feat(security): add missing endpoints to allowlist

.github/labeler.yml

@@ -67,11 +67,6 @@ provider/googleworkspace:
       - any-glob-to-any-file: "prowler/providers/googleworkspace/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/**"
 
-provider/vercel:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/vercel/**"
-      - any-glob-to-any-file: "tests/providers/vercel/**"
-
 github_actions:
   - changed-files:
       - any-glob-to-any-file: ".github/workflows/*"
@@ -107,8 +102,6 @@ mutelist:
       - any-glob-to-any-file: "tests/providers/openstack/lib/mutelist/**"
       - any-glob-to-any-file: "prowler/providers/googleworkspace/lib/mutelist/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/vercel/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/vercel/lib/mutelist/**"
 
 integration/s3:
   - changed-files:

.github/test-impact.yml

@@ -177,14 +177,6 @@ modules:
       - tests/providers/llm/**
     e2e: []
 
-  - name: sdk-vercel
-    match:
-      - prowler/providers/vercel/**
-      - prowler/compliance/vercel/**
-    tests:
-      - tests/providers/vercel/**
-    e2e: []
-
   # ============================================
   # SDK - Lib modules
   # ============================================

.github/workflows/api-code-quality.yml

@@ -50,7 +50,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             api/**

.github/workflows/api-container-build-push.yml

@@ -137,18 +137,18 @@ jobs:
           sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push API container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -178,11 +178,14 @@ jobs:
             auth.docker.io:443
             production.cloudflare.docker.com:443
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |

.github/workflows/api-container-checks.yml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: api/Dockerfile
 
@@ -104,7 +104,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: api/**
           files_ignore: |
@@ -115,11 +115,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.API_WORKING_DIR }}
           push: false

.github/workflows/api-security.yml

@@ -53,7 +53,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             api/**
@@ -77,10 +77,9 @@ jobs:
 
       - name: Safety
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check --ignore 79023,79027,86217,71600
+        run: poetry run safety check --ignore 79023,79027,86217
         # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
         # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
-        # TODO: 71600 CVE-2024-1135 false positive - fixed in gunicorn 22.0.0, project uses 23.0.0
 
       - name: Vulture
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-tests.yml

@@ -99,7 +99,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             api/**

.github/workflows/backport.yml

@@ -33,6 +33,8 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+            f27ab01db9584e008c443b7137d16425.apm.europe-west2.gcp.elastic-cloud.com:443
+            github.com:443
 
       - name: Check labels
         id: label_check
@@ -46,7 +48,7 @@ jobs:
 
       - name: Backport PR
         if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@9460b7102fea25466026ce806c9ebf873ac48721 # v11.0.0
+        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
         with:
           github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}

.github/workflows/ci-zizmor.yml

@@ -49,6 +49,6 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
         with:
           token: ${{ github.token }}

.github/workflows/helm-chart-checks.yml

@@ -36,12 +36,12 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Update chart dependencies
         run: helm dependency update ${{ env.CHART_PATH }}

.github/workflows/helm-chart-release.yml

@@ -29,12 +29,12 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 
       - name: Set appVersion from release tag
         run: |

.github/workflows/issue-lock-on-close.yml

@@ -1,51 +0,0 @@
-name: 'Tools: Lock Issue on Close'
-
-on:
-  issues:
-    types:
-      - closed
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-jobs:
-  lock:
-    if: |
-      github.repository == 'prowler-cloud/prowler' &&
-      github.event.issue.locked == false
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
-      - name: Comment and lock issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        with:
-          script: |
-            const { owner, repo } = context.repo;
-            const issue_number = context.payload.issue.number;
-
-            try {
-              await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body: 'This issue is now locked as it has been closed. If you are still hitting a related problem, please open a new issue and link back to this one for context. Thanks!'
-              });
-            } catch (error) {
-              core.warning(`Failed to post lock comment on issue #${issue_number}: ${error.message}`);
-            }
-
-            const lockParams = { owner, repo, issue_number };
-            if (context.payload.issue.state_reason === 'completed') {
-              lockParams.lock_reason = 'resolved';
-            }
-            await github.rest.issues.lock(lockParams);

.github/workflows/issue-triage.lock.yml

@@ -772,7 +772,7 @@ jobs:
           SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Safe Outputs
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: safe-output
           path: ${{ env.GH_AW_SAFE_OUTPUTS }}
@@ -793,13 +793,13 @@ jobs:
             await main();
       - name: Upload sanitized agent output
         if: always() && env.GH_AW_AGENT_OUTPUT
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent-output
           path: ${{ env.GH_AW_AGENT_OUTPUT }}
           if-no-files-found: warn
       - name: Upload engine output files
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent_outputs
           path: |
@@ -839,7 +839,7 @@ jobs:
       - name: Upload agent artifacts
         if: always()
         continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent-artifacts
           path: |
@@ -880,7 +880,7 @@ jobs:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -992,13 +992,13 @@ jobs:
           destination: /opt/gh-aw/actions
       - name: Download agent artifacts
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-artifacts
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/threat-detection/
@@ -1071,7 +1071,7 @@ jobs:
             await main();
       - name: Upload threat detection log
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: threat-detection.log
           path: /tmp/gh-aw/threat-detection/detection.log
@@ -1174,7 +1174,7 @@ jobs:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/

.github/workflows/labeler.yml

@@ -76,7 +76,6 @@ jobs:
             "StylusFrost"
             "toniblyx"
             "davidm4r"
-            "pfe-nazaries"
           )
 
           echo "Checking if $AUTHOR is a member of prowler-cloud organization"

.github/workflows/mcp-container-build-push.yml

@@ -123,18 +123,18 @@ jobs:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push MCP container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -173,11 +173,14 @@ jobs:
             release-assets.githubusercontent.com:443
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |

.github/workflows/mcp-container-checks.yml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: mcp_server/Dockerfile
 
@@ -96,7 +96,7 @@ jobs:
 
       - name: Check for MCP changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: mcp_server/**
           files_ignore: |
@@ -105,11 +105,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build MCP container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.MCP_WORKING_DIR }}
           push: false

.github/workflows/pr-check-changelog.yml

@@ -45,7 +45,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             api/**

.github/workflows/pr-check-compliance-mapping.yml

@@ -1,180 +0,0 @@
-name: 'Tools: Check Compliance Mapping'
-
-on:
-  pull_request:
-    types:
-      - 'opened'
-      - 'synchronize'
-      - 'reopened'
-      - 'labeled'
-      - 'unlabeled'
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  check-compliance-mapping:
-    if: contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            prowler/providers/**/services/**/*.metadata.json
-            prowler/compliance/**/*.json
-
-      - name: Check if new checks are mapped in compliance
-        id: compliance-check
-        run: |
-          ADDED_METADATA="${STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES}"
-          ALL_CHANGED="${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}"
-
-          # Filter only new metadata files (new checks)
-          new_checks=""
-          for f in $ADDED_METADATA; do
-            case "$f" in *.metadata.json) new_checks="$new_checks $f" ;; esac
-          done
-
-          if [ -z "$(echo "$new_checks" | tr -d ' ')" ]; then
-            echo "No new checks detected."
-            echo "has_new_checks=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Collect compliance files changed in this PR
-          changed_compliance=""
-          for f in $ALL_CHANGED; do
-            case "$f" in prowler/compliance/*.json) changed_compliance="$changed_compliance $f" ;; esac
-          done
-
-          UNMAPPED=""
-          MAPPED=""
-
-          for metadata_file in $new_checks; do
-            check_dir=$(dirname "$metadata_file")
-            check_id=$(basename "$check_dir")
-            provider=$(echo "$metadata_file" | cut -d'/' -f3)
-
-            # Read CheckID from the metadata JSON for accuracy
-            if [ -f "$metadata_file" ]; then
-              json_check_id=$(python3 -c "import json; print(json.load(open('$metadata_file')).get('CheckID', ''))" 2>/dev/null || echo "")
-              if [ -n "$json_check_id" ]; then
-                check_id="$json_check_id"
-              fi
-            fi
-
-            # Search for the check ID in compliance files changed in this PR
-            found_in=""
-            for comp_file in $changed_compliance; do
-              if grep -q "\"${check_id}\"" "$comp_file" 2>/dev/null; then
-                found_in="${found_in}$(basename "$comp_file" .json), "
-              fi
-            done
-
-            if [ -n "$found_in" ]; then
-              found_in=$(echo "$found_in" | sed 's/, $//')
-              MAPPED="${MAPPED}- \`${check_id}\` (\`${provider}\`): ${found_in}"$'\n'
-            else
-              UNMAPPED="${UNMAPPED}- \`${check_id}\` (\`${provider}\`)"$'\n'
-            fi
-          done
-
-          echo "has_new_checks=true" >> "$GITHUB_OUTPUT"
-
-          if [ -n "$UNMAPPED" ]; then
-            echo "has_unmapped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "has_unmapped=false" >> "$GITHUB_OUTPUT"
-          fi
-
-          {
-            echo "unmapped<<EOF"
-            echo -e "${UNMAPPED}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-          {
-            echo "mapped<<EOF"
-            echo -e "${MAPPED}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
-
-      - name: Manage compliance review label
-        if: steps.compliance-check.outputs.has_new_checks == 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          HAS_UNMAPPED: ${{ steps.compliance-check.outputs.has_unmapped }}
-        run: |
-          LABEL_NAME="needs-compliance-review"
-
-          if [ "$HAS_UNMAPPED" = "true" ]; then
-            echo "Adding compliance review label to PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
-          else
-            echo "Removing compliance review label from PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
-          fi
-
-      - name: Find existing compliance comment
-        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
-        id: find-comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: 'github-actions[bot]'
-          body-includes: '<!-- compliance-mapping-check -->'
-
-      - name: Create or update compliance comment
-        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          edit-mode: replace
-          body: |
-            <!-- compliance-mapping-check -->
-            ## Compliance Mapping Review
-
-            This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.
-
-            ${{ steps.compliance-check.outputs.unmapped != '' && format('### New checks not mapped to any compliance framework in this PR
-
-            {0}
-
-            > Please review whether these checks should be added to compliance framework requirements in `prowler/compliance/<provider>/`. Each compliance JSON has a `Checks` array inside each requirement — add the check ID there if it satisfies that requirement.', steps.compliance-check.outputs.unmapped) || '' }}
-
-            ${{ steps.compliance-check.outputs.mapped != '' && format('### New checks already mapped in this PR
-
-            {0}', steps.compliance-check.outputs.mapped) || '' }}
-
-            Use the `no-compliance-check` label to skip this check.

.github/workflows/pr-conflict-checker.yml

@@ -39,7 +39,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: '**'
 

.github/workflows/prepare-release.yml

@@ -380,7 +380,7 @@ jobs:
           no-changelog
 
     - name: Create draft release
-      uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
       with:
         tag_name: ${{ env.PROWLER_VERSION }}
         name: Prowler ${{ env.PROWLER_VERSION }}

.github/workflows/sdk-code-quality.yml

@@ -46,7 +46,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: ./**
           files_ignore: |

.github/workflows/sdk-container-build-push.yml

@@ -42,7 +42,6 @@ env:
   # Container registries
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
-  TONIBLYX_DOCKERHUB_REPOSITORY: toniblyx
 
   # AWS configuration (for ECR)
   AWS_REGION: us-east-1
@@ -65,9 +64,10 @@ jobs:
         with:
           egress-policy: block
           allowed-endpoints: >
+            dc.services.visualstudio.com:443
+            files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-            files.pythonhosted.org:443
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -175,21 +175,21 @@ jobs:
         with:
           egress-policy: block
           allowed-endpoints: >
-            api.ecr-public.us-east-1.amazonaws.com:443
-            public.ecr.aws:443
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            auth.docker.io:443
-            debian.map.fastlydns.net:80
-            github.com:443
-            release-assets.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
             _http._tcp.deb.debian.org:443
+            aka.ms:443
+            api.ecr-public.us-east-1.amazonaws.com:443
+            auth.docker.io:443
+            cdn.powershellgallery.com:443
+            debian.map.fastlydns.net:80
+            files.pythonhosted.org:443
+            github.com:443
             powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+            production.cloudflare.docker.com:443
+            public.ecr.aws:443
+            pypi.org:443
+            registry-1.docker.io:443
+            release-assets.githubusercontent.com:443
+            www.powershellgallery.com:443
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -197,13 +197,13 @@ jobs:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -212,12 +212,12 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push SDK container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
           file: ${{ env.DOCKERFILE_PATH }}
@@ -242,23 +242,23 @@ jobs:
         with:
           egress-policy: block
           allowed-endpoints: >
-            registry-1.docker.io:443
-            auth.docker.io:443
-            public.ecr.aws:443
-            production.cloudflare.docker.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
             api.ecr-public.us-east-1.amazonaws.com:443
+            auth.docker.io:443
+            github.com:443
+            production.cloudflare.docker.com:443
+            public.ecr.aws:443
+            registry-1.docker.io:443
+            release-assets.githubusercontent.com:443
 
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -266,11 +266,15 @@ jobs:
         env:
           AWS_REGION: ${{ env.AWS_REGION }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
@@ -281,10 +285,12 @@ jobs:
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
         env:
@@ -292,39 +298,6 @@ jobs:
           NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }}
           NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
 
