForeignKey(
+        LighthouseProviderConfiguration,
+        on_delete=models.CASCADE,
+        related_name="available_models",
+    )
+    model_id = models.CharField(max_length=100)
+
+    # Human-friendly model name
+    model_name = models.CharField(max_length=100)
+
+    # Model-specific default parameters (e.g., temperature, max_tokens)
+    default_parameters = models.JSONField(default=dict, blank=True)
+
+    def __str__(self):
+        return f"{self.provider_configuration.provider_type}:{self.model_id} ({self.tenant_id})"
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "lighthouse_provider_models"
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            models.UniqueConstraint(
+                fields=["tenant_id", "provider_configuration", "model_id"],
+                name="unique_provider_model_per_configuration",
+            ),
+        ]
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "provider_configuration"],
+                name="lh_prov_models_cfg_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "lighthouse-models"
+
+
+class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):
+    """
+    Stores historical ThreatScore metrics for a given scan.
+    Snapshots are created automatically after each ThreatScore report generation.
+    """
+
+    objects = models.Manager()
+    all_objects = models.Manager()
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+
+    scan = models.ForeignKey(
+        Scan,
+        on_delete=models.CASCADE,
+        related_name="threatscore_snapshots",
+        related_query_name="threatscore_snapshot",
+    )
+
+    provider = models.ForeignKey(
+        Provider,
+        on_delete=models.CASCADE,
+        related_name="threatscore_snapshots",
+        related_query_name="threatscore_snapshot",
+    )
+
+    compliance_id = models.CharField(
+        max_length=100,
+        blank=False,
+        null=False,
+        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
+    )
+
+    # Overall ThreatScore metrics
+    overall_score = models.DecimalField(
+        max_digits=5,
+        decimal_places=2,
+        help_text="Overall ThreatScore percentage (0-100)",
+    )
+
+    # Score improvement/degradation compared to previous snapshot
+    score_delta = models.DecimalField(
+        max_digits=5,
+        decimal_places=2,
+        null=True,
+        blank=True,
+        help_text="Score change compared to previous snapshot (positive = improvement)",
+    )
+
+    # Section breakdown stored as JSON
+    # Format: {"1. IAM": 85.5, "2. Attack Surface": 92.3, ...}
+    section_scores = models.JSONField(
+        default=dict,
+        blank=True,
+        help_text="ThreatScore breakdown by section",
+    )
+
+    # Critical requirements metadata stored as JSON
+    # Format: [{"requirement_id": "...", "risk_level": 5, "weight": 150, ...}, ...]
+    critical_requirements = models.JSONField(
+        default=list,
+        blank=True,
+        help_text="List of critical failed requirements (risk >= 4)",
+    )
+
+    # Summary statistics
+    total_requirements = models.IntegerField(
+        default=0,
+        help_text="Total number of requirements evaluated",
+    )
+
+    passed_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with PASS status",
+    )
+
+    failed_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with FAIL status",
+    )
+
+    manual_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with MANUAL status",
+    )
+
+    total_findings = models.IntegerField(
+        default=0,
+        help_text="Total number of findings across all requirements",
+    )
+
+    passed_findings = models.IntegerField(
+        default=0,
+        help_text="Number of findings with PASS status",
+    )
+
+    failed_findings = models.IntegerField(
+        default=0,
+        help_text="Number of findings with FAIL status",
+    )
+
+    def __str__(self):
+        return f"ThreatScore {self.overall_score}% for scan {self.scan_id} ({self.inserted_at})"
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "threatscore_snapshots"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ]
+
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "scan_id"],
+                name="threatscore_snap_t_scan_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "provider_id"],
+                name="threatscore_snap_t_prov_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "inserted_at"],
+                name="threatscore_snap_t_time_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "threatscore-snapshots"
@@ -36,6 +36,143 @@ def _extract_task_example_from_components(components):
    }


+def fix_empty_id_fields(result, generator, request, public):  # noqa: F841
+    """
+    Fix empty id fields in JSON:API request schemas.
+    drf-spectacular-jsonapi sometimes generates empty id field definitions ({})
+    which cause validation errors in Mintlify and other OpenAPI validators.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    components = result.get("components", {}) or {}
+    schemas = components.get("schemas", {}) or {}
+
+    for schema_name, schema in schemas.items():
+        if not isinstance(schema, dict):
+            continue
+
+        # Check if this is a JSON:API request schema with a data object
+        properties = schema.get("properties", {})
+        if not isinstance(properties, dict):
+            continue
+
+        data_prop = properties.get("data")
+        if not isinstance(data_prop, dict):
+            continue
+
+        data_properties = data_prop.get("properties", {})
+        if not isinstance(data_properties, dict):
+            continue
+
+        # Fix empty id field
+        id_field = data_properties.get("id")
+        if id_field == {} or (isinstance(id_field, dict) and not id_field):
+            data_properties["id"] = {
+                "type": "string",
+                "format": "uuid",
+                "description": "Unique identifier for this resource object.",
+            }
+
+    return result
+
+
+def convert_pattern_properties_to_additional(obj):
+    """
+    Recursively convert patternProperties to additionalProperties.
+    OpenAPI 3.0.x doesn't support patternProperties (only available in 3.1+).
+    """
+    if isinstance(obj, dict):
+        if "patternProperties" in obj:
+            # Get the pattern and its schema
+            pattern_props = obj.pop("patternProperties")
+            # Use the first pattern's schema as additionalProperties
+            if pattern_props:
+                first_pattern_schema = next(iter(pattern_props.values()))
+                obj["additionalProperties"] = first_pattern_schema
+
+        # Recursively process all nested objects
+        for key, value in obj.items():
+            obj[key] = convert_pattern_properties_to_additional(value)
+    elif isinstance(obj, list):
+        return [convert_pattern_properties_to_additional(item) for item in obj]
+
+    return obj
+
+
+def fix_pattern_properties(result, generator, request, public):  # noqa: F841
+    """
+    Convert patternProperties to additionalProperties for OpenAPI 3.0 compatibility.
+    patternProperties is only supported in OpenAPI 3.1+, but drf-spectacular
+    generates OpenAPI 3.0.x specs.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    return convert_pattern_properties_to_additional(result)
+
+
+def fix_invalid_types(obj):
+    """
+    Recursively fix invalid type values in OpenAPI schemas.
+    Converts invalid types like "email" to proper OpenAPI format.
+    """
+    if isinstance(obj, dict):
+        # Fix invalid "type" values
+        if "type" in obj:
+            type_value = obj["type"]
+            if type_value == "email":
+                obj["type"] = "string"
+                obj["format"] = "email"
+            elif type_value == "url":
+                obj["type"] = "string"
+                obj["format"] = "uri"
+            elif type_value == "uuid":
+                obj["type"] = "string"
+                obj["format"] = "uuid"
+
+        # Recursively process all nested objects
+        for key, value in list(obj.items()):
+            obj[key] = fix_invalid_types(value)
+    elif isinstance(obj, list):
+        return [fix_invalid_types(item) for item in obj]
+
+    return obj
+
+
+def fix_type_formats(result, generator, request, public):  # noqa: F841
+    """
+    Fix invalid type values in OpenAPI schemas.
+    drf-spectacular sometimes generates invalid type values like "email"
+    instead of "type": "string" with "format": "email".
+    """
+    if not isinstance(result, dict):
+        return result
+
+    return fix_invalid_types(result)
+
+
+def add_api_servers(result, generator, request, public):  # noqa: F841
+    """
+    Add servers configuration to OpenAPI spec for Mintlify API playground.
+    This enables the "Try it out" feature in the documentation.
+    Only adds the production URL to ensure consistent documentation.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    # Add servers array if not already present
+    if "servers" not in result:
+        result["servers"] = [
+            {
+                "url": "https://api.prowler.com",
+                "description": "Prowler Cloud API",
+            }
+        ]
+
+    return result
+
+
 def attach_task_202_examples(result, generator, request, public):  # noqa: F841
    if not isinstance(result, dict):
        return result
@@ -6,7 +6,14 @@ from django.dispatch import receiver
 from django_celery_results.backends.database import DatabaseBackend

 from api.db_utils import delete_related_daily_task
-from api.models import Membership, Provider, TenantAPIKey, User
+from api.models import (
+    LighthouseProviderConfiguration,
+    LighthouseTenantConfiguration,
+    Membership,
+    Provider,
+    TenantAPIKey,
+    User,
+)


 def create_task_result_on_publish(sender=None, headers=None, **kwargs):  # noqa: F841
@@ -56,3 +63,33 @@ def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
    TenantAPIKey.objects.filter(
        entity=instance.user, tenant_id=instance.tenant.id
    ).update(revoked=True)
+
+
+@receiver(pre_delete, sender=LighthouseProviderConfiguration)
+def cleanup_lighthouse_defaults_before_delete(sender, instance, **kwargs):  # noqa: F841
+    """
+    Ensure tenant Lighthouse defaults do not reference a soon-to-be-deleted provider.
+
+    This runs for both per-instance deletes and queryset (bulk) deletes.
+    """
+    try:
+        tenant_cfg = LighthouseTenantConfiguration.objects.get(
+            tenant_id=instance.tenant_id
+        )
+    except LighthouseTenantConfiguration.DoesNotExist:
+        return
+
+    updated = False
+    defaults = tenant_cfg.default_models or {}
+
+    if instance.provider_type in defaults:
+        defaults.pop(instance.provider_type, None)
+        tenant_cfg.default_models = defaults
+        updated = True
+
+    if tenant_cfg.default_provider == instance.provider_type:
+        tenant_cfg.default_provider = ""
+        updated = True
+
+    if updated:
+        tenant_cfg.save()
@@ -20,8 +20,11 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHubConnection
 from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
+from prowler.providers.github.github_provider import GithubProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
+from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
+from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider


 class TestMergeDicts:
@@ -108,6 +111,9 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.AZURE.value, AzureProvider),
            (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
            (Provider.ProviderChoices.M365.value, M365Provider),
+            (Provider.ProviderChoices.GITHUB.value, GithubProvider),
+            (Provider.ProviderChoices.MONGODBATLAS.value, MongodbatlasProvider),
+            (Provider.ProviderChoices.ORACLECLOUD.value, OraclecloudProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -203,6 +209,14 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.GITHUB.value,
                {"organizations": ["provider_uid"]},
            ),
+            (
+                Provider.ProviderChoices.ORACLECLOUD.value,
+                {},
+            ),
+            (
+                Provider.ProviderChoices.MONGODBATLAS.value,
+                {"atlas_organization_id": "provider_uid"},
+            ),
        ],
    )
    def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -18,8 +18,11 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.common.models import Connection
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
+from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
+from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
+from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider


 class CustomOAuth2Client(OAuth2Client):
@@ -65,8 +68,11 @@ def return_prowler_provider(
    | AzureProvider
    | GcpProvider
    | GithubProvider
+    | IacProvider
    | KubernetesProvider
    | M365Provider
+    | MongodbatlasProvider
+    | OraclecloudProvider
 ]:
    """Return the Prowler provider class based on the given provider type.

@@ -74,7 +80,7 @@ def return_prowler_provider(
        provider (Provider): The provider object containing the provider type and associated secrets.

    Returns:
-        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider: The corresponding provider class.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | OraclecloudProvider | MongodbatlasProvider: The corresponding provider class.

    Raises:
        ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -92,6 +98,12 @@ def return_prowler_provider(
            prowler_provider = M365Provider
        case Provider.ProviderChoices.GITHUB.value:
            prowler_provider = GithubProvider
+        case Provider.ProviderChoices.MONGODBATLAS.value:
+            prowler_provider = MongodbatlasProvider
+        case Provider.ProviderChoices.IAC.value:
+            prowler_provider = IacProvider
+        case Provider.ProviderChoices.ORACLECLOUD.value:
+            prowler_provider = OraclecloudProvider
        case _:
            raise ValueError(f"Provider type {provider.provider} not supported")
    return prowler_provider
@@ -128,6 +140,21 @@ def get_prowler_provider_kwargs(
                **prowler_provider_kwargs,
                "organizations": [provider.uid],
            }
+    elif provider.provider == Provider.ProviderChoices.IAC.value:
+        # For IaC provider, uid contains the repository URL
+        # Extract the access token if present in the secret
+        prowler_provider_kwargs = {
+            "scan_repository_url": provider.uid,
+        }
+        if "access_token" in provider.secret.secret:
+            prowler_provider_kwargs["oauth_app_token"] = provider.secret.secret[
+                "access_token"
+            ]
+    elif provider.provider == Provider.ProviderChoices.MONGODBATLAS.value:
+        prowler_provider_kwargs = {
+            **prowler_provider_kwargs,
+            "atlas_organization_id": provider.uid,
+        }

    if mutelist_processor:
        mutelist_content = mutelist_processor.configuration.get("Mutelist", {})
@@ -145,8 +172,11 @@ def initialize_prowler_provider(
    | AzureProvider
    | GcpProvider
    | GithubProvider
+    | IacProvider
    | KubernetesProvider
    | M365Provider
+    | MongodbatlasProvider
+    | OraclecloudProvider
 ):
    """Initialize a Prowler provider instance based on the given provider type.

@@ -155,8 +185,8 @@ def initialize_prowler_provider(
        mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.

    Returns:
-        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider: An instance of the corresponding provider class
-            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `GithubProvider`, `KubernetesProvider` or `M365Provider`) initialized with the
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | OraclecloudProvider | MongodbatlasProvider: An instance of the corresponding provider class
+            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `GithubProvider`, `IacProvider`, `KubernetesProvider`, `M365Provider`, `OraclecloudProvider` or `MongodbatlasProvider`) initialized with the
            provider's secrets.
    """
    prowler_provider = return_prowler_provider(provider)
@@ -180,9 +210,23 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
    except Provider.secret.RelatedObjectDoesNotExist as secret_error:
        return Connection(is_connected=False, error=secret_error)

-    return prowler_provider.test_connection(
-        **prowler_provider_kwargs, provider_id=provider.uid, raise_on_exception=False
-    )
+    # For IaC provider, construct the kwargs properly for test_connection
+    if provider.provider == Provider.ProviderChoices.IAC.value:
+        # Don't pass repository_url from secret, use scan_repository_url with the UID
+        iac_test_kwargs = {
+            "scan_repository_url": provider.uid,
+            "raise_on_exception": False,
+        }
+        # Add access_token if present in the secret
+        if "access_token" in prowler_provider_kwargs:
+            iac_test_kwargs["access_token"] = prowler_provider_kwargs["access_token"]
+        return prowler_provider.test_connection(**iac_test_kwargs)
+    else:
+        return prowler_provider.test_connection(
+            **prowler_provider_kwargs,
+            provider_id=provider.uid,
+            raise_on_exception=False,
+        )


 def prowler_integration_connection_test(integration: Integration) -> Connection:
@@ -12,6 +12,24 @@ from api.models import StateChoices, Task
 from api.v1.serializers import TaskSerializer


+class DisablePaginationMixin:
+    disable_pagination_query_param = "page[disable]"
+    disable_pagination_truthy_values = {"true"}
+
+    def should_disable_pagination(self) -> bool:
+        if not hasattr(self, "request"):
+            return False
+        value = self.request.query_params.get(self.disable_pagination_query_param)
+        if value is None:
+            return False
+        return str(value).lower() in self.disable_pagination_truthy_values
+
+    def paginate_queryset(self, queryset):
+        if self.should_disable_pagination():
+            return None
+        return super().paginate_queryset(queryset)
+
+
 class PaginateByPkMixin:
    """
    Mixin to paginate on a list of PKs (cheaper than heavy JOINs),
@@ -0,0 +1,209 @@
+import re
+
+from drf_spectacular.utils import extend_schema_field
+from rest_framework_json_api import serializers
+
+
+class OpenAICredentialsSerializer(serializers.Serializer):
+    api_key = serializers.CharField()
+
+    def validate_api_key(self, value: str) -> str:
+        pattern = r"^sk-[\w-]+$"
+        if not re.match(pattern, value or ""):
+            raise serializers.ValidationError("Invalid OpenAI API key format.")
+        return value
+
+    def to_internal_value(self, data):
+        """Check for unknown fields before DRF filters them out."""
+        if not isinstance(data, dict):
+            raise serializers.ValidationError(
+                {"non_field_errors": ["Credentials must be an object"]}
+            )
+
+        allowed_fields = set(self.fields.keys())
+        provided_fields = set(data.keys())
+        extra_fields = provided_fields - allowed_fields
+
+        if extra_fields:
+            raise serializers.ValidationError(
+                {
+                    "non_field_errors": [
+                        f"Unknown fields in credentials: {', '.join(sorted(extra_fields))}"
+                    ]
+                }
+            )
+
+        return super().to_internal_value(data)
+
+
+class BedrockCredentialsSerializer(serializers.Serializer):
+    """
+    Serializer for AWS Bedrock credentials validation.
+
+    Validates long-term AWS credentials (AKIA) and region format.
+    """
+
+    access_key_id = serializers.CharField()
+    secret_access_key = serializers.CharField()
+    region = serializers.CharField()
+
+    def validate_access_key_id(self, value: str) -> str:
+        """Validate AWS access key ID format (AKIA for long-term credentials)."""
+        pattern = r"^AKIA[0-9A-Z]{16}$"
+        if not re.match(pattern, value or ""):
+            raise serializers.ValidationError(
+                "Invalid AWS access key ID format. Must be AKIA followed by 16 alphanumeric characters."
+            )
+        return value
+
+    def validate_secret_access_key(self, value: str) -> str:
+        """Validate AWS secret access key format (40 base64 characters)."""
+        pattern = r"^[A-Za-z0-9/+=]{40}$"
+        if not re.match(pattern, value or ""):
+            raise serializers.ValidationError(
+                "Invalid AWS secret access key format. Must be 40 base64 characters."
+            )
+        return value
+
+    def validate_region(self, value: str) -> str:
+        """Validate AWS region format."""
+        pattern = r"^[a-z]{2}-[a-z]+-\d+$"
+        if not re.match(pattern, value or ""):
+            raise serializers.ValidationError(
+                "Invalid AWS region format. Expected format like 'us-east-1' or 'eu-west-2'."
+            )
+        return value
+
+    def to_internal_value(self, data):
+        """Check for unknown fields before DRF filters them out."""
+        if not isinstance(data, dict):
+            raise serializers.ValidationError(
+                {"non_field_errors": ["Credentials must be an object"]}
+            )
+
+        allowed_fields = set(self.fields.keys())
+        provided_fields = set(data.keys())
+        extra_fields = provided_fields - allowed_fields
+
+        if extra_fields:
+            raise serializers.ValidationError(
+                {
+                    "non_field_errors": [
+                        f"Unknown fields in credentials: {', '.join(sorted(extra_fields))}"
+                    ]
+                }
+            )
+
+        return super().to_internal_value(data)
+
+
+class BedrockCredentialsUpdateSerializer(BedrockCredentialsSerializer):
+    """
+    Serializer for AWS Bedrock credentials during UPDATE operations.
+
+    Inherits all validation logic from BedrockCredentialsSerializer but makes
+    all fields optional to support partial updates.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # Make all fields optional for updates
+        for field in self.fields.values():
+            field.required = False
+
+
+class OpenAICompatibleCredentialsSerializer(serializers.Serializer):
+    """
+    Minimal serializer for OpenAI-compatible credentials.
+
+    Many OpenAI-compatible providers do not use the same key format as OpenAI.
+    We only require a non-empty API key string. Additional fields can be added later
+    without breaking existing configurations.
+    """
+
+    api_key = serializers.CharField()
+
+    def validate_api_key(self, value: str) -> str:
+        if not isinstance(value, str) or not value.strip():
+            raise serializers.ValidationError("API key is required.")
+        return value.strip()
+
+    def to_internal_value(self, data):
+        """Check for unknown fields before DRF filters them out."""
+        if not isinstance(data, dict):
+            raise serializers.ValidationError(
+                {"non_field_errors": ["Credentials must be an object"]}
+            )
+
+        allowed_fields = set(self.fields.keys())
+        provided_fields = set(data.keys())
+        extra_fields = provided_fields - allowed_fields
+
+        if extra_fields:
+            raise serializers.ValidationError(
+                {
+                    "non_field_errors": [
+                        f"Unknown fields in credentials: {', '.join(sorted(extra_fields))}"
+                    ]
+                }
+            )
+
+        return super().to_internal_value(data)
+
+
+@extend_schema_field(
+    {
+        "oneOf": [
+            {
+                "type": "object",
+                "title": "OpenAI Credentials",
+                "properties": {
+                    "api_key": {
+                        "type": "string",
+                        "description": "OpenAI API key. Must start with 'sk-' followed by alphanumeric characters, "
+                        "hyphens, or underscores.",
+                        "pattern": "^sk-[\\w-]+$",
+                    }
+                },
+                "required": ["api_key"],
+            },
+            {
+                "type": "object",
+                "title": "AWS Bedrock Credentials",
+                "properties": {
+                    "access_key_id": {
+                        "type": "string",
+                        "description": "AWS access key ID.",
+                        "pattern": "^AKIA[0-9A-Z]{16}$",
+                    },
+                    "secret_access_key": {
+                        "type": "string",
+                        "description": "AWS secret access key.",
+                        "pattern": "^[A-Za-z0-9/+=]{40}$",
+                    },
+                    "region": {
+                        "type": "string",
+                        "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
+                        "us-west-2, eu-west-1, ap-northeast-1.",
+                        "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
+                    },
+                },
+                "required": ["access_key_id", "secret_access_key", "region"],
+            },
+            {
+                "type": "object",
+                "title": "OpenAI Compatible Credentials",
+                "properties": {
+                    "api_key": {
+                        "type": "string",
+                        "description": "API key for OpenAI-compatible provider. The format varies by provider. "
+                        "Note: The 'base_url' field (separate from credentials) is required when using this provider type.",
+                    }
+                },
+                "required": ["api_key"],
+            },
+        ]
+    }
+)
+class LighthouseCredentialsField(serializers.JSONField):
+    pass
@@ -239,6 +239,71 @@ from rest_framework_json_api import serializers
                },
                "required": ["github_app_id", "github_app_key"],
            },
+            {
+                "type": "object",
+                "title": "IaC Repository Credentials",
+                "properties": {
+                    "repository_url": {
+                        "type": "string",
+                        "description": "Repository URL to scan for IaC files.",
+                    },
+                    "access_token": {
+                        "type": "string",
+                        "description": "Optional access token for private repositories.",
+                    },
+                },
+                "required": ["repository_url"],
+            },
+            {
+                "type": "object",
+                "title": "Oracle Cloud Infrastructure (OCI) API Key Credentials",
+                "properties": {
+                    "user": {
+                        "type": "string",
+                        "description": "The OCID of the user to authenticate with.",
+                    },
+                    "fingerprint": {
+                        "type": "string",
+                        "description": "The fingerprint of the API signing key.",
+                    },
+                    "key_file": {
+                        "type": "string",
+                        "description": "The path to the private key file for API signing. Either key_file or key_content must be provided.",
+                    },
+                    "key_content": {
+                        "type": "string",
+                        "description": "The content of the private key for API signing (base64 encoded). Either key_file or key_content must be provided.",
+                    },
+                    "tenancy": {
+                        "type": "string",
+                        "description": "The OCID of the tenancy.",
+                    },
+                    "region": {
+                        "type": "string",
+                        "description": "The OCI region identifier (e.g., us-ashburn-1, us-phoenix-1).",
+                    },
+                    "pass_phrase": {
+                        "type": "string",
+                        "description": "The passphrase for the private key, if encrypted.",
+                    },
+                },
+                "required": ["user", "fingerprint", "tenancy", "region"],
+            },
+            {
+                "type": "object",
+                "title": "MongoDB Atlas API Key",
+                "properties": {
+                    "atlas_public_key": {
+                        "type": "string",
+                        "description": "MongoDB Atlas API public key.",
+                    },
+                    "atlas_private_key": {
+                        "type": "string",
+                        "description": "MongoDB Atlas API private key.",
+                    },
+                },
+                "required": ["atlas_public_key", "atlas_private_key"],
+            },
        ]
    }
 )
@@ -6,8 +6,10 @@ from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import update_last_login
 from django.contrib.auth.password_validation import validate_password
+from django.db import IntegrityError
 from drf_spectacular.utils import extend_schema_field
 from jwt.exceptions import InvalidKeyError
+from rest_framework.reverse import reverse
 from rest_framework.validators import UniqueTogetherValidator
 from rest_framework_json_api import serializers
 from rest_framework_json_api.relations import SerializerMethodResourceRelatedField
@@ -25,7 +27,11 @@ from api.models import (
    Invitation,
    InvitationRoleRelationship,
    LighthouseConfiguration,
+    LighthouseProviderConfiguration,
+    LighthouseProviderModels,
+    LighthouseTenantConfiguration,
    Membership,
+    MuteRule,
    Processor,
    Provider,
    ProviderGroup,
@@ -41,6 +47,7 @@ from api.models import (
    StatusChoices,
    Task,
    TenantAPIKey,
+    ThreatScoreSnapshot,
    User,
    UserRoleRelationship,
 )
@@ -54,6 +61,13 @@ from api.v1.serializer_utils.integrations import (
    S3ConfigSerializer,
    SecurityHubConfigSerializer,
 )
+from api.v1.serializer_utils.lighthouse import (
+    BedrockCredentialsSerializer,
+    BedrockCredentialsUpdateSerializer,
+    LighthouseCredentialsField,
+    OpenAICompatibleCredentialsSerializer,
+    OpenAICredentialsSerializer,
+)
 from api.v1.serializer_utils.processors import ProcessorConfigField
 from api.v1.serializer_utils.providers import ProviderSecretField
 from prowler.lib.mutelist.mutelist import Mutelist
@@ -1349,10 +1363,16 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = GCPProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GITHUB.value:
                serializer = GithubProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.IAC.value:
+                serializer = IacProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.KUBERNETES.value:
                serializer = KubernetesProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.M365.value:
                serializer = M365ProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.ORACLECLOUD.value:
+                serializer = OracleCloudProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.MONGODBATLAS.value:
+                serializer = MongoDBAtlasProviderSecret(data=secret)
            else:
                raise serializers.ValidationError(
                    {"provider": f"Provider type not supported {provider_type}"}
@@ -1449,6 +1469,14 @@ class GCPServiceAccountProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


+class MongoDBAtlasProviderSecret(serializers.Serializer):
+    atlas_public_key = serializers.CharField()
+    atlas_private_key = serializers.CharField()
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class KubernetesProviderSecret(serializers.Serializer):
    kubeconfig_content = serializers.CharField()

@@ -1466,6 +1494,27 @@ class GithubProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