-      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
-      - name: Login to DockerHub (toniblyx)
-        if: needs.setup.outputs.latest_tag == 'latest'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
-          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
-
-      - name: Push manifests to toniblyx for push event
-        if: needs.setup.outputs.latest_tag == 'latest' && github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest
-
-      - name: Push manifests to toniblyx for release event
-        if: needs.setup.outputs.latest_tag == 'latest' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable
-        env:
-          NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }}
-
-      # Re-login as prowlercloud for cleanup of intermediate tags
-      - name: Login to DockerHub (prowlercloud)
-        if: always()
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Install regctl
         if: always()
         uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main

.github/workflows/sdk-container-checks.yml

@@ -41,7 +41,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: Dockerfile
 
@@ -102,7 +102,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: ./**
           files_ignore: |
@@ -127,11 +127,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build SDK container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
           push: false

.github/workflows/sdk-security.yml

@@ -44,7 +44,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files:
             ./**

.github/workflows/sdk-tests.yml

@@ -67,7 +67,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: ./**
           files_ignore: |
@@ -109,7 +109,7 @@ jobs:
       - name: Check if AWS files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-aws
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/aws/**
@@ -216,11 +216,11 @@ jobs:
           echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
 
           if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
           elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
             echo "No AWS service paths detected; skipping AWS tests."
           else
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
           fi
         env:
           STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
@@ -239,7 +239,7 @@ jobs:
       - name: Check if Azure files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-azure
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/azure/**
@@ -263,7 +263,7 @@ jobs:
       - name: Check if GCP files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-gcp
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/gcp/**
@@ -287,7 +287,7 @@ jobs:
       - name: Check if Kubernetes files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-kubernetes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/kubernetes/**
@@ -311,7 +311,7 @@ jobs:
       - name: Check if GitHub files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-github
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/github/**
@@ -335,7 +335,7 @@ jobs:
       - name: Check if NHN files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-nhn
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/nhn/**
@@ -359,7 +359,7 @@ jobs:
       - name: Check if M365 files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-m365
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/m365/**
@@ -383,7 +383,7 @@ jobs:
       - name: Check if IaC files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-iac
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/iac/**
@@ -407,7 +407,7 @@ jobs:
       - name: Check if MongoDB Atlas files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-mongodbatlas
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/mongodbatlas/**
@@ -431,7 +431,7 @@ jobs:
       - name: Check if OCI files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-oraclecloud
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/oraclecloud/**
@@ -455,7 +455,7 @@ jobs:
       - name: Check if OpenStack files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-openstack
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/openstack/**
@@ -479,7 +479,7 @@ jobs:
       - name: Check if Google Workspace files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-googleworkspace
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/**/googleworkspace/**
@@ -499,35 +499,11 @@ jobs:
           flags: prowler-py${{ matrix.python-version }}-googleworkspace
           files: ./googleworkspace_coverage.xml
 
-      # Vercel Provider
-      - name: Check if Vercel files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-vercel
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ./prowler/**/vercel/**
-            ./tests/**/vercel/**
-            ./poetry.lock
-
-      - name: Run Vercel tests
-        if: steps.changed-vercel.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel
-
-      - name: Upload Vercel coverage to Codecov
-        if: steps.changed-vercel.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-vercel
-          files: ./vercel_coverage.xml
-
       # Lib
       - name: Check if Lib files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-lib
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/lib/**
@@ -551,7 +527,7 @@ jobs:
       - name: Check if Config files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-config
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ./prowler/config/**

.github/workflows/test-impact-analysis.yml

@@ -66,7 +66,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
 
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

.github/workflows/ui-container-build-push.yml

@@ -127,18 +127,18 @@ jobs:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push UI container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           build-args: |
@@ -172,11 +172,14 @@ jobs:
             production.cloudflare.docker.com:443
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |

.github/workflows/ui-container-checks.yml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: ui/Dockerfile
 
@@ -98,7 +98,7 @@ jobs:
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: ui/**
           files_ignore: |
@@ -108,11 +108,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build UI container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ env.UI_WORKING_DIR }}
           target: prod

.github/workflows/ui-e2e-tests-v2.yml

@@ -158,21 +158,21 @@ jobs:
           '
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: '24.13.0'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
-          package_json_file: ui/package.json
+          version: 10
           run_install: false
 
       - name: Get pnpm store directory
         run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm and Next.js cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ${{ env.STORE_PATH }}
@@ -192,7 +192,7 @@ jobs:
         run: pnpm run build
 
       - name: Cache Playwright browsers
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
@@ -259,7 +259,7 @@ jobs:
           fi
 
       - name: Upload test reports
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: failure()
         with:
           name: playwright-report

.github/workflows/ui-tests.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ui/**
@@ -62,7 +62,7 @@ jobs:
       - name: Get changed source files for targeted tests
         id: changed-source
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ui/**/*.ts
@@ -78,7 +78,7 @@ jobs:
       - name: Check for critical path changes (run all tests)
         id: critical-changes
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             ui/lib/**
@@ -90,15 +90,15 @@ jobs:
 
       - name: Setup Node.js ${{ env.NODE_VERSION }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Setup pnpm
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
-          package_json_file: ui/package.json
+          version: 10
           run_install: false
 
       - name: Get pnpm store directory
@@ -108,7 +108,7 @@ jobs:
 
       - name: Setup pnpm and Next.js cache
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ${{ env.STORE_PATH }}

.gitignore

@@ -60,7 +60,6 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
-.mcp.json
 
 # AI Coding Assistants - Cursor
 .cursorignore

.pre-commit-config.yaml

@@ -128,8 +128,7 @@ repos:
         # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
         # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
         # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
-        # TODO: 71600 CVE-2024-1135 false positive - fixed in gunicorn 22.0.0, project uses 23.0.0
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217,71600'
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217'
         language: system
 
       - id: vulture

README.md

@@ -3,7 +3,7 @@
   <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
-  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
+  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
 <b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
@@ -41,7 +41,7 @@
 
 # Description
 
-**Prowler** is the world’s most widely used _Open-Source Cloud Security Platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY Cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
 
 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:
 
@@ -119,7 +119,6 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
 | Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
 | OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
-| Vercel | 30 | 6 | 0 | 5 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]
@@ -240,21 +239,6 @@ pnpm start
 
 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
 
-**Pre-commit Hooks Setup**
-
-Some pre-commit hooks require tools installed on your system:
-
-1. **Install [TruffleHog](https://github.com/trufflesecurity/trufflehog#install)** (secret scanning) — see the [official installation options](https://github.com/trufflesecurity/trufflehog#install).
-
-2. **Install [Safety](https://github.com/pyupio/safety)** (dependency vulnerability checking):
-
-    ```console
-    # Requires a Python environment (e.g. via pyenv)
-    pip install safety
-    ```
-
-3. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
-
 ## Prowler CLI
 ### Pip package
 Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >=3.10, <3.13:
@@ -317,10 +301,7 @@ python prowler-cli.py -v
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
 - **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.
 
-![Prowler App Architecture](docs/images/products/prowler-app-architecture.png)
-
-<!-- Diagram source: docs/images/products/prowler-app-architecture.mmd — edit there, re-render at https://mermaid.live, and replace the PNG. -->
-
+![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)
 
 ## Prowler CLI
 

api/CHANGELOG.md

@@ -2,26 +2,19 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.24.0] (Prowler v5.23.0)
+## [1.24.0] (Prowler UNRELEASED)
 
 ### 🚀 Added
 
-- RBAC role lookup filtered by `tenant_id` to prevent cross-tenant privilege leak [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
 - `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
-- `Vercel` provider support [(#10190)](https://github.com/prowler-cloud/prowler/pull/10190)
-- Finding groups list and latest endpoints support `sort=delta`, ordering by `new_count` then `changed_count` so groups with the most new findings rank highest [(#10606)](https://github.com/prowler-cloud/prowler/pull/10606)
-- Finding group resources endpoints (`/finding-groups/{check_id}/resources` and `/finding-groups/latest/{check_id}/resources`) now expose `finding_id` per row, pointing to the most recent matching Finding for each resource. UUIDv7 ordering guarantees `Max(finding__id)` resolves to the latest snapshot [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
-- Handle CIS and CISA SCuBA compliance framework from google workspace [(#10629)](https://github.com/prowler-cloud/prowler/pull/10629)
 
 ### 🔄 Changed
 
-- Finding groups list/latest/resources now expose `status` ∈ `{FAIL, PASS, MANUAL}` and `muted: bool` as orthogonal fields. The aggregated `status` reflects the underlying check outcome regardless of mute state, and `muted=true` signals that every finding in the group/resource is muted. New `manual_count` is exposed alongside `pass_count`/`fail_count`, plus `pass_muted_count`/`fail_muted_count`/`manual_muted_count` siblings so clients can isolate the muted half of each status. The `new_*`/`changed_*` deltas are now broken down by status and mute state via 12 new counters (`new_fail_count`, `new_fail_muted_count`, `new_pass_count`, `new_pass_muted_count`, `new_manual_count`, `new_manual_muted_count` and the matching `changed_*` set). New `filter[muted]=true|false` and `sort=status` (FAIL > PASS > MANUAL) / `sort=muted` are supported. `filter[status]=MUTED` is no longer accepted [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
 - Attack Paths: Periodic cleanup of stale scans with dead-worker detection via Celery inspect, marking orphaned `EXECUTING` scans as `FAILED` and recovering `graph_data_ready` [(#10387)](https://github.com/prowler-cloud/prowler/pull/10387)
 - Attack Paths: Replace `_provider_id` property with `_Provider_{uuid}` label for provider isolation, add regex-based label injection for custom queries [(#10402)](https://github.com/prowler-cloud/prowler/pull/10402)
 
 ### 🐞 Fixed
 
-- `reaggregate_all_finding_group_summaries_task` now refreshes finding group daily summaries for every `(provider, day)` combination instead of only the latest scan per provider, matching the unbounded scope of `mute_historical_findings_task`. Mute rule operations no longer leave older daily summaries drifting from the underlying muted findings [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
 - Finding groups list/latest now apply computed status/severity filters and finding-level prefilters (delta, region, service, category, resource group, scan, resource type), plus `check_title` support for sort/filter consistency [(#10428)](https://github.com/prowler-cloud/prowler/pull/10428)
 - Populate compliance data inside `check_metadata` for findings, which was always returned as `null` [(#10449)](https://github.com/prowler-cloud/prowler/pull/10449)
 - 403 error for admin users listing tenants due to roles query not using the admin database connection [(#10460)](https://github.com/prowler-cloud/prowler/pull/10460)
@@ -30,16 +23,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - Finding groups muted filter, counters, metadata extraction and mute reaggregation [(#10477)](https://github.com/prowler-cloud/prowler/pull/10477)
 - Finding groups `check_title__icontains` resolution, `name__icontains` resource filter and `resource_group` field in `/resources` response [(#10486)](https://github.com/prowler-cloud/prowler/pull/10486)
 - Membership `post_delete` signal using raw FK ids to avoid `DoesNotExist` during cascade deletions [(#10497)](https://github.com/prowler-cloud/prowler/pull/10497)
-- Finding group resources endpoints returning false 404 when filters match no results, and `sort` parameter being ignored [(#10510)](https://github.com/prowler-cloud/prowler/pull/10510)
-- Jira integration failing with `JiraInvalidIssueTypeError` on non-English Jira instances due to hardcoded `"Task"` issue type; now dynamically fetches available issue types per project [(#10534)](https://github.com/prowler-cloud/prowler/pull/10534)
-- Finding group `first_seen_at` now reflects when a new finding appeared in the scan instead of the oldest carry-forward date across all unchanged findings [(#10595)](https://github.com/prowler-cloud/prowler/pull/10595)
-- Attack Paths: Remove `clear_cache` call from read-only query endpoints; cache clearing belongs to the scan/ingestion flow, not API queries [(#10586)](https://github.com/prowler-cloud/prowler/pull/10586)
 
 ### 🔐 Security
 
 - Pin all unpinned dependencies to exact versions to prevent supply chain attacks and ensure reproducible builds [(#10469)](https://github.com/prowler-cloud/prowler/pull/10469)
-- `authlib` bumped from 1.6.6 to 1.6.9 to fix CVE-2026-28802 (JWT `alg: none` validation bypass) [(#10579)](https://github.com/prowler-cloud/prowler/pull/10579)
-- `aiohttp` bumped from 3.13.3 to 3.13.5 to fix CVE-2026-34520 (the C parser accepted null bytes and control characters in response headers) [(#10538)](https://github.com/prowler-cloud/prowler/pull/10538)
 
 ---
 

api/pyproject.toml

@@ -25,7 +25,7 @@ dependencies = [
   "defusedxml==0.7.1",
   "gunicorn==23.0.0",
   "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.23",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
   "psycopg2-binary==2.9.9",
   "pytest-celery[redis] (==1.3.0)",
   "sentry-sdk[django] (==2.56.0)",

api/src/backend/api/base_views.py

@@ -1,10 +1,10 @@
 from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
 from rest_framework import permissions
 from rest_framework.exceptions import NotAuthenticated
 from rest_framework.filters import SearchFilter
 from rest_framework.permissions import SAFE_METHODS
-from rest_framework.response import Response
 from rest_framework_json_api import filters
 from rest_framework_json_api.views import ModelViewSet
 
@@ -12,7 +12,7 @@ from api.authentication import CombinedJWTOrAPIKeyAuthentication
 from api.db_router import MainRouter, reset_read_db_alias, set_read_db_alias
 from api.db_utils import POSTGRES_USER_VAR, rls_transaction
 from api.filters import CustomDjangoFilterBackend
-from api.models import Role, UserRoleRelationship
+from api.models import Role, Tenant
 from api.rbac.permissions import HasPermissions
 
 
@@ -113,22 +113,27 @@ class BaseTenantViewset(BaseViewSet):
             if request is not None:
                 request.db_alias = self.db_alias
 
-            if request.method == "POST":
-                with transaction.atomic(using=MainRouter.admin_db):
-                    tenant = super().dispatch(request, *args, **kwargs)
-                    if isinstance(tenant, Response) and tenant.status_code == 201:
-                        self._create_admin_role(tenant.data["id"])
-                    return tenant
-            else:
-                with transaction.atomic(using=self.db_alias):
-                    return super().dispatch(request, *args, **kwargs)
+            with transaction.atomic(using=self.db_alias):
+                tenant = super().dispatch(request, *args, **kwargs)
+
+            try:
+                # If the request is a POST, create the admin role
+                if request.method == "POST":
+                    isinstance(tenant, dict) and self._create_admin_role(
+                        tenant.data["id"]
+                    )
+            except Exception as e:
+                self._handle_creation_error(e, tenant)
+                raise
+
+            return tenant
         finally:
             if alias_token is not None:
                 reset_read_db_alias(alias_token)
             self.db_alias = MainRouter.default_db
 
     def _create_admin_role(self, tenant_id):
-        admin_role = Role.objects.using(MainRouter.admin_db).create(
+        Role.objects.using(MainRouter.admin_db).create(
             name="admin",
             tenant_id=tenant_id,
             manage_users=True,
@@ -139,11 +144,15 @@ class BaseTenantViewset(BaseViewSet):
             manage_scans=True,
             unlimited_visibility=True,
         )
-        UserRoleRelationship.objects.using(MainRouter.admin_db).create(
-            user=self.request.user,
-            role=admin_role,
-            tenant_id=tenant_id,
-        )
+
+    def _handle_creation_error(self, error, tenant):
+        if tenant.data.get("id"):
+            try:
+                Tenant.objects.using(MainRouter.admin_db).filter(
+                    id=tenant.data["id"]
+                ).delete()
+            except ObjectDoesNotExist:
+                pass  # Tenant might not exist, handle gracefully
 
     def initial(self, request, *args, **kwargs):
         if request.auth is None:

api/src/backend/api/filters.py

@@ -434,7 +434,6 @@ class ScanFilter(ProviderRelationshipFilterSet):
     class Meta:
         model = Scan
         fields = {
-            "id": ["exact", "in"],
             "provider": ["exact", "in"],
             "name": ["exact", "icontains"],
             "started_at": ["gte", "lte"],
@@ -1115,14 +1114,13 @@ class FindingGroupAggregatedComputedFilter(FilterSet):
     STATUS_CHOICES = (
         ("FAIL", "Fail"),
         ("PASS", "Pass"),
-        ("MANUAL", "Manual"),
+        ("MUTED", "Muted"),
     )
 
     status = ChoiceFilter(method="filter_status", choices=STATUS_CHOICES)
     status__in = CharInFilter(method="filter_status_in", lookup_expr="in")
     severity = ChoiceFilter(method="filter_severity", choices=SeverityChoices)
     severity__in = CharInFilter(method="filter_severity_in", lookup_expr="in")
-    muted = BooleanFilter(field_name="muted")
     include_muted = BooleanFilter(method="filter_include_muted")
 
     def filter_status(self, queryset, name, value):
@@ -1199,7 +1197,7 @@ class FindingGroupAggregatedComputedFilter(FilterSet):
         if value is True:
             return queryset
         # include_muted=false: exclude fully-muted groups
-        return queryset.exclude(muted=True)
+        return queryset.exclude(fail_count=0, pass_count=0, muted_count__gt=0)
 
 
 class ProviderSecretFilter(FilterSet):

api/src/backend/api/migrations/0087_vercel_provider.py

@@ -1,40 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0086_attack_paths_cleanup_periodic_task"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                    ("vercel", "Vercel"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'vercel';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/migrations/0088_finding_group_status_muted_fields.py

@@ -1,95 +0,0 @@
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0087_vercel_provider"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="muted",
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_fail_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_pass_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_fail_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_pass_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-    ]

api/src/backend/api/migrations/0089_backfill_finding_group_status_muted.py

@@ -1,31 +0,0 @@
-from django.db import migrations
-from tasks.tasks import backfill_finding_group_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Re-dispatch the finding-group backfill task for every tenant so the new
-    `manual_count` and `muted` columns added in 0088 get populated from the
-    last 10 days of completed scans.
-
-    The aggregator (`aggregate_finding_group_summaries`) recomputes every
-    column on each call, so it back-populates the new fields without touching
-    the existing ones beyond a normal upsert.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_finding_group_summaries_task.delay(tenant_id=str(tenant_id), days=10)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0088_finding_group_status_muted_fields"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]

api/src/backend/api/models.py

@@ -4,11 +4,11 @@ import re
 from datetime import datetime, timedelta, timezone
 from uuid import UUID, uuid4
 
-import defusedxml
 from allauth.socialaccount.models import SocialApp
 from config.custom_logging import BackendLogger
 from config.settings.social_login import SOCIALACCOUNT_PROVIDERS
 from cryptography.fernet import Fernet, InvalidToken
+import defusedxml
 from defusedxml import ElementTree as ET
 from django.conf import settings
 from django.contrib.auth.models import AbstractBaseUser
@@ -295,7 +295,6 @@ class Provider(RowLevelSecurityProtectedModel):
         OPENSTACK = "openstack", _("OpenStack")
         IMAGE = "image", _("Image")
         GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
-        VERCEL = "vercel", _("Vercel")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -439,15 +438,6 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
-    @staticmethod
-    def validate_vercel_uid(value):
-        if not re.match(r"^team_[a-zA-Z0-9]{16,32}$", value):
-            raise ModelValidationError(
-                detail="Vercel provider ID must be a valid Vercel Team ID (e.g., team_xxxxxxxxxxxxxxxxxxxxxxxx).",
-                code="vercel-uid",
-                pointer="/data/attributes/uid",
-            )
-
     @staticmethod
     def validate_image_uid(value):
         if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9._/:@-]{2,249}$", value):
@@ -1748,45 +1738,15 @@ class FindingGroupDailySummary(RowLevelSecurityProtectedModel):
     # Severity stored as integer for MAX aggregation (5=critical, 4=high, etc.)
     severity_order = models.SmallIntegerField(default=1)
 
-    # Finding counts (inclusive of muted findings; use the `muted` flag to
-    # tell whether the group has any actionable findings).
+    # Finding counts
     pass_count = models.IntegerField(default=0)
     fail_count = models.IntegerField(default=0)
-    manual_count = models.IntegerField(default=0)
     muted_count = models.IntegerField(default=0)
 
-    # Status counts restricted to muted findings, so clients can isolate the
-    # muted half of each status (e.g. `pass_count - pass_muted_count` gives the
-    # actionable PASS findings).
-    pass_muted_count = models.IntegerField(default=0)
-    fail_muted_count = models.IntegerField(default=0)
-    manual_muted_count = models.IntegerField(default=0)
-
-    # Whether every finding for this (provider, check, day) is muted.
-    muted = models.BooleanField(default=False)
-
-    # Delta counts (non-muted, kept for convenience and as a "total" view).
+    # Delta counts
     new_count = models.IntegerField(default=0)
     changed_count = models.IntegerField(default=0)
 
-    # Delta breakdown by (status, muted) so clients can answer questions like
-    # "how many new failing findings appeared in this scan?" without scanning
-    # the underlying findings table. Mirrors the existing pass/fail/manual
-    # naming, with `_muted_count` siblings tracking the muted half of each
-    # bucket explicitly.
-    new_fail_count = models.IntegerField(default=0)
-    new_fail_muted_count = models.IntegerField(default=0)
-    new_pass_count = models.IntegerField(default=0)
-    new_pass_muted_count = models.IntegerField(default=0)
-    new_manual_count = models.IntegerField(default=0)
-    new_manual_muted_count = models.IntegerField(default=0)
-    changed_fail_count = models.IntegerField(default=0)
-    changed_fail_muted_count = models.IntegerField(default=0)
-    changed_pass_count = models.IntegerField(default=0)
-    changed_pass_muted_count = models.IntegerField(default=0)
-    changed_manual_count = models.IntegerField(default=0)
-    changed_manual_muted_count = models.IntegerField(default=0)
-
     # Resource counts
     resources_fail = models.IntegerField(default=0)
     resources_total = models.IntegerField(default=0)

api/src/backend/api/rbac/permissions.py

@@ -1,7 +1,7 @@
 from enum import Enum
+from typing import Optional
 
 from django.db.models import QuerySet
-from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import BasePermission
 
 from api.db_router import MainRouter
@@ -29,17 +29,11 @@ class HasPermissions(BasePermission):
         if not required_permissions:
             return True
 
-        tenant_id = getattr(request, "tenant_id", None)
-        if not tenant_id:
-            tenant_id = request.auth.get("tenant_id") if request.auth else None
-        if not tenant_id:
-            return False
-
         user_roles = (
             User.objects.using(MainRouter.admin_db)
             .get(id=request.user.id)
             .roles.using(MainRouter.admin_db)
-            .filter(tenant_id=tenant_id)
+            .all()
         )
         if not user_roles:
             return False
@@ -51,17 +45,14 @@ class HasPermissions(BasePermission):
         return True
 
 
-def get_role(user: User, tenant_id: str) -> Role:
+def get_role(user: User) -> Optional[Role]:
     """
-    Retrieve the role assigned to the given user in the specified tenant.
+    Retrieve the first role assigned to the given user.
 
-    Raises:
-        PermissionDenied: If the user has no role in the given tenant.
+    Returns:
+        The user's first Role instance if the user has any roles, otherwise None.
     """
-    role = user.roles.using(MainRouter.admin_db).filter(tenant_id=tenant_id).first()
-    if role is None:
-        raise PermissionDenied("User has no role in this tenant.")
-    return role
+    return user.roles.first()
 
 
 def get_providers(role: Role) -> QuerySet[Provider]:

api/src/backend/api/specs/v1.yaml

@@ -372,7 +372,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -388,7 +387,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -411,7 +409,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -429,7 +426,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -1355,7 +1351,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -1371,7 +1366,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -1833,7 +1827,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -1849,7 +1842,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -1872,7 +1864,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -1890,7 +1881,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -2439,7 +2429,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -2455,7 +2444,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2478,7 +2466,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -2496,7 +2483,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -2953,7 +2939,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -2969,7 +2954,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2992,7 +2976,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -3010,7 +2993,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -3465,7 +3447,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -3481,7 +3462,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -3504,7 +3484,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -3522,7 +3501,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -3965,7 +3943,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -3981,7 +3958,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -4004,7 +3980,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -4022,7 +3997,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -5806,7 +5780,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -5822,7 +5795,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -5845,7 +5817,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -5863,7 +5834,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -5985,7 +5955,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6001,7 +5970,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6024,7 +5992,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6042,7 +6009,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -6153,7 +6119,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6169,7 +6134,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6191,7 +6155,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6209,7 +6172,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -6352,7 +6314,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6368,7 +6329,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6391,7 +6351,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6409,7 +6368,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -6565,7 +6523,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6581,7 +6538,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6604,7 +6560,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6622,7 +6577,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -6772,7 +6726,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6788,7 +6741,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6810,7 +6762,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6828,7 +6779,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -7020,7 +6970,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -7036,7 +6985,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7059,7 +7007,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7077,7 +7024,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -7198,7 +7144,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -7214,7 +7159,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7237,7 +7181,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7255,7 +7198,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -7400,7 +7342,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -7416,7 +7357,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7439,7 +7379,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7457,7 +7396,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -8243,7 +8181,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -8259,7 +8196,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider__in]
         schema:
@@ -8282,7 +8218,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -8300,7 +8235,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -8323,7 +8257,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -8339,7 +8272,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -8362,7 +8294,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -8380,7 +8311,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -9050,7 +8980,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -9066,7 +8995,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -9089,7 +9017,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -9107,7 +9034,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -9601,7 +9527,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -9617,7 +9542,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -9640,7 +9564,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -9658,7 +9581,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -9965,7 +9887,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -9981,7 +9902,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -10004,7 +9924,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -10022,7 +9941,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -10335,7 +10253,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -10351,7 +10268,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -10374,7 +10290,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -10392,7 +10307,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -11215,7 +11129,6 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
-          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -11231,7 +11144,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -11254,7 +11166,6 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
-            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -11272,7 +11183,6 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
-          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -18553,15 +18463,6 @@ components:
                     required:
                     - clouds_yaml_content
                     - clouds_yaml_cloud
-                  - type: object
-                    title: Vercel API Token
-                    properties:
-                      api_token:
-                        type: string
-                        description: Vercel API token for authentication. Can be scoped
-                          to a specific team.
-                    required:
-                    - api_token
                   writeOnly: true
               required:
               - secret
@@ -19564,7 +19465,6 @@ components:
               - openstack
               - image
               - googleworkspace
-              - vercel
               type: string
               description: |-
                 * `aws` - AWS
@@ -19581,7 +19481,6 @@ components:
                 * `openstack` - OpenStack
                 * `image` - Image
                 * `googleworkspace` - Google Workspace
-                * `vercel` - Vercel
               x-spec-enum-id: c0d56cad8ab9abe5
             uid:
               type: string
@@ -19702,7 +19601,6 @@ components:
               - openstack
               - image
               - googleworkspace
-              - vercel
               type: string
               x-spec-enum-id: c0d56cad8ab9abe5
               description: |-
@@ -19722,7 +19620,6 @@ components:
                 * `openstack` - OpenStack
                 * `image` - Image
                 * `googleworkspace` - Google Workspace
-                * `vercel` - Vercel
             uid:
               type: string
               title: Unique identifier for the provider, set by the provider
@@ -19774,7 +19671,6 @@ components:
                   - openstack
                   - image
                   - googleworkspace
-                  - vercel
                   type: string
                   x-spec-enum-id: c0d56cad8ab9abe5
                   description: |-
@@ -19794,7 +19690,6 @@ components:
                     * `openstack` - OpenStack
                     * `image` - Image
                     * `googleworkspace` - Google Workspace
-                    * `vercel` - Vercel
                 uid:
                   type: string
                   minLength: 3
@@ -20644,15 +20539,6 @@ components:
                 required:
                 - clouds_yaml_content
                 - clouds_yaml_cloud
-              - type: object
-                title: Vercel API Token
-                properties:
-                  api_token:
-                    type: string
-                    description: Vercel API token for authentication. Can be scoped
-                      to a specific team.
-                required:
-                - api_token
               writeOnly: true
           required:
           - secret_type
@@ -21069,15 +20955,6 @@ components:
                     required:
                     - clouds_yaml_content
                     - clouds_yaml_cloud
-                  - type: object
-                    title: Vercel API Token
-                    properties:
-                      api_token:
-                        type: string
-                        description: Vercel API token for authentication. Can be scoped
-                          to a specific team.
-                    required:
-                    - api_token
                   writeOnly: true
               required:
               - secret_type
@@ -21504,15 +21381,6 @@ components:
                 required:
                 - clouds_yaml_content
                 - clouds_yaml_cloud
-              - type: object
-                title: Vercel API Token
-                properties:
-                  api_token:
-                    type: string
-                    description: Vercel API token for authentication. Can be scoped
-                      to a specific team.
-                required:
-                - api_token
               writeOnly: true
           required:
           - secret