+class IacProviderSecret(serializers.Serializer):
+    repository_url = serializers.CharField()
+    access_token = serializers.CharField(required=False)
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
+class OracleCloudProviderSecret(serializers.Serializer):
+    user = serializers.CharField()
+    fingerprint = serializers.CharField()
+    key_file = serializers.CharField(required=False)
+    key_content = serializers.CharField(required=False)
+    tenancy = serializers.CharField()
+    region = serializers.CharField()
+    pass_phrase = serializers.CharField(required=False)
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class AWSRoleAssumptionProviderSecret(serializers.Serializer):
    role_arn = serializers.CharField()
    external_id = serializers.CharField()
@@ -2099,6 +2148,17 @@ class OverviewProviderSerializer(serializers.Serializer):
        }


+class OverviewProviderCountSerializer(serializers.Serializer):
+    id = serializers.CharField(source="provider")
+    count = serializers.IntegerField()
+
+    class JSONAPIMeta:
+        resource_name = "providers-count-overview"
+
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
+
 class OverviewFindingSerializer(serializers.Serializer):
    id = serializers.CharField(default="n/a")
    new = serializers.IntegerField()
@@ -2750,6 +2810,16 @@ class LighthouseConfigCreateSerializer(RLSSerializer, BaseWriteSerializer):
            "updated_at": {"read_only": True},
        }

+    def validate_temperature(self, value):
+        if not 0 <= value <= 1:
+            raise ValidationError("Temperature must be between 0 and 1.")
+        return value
+
+    def validate_max_tokens(self, value):
+        if not 500 <= value <= 5000:
+            raise ValidationError("Max tokens must be between 500 and 5000.")
+        return value
+
    def validate(self, attrs):
        tenant_id = self.context.get("request").tenant_id
        if LighthouseConfiguration.objects.filter(tenant_id=tenant_id).exists():
@@ -2758,6 +2828,11 @@ class LighthouseConfigCreateSerializer(RLSSerializer, BaseWriteSerializer):
                    "tenant_id": "Lighthouse configuration already exists for this tenant."
                }
            )
+        api_key = attrs.get("api_key")
+        if api_key is not None:
+            OpenAICredentialsSerializer(data={"api_key": api_key}).is_valid(
+                raise_exception=True
+            )
        return super().validate(attrs)

    def create(self, validated_data):
@@ -2802,6 +2877,24 @@ class LighthouseConfigUpdateSerializer(BaseWriteSerializer):
            "max_tokens": {"required": False},
        }

+    def validate_temperature(self, value):
+        if not 0 <= value <= 1:
+            raise ValidationError("Temperature must be between 0 and 1.")
+        return value
+
+    def validate_max_tokens(self, value):
+        if not 500 <= value <= 5000:
+            raise ValidationError("Max tokens must be between 500 and 5000.")
+        return value
+
+    def validate(self, attrs):
+        api_key = attrs.get("api_key", None)
+        if api_key is not None:
+            OpenAICredentialsSerializer(data={"api_key": api_key}).is_valid(
+                raise_exception=True
+            )
+        return super().validate(attrs)
+
    def update(self, instance, validated_data):
        api_key = validated_data.pop("api_key", None)
        instance = super().update(instance, validated_data)
@@ -2931,3 +3024,667 @@ class TenantApiKeyUpdateSerializer(RLSSerializer, BaseWriteSerializer):
        ):
            raise ValidationError("An API key with this name already exists.")
        return value
+
+
+# Lighthouse: Provider configurations
+
+
+class LighthouseProviderConfigSerializer(RLSSerializer):
+    """
+    Read serializer for LighthouseProviderConfiguration.
+    """
+
+    # Decrypted credentials are only returned in to_representation when requested
+    credentials = serializers.JSONField(required=False, read_only=True)
+
+    class Meta:
+        model = LighthouseProviderConfiguration
+        fields = [
+            "id",
+            "inserted_at",
+            "updated_at",
+            "provider_type",
+            "base_url",
+            "is_active",
+            "credentials",
+            "url",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "inserted_at": {"read_only": True},
+            "updated_at": {"read_only": True},
+            "is_active": {"read_only": True},
+            "url": {"read_only": True, "view_name": "lighthouse-providers-detail"},
+        }
+
+    class JSONAPIMeta:
+        resource_name = "lighthouse-providers"
+
+    def to_representation(self, instance):
+        data = super().to_representation(instance)
+        # Support JSON:API fields filter: fields[lighthouse-providers]=credentials,base_url
+        fields_param = self.context.get("request", None) and self.context[
+            "request"
+        ].query_params.get("fields[lighthouse-providers]", "")
+
+        creds = instance.credentials_decoded
+
+        requested_fields = (
+            [f.strip() for f in fields_param.split(",")] if fields_param else []
+        )
+
+        if "credentials" in requested_fields:
+            # Return full decrypted credentials JSON
+            data["credentials"] = creds
+        else:
+            # Return masked credentials by default
+            def mask_value(value):
+                if isinstance(value, str):
+                    return "*" * len(value)
+                if isinstance(value, dict):
+                    return {k: mask_value(v) for k, v in value.items()}
+                if isinstance(value, list):
+                    return [mask_value(v) for v in value]
+                return value
+
+            # Always return masked credentials, even if creds is None
+            if creds is not None:
+                data["credentials"] = mask_value(creds)
+            else:
+                # If credentials_decoded returns None, return None for credentials field
+                data["credentials"] = None
+
+        return data
+
+
+class LighthouseProviderConfigCreateSerializer(RLSSerializer, BaseWriteSerializer):
+    """
+    Create serializer for LighthouseProviderConfiguration.
+    Accepts credentials as JSON; stored encrypted via credentials_decoded.
+    """
+
+    credentials = LighthouseCredentialsField(write_only=True, required=True)
+    base_url = serializers.URLField(
+        required=False,
+        allow_null=True,
+        help_text="Base URL for the LLM provider API. Required for 'openai_compatible' provider type.",
+    )
+
+    class Meta:
+        model = LighthouseProviderConfiguration
+        fields = [
+            "provider_type",
+            "base_url",
+            "credentials",
+            "is_active",
+        ]
+        extra_kwargs = {
+            "is_active": {"required": False},
+            "provider_type": {
+                "help_text": "LLM provider type. Determines which credential format to use. "
+                "See 'credentials' field documentation for provider-specific requirements."
+            },
+        }
+
+    def create(self, validated_data):
+        credentials = validated_data.pop("credentials")
+
+        instance = LighthouseProviderConfiguration(**validated_data)
+        instance.tenant_id = self.context.get("tenant_id")
+        instance.credentials_decoded = credentials
+
+        try:
+            instance.save()
+            return instance
+        except IntegrityError:
+            raise ValidationError(
+                {
+                    "provider_type": "Configuration for this provider already exists for the tenant."
+                }
+            )
+
+    def validate(self, attrs):
+        provider_type = attrs.get("provider_type")
+        credentials = attrs.get("credentials") or {}
+        base_url = attrs.get("base_url")
+
+        if provider_type == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI:
+            try:
+                OpenAICredentialsSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+        elif (
+            provider_type == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
+        ):
+            try:
+                BedrockCredentialsSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+        elif (
+            provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE
+        ):
+            if not base_url:
+                raise ValidationError({"base_url": "Base URL is required."})
+            try:
+                OpenAICompatibleCredentialsSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+
+        return super().validate(attrs)
+
+
+class LighthouseProviderConfigUpdateSerializer(BaseWriteSerializer):
+    """
+    Update serializer for LighthouseProviderConfiguration.
+    """
+
+    credentials = LighthouseCredentialsField(write_only=True, required=False)
+    base_url = serializers.URLField(
+        required=False,
+        allow_null=True,
+        help_text="Base URL for the LLM provider API. Required for 'openai_compatible' provider type.",
+    )
+
+    class Meta:
+        model = LighthouseProviderConfiguration
+        fields = [
+            "id",
+            "provider_type",
+            "base_url",
+            "credentials",
+            "is_active",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "provider_type": {"read_only": True},
+            "is_active": {"required": False},
+        }
+
+    def update(self, instance, validated_data):
+        credentials = validated_data.pop("credentials", None)
+
+        for attr, value in validated_data.items():
+            setattr(instance, attr, value)
+
+        if credentials is not None:
+            # Merge partial credentials with existing ones
+            # New values overwrite existing ones, but unspecified fields are preserved
+            existing_credentials = instance.credentials_decoded or {}
+            merged_credentials = {**existing_credentials, **credentials}
+            instance.credentials_decoded = merged_credentials
+
+        instance.save()
+        return instance
+
+    def validate(self, attrs):
+        provider_type = getattr(self.instance, "provider_type", None)
+        credentials = attrs.get("credentials", None)
+        base_url = attrs.get("base_url", None)
+
+        if (
+            credentials is not None
+            and provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI
+        ):
+            try:
+                OpenAICredentialsSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+        elif (
+            credentials is not None
+            and provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
+        ):
+            try:
+                BedrockCredentialsUpdateSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+        elif (
+            credentials is not None
+            and provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE
+        ):
+            if base_url is None:
+                pass
+            elif not base_url:
+                raise ValidationError({"base_url": "Base URL cannot be empty."})
+            try:
+                OpenAICompatibleCredentialsSerializer(data=credentials).is_valid(
+                    raise_exception=True
+                )
+            except ValidationError as e:
+                details = e.detail.copy()
+                for key, value in details.items():
+                    e.detail[f"credentials/{key}"] = value
+                    del e.detail[key]
+                raise e
+
+        return super().validate(attrs)
+
+
+# Lighthouse: Tenant configuration
+
+
+class LighthouseTenantConfigSerializer(RLSSerializer):
+    """
+    Read serializer for LighthouseTenantConfiguration.
+    """
+
+    # Build singleton URL without pk
+    url = serializers.SerializerMethodField()
+
+    def get_url(self, obj):
+        request = self.context.get("request")
+        return reverse("lighthouse-configurations", request=request)
+
+    class Meta:
+        model = LighthouseTenantConfiguration
+        fields = [
+            "id",
+            "inserted_at",
+            "updated_at",
+            "business_context",
+            "default_provider",
+            "default_models",
+            "url",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "inserted_at": {"read_only": True},
+            "updated_at": {"read_only": True},
+            "url": {"read_only": True},
+        }
+
+
+class LighthouseTenantConfigUpdateSerializer(BaseWriteSerializer):
+    class Meta:
+        model = LighthouseTenantConfiguration
+        fields = [
+            "id",
+            "business_context",
+            "default_provider",
+            "default_models",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+        }
+
+    def validate(self, attrs):
+        request = self.context.get("request")
+        tenant_id = self.context.get("tenant_id") or (
+            getattr(request, "tenant_id", None) if request else None
+        )
+
+        default_provider = attrs.get(
+            "default_provider", getattr(self.instance, "default_provider", "")
+        )
+        default_models = attrs.get(
+            "default_models", getattr(self.instance, "default_models", {})
+        )
+
+        if default_provider:
+            supported = set(LighthouseProviderConfiguration.LLMProviderChoices.values)
+            if default_provider not in supported:
+                raise ValidationError(
+                    {"default_provider": f"Unsupported provider '{default_provider}'."}
+                )
+            if not LighthouseProviderConfiguration.objects.filter(
+                tenant_id=tenant_id, provider_type=default_provider, is_active=True
+            ).exists():
+                raise ValidationError(
+                    {
+                        "default_provider": f"No active configuration found for '{default_provider}'."
+                    }
+                )
+
+        if default_models is not None and not isinstance(default_models, dict):
+            raise ValidationError(
+                {"default_models": "Must be an object mapping provider -> model_id."}
+            )
+
+        for provider_type, model_id in (default_models or {}).items():
+            provider_cfg = LighthouseProviderConfiguration.objects.filter(
+                tenant_id=tenant_id, provider_type=provider_type, is_active=True
+            ).first()
+            if not provider_cfg:
+                raise ValidationError(
+                    {
+                        "default_models": f"No active configuration for provider '{provider_type}'."
+                    }
+                )
+            if not LighthouseProviderModels.objects.filter(
+                tenant_id=tenant_id,
+                provider_configuration=provider_cfg,
+                model_id=model_id,
+            ).exists():
+                raise ValidationError(
+                    {
+                        "default_models": f"Invalid model '{model_id}' for provider '{provider_type}'."
+                    }
+                )
+
+        return super().validate(attrs)
+
+
+# Lighthouse: Provider models
+
+
+class LighthouseProviderModelsSerializer(RLSSerializer):
+    """
+    Read serializer for LighthouseProviderModels.
+    """
+
+    provider_configuration = serializers.ResourceRelatedField(read_only=True)
+
+    class Meta:
+        model = LighthouseProviderModels
+        fields = [
+            "id",
+            "inserted_at",
+            "updated_at",
+            "provider_configuration",
+            "model_id",
+            "model_name",
+            "default_parameters",
+            "url",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "inserted_at": {"read_only": True},
+            "updated_at": {"read_only": True},
+            "url": {"read_only": True, "view_name": "lighthouse-models-detail"},
+        }
+
+
+class LighthouseProviderModelsCreateSerializer(RLSSerializer, BaseWriteSerializer):
+    provider_configuration = serializers.ResourceRelatedField(
+        queryset=LighthouseProviderConfiguration.objects.all()
+    )
+
+    class Meta:
+        model = LighthouseProviderModels
+        fields = [
+            "provider_configuration",
+            "model_id",
+            "default_parameters",
+        ]
+        extra_kwargs = {
+            "default_parameters": {"required": False},
+        }
+
+
+class LighthouseProviderModelsUpdateSerializer(BaseWriteSerializer):
+    class Meta:
+        model = LighthouseProviderModels
+        fields = [
+            "id",
+            "default_parameters",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+        }
+
+
+# Mute Rules
+
+
+class MuteRuleSerializer(RLSSerializer):
+    """
+    Serializer for reading MuteRule instances.
+    """
+
+    finding_uids = serializers.ListField(
+        child=serializers.CharField(),
+        read_only=True,
+        help_text="List of finding UIDs that are muted by this rule",
+    )
+
+    class Meta:
+        model = MuteRule
+        fields = [
+            "id",
+            "inserted_at",
+            "updated_at",
+            "name",
+            "reason",
+            "enabled",
+            "created_by",
+            "finding_uids",
+        ]
+
+    included_serializers = {
+        "created_by": "api.v1.serializers.UserIncludeSerializer",
+    }
+
+
+class MuteRuleCreateSerializer(RLSSerializer, BaseWriteSerializer):
+    """
+    Serializer for creating new MuteRule instances.
+
+    Accepts finding_ids in the request, converts them to UIDs, and stores in finding_uids.
+    """
+
+    finding_ids = serializers.ListField(
+        child=serializers.UUIDField(),
+        write_only=True,
+        required=True,
+        help_text="List of Finding IDs to mute (will be converted to UIDs)",
+    )
+    finding_uids = serializers.ListField(
+        child=serializers.CharField(),
+        read_only=True,
+        help_text="List of finding UIDs that are muted by this rule",
+    )
+
+    class Meta:
+        model = MuteRule
+        fields = [
+            "id",
+            "inserted_at",
+            "updated_at",
+            "name",
+            "reason",
+            "enabled",
+            "created_by",
+            "finding_ids",
+            "finding_uids",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "inserted_at": {"read_only": True},
+            "updated_at": {"read_only": True},
+            "enabled": {"read_only": True},
+            "created_by": {"read_only": True},
+        }
+
+    def validate_name(self, value):
+        """Validate that the name is unique within the tenant."""
+        tenant_id = self.context.get("tenant_id")
+        if MuteRule.objects.filter(tenant_id=tenant_id, name=value).exists():
+            raise ValidationError("A mute rule with this name already exists.")
+        return value
+
+    def validate_finding_ids(self, value):
+        """Validate that all finding IDs exist and belong to the tenant."""
+        if not value:
+            raise ValidationError("At least one finding_id must be provided.")
+
+        tenant_id = self.context.get("tenant_id")
+
+        # Check that all findings exist and belong to this tenant
+        findings = Finding.all_objects.filter(tenant_id=tenant_id, id__in=value)
+        found_ids = set(findings.values_list("id", flat=True))
+        provided_ids = set(value)
+
+        missing_ids = provided_ids - found_ids
+        if missing_ids:
+            raise ValidationError(
+                f"The following finding IDs do not exist or do not belong to your tenant: {missing_ids}"
+            )
+
+        return value
+
+    def validate(self, data):
+        """Validate the entire mute rule, including overlap detection."""
+        data = super().validate(data)
+
+        tenant_id = self.context.get("tenant_id")
+        finding_ids = data.get("finding_ids", [])
+
+        if not finding_ids:
+            return data
+
+        # Convert finding IDs to UIDs (deduplicate in case multiple findings have same UID)
+        findings = Finding.all_objects.filter(id__in=finding_ids, tenant_id=tenant_id)
+        finding_uids = list(set(findings.values_list("uid", flat=True)))
+
+        # Check for overlaps with existing enabled rules
+        existing_rules = MuteRule.objects.filter(tenant_id=tenant_id, enabled=True)
+
+        for rule in existing_rules:
+            overlap = set(finding_uids) & set(rule.finding_uids)
+            if overlap:
+                raise ConflictException(
+                    detail=f"The following finding UIDs are already muted by rule '{rule.name}': {overlap}"
+                )
+
+        # Store finding_uids in validated_data for create
+        data["finding_uids"] = finding_uids
+
+        return data
+
+    def create(self, validated_data):
+        """Create a new mute rule and set created_by."""
+        # Remove finding_ids from validated_data (we've already converted to finding_uids)
+        validated_data.pop("finding_ids", None)
+
+        # Set created_by to the current user
+        request = self.context.get("request")
+        if request and hasattr(request, "user"):
+            validated_data["created_by"] = request.user
+
+        return super().create(validated_data)
+
+
+class MuteRuleUpdateSerializer(BaseWriteSerializer):
+    """
+    Serializer for updating MuteRule instances.
+    """
+
+    class Meta:
+        model = MuteRule
+        fields = [
+            "id",
+            "name",
+            "reason",
+            "enabled",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "name": {"required": False},
+            "reason": {"required": False},
+            "enabled": {"required": False},
+        }
+
+    def validate_name(self, value):
+        """Validate that the name is unique within the tenant, excluding current instance."""
+        tenant_id = self.context.get("tenant_id")
+        if (
+            MuteRule.objects.filter(tenant_id=tenant_id, name=value)
+            .exclude(id=self.instance.id)
+            .exists()
+        ):
+            raise ValidationError("A mute rule with this name already exists.")
+        return value
+
+
+# ThreatScore Snapshots
+
+
+class ThreatScoreSnapshotSerializer(RLSSerializer):
+    """
+    Serializer for ThreatScore snapshots.
+    Read-only serializer for retrieving historical ThreatScore metrics.
+    """
+
+    id = serializers.SerializerMethodField()
+
+    class Meta:
+        model = ThreatScoreSnapshot
+        fields = [
+            "id",
+            "inserted_at",
+            "scan",
+            "provider",
+            "compliance_id",
+            "overall_score",
+            "score_delta",
+            "section_scores",
+            "critical_requirements",
+            "total_requirements",
+            "passed_requirements",
+            "failed_requirements",
+            "manual_requirements",
+            "total_findings",
+            "passed_findings",
+            "failed_findings",
+        ]
+        extra_kwargs = {
+            "id": {"read_only": True},
+            "inserted_at": {"read_only": True},
+            "scan": {"read_only": True},
+            "provider": {"read_only": True},
+            "compliance_id": {"read_only": True},
+            "overall_score": {"read_only": True},
+            "score_delta": {"read_only": True},
+            "section_scores": {"read_only": True},
+            "critical_requirements": {"read_only": True},
+            "total_requirements": {"read_only": True},
+            "passed_requirements": {"read_only": True},
+            "failed_requirements": {"read_only": True},
+            "manual_requirements": {"read_only": True},
+            "total_findings": {"read_only": True},
+            "passed_findings": {"read_only": True},
+            "failed_findings": {"read_only": True},
+        }
+
+    included_serializers = {
+        "scan": "api.v1.serializers.ScanIncludeSerializer",
+        "provider": "api.v1.serializers.ProviderIncludeSerializer",
+    }
+
+    def get_id(self, obj):
+        if getattr(obj, "_aggregated", False):
+            return "n/a"
+        return str(obj.id)
@@ -17,7 +17,11 @@ from api.v1.views import (
    InvitationAcceptViewSet,
    InvitationViewSet,
    LighthouseConfigViewSet,
+    LighthouseProviderConfigViewSet,
+    LighthouseProviderModelsViewSet,
+    LighthouseTenantConfigViewSet,
    MembershipViewSet,
+    MuteRuleViewSet,
    OverviewViewSet,
    ProcessorViewSet,
    ProviderGroupProvidersRelationshipView,
@@ -34,12 +38,12 @@ from api.v1.views import (
    ScheduleViewSet,
    SchemaView,
    TaskViewSet,
+    TenantApiKeyViewSet,
    TenantFinishACSView,
    TenantMembersViewSet,
    TenantViewSet,
    UserRoleRelationshipView,
    UserViewSet,
-    TenantApiKeyViewSet,
 )

 router = routers.DefaultRouter(trailing_slash=False)
@@ -67,6 +71,17 @@ router.register(
    basename="lighthouseconfiguration",
 )
 router.register(r"api-keys", TenantApiKeyViewSet, basename="api-key")
+router.register(
+    r"lighthouse/providers",
+    LighthouseProviderConfigViewSet,
+    basename="lighthouse-providers",
+)
+router.register(
+    r"lighthouse/models",
+    LighthouseProviderModelsViewSet,
+    basename="lighthouse-models",
+)
+router.register(r"mute-rules", MuteRuleViewSet, basename="mute-rule")

 tenants_router = routers.NestedSimpleRouter(router, r"tenants", lookup="tenant")
 tenants_router.register(
@@ -137,6 +152,13 @@ urlpatterns = [
        ),
        name="provider_group-providers-relationship",
    ),
+    path(
+        "lighthouse/configuration",
+        LighthouseTenantConfigViewSet.as_view(
+            {"get": "list", "patch": "partial_update"}
+        ),
+        name="lighthouse-configurations",
+    ),
    # API endpoint to start SAML SSO flow
    path(
        "auth/saml/initiate/", SAMLInitiateAPIView.as_view(), name="api_saml_initiate"
@@ -1,8 +1,12 @@
 import fnmatch
 import glob
+import json
 import logging
 import os
+from collections import defaultdict
+from copy import deepcopy
 from datetime import datetime, timedelta, timezone
+from decimal import ROUND_HALF_UP, Decimal, InvalidOperation
 from urllib.parse import urljoin

 import sentry_sdk
@@ -23,9 +27,23 @@ from django.conf import settings as django_settings
 from django.contrib.postgres.aggregates import ArrayAgg
 from django.contrib.postgres.search import SearchQuery
 from django.db import transaction
-from django.db.models import Count, F, Prefetch, Q, Subquery, Sum
+from django.db.models import (
+    Case,
+    Count,
+    DecimalField,
+    ExpressionWrapper,
+    F,
+    IntegerField,
+    Max,
+    Prefetch,
+    Q,
+    Subquery,
+    Sum,
+    Value,
+    When,
+)
 from django.db.models.functions import Coalesce
-from django.http import HttpResponse
+from django.http import HttpResponse, QueryDict
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.dateparse import parse_date
@@ -60,11 +78,14 @@ from tasks.tasks import (
    backfill_scan_resource_summaries_task,
    check_integration_connection_task,
    check_lighthouse_connection_task,
+    check_lighthouse_provider_connection_task,
    check_provider_connection_task,
    delete_provider_task,
    delete_tenant_task,
    jira_integration_task,
+    mute_historical_findings_task,
    perform_scan_task,
+    refresh_lighthouse_provider_models_task,
 )

 from api.base_views import BaseRLSViewSet, BaseTenantViewset, BaseUserViewset
@@ -84,7 +105,10 @@ from api.filters import (
    InvitationFilter,
    LatestFindingFilter,
    LatestResourceFilter,
+    LighthouseProviderConfigFilter,
+    LighthouseProviderModelsFilter,
    MembershipFilter,
+    MuteRuleFilter,
    ProcessorFilter,
    ProviderFilter,
    ProviderGroupFilter,
@@ -98,6 +122,7 @@ from api.filters import (
    TaskFilter,
    TenantApiKeyFilter,
    TenantFilter,
+    ThreatScoreSnapshotFilter,
    UserFilter,
 )
 from api.models import (
@@ -106,7 +131,11 @@ from api.models import (
    Integration,
    Invitation,
    LighthouseConfiguration,
+    LighthouseProviderConfiguration,
+    LighthouseProviderModels,
+    LighthouseTenantConfiguration,
    Membership,
+    MuteRule,
    Processor,
    Provider,
    ProviderGroup,
@@ -127,6 +156,7 @@ from api.models import (
    StateChoices,
    Task,
    TenantAPIKey,
+    ThreatScoreSnapshot,
    User,
    UserRoleRelationship,
 )
@@ -139,7 +169,7 @@ from api.utils import (
    validate_invitation,
 )
 from api.uuid_utils import datetime_to_uuid7, uuid7_start
-from api.v1.mixins import PaginateByPkMixin, TaskManagementMixin
+from api.v1.mixins import DisablePaginationMixin, PaginateByPkMixin, TaskManagementMixin
 from api.v1.serializers import (
    ComplianceOverviewAttributesSerializer,
    ComplianceOverviewDetailSerializer,
@@ -160,8 +190,18 @@ from api.v1.serializers import (
    LighthouseConfigCreateSerializer,
    LighthouseConfigSerializer,
    LighthouseConfigUpdateSerializer,
+    LighthouseProviderConfigCreateSerializer,
+    LighthouseProviderConfigSerializer,
+    LighthouseProviderConfigUpdateSerializer,
+    LighthouseProviderModelsSerializer,
+    LighthouseTenantConfigSerializer,
+    LighthouseTenantConfigUpdateSerializer,
    MembershipSerializer,
+    MuteRuleCreateSerializer,
+    MuteRuleSerializer,
+    MuteRuleUpdateSerializer,
    OverviewFindingSerializer,
+    OverviewProviderCountSerializer,
    OverviewProviderSerializer,
    OverviewServiceSerializer,
    OverviewSeveritySerializer,
@@ -197,6 +237,7 @@ from api.v1.serializers import (
    TenantApiKeySerializer,
    TenantApiKeyUpdateSerializer,
    TenantSerializer,
+    ThreatScoreSnapshotSerializer,
    TokenRefreshSerializer,
    TokenSerializer,
    TokenSocialLoginSerializer,
@@ -307,7 +348,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.14.1"
+        spectacular_settings.VERSION = "1.15.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -399,6 +440,12 @@ class SchemaView(SpectacularAPIView):
                "description": "Endpoints for API keys management. These can be used as an alternative to JWT "
                "authorization.",
            },
+            {
+                "name": "Mute Rules",
+                "description": "Endpoints for simple mute rules management. These can be used as an alternative to the"
+                " Mutelist Processor if you need to mute specific findings across your tenant with a "
+                "specific reason.",
+            },
        ]
        return super().get(request, *args, **kwargs)