api/src/backend/api/tests/integration/test_authentication.py

@@ -215,21 +215,6 @@ class TestTokenSwitchTenant:
         tenant_id = tenants_fixture[0].id
         user_instance = User.objects.get(email=test_user)
         Membership.objects.create(user=user_instance, tenant_id=tenant_id)
-        # Assign an admin role in the target tenant so the user can access resources
-        target_role = Role.objects.create(
-            name="admin",
-            tenant_id=tenant_id,
-            manage_users=True,
-            manage_account=True,
-            manage_billing=True,
-            manage_providers=True,
-            manage_integrations=True,
-            manage_scans=True,
-            unlimited_visibility=True,
-        )
-        UserRoleRelationship.objects.create(
-            user=user_instance, role=target_role, tenant_id=tenant_id
-        )
 
         # Check that using our new user's credentials we can authenticate and get the providers
         access_token, _ = get_api_tokens(client, test_user, test_password)

api/src/backend/api/tests/test_rbac.py

@@ -2,7 +2,7 @@ import json
 from unittest.mock import ANY, Mock, patch
 
 import pytest
-from conftest import TEST_PASSWORD, TODAY
+from conftest import TODAY
 from django.urls import reverse
 from rest_framework import status
 
@@ -830,66 +830,3 @@ class TestUserRoleLinkPermissions:
         )
 
         assert response.status_code == status.HTTP_403_FORBIDDEN
-
-
-@pytest.mark.django_db
-class TestCrossTenantRoleLeak:
-    """Regression tests for get_role() cross-tenant privilege leak.
-
-    get_role() must query admin_db (bypassing RLS) so that a user with a role
-    in tenant A cannot accidentally pass role checks when authenticated against
-    tenant B where they have no role.
-    """
-
-    def test_user_with_role_in_tenant_a_denied_in_tenant_b(self, tenants_fixture):
-        """User has admin role in tenant A, membership in tenant B but no role.
-        Hitting an RBAC-protected endpoint with a tenant-B token must return 403."""
-        from rest_framework.test import APIClient
-
-        tenant_a = tenants_fixture[0]
-        tenant_b = tenants_fixture[1]
-
-        user = User.objects.create_user(
-            name="cross_tenant_user",
-            email="cross_tenant@test.com",
-            password=TEST_PASSWORD,
-        )
-        Membership.objects.create(
-            user=user, tenant=tenant_a, role=Membership.RoleChoices.OWNER
-        )
-        Membership.objects.create(
-            user=user, tenant=tenant_b, role=Membership.RoleChoices.OWNER
-        )
-
-        # Role only in tenant A
-        role = Role.objects.create(
-            name="admin",
-            tenant_id=tenant_a.id,
-            manage_users=True,
-            manage_account=True,
-            manage_billing=True,
-            manage_providers=True,
-            manage_integrations=True,
-            manage_scans=True,
-            unlimited_visibility=True,
-        )
-        UserRoleRelationship.objects.create(user=user, role=role, tenant_id=tenant_a.id)
-
-        # Mint token scoped to tenant B (where user has NO role)
-        serializer = TokenSerializer(
-            data={
-                "type": "tokens",
-                "email": "cross_tenant@test.com",
-                "password": TEST_PASSWORD,
-                "tenant_id": tenant_b.id,
-            }
-        )
-        serializer.is_valid(raise_exception=True)
-        access_token = serializer.validated_data["access"]
-
-        client = APIClient()
-        client.defaults["HTTP_AUTHORIZATION"] = f"Bearer {access_token}"
-
-        # user-list requires manage_users permission via HasPermissions
-        response = client.get(reverse("user-list"))
-        assert response.status_code == status.HTTP_403_FORBIDDEN

api/src/backend/api/tests/test_utils.py

@@ -33,7 +33,6 @@ from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
 from prowler.providers.openstack.openstack_provider import OpenstackProvider
 from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
-from prowler.providers.vercel.vercel_provider import VercelProvider
 
 
 class TestMergeDicts:
@@ -129,7 +128,6 @@ class TestReturnProwlerProvider:
             (Provider.ProviderChoices.CLOUDFLARE.value, CloudflareProvider),
             (Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
             (Provider.ProviderChoices.IMAGE.value, ImageProvider),
-            (Provider.ProviderChoices.VERCEL.value, VercelProvider),
         ],
     )
     def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -220,24 +218,6 @@ class TestProwlerProviderConnectionTest:
             registry_token="tok123",
         )
 
-    @patch("api.utils.return_prowler_provider")
-    def test_prowler_provider_connection_test_vercel_provider(
-        self, mock_return_prowler_provider
-    ):
-        """Test connection test for Vercel provider passes team_id."""
-        provider = MagicMock()
-        provider.uid = "team_abcdef1234567890"
-        provider.provider = Provider.ProviderChoices.VERCEL.value
-        provider.secret.secret = {"api_token": "vercel_token_123"}
-        mock_return_prowler_provider.return_value = MagicMock()
-
-        prowler_provider_connection_test(provider)
-        mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
-            api_token="vercel_token_123",
-            team_id="team_abcdef1234567890",
-            raise_on_exception=False,
-        )
-
     @patch("api.utils.return_prowler_provider")
     def test_prowler_provider_connection_test_image_provider_no_creds(
         self, mock_return_prowler_provider
@@ -304,10 +284,6 @@ class TestGetProwlerProviderKwargs:
                 Provider.ProviderChoices.OPENSTACK.value,
                 {},
             ),
-            (
-                Provider.ProviderChoices.VERCEL.value,
-                {"team_id": "provider_uid"},
-            ),
         ],
     )
     def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -806,15 +782,11 @@ class TestProwlerIntegrationConnectionTest:
         }
         integration.configuration = {}
 
-        # Mock successful JIRA connection with projects and issue types
+        # Mock successful JIRA connection with projects
         mock_connection = MagicMock()
         mock_connection.is_connected = True
         mock_connection.error = None
         mock_connection.projects = {"PROJ1": "Project 1", "PROJ2": "Project 2"}
-        mock_connection.issue_types = {
-            "PROJ1": ["Task", "Bug"],
-            "PROJ2": ["Task", "Story"],
-        }
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -843,12 +815,6 @@ class TestProwlerIntegrationConnectionTest:
             "PROJ2": "Project 2",
         }
 
-        # Verify issue types were saved to integration configuration
-        assert integration.configuration["issue_types"] == {
-            "PROJ1": ["Task", "Bug"],
-            "PROJ2": ["Task", "Story"],
-        }
-
         # Verify integration.save() was called
         integration.save.assert_called_once()
 
@@ -872,7 +838,6 @@ class TestProwlerIntegrationConnectionTest:
         mock_connection.is_connected = False
         mock_connection.error = Exception("Authentication failed: Invalid credentials")
         mock_connection.projects = {}  # Empty projects when connection fails
-        mock_connection.issue_types = {}  # Empty issue types when connection fails
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -898,9 +863,6 @@ class TestProwlerIntegrationConnectionTest:
         # Verify empty projects dict was saved to integration configuration
         assert integration.configuration["projects"] == {}
 
-        # Verify empty issue types dict was saved to integration configuration
-        assert integration.configuration["issue_types"] == {}
-
         # Verify integration.save() was called even on connection failure
         integration.save.assert_called_once()
 
@@ -919,11 +881,11 @@ class TestProwlerIntegrationConnectionTest:
             "domain": "example.atlassian.net",
         }
         integration.configuration = {
-            "issue_types": {"OLD_PROJ": ["Task"]},  # Existing configuration
+            "issue_types": ["Task"],  # Existing configuration
             "projects": {"OLD_PROJ": "Old Project"},  # Will be overwritten
         }
 
-        # Mock successful JIRA connection with new projects and issue types
+        # Mock successful JIRA connection with new projects
         mock_connection = MagicMock()
         mock_connection.is_connected = True
         mock_connection.error = None
@@ -931,10 +893,6 @@ class TestProwlerIntegrationConnectionTest:
             "NEW_PROJ1": "New Project 1",
             "NEW_PROJ2": "New Project 2",
         }
-        mock_connection.issue_types = {
-            "NEW_PROJ1": ["Task", "Bug"],
-            "NEW_PROJ2": ["Story"],
-        }
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -952,11 +910,8 @@ class TestProwlerIntegrationConnectionTest:
             "NEW_PROJ2": "New Project 2",
         }
 
-        # Verify issue types were also updated
-        assert integration.configuration["issue_types"] == {
-            "NEW_PROJ1": ["Task", "Bug"],
-            "NEW_PROJ2": ["Story"],
-        }
+        # Verify other configuration fields were preserved
+        assert integration.configuration["issue_types"] == ["Task"]
 
         # Verify integration.save() was called
         integration.save.assert_called_once()

api/src/backend/api/tests/test_views.py

@@ -516,13 +516,6 @@ class TestTenantViewSet:
             response.json()["data"]["attributes"]["name"]
             == valid_tenant_payload["name"]
         )
-        new_tenant_id = response.json()["data"]["id"]
-        user = authenticated_client.user
-        assert UserRoleRelationship.objects.filter(
-            user=user,
-            tenant_id=new_tenant_id,
-            role__name="admin",
-        ).exists()
 
     def test_tenants_invalid_create(self, authenticated_client, invalid_tenant_payload):
         response = authenticated_client.post(
@@ -582,66 +575,22 @@ class TestTenantViewSet:
             Tenant.objects.filter(pk=kwargs.get("tenant_id")).delete()
 
         delete_tenant_mock.side_effect = _delete_tenant
-        # Use tenant2 where the user is OWNER
-        _, tenant2, _ = tenants_fixture
-        response = authenticated_client.delete(
-            reverse("tenant-detail", kwargs={"pk": tenant2.id})
-        )
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-        assert Membership.objects.filter(tenant_id=tenant2.id).count() == 0
-        # User is not deleted because it has another membership (tenant1)
-        assert User.objects.count() == 1
-
-    @patch("api.v1.views.delete_tenant_task.apply_async")
-    def test_tenants_delete_as_member_forbidden(
-        self, delete_tenant_mock, authenticated_client, tenants_fixture
-    ):
-        # tenant1: user is MEMBER, not OWNER -> should be forbidden
         tenant1, *_ = tenants_fixture
         response = authenticated_client.delete(
             reverse("tenant-detail", kwargs={"pk": tenant1.id})
         )
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-        delete_tenant_mock.assert_not_called()
-
-    @patch("api.v1.views.delete_tenant_task.apply_async")
-    def test_tenants_delete_cross_tenant(
-        self, delete_tenant_mock, authenticated_client, tenants_fixture
-    ):
-        # tenant3: user has no membership -> should be 404
-        _, _, tenant3 = tenants_fixture
-        response = authenticated_client.delete(
-            reverse("tenant-detail", kwargs={"pk": tenant3.id})
-        )
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-        delete_tenant_mock.assert_not_called()
-
-    @patch("api.v1.views.delete_tenant_task.apply_async")
-    def test_tenants_delete_only_removes_exclusive_users(
-        self, delete_tenant_mock, authenticated_client, tenants_fixture, extra_users
-    ):
-        def _delete_tenant(kwargs):
-            Tenant.objects.filter(pk=kwargs.get("tenant_id")).delete()
-
-        delete_tenant_mock.side_effect = _delete_tenant
-        _, tenant2, _ = tenants_fixture
-        # extra_users adds user2 (OWNER in tenant2) and user3 (MEMBER in tenant2)
-        # user2 and user3 are ONLY in tenant2, so they should be deleted
-        # The test user is in tenant1 + tenant2, so should NOT be deleted
-        initial_user_count = User.objects.count()  # test_user + user2 + user3 = 3
-        assert initial_user_count == 3
-
-        response = authenticated_client.delete(
-            reverse("tenant-detail", kwargs={"pk": tenant2.id})
-        )
         assert response.status_code == status.HTTP_204_NO_CONTENT
-        # user2 and user3 are deleted (no other memberships), test_user remains
+        assert Tenant.objects.count() == len(tenants_fixture) - 1
+        assert Membership.objects.filter(tenant_id=tenant1.id).count() == 0
+        # User is not deleted because it has another membership
         assert User.objects.count() == 1
 
     def test_tenants_delete_invalid(self, authenticated_client):
         response = authenticated_client.delete(
             reverse("tenant-detail", kwargs={"pk": "random_id"})
         )
+        # To change if we implement RBAC
+        # (user might not have permissions to see if the tenant exists or not -> 200 empty)
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
     def test_tenants_list_filter_search(self, authenticated_client, tenants_fixture):
@@ -745,6 +694,7 @@ class TestTenantViewSet:
         # Test user + 2 extra users for tenant 2
         assert len(response.json()["data"]) == 3
 
+    @patch("api.v1.views.TenantMembersViewSet.required_permissions", [])
     def test_tenants_list_memberships_as_member(
         self, authenticated_client, tenants_fixture, extra_users
     ):
@@ -857,30 +807,6 @@ class TestTenantViewSet:
         )
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
-    def test_tenants_delete_membership_cross_tenant(
-        self, authenticated_client, tenants_fixture
-    ):
-        # Create a tenant with a different user's membership
-        other_tenant = Tenant.objects.create(name="Other Tenant")
-        other_user = User.objects.create_user(
-            name="other", password=TEST_PASSWORD, email="other@test.com"
-        )
-        other_membership = Membership.objects.create(
-            user=other_user,
-            tenant=other_tenant,
-            role=Membership.RoleChoices.OWNER,
-        )
-
-        # Authenticated user is NOT a member of other_tenant -> 404
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": other_tenant.id, "pk": other_membership.id},
-            )
-        )
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-        assert Membership.objects.filter(id=other_membership.id).exists()
-
     def test_tenants_list_no_permissions(
         self, authenticated_client_no_permissions_rbac, tenants_fixture
     ):
@@ -1789,46 +1715,6 @@ class TestProviderViewSet:
                     "min_length",
                     "uid",
                 ),
-                # Vercel UID validation - missing team_ prefix
-                (
-                    {
-                        "provider": "vercel",
-                        "uid": "abcdef1234567890abcdef12",
-                        "alias": "test",
-                    },
-                    "vercel-uid",
-                    "uid",
-                ),
-                # Vercel UID validation - too short after prefix
-                (
-                    {
-                        "provider": "vercel",
-                        "uid": "team_abc123",
-                        "alias": "test",
-                    },
-                    "vercel-uid",
-                    "uid",
-                ),
-                # Vercel UID validation - contains special characters
-                (
-                    {
-                        "provider": "vercel",
-                        "uid": "team_abcdef-1234567890ab",
-                        "alias": "test",
-                    },
-                    "vercel-uid",
-                    "uid",
-                ),
-                # Vercel UID validation - too long (33 chars after prefix)
-                (
-                    {
-                        "provider": "vercel",
-                        "uid": "team_abcdefghijklmnopqrstuvwxyz1234567",
-                        "alias": "test",
-                    },
-                    "vercel-uid",
-                    "uid",
-                ),
                 # Google Workspace UID validation - missing 'C' prefix
                 (
                     {
@@ -2032,21 +1918,21 @@ class TestProviderViewSet:
                 (
                     "uid.icontains",
                     "1",
-                    12,
+                    11,
                 ),
                 ("alias", "aws_testing_1", 1),
                 ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 13),
+                ("inserted_at", TODAY, 12),
                 (
                     "inserted_at.gte",
                     "2024-01-01",
-                    13,
+                    12,
                 ),
                 ("inserted_at.lte", "2024-01-01", 0),
                 (
                     "updated_at.gte",
                     "2024-01-01",
-                    13,
+                    12,
                 ),
                 ("updated_at.lte", "2024-01-01", 0),
             ]
@@ -2671,14 +2557,6 @@ class TestProviderSecretViewSet:
                     "delegated_user": "admin@example.com",
                 },
             ),
-            # Vercel with API Token
-            (
-                Provider.ProviderChoices.VERCEL.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "api_token": "fake-vercel-api-token-for-testing",
-                },
-            ),
         ],
     )
     def test_provider_secrets_create_valid(
@@ -3357,29 +3235,6 @@ class TestScanViewSet:
         assert response.status_code == status.HTTP_200_OK
         assert len(response.json()["data"]) == 3
 
-    def test_scan_filter_by_id_exact(self, authenticated_client, scans_fixture):
-        scan1, *_ = scans_fixture
-        response = authenticated_client.get(
-            reverse("scan-list"),
-            {"filter[id]": str(scan1.id)},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert data[0]["id"] == str(scan1.id)
-
-    def test_scan_filter_by_id_in(self, authenticated_client, scans_fixture):
-        scan1, scan2, *_ = scans_fixture
-        response = authenticated_client.get(
-            reverse("scan-list"),
-            {"filter[id.in]": f"{scan1.id},{scan2.id}"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-        returned_ids = {item["id"] for item in data}
-        assert returned_ids == {str(scan1.id), str(scan2.id)}
-
     def test_scans_filter_state_failed(self, authenticated_client, scans_fixture):
         """Ensure state filter matches only FAILED scans."""
         scan1, *_ = scans_fixture
@@ -4287,6 +4142,7 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.attack_paths_views_helpers.execute_query",
                 return_value=graph_payload,
             ) as mock_execute,
+            patch("api.v1.views.graph_database.clear_cache") as mock_clear_cache,
         ):
             response = authenticated_client.post(
                 reverse(
@@ -4313,6 +4169,7 @@ class TestAttackPathsScanViewSet:
             prepared_parameters,
             provider_id,
         )
+        mock_clear_cache.assert_called_once_with(expected_db_name)
         result = response.json()["data"]
         attributes = result["attributes"]
         assert attributes["nodes"] == graph_payload["nodes"]
@@ -4367,6 +4224,7 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.attack_paths_views_helpers.execute_query",
                 return_value=graph_payload,
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
         ):
             response = authenticated_client.post(
                 reverse(
@@ -4450,6 +4308,7 @@ class TestAttackPathsScanViewSet:
                     "truncated": False,
                 },
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
             patch(
                 "api.v1.views.graph_database.get_database_name", return_value="db-test"
             ),
@@ -4504,6 +4363,7 @@ class TestAttackPathsScanViewSet:
                     "truncated": False,
                 },
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
             patch(
                 "api.v1.views.graph_database.get_database_name", return_value="db-test"
             ),
@@ -4583,6 +4443,7 @@ class TestAttackPathsScanViewSet:
                     "truncated": False,
                 },
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
         ):
             response = authenticated_client.post(
                 reverse(
@@ -4648,6 +4509,7 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.graph_database.get_database_name",
                 return_value="db-test",
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
         ):
             response = authenticated_client.post(
                 reverse(
@@ -4704,6 +4566,7 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.graph_database.get_database_name",
                 return_value="db-test",
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
         ):
             response = authenticated_client.post(
                 reverse(
@@ -4750,6 +4613,7 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.graph_database.get_database_name",
                 return_value="db-test",
             ),
+            patch("api.v1.views.graph_database.clear_cache"),
         ):
             response = authenticated_client.post(
                 reverse(
@@ -5100,6 +4964,9 @@ class TestAttackPathsScanViewSet:
                 "api.v1.views.graph_database.get_database_name",
                 return_value="db-test",
             ),
+            patch(
+                "api.v1.views.graph_database.clear_cache",
+            ),
         ):
             for i in range(11):
                 response = authenticated_client.post(
@@ -8230,8 +8097,6 @@ class TestUserRoleRelationshipViewSet:
             manage_scans=False,
             unlimited_visibility=False,
         )
-        # Assign the role to the user
-        UserRoleRelationship.objects.create(user=user, role=only_role, tenant=tenant)
 
         # Switch token to this tenant
         serializer = TokenSerializer(
@@ -15445,16 +15310,10 @@ class TestFindingGroupViewSet:
         # iam_password_policy has only PASS findings
         assert data[0]["attributes"]["status"] == "PASS"
 
-    def test_finding_groups_fully_muted_group_reflects_underlying_status(
+    def test_finding_groups_status_muted_all(
         self, authenticated_client, finding_groups_fixture
     ):
-        """A fully-muted group still surfaces its underlying status (no MUTED).
-
-        rds_encryption has 2 muted FAIL findings, so the group must report
-        status=FAIL (the orthogonal `muted` boolean signals it isn't actionable).
-        The status×muted breakdown lets clients answer 'how many failing
-        findings are muted in this group'.
-        """
+        """Test that MUTED status returned when all findings are muted."""
         response = authenticated_client.get(
             reverse("finding-group-list"),
             {"filter[inserted_at]": TODAY, "filter[check_id]": "rds_encryption"},
@@ -15462,21 +15321,8 @@ class TestFindingGroupViewSet:
         assert response.status_code == status.HTTP_200_OK
         data = response.json()["data"]
         assert len(data) == 1
-        attrs = data[0]["attributes"]
-        assert attrs["status"] == "FAIL"
-        assert attrs["muted"] is True
-        assert attrs["fail_count"] == 2
-        assert attrs["fail_muted_count"] == 2
-        assert attrs["pass_muted_count"] == 0
-        assert attrs["manual_muted_count"] == 0
-        assert attrs["muted_count"] == 2
-        # Sanity: the per-status muted counts must add up to muted_count.
-        assert (
-            attrs["pass_muted_count"]
-            + attrs["fail_muted_count"]
-            + attrs["manual_muted_count"]
-            == attrs["muted_count"]
-        )
+        # rds_encryption has all muted findings
+        assert data[0]["attributes"]["status"] == "MUTED"
 
     def test_finding_groups_status_filter(
         self, authenticated_client, finding_groups_fixture
@@ -15968,7 +15814,7 @@ class TestFindingGroupViewSet:
         "extra_filters",
         [
             {},
-            {"filter[delta]": "new"},
+            {"filter[muted]": "include"},
         ],
         ids=["summary_path", "finding_level_path"],
     )
@@ -15986,8 +15832,7 @@ class TestFindingGroupViewSet:
 
         Parametrized to cover both aggregation paths:
         - summary_path: default, uses _CheckTitleToCheckIdMixin on summaries
-        - finding_level_path: filter[delta]=new forces _aggregate_findings via
-          CommonFindingFilters (delta is finding-level, not summary-level)
+        - finding_level_path: filter[muted]=include forces CommonFindingFilters
         """
         params = {
             "filter[inserted_at]": TODAY,
@@ -16166,191 +16011,6 @@ class TestFindingGroupViewSet:
         # Should still return the 2 resources within the date range
         assert len(response.json()["data"]) == 2
 