@@ -1417,7 +1464,7 @@ class ProviderGroupProvidersRelationshipView(RelationshipView, BaseRLSViewSet):
 )
@method_decorator(CACHE_DECORATOR, name="list")
@method_decorator(CACHE_DECORATOR, name="retrieve")
-class ProviderViewSet(BaseRLSViewSet):
+class ProviderViewSet(DisablePaginationMixin, BaseRLSViewSet):
    queryset = Provider.objects.all()
    serializer_class = ProviderSerializer
    http_method_names = ["get", "post", "patch", "delete"]
@@ -3677,6 +3724,13 @@ class ComplianceOverviewViewSet(BaseRLSViewSet, TaskManagementMixin):
            "each provider are considered in the aggregation to ensure accurate and up-to-date insights."
        ),
    ),
+    providers_count=extend_schema(
+        summary="Get provider counts grouped by type",
+        description=(
+            "Retrieve the number of providers grouped by provider type. "
+            "This endpoint counts every provider in the tenant, including those without completed scans."
+        ),
+    ),
    findings=extend_schema(
        summary="Get aggregated findings data",
        description=(
@@ -3728,12 +3782,16 @@ class OverviewViewSet(BaseRLSViewSet):
    def get_serializer_class(self):
        if self.action == "providers":
            return OverviewProviderSerializer
+        elif self.action == "providers_count":
+            return OverviewProviderCountSerializer
        elif self.action == "findings":
            return OverviewFindingSerializer
        elif self.action == "findings_severity":
            return OverviewSeveritySerializer
        elif self.action == "services":
            return OverviewServiceSerializer
+        elif self.action == "threatscore":
+            return ThreatScoreSnapshotSerializer
        return super().get_serializer_class()

    def get_filterset_class(self):
@@ -3815,6 +3873,36 @@ class OverviewViewSet(BaseRLSViewSet):
            status=status.HTTP_200_OK,
        )

+    @action(
+        detail=False,
+        methods=["get"],
+        url_path="providers/count",
+        url_name="providers-count",
+    )
+    def providers_count(self, request):
+        tenant_id = self.request.tenant_id
+        providers_qs = Provider.objects.filter(tenant_id=tenant_id)
+
+        if hasattr(self, "allowed_providers"):
+            allowed_ids = list(self.allowed_providers.values_list("id", flat=True))
+            if not allowed_ids:
+                overview = []
+                return Response(
+                    self.get_serializer(overview, many=True).data,
+                    status=status.HTTP_200_OK,
+                )
+            providers_qs = providers_qs.filter(id__in=allowed_ids)
+
+        overview = (
+            providers_qs.values("provider")
+            .annotate(count=Count("id"))
+            .order_by("provider")
+        )
+        return Response(
+            self.get_serializer(overview, many=True).data,
+            status=status.HTTP_200_OK,
+        )
+
    @action(detail=False, methods=["get"], url_name="findings")
    def findings(self, request):
        tenant_id = self.request.tenant_id
@@ -3945,6 +4033,332 @@ class OverviewViewSet(BaseRLSViewSet):

        return Response(serializer.data, status=status.HTTP_200_OK)

+    @extend_schema(
+        summary="Get ThreatScore snapshots",
+        description=(
+            "Retrieve ThreatScore metrics. By default, returns the latest snapshot for each provider. "
+            "Use snapshot_id to retrieve a specific historical snapshot."
+        ),
+        tags=["Overviews"],
+        parameters=[
+            OpenApiParameter(
+                name="snapshot_id",
+                type=OpenApiTypes.UUID,
+                location=OpenApiParameter.QUERY,
+                description="Retrieve a specific snapshot by ID. If not provided, returns latest snapshots.",
+            ),
+            OpenApiParameter(
+                name="provider_id",
+                type=OpenApiTypes.UUID,
+                location=OpenApiParameter.QUERY,
+                description="Filter by specific provider ID",
+            ),
+            OpenApiParameter(
+                name="provider_id__in",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by multiple provider IDs (comma-separated UUIDs)",
+            ),
+            OpenApiParameter(
+                name="provider_type",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by provider type (aws, azure, gcp, etc.)",
+            ),
+            OpenApiParameter(
+                name="provider_type__in",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by multiple provider types (comma-separated)",
+            ),
+        ],
+    )
+    @action(detail=False, methods=["get"], url_name="threatscore")
+    def threatscore(self, request):
+        """
+        Get ThreatScore snapshots.
+
+        Default behavior: Returns the latest snapshot for each provider.
+        With snapshot_id: Returns the specific snapshot requested.
+        """
+        tenant_id = self.request.tenant_id
+        snapshot_id = request.query_params.get("snapshot_id")
+
+        # Base queryset with RLS
+        base_queryset = ThreatScoreSnapshot.objects.filter(tenant_id=tenant_id)
+
+        # Apply RBAC filtering
+        if hasattr(self, "allowed_providers"):
+            base_queryset = base_queryset.filter(provider__in=self.allowed_providers)
+
+        # Case 1: Specific snapshot requested
+        if snapshot_id:
+            try:
+                snapshot = base_queryset.get(id=snapshot_id)
+                serializer = ThreatScoreSnapshotSerializer(
+                    snapshot, context={"request": request}
+                )
+                return Response(serializer.data, status=status.HTTP_200_OK)
+            except ThreatScoreSnapshot.DoesNotExist:
+                raise NotFound(detail="ThreatScore snapshot not found")
+
+        # Case 2: Latest snapshot per provider (default)
+        # Apply filters manually: this @action is outside the standard list endpoint flow,
+        # so DRF's filter backends don't execute and we must flatten JSON:API params ourselves.
+        normalized_params = QueryDict(mutable=True)
+        for param_key, values in request.query_params.lists():
+            normalized_key = param_key
+            if param_key.startswith("filter[") and param_key.endswith("]"):
+                normalized_key = param_key[7:-1]
+            if normalized_key == "snapshot_id":
+                continue
+            normalized_params.setlist(normalized_key, values)
+
+        filterset = ThreatScoreSnapshotFilter(normalized_params, queryset=base_queryset)
+        filtered_queryset = filterset.qs
+
+        # Get distinct provider IDs from filtered queryset
+        # Pick the latest snapshot per provider using Postgres DISTINCT ON pattern.
+        # This avoids issuing one query per provider (N+1) when the filtered dataset is large.
+        latest_snapshot_ids = list(
+            filtered_queryset.order_by("provider_id", "-inserted_at")
+            .distinct("provider_id")
+            .values_list("id", flat=True)
+        )
+        latest_snapshot_map = {
+            snapshot.id: snapshot
+            for snapshot in filtered_queryset.filter(id__in=latest_snapshot_ids)
+        }
+        latest_snapshots = [
+            latest_snapshot_map[snapshot_id]
+            for snapshot_id in latest_snapshot_ids
+            if snapshot_id in latest_snapshot_map
+        ]
+
+        if len(latest_snapshots) <= 1:
+            serializer = ThreatScoreSnapshotSerializer(
+                latest_snapshots, many=True, context={"request": request}
+            )
+            return Response(serializer.data, status=status.HTTP_200_OK)
+
+        snapshot_ids = [
+            snapshot.id for snapshot in latest_snapshots if snapshot and snapshot.id
+        ]
+        aggregated_snapshot = self._build_threatscore_overview_snapshot(
+            snapshot_ids, tenant_id
+        )
+        serializer = ThreatScoreSnapshotSerializer(
+            [aggregated_snapshot], many=True, context={"request": request}
+        )
+        return Response(serializer.data, status=status.HTTP_200_OK)
+
+    def _build_threatscore_overview_snapshot(self, snapshot_ids, tenant_id):
+        """
+        Aggregate the latest snapshots into a single overview snapshot for the tenant.
+        """
+        if not snapshot_ids:
+            raise ValueError(
+                "Snapshot id list cannot be empty when aggregating threatscore overview"
+            )
+
+        base_queryset = ThreatScoreSnapshot.objects.filter(
+            tenant_id=tenant_id, id__in=snapshot_ids
+        )
+
+        annotated_queryset = (
+            base_queryset.annotate(
+                active_requirements=ExpressionWrapper(
+                    F("total_requirements") - F("manual_requirements"),
+                    output_field=IntegerField(),
+                )
+            )
+            .annotate(
+                weight=Case(
+                    When(total_findings__gt=0, then=F("total_findings")),
+                    When(
+                        active_requirements__gt=0,
+                        then=F("active_requirements"),
+                    ),
+                    default=Value(1, output_field=IntegerField()),
+                    output_field=IntegerField(),
+                )
+            )
+            .order_by()
+        )
+
+        aggregated_metrics = annotated_queryset.aggregate(
+            total_requirements=Sum("total_requirements"),
+            passed_requirements=Sum("passed_requirements"),
+            failed_requirements=Sum("failed_requirements"),
+            manual_requirements=Sum("manual_requirements"),
+            total_findings=Sum("total_findings"),
+            passed_findings=Sum("passed_findings"),
+            failed_findings=Sum("failed_findings"),
+            weighted_overall_sum=Sum(
+                ExpressionWrapper(
+                    F("overall_score") * F("weight"),
+                    output_field=DecimalField(max_digits=14, decimal_places=4),
+                )
+            ),
+            overall_weight=Sum("weight"),
+            unweighted_overall_sum=Sum("overall_score"),
+            weighted_delta_sum=Sum(
+                Case(
+                    When(
+                        score_delta__isnull=False,
+                        then=ExpressionWrapper(
+                            F("score_delta") * F("weight"),
+                            output_field=DecimalField(max_digits=14, decimal_places=4),
+                        ),
+                    ),
+                    default=Value(
+                        Decimal("0"),
+                        output_field=DecimalField(max_digits=14, decimal_places=4),
+                    ),
+                    output_field=DecimalField(max_digits=14, decimal_places=4),
+                )
+            ),
+            delta_weight=Sum(
+                Case(
+                    When(score_delta__isnull=False, then=F("weight")),
+                    default=Value(0, output_field=IntegerField()),
+                    output_field=IntegerField(),
+                )
+            ),
+            provider_count=Count("id"),
+            latest_inserted_at=Max("inserted_at"),
+        )
+
+        total_requirements = aggregated_metrics["total_requirements"] or 0
+        passed_requirements = aggregated_metrics["passed_requirements"] or 0
+        failed_requirements = aggregated_metrics["failed_requirements"] or 0
+        manual_requirements = aggregated_metrics["manual_requirements"] or 0
+        total_findings = aggregated_metrics["total_findings"] or 0
+        passed_findings = aggregated_metrics["passed_findings"] or 0
+        failed_findings = aggregated_metrics["failed_findings"] or 0
+
+        weighted_overall_sum = aggregated_metrics["weighted_overall_sum"]
+        if weighted_overall_sum is None:
+            weighted_overall_sum = Decimal("0")
+        unweighted_overall_sum = aggregated_metrics["unweighted_overall_sum"]
+        if unweighted_overall_sum is None:
+            unweighted_overall_sum = Decimal("0")
+
+        overall_weight = aggregated_metrics["overall_weight"] or 0
+        provider_count = aggregated_metrics["provider_count"] or 0
+
+        weighted_delta_sum = aggregated_metrics["weighted_delta_sum"]
+        if weighted_delta_sum is None:
+            weighted_delta_sum = Decimal("0")
+        delta_weight = aggregated_metrics["delta_weight"] or 0
+
+        if overall_weight > 0:
+            overall_score = (weighted_overall_sum / Decimal(overall_weight)).quantize(
+                Decimal("0.01"), rounding=ROUND_HALF_UP
+            )
+        elif provider_count > 0:
+            overall_score = (unweighted_overall_sum / Decimal(provider_count)).quantize(
+                Decimal("0.01"), rounding=ROUND_HALF_UP
+            )
+        else:
+            overall_score = Decimal("0.00")
+
+        if delta_weight > 0:
+            score_delta = (weighted_delta_sum / Decimal(delta_weight)).quantize(
+                Decimal("0.01"), rounding=ROUND_HALF_UP
+            )
+        else:
+            score_delta = None
+
+        section_weighted_sums = defaultdict(lambda: Decimal("0"))
+        section_weights = defaultdict(lambda: Decimal("0"))
+
+        combined_critical_requirements = {}
+
+        snapshots_with_weight = list(annotated_queryset)
+
+        for snapshot in snapshots_with_weight:
+            weight_value = getattr(snapshot, "weight", None)
+            try:
+                weight_decimal = Decimal(weight_value)
+            except (InvalidOperation, TypeError):
+                weight_decimal = Decimal("1")
+            if weight_decimal <= 0:
+                weight_decimal = Decimal("1")
+
+            section_scores = snapshot.section_scores or {}
+            for section, score in section_scores.items():
+                try:
+                    score_decimal = Decimal(str(score))
+                except (InvalidOperation, TypeError):
+                    continue
+                section_weighted_sums[section] += score_decimal * weight_decimal
+                section_weights[section] += weight_decimal
+
+            for requirement in snapshot.critical_requirements or []:
+                key = requirement.get("requirement_id") or requirement.get("title")
+                if not key:
+                    continue
+                existing = combined_critical_requirements.get(key)
+
+                def requirement_sort_key(item):
+                    return (
+                        item.get("risk_level") or 0,
+                        item.get("weight") or 0,
+                    )
+
+                if existing is None or requirement_sort_key(
+                    requirement
+                ) > requirement_sort_key(existing):
+                    combined_critical_requirements[key] = deepcopy(requirement)
+
+        aggregated_section_scores = {}
+        for section, total in section_weighted_sums.items():
+            weight_total = section_weights[section]
+            if weight_total > 0:
+                aggregated_section_scores[section] = str(
+                    (total / weight_total).quantize(
+                        Decimal("0.01"), rounding=ROUND_HALF_UP
+                    )
+                )
+
+        aggregated_section_scores = dict(sorted(aggregated_section_scores.items()))
+
+        aggregated_critical_requirements = sorted(
+            combined_critical_requirements.values(),
+            key=lambda item: (
+                item.get("risk_level") or 0,
+                item.get("weight") or 0,
+            ),
+            reverse=True,
+        )
+
+        aggregated_snapshot = ThreatScoreSnapshot(
+            tenant_id=tenant_id,
+            scan=None,
+            provider=None,
+            compliance_id="prowler_threatscore_overview",
+            overall_score=overall_score,
+            score_delta=score_delta,
+            section_scores=aggregated_section_scores,
+            critical_requirements=aggregated_critical_requirements,
+            total_requirements=total_requirements,
+            passed_requirements=passed_requirements,
+            failed_requirements=failed_requirements,
+            manual_requirements=manual_requirements,
+            total_findings=total_findings,
+            passed_findings=passed_findings,
+            failed_findings=failed_findings,
+        )
+
+        latest_inserted_at = aggregated_metrics["latest_inserted_at"]
+        if latest_inserted_at is not None:
+            aggregated_snapshot.inserted_at = latest_inserted_at
+
+        aggregated_snapshot._aggregated = True
+
+        return aggregated_snapshot
+

@extend_schema(tags=["Schedule"])
@extend_schema_view(
@@ -4177,21 +4591,25 @@ class IntegrationJiraViewSet(BaseRLSViewSet):
        tags=["Lighthouse AI"],
        summary="List all Lighthouse AI configurations",
        description="Retrieve a list of all Lighthouse AI configurations.",
+        deprecated=True,
    ),
    create=extend_schema(
        tags=["Lighthouse AI"],
        summary="Create a new Lighthouse AI configuration",
        description="Create a new Lighthouse AI configuration with the specified details.",
+        deprecated=True,
    ),
    partial_update=extend_schema(
        tags=["Lighthouse AI"],
        summary="Partially update a Lighthouse AI configuration",
        description="Update certain fields of an existing Lighthouse AI configuration.",
+        deprecated=True,
    ),
    destroy=extend_schema(
        tags=["Lighthouse AI"],
        summary="Delete a Lighthouse AI configuration",
        description="Remove a Lighthouse AI configuration by its ID.",
+        deprecated=True,
    ),
    connection=extend_schema(
        tags=["Lighthouse AI"],
@@ -4199,6 +4617,7 @@ class IntegrationJiraViewSet(BaseRLSViewSet):
        description="Verify the connection to the OpenAI API for a specific Lighthouse AI configuration.",
        request=None,
        responses={202: OpenApiResponse(response=TaskSerializer)},
+        deprecated=True,
    ),
 )
 class LighthouseConfigViewSet(BaseRLSViewSet):
@@ -4249,6 +4668,255 @@ class LighthouseConfigViewSet(BaseRLSViewSet):
        )


+@extend_schema_view(
+    list=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="List all LLM provider configurations",
+        description="Retrieve all LLM provider configurations for the current tenant",
+    ),
+    retrieve=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Retrieve LLM provider configuration",
+        description="Get details for a specific provider configuration in the current tenant.",
+    ),
+    create=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Create LLM provider configuration",
+        description="Create a per-tenant configuration for an LLM provider. Only one configuration per provider type "
+        "is allowed per tenant.",
+    ),
+    partial_update=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Update LLM provider configuration",
+        description="Partially update a provider configuration (e.g., base_url, is_active).",
+    ),
+    destroy=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Delete LLM provider configuration",
+        description="Delete a provider configuration. Any tenant defaults that reference this provider are cleared "
+        "during deletion.",
+    ),
+)
+class LighthouseProviderConfigViewSet(BaseRLSViewSet):
+    queryset = LighthouseProviderConfiguration.objects.all()
+    serializer_class = LighthouseProviderConfigSerializer
+    http_method_names = ["get", "post", "patch", "delete"]
+    filterset_class = LighthouseProviderConfigFilter
+
+    def get_queryset(self):
+        if getattr(self, "swagger_fake_view", False):
+            return LighthouseProviderConfiguration.objects.none()
+        return LighthouseProviderConfiguration.objects.filter(
+            tenant_id=self.request.tenant_id
+        )
+
+    def get_serializer_class(self):
+        if self.action == "create":
+            return LighthouseProviderConfigCreateSerializer
+        elif self.action == "partial_update":
+            return LighthouseProviderConfigUpdateSerializer
+        elif self.action in ["connection", "refresh_models"]:
+            return TaskSerializer
+        return super().get_serializer_class()
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        instance = serializer.save()
+
+        read_serializer = LighthouseProviderConfigSerializer(
+            instance, context=self.get_serializer_context()
+        )
+        headers = self.get_success_headers(read_serializer.data)
+        return Response(
+            data=read_serializer.data,
+            status=status.HTTP_201_CREATED,
+            headers=headers,
+        )
+
+    def partial_update(self, request, *args, **kwargs):
+        instance = self.get_object()
+        serializer = self.get_serializer(
+            instance,
+            data=request.data,
+            partial=True,
+            context=self.get_serializer_context(),
+        )
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        read_serializer = LighthouseProviderConfigSerializer(
+            instance, context=self.get_serializer_context()
+        )
+        return Response(data=read_serializer.data, status=status.HTTP_200_OK)
+
+    @extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Check LLM provider connection",
+        description="Validate provider credentials asynchronously and toggle is_active.",
+        request=None,
+        responses={202: OpenApiResponse(response=TaskSerializer)},
+    )
+    @action(detail=True, methods=["post"], url_name="connection")
+    def connection(self, request, pk=None):
+        instance = self.get_object()
+
+        with transaction.atomic():
+            task = check_lighthouse_provider_connection_task.delay(
+                provider_config_id=str(instance.id), tenant_id=self.request.tenant_id
+            )
+
+        prowler_task = Task.objects.get(id=task.id)
+        serializer = TaskSerializer(prowler_task)
+        return Response(
+            data=serializer.data,
+            status=status.HTTP_202_ACCEPTED,
+            headers={
+                "Content-Location": reverse(
+                    "task-detail", kwargs={"pk": prowler_task.id}
+                )
+            },
+        )
+
+    @extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Refresh LLM models catalog",
+        description="Fetch available models for this provider configuration and upsert into catalog. Supports OpenAI, OpenAI-compatible, and AWS Bedrock providers.",
+        request=None,
+        responses={202: OpenApiResponse(response=TaskSerializer)},
+    )
+    @action(
+        detail=True,
+        methods=["post"],
+        url_path="refresh-models",
+        url_name="refresh-models",
+    )
+    def refresh_models(self, request, pk=None):
+        instance = self.get_object()
+
+        with transaction.atomic():
+            task = refresh_lighthouse_provider_models_task.delay(
+                provider_config_id=str(instance.id), tenant_id=self.request.tenant_id
+            )
+
+        prowler_task = Task.objects.get(id=task.id)
+        serializer = TaskSerializer(prowler_task)
+        return Response(
+            data=serializer.data,
+            status=status.HTTP_202_ACCEPTED,
+            headers={
+                "Content-Location": reverse(
+                    "task-detail", kwargs={"pk": prowler_task.id}
+                )
+            },
+        )
+
+
+@extend_schema_view(
+    list=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Get Lighthouse AI Tenant config",
+        description="Retrieve current tenant-level Lighthouse AI settings. Returns a single configuration object.",
+    ),
+    partial_update=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Update Lighthouse AI Tenant config",
+        description="Update tenant-level settings. Validates that the default provider is configured and active and that default model IDs exist for the chosen providers. Auto-creates configuration if it doesn't exist.",
+    ),
+)
+class LighthouseTenantConfigViewSet(BaseRLSViewSet):
+    """
+    Singleton endpoint for tenant-level Lighthouse AI configuration.
+
+    This viewset implements a true singleton pattern:
+    - GET returns the single configuration object (or 404 if not found)
+    - PATCH updates/creates the configuration (upsert semantics)
+    - No ID is required in the URL
+    """
+
+    queryset = LighthouseTenantConfiguration.objects.all()
+    serializer_class = LighthouseTenantConfigSerializer
+    http_method_names = ["get", "patch"]
+
+    def get_queryset(self):
+        if getattr(self, "swagger_fake_view", False):
+            return LighthouseTenantConfiguration.objects.none()
+        return LighthouseTenantConfiguration.objects.filter(
+            tenant_id=self.request.tenant_id
+        )
+
+    def get_serializer_class(self):
+        if self.action == "partial_update":
+            return LighthouseTenantConfigUpdateSerializer
+        return super().get_serializer_class()
+
+    def get_object(self):
+        """Retrieve the singleton instance for the current tenant."""
+        obj = LighthouseTenantConfiguration.objects.filter(
+            tenant_id=self.request.tenant_id
+        ).first()
+        if obj is None:
+            raise NotFound("Tenant Lighthouse configuration not found")
+        self.check_object_permissions(self.request, obj)
+        return obj
+
+    def list(self, request, *args, **kwargs):
+        """GET endpoint for singleton - returns single object, not an array."""
+        instance = self.get_object()
+        serializer = self.get_serializer(instance)
+        return Response(serializer.data)
+
+    def partial_update(self, request, *args, **kwargs):
+        """PATCH endpoint for singleton - no pk required. Auto-creates if not exists."""
+        # Auto-create tenant config if it doesn't exist (upsert semantics)
+        instance, created = LighthouseTenantConfiguration.objects.get_or_create(
+            tenant_id=self.request.tenant_id,
+            defaults={},
+        )
+
+        # Extract attributes from JSON:API payload
+        try:
+            payload = json.loads(request.body)
+            attributes = payload.get("data", {}).get("attributes", {})
+        except (json.JSONDecodeError, AttributeError):
+            raise ValidationError("Invalid JSON:API payload")
+
+        serializer = self.get_serializer(instance, data=attributes, partial=True)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        read_serializer = LighthouseTenantConfigSerializer(
+            instance, context=self.get_serializer_context()
+        )
+        return Response(read_serializer.data, status=status.HTTP_200_OK)
+
+
+@extend_schema_view(
+    list=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="List all LLM models",
+        description="List available LLM models per configured provider for the current tenant.",
+    ),
+    retrieve=extend_schema(
+        tags=["Lighthouse AI"],
+        summary="Retrieve LLM model details",
+        description="Get details for a specific LLM model.",
+    ),
+)
+class LighthouseProviderModelsViewSet(BaseRLSViewSet):
+    queryset = LighthouseProviderModels.objects.all()
+    serializer_class = LighthouseProviderModelsSerializer
+    filterset_class = LighthouseProviderModelsFilter
+    # Expose as read-only catalog collection
+    http_method_names = ["get"]
+
+    def get_queryset(self):
+        if getattr(self, "swagger_fake_view", False):
+            return LighthouseProviderModels.objects.none()
+        return LighthouseProviderModels.objects.filter(tenant_id=self.request.tenant_id)
+
+    def get_serializer_class(self):
+        return super().get_serializer_class()
+
+
@extend_schema_view(
    list=extend_schema(
        tags=["Processor"],
@@ -4379,3 +5047,95 @@ class TenantApiKeyViewSet(BaseRLSViewSet):

        serializer = self.get_serializer(instance)
        return Response(data=serializer.data, status=status.HTTP_200_OK)
+
+
+# MuteRules
+@extend_schema_view(
+    list=extend_schema(
+        tags=["Mute Rules"],
+        summary="List all mute rules",
+        description="Retrieve a list of all mute rules with filtering options.",
+    ),
+    retrieve=extend_schema(
+        tags=["Mute Rules"],
+        summary="Retrieve a mute rule",
+        description="Fetch detailed information about a specific mute rule by ID.",
+    ),
+    create=extend_schema(
+        tags=["Mute Rules"],
+        summary="Create a new mute rule",
+        description="Create a new mute rule by providing finding IDs, name, and reason. "
+        "The rule will immediately mute the selected findings and launch a background task "
+        "to mute all historical findings with matching UIDs.",
+        request=MuteRuleCreateSerializer,
+    ),
+    partial_update=extend_schema(
+        tags=["Mute Rules"],
+        summary="Partially update a mute rule",
+        description="Update certain fields of an existing mute rule (e.g., name, reason, enabled).",
+        request=MuteRuleUpdateSerializer,
+        responses={200: MuteRuleSerializer},
+    ),
+    destroy=extend_schema(
+        tags=["Mute Rules"],
+        summary="Delete a mute rule",
+        description="Remove a mute rule from the system. Note: Previously muted findings remain muted.",
+    ),
+)
+class MuteRuleViewSet(BaseRLSViewSet):
+    queryset = MuteRule.objects.all()
+    serializer_class = MuteRuleSerializer
+    filterset_class = MuteRuleFilter
+    http_method_names = ["get", "post", "patch", "delete"]
+    search_fields = ["name", "reason"]
+    ordering = ["-inserted_at"]
+    ordering_fields = [
+        "name",
+        "enabled",
+        "inserted_at",
+        "updated_at",
+    ]
+    required_permissions = [Permissions.MANAGE_SCANS]
+
+    def get_queryset(self):
+        queryset = MuteRule.objects.filter(tenant_id=self.request.tenant_id)
+        return queryset.select_related("created_by")
+
+    def get_serializer_class(self):
+        if self.action == "create":
+            return MuteRuleCreateSerializer
+        elif self.action == "partial_update":
+            return MuteRuleUpdateSerializer
+        return super().get_serializer_class()
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        # Create the mute rule
+        mute_rule = serializer.save()
+
+        tenant_id = str(request.tenant_id)
+        finding_ids = request.data.get("finding_ids", [])
+
+        # Immediately mute the selected findings
+        Finding.all_objects.filter(
+            id__in=finding_ids, tenant_id=tenant_id, muted=False
+        ).update(
+            muted=True,
+            muted_at=mute_rule.inserted_at,
+            muted_reason=mute_rule.reason,
+        )
+
+        # Launch background task for historical muting
+        with transaction.atomic():
+            mute_historical_findings_task.apply_async(
+                kwargs={"tenant_id": tenant_id, "mute_rule_id": str(mute_rule.id)}
+            )
+
+        # Return the created mute rule
+        serializer = self.get_serializer(mute_rule)
+        return Response(
+            data=serializer.data,
+            status=status.HTTP_201_CREATED,
+        )
@@ -125,6 +125,10 @@ SPECTACULAR_SETTINGS = {
        "drf_spectacular_jsonapi.hooks.fix_nested_path_parameters",
    ],
    "POSTPROCESSING_HOOKS": [
+        "api.schema_hooks.fix_empty_id_fields",
+        "api.schema_hooks.fix_pattern_properties",
+        "api.schema_hooks.fix_type_formats",
+        "api.schema_hooks.add_api_servers",
        "api.schema_hooks.attach_task_202_examples",
    ],
    "TITLE": "API Reference - Prowler",
@@ -1,7 +1,5 @@
-from django.contrib import admin
 from django.urls import include, path

 urlpatterns = [
-    path("admin/", admin.site.urls),
    path("api/v1/", include("api.v1.urls")),
 ]
@@ -23,6 +23,7 @@ from api.models import (
    Invitation,
    LighthouseConfiguration,
    Membership,
+    MuteRule,
    Processor,
    Provider,
    ProviderGroup,
@@ -499,8 +500,29 @@ def providers_fixture(tenants_fixture):
        alias="m365_testing",
        tenant_id=tenant.id,
    )
+    provider7 = Provider.objects.create(
+        provider="oraclecloud",
+        uid="ocid1.tenancy.oc1..aaaaaaaa3dwoazoox4q7wrvriywpokp5grlhgnkwtyt6dmwyou7no6mdmzda",
+        alias="oci_testing",
+        tenant_id=tenant.id,
+    )
+    provider8 = Provider.objects.create(
+        provider="mongodbatlas",
+        uid="64b1d3c0e4b03b1234567890",
+        alias="mongodbatlas_testing",
+        tenant_id=tenant.id,
+    )

-    return provider1, provider2, provider3, provider4, provider5, provider6
+    return (
+        provider1,
+        provider2,
+        provider3,
+        provider4,
+        provider5,
+        provider6,
+        provider7,
+        provider8,
+    )


@pytest.fixture
@@ -1419,6 +1441,34 @@ def api_keys_fixture(tenants_fixture, create_test_user):
    return [api_key1, api_key2, api_key3]


+@pytest.fixture
+def mute_rules_fixture(tenants_fixture, create_test_user, findings_fixture):
+    """Create test mute rules for testing."""
+    tenant = tenants_fixture[0]
+    user = create_test_user
+
+    # Create two mute rules: one enabled, one disabled
+    mute_rule1 = MuteRule.objects.create(
+        tenant_id=tenant.id,
+        name="Test Rule 1",
+        reason="Security exception for testing",
+        enabled=True,
+        created_by=user,
+        finding_uids=[findings_fixture[0].uid],
+    )
+
+    mute_rule2 = MuteRule.objects.create(
+        tenant_id=tenant.id,
+        name="Test Rule 2",
+        reason="Compliance exception approved",
+        enabled=False,
+        created_by=user,
+        finding_uids=[findings_fixture[1].uid],
+    )
+
+    return mute_rule1, mute_rule2
+
+
 def get_authorization_header(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}"}

@@ -21,6 +21,8 @@ from prowler.lib.outputs.compliance.aws_well_architected.aws_well_architected im
    AWSWellArchitected,
 )
 from prowler.lib.outputs.compliance.c5.c5_aws import AWSC5
+from prowler.lib.outputs.compliance.c5.c5_azure import AzureC5
+from prowler.lib.outputs.compliance.c5.c5_gcp import GCPC5
 from prowler.lib.outputs.compliance.ccc.ccc_aws import CCC_AWS
 from prowler.lib.outputs.compliance.ccc.ccc_azure import CCC_Azure
 from prowler.lib.outputs.compliance.ccc.ccc_gcp import CCC_GCP
@@ -30,6 +32,7 @@ from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
 from prowler.lib.outputs.compliance.cis.cis_github import GithubCIS
 from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
+from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
 from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
 from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
@@ -87,6 +90,7 @@ COMPLIANCE_CLASS_MAP = {
        (lambda name: name.startswith("iso27001_"), AzureISO27001),
        (lambda name: name == "ccc_azure", CCC_Azure),
        (lambda name: name == "prowler_threatscore_azure", ProwlerThreatScoreAzure),
+        (lambda name: name == "c5_azure", AzureC5),
    ],
    "gcp": [
        (lambda name: name.startswith("cis_"), GCPCIS),
@@ -95,6 +99,7 @@ COMPLIANCE_CLASS_MAP = {
        (lambda name: name.startswith("iso27001_"), GCPISO27001),
        (lambda name: name == "prowler_threatscore_gcp", ProwlerThreatScoreGCP),
        (lambda name: name == "ccc_gcp", CCC_GCP),
+        (lambda name: name == "c5_gcp", GCPC5),
    ],
    "kubernetes": [
        (lambda name: name.startswith("cis_"), KubernetesCIS),
@@ -108,6 +113,13 @@ COMPLIANCE_CLASS_MAP = {
    "github": [
        (lambda name: name.startswith("cis_"), GithubCIS),
    ],
+    "iac": [
+        # IaC provider doesn't have specific compliance frameworks yet
+        # Trivy handles its own compliance checks
+    ],
+    "oraclecloud": [
+        (lambda name: name.startswith("cis_"), OracleCloudCIS),
+    ],
 }


@@ -0,0 +1,452 @@
+from typing import Dict
+
+import boto3
+import openai
+from botocore.exceptions import BotoCoreError, ClientError
+from celery.utils.log import get_task_logger
+
+from api.models import LighthouseProviderConfiguration, LighthouseProviderModels
+
+logger = get_task_logger(__name__)
+
+
+def _extract_openai_api_key(
+    provider_cfg: LighthouseProviderConfiguration,
+) -> str | None:
+    """
+    Safely extract the OpenAI API key from a provider configuration.
+
+    Args:
+        provider_cfg (LighthouseProviderConfiguration): The provider configuration instance
+            containing the credentials.
+
+    Returns:
+        str | None: The API key string if present and valid, otherwise None.
+    """
+    creds = provider_cfg.credentials_decoded
+    if not isinstance(creds, dict):
+        return None
+    api_key = creds.get("api_key")
+    if not isinstance(api_key, str) or not api_key:
+        return None
+    return api_key
+
+
+def _extract_openai_compatible_params(
+    provider_cfg: LighthouseProviderConfiguration,
+) -> Dict[str, str] | None:
+    """
+    Extract base_url and api_key for OpenAI-compatible providers.
+    """
+    creds = provider_cfg.credentials_decoded
+    base_url = provider_cfg.base_url
+    if not isinstance(creds, dict):
+        return None
+    api_key = creds.get("api_key")
+    if not isinstance(api_key, str) or not api_key:
+        return None
+    if not isinstance(base_url, str) or not base_url:
+        return None
+    return {"base_url": base_url, "api_key": api_key}
+
+
+def _extract_bedrock_credentials(
+    provider_cfg: LighthouseProviderConfiguration,
+) -> Dict[str, str] | None:
+    """
+    Safely extract AWS Bedrock credentials from a provider configuration.
+
+    Args:
+        provider_cfg (LighthouseProviderConfiguration): The provider configuration instance
+            containing the credentials.
+
+    Returns:
+        Dict[str, str] | None: Dictionary with 'access_key_id', 'secret_access_key', and
+            'region' if present and valid, otherwise None.
+    """
+    creds = provider_cfg.credentials_decoded
+    if not isinstance(creds, dict):
+        return None
+
+    access_key_id = creds.get("access_key_id")
+    secret_access_key = creds.get("secret_access_key")
+    region = creds.get("region")
+
+    # Validate all required fields are present and are strings
+    if (
+        not isinstance(access_key_id, str)
+        or not access_key_id
+        or not isinstance(secret_access_key, str)
+        or not secret_access_key
+        or not isinstance(region, str)
+        or not region
+    ):
+        return None
+
+    return {
+        "access_key_id": access_key_id,
+        "secret_access_key": secret_access_key,
+        "region": region,
+    }
+
+
+def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
+    """
+    Validate a Lighthouse provider configuration by calling the provider API and
+    toggle its active state accordingly.
+
+    Args:
+        provider_config_id: The primary key of the `LighthouseProviderConfiguration`
+            to validate.
+
+    Returns:
+        dict: A result dictionary with the following keys:
+            - "connected" (bool): Whether the provider credentials are valid.
+            - "error" (str | None): The error message when not connected, otherwise None.
+
+    Side Effects:
+        - Updates and persists `is_active` on the `LighthouseProviderConfiguration`.
+
+    Raises:
+        LighthouseProviderConfiguration.DoesNotExist: If no configuration exists with the given ID.
+    """
+    provider_cfg = LighthouseProviderConfiguration.objects.get(pk=provider_config_id)
+
+    try:
+        if (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI
+        ):
+            api_key = _extract_openai_api_key(provider_cfg)
+            if not api_key:
+                provider_cfg.is_active = False
+                provider_cfg.save()
+                return {"connected": False, "error": "API key is invalid or missing"}
+
+            # Test connection by listing models
+            client = openai.OpenAI(api_key=api_key)
+            _ = client.models.list()
+
+        elif (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
+        ):
+            bedrock_creds = _extract_bedrock_credentials(provider_cfg)
+            if not bedrock_creds:
+                provider_cfg.is_active = False
+                provider_cfg.save()
+                return {
+                    "connected": False,
+                    "error": "AWS credentials are invalid or missing",
+                }
+
+            # Test connection by listing foundation models
+            bedrock_client = boto3.client(
+                "bedrock",
+                aws_access_key_id=bedrock_creds["access_key_id"],
+                aws_secret_access_key=bedrock_creds["secret_access_key"],
+                region_name=bedrock_creds["region"],
+            )
+            _ = bedrock_client.list_foundation_models()
+
+        elif (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE
+        ):
+            params = _extract_openai_compatible_params(provider_cfg)
+            if not params:
+                provider_cfg.is_active = False
+                provider_cfg.save()
+                return {
+                    "connected": False,
+                    "error": "Base URL or API key is invalid or missing",
+                }
+
+            # Test connection using OpenAI SDK with custom base_url
+            # Note: base_url should include version (e.g., https://openrouter.ai/api/v1)
+            client = openai.OpenAI(
+                api_key=params["api_key"],
+                base_url=params["base_url"],
+            )
+            _ = client.models.list()
+
+        else:
+            return {"connected": False, "error": "Unsupported provider type"}
+
+        # Connection successful
+        provider_cfg.is_active = True
+        provider_cfg.save()
+        return {"connected": True, "error": None}
+
+    except Exception as e:
+        logger.warning(
+            "%s connection check failed: %s", provider_cfg.provider_type, str(e)
+        )
+        provider_cfg.is_active = False
+        provider_cfg.save()
+        return {"connected": False, "error": str(e)}
+
+
+def _fetch_openai_models(api_key: str) -> Dict[str, str]:
+    """
+    Fetch available models from OpenAI API.
+
+    Args:
+        api_key: OpenAI API key for authentication.
+
+    Returns:
+        Dict mapping model_id to model_name. For OpenAI, both are the same
+        as the API doesn't provide separate display names.
+
+    Raises:
+        Exception: If the API call fails.
+    """
+    client = openai.OpenAI(api_key=api_key)
+    models = client.models.list()
+    # OpenAI uses model.id for both ID and display name
+    return {m.id: m.id for m in getattr(models, "data", [])}
+
+
+def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, str]:
+    """
+    Fetch available models from an OpenAI-compatible API using the OpenAI SDK.
+
+    Returns a mapping of model_id -> model_name. Prefers the 'name' attribute
+    if available (e.g., from OpenRouter), otherwise falls back to 'id'.
+
+    Note: base_url should include version (e.g., https://openrouter.ai/api/v1)
+    """
+    client = openai.OpenAI(api_key=api_key, base_url=base_url)
+    models = client.models.list()
+
+    available_models: Dict[str, str] = {}
+    for model in models.data:
+        model_id = model.id
+        # Prefer provider-supplied human-friendly name when available
+        name = getattr(model, "name", None)
+        if name:
+            available_models[model_id] = name
+        else:
+            available_models[model_id] = model_id
+
+    return available_models
+
+
+def _fetch_bedrock_models(bedrock_creds: Dict[str, str]) -> Dict[str, str]:
+    """
+    Fetch available models from AWS Bedrock with entitlement verification.
+
+    This function:
+    1. Lists foundation models with TEXT modality support
+    2. Lists inference profiles with TEXT modality support
+    3. Verifies user has entitlement access to each model
+
+    Args:
+        bedrock_creds: Dictionary with 'access_key_id', 'secret_access_key', and 'region'.
+
+    Returns:
+        Dict mapping model_id to model_name for all accessible models.
+
+    Raises:
+        BotoCoreError, ClientError: If AWS API calls fail.
+    """
+    bedrock_client = boto3.client(
+        "bedrock",
+        aws_access_key_id=bedrock_creds["access_key_id"],
+        aws_secret_access_key=bedrock_creds["secret_access_key"],
+        region_name=bedrock_creds["region"],
+    )
+
+    models_to_check: Dict[str, str] = {}
+
+    # Step 1: Get foundation models with TEXT modality
+    foundation_response = bedrock_client.list_foundation_models()
+    model_summaries = foundation_response.get("modelSummaries", [])
+
+    for model in model_summaries:
+        # Check if model supports TEXT input and output modality
+        input_modalities = model.get("inputModalities", [])
+        output_modalities = model.get("outputModalities", [])
+
+        if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
+            continue
+
+        model_id = model.get("modelId")
+        if not model_id:
+            continue
+
+        inference_types = model.get("inferenceTypesSupported", [])
+
+        # Only include models with ON_DEMAND inference support
+        if "ON_DEMAND" in inference_types:
+            models_to_check[model_id] = model["modelName"]
+
+    # Step 2: Get inference profiles
+    try:
+        inference_profiles_response = bedrock_client.list_inference_profiles()
+        inference_profiles = inference_profiles_response.get(
+            "inferenceProfileSummaries", []
+        )
+
+        for profile in inference_profiles:
+            # Check if profile supports TEXT modality
+            input_modalities = profile.get("inputModalities", [])
+            output_modalities = profile.get("outputModalities", [])
+
+            if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
+                continue
+
+            profile_id = profile.get("inferenceProfileId")
+            if profile_id:
+                models_to_check[profile_id] = profile["inferenceProfileName"]
+
+    except (BotoCoreError, ClientError) as e:
+        logger.info(
+            "Could not fetch inference profiles in %s: %s",
+            bedrock_creds["region"],
+            str(e),
+        )
+
+    # Step 3: Verify entitlement availability for each model
+    available_models: Dict[str, str] = {}
+
+    for model_id, model_name in models_to_check.items():
+        try:
+            availability = bedrock_client.get_foundation_model_availability(
+                modelId=model_id
+            )
+
+            entitlement = availability.get("entitlementAvailability")
+
+            # Only include models user has access to
+            if entitlement == "AVAILABLE":
+                available_models[model_id] = model_name
+            else:
+                logger.debug(
+                    "Skipping model %s - entitlement status: %s", model_id, entitlement
+                )
+
+        except (BotoCoreError, ClientError) as e:
+            logger.debug(
+                "Could not check availability for model %s: %s", model_id, str(e)
+            )
+            continue
+
+    return available_models
+
+
+def refresh_lighthouse_provider_models(provider_config_id: str) -> Dict:
+    """
+    Refresh the catalog of models for a Lighthouse provider configuration.
+
+    Fetches the current list of models from the provider, upserts entries into
+    `LighthouseProviderModels`, and deletes stale entries no longer returned.
+
+    Args:
+        provider_config_id: The primary key of the `LighthouseProviderConfiguration`
+            whose models should be refreshed.
+
+    Returns:
+        dict: A result dictionary with the following keys on success:
+            - "created" (int): Number of new model rows created.
+            - "updated" (int): Number of existing model rows updated.
+            - "deleted" (int): Number of stale model rows removed.
+        If an error occurs, the dictionary will contain an "error" (str) field instead.
+
+    Raises:
+        LighthouseProviderConfiguration.DoesNotExist: If no configuration exists with the given ID.
+    """
+    provider_cfg = LighthouseProviderConfiguration.objects.get(pk=provider_config_id)
+    fetched_models: Dict[str, str] = {}
+
+    # Fetch models from the appropriate provider
+    try:
+        if (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI
+        ):
+            api_key = _extract_openai_api_key(provider_cfg)
+            if not api_key:
+                return {
+                    "created": 0,
+                    "updated": 0,
+                    "deleted": 0,
+                    "error": "API key is invalid or missing",
+                }
+            fetched_models = _fetch_openai_models(api_key)
+
+        elif (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
+        ):
+            bedrock_creds = _extract_bedrock_credentials(provider_cfg)
+            if not bedrock_creds:
+                return {
+                    "created": 0,
+                    "updated": 0,
+                    "deleted": 0,
+                    "error": "AWS credentials are invalid or missing",
+                }
+            fetched_models = _fetch_bedrock_models(bedrock_creds)
+
+        elif (
+            provider_cfg.provider_type
+            == LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE
+        ):
+            params = _extract_openai_compatible_params(provider_cfg)
+            if not params:
+                return {
+                    "created": 0,
+                    "updated": 0,
+                    "deleted": 0,
+                    "error": "Base URL or API key is invalid or missing",
+                }
+            fetched_models = _fetch_openai_compatible_models(
+                params["base_url"], params["api_key"]
+            )
+
+        else:
+            return {
+                "created": 0,
+                "updated": 0,
+                "deleted": 0,
+                "error": "Unsupported provider type",
+            }
+
+    except Exception as e:
+        logger.warning(
+            "Unexpected error refreshing %s models: %s",
+            provider_cfg.provider_type,
+            str(e),
+        )
+        return {"created": 0, "updated": 0, "deleted": 0, "error": str(e)}
+
+    # Upsert models into the catalog
+    created = 0
+    updated = 0
+
+    for model_id, model_name in fetched_models.items():
+        obj, was_created = LighthouseProviderModels.objects.update_or_create(
+            tenant_id=provider_cfg.tenant_id,
+            provider_configuration=provider_cfg,
+            model_id=model_id,
+            defaults={
+                "model_name": model_name,
+                "default_parameters": {},
+            },
+        )
+        if was_created:
+            created += 1
+        else:
+            updated += 1
+
+    # Delete stale models not present anymore
+    deleted, _ = (
+        LighthouseProviderModels.objects.filter(
+            tenant_id=provider_cfg.tenant_id, provider_configuration=provider_cfg
+        )
+        .exclude(model_id__in=fetched_models.keys())
+        .delete()
+    )
+
+    return {"created": created, "updated": updated, "deleted": deleted}
@@ -0,0 +1,64 @@
+from celery.utils.log import get_task_logger
+from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
+from tasks.utils import batched
+
+from api.db_utils import rls_transaction
+from api.models import Finding, MuteRule
+
+logger = get_task_logger(__name__)
+
+
+def mute_historical_findings(tenant_id: str, mute_rule_id: str):
+    """
+    Mute historical findings that match the given mute rule.
+
+    This function processes findings in batches, updating their muted status
+    and adding the mute reason.
+
+    Args:
+        tenant_id (str): The tenant ID for RLS context
+        mute_rule_id (str): The ID of the mute rule to apply
+
+    Returns:
+        dict: Summary of the muting operation with findings_muted count
+    """
+    findings_muted_count = 0
+
+    # Get the list of UIDs to mute and the reason
+    with rls_transaction(tenant_id):
+        mute_rule = MuteRule.objects.get(id=mute_rule_id, tenant_id=tenant_id)
+        finding_uids = mute_rule.finding_uids
+        mute_reason = mute_rule.reason
+        muted_at = mute_rule.inserted_at
+
+    # Query findings that match the UIDs and are not already muted
+    with rls_transaction(tenant_id):
+        findings_to_mute = Finding.objects.filter(
+            tenant_id=tenant_id, uid__in=finding_uids, muted=False
+        )
+        total_findings = findings_to_mute.count()
+
+        logger.info(
+            f"Processing {total_findings} findings for mute rule {mute_rule_id}"
+        )
+
+        if total_findings > 0:
+            for batch, is_last in batched(
+                findings_to_mute.iterator(), DJANGO_FINDINGS_BATCH_SIZE
+            ):
+                batch_ids = [f.id for f in batch]
+                updated_count = Finding.all_objects.filter(
+                    id__in=batch_ids, tenant_id=tenant_id
+                ).update(
+                    muted=True,
+                    muted_at=muted_at,
+                    muted_reason=mute_reason,
+                )
+                findings_muted_count += updated_count
+
+    logger.info(f"Muted {findings_muted_count} findings for rule {mute_rule_id}")
+
+    return {
+        "findings_muted": findings_muted_count,
+        "rule_id": mute_rule_id,
+    }
@@ -7,7 +7,6 @@ from shutil import rmtree
 import matplotlib.pyplot as plt
 from celery.utils.log import get_task_logger
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE, DJANGO_TMP_OUTPUT_DIRECTORY
-from django.db.models import Count, Q
 from reportlab.lib import colors
 from reportlab.lib.enums import TA_CENTER
 from reportlab.lib.pagesizes import letter
@@ -26,11 +25,22 @@ from reportlab.platypus import (
    TableStyle,
 )
 from tasks.jobs.export import _generate_output_directory, _upload_to_s3
+from tasks.jobs.threatscore import compute_threatscore_metrics
+from tasks.jobs.threatscore_utils import (
+    _aggregate_requirement_statistics_from_database,
+    _calculate_requirements_data_from_statistics,
+)
 from tasks.utils import batched

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
-from api.models import Finding, Provider, ScanSummary, StatusChoices
+from api.models import (
+    Finding,
+    Provider,
+    ScanSummary,
+    StatusChoices,
+    ThreatScoreSnapshot,
+)
 from api.utils import initialize_prowler_provider
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.finding import Finding as FindingOutput
@@ -434,56 +444,6 @@ def _add_pdf_footer(canvas_obj: canvas.Canvas, doc: SimpleDocTemplate) -> None:
    canvas_obj.drawString(width - text_width - 30, 20, powered_text)


-def _aggregate_requirement_statistics_from_database(
-    tenant_id: str, scan_id: str
-) -> dict[str, dict[str, int]]:
-    """
-    Aggregate finding statistics by check_id using database aggregation.
-
-    This function uses Django ORM aggregation to calculate pass/fail statistics
-    entirely in the database, avoiding the need to load findings into memory.
-
-    Args:
-        tenant_id (str): The tenant ID for Row-Level Security context.
-        scan_id (str): The ID of the scan to retrieve findings for.
-
-    Returns:
-        dict[str, dict[str, int]]: Dictionary mapping check_id to statistics:
-            - 'passed' (int): Number of passed findings for this check
-            - 'total' (int): Total number of findings for this check
-
-    Example:
-        {
-            'aws_iam_user_mfa_enabled': {'passed': 10, 'total': 15},
-            'aws_s3_bucket_public_access': {'passed': 0, 'total': 5}
-        }
-    """
-    requirement_statistics_by_check_id = {}
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        # Use database aggregation to calculate stats without loading findings into memory
-        aggregated_statistics_queryset = (
-            Finding.all_objects.filter(tenant_id=tenant_id, scan_id=scan_id)
-            .values("check_id")
-            .annotate(
-                total_findings=Count("id"),
-                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
-            )
-        )
-
-        for aggregated_stat in aggregated_statistics_queryset:
-            check_id = aggregated_stat["check_id"]
-            requirement_statistics_by_check_id[check_id] = {
-                "passed": aggregated_stat["passed_findings"],
-                "total": aggregated_stat["total_findings"],
-            }
-
-    logger.info(
-        f"Aggregated statistics for {len(requirement_statistics_by_check_id)} unique checks"
-    )
-    return requirement_statistics_by_check_id
-
-
 def _load_findings_for_requirement_checks(
    tenant_id: str, scan_id: str, check_ids: list[str], prowler_provider
 ) -> dict[str, list[FindingOutput]]:
@@ -544,84 +504,6 @@ def _load_findings_for_requirement_checks(
    return dict(findings_by_check_id)


-def _calculate_requirements_data_from_statistics(
-    compliance_obj, requirement_statistics_by_check_id: dict[str, dict[str, int]]
-) -> tuple[dict[str, dict], list[dict]]:
-    """
-    Calculate requirement status and statistics using pre-aggregated database statistics.
-
-    This function uses O(n) lookups with pre-aggregated statistics from the database,
-    avoiding the need to iterate over all findings for each requirement.
-
-    Args:
-        compliance_obj: The compliance framework object containing requirements.
-        requirement_statistics_by_check_id (dict[str, dict[str, int]]): Pre-aggregated statistics
-            mapping check_id to {'passed': int, 'total': int} counts.
-
-    Returns:
-        tuple[dict[str, dict], list[dict]]: A tuple containing:
-            - attributes_by_requirement_id: Dictionary mapping requirement IDs to their attributes.
-            - requirements_list: List of requirement dictionaries with status and statistics.
-    """
-    attributes_by_requirement_id = {}
-    requirements_list = []
-
-    compliance_framework = getattr(compliance_obj, "Framework", "N/A")
-    compliance_version = getattr(compliance_obj, "Version", "N/A")
-
-    for requirement in compliance_obj.Requirements:
-        requirement_id = requirement.Id
-        requirement_description = getattr(requirement, "Description", "")
-        requirement_checks = getattr(requirement, "Checks", [])
-        requirement_attributes = getattr(requirement, "Attributes", [])
-
-        # Store requirement metadata for later use
-        attributes_by_requirement_id[requirement_id] = {
-            "attributes": {
-                "req_attributes": requirement_attributes,
-                "checks": requirement_checks,
-            },
-            "description": requirement_description,
-        }
-
-        # Calculate aggregated passed and total findings for this requirement
-        total_passed_findings = 0
-        total_findings_count = 0
-
-        for check_id in requirement_checks:
-            if check_id in requirement_statistics_by_check_id:
-                check_statistics = requirement_statistics_by_check_id[check_id]
-                total_findings_count += check_statistics["total"]
-                total_passed_findings += check_statistics["passed"]
-
-        # Determine overall requirement status based on findings
-        if total_findings_count > 0:
-            if total_passed_findings == total_findings_count:
-                requirement_status = StatusChoices.PASS
-            else:
-                # Partial pass or complete fail both count as FAIL
-                requirement_status = StatusChoices.FAIL
-        else:
-            # No findings means manual review required
-            requirement_status = StatusChoices.MANUAL
-
-        requirements_list.append(
-            {
-                "id": requirement_id,
-                "attributes": {
-                    "framework": compliance_framework,
-                    "version": compliance_version,
-                    "status": requirement_status,
-                    "description": requirement_description,
-                    "passed_findings": total_passed_findings,
-                    "total_findings": total_findings_count,
-                },
-            }
-        )
-
-    return attributes_by_requirement_id, requirements_list
-
-
 def generate_threatscore_report(
    tenant_id: str,
    scan_id: str,
@@ -1262,8 +1144,9 @@ def generate_threatscore_report_job(
    2. Checks provider type compatibility
    3. Generates the output directory
    4. Calls generate_threatscore_report to create the PDF
-    5. Uploads the PDF to S3
-    6. Cleans up temporary files
+    5. Computes and stores ThreatScore metrics snapshot
+    6. Uploads the PDF to S3
+    7. Cleans up temporary files