-    def test_resources_status_filter_returns_empty_not_404(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test that filtering by status on a valid check returns empty list, not 404."""
-        # s3_bucket_public_access has only FAIL findings, filtering by PASS should return []
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources", kwargs={"pk": "s3_bucket_public_access"}
-            ),
-            {"filter[inserted_at]": TODAY, "filter[status]": "PASS"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert response.json()["data"] == []
-
-    def test_resources_nonexistent_check_still_404(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test that a truly nonexistent check_id still returns 404."""
-        response = authenticated_client.get(
-            reverse("finding-group-resources", kwargs={"pk": "totally_fake_check"}),
-            {"filter[inserted_at]": TODAY},
-        )
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    def test_resources_sort_by_status_ascending(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test sort=status returns PASS before FAIL."""
-        # ec2_instance_public_ip has 1 PASS (resource1) and 1 FAIL (resource2)
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources",
-                kwargs={"pk": "ec2_instance_public_ip"},
-            ),
-            {"filter[inserted_at]": TODAY, "sort": "status"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-        assert data[0]["attributes"]["status"] == "PASS"
-        assert data[1]["attributes"]["status"] == "FAIL"
-
-    def test_resources_sort_by_status_descending(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test sort=-status returns FAIL before PASS."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources",
-                kwargs={"pk": "ec2_instance_public_ip"},
-            ),
-            {"filter[inserted_at]": TODAY, "sort": "-status"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-        assert data[0]["attributes"]["status"] == "FAIL"
-        assert data[1]["attributes"]["status"] == "PASS"
-
-    def test_resources_sort_invalid_field_returns_400(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test that an invalid sort field returns 400."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources", kwargs={"pk": "s3_bucket_public_access"}
-            ),
-            {"filter[inserted_at]": TODAY, "sort": "invalid_field"},
-        )
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-
-    def test_latest_resources_status_filter_returns_empty_not_404(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test latest resources with status filter on valid check returns empty, not 404."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-latest_resources",
-                kwargs={"check_id": "s3_bucket_public_access"},
-            ),
-            {"filter[status]": "PASS"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert response.json()["data"] == []
-
-    def test_latest_resources_sort_by_status(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test latest resources sort=status returns PASS before FAIL."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-latest_resources",
-                kwargs={"check_id": "ec2_instance_public_ip"},
-            ),
-            {"sort": "status"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-        assert data[0]["attributes"]["status"] == "PASS"
-        assert data[1]["attributes"]["status"] == "FAIL"
-
-    def test_resources_nonexistent_check_missing_date_returns_400(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Nonexistent check_id with missing required date filter returns 400, not 404."""
-        response = authenticated_client.get(
-            reverse("finding-group-resources", kwargs={"pk": "totally_fake_check"}),
-        )
-        # FindingGroupFilter requires inserted_at — validation fires before existence check
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-
-    def test_resources_nonexistent_check_invalid_sort_returns_400(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Nonexistent check_id with invalid sort returns 400, not 404."""
-        response = authenticated_client.get(
-            reverse("finding-group-resources", kwargs={"pk": "totally_fake_check"}),
-            {"filter[inserted_at]": TODAY, "sort": "invalid_field"},
-        )
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-
-    def test_resources_empty_sort_falls_back_to_default_order(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Degenerate sort values should behave like no sort, not raise 500."""
-        all_ids = set()
-        for page_num in (1, 2):
-            response = authenticated_client.get(
-                reverse(
-                    "finding-group-resources",
-                    kwargs={"pk": "s3_bucket_public_access"},
-                ),
-                {
-                    "filter[inserted_at]": TODAY,
-                    "sort": ",",
-                    "page[size]": 1,
-                    "page[number]": page_num,
-                },
-            )
-            assert response.status_code == status.HTTP_200_OK
-            data = response.json()["data"]
-            assert len(data) == 1
-            all_ids.add(data[0]["id"])
-        assert len(all_ids) == 2
-
-    def test_resources_sort_pagination_stability(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Sort with small page size returns all resources without duplicates or gaps."""
-        # s3_bucket_public_access has 2 resources, both FAIL — they tie on status
-        all_ids = set()
-        for page_num in (1, 2):
-            response = authenticated_client.get(
-                reverse(
-                    "finding-group-resources",
-                    kwargs={"pk": "s3_bucket_public_access"},
-                ),
-                {
-                    "filter[inserted_at]": TODAY,
-                    "sort": "status",
-                    "page[size]": 1,
-                    "page[number]": page_num,
-                },
-            )
-            assert response.status_code == status.HTTP_200_OK
-            data = response.json()["data"]
-            assert len(data) == 1
-            all_ids.add(data[0]["id"])
-        # Both pages should return different resources (no duplicates)
-        assert len(all_ids) == 2
-
-    def test_latest_resources_nonexistent_check_invalid_sort_returns_400(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Nonexistent check_id with invalid sort on latest returns 400, not 404."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-latest_resources",
-                kwargs={"check_id": "totally_fake_check"},
-            ),
-            {"sort": "invalid_field"},
-        )
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-
     # Test provider_id filter actually filters data
     def test_finding_groups_provider_id_filter_actually_filters(
         self, authenticated_client, finding_groups_fixture, providers_fixture
@@ -16859,39 +16519,6 @@ class TestFindingGroupViewSet:
         data = response.json()["data"]
         assert len(data) > 0
 
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_sort_by_delta(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        endpoint_name,
-    ):
-        """Sort by delta orders by new_count then changed_count (lexicographic)."""
-        params = {"sort": "-delta"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-
-        def delta_key(item):
-            attrs = item["attributes"]
-            return (attrs.get("new_count", 0), attrs.get("changed_count", 0))
-
-        desc_keys = [delta_key(item) for item in data]
-        assert desc_keys == sorted(desc_keys, reverse=True)
-
-        # Ascending order produces the inverse arrangement
-        params["sort"] = "delta"
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        asc_keys = [delta_key(item) for item in response.json()["data"]]
-        assert asc_keys == sorted(asc_keys)
-
     def test_finding_groups_latest_ignores_date_filters(
         self, authenticated_client, finding_groups_fixture
     ):
@@ -16905,287 +16532,3 @@ class TestFindingGroupViewSet:
         data = response.json()["data"]
         # Should still return data, not filtered by the old date
         assert len(data) == 5
-
-    def test_finding_groups_status_choices_no_muted(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Every returned group must have status ∈ {FAIL, PASS, MANUAL}."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        statuses = {item["attributes"]["status"] for item in response.json()["data"]}
-        assert statuses, "fixture should produce at least one group"
-        assert statuses <= {"FAIL", "PASS", "MANUAL"}
-        assert "MUTED" not in statuses
-
-    def test_finding_groups_serializer_exposes_muted_and_manual_count(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """The /finding-groups payload must expose `muted`, `manual_count` and
-        the per-status muted siblings (`pass_muted_count`/`fail_muted_count`/
-        `manual_muted_count`)."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, "filter[check_id]": "iam_password_policy"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        attrs = response.json()["data"][0]["attributes"]
-        assert "muted" in attrs and isinstance(attrs["muted"], bool)
-        assert "manual_count" in attrs and isinstance(attrs["manual_count"], int)
-        assert attrs["muted"] is False  # iam_password_policy has only non-muted PASS
-        assert attrs["manual_count"] == 0
-        assert attrs["pass_muted_count"] == 0
-        assert attrs["fail_muted_count"] == 0
-        assert attrs["manual_muted_count"] == 0
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_filter_status_muted_is_rejected(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """`filter[status]=MUTED` is no longer a valid status value."""
-        params = {"filter[status]": "MUTED"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_filter_muted_true(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """`filter[muted]=true` returns only fully-muted groups."""
-        params = {"filter[muted]": "true"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_ids = {item["id"] for item in data}
-        # Only rds_encryption is fully muted in the fixture
-        assert check_ids == {"rds_encryption"}
-        assert all(item["attributes"]["muted"] is True for item in data)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_filter_muted_false(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """`filter[muted]=false` returns only groups with actionable findings."""
-        params = {"filter[muted]": "false"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_ids = {item["id"] for item in data}
-        assert "rds_encryption" not in check_ids
-        assert check_ids == {
-            "s3_bucket_public_access",
-            "ec2_instance_public_ip",
-            "iam_password_policy",
-            "cloudtrail_enabled",
-        }
-        assert all(item["attributes"]["muted"] is False for item in data)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_sort_by_status(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """sort=status orders by aggregated status (FAIL > PASS > MANUAL)."""
-        priority = {"FAIL": 3, "PASS": 2, "MANUAL": 1}
-        params = {"sort": "-status"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "fixture should produce groups"
-
-        desc_keys = [priority[item["attributes"]["status"]] for item in data]
-        assert desc_keys == sorted(desc_keys, reverse=True)
-
-        params["sort"] = "status"
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        asc_keys = [
-            priority[item["attributes"]["status"]] for item in response.json()["data"]
-        ]
-        assert asc_keys == sorted(asc_keys)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_sort_by_muted(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """sort=muted orders by the boolean muted attribute."""
-        # Need include_muted=true so the fully-muted group is part of the result
-        params = {"sort": "-muted", "filter[include_muted]": "true"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "fixture should produce groups"
-
-        muted_values = [item["attributes"]["muted"] for item in data]
-        # Descending boolean: True (1) before False (0)
-        assert muted_values == sorted(muted_values, reverse=True)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_delta_status_breakdown(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """`new_*` and `changed_*` counters split by status and mute state.
-
-        s3_bucket_public_access has 1 new FAIL and 1 changed FAIL (both
-        non-muted) so the breakdown must reflect exactly that and the totals
-        must equal the sum of the buckets.
-        """
-        params = {"filter[check_id]": "s3_bucket_public_access"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        attrs = data[0]["attributes"]
-
-        assert attrs["new_fail_count"] == 1
-        assert attrs["new_fail_muted_count"] == 0
-        assert attrs["new_pass_count"] == 0
-        assert attrs["new_pass_muted_count"] == 0
-        assert attrs["new_manual_count"] == 0
-        assert attrs["new_manual_muted_count"] == 0
-        assert attrs["changed_fail_count"] == 1
-        assert attrs["changed_fail_muted_count"] == 0
-        assert attrs["changed_pass_count"] == 0
-        assert attrs["changed_pass_muted_count"] == 0
-        assert attrs["changed_manual_count"] == 0
-        assert attrs["changed_manual_muted_count"] == 0
-
-        new_total = (
-            attrs["new_fail_count"]
-            + attrs["new_fail_muted_count"]
-            + attrs["new_pass_count"]
-            + attrs["new_pass_muted_count"]
-            + attrs["new_manual_count"]
-            + attrs["new_manual_muted_count"]
-        )
-        changed_total = (
-            attrs["changed_fail_count"]
-            + attrs["changed_fail_muted_count"]
-            + attrs["changed_pass_count"]
-            + attrs["changed_pass_muted_count"]
-            + attrs["changed_manual_count"]
-            + attrs["changed_manual_muted_count"]
-        )
-        # The non-muted variants of the breakdown must sum to the legacy
-        # totals (new_count/changed_count are stored as non-muted).
-        assert (
-            attrs["new_fail_count"]
-            + attrs["new_pass_count"]
-            + attrs["new_manual_count"]
-            == attrs["new_count"]
-        )
-        assert (
-            attrs["changed_fail_count"]
-            + attrs["changed_pass_count"]
-            + attrs["changed_manual_count"]
-            == attrs["changed_count"]
-        )
-        # And the *full* breakdown (including the muted halves) is exposed
-        # so clients can also count muted-only deltas without losing data.
-        assert new_total >= attrs["new_count"]
-        assert changed_total >= attrs["changed_count"]
-
-    def test_finding_groups_resources_serializer_exposes_muted(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """The /finding-groups/<id>/resources payload must expose `muted`."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources",
-                kwargs={"pk": "rds_encryption"},
-            ),
-            {"filter[inserted_at]": TODAY},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "rds_encryption should expose its resources"
-        for item in data:
-            attrs = item["attributes"]
-            assert "muted" in attrs and isinstance(attrs["muted"], bool)
-            # rds_encryption has all muted findings
-            assert attrs["muted"] is True
-            # Status reflects the underlying check outcome (FAIL), not MUTED
-            assert attrs["status"] == "FAIL"
-
-    def test_finding_groups_resources_exposes_finding_id(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """The /resources payload exposes the most recent matching finding_id.
-
-        rds_encryption has 2 findings, one per resource. Each resource row must
-        report the UUID of its corresponding Finding (UUIDv7 ordering means
-        Max(finding__id) resolves to the latest snapshot in time).
-        """
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources",
-                kwargs={"pk": "rds_encryption"},
-            ),
-            {"filter[inserted_at]": TODAY},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "rds_encryption should expose its resources"
-
-        rds_finding_ids = {
-            str(f.id) for f in finding_groups_fixture if f.check_id == "rds_encryption"
-        }
-        assert rds_finding_ids, "fixture sanity"
-
-        for item in data:
-            attrs = item["attributes"]
-            assert "finding_id" in attrs
-            assert attrs["finding_id"] in rds_finding_ids
-
-    def test_finding_groups_latest_resources_exposes_finding_id(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """The /latest/.../resources payload also exposes finding_id."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-latest_resources",
-                kwargs={"check_id": "rds_encryption"},
-            ),
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "rds_encryption should expose its resources via /latest"
-
-        rds_finding_ids = {
-            str(f.id) for f in finding_groups_fixture if f.check_id == "rds_encryption"
-        }
-        for item in data:
-            attrs = item["attributes"]
-            assert "finding_id" in attrs
-            assert attrs["finding_id"] in rds_finding_ids

api/src/backend/api/utils.py

@@ -39,7 +39,6 @@ if TYPE_CHECKING:
     )
     from prowler.providers.openstack.openstack_provider import OpenstackProvider
     from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
-    from prowler.providers.vercel.vercel_provider import VercelProvider
 
 
 class CustomOAuth2Client(OAuth2Client):
@@ -95,7 +94,6 @@ def return_prowler_provider(
     | MongodbatlasProvider
     | OpenstackProvider
     | OraclecloudProvider
-    | VercelProvider
 ):
     """Return the Prowler provider class based on the given provider type.
 