    Args:
        tenant_id (str): The tenant ID for Row-Level Security context.
@@ -1317,6 +1200,66 @@ def generate_threatscore_report_job(
        min_risk_level=4,
    )

+    # Compute and store ThreatScore metrics snapshot
+    logger.info(f"Computing ThreatScore metrics for scan {scan_id}")
+    try:
+        metrics = compute_threatscore_metrics(
+            tenant_id=tenant_id,
+            scan_id=scan_id,
+            provider_id=provider_id,
+            compliance_id=compliance_id,
+            min_risk_level=4,
+        )
+
+        # Create snapshot in database
+        with rls_transaction(tenant_id):
+            # Get previous snapshot for the same provider to calculate delta
+            previous_snapshot = (
+                ThreatScoreSnapshot.objects.filter(
+                    tenant_id=tenant_id,
+                    provider_id=provider_id,
+                    compliance_id=compliance_id,
+                )
+                .order_by("-inserted_at")
+                .first()
+            )
+
+            # Calculate score delta (improvement)
+            score_delta = None
+            if previous_snapshot:
+                score_delta = metrics["overall_score"] - float(
+                    previous_snapshot.overall_score
+                )
+
+            snapshot = ThreatScoreSnapshot.objects.create(
+                tenant_id=tenant_id,
+                scan_id=scan_id,
+                provider_id=provider_id,
+                compliance_id=compliance_id,
+                overall_score=metrics["overall_score"],
+                score_delta=score_delta,
+                section_scores=metrics["section_scores"],
+                critical_requirements=metrics["critical_requirements"],
+                total_requirements=metrics["total_requirements"],
+                passed_requirements=metrics["passed_requirements"],
+                failed_requirements=metrics["failed_requirements"],
+                manual_requirements=metrics["manual_requirements"],
+                total_findings=metrics["total_findings"],
+                passed_findings=metrics["passed_findings"],
+                failed_findings=metrics["failed_findings"],
+            )
+
+            delta_msg = (
+                f" (delta: {score_delta:+.2f}%)" if score_delta is not None else ""
+            )
+            logger.info(
+                f"ThreatScore snapshot created with ID {snapshot.id} "
+                f"(score: {snapshot.overall_score}%{delta_msg})"
+            )
+    except Exception as e:
+        # Log error but don't fail the job if snapshot creation fails
+        logger.error(f"Error creating ThreatScore snapshot: {e}")
+
    upload_uri = _upload_to_s3(
        tenant_id,
        scan_id,
@@ -30,6 +30,7 @@ from api.exceptions import ProviderConnectionError
 from api.models import (
    ComplianceRequirementOverview,
    Finding,
+    MuteRule,
    Processor,
    Provider,
    Resource,
@@ -301,6 +302,20 @@ def perform_prowler_scan(
            logger.error(f"Error processing mutelist rules: {e}")
            mutelist_processor = None

+    # Load enabled mute rules for this tenant
+    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
+        try:
+            active_mute_rules = MuteRule.objects.filter(
+                tenant_id=tenant_id, enabled=True
+            ).values_list("finding_uids", "reason")
+
+            mute_rules_cache = {}
+            for finding_uids, reason in active_mute_rules:
+                for uid in finding_uids:
+                    mute_rules_cache[uid] = reason
+        except Exception as e:
+            logger.error(f"Error loading mute rules: {e}")
+            mute_rules_cache = {}
    try:
        with rls_transaction(tenant_id):
            try:
@@ -449,11 +464,22 @@ def perform_prowler_scan(
                    if not last_first_seen_at:
                        last_first_seen_at = datetime.now(tz=timezone.utc)

-                    # If the finding is muted at this time the reason must be the configured Mutelist
-                    muted_reason = "Muted by mutelist" if finding.muted else None
+                    # Determine if finding should be muted and why
+                    # Priority: mutelist processor (highest) > manual mute rules
+                    is_muted = False
+                    muted_reason = None
+
+                    # Check mutelist processor first (highest priority)
+                    if finding.muted:
+                        is_muted = True
+                        muted_reason = "Muted by mutelist"
+                    # If not muted by mutelist, check manual mute rules
+                    elif finding_uid in mute_rules_cache:
+                        is_muted = True
+                        muted_reason = mute_rules_cache[finding_uid]

                    # Increment failed_findings_count cache if the finding status is FAIL and not muted
-                    if status == FindingStatus.FAIL and not finding.muted:
+                    if status == FindingStatus.FAIL and not is_muted:
                        resource_uid = finding.resource_uid
                        resource_failed_findings_cache[resource_uid] += 1

@@ -472,7 +498,8 @@ def perform_prowler_scan(
                        check_id=finding.check_id,
                        scan=scan_instance,
                        first_seen_at=last_first_seen_at,
-                        muted=finding.muted,
+                        muted=is_muted,
+                        muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
                        muted_reason=muted_reason,
                        compliance=finding.compliance,
                    )
@@ -735,9 +762,9 @@ def create_compliance_requirements(tenant_id: str, scan_id: str):
            provider_instance = scan_instance.provider
            prowler_provider = return_prowler_provider(provider_instance)

-        compliance_template = PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE[
-            provider_instance.provider
-        ]
+        compliance_template = PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE.get(
+            provider_instance.provider, {}
+        )
        modeled_threatscore_compliance_id = "ProwlerThreatScore-1.0"
        threatscore_requirements_by_check: dict[str, set[str]] = {}
        threatscore_framework = compliance_template.get(
@@ -809,63 +836,68 @@ def create_compliance_requirements(tenant_id: str, scan_id: str):
            region: deepcopy(compliance_template) for region in regions
        }

-        # Apply check statuses to compliance data
-        for region, check_status in check_status_by_region.items():
-            compliance_data = compliance_overview_by_region.setdefault(
-                region, deepcopy(compliance_template)
-            )
-            for check_name, status in check_status.items():
-                generate_scan_compliance(
-                    compliance_data,
-                    provider_instance.provider,
-                    check_name,
-                    status,
-                )
-
-        # Prepare compliance requirement rows
        compliance_requirement_rows: list[dict[str, Any]] = []
-        utc_datetime_now = datetime.now(tz=timezone.utc)
-        for region, compliance_data in compliance_overview_by_region.items():
-            for compliance_id, compliance in compliance_data.items():
-                modeled_compliance_id = _normalized_compliance_key(
-                    compliance["framework"], compliance["version"]
+
+        # Skip if provider has no compliance frameworks
+        if compliance_template:
+            # Apply check statuses to compliance data
+            for region, check_status in check_status_by_region.items():
+                compliance_data = compliance_overview_by_region.setdefault(
+                    region, deepcopy(compliance_template)
                )
-                # Create an overview record for each requirement within each compliance framework
-                for requirement_id, requirement in compliance["requirements"].items():
-                    checks_status = requirement["checks_status"]
-                    compliance_requirement_rows.append(
-                        {
-                            "id": uuid.uuid4(),
-                            "tenant_id": tenant_id,
-                            "inserted_at": utc_datetime_now,
-                            "compliance_id": compliance_id,
-                            "framework": compliance["framework"],
-                            "version": compliance["version"] or "",
-                            "description": requirement.get("description") or "",
-                            "region": region,
-                            "requirement_id": requirement_id,
-                            "requirement_status": requirement["status"],
-                            "passed_checks": checks_status["pass"],
-                            "failed_checks": checks_status["fail"],
-                            "total_checks": checks_status["total"],
-                            "scan_id": scan_instance.id,
-                            "passed_findings": findings_count_by_compliance.get(
-                                region, {}
-                            )
-                            .get(modeled_compliance_id, {})
-                            .get(requirement_id, {})
-                            .get("pass", 0),
-                            "total_findings": findings_count_by_compliance.get(
-                                region, {}
-                            )
-                            .get(modeled_compliance_id, {})
-                            .get(requirement_id, {})
-                            .get("total", 0),
-                        }
+                for check_name, status in check_status.items():
+                    generate_scan_compliance(
+                        compliance_data,
+                        provider_instance.provider,
+                        check_name,
+                        status,
                    )

-        # Bulk create requirement records using PostgreSQL COPY
-        _persist_compliance_requirement_rows(tenant_id, compliance_requirement_rows)
+            # Prepare compliance requirement rows
+            utc_datetime_now = datetime.now(tz=timezone.utc)
+            for region, compliance_data in compliance_overview_by_region.items():
+                for compliance_id, compliance in compliance_data.items():
+                    modeled_compliance_id = _normalized_compliance_key(
+                        compliance["framework"], compliance["version"]
+                    )
+                    # Create an overview record for each requirement within each compliance framework
+                    for requirement_id, requirement in compliance[
+                        "requirements"
+                    ].items():
+                        checks_status = requirement["checks_status"]
+                        compliance_requirement_rows.append(
+                            {
+                                "id": uuid.uuid4(),
+                                "tenant_id": tenant_id,
+                                "inserted_at": utc_datetime_now,
+                                "compliance_id": compliance_id,
+                                "framework": compliance["framework"],
+                                "version": compliance["version"] or "",
+                                "description": requirement.get("description") or "",
+                                "region": region,
+                                "requirement_id": requirement_id,
+                                "requirement_status": requirement["status"],
+                                "passed_checks": checks_status["pass"],
+                                "failed_checks": checks_status["fail"],
+                                "total_checks": checks_status["total"],
+                                "scan_id": scan_instance.id,
+                                "passed_findings": findings_count_by_compliance.get(
+                                    region, {}
+                                )
+                                .get(modeled_compliance_id, {})
+                                .get(requirement_id, {})
+                                .get("pass", 0),
+                                "total_findings": findings_count_by_compliance.get(
+                                    region, {}
+                                )
+                                .get(modeled_compliance_id, {})
+                                .get(requirement_id, {})
+                                .get("total", 0),
+                            }
+                        )
+
+            # Bulk create requirement records using PostgreSQL COPY
+            _persist_compliance_requirement_rows(tenant_id, compliance_requirement_rows)

        return {
            "requirements_created": len(compliance_requirement_rows),
@@ -0,0 +1,214 @@
+from celery.utils.log import get_task_logger
+from tasks.jobs.threatscore_utils import (
+    _aggregate_requirement_statistics_from_database,
+    _calculate_requirements_data_from_statistics,
+)
+
+from api.db_router import READ_REPLICA_ALIAS
+from api.db_utils import rls_transaction
+from api.models import Provider, StatusChoices
+from prowler.lib.check.compliance_models import Compliance
+
+logger = get_task_logger(__name__)
+
+
+def compute_threatscore_metrics(
+    tenant_id: str,
+    scan_id: str,
+    provider_id: str,
+    compliance_id: str,
+    min_risk_level: int = 4,
+) -> dict:
+    """
+    Compute ThreatScore metrics for a given scan.
+
+    This function calculates all the metrics needed for a ThreatScore snapshot:
+    - Overall ThreatScore percentage
+    - Section-by-section scores
+    - Critical failed requirements (risk >= min_risk_level)
+    - Summary statistics (requirements and findings counts)
+
+    Args:
+        tenant_id (str): The tenant ID for Row-Level Security context.
+        scan_id (str): The ID of the scan to analyze.
+        provider_id (str): The ID of the provider used in the scan.
+        compliance_id (str): Compliance framework ID (e.g., "prowler_threatscore_aws").
+        min_risk_level (int): Minimum risk level for critical requirements. Defaults to 4.
+
+    Returns:
+        dict: A dictionary containing:
+            - overall_score (float): Overall ThreatScore percentage (0-100)
+            - section_scores (dict): Section name -> score percentage mapping
+            - critical_requirements (list): List of critical failed requirement dicts
+            - total_requirements (int): Total number of requirements
+            - passed_requirements (int): Number of PASS requirements
+            - failed_requirements (int): Number of FAIL requirements
+            - manual_requirements (int): Number of MANUAL requirements
+            - total_findings (int): Total findings count
+            - passed_findings (int): Passed findings count
+            - failed_findings (int): Failed findings count
+
+    Example:
+        >>> metrics = compute_threatscore_metrics(
+        ...     tenant_id="tenant-123",
+        ...     scan_id="scan-456",
+        ...     provider_id="provider-789",
+        ...     compliance_id="prowler_threatscore_aws"
+        ... )
+        >>> print(f"Overall ThreatScore: {metrics['overall_score']:.2f}%")
+    """
+    # Get provider and compliance information
+    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
+        provider_obj = Provider.objects.get(id=provider_id)
+        provider_type = provider_obj.provider
+
+        frameworks_bulk = Compliance.get_bulk(provider_type)
+        compliance_obj = frameworks_bulk[compliance_id]
+
+    # Aggregate requirement statistics from database
+    requirement_statistics_by_check_id = (
+        _aggregate_requirement_statistics_from_database(tenant_id, scan_id)
+    )
+
+    # Calculate requirements data using aggregated statistics
+    attributes_by_requirement_id, requirements_list = (
+        _calculate_requirements_data_from_statistics(
+            compliance_obj, requirement_statistics_by_check_id
+        )
+    )
+
+    # Initialize metrics
+    overall_numerator = 0
+    overall_denominator = 0
+    overall_has_findings = False
+
+    sections_data = {}
+
+    total_requirements = len(requirements_list)
+    passed_requirements = 0
+    failed_requirements = 0
+    manual_requirements = 0
+    total_findings = 0
+    passed_findings = 0
+    failed_findings = 0
+
+    critical_requirements_list = []
+
+    # Process each requirement
+    for requirement in requirements_list:
+        requirement_id = requirement["id"]
+        requirement_status = requirement["attributes"]["status"]
+        requirement_attributes = attributes_by_requirement_id.get(requirement_id, {})
+
+        # Count requirements by status
+        if requirement_status == StatusChoices.PASS:
+            passed_requirements += 1
+        elif requirement_status == StatusChoices.FAIL:
+            failed_requirements += 1
+        elif requirement_status == StatusChoices.MANUAL:
+            manual_requirements += 1
+
+        # Get findings data
+        req_passed_findings = requirement["attributes"].get("passed_findings", 0)
+        req_total_findings = requirement["attributes"].get("total_findings", 0)
+
+        # Accumulate findings counts
+        total_findings += req_total_findings
+        passed_findings += req_passed_findings
+        failed_findings += req_total_findings - req_passed_findings
+
+        # Skip requirements with no findings
+        if req_total_findings == 0:
+            continue
+
+        overall_has_findings = True
+
+        # Get requirement metadata
+        metadata = requirement_attributes.get("attributes", {}).get(
+            "req_attributes", []
+        )
+        if not metadata or len(metadata) == 0:
+            continue
+
+        m = metadata[0]
+        risk_level = getattr(m, "LevelOfRisk", 0)
+        weight = getattr(m, "Weight", 0)
+        section = getattr(m, "Section", "Unknown")
+
+        # Calculate ThreatScore components using formula from UI
+        rate_i = req_passed_findings / req_total_findings
+        rfac_i = 1 + 0.25 * risk_level
+
+        # Update overall score
+        overall_numerator += rate_i * req_total_findings * weight * rfac_i
+        overall_denominator += req_total_findings * weight * rfac_i
+
+        # Update section scores
+        if section not in sections_data:
+            sections_data[section] = {
+                "numerator": 0,
+                "denominator": 0,
+                "has_findings": False,
+            }
+
+        sections_data[section]["has_findings"] = True
+        sections_data[section]["numerator"] += (
+            rate_i * req_total_findings * weight * rfac_i
+        )
+        sections_data[section]["denominator"] += req_total_findings * weight * rfac_i
+
+        # Identify critical failed requirements
+        if requirement_status == StatusChoices.FAIL and risk_level >= min_risk_level:
+            critical_requirements_list.append(
+                {
+                    "requirement_id": requirement_id,
+                    "title": getattr(m, "Title", "N/A"),
+                    "section": section,
+                    "subsection": getattr(m, "SubSection", "N/A"),
+                    "risk_level": risk_level,
+                    "weight": weight,
+                    "passed_findings": req_passed_findings,
+                    "total_findings": req_total_findings,
+                    "description": getattr(m, "AttributeDescription", "N/A"),
+                }
+            )
+
+    # Calculate overall ThreatScore
+    if not overall_has_findings:
+        overall_score = 100.0
+    elif overall_denominator > 0:
+        overall_score = (overall_numerator / overall_denominator) * 100
+    else:
+        overall_score = 0.0
+
+    # Calculate section scores
+    section_scores = {}
+    for section, data in sections_data.items():
+        if data["has_findings"] and data["denominator"] > 0:
+            section_scores[section] = (data["numerator"] / data["denominator"]) * 100
+        else:
+            section_scores[section] = 100.0
+
+    # Sort critical requirements by risk level (desc) and weight (desc)
+    critical_requirements_list.sort(
+        key=lambda x: (x["risk_level"], x["weight"]), reverse=True
+    )
+
+    logger.info(
+        f"ThreatScore computed: {overall_score:.2f}% "
+        f"({passed_requirements}/{total_requirements} requirements passed, "
+        f"{len(critical_requirements_list)} critical failures)"
+    )
+
+    return {
+        "overall_score": round(overall_score, 2),
+        "section_scores": {k: round(v, 2) for k, v in section_scores.items()},
+        "critical_requirements": critical_requirements_list,
+        "total_requirements": total_requirements,
+        "passed_requirements": passed_requirements,
+        "failed_requirements": failed_requirements,
+        "manual_requirements": manual_requirements,
+        "total_findings": total_findings,
+        "passed_findings": passed_findings,
+        "failed_findings": failed_findings,
+    }
@@ -0,0 +1,127 @@
+from celery.utils.log import get_task_logger
+from django.db.models import Count, Q
+
+from api.db_router import READ_REPLICA_ALIAS
+from api.db_utils import rls_transaction
+from api.models import Finding, StatusChoices
+
+logger = get_task_logger(__name__)
+
+
+def _aggregate_requirement_statistics_from_database(
+    tenant_id: str, scan_id: str
+) -> dict[str, dict[str, int]]:
+    """
+    Aggregate finding statistics by check_id using database aggregation.
+
+    This function uses Django ORM aggregation to calculate pass/fail statistics
+    entirely in the database, avoiding the need to load findings into memory.
+
+    Args:
+        tenant_id (str): The tenant ID for Row-Level Security context.
+        scan_id (str): The ID of the scan to retrieve findings for.
+
+    Returns:
+        dict[str, dict[str, int]]: Dictionary mapping check_id to statistics:
+            - 'passed' (int): Number of passed findings for this check
+            - 'total' (int): Total number of findings for this check
+
+    Example:
+        {
+            'aws_iam_user_mfa_enabled': {'passed': 10, 'total': 15},
+            'aws_s3_bucket_public_access': {'passed': 0, 'total': 5}
+        }
+    """
+    requirement_statistics_by_check_id = {}
+
+    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
+        aggregated_statistics_queryset = (
+            Finding.all_objects.filter(tenant_id=tenant_id, scan_id=scan_id)
+            .values("check_id")
+            .annotate(
+                total_findings=Count("id"),
+                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
+            )
+        )
+
+        for aggregated_stat in aggregated_statistics_queryset:
+            check_id = aggregated_stat["check_id"]
+            requirement_statistics_by_check_id[check_id] = {
+                "passed": aggregated_stat["passed_findings"],
+                "total": aggregated_stat["total_findings"],
+            }
+
+    logger.info(
+        f"Aggregated statistics for {len(requirement_statistics_by_check_id)} unique checks"
+    )
+    return requirement_statistics_by_check_id
+
+
+def _calculate_requirements_data_from_statistics(
+    compliance_obj, requirement_statistics_by_check_id: dict[str, dict[str, int]]
+) -> tuple[dict[str, dict], list[dict]]:
+    """
+    Calculate requirement status and statistics using pre-aggregated database statistics.
+
+    Args:
+        compliance_obj: The compliance framework object containing requirements.
+        requirement_statistics_by_check_id (dict[str, dict[str, int]]): Pre-aggregated statistics
+            mapping check_id to {'passed': int, 'total': int} counts.
+
+    Returns:
+        tuple[dict[str, dict], list[dict]]: A tuple containing:
+            - attributes_by_requirement_id: Dictionary mapping requirement IDs to their attributes.
+            - requirements_list: List of requirement dictionaries with status and statistics.
+    """
+    attributes_by_requirement_id = {}
+    requirements_list = []
+
+    compliance_framework = getattr(compliance_obj, "Framework", "N/A")
+    compliance_version = getattr(compliance_obj, "Version", "N/A")
+
+    for requirement in compliance_obj.Requirements:
+        requirement_id = requirement.Id
+        requirement_description = getattr(requirement, "Description", "")
+        requirement_checks = getattr(requirement, "Checks", [])
+        requirement_attributes = getattr(requirement, "Attributes", [])
+
+        attributes_by_requirement_id[requirement_id] = {
+            "attributes": {
+                "req_attributes": requirement_attributes,
+                "checks": requirement_checks,
+            },
+            "description": requirement_description,
+        }
+
+        total_passed_findings = 0
+        total_findings_count = 0
+
+        for check_id in requirement_checks:
+            if check_id in requirement_statistics_by_check_id:
+                check_statistics = requirement_statistics_by_check_id[check_id]
+                total_findings_count += check_statistics["total"]
+                total_passed_findings += check_statistics["passed"]
+
+        if total_findings_count > 0:
+            if total_passed_findings == total_findings_count:
+                requirement_status = StatusChoices.PASS
+            else:
+                requirement_status = StatusChoices.FAIL
+        else:
+            requirement_status = StatusChoices.MANUAL
+
+        requirements_list.append(
+            {
+                "id": requirement_id,
+                "attributes": {
+                    "framework": compliance_framework,
+                    "version": compliance_version,
+                    "status": requirement_status,
+                    "description": requirement_description,
+                    "passed_findings": total_passed_findings,
+                    "total_findings": total_findings_count,
+                },
+            }
+        )
+
+    return attributes_by_requirement_id, requirements_list
@@ -27,6 +27,11 @@ from tasks.jobs.integrations import (
    upload_s3_integration,
    upload_security_hub_integration,
 )
+from tasks.jobs.lighthouse_providers import (
+    check_lighthouse_provider_connection,
+    refresh_lighthouse_provider_models,
+)
+from tasks.jobs.muting import mute_historical_findings
 from tasks.jobs.report import generate_threatscore_report_job
 from tasks.jobs.scan import (
    aggregate_findings,
@@ -524,6 +529,24 @@ def check_lighthouse_connection_task(lighthouse_config_id: str, tenant_id: str =
    return check_lighthouse_connection(lighthouse_config_id=lighthouse_config_id)