@@ -177,10 +175,6 @@ def return_prowler_provider(
             from prowler.providers.image.image_provider import ImageProvider
 
             prowler_provider = ImageProvider
-        case Provider.ProviderChoices.VERCEL.value:
-            from prowler.providers.vercel.vercel_provider import VercelProvider
-
-            prowler_provider = VercelProvider
         case _:
             raise ValueError(f"Provider type {provider.provider} not supported")
     return prowler_provider
@@ -241,11 +235,6 @@ def get_prowler_provider_kwargs(
         # clouds_yaml_content, clouds_yaml_cloud and provider_id are validated
         # in the provider itself, so it's not needed here.
         pass
-    elif provider.provider == Provider.ProviderChoices.VERCEL.value:
-        prowler_provider_kwargs = {
-            **prowler_provider_kwargs,
-            "team_id": provider.uid,
-        }
     elif provider.provider == Provider.ProviderChoices.IMAGE.value:
         # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
         # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
@@ -292,7 +281,6 @@ def initialize_prowler_provider(
     | MongodbatlasProvider
     | OpenstackProvider
     | OraclecloudProvider
-    | VercelProvider
 ):
     """Initialize a Prowler provider instance based on the given provider type.
 
@@ -344,13 +332,6 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
             "raise_on_exception": False,
         }
         return prowler_provider.test_connection(**openstack_kwargs)
-    elif provider.provider == Provider.ProviderChoices.VERCEL.value:
-        vercel_kwargs = {
-            **prowler_provider_kwargs,
-            "team_id": provider.uid,
-            "raise_on_exception": False,
-        }
-        return prowler_provider.test_connection(**vercel_kwargs)
     elif provider.provider == Provider.ProviderChoices.IMAGE.value:
         image_kwargs = {
             "image": provider.uid,
@@ -434,12 +415,8 @@ def prowler_integration_connection_test(integration: Integration) -> Connection:
             raise_on_exception=False,
         )
         project_keys = jira_connection.projects if jira_connection.is_connected else {}
-        issue_types = (
-            jira_connection.issue_types if jira_connection.is_connected else {}
-        )
         with rls_transaction(str(integration.tenant_id)):
             integration.configuration["projects"] = project_keys
-            integration.configuration["issue_types"] = issue_types
             integration.save()
         return jira_connection
     elif integration.integration_type == Integration.IntegrationChoices.SLACK:

api/src/backend/api/v1/serializer_utils/integrations.py

@@ -69,10 +69,8 @@ class SecurityHubConfigSerializer(BaseValidateSerializer):
 
 class JiraConfigSerializer(BaseValidateSerializer):
     domain = serializers.CharField(read_only=True)
-    issue_types = serializers.DictField(
-        read_only=True,
-        child=serializers.ListField(child=serializers.CharField()),
-        default={},
+    issue_types = serializers.ListField(
+        read_only=True, child=serializers.CharField(), default=["Task"]
     )
     projects = serializers.DictField(read_only=True)
 

api/src/backend/api/v1/serializer_utils/providers.py

@@ -404,17 +404,6 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["clouds_yaml_content", "clouds_yaml_cloud"],
             },
-            {
-                "type": "object",
-                "title": "Vercel API Token",
-                "properties": {
-                    "api_token": {
-                        "type": "string",
-                        "description": "Vercel API token for authentication. Can be scoped to a specific team.",
-                    },
-                },
-                "required": ["api_token"],
-            },
         ]
     }
 )

api/src/backend/api/v1/serializers.py

@@ -1573,8 +1573,6 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = OpenStackCloudsYamlProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.IMAGE.value:
                 serializer = ImageProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.VERCEL.value:
-                serializer = VercelProviderSecret(data=secret)
             else:
                 raise serializers.ValidationError(
                     {"provider": f"Provider type not supported {provider_type}"}
@@ -1781,13 +1779,6 @@ class ImageProviderSecret(serializers.Serializer):
         return attrs
 
 
-class VercelProviderSecret(serializers.Serializer):
-    api_token = serializers.CharField()
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class AlibabaCloudProviderSecret(serializers.Serializer):
     access_key_id = serializers.CharField()
     access_key_secret = serializers.CharField()
@@ -2722,11 +2713,11 @@ class BaseWriteIntegrationSerializer(BaseWriteSerializer):
                 )
             config_serializer = JiraConfigSerializer
             # Create non-editable configuration for JIRA integration
-            # issue_types will be populated per project when connection is tested
+            default_jira_issue_types = ["Task"]
             configuration.update(
                 {
                     "projects": {},
-                    "issue_types": {},
+                    "issue_types": default_jira_issue_types,
                     "domain": credentials.get("domain"),
                 }
             )
@@ -2941,25 +2932,13 @@ class IntegrationUpdateSerializer(BaseWriteIntegrationSerializer):
         return representation
 
 
-class IntegrationJiraIssueTypesSerializer(BaseSerializerV1):
-    """
-    Serializer for Jira issue types response.
-    """
-
-    project_key = serializers.CharField(read_only=True)
-    issue_types = serializers.ListField(child=serializers.CharField(), read_only=True)
-
-    class JSONAPIMeta:
-        resource_name = "jira-issue-types"
-
-
 class IntegrationJiraDispatchSerializer(BaseSerializerV1):
     """
     Serializer for dispatching findings to JIRA integration.
     """
 
     project_key = serializers.CharField(required=True)
-    issue_type = serializers.CharField(required=True)
+    issue_type = serializers.ChoiceField(required=True, choices=["Task"])
 
     class JSONAPIMeta:
         resource_name = "integrations-jira-dispatches"
@@ -2988,23 +2967,6 @@ class IntegrationJiraDispatchSerializer(BaseSerializerV1):
                 }
             )
 
-        issue_type = attrs.get("issue_type")
-        available_issue_types = integration_instance.configuration.get(
-            "issue_types", {}
-        )
-        # Handle old format where issue_types was a flat list (e.g., ["Task"])
-        if not isinstance(available_issue_types, dict):
-            available_issue_types = {}
-        project_issue_types = available_issue_types.get(project_key, [])
-        if project_issue_types and issue_type not in project_issue_types:
-            raise ValidationError(
-                {
-                    "issue_type": f"The issue type '{issue_type}' is not available for project '{project_key}'. "
-                    f"Available types: {', '.join(project_issue_types)}. "
-                    "Refresh the connection if this is an error."
-                }
-            )
-
         return validated_attrs
 
 
@@ -4185,7 +4147,6 @@ class FindingGroupSerializer(BaseSerializerV1):
     check_description = serializers.CharField(required=False, allow_null=True)
     severity = serializers.CharField()
     status = serializers.CharField()
-    muted = serializers.BooleanField()
     impacted_providers = serializers.ListField(
         child=serializers.CharField(), required=False
     )
@@ -4193,25 +4154,9 @@ class FindingGroupSerializer(BaseSerializerV1):
     resources_total = serializers.IntegerField()
     pass_count = serializers.IntegerField()
     fail_count = serializers.IntegerField()
-    manual_count = serializers.IntegerField()
-    pass_muted_count = serializers.IntegerField()
-    fail_muted_count = serializers.IntegerField()
-    manual_muted_count = serializers.IntegerField()
     muted_count = serializers.IntegerField()
     new_count = serializers.IntegerField()
     changed_count = serializers.IntegerField()
-    new_fail_count = serializers.IntegerField()
-    new_fail_muted_count = serializers.IntegerField()
-    new_pass_count = serializers.IntegerField()
-    new_pass_muted_count = serializers.IntegerField()
-    new_manual_count = serializers.IntegerField()
-    new_manual_muted_count = serializers.IntegerField()
-    changed_fail_count = serializers.IntegerField()
-    changed_fail_muted_count = serializers.IntegerField()
-    changed_pass_count = serializers.IntegerField()
-    changed_pass_muted_count = serializers.IntegerField()
-    changed_manual_count = serializers.IntegerField()
-    changed_manual_muted_count = serializers.IntegerField()
     first_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     last_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     failing_since = serializers.DateTimeField(required=False, allow_null=True)
@@ -4231,11 +4176,8 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
     id = serializers.UUIDField(source="resource_id")
     resource = serializers.SerializerMethodField()
     provider = serializers.SerializerMethodField()
-    finding_id = serializers.UUIDField()
     status = serializers.CharField()
     severity = serializers.CharField()
-    muted = serializers.BooleanField()
-    delta = serializers.CharField(required=False, allow_null=True)
     first_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     last_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     muted_reason = serializers.CharField(required=False, allow_null=True)

api/src/backend/conftest.py

@@ -565,12 +565,6 @@ def providers_fixture(tenants_fixture):
         alias="googleworkspace_testing",
         tenant_id=tenant.id,
     )
-    provider13 = Provider.objects.create(
-        provider="vercel",
-        uid="team_abcdef1234567890ab",
-        alias="vercel_testing",
-        tenant_id=tenant.id,
-    )
 
     return (
         provider1,
@@ -585,7 +579,6 @@ def providers_fixture(tenants_fixture):
         provider10,
         provider11,
         provider12,
-        provider13,
     )
 
 

api/src/backend/tasks/jobs/export.py

@@ -32,13 +32,9 @@ from prowler.lib.outputs.compliance.cis.cis_aws import AWSCIS
 from prowler.lib.outputs.compliance.cis.cis_azure import AzureCIS
 from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
 from prowler.lib.outputs.compliance.cis.cis_github import GithubCIS
-from prowler.lib.outputs.compliance.cis.cis_googleworkspace import GoogleWorkspaceCIS
 from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
 from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
-from prowler.lib.outputs.compliance.cisa_scuba.cisa_scuba_googleworkspace import (
-    GoogleWorkspaceCISASCuBA,
-)
 from prowler.lib.outputs.compliance.csa.csa_alibabacloud import AlibabaCloudCSA
 from prowler.lib.outputs.compliance.csa.csa_aws import AWSCSA
 from prowler.lib.outputs.compliance.csa.csa_azure import AzureCSA
@@ -97,7 +93,7 @@ COMPLIANCE_CLASS_MAP = {
         (lambda name: name.startswith("iso27001_"), AWSISO27001),
         (lambda name: name.startswith("kisa"), AWSKISAISMSP),
         (lambda name: name == "prowler_threatscore_aws", ProwlerThreatScoreAWS),
-        (lambda name: name.startswith("ccc_"), CCC_AWS),
+        (lambda name: name == "ccc_aws", CCC_AWS),
         (lambda name: name.startswith("c5_"), AWSC5),
         (lambda name: name.startswith("csa_"), AWSCSA),
     ],
@@ -106,7 +102,7 @@ COMPLIANCE_CLASS_MAP = {
         (lambda name: name == "mitre_attack_azure", AzureMitreAttack),
         (lambda name: name.startswith("ens_"), AzureENS),
         (lambda name: name.startswith("iso27001_"), AzureISO27001),
-        (lambda name: name.startswith("ccc_"), CCC_Azure),
+        (lambda name: name == "ccc_azure", CCC_Azure),
         (lambda name: name == "prowler_threatscore_azure", ProwlerThreatScoreAzure),
         (lambda name: name == "c5_azure", AzureC5),
         (lambda name: name.startswith("csa_"), AzureCSA),
@@ -117,7 +113,7 @@ COMPLIANCE_CLASS_MAP = {
         (lambda name: name.startswith("ens_"), GCPENS),
         (lambda name: name.startswith("iso27001_"), GCPISO27001),
         (lambda name: name == "prowler_threatscore_gcp", ProwlerThreatScoreGCP),
-        (lambda name: name.startswith("ccc_"), CCC_GCP),
+        (lambda name: name == "ccc_gcp", CCC_GCP),
         (lambda name: name == "c5_gcp", GCPC5),
         (lambda name: name.startswith("csa_"), GCPCSA),
     ],
@@ -137,10 +133,6 @@ COMPLIANCE_CLASS_MAP = {
     "github": [
         (lambda name: name.startswith("cis_"), GithubCIS),
     ],
-    "googleworkspace": [
-        (lambda name: name.startswith("cis_"), GoogleWorkspaceCIS),
-        (lambda name: name.startswith("cisa_scuba_"), GoogleWorkspaceCISASCuBA),
-    ],
     "iac": [
         # IaC provider doesn't have specific compliance frameworks yet
         # Trivy handles its own compliance checks

api/src/backend/tasks/jobs/scan.py

@@ -1803,12 +1803,7 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
             output_field=IntegerField(),
         )
 