+@shared_task(base=RLSTask, name="lighthouse-provider-connection-check")
+@set_tenant
+def check_lighthouse_provider_connection_task(
+    provider_config_id: str, tenant_id: str | None = None
+) -> dict:
+    """Task wrapper to validate provider credentials and set is_active."""
+    return check_lighthouse_provider_connection(provider_config_id=provider_config_id)
+
+
+@shared_task(base=RLSTask, name="lighthouse-provider-models-refresh")
+@set_tenant
+def refresh_lighthouse_provider_models_task(
+    provider_config_id: str, tenant_id: str | None = None
+) -> dict:
+    """Task wrapper to refresh provider models catalog for the given configuration."""
+    return refresh_lighthouse_provider_models(provider_config_id=provider_config_id)
+
+
@shared_task(name="integration-check")
 def check_integrations_task(tenant_id: str, provider_id: str, scan_id: str = None):
    """
@@ -659,3 +682,25 @@ def generate_threatscore_report_task(tenant_id: str, scan_id: str, provider_id:
    return generate_threatscore_report_job(
        tenant_id=tenant_id, scan_id=scan_id, provider_id=provider_id
    )
+
+
+@shared_task(name="findings-mute-historical")
+def mute_historical_findings_task(tenant_id: str, mute_rule_id: str):
+    """
+    Background task to mute all historical findings matching a mute rule.
+
+    This task processes findings in batches to avoid memory issues with large datasets.
+    It updates the Finding.muted, Finding.muted_at, and Finding.muted_reason fields
+    for all findings whose UID is in the mute rule's finding_uids list.
+
+    Args:
+        tenant_id (str): The tenant ID for RLS context.
+        mute_rule_id (str): The primary key of the MuteRule to apply.
+
+    Returns:
+        dict: A dictionary containing:
+            - 'findings_muted' (int): Total number of findings muted.
+            - 'rule_id' (str): The mute rule ID.
+            - 'status' (str): Final status ('completed').
+    """
+    return mute_historical_findings(tenant_id, mute_rule_id)
@@ -0,0 +1,532 @@
+from datetime import datetime, timezone
+from uuid import uuid4
+
+import pytest
+from django.core.exceptions import ObjectDoesNotExist
+from tasks.jobs.muting import mute_historical_findings
+
+from api.models import Finding, MuteRule
+from prowler.lib.check.models import Severity
+from prowler.lib.outputs.finding import Status
+
+
+@pytest.mark.django_db
+class TestMuteHistoricalFindings:
+    """
+    Test suite for the mute_historical_findings function.
+
+    This class tests the batch processing of findings to update their muted status
+    based on MuteRule criteria.
+    """
+
+    @pytest.fixture(scope="function")
+    def test_user(self, create_test_user):
+        """Create a test user for mute rule creation."""
+        return create_test_user
+
+    @pytest.fixture(scope="function")
+    def mute_rule_with_findings(self, tenants_fixture, findings_fixture, test_user):
+        """
+        Create a mute rule that targets the first finding in the fixture.
+        """
+        tenant = tenants_fixture[0]
+        finding = findings_fixture[0]
+
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant.id,
+            name="Test Mute Rule",
+            reason="Testing mute functionality",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=[finding.uid],
+        )
+
+        return mute_rule
+
+    @pytest.fixture(scope="function")
+    def mute_rule_multiple_findings(self, scans_fixture, test_user):
+        """
+        Create multiple unmuted findings and a mute rule targeting all of them.
+        """
+        scan = scans_fixture[0]
+        tenant_id = scan.tenant_id
+
+        # Create 5 unmuted findings
+        finding_uids = []
+        for i in range(5):
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"test_finding_uid_mute_{i}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended=f"Test status {i}",
+                impact=Severity.high,
+                severity=Severity.high,
+                raw_result={
+                    "status": Status.FAIL,
+                    "impact": Severity.high,
+                    "severity": Severity.high,
+                },
+                check_id=f"test_check_id_{i}",
+                check_metadata={
+                    "CheckId": f"test_check_id_{i}",
+                    "Description": f"Test description {i}",
+                },
+                muted=False,
+            )
+            finding_uids.append(finding.uid)
+
+        # Create mute rule targeting all findings
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Multiple Findings Mute Rule",
+            reason="Testing batch muting",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=finding_uids,
+        )
+
+        return mute_rule, finding_uids
+
+    @pytest.fixture(scope="function")
+    def mute_rule_already_muted(self, findings_fixture, test_user):
+        """
+        Create a mute rule that targets an already-muted finding.
+        """
+        tenant_id = findings_fixture[1].tenant_id
+        already_muted_finding = findings_fixture[1]
+
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Already Muted Rule",
+            reason="Testing already muted findings",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=[already_muted_finding.uid],
+        )
+
+        return mute_rule
+
+    @pytest.fixture(scope="function")
+    def mute_rule_mixed_findings(self, scans_fixture, test_user):
+        """
+        Create a mute rule with a mix of muted and unmuted findings.
+        """
+        scan = scans_fixture[0]
+        tenant_id = scan.tenant_id
+
+        # Create 3 unmuted findings
+        unmuted_uids = []
+        for i in range(3):
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"unmuted_finding_{i}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended=f"Unmuted status {i}",
+                impact=Severity.medium,
+                severity=Severity.medium,
+                raw_result={
+                    "status": Status.FAIL,
+                    "impact": Severity.medium,
+                    "severity": Severity.medium,
+                },
+                check_id=f"unmuted_check_{i}",
+                check_metadata={
+                    "CheckId": f"unmuted_check_{i}",
+                    "Description": f"Unmuted description {i}",
+                },
+                muted=False,
+            )
+            unmuted_uids.append(finding.uid)
+
+        # Create 2 already muted findings
+        muted_uids = []
+        for i in range(2):
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"muted_finding_{i}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended=f"Muted status {i}",
+                impact=Severity.low,
+                severity=Severity.low,
+                raw_result={
+                    "status": Status.FAIL,
+                    "impact": Severity.low,
+                    "severity": Severity.low,
+                },
+                check_id=f"muted_check_{i}",
+                check_metadata={
+                    "CheckId": f"muted_check_{i}",
+                    "Description": f"Muted description {i}",
+                },
+                muted=True,
+                muted_at=datetime.now(timezone.utc),
+                muted_reason="Already muted",
+            )
+            muted_uids.append(finding.uid)
+
+        # Create mute rule targeting all findings
+        all_uids = unmuted_uids + muted_uids
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Mixed Findings Rule",
+            reason="Testing mixed muted/unmuted findings",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=all_uids,
+        )
+
+        return mute_rule, unmuted_uids, muted_uids
+
+    @pytest.fixture(scope="function")
+    def mute_rule_batch_test(self, scans_fixture, test_user):
+        """
+        Create enough findings to test batch processing (>1000 for default batch size).
+        """
+        scan = scans_fixture[0]
+        tenant_id = scan.tenant_id
+
+        # Create 1500 findings to exceed default batch size of 1000
+        finding_uids = []
+        for i in range(1500):
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"batch_test_finding_{i}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended=f"Batch test status {i}",
+                impact=Severity.critical,
+                severity=Severity.critical,
+                raw_result={
+                    "status": Status.FAIL,
+                    "impact": Severity.critical,
+                    "severity": Severity.critical,
+                },
+                check_id=f"batch_test_check_{i}",
+                check_metadata={
+                    "CheckId": f"batch_test_check_{i}",
+                    "Description": f"Batch test description {i}",
+                },
+                muted=False,
+            )
+            finding_uids.append(finding.uid)
+
+        # Create mute rule targeting all findings
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Batch Processing Rule",
+            reason="Testing batch processing functionality",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=finding_uids,
+        )
+
+        return mute_rule, finding_uids
+
+    def test_mute_historical_findings_single_finding(
+        self, mute_rule_with_findings, findings_fixture
+    ):
+        """
+        Test muting a single historical finding.
+        """
+        mute_rule = mute_rule_with_findings
+        tenant_id = str(mute_rule.tenant_id)
+        finding = findings_fixture[0]
+
+        # Ensure the finding is not muted before execution
+        finding.refresh_from_db()
+        assert finding.muted is False
+        assert finding.muted_at is None
+        assert finding.muted_reason is None
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify return value
+        assert result["findings_muted"] == 1
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify the finding was muted
+        finding.refresh_from_db()
+        assert finding.muted is True
+        assert finding.muted_at == mute_rule.inserted_at
+        assert finding.muted_reason == mute_rule.reason
+
+    def test_mute_historical_findings_multiple_findings(
+        self, mute_rule_multiple_findings
+    ):
+        """
+        Test muting multiple historical findings.
+        """
+        mute_rule, finding_uids = mute_rule_multiple_findings
+        tenant_id = str(mute_rule.tenant_id)
+
+        # Verify all findings are unmuted
+        findings = Finding.objects.filter(tenant_id=tenant_id, uid__in=finding_uids)
+        assert findings.count() == 5
+        for finding in findings:
+            assert finding.muted is False
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify return value
+        assert result["findings_muted"] == 5
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify all findings were muted
+        findings = Finding.objects.filter(tenant_id=tenant_id, uid__in=finding_uids)
+        for finding in findings:
+            assert finding.muted is True
+            assert finding.muted_at == mute_rule.inserted_at
+            assert finding.muted_reason == mute_rule.reason
+
+    def test_mute_historical_findings_already_muted(
+        self, mute_rule_already_muted, findings_fixture
+    ):
+        """
+        Test that already-muted findings are not counted or updated.
+        """
+        mute_rule = mute_rule_already_muted
+        tenant_id = str(mute_rule.tenant_id)
+        finding = findings_fixture[1]
+
+        # Verify the finding is already muted
+        finding.refresh_from_db()
+        assert finding.muted is True
+        original_muted_at = finding.muted_at
+        original_muted_reason = finding.muted_reason
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify no findings were muted
+        assert result["findings_muted"] == 0
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify the finding's mute status did not change
+        finding.refresh_from_db()
+        assert finding.muted is True
+        assert finding.muted_at == original_muted_at
+        assert finding.muted_reason == original_muted_reason
+
+    def test_mute_historical_findings_mixed_status(self, mute_rule_mixed_findings):
+        """
+        Test muting when some findings are already muted and others are not.
+        """
+        mute_rule, unmuted_uids, muted_uids = mute_rule_mixed_findings
+        tenant_id = str(mute_rule.tenant_id)
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify only unmuted findings were counted
+        assert result["findings_muted"] == 3
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify unmuted findings are now muted
+        unmuted_findings = Finding.objects.filter(
+            tenant_id=tenant_id, uid__in=unmuted_uids
+        )
+        for finding in unmuted_findings:
+            assert finding.muted is True
+            assert finding.muted_at == mute_rule.inserted_at
+            assert finding.muted_reason == mute_rule.reason
+
+        # Verify already-muted findings remained unchanged
+        already_muted_findings = Finding.objects.filter(
+            tenant_id=tenant_id, uid__in=muted_uids
+        )
+        for finding in already_muted_findings:
+            assert finding.muted is True
+            assert finding.muted_reason == "Already muted"
+
+    def test_mute_historical_findings_nonexistent_rule(self, tenants_fixture):
+        """
+        Test that a nonexistent mute rule raises ObjectDoesNotExist.
+        """
+        tenant_id = str(tenants_fixture[0].id)
+        nonexistent_rule_id = str(uuid4())
+
+        with pytest.raises(ObjectDoesNotExist):
+            mute_historical_findings(tenant_id, nonexistent_rule_id)
+
+    def test_mute_historical_findings_no_matching_findings(
+        self, tenants_fixture, test_user
+    ):
+        """
+        Test muting when no findings match the rule's UIDs.
+        """
+        tenant_id = str(tenants_fixture[0].id)
+
+        # Create a mute rule with non-existent finding UIDs
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test No Match Rule",
+            reason="Testing no matching findings",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=[
+                "nonexistent_uid_1",
+                "nonexistent_uid_2",
+                "nonexistent_uid_3",
+            ],
+        )
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify no findings were muted
+        assert result["findings_muted"] == 0
+        assert result["rule_id"] == str(mute_rule.id)
+
+    def test_mute_historical_findings_batch_processing(self, mute_rule_batch_test):
+        """
+        Test that large numbers of findings are processed in batches correctly.
+        """
+        mute_rule, finding_uids = mute_rule_batch_test
+        tenant_id = str(mute_rule.tenant_id)
+
+        # Verify all findings exist and are unmuted
+        findings = Finding.objects.filter(tenant_id=tenant_id, uid__in=finding_uids)
+        assert findings.count() == 1500
+        for finding in findings:
+            assert finding.muted is False
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify return value
+        assert result["findings_muted"] == 1500
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify all findings were muted
+        findings = Finding.objects.filter(tenant_id=tenant_id, uid__in=finding_uids)
+        for finding in findings:
+            assert finding.muted is True
+            assert finding.muted_at == mute_rule.inserted_at
+            assert finding.muted_reason == mute_rule.reason
+
+    def test_mute_historical_findings_preserves_muted_at_timestamp(
+        self, mute_rule_with_findings, findings_fixture
+    ):
+        """
+        Test that muted_at is set to the rule's inserted_at, not the current time.
+        """
+        mute_rule = mute_rule_with_findings
+        tenant_id = str(mute_rule.tenant_id)
+        finding = findings_fixture[0]
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify the finding was muted
+        assert result["findings_muted"] == 1
+
+        # Verify muted_at matches the rule's inserted_at timestamp
+        finding.refresh_from_db()
+        assert finding.muted_at == mute_rule.inserted_at
+        assert finding.muted_at is not None
+
+    def test_mute_historical_findings_partial_match(self, scans_fixture, test_user):
+        """
+        Test muting when only some of the rule's UIDs exist as findings.
+        """
+        scan = scans_fixture[0]
+        tenant_id = str(scan.tenant_id)
+
+        # Create 3 findings
+        existing_uids = []
+        for i in range(3):
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"partial_match_finding_{i}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended=f"Partial match status {i}",
+                impact=Severity.high,
+                severity=Severity.high,
+                raw_result={
+                    "status": Status.FAIL,
+                    "impact": Severity.high,
+                    "severity": Severity.high,
+                },
+                check_id=f"partial_match_check_{i}",
+                check_metadata={
+                    "CheckId": f"partial_match_check_{i}",
+                    "Description": f"Partial match description {i}",
+                },
+                muted=False,
+            )
+            existing_uids.append(finding.uid)
+
+        # Create a mute rule with both existing and non-existing UIDs
+        all_uids = existing_uids + [
+            "nonexistent_uid_1",
+            "nonexistent_uid_2",
+        ]
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Partial Match Rule",
+            reason="Testing partial matching",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=all_uids,
+        )
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify only existing findings were muted
+        assert result["findings_muted"] == 3
+        assert result["rule_id"] == str(mute_rule.id)
+
+        # Verify the existing findings were muted
+        findings = Finding.objects.filter(tenant_id=tenant_id, uid__in=existing_uids)
+        assert findings.count() == 3
+        for finding in findings:
+            assert finding.muted is True
+            assert finding.muted_at == mute_rule.inserted_at
+            assert finding.muted_reason == mute_rule.reason
+
+    def test_mute_historical_findings_empty_uids(self, tenants_fixture, test_user):
+        """
+        Test muting when the rule has an empty finding_uids array.
+        """
+        tenant_id = str(tenants_fixture[0].id)
+
+        # Create a mute rule with empty finding_uids
+        mute_rule = MuteRule.objects.create(
+            tenant_id=tenant_id,
+            name="Test Empty UIDs Rule",
+            reason="Testing empty UIDs",
+            enabled=True,
+            created_by=test_user,
+            finding_uids=[],
+        )
+
+        # Execute the muting function
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify no findings were muted
+        assert result["findings_muted"] == 0
+        assert result["rule_id"] == str(mute_rule.id)
+
+    def test_mute_historical_findings_return_format(self, mute_rule_with_findings):
+        """
+        Test that the return value has the correct format and fields.
+        """
+        mute_rule = mute_rule_with_findings
+        tenant_id = str(mute_rule.tenant_id)
+
+        result = mute_historical_findings(tenant_id, str(mute_rule.id))
+
+        # Verify return value structure
+        assert isinstance(result, dict)
+        assert "findings_muted" in result
+        assert "rule_id" in result
+        assert isinstance(result["findings_muted"], int)
+        assert isinstance(result["rule_id"], str)
+        assert result["rule_id"] == str(mute_rule.id)
@@ -1,19 +1,25 @@
 import uuid
+from datetime import timedelta
+from decimal import Decimal
 from pathlib import Path
 from unittest.mock import MagicMock, patch

 import matplotlib
 import pytest
+from django.utils import timezone
+from freezegun import freeze_time
 from tasks.jobs.report import (
-    _aggregate_requirement_statistics_from_database,
-    _calculate_requirements_data_from_statistics,
    _load_findings_for_requirement_checks,
    generate_threatscore_report,
    generate_threatscore_report_job,
 )
+from tasks.jobs.threatscore_utils import (
+    _aggregate_requirement_statistics_from_database,
+    _calculate_requirements_data_from_statistics,
+)
 from tasks.tasks import generate_threatscore_report_task

-from api.models import Finding, StatusChoices
+from api.models import Finding, Scan, StateChoices, StatusChoices, ThreatScoreSnapshot
 from prowler.lib.check.models import Severity

 matplotlib.use("Agg")  # Use non-interactive backend for tests
@@ -39,6 +45,7 @@ class TestGenerateThreatscoreReport:
            assert result == {"upload": False}
            mock_filter.assert_called_once_with(scan_id=self.scan_id)

+    @patch("tasks.jobs.report.ThreatScoreSnapshot.objects.create")
    @patch("tasks.jobs.report.rmtree")
    @patch("tasks.jobs.report._upload_to_s3")
    @patch("tasks.jobs.report.generate_threatscore_report")
@@ -53,6 +60,7 @@ class TestGenerateThreatscoreReport:
        mock_generate_report,
        mock_upload,
        mock_rmtree,
+        mock_snapshot_create,
    ):
        mock_scan_summary_filter.return_value.exists.return_value = True

@@ -95,8 +103,10 @@ class TestGenerateThreatscoreReport:
            Path("/tmp/threatscore_path_threatscore_report.pdf").parent,
            ignore_errors=True,
        )
+        mock_snapshot_create.assert_called_once()

-    def test_generate_threatscore_report_fails_upload(self):
+    @patch("tasks.jobs.report.ThreatScoreSnapshot.objects.create")
+    def test_generate_threatscore_report_fails_upload(self, mock_snapshot_create):
        with (
            patch("tasks.jobs.report.ScanSummary.objects.filter") as mock_filter,
            patch("tasks.jobs.report.Provider.objects.get") as mock_provider_get,
@@ -125,8 +135,12 @@ class TestGenerateThreatscoreReport:
            )

            assert result == {"upload": False}
+            mock_snapshot_create.assert_called_once()

-    def test_generate_threatscore_report_logs_rmtree_exception(self, caplog):
+    @patch("tasks.jobs.report.ThreatScoreSnapshot.objects.create")
+    def test_generate_threatscore_report_logs_rmtree_exception(
+        self, mock_snapshot_create, caplog
+    ):
        with (
            patch("tasks.jobs.report.ScanSummary.objects.filter") as mock_filter,
            patch("tasks.jobs.report.Provider.objects.get") as mock_provider_get,
@@ -160,8 +174,10 @@ class TestGenerateThreatscoreReport:
                    provider_id=self.provider_id,
                )
                assert "Error deleting output files" in caplog.text
+                mock_snapshot_create.assert_called_once()

-    def test_generate_threatscore_report_azure_provider(self):
+    @patch("tasks.jobs.report.ThreatScoreSnapshot.objects.create")
+    def test_generate_threatscore_report_azure_provider(self, mock_snapshot_create):
        with (
            patch("tasks.jobs.report.ScanSummary.objects.filter") as mock_filter,
            patch("tasks.jobs.report.Provider.objects.get") as mock_provider_get,
@@ -200,6 +216,135 @@ class TestGenerateThreatscoreReport:
                only_failed=True,
                min_risk_level=4,
            )
+            mock_snapshot_create.assert_called_once()
+
+    @patch("tasks.jobs.report.rmtree")
+    @patch(
+        "tasks.jobs.report._upload_to_s3",
+        return_value="s3://bucket/threatscore/threatscore_report.pdf",
+    )
+    @patch("tasks.jobs.report.generate_threatscore_report")
+    @patch("tasks.jobs.report._generate_output_directory")
+    @patch("tasks.jobs.report.ScanSummary.objects.filter")
+    @patch("tasks.jobs.report.compute_threatscore_metrics")
+    @pytest.mark.django_db
+    @freeze_time("2025-01-10T12:00:00Z")
+    def test_generate_threatscore_report_persists_snapshot_and_delta(
+        self,
+        mock_compute_metrics,
+        mock_scan_summary_filter,
+        mock_generate_output_directory,
+        mock_generate_report,
+        mock_upload,
+        mock_rmtree,
+        tenants_fixture,
+        providers_fixture,
+    ):
+        tenant = tenants_fixture[0]
+        provider = providers_fixture[0]
+
+        scan_previous = Scan.objects.create(
+            tenant=tenant,
+            provider=provider,
+            name="previous-threatscore-scan",
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            started_at=timezone.now() - timedelta(hours=4),
+            completed_at=timezone.now() - timedelta(hours=3),
+        )
+        ThreatScoreSnapshot.objects.create(
+            tenant=tenant,
+            scan=scan_previous,
+            provider=provider,
+            compliance_id="prowler_threatscore_aws",
+            overall_score=Decimal("70.00"),
+            score_delta=None,
+            section_scores={"1. IAM": "65.00"},
+            critical_requirements=[],
+            total_requirements=50,
+            passed_requirements=35,
+            failed_requirements=15,
+            manual_requirements=0,
+            total_findings=40,
+            passed_findings=25,
+            failed_findings=15,
+        )
+
+        scan_current = Scan.objects.create(
+            tenant=tenant,
+            provider=provider,
+            name="current-threatscore-scan",
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            started_at=timezone.now() - timedelta(hours=2),
+            completed_at=timezone.now() - timedelta(hours=1),
+        )
+
+        mock_scan_summary_filter.return_value.exists.return_value = True
+        mock_generate_output_directory.return_value = (
+            "/tmp/output",
+            "/tmp/compressed",
+            "/tmp/threatscore_path",
+        )
+
+        metrics = {
+            "overall_score": 85.5,
+            "score_delta": 10.0,
+            "section_scores": {"1. IAM": 82.3, "2. Attack Surface": 60.0},
+            "critical_requirements": [
+                {
+                    "requirement_id": "req_new",
+                    "title": "New high-risk requirement",
+                    "section": "1. IAM",
+                    "subsection": "Root Account",
+                    "risk_level": 5,
+                    "weight": 150,
+                    "passed_findings": 7,
+                    "total_findings": 10,
+                    "description": "Critical requirement description",
+                }
+            ],
+            "total_requirements": 140,
+            "passed_requirements": 100,
+            "failed_requirements": 40,
+            "manual_requirements": 0,
+            "total_findings": 200,
+            "passed_findings": 150,
+            "failed_findings": 50,
+        }
+        mock_compute_metrics.return_value = metrics
+
+        result = generate_threatscore_report_job(
+            tenant_id=str(tenant.id),
+            scan_id=str(scan_current.id),
+            provider_id=str(provider.id),
+        )
+
+        assert result == {"upload": True}
+        mock_compute_metrics.assert_called_once_with(
+            tenant_id=str(tenant.id),
+            scan_id=str(scan_current.id),
+            provider_id=str(provider.id),
+            compliance_id="prowler_threatscore_aws",
+            min_risk_level=4,
+        )
+        mock_generate_report.assert_called_once()
+        mock_upload.assert_called_once()
+        mock_rmtree.assert_called_once()
+
+        snapshots = ThreatScoreSnapshot.objects.filter(
+            tenant=tenant, provider=provider
+        ).order_by("inserted_at")
+        assert snapshots.count() == 2
+
+        new_snapshot = ThreatScoreSnapshot.objects.get(scan=scan_current)
+        assert new_snapshot.compliance_id == "prowler_threatscore_aws"
+        assert Decimal(new_snapshot.overall_score) == Decimal("85.50")
+        assert Decimal(new_snapshot.score_delta) == Decimal("15.50")
+        assert new_snapshot.section_scores == metrics["section_scores"]
+        assert new_snapshot.critical_requirements == metrics["critical_requirements"]
+        assert new_snapshot.total_requirements == metrics["total_requirements"]
+        assert new_snapshot.total_findings == metrics["total_findings"]


@pytest.mark.django_db
@@ -18,7 +18,15 @@ from tasks.utils import CustomEncoder

 from api.db_router import MainRouter
 from api.exceptions import ProviderConnectionError
-from api.models import Finding, Provider, Resource, Scan, StateChoices, StatusChoices
+from api.models import (
+    Finding,
+    MuteRule,
+    Provider,
+    Resource,
+    Scan,
+    StateChoices,
+    StatusChoices,
+)
 from prowler.lib.check.models import Severity


@@ -739,6 +747,561 @@ class TestPerformScan:
        # Assert that failed_findings_count was reset to 0 during the scan
        assert resource.failed_findings_count == 0

+    def test_perform_prowler_scan_with_active_mute_rules(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test active MuteRule mutes findings with correct reason"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Create active MuteRule with specific finding UIDs
+            mute_rule_reason = "Accepted risk - production exception"
+            finding_uid_1 = "finding_to_mute_1"
+            finding_uid_2 = "finding_to_mute_2"
+
+            MuteRule.objects.create(
+                tenant_id=tenant_id,
+                name="Production Exception Rule",
+                reason=mute_rule_reason,
+                enabled=True,
+                finding_uids=[finding_uid_1, finding_uid_2],
+            )
+
+            # Mock findings: one FAIL and one PASS, both should be muted
+            muted_fail_finding = MagicMock()
+            muted_fail_finding.uid = finding_uid_1
+            muted_fail_finding.status = StatusChoices.FAIL
+            muted_fail_finding.status_extended = "muted fail"
+            muted_fail_finding.severity = Severity.high
+            muted_fail_finding.check_id = "muted_fail_check"
+            muted_fail_finding.get_metadata.return_value = {"key": "value"}
+            muted_fail_finding.resource_uid = "resource_uid_1"
+            muted_fail_finding.resource_name = "resource_1"
+            muted_fail_finding.region = "us-east-1"
+            muted_fail_finding.service_name = "ec2"
+            muted_fail_finding.resource_type = "instance"
+            muted_fail_finding.resource_tags = {}
+            muted_fail_finding.muted = False
+            muted_fail_finding.raw = {}
+            muted_fail_finding.resource_metadata = {}
+            muted_fail_finding.resource_details = {}
+            muted_fail_finding.partition = "aws"
+            muted_fail_finding.compliance = {}
+
+            muted_pass_finding = MagicMock()
+            muted_pass_finding.uid = finding_uid_2
+            muted_pass_finding.status = StatusChoices.PASS
+            muted_pass_finding.status_extended = "muted pass"
+            muted_pass_finding.severity = Severity.medium
+            muted_pass_finding.check_id = "muted_pass_check"
+            muted_pass_finding.get_metadata.return_value = {"key": "value"}
+            muted_pass_finding.resource_uid = "resource_uid_2"
+            muted_pass_finding.resource_name = "resource_2"
+            muted_pass_finding.region = "us-east-1"
+            muted_pass_finding.service_name = "s3"
+            muted_pass_finding.resource_type = "bucket"
+            muted_pass_finding.resource_tags = {}
+            muted_pass_finding.muted = False
+            muted_pass_finding.raw = {}
+            muted_pass_finding.resource_metadata = {}
+            muted_pass_finding.resource_details = {}
+            muted_pass_finding.partition = "aws"
+            muted_pass_finding.compliance = {}
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [
+                (100, [muted_fail_finding, muted_pass_finding])
+            ]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-east-1"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Call the function under test
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+
+        # Verify findings are muted with correct reason
+        fail_finding_db = Finding.objects.get(uid=finding_uid_1)
+        pass_finding_db = Finding.objects.get(uid=finding_uid_2)
+
+        assert fail_finding_db.muted
+        assert fail_finding_db.muted_reason == mute_rule_reason
+        assert fail_finding_db.muted_at is not None
+
+        assert pass_finding_db.muted
+        assert pass_finding_db.muted_reason == mute_rule_reason
+        assert pass_finding_db.muted_at is not None
+
+        # Verify failed_findings_count is 0 for muted FAIL finding
+        resource_1 = Resource.objects.get(uid="resource_uid_1")
+        assert resource_1.failed_findings_count == 0
+
+    def test_perform_prowler_scan_with_inactive_mute_rules(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test inactive MuteRule does not mute findings"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Create inactive MuteRule
+            finding_uid = "finding_inactive_rule"
+            MuteRule.objects.create(
+                tenant_id=tenant_id,
+                name="Inactive Rule",
+                reason="Should not apply",
+                enabled=False,
+                finding_uids=[finding_uid],
+            )
+
+            # Mock FAIL finding
+            fail_finding = MagicMock()
+            fail_finding.uid = finding_uid
+            fail_finding.status = StatusChoices.FAIL
+            fail_finding.status_extended = "test fail"
+            fail_finding.severity = Severity.high
+            fail_finding.check_id = "fail_check"
+            fail_finding.get_metadata.return_value = {"key": "value"}
+            fail_finding.resource_uid = "resource_uid_inactive"
+            fail_finding.resource_name = "resource_inactive"
+            fail_finding.region = "us-east-1"
+            fail_finding.service_name = "ec2"
+            fail_finding.resource_type = "instance"
+            fail_finding.resource_tags = {}
+            fail_finding.muted = False
+            fail_finding.raw = {}
+            fail_finding.resource_metadata = {}
+            fail_finding.resource_details = {}
+            fail_finding.partition = "aws"
+            fail_finding.compliance = {}
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [(100, [fail_finding])]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-east-1"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Call the function under test
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+
+        # Verify finding is NOT muted
+        finding_db = Finding.objects.get(uid=finding_uid)
+        assert not finding_db.muted
+        assert finding_db.muted_reason is None
+        assert finding_db.muted_at is None
+
+        # Verify failed_findings_count increments for FAIL finding
+        resource = Resource.objects.get(uid="resource_uid_inactive")
+        assert resource.failed_findings_count == 1
+
+    def test_perform_prowler_scan_mutelist_overrides_mute_rules(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test mutelist processor takes precedence over MuteRule"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Create active MuteRule
+            finding_uid = "finding_both_rules"
+            MuteRule.objects.create(
+                tenant_id=tenant_id,
+                name="Manual Mute Rule",
+                reason="Muted by manual rule",
+                enabled=True,
+                finding_uids=[finding_uid],
+            )
+
+            # Mock finding with mutelist processor muted=True
+            muted_finding = MagicMock()
+            muted_finding.uid = finding_uid
+            muted_finding.status = StatusChoices.FAIL
+            muted_finding.status_extended = "test"
+            muted_finding.severity = Severity.high
+            muted_finding.check_id = "test_check"
+            muted_finding.get_metadata.return_value = {"key": "value"}
+            muted_finding.resource_uid = "resource_both"
+            muted_finding.resource_name = "resource_both"
+            muted_finding.region = "us-east-1"
+            muted_finding.service_name = "ec2"
+            muted_finding.resource_type = "instance"
+            muted_finding.resource_tags = {}
+            muted_finding.muted = True
+            muted_finding.raw = {}
+            muted_finding.resource_metadata = {}
+            muted_finding.resource_details = {}
+            muted_finding.partition = "aws"
+            muted_finding.compliance = {}
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [(100, [muted_finding])]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-east-1"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Call the function under test
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+
+        # Verify mutelist reason takes precedence
+        finding_db = Finding.objects.get(uid=finding_uid)
+        assert finding_db.muted
+        assert finding_db.muted_reason == "Muted by mutelist"
+        assert finding_db.muted_at is not None
+
+        # Verify failed_findings_count is 0
+        resource = Resource.objects.get(uid="resource_both")
+        assert resource.failed_findings_count == 0
+
+    def test_perform_prowler_scan_mute_rules_multiple_findings(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test MuteRule with multiple finding UIDs mutes all findings"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Create MuteRule with multiple finding UIDs
+            mute_rule_reason = "Bulk exception for dev environment"
+            finding_uids = [
+                "bulk_finding_1",
+                "bulk_finding_2",
+                "bulk_finding_3",
+                "bulk_finding_4",
+            ]
+            MuteRule.objects.create(
+                tenant_id=tenant_id,
+                name="Bulk Mute Rule",
+                reason=mute_rule_reason,
+                enabled=True,
+                finding_uids=finding_uids,
+            )
+
+            # Mock multiple findings with mixed statuses
+            findings = []
+            for i, uid in enumerate(finding_uids):
+                finding = MagicMock()
+                finding.uid = uid
+                finding.status = (
+                    StatusChoices.FAIL if i % 2 == 0 else StatusChoices.PASS
+                )
+                finding.status_extended = f"test {i}"
+                finding.severity = Severity.medium
+                finding.check_id = f"check_{i}"
+                finding.get_metadata.return_value = {"key": f"value_{i}"}
+                finding.resource_uid = f"resource_bulk_{i}"
+                finding.resource_name = f"resource_{i}"
+                finding.region = "us-west-2"
+                finding.service_name = "lambda"
+                finding.resource_type = "function"
+                finding.resource_tags = {}
+                finding.muted = False
+                finding.raw = {}
+                finding.resource_metadata = {}
+                finding.resource_details = {}
+                finding.partition = "aws"
+                finding.compliance = {}
+                findings.append(finding)
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [(100, findings)]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-west-2"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Call the function under test
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+
+        # Verify all findings are muted with same reason
+        for uid in finding_uids:
+            finding_db = Finding.objects.get(uid=uid)
+            assert finding_db.muted
+            assert finding_db.muted_reason == mute_rule_reason
+            assert finding_db.muted_at is not None
+
+        # Verify all resources have failed_findings_count = 0
+        for i in range(len(finding_uids)):
+            resource = Resource.objects.get(uid=f"resource_bulk_{i}")
+            assert resource.failed_findings_count == 0
+
+    def test_perform_prowler_scan_mute_rules_error_handling(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test scan continues when MuteRule loading fails"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+            patch("api.models.MuteRule.objects.filter") as mock_mute_rule_filter,
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Mock MuteRule.objects.filter to raise exception
+            mock_mute_rule_filter.side_effect = Exception("Database error")
+
+            # Mock finding
+            finding = MagicMock()
+            finding.uid = "finding_error_handling"
+            finding.status = StatusChoices.FAIL
+            finding.status_extended = "test"
+            finding.severity = Severity.high
+            finding.check_id = "test_check"
+            finding.get_metadata.return_value = {"key": "value"}
+            finding.resource_uid = "resource_error"
+            finding.resource_name = "resource_error"
+            finding.region = "us-east-1"
+            finding.service_name = "ec2"
+            finding.resource_type = "instance"
+            finding.resource_tags = {}
+            finding.muted = False
+            finding.raw = {}
+            finding.resource_metadata = {}
+            finding.resource_details = {}
+            finding.partition = "aws"
+            finding.compliance = {}
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [(100, [finding])]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-east-1"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Call the function under test - should not raise
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+
+        # Verify scan completed successfully
+        scan.refresh_from_db()
+        assert scan.state == StateChoices.COMPLETED
+
+        # Verify finding is not muted (mute_rules_cache was empty dict)
+        finding_db = Finding.objects.get(uid="finding_error_handling")
+        assert not finding_db.muted
+        assert finding_db.muted_reason is None
+
+        # Verify failed_findings_count increments
+        resource = Resource.objects.get(uid="resource_error")
+        assert resource.failed_findings_count == 1
+
+    def test_perform_prowler_scan_muted_at_timestamp(
+        self,
+        tenants_fixture,
+        scans_fixture,
+        providers_fixture,
+    ):
+        """Test muted_at timestamp is set correctly for muted findings"""
+        with (
+            patch("api.db_utils.rls_transaction"),
+            patch(
+                "tasks.jobs.scan.initialize_prowler_provider"
+            ) as mock_initialize_prowler_provider,
+            patch("tasks.jobs.scan.ProwlerScan") as mock_prowler_scan_class,
+            patch(
+                "tasks.jobs.scan.PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE",
+                new_callable=dict,
+            ),
+            patch("api.compliance.PROWLER_CHECKS", new_callable=dict),
+        ):
+            tenant = tenants_fixture[0]
+            scan = scans_fixture[0]
+            provider = providers_fixture[0]
+
+            provider.provider = Provider.ProviderChoices.AWS
+            provider.save()
+
+            tenant_id = str(tenant.id)
+            scan_id = str(scan.id)
+            provider_id = str(provider.id)
+
+            # Create active MuteRule
+            finding_uid = "finding_timestamp_test"
+            MuteRule.objects.create(
+                tenant_id=tenant_id,
+                name="Timestamp Test Rule",
+                reason="Testing timestamp",
+                enabled=True,
+                finding_uids=[finding_uid],
+            )
+
+            # Mock finding
+            finding = MagicMock()
+            finding.uid = finding_uid
+            finding.status = StatusChoices.FAIL
+            finding.status_extended = "test"
+            finding.severity = Severity.high
+            finding.check_id = "test_check"
+            finding.get_metadata.return_value = {"key": "value"}
+            finding.resource_uid = "resource_timestamp"
+            finding.resource_name = "resource_timestamp"
+            finding.region = "us-east-1"
+            finding.service_name = "ec2"
+            finding.resource_type = "instance"
+            finding.resource_tags = {}
+            finding.muted = False
+            finding.raw = {}
+            finding.resource_metadata = {}
+            finding.resource_details = {}
+            finding.partition = "aws"
+            finding.compliance = {}
+
+            # Mock the ProwlerScan instance
+            mock_prowler_scan_instance = MagicMock()
+            mock_prowler_scan_instance.scan.return_value = [(100, [finding])]
+            mock_prowler_scan_class.return_value = mock_prowler_scan_instance
+
+            # Mock prowler_provider
+            mock_prowler_provider_instance = MagicMock()
+            mock_prowler_provider_instance.get_regions.return_value = ["us-east-1"]
+            mock_initialize_prowler_provider.return_value = (
+                mock_prowler_provider_instance
+            )
+
+            # Capture time before and after scan
+            before_scan = datetime.now(timezone.utc)
+            perform_prowler_scan(tenant_id, scan_id, provider_id, [])
+            after_scan = datetime.now(timezone.utc)
+
+        # Verify muted_at is within the scan time window
+        finding_db = Finding.objects.get(uid=finding_uid)
+        assert finding_db.muted
+        assert finding_db.muted_at is not None
+        assert before_scan <= finding_db.muted_at <= after_scan
+

 # TODO Add tests for aggregations

@@ -1,16 +1,24 @@
 import uuid
 from unittest.mock import MagicMock, patch

+import openai
 import pytest
+from botocore.exceptions import ClientError
 from tasks.tasks import (
    _perform_scan_complete_tasks,
    check_integrations_task,
+    check_lighthouse_provider_connection_task,
    generate_outputs_task,
+    refresh_lighthouse_provider_models_task,
    s3_integration_task,
    security_hub_integration_task,
 )

-from api.models import Integration
+from api.models import (
+    Integration,
+    LighthouseProviderConfiguration,
+    LighthouseProviderModels,
+)


 # TODO Move this to outputs/reports jobs
@@ -1097,3 +1105,363 @@ class TestCheckIntegrationsTask:

        assert result is False
        mock_upload.assert_called_once_with(self.tenant_id, self.provider_id, scan_id)
+
+
+@pytest.mark.django_db
+class TestCheckLighthouseProviderConnectionTask:
+    def setup_method(self):
+        self.tenant_id = str(uuid.uuid4())
+
+    @pytest.mark.parametrize(
+        "provider_type,credentials,base_url,expected_result",
+        [
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+                {"api_key": "sk-test123"},
+                None,
+                {"connected": True, "error": None},
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE,
+                {"api_key": "sk-test123"},
+                "https://openrouter.ai/api/v1",
+                {"connected": True, "error": None},
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
+                {
+                    "access_key_id": "AKIA123",
+                    "secret_access_key": "secret",
+                    "region": "us-east-1",
+                },
+                None,
+                {"connected": True, "error": None},
+            ),
+        ],
+    )
+    def test_check_connection_success_all_providers(
+        self, tenants_fixture, provider_type, credentials, base_url, expected_result
+    ):
+        """Test successful connection check for all provider types."""
+        # Create provider configuration
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=provider_type,
+            base_url=base_url,
+            is_active=False,
+        )
+        provider_cfg.credentials_decoded = credentials
+        provider_cfg.save()
+
+        # Mock the appropriate API calls
+        with (
+            patch("tasks.jobs.lighthouse_providers.openai.OpenAI") as mock_openai,
+            patch("tasks.jobs.lighthouse_providers.boto3.client") as mock_boto3,
+        ):
+            mock_client = MagicMock()
+            mock_client.models.list.return_value = MagicMock()
+            mock_client.list_foundation_models.return_value = {}
+            mock_openai.return_value = mock_client
+            mock_boto3.return_value = mock_client
+
+            # Execute
+            result = check_lighthouse_provider_connection_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert
+            assert result == expected_result
+            provider_cfg.refresh_from_db()
+            assert provider_cfg.is_active is True
+
+    @pytest.mark.parametrize(
+        "provider_type,credentials,base_url,exception_to_raise",
+        [
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+                {"api_key": "sk-invalid"},
+                None,
+                openai.AuthenticationError(
+                    "Invalid API key", response=MagicMock(), body=None
+                ),
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE,
+                {"api_key": "sk-invalid"},
+                "https://openrouter.ai/api/v1",
+                openai.APIConnectionError(request=MagicMock()),
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
+                {
+                    "access_key_id": "AKIA123",
+                    "secret_access_key": "secret",
+                    "region": "us-east-1",
+                },
+                None,
+                ClientError(
+                    {"Error": {"Code": "AccessDenied", "Message": "Access Denied"}},
+                    "list_foundation_models",
+                ),
+            ),
+        ],
+    )
+    def test_check_connection_api_failure(
+        self,
+        tenants_fixture,
+        provider_type,
+        credentials,
+        base_url,
+        exception_to_raise,
+    ):
+        """Test connection check when API calls fail."""
+        # Create provider configuration
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=provider_type,
+            base_url=base_url,
+            is_active=True,
+        )
+        provider_cfg.credentials_decoded = credentials
+        provider_cfg.save()
+
+        # Mock the API to raise exception
+        with (
+            patch("tasks.jobs.lighthouse_providers.openai.OpenAI") as mock_openai,
+            patch("tasks.jobs.lighthouse_providers.boto3.client") as mock_boto3,
+        ):
+            mock_client = MagicMock()
+            if (
+                provider_type
+                == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
+            ):
+                mock_client.list_foundation_models.side_effect = exception_to_raise
+                mock_boto3.return_value = mock_client
+            else:
+                mock_client.models.list.side_effect = exception_to_raise
+                mock_openai.return_value = mock_client
+
+            # Execute
+            result = check_lighthouse_provider_connection_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert
+            assert result["connected"] is False
+            assert result["error"] is not None
+            provider_cfg.refresh_from_db()
+            assert provider_cfg.is_active is False
+
+    def test_check_connection_updates_active_status(self, tenants_fixture):
+        """Test that connection check toggles is_active from True to False on failure."""
+        # Create provider with is_active=True
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+            base_url=None,
+            is_active=True,
+        )
+        provider_cfg.credentials_decoded = {"api_key": "sk-test123"}
+        provider_cfg.save()
+
+        # Mock API to fail
+        with patch("tasks.jobs.lighthouse_providers.openai.OpenAI") as mock_openai:
+            mock_client = MagicMock()
+            mock_client.models.list.side_effect = openai.AuthenticationError(
+                "Invalid", response=MagicMock(), body=None
+            )
+            mock_openai.return_value = mock_client
+
+            # Execute
+            result = check_lighthouse_provider_connection_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert status changed
+            assert result["connected"] is False
+            provider_cfg.refresh_from_db()
+            assert provider_cfg.is_active is False
+
+    def test_check_connection_provider_does_not_exist(self, tenants_fixture):
+        """Test that checking non-existent provider raises DoesNotExist."""
+        non_existent_id = str(uuid.uuid4())
+
+        with pytest.raises(LighthouseProviderConfiguration.DoesNotExist):
+            check_lighthouse_provider_connection_task(
+                provider_config_id=non_existent_id,
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+
+@pytest.mark.django_db
+class TestRefreshLighthouseProviderModelsTask:
+    def setup_method(self):
+        self.tenant_id = str(uuid.uuid4())
+
+    @pytest.mark.parametrize(
+        "provider_type,credentials,base_url,mock_models,expected_count",
+        [
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+                {"api_key": "sk-test123"},
+                None,
+                {"gpt-5": "gpt-5", "gpt-4o": "gpt-4o"},
+                2,
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.OPENAI_COMPATIBLE,
+                {"api_key": "sk-test123"},
+                "https://openrouter.ai/api/v1",
+                {"model-1": "Model One", "model-2": "Model Two"},
+                2,
+            ),
+            (
+                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
+                {
+                    "access_key_id": "AKIA123",
+                    "secret_access_key": "secret",
+                    "region": "us-east-1",
+                },
+                None,
+                {"openai.gpt-oss-120b-1:0": "gpt-oss-120b"},
+                1,
+            ),
+        ],
+    )
+    def test_refresh_models_create_new(
+        self,
+        tenants_fixture,
+        provider_type,
+        credentials,
+        base_url,
+        mock_models,
+        expected_count,
+    ):
+        """Test creating new models for all provider types."""
+        # Create provider configuration
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=provider_type,
+            base_url=base_url,
+            is_active=True,
+        )
+        provider_cfg.credentials_decoded = credentials
+        provider_cfg.save()
+
+        # Mock the fetch functions
+        with (
+            patch(
+                "tasks.jobs.lighthouse_providers._fetch_openai_models",
+                return_value=mock_models,
+            ),
+            patch(
+                "tasks.jobs.lighthouse_providers._fetch_openai_compatible_models",
+                return_value=mock_models,
+            ),
+            patch(
+                "tasks.jobs.lighthouse_providers._fetch_bedrock_models",
+                return_value=mock_models,
+            ),
+        ):
+            # Execute
+            result = refresh_lighthouse_provider_models_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert
+            assert result["created"] == expected_count
+            assert result["updated"] == 0
+            assert result["deleted"] == 0
+            assert (
+                LighthouseProviderModels.objects.filter(
+                    provider_configuration=provider_cfg
+                ).count()
+                == expected_count
+            )
+
+    def test_refresh_models_mixed_operations(self, tenants_fixture):
+        """Test mixed create, update, and delete operations."""
+        # Create provider configuration
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+            base_url=None,
+            is_active=True,
+        )
+        provider_cfg.credentials_decoded = {"api_key": "sk-test123"}
+        provider_cfg.save()
+
+        # Create 2 existing models (A, B)
+        LighthouseProviderModels.objects.create(
+            tenant_id=tenants_fixture[0].id,
+            provider_configuration=provider_cfg,
+            model_id="model-a",
+            model_name="Model A",
+        )
+        LighthouseProviderModels.objects.create(
+            tenant_id=tenants_fixture[0].id,
+            provider_configuration=provider_cfg,
+            model_id="model-b",
+            model_name="Model B",
+        )
+
+        # Mock API to return models B (existing), C (new) - A will be deleted
+        mock_models = {"model-b": "Model B", "model-c": "Model C"}
+        with patch(
+            "tasks.jobs.lighthouse_providers._fetch_openai_models",
+            return_value=mock_models,
+        ):
+            # Execute
+            result = refresh_lighthouse_provider_models_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert
+            assert result["created"] == 1  # model-c created
+            assert result["updated"] == 1  # model-b updated
+            assert result["deleted"] == 1  # model-a deleted
+
+            # Verify only B and C exist
+            remaining_models = LighthouseProviderModels.objects.filter(
+                provider_configuration=provider_cfg
+            )
+            assert remaining_models.count() == 2
+            assert set(remaining_models.values_list("model_id", flat=True)) == {
+                "model-b",
+                "model-c",
+            }
+
+    def test_refresh_models_api_exception(self, tenants_fixture):
+        """Test refresh when API raises an exception."""
+        # Create provider configuration
+        provider_cfg = LighthouseProviderConfiguration(
+            tenant_id=tenants_fixture[0].id,
+            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.OPENAI,
+            base_url=None,
+            is_active=True,
+        )
+        provider_cfg.credentials_decoded = {"api_key": "sk-test123"}
+        provider_cfg.save()
+
+        # Mock fetch to raise exception
+        with patch(
+            "tasks.jobs.lighthouse_providers._fetch_openai_models",
+            side_effect=openai.APIError("API Error", request=MagicMock(), body=None),
+        ):
+            # Execute
+            result = refresh_lighthouse_provider_models_task(
+                provider_config_id=str(provider_cfg.id),
+                tenant_id=str(tenants_fixture[0].id),
+            )
+
+            # Assert
+            assert result["created"] == 0
+            assert result["updated"] == 0
+            assert result["deleted"] == 0
+            assert "error" in result
+            assert result["error"] is not None
@@ -35,7 +35,8 @@ dashboard = dash.Dash(

 # Logo
 prowler_logo = html.Img(
-    src="https://prowler.com/wp-content/uploads/logo-dashboard.png", alt="Prowler Logo"
+    src="https://cdn.prod.website-files.com/68c4ec3f9fb7b154fbcb6e36/68ffb46d40ed7faa37a592a5_prowler-logo.png",
+    alt="Prowler Logo",
 )

 menu_icons = {
@@ -0,0 +1,43 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_3_levels
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    data["REQUIREMENTS_DESCRIPTION"] = (
+        data["REQUIREMENTS_ID"] + " - " + data["REQUIREMENTS_DESCRIPTION"]
+    )
+
+    data["REQUIREMENTS_DESCRIPTION"] = data["REQUIREMENTS_DESCRIPTION"].apply(
+        lambda x: x[:150] + "..." if len(str(x)) > 150 else x
+    )
+
+    data["REQUIREMENTS_ATTRIBUTES_SECTION"] = data[
+        "REQUIREMENTS_ATTRIBUTES_SECTION"
+    ].apply(lambda x: x[:80] + "..." if len(str(x)) > 80 else x)
+
+    data["REQUIREMENTS_ATTRIBUTES_SUBSECTION"] = data[
+        "REQUIREMENTS_ATTRIBUTES_SUBSECTION"
+    ].apply(lambda x: x[:150] + "..." if len(str(x)) > 150 else x)
+
+    aux = data[
+        [
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ]
+
+    return get_section_containers_3_levels(
+        aux,
+        "REQUIREMENTS_ATTRIBUTES_SECTION",
+        "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+        "REQUIREMENTS_DESCRIPTION",
+    )
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,25 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "REQUIREMENTS_DESCRIPTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format3(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "REQUIREMENTS_DESCRIPTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format3(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
@@ -125,11 +125,11 @@ Each check **must** populate the `report.status` and `report.status_extended` fi

 The severity of each check is defined in the metadata file using the `Severity` field. Severity values are always lowercase and must be one of the predefined categories below.

- `critical` – Issue that must be addressed immediately.
- `high` – Issue that should be addressed as soon as possible.
- `medium` – Issue that should be addressed within a reasonable timeframe.
- `low` – Issue that can be addressed in the future.
- `informational` – Not an issue but provides valuable information.
+- `critical` – Highest potential impact with broad exposure that could affect core security boundaries or business operations.
+- `high` – Substantial potential impact with significant exposure that could affect important security controls or resources.
+- `medium` – Moderate potential impact with limited exposure that weakens defense layers but has contained scope.
+- `low` – Minimal potential impact with negligible exposure that represents minor gaps in security posture.
+- `informational` – Provides valuable information but does not affect the security posture.

 If the check involves multiple scenarios that may alter its severity, adjustments can be made dynamically within the check's logic using the severity `report.check_metadata.Severity` attribute:

@@ -4,7 +4,26 @@ title: 'Contributing to Documentation'

 Prowler documentation is built using [Mintlify](https://www.mintlify.com/docs), allowing contributors to easily add or enhance documentation.

-## Installation and Setup
+## Documentation Structure
+
+The Prowler documentation is organized into several sections. The main ones are:
+
+- **Getting Started**: Provides an overview of the Prowler platform and its different solutions, including Prowler Cloud/App, Prowler CLI, Prowler MCP Server, Prowler Hub, and Prowler Lighthouse AI. This section helps new users understand which Prowler solution best fits their needs and includes product comparisons.
+
+- **Guides**: Contains practical tutorials and how-to guides organized by product (Prowler Cloud/App, CLI) and provider (AWS, Azure, GCP, Kubernetes, Microsoft 365, GitHub, etc.). This section covers authentication, integrations, compliance, and advanced usage scenarios.
+
+- **Developer Guide**: Documentation for contributors looking to extend Prowler functionality. This includes guides on creating providers, services, checks, output formats, integrations, and compliance frameworks. Provider-specific implementation details and testing strategies are also covered here.
+
+- **Troubleshooting**: Common issues, error messages, and their solutions. This section helps users resolve problems encountered during installation, configuration, or execution.
+
+
+## AI-Driven Documentation
+
+As mentioned in the [Introduction](/developer-guide/introduction#ai-driven-contributions), we have specialized resources to enhance AI-driven development.
+
+This includes the [AGENTS.md](https://github.com/prowler-cloud/prowler/blob/master/docs/AGENTS.md) file that contains the guidelines and style guide for the AI agents in the Prowler documentation.
+
+## Local Development

 <Steps>
  <Step title="Install Mintlify CLI">
@@ -33,10 +52,10 @@ Prowler documentation is built using [Mintlify](https://www.mintlify.com/docs),
  </Step>

  <Step title="Submit Changes">
-    Once documentation updates are complete, submit a pull request for review.
+    Once documentation updates are complete, [submit a pull request for review](/developer-guide/introduction#sending-the-pull-request).

    The Prowler team will assess and merge contributions.
  </Step>
 </Steps>

-Your efforts help improve Prowler documentation—thank you for contributing!
+Your efforts help improve Prowler documentation. Thank you for contributing! 🤘
@@ -2,19 +2,70 @@
 title: 'Introduction to developing in Prowler'
 ---

-Extending Prowler
+Thanks for your interest in contributing to Prowler!

-Prowler can be extended in various ways, with common use cases including:
+Prowler can be extended in various ways. This guide provides the different ways to contribute and how to get started.