-        # Aggregate findings by check_id for this scan.
-        # `pass_count`, `fail_count` and `manual_count` count *every* finding
-        # in this group, regardless of mute state, so the aggregated `status`
-        # always reflects the underlying check outcome (FAIL > PASS > MANUAL)
-        # even when the group is fully muted. The orthogonal `muted` flag is
-        # what tells whether the group has any actionable (non-muted) findings.
+        # Aggregate findings by check_id for this scan
         aggregated = (
             Finding.objects.filter(
                 tenant_id=tenant_id,
@@ -1817,52 +1812,11 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
             .values("check_id")
             .annotate(
                 severity_order=Max(severity_case),
-                pass_count=Count("id", filter=Q(status="PASS")),
-                fail_count=Count("id", filter=Q(status="FAIL")),
-                manual_count=Count("id", filter=Q(status="MANUAL")),
-                pass_muted_count=Count("id", filter=Q(status="PASS", muted=True)),
-                fail_muted_count=Count("id", filter=Q(status="FAIL", muted=True)),
-                manual_muted_count=Count("id", filter=Q(status="MANUAL", muted=True)),
+                pass_count=Count("id", filter=Q(status="PASS", muted=False)),
+                fail_count=Count("id", filter=Q(status="FAIL", muted=False)),
                 muted_count=Count("id", filter=Q(muted=True)),
-                nonmuted_count=Count("id", filter=Q(muted=False)),
                 new_count=Count("id", filter=Q(delta="new", muted=False)),
                 changed_count=Count("id", filter=Q(delta="changed", muted=False)),
-                new_fail_count=Count(
-                    "id", filter=Q(delta="new", status="FAIL", muted=False)
-                ),
-                new_fail_muted_count=Count(
-                    "id", filter=Q(delta="new", status="FAIL", muted=True)
-                ),
-                new_pass_count=Count(
-                    "id", filter=Q(delta="new", status="PASS", muted=False)
-                ),
-                new_pass_muted_count=Count(
-                    "id", filter=Q(delta="new", status="PASS", muted=True)
-                ),
-                new_manual_count=Count(
-                    "id", filter=Q(delta="new", status="MANUAL", muted=False)
-                ),
-                new_manual_muted_count=Count(
-                    "id", filter=Q(delta="new", status="MANUAL", muted=True)
-                ),
-                changed_fail_count=Count(
-                    "id", filter=Q(delta="changed", status="FAIL", muted=False)
-                ),
-                changed_fail_muted_count=Count(
-                    "id", filter=Q(delta="changed", status="FAIL", muted=True)
-                ),
-                changed_pass_count=Count(
-                    "id", filter=Q(delta="changed", status="PASS", muted=False)
-                ),
-                changed_pass_muted_count=Count(
-                    "id", filter=Q(delta="changed", status="PASS", muted=True)
-                ),
-                changed_manual_count=Count(
-                    "id", filter=Q(delta="changed", status="MANUAL", muted=False)
-                ),
-                changed_manual_muted_count=Count(
-                    "id", filter=Q(delta="changed", status="MANUAL", muted=True)
-                ),
                 resources_total=Count("resources__id", distinct=True),
                 resources_fail=Count(
                     "resources__id",
@@ -1870,9 +1824,7 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
                     filter=Q(status="FAIL", muted=False),
                 ),
                 # Use prefixed names to avoid conflict with model field names
-                agg_first_seen_at=Min(
-                    "first_seen_at", filter=Q(delta="new", muted=False)
-                ),
+                agg_first_seen_at=Min("first_seen_at"),
                 agg_last_seen_at=Max("inserted_at"),
                 agg_failing_since=Min(
                     "first_seen_at", filter=Q(status="FAIL", muted=False)
@@ -1941,26 +1893,9 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
                     severity_order=row["severity_order"] or 1,
                     pass_count=row["pass_count"],
                     fail_count=row["fail_count"],
-                    manual_count=row["manual_count"],
-                    pass_muted_count=row["pass_muted_count"],
-                    fail_muted_count=row["fail_muted_count"],
-                    manual_muted_count=row["manual_muted_count"],
                     muted_count=row["muted_count"],
-                    muted=row["nonmuted_count"] == 0,
                     new_count=row["new_count"],
                     changed_count=row["changed_count"],
-                    new_fail_count=row["new_fail_count"],
-                    new_fail_muted_count=row["new_fail_muted_count"],
-                    new_pass_count=row["new_pass_count"],
-                    new_pass_muted_count=row["new_pass_muted_count"],
-                    new_manual_count=row["new_manual_count"],
-                    new_manual_muted_count=row["new_manual_muted_count"],
-                    changed_fail_count=row["changed_fail_count"],
-                    changed_fail_muted_count=row["changed_fail_muted_count"],
-                    changed_pass_count=row["changed_pass_count"],
-                    changed_pass_muted_count=row["changed_pass_muted_count"],
-                    changed_manual_count=row["changed_manual_count"],
-                    changed_manual_muted_count=row["changed_manual_muted_count"],
                     resources_total=row["resources_total"],
                     resources_fail=row["resources_fail"],
                     first_seen_at=row["agg_first_seen_at"],
@@ -1980,26 +1915,9 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
                     "severity_order",
                     "pass_count",
                     "fail_count",
-                    "manual_count",
-                    "pass_muted_count",
-                    "fail_muted_count",
-                    "manual_muted_count",
                     "muted_count",
-                    "muted",
                     "new_count",
                     "changed_count",
-                    "new_fail_count",
-                    "new_fail_muted_count",
-                    "new_pass_count",
-                    "new_pass_muted_count",
-                    "new_manual_count",
-                    "new_manual_muted_count",
-                    "changed_fail_count",
-                    "changed_fail_muted_count",
-                    "changed_pass_count",
-                    "changed_pass_muted_count",
-                    "changed_manual_count",
-                    "changed_manual_muted_count",
                     "resources_total",
                     "resources_fail",
                     "first_seen_at",

api/src/backend/tasks/tasks.py

@@ -771,49 +771,26 @@ def aggregate_finding_group_summaries_task(tenant_id: str, scan_id: str):
 )
 @set_tenant(keep_tenant=True)
 def reaggregate_all_finding_group_summaries_task(tenant_id: str):
-    """Reaggregate finding group summaries for every (provider, day) combination.
-
-    Mirrors the unbounded scope of `mute_historical_findings_task`: that task
-    rewrites every Finding row whose UID matches a mute rule, with no time
-    limit. To keep the daily summaries consistent with that update, this task
-    re-runs the aggregator on the latest completed scan of every (provider,
-    day) pair that exists in the database. Tasks are dispatched in parallel
-    via a Celery group so the wallclock scales with the worker pool, not with
-    the number of pairs.
-    """
-    completed_scans = list(
-        Scan.objects.filter(
-            tenant_id=tenant_id,
-            state=StateChoices.COMPLETED,
-            completed_at__isnull=False,
-        )
-        .order_by("-completed_at")
-        .values("id", "completed_at", "provider_id")
+    """Reaggregate finding group summaries for all providers' latest completed scans."""
+    latest_scan_ids = list(
+        Scan.objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+        .order_by("provider_id", "-completed_at", "-inserted_at")
+        .distinct("provider_id")
+        .values_list("id", flat=True)
     )
-
-    # Keep the latest scan per (provider, day) pair so the daily summary row
-    # the aggregator writes is the most recent snapshot of that day for that
-    # provider. Iterating from most recent to oldest means the first scan we
-    # see for a given key wins.
-    latest_scans: dict[tuple, str] = {}
-    for scan in completed_scans:
-        key = (scan["provider_id"], scan["completed_at"].date())
-        if key not in latest_scans:
-            latest_scans[key] = str(scan["id"])
-
-    scan_ids = list(latest_scans.values())
-    if scan_ids:
+    if latest_scan_ids:
         logger.info(
-            "Reaggregating finding group summaries for %d scans (provider x day)",
-            len(scan_ids),
+            "Reaggregating finding group summaries for %d scans: %s",
+            len(latest_scan_ids),
+            latest_scan_ids,
         )
         group(
             aggregate_finding_group_summaries_task.si(
-                tenant_id=tenant_id, scan_id=scan_id
+                tenant_id=tenant_id, scan_id=str(scan_id)
             )
-            for scan_id in scan_ids
+            for scan_id in latest_scan_ids
         ).apply_async()
-    return {"scans_reaggregated": len(scan_ids)}
+    return {"scans_reaggregated": len(latest_scan_ids)}
 
 
 @shared_task(base=RLSTask, name="lighthouse-connection-check")

api/src/backend/tasks/tests/test_tasks.py

@@ -1,6 +1,6 @@
 import uuid
 from contextlib import contextmanager
-from datetime import datetime, timedelta, timezone
+from datetime import datetime, timezone
 from unittest.mock import MagicMock, patch
 
 import openai
@@ -2362,96 +2362,35 @@ class TestReaggregateAllFindingGroupSummaries:
     @patch("tasks.tasks.group")
     @patch("tasks.tasks.aggregate_finding_group_summaries_task")
     @patch("tasks.tasks.Scan.objects.filter")
-    def test_dispatches_subtasks_for_each_provider_per_day(
+    def test_dispatches_subtasks_for_each_provider(
         self, mock_scan_filter, mock_agg_task, mock_group
     ):
-        provider_id_1 = uuid.uuid4()
-        provider_id_2 = uuid.uuid4()
-        scan_id_today_p1 = uuid.uuid4()
-        scan_id_yesterday_p1 = uuid.uuid4()
-        scan_id_today_p2 = uuid.uuid4()
-        today = datetime.now(tz=timezone.utc)
-        yesterday = today - timedelta(days=1)
-
+        scan_id_1 = uuid.uuid4()
+        scan_id_2 = uuid.uuid4()
         mock_group_result = MagicMock()
         mock_group.side_effect = lambda gen: (list(gen), mock_group_result)[1]
 
-        mock_scan_filter.return_value.order_by.return_value.values.return_value = [
-            {
-                "id": scan_id_today_p1,
-                "completed_at": today,
-                "provider_id": provider_id_1,
-            },
-            {
-                "id": scan_id_today_p2,
-                "completed_at": today,
-                "provider_id": provider_id_2,
-            },
-            {
-                "id": scan_id_yesterday_p1,
-                "completed_at": yesterday,
-                "provider_id": provider_id_1,
-            },
+        mock_scan_filter.return_value.order_by.return_value.distinct.return_value.values_list.return_value = [
+            scan_id_1,
+            scan_id_2,
         ]
 
         result = reaggregate_all_finding_group_summaries_task(tenant_id=self.tenant_id)
 
-        assert result == {"scans_reaggregated": 3}
-        assert mock_agg_task.si.call_count == 3
+        assert result == {"scans_reaggregated": 2}
+        assert mock_agg_task.si.call_count == 2
         mock_agg_task.si.assert_any_call(
-            tenant_id=self.tenant_id, scan_id=str(scan_id_today_p1)
+            tenant_id=self.tenant_id, scan_id=str(scan_id_1)
         )
         mock_agg_task.si.assert_any_call(
-            tenant_id=self.tenant_id, scan_id=str(scan_id_today_p2)
-        )
-        mock_agg_task.si.assert_any_call(
-            tenant_id=self.tenant_id, scan_id=str(scan_id_yesterday_p1)
-        )
-        mock_group_result.apply_async.assert_called_once()
-
-    @patch("tasks.tasks.group")
-    @patch("tasks.tasks.aggregate_finding_group_summaries_task")
-    @patch("tasks.tasks.Scan.objects.filter")
-    def test_dedupes_scans_to_latest_per_provider_per_day(
-        self, mock_scan_filter, mock_agg_task, mock_group
-    ):
-        """When several scans run on the same day for the same provider, only
-        the latest one is dispatched (matching the daily summary unique key)."""
-        provider_id = uuid.uuid4()
-        latest_scan_today = uuid.uuid4()
-        earlier_scan_today = uuid.uuid4()
-        today_late = datetime.now(tz=timezone.utc)
-        today_early = today_late - timedelta(hours=4)
-
-        mock_group_result = MagicMock()
-        mock_group.side_effect = lambda gen: (list(gen), mock_group_result)[1]
-
-        # Returned ordered by `-completed_at`, so the most recent comes first.
-        mock_scan_filter.return_value.order_by.return_value.values.return_value = [
-            {
-                "id": latest_scan_today,
-                "completed_at": today_late,
-                "provider_id": provider_id,
-            },
-            {
-                "id": earlier_scan_today,
-                "completed_at": today_early,
-                "provider_id": provider_id,
-            },
-        ]
-
-        result = reaggregate_all_finding_group_summaries_task(tenant_id=self.tenant_id)
-
-        assert result == {"scans_reaggregated": 1}
-        mock_agg_task.si.assert_called_once_with(
-            tenant_id=self.tenant_id, scan_id=str(latest_scan_today)
+            tenant_id=self.tenant_id, scan_id=str(scan_id_2)
         )
         mock_group_result.apply_async.assert_called_once()
 
     @patch("tasks.tasks.group")
     @patch("tasks.tasks.Scan.objects.filter")
     def test_no_completed_scans_skips_dispatch(self, mock_scan_filter, mock_group):
-        mock_scan_filter.return_value.order_by.return_value.values.return_value = []
+        mock_scan_filter.return_value.order_by.return_value.distinct.return_value.values_list.return_value = []
 
         result = reaggregate_all_finding_group_summaries_task(tenant_id=self.tenant_id)
 

docs/developer-guide/introduction.mdx

@@ -163,8 +163,6 @@ These resources help ensure that AI-assisted contributions maintain consistency
 
 All dependencies are listed in the `pyproject.toml` file.
 
-The SDK keeps direct dependencies pinned to exact versions, while `poetry.lock` records the full resolved dependency tree and the artifact hashes for every package. Use `poetry install` from the lock file instead of ad-hoc `pip` installs when you need a reproducible environment.
-
 For proper code documentation, refer to the following and follow the code documentation practices presented there: [Google Python Style Guide - Comments and Docstrings](https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings).
 
 <Note>

docs/developer-guide/provider.mdx

@@ -750,35 +750,6 @@ def init_parser(self):
     # More arguments for the provider.
 ```
 
-##### Sensitive CLI Arguments
-
-CLI flags that accept secrets (tokens, passwords, API keys) require special handling to protect credentials from leaking in HTML output and process listings:
-
-1. **Use `nargs="?"` with `default=None`** so the flag works both with and without an inline value. This allows the provider to fall back to an environment variable when no value is passed.
-2. **Add a `SENSITIVE_ARGUMENTS` frozenset