- New security checks
- New compliance frameworks
- New output formats
- New integrations
- New proposed features
+## Contributing to Prowler

-All the relevant information for these cases is included in this guide.
+### Review Current Issues
+Check out our [GitHub Issues](https://github.com/prowler-cloud/prowler/issues) page for ideas to contribute.
+<Columns cols={2}>
+  <Card title="Good First Issue" icon="github" href="https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22">
+    We tag issues as `good first issue` for new contributors. These are typically well-defined and manageable in scope.
+  </Card>
+  <Card title="Help Wanted" icon="github" href="https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22help%20wanted%22">
+    We tag issues as `help wanted` for other issues that require more time to complete.
+  </Card>
+</Columns>

-## Getting the Code and Installing All Dependencies
+### Expand Prowler's Capabilities
+Prowler is constantly evolving. Contributions to checks, services, or integrations help improve the tool for everyone. Here is how to get involved:
+
+<Columns cols={2}>
+  <Card title="Adding New Checks" icon="shield" href="/developer-guide/checks">
+    Want to improve Prowler's detection capabilities for your favorite cloud provider? You can contribute by writing new checks.
+  </Card>
+  <Card title="Adding New Services" icon="server" href="/developer-guide/services">
+    One key service for your favorite cloud provider is missing? Add it to Prowler! Do not forget to include relevant checks to validate functionality.
+  </Card>
+  <Card title="Adding New Providers" icon="cloud" href="/developer-guide/provider">
+    If you would like to extend Prowler to work with a new cloud provider, this typically involves setting up new services and checks to ensure compatibility.
+  </Card>
+  <Card title="Adding New Output Formats" icon="file" href="/developer-guide/outputs">
+    Want to tailor how results are displayed or exported? You can add custom output formats.
+  </Card>
+  <Card title="Adding New Integrations" icon="link" href="/developer-guide/integrations">
+    Prowler can work with other tools and platforms through integrations.
+  </Card>
+  <Card title="Proposing or Implementing Features" icon="lightbulb" href="https://github.com/prowler-cloud/prowler/issues/new?template=feature-request.yml">
+    Propose brand-new features or enhancements to existing ones, or help implement community-requested improvements.
+  </Card>
+</Columns>
+
+### Improve Documentation
+Help make Prowler more accessible by enhancing our documentation, fixing typos, or adding examples/tutorials.
+
+<Columns cols={2}>
+  <Card title="Documentation Guide" icon="book" href="/developer-guide/documentation">
+    Enhance our documentation, fix typos, or add examples/tutorials.
+  </Card>
+</Columns>
+
+### Bug Fixes
+If you find any issues or bugs, you can report them in the [GitHub Issues](https://github.com/prowler-cloud/prowler/issues) page and if you want you can also fix them.
+
+<Columns cols={2}>
+  <Card title="Report a Bug" icon="bug" href="https://github.com/prowler-cloud/prowler/issues/new?template=bug_report.yml">
+    Report or fix issues or bugs.
+  </Card>
+</Columns>
+
+Remember, our community is here to help! If you need guidance, do not hesitate to ask questions in the issues or join our [<Icon icon="slack" /> Slack workspace](https://goto.prowler.com/slack).
+
+
+
+## Setting up your development environment

 ### Prerequisites

@@ -26,11 +77,11 @@ Before proceeding, ensure the following:

 ### Forking the Prowler Repository

-To contribute to Prowler, fork the Prowler GitHub repository. This allows you to propose changes, submit new features, and fix bugs. For guidance on forking, refer to the [official GitHub documentation](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo?tool=webui#forking-a-repository).
+Fork the Prowler GitHub repository to contribute to Prowler. This allows proposing changes, submitting new features, and fixing bugs. For guidance on forking, refer to the [official GitHub documentation](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo?tool=webui#forking-a-repository).

 ### Cloning Your Forked Repository

-Once your fork is created, clone it using the following commands:
+Once your fork is created, clone it using the following commands (replace `<your-github-user>` with your GitHub username):

 ```
 git clone https://github.com/<your-github-user>/prowler
@@ -56,39 +107,7 @@ If your poetry version is below 2.0.0 you must keep using `poetry shell` to acti
 In case you have any doubts, consult the [Poetry environment activation guide](https://python-poetry.org/docs/managing-environments/#activating-the-environment).

 </Warning>
-## Contributing to Prowler

-### Ways to Contribute
-
-Here are some ideas for collaborating with Prowler:
-
-1. **Review Current Issues**: Check out our [GitHub Issues](https://github.com/prowler-cloud/prowler/issues) page. We often tag issues as `good first issue` - these are perfect for new contributors as they are typically well-defined and manageable in scope.
-
-2. **Expand Prowler's Capabilities**: Prowler is constantly evolving, and you can be a part of its growth. Whether you are adding checks, supporting new services, or introducing integrations, your contributions help improve the tool for everyone. Here is how you can get involved:
-
-    - **Adding New Checks**
-    Want to improve Prowler's detection capabilities for your favorite cloud provider? You can contribute by writing new checks. To get started, follow the [create a new check guide](/developer-guide/checks).
-
-    - **Adding New Services**
-    One key service for your favorite cloud provider is missing? Add it to Prowler! To add a new service, check out the [create a new service guide](/developer-guide/services). Do not forget to include relevant checks to validate functionality.
-
-    - **Adding New Providers**
-    If you would like to extend Prowler to work with a new cloud provider, follow the [create a new provider guide](/developer-guide/provider). This typically involves setting up new services and checks to ensure compatibility.
-
-    - **Adding New Output Formats**
-    Want to tailor how results are displayed or exported? You can add custom output formats by following the [create a new output format guide](/developer-guide/outputs).
-
-    - **Adding New Integrations**
-    Prowler can work with other tools and platforms through integrations. If you would like to add one, see the [create a new integration guide](/developer-guide/integrations).
-
-    - **Proposing or Implementing Features**
-    Got an idea to make Prowler better? Whether it is a brand-new feature or an enhancement to an existing one, you are welcome to propose it or help implement community-requested improvements.
-
-3. **Improve Documentation**: Help make Prowler more accessible by enhancing our documentation, fixing typos, or adding examples/tutorials. See the tutorial of how we write our documentation [here](/developer-guide/documentation).
-
-4. **Bug Fixes**: If you find any issues or bugs, you can report them in the [GitHub Issues](https://github.com/prowler-cloud/prowler/issues) page and if you want you can also fix them.
-
-Remember, our community is here to help! If you need guidance, do not hesitate to ask questions in the issues or join our [Slack workspace](https://goto.prowler.com/slack).

 ### Pre-Commit Hooks

@@ -121,6 +140,16 @@ These should have been already installed if `poetry install --with dev` was alre

 Additionally, ensure the latest version of [`TruffleHog`](https://github.com/trufflesecurity/trufflehog) is installed to scan for sensitive data in the code. Follow the official [installation guide](https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#floppy_disk-installation) for setup.

+### AI-Driven Contributions
+
+If you are using AI assistants to help with your contributions, Prowler provides specialized resources to enhance AI-driven development:
+
+- **Prowler MCP Server**: The [Prowler MCP Server](/getting-started/products/prowler-mcp) provides AI assistants with access to the entire Prowler ecosystem, including security checks, compliance frameworks, documentation, and more. This enables AI tools to better understand Prowler's architecture and help you create contributions that align with project standards.
+
+- **AGENTS.md Files**: Each component of the Prowler monorepo includes an `AGENTS.md` file that contains specific guidelines for AI agents working on that component. These files provide context about project structure, coding standards, and best practices. When working on a specific component, refer to the relevant `AGENTS.md` file (e.g., `prowler/AGENTS.md`, `ui/AGENTS.md`, `api/AGENTS.md`) to ensure your AI assistant follows the appropriate guidelines.
+
+These resources help ensure that AI-assisted contributions maintain consistency with Prowler's codebase and development practices.
+
 ### Dependency Management

 All dependencies are listed in the `pyproject.toml` file.
@@ -133,7 +162,7 @@ If you encounter issues when committing to the Prowler repository, use the `--no
 </Note>
 ### Repository Folder Structure

-Understanding the layout of the Prowler codebase will help you quickly find where to add new features, checks, or integrations. The following is a high-level overview from the root of the repository:
+The Prowler codebase layout helps quickly locate where to add new features, checks, or integrations. The following is a high-level overview from the root of the repository:

 ```
 prowler/
@@ -148,7 +177,7 @@ prowler/
 ├── permissions/       # Permission-related files and policies
 ├── contrib/           # Community-contributed scripts or modules
 ├── kubernetes/        # Kubernetes deployment files
-├── .github/           # GitHub related files (workflows, issue templates, etc.)
+├── .github/           # GitHub-related files (workflows, issue templates, etc.)
 ├── pyproject.toml     # Python project configuration (Poetry)
 ├── poetry.lock        # Poetry lock file
 ├── README.md          # Project overview and getting started
@@ -158,19 +187,23 @@ prowler/
 └── ...                # Other supporting files
 ```

-## Pull Request Checklist
+## Sending the Pull Request

-When creating or reviewing a pull request in https://github.com/prowler-cloud/prowler, follow [this checklist](https://github.com/prowler-cloud/prowler/blob/master/.github/pull_request_template.md#checklist).
+When creating or reviewing a pull request in <Icon icon="github" /> [Prowler](https://github.com/prowler-cloud/prowler), follow [this template](https://github.com/prowler-cloud/prowler/blob/master/.github/pull_request_template.md) and fill it with the relevant information:
+
+- **Context** and **Description** of the change: This will help the reviewers to understand the change and the purpose of the pull request.
+- **Steps to review**: A detailed description of how to review the change.
+- **Checklist**: A mandatory checklist of the things that should be reviewed before merging the pull request.

 ## Contribution Appreciation

-If you enjoy swag, we’d love to thank you for your contribution with laptop stickers or other Prowler merchandise!
+If you enjoy swag, we'd love to thank you for your contribution with laptop stickers or other Prowler merchandise!

 To request swag: Share your pull request details in our [Slack workspace](https://goto.prowler.com/slack).

 You can also reach out to Toni de la Fuente on [Twitter](https://twitter.com/ToniBlyx)—his DMs are open!

-# Testing a Pull Request from a Specific Branch
+## Testing a Pull Request from a Specific Branch

 To test Prowler from a specific branch (for example, to try out changes from a pull request before it is merged), you can use `pipx` to install directly from GitHub:

@@ -179,3 +212,5 @@ pipx install "git+https://github.com/prowler-cloud/prowler.git@branch-name"
 ```

 Replace `branch-name` with the name of the branch you want to test. This will install Prowler in an isolated environment, allowing you to try out the changes safely.
+
+For more details on testing go to the [Testing section](/developer-guide/unit-testing) of this documentation.
@@ -4,7 +4,7 @@ title: 'Kubernetes Provider'

 This page details the [Kubernetes](https://kubernetes.io/) provider implementation in Prowler.

-By default, Prowler will audit all namespaces in the Kubernetes cluster accessible by the configured context. To configure it, see the [In-Cluster Execution](/user-guide/providers/kubernetes/in-cluster) or [Non In-Cluster Execution](/user-guide/providers/kubernetes/outside-cluster) guides.
+By default, Prowler will audit all namespaces in the Kubernetes cluster accessible by the configured context. To configure it, see the [In-Cluster Execution](/user-guide/providers/kubernetes/getting-started-k8s#in-cluster-execution) or [Non In-Cluster Execution](/user-guide/providers/kubernetes/getting-started-k8s#non-in-cluster-execution) guides.

 ## Kubernetes Provider Classes Architecture

@@ -98,7 +98,7 @@
                ]
              },
              "user-guide/tutorials/prowler-app-rbac",
-              "user-guide/providers/prowler-app-api-keys",
+              "user-guide/tutorials/prowler-app-api-keys",
              "user-guide/tutorials/prowler-app-mute-findings",
              {
                "group": "Integrations",
@@ -110,6 +110,7 @@
                ]
              },
              "user-guide/tutorials/prowler-app-lighthouse",
+              "user-guide/tutorials/prowler-cloud-public-ips",
              {
                "group": "Tutorials",
                "pages": [
@@ -194,8 +195,7 @@
              {
                "group": "Kubernetes",
                "pages": [
-                  "user-guide/providers/kubernetes/in-cluster",
-                  "user-guide/providers/kubernetes/outside-cluster",
+                  "user-guide/providers/kubernetes/getting-started-k8s",
                  "user-guide/providers/kubernetes/misc"
                ]
              },
@@ -329,6 +329,10 @@
      {
        "tab": "Public Roadmap",
        "href": "https://roadmap.prowler.com/"
+      },
+      {
+        "tab": "API Reference",
+        "openapi": "api-reference/openapi.yml"
      }
    ],
    "global": {
@@ -4,33 +4,29 @@ title: "Configuration"

 Configure your MCP client to connect to Prowler MCP Server.

-## Step 1: Get Your API Key (Optional)
+## Step 1: Get Your API Key

 <Note>
 **Authentication is optional**: Prowler Hub and Prowler Documentation features work without authentication. An API key is only required for Prowler Cloud and Prowler App (Self-Managed) features.
 </Note>

-To use Prowler Cloud or Prowler App (Self-Managed) features. To get the API key, please refer to the [API Keys](/user-guide/providers/prowler-app-api-keys) guide.
+To use Prowler Cloud or Prowler App (Self-Managed) features. To get the API key, please refer to the [API Keys](/user-guide/tutorials/prowler-app-api-keys) guide.

 <Warning>
 Keep the API key secure. Never share it publicly or commit it to version control.
 </Warning>

-## Step 2: Configure Your MCP Client
+## Step 2: Configure Your MCP Host/Client

 Choose the configuration based on your deployment:

- **STDIO Mode**: Local installation only (runs as subprocess).
 - **HTTP Mode**: Prowler Cloud MCP Server or self-hosted Prowler MCP Server.
+- **STDIO Mode**: Local installation only (runs as subprocess of your MCP client).

-### HTTP Mode (Prowler Cloud MCP Server or self-hosted Prowler MCP Server)
+### HTTP Mode

 <Tabs>
-  <Tab title="Native HTTP Support (Cursor, VSCode)">
-    **Clients that support HTTP with custom headers natively**
-
-    For example: Cursor, VSCode, LobeChat, etc.
-
+  <Tab title="Generic Native HTTP Support">
    **Configuration:**
    ```json
    {
@@ -38,20 +34,15 @@ Choose the configuration based on your deployment:
        "prowler": {
          "url": "https://mcp.prowler.com/mcp", // or your self-hosted Prowler MCP Server URL
          "headers": {
-            "Authorization": "Bearer pk_your_api_key_here"
+            "Authorization": "Bearer <your-api-key-here>"
          }
        }
      }
    }
    ```
-
  </Tab>

-  <Tab title="Using mcp-remote (Claude Desktop)">
-    **For clients without native HTTP support (like Claude Desktop)**
-
-    For example: Claude Desktop.
-
+  <Tab title="Generic without Native HTTP Support">
    **Configuration:**
    ```json
    {
@@ -65,26 +56,79 @@ Choose the configuration based on your deployment:
            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
          ],
          "env": {
-            "PROWLER_APP_API_KEY": "pk_your_api_key_here"
+            "PROWLER_APP_API_KEY": "<your-api-key-here>"
          }
        }
      }
    }
    ```
-
    <Info>
    The `mcp-remote` tool acts as a bridge for clients that don't support HTTP natively. Learn more at [mcp-remote on npm](https://www.npmjs.com/package/mcp-remote).
    </Info>
-
  </Tab>
+
+  <Tab title="Claude Desktop">
+    1. Open Claude Desktop settings
+    2. Go to "Developer" tab
+    3. Click in "Edit Config" button
+    4. Edit the `claude_desktop_config.json` file with your favorite editor
+    5. Add the following configuration:
+    ```json
+    {
+      "mcpServers": {
+        "prowler": {
+          "command": "npx",
+          "args": [
+            "mcp-remote",
+            "https://mcp.prowler.com/mcp",
+            "--header",
+            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
+          ],
+          "env": {
+            "PROWLER_APP_API_KEY": "<your-api-key-here>"
+          }
+        }
+      }
+    }
+    ```
+  </Tab>
+
+  <Tab title="Claude Code">
+    Run the following command:
+    ```bash
+    export PROWLER_APP_API_KEY="<your-api-key-here>"
+    claude mcp add --transport http prowler https://mcp.prowler.com/mcp --header "Authorization: Bearer $PROWLER_APP_API_KEY" --scope user
+    ```
+  </Tab>
+
+  <Tab title="Cursor">
+    1. Open Cursor settings
+    2. Go to "Tools & MCP"
+    3. Click in "New MCP Server" button
+    4. Add to the JSON Configuration the following:
+    ```json
+    {
+      "mcpServers": {
+        "prowler": {
+          "url": "https://mcp.prowler.com/mcp",
+          "headers": {
+            "Authorization": "Bearer <your-api-key-here>"
+          }
+        }
+      }
+    }
+    ```
+  </Tab>
+
+
 </Tabs>

-### STDIO Mode (Local Installation Only)
+### STDIO Mode

 STDIO mode is only available when running the MCP server locally.

 <Tabs>
-  <Tab title="Using uvx">
+  <Tab title="Generic uvx installation">
    **Run from source or local installation**

    ```json
@@ -94,7 +138,7 @@ STDIO mode is only available when running the MCP server locally.
          "command": "uvx",
          "args": ["/absolute/path/to/prowler/mcp_server/"],
          "env": {
-            "PROWLER_APP_API_KEY": "pk_your_api_key_here",
+            "PROWLER_APP_API_KEY": "<your-api-key-here>",
            "PROWLER_API_BASE_URL": "https://api.prowler.com"
          }
        }
@@ -108,7 +152,7 @@ STDIO mode is only available when running the MCP server locally.

  </Tab>

-  <Tab title="Using Docker">
+  <Tab title="Generic Docker installation">
    **Run with Docker image**

    ```json
@@ -121,7 +165,7 @@ STDIO mode is only available when running the MCP server locally.
            "--rm",
            "-i",
            "--env",
-            "PROWLER_APP_API_KEY=pk_your_api_key_here",
+            "PROWLER_APP_API_KEY=<your-api-key-here>",
            "--env",
            "PROWLER_API_BASE_URL=https://api.prowler.com",
            "prowlercloud/prowler-mcp"
@@ -154,7 +198,7 @@ Prowler MCP Server supports two authentication methods to connect to Prowler Clo
 Use your Prowler API key directly in the Bearer token:

 ```
-Authorization: Bearer pk_your_api_key_here
+Authorization: Bearer <your-api-key-here>
 ```

 This is the recommended method for most users.
@@ -1,5 +1,5 @@
 ---
-title: 'Installation'
+title: "Installation"
 ---

 ### Installation
@@ -9,41 +9,40 @@ Prowler App supports multiple installation methods based on your environment.
 Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detailed usage instructions.

 <Warning>
-Prowler configuration is based in `.env` files. Every version of Prowler can have differences on that file, so, please, use the file that corresponds with that version or repository branch or tag.
-
+  Prowler configuration is based in `.env` files. Every version of Prowler can have differences on that file, so, please, use the file that corresponds with that version or repository branch or tag.
 </Warning>
+
 <Tabs>
  <Tab title="Docker Compose">
    _Requirements_:

-    * `Docker Compose` installed: https://docs.docker.com/compose/install/.
+    - `Docker Compose` installed: https://docs.docker.com/compose/install/.

    _Commands_:

-    ``` bash
-    curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
-    curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
+    ```bash
+    VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
+    curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
+    curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
    docker compose up -d
    ```

    > Containers are built for `linux/amd64`. If your workstation's architecture is different, please set `DOCKER_DEFAULT_PLATFORM=linux/amd64` in your environment or use the `--platform linux/amd64` flag in the docker command.
-
  </Tab>
  <Tab title="GitHub">
    _Requirements_:

-    * `git` installed.
-    * `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
-    * `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
-    * `Docker Compose` installed: https://docs.docker.com/compose/install/.
+    - `git` installed.
+    - `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
+    - `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
+    - `Docker Compose` installed: https://docs.docker.com/compose/install/.

    <Warning>
-    Make sure to have `api/.env` and `ui/.env.local` files with the required environment variables. You can find the required environment variables in the [`api/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/api/.env.example) and [`ui/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/ui/.env.template) files.
+      Make sure to have `api/.env` and `ui/.env.local` files with the required environment variables. You can find the required environment variables in the [`api/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/api/.env.example) and [`ui/.env.template`](https://github.com/prowler-cloud/prowler/blob/master/ui/.env.template) files.
    </Warning>
-
    _Commands to run the API_:

-    ``` bash
+    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
    poetry install \
@@ -57,17 +56,15 @@ Prowler configuration is based in `.env` files. Every version of Prowler can hav
    ```

    <Warning>
-    Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+      Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.

-    If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment.
-    In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
+      If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment. In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
    </Warning>
-
    > Now, you can access the API documentation at http://localhost:8080/api/v1/docs.

    _Commands to run the API Worker_:

-    ``` bash
+    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
    poetry install \
@@ -80,7 +77,7 @@ Prowler configuration is based in `.env` files. Every version of Prowler can hav

    _Commands to run the API Scheduler_:

-    ``` bash
+    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
    poetry install \
@@ -93,7 +90,7 @@ Prowler configuration is based in `.env` files. Every version of Prowler can hav

    _Commands to run the UI_:

-    ``` bash
+    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/ui \
    npm install \
@@ -104,10 +101,11 @@ Prowler configuration is based in `.env` files. Every version of Prowler can hav
    > Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.

    <Warning>
-    Google and GitHub authentication is only available in [Prowler Cloud](https://prowler.com).
+      Google and GitHub authentication is only available in [Prowler Cloud](https://prowler.com).
    </Warning>
  </Tab>
 </Tabs>
+
 ### Update Prowler App

 Upgrade Prowler App installation using one of two options:
@@ -129,13 +127,12 @@ docker compose pull --policy always

 The `--policy always` flag ensures that Docker pulls the latest images even if they already exist locally.

-
 <Note>
-**What Gets Preserved During Upgrade**
-
-Everything is preserved, nothing will be deleted after the update.
+  **What Gets Preserved During Upgrade**

+  Everything is preserved, nothing will be deleted after the update.
 </Note>
+
 ### Troubleshooting

 If containers don't start, check logs for errors:
@@ -155,7 +152,6 @@ docker compose pull
 docker compose up -d
 ```

-
 ### Container versions

 The available versions of Prowler CLI are the following:
@@ -171,6 +167,5 @@ The available versions of Prowler CLI are the following:
 The container images are available here:

 - Prowler App:
-
-    - [DockerHub - Prowler UI](https://hub.docker.com/r/prowlercloud/prowler-ui/tags)
-    - [DockerHub - Prowler API](https://hub.docker.com/r/prowlercloud/prowler-api/tags)
+  - [DockerHub - Prowler UI](https://hub.docker.com/r/prowlercloud/prowler-ui/tags)
+  - [DockerHub - Prowler API](https://hub.docker.com/r/prowlercloud/prowler-api/tags)
@@ -5,7 +5,7 @@ title: "Overview"
 **Prowler MCP Server** brings the entire Prowler ecosystem to AI assistants through the Model Context Protocol (MCP). It enables seamless integration with AI tools like Claude Desktop, Cursor, and other MCP clients, allowing interaction with Prowler's security capabilities through natural language.

 <Warning>
-**Preview Feature**: This MCP server is currently in preview and under active development. Features and functionality may change. We welcome your feedback—please report any issues on [GitHub](https://github.com/prowler-cloud/prowler/issues) or join our [Slack community](https://goto.prowler.com/slack) to discuss and share your thoughts.
+**Preview Feature**: This MCP server is currently under active development. Features and functionality may change. We welcome your feedback—please report any issues on [GitHub](https://github.com/prowler-cloud/prowler/issues) or join our [Slack community](https://goto.prowler.com/slack) to discuss and share your thoughts.
 </Warning>

 ## What is the Model Context Protocol?
@@ -42,6 +42,15 @@ Search and retrieve official Prowler documentation:
 - **Contextual Results**: Get relevant documentation pages with highlighted snippets.
 - **Document Retrieval**: Access complete markdown content of any documentation file.

+## MCP Server Architecture
+
+The following diagram illustrates the Prowler MCP Server architecture and its integration points:
+
+<img className="block dark:hidden" src="/images/prowler_mcp_schema_light.png" alt="Prowler MCP Server Schema" />
+<img className="hidden dark:block" src="/images/prowler_mcp_schema_dark.png" alt="Prowler MCP Server Schema" />
+
+The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components: Prowler Cloud/App for security operations, Prowler Hub for security knowledge, and Prowler Documentation for guidance and reference.
+
 ## Use Cases

 The Prowler MCP Server enables powerful workflows through AI assistants:
@@ -61,6 +70,59 @@ The Prowler MCP Server enables powerful workflows through AI assistants:
 - "What authentication methods does Prowler support for Azure?"
 - "How can I contribute with a new security check to Prowler?"

+### Example: Creating a custom dashboard with Prowler extracted data
+
+In the next example you can see how to create a dashboard using Prowler MCP Server and Claude Desktop.
+
+**Used Prompt:**
+```
+Generate me a security dashboard for the Prowler open source project using live data from Prowler MCP tools.
+
+REQUIREMENTS:
+1. Fetch real-time data from Prowler Findings using MCP tools
+2. Create a single self-contained HTML file and display it
+3. Dashboard must be production-ready with modern design
+
+DATA TO FETCH:
+Use these MCP tools in this order:
+1. Prowler app list providers - To get all available configured provider in the account
+2. Prowler app get latest findings - To get findings information, if there are so many you can use the filter_fields to get less information, or pagination to get in different batches
+3. For most critical findings you can get more context and remediation with Prowler Hub to get remediations for example
+
+DESIGN REQUIREMENTS:
+- Dark theme (gradient background: #0a0e27 to #131830)
+- Card-based layout with glassmorphism effects
+- Color scheme:
+ * Primary green
+ * Secondary purple
+- Modern, professional look
+- Animated "LIVE DATA" indicator (pulsing green badge)
+- Hover effects on all cards (lift, glow, border color change)
+- Responsive grid layout
+- Mobile-responsive breakpoints at 768px
+- Single HTML file with all CSS and JavaScript embedded
+- No external dependencies
+
+SPECIFIC DETAILS TO INCLUDE:
+- Show actual counts from the data (don't hardcode numbers)
+- Add timestamp showing when dashboard was generated
+- Link to GitHub repository: https://github.com/prowler-cloud/prowler
+
+OUTPUT:
+Generate the complete HTML file and display it
+```
+
+**Video:**
+<iframe
+  className="w-full aspect-video rounded-xl"
+  src="https://www.youtube.com/embed/li29KNmYd4g?si=P3m6eB2z0Cqqse_H"
+  title="Prowler MCP Server - Creating a dashboard"
+  frameBorder="0"
+  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
+  allowFullScreen
+></iframe>
+
+
 ## Deployment Options

 Prowler MCP Server can be used in three ways:
@@ -28,12 +28,12 @@ The supported providers right now are:
 | [AWS](/user-guide/providers/aws/getting-started-aws)                             | Official   | UI, API, CLI |
 | [Azure](/user-guide/providers/azure/getting-started-azure)                       | Official   | UI, API, CLI |
 | [Google Cloud](/user-guide/providers/gcp/getting-started-gcp)                    | Official   | UI, API, CLI |
-| [Kubernetes](/user-guide/providers/kubernetes/in-cluster)                        | Official   | UI, API, CLI |
+| [Kubernetes](/user-guide/providers/kubernetes/getting-started-k8s)               | Official   | UI, API, CLI |
 | [M365](/user-guide/providers/microsoft365/getting-started-m365)                  | Official   | UI, API, CLI |
 | [Github](/user-guide/providers/github/getting-started-github)                    | Official   | UI, API, CLI |
-| [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | CLI          |
-| [Infra as Code](/user-guide/providers/iac/getting-started-iac)                   | Official   | CLI          |
-| [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas) | Official   | CLI          |
+| [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | UI, API, CLI |
+| [Infra as Code](/user-guide/providers/iac/getting-started-iac)                   | Official   | UI, API, CLI |
+| [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas) | Official   | CLI, API     |
 | [LLM](/user-guide/providers/llm/getting-started-llm)                             | Official   | CLI          |
 | **NHN**                                                                          | Unofficial | CLI          |

@@ -48,4 +48,4 @@ For more information about the checks and compliance of each provider visit [Pro
  <Card title="Development Guide" icon="pen-to-square" href="/developer-guide/introduction">
    Interested in contributing to Prowler?
  </Card>
-</Columns>
+</Columns>
--- a/Show More
+++ b/Show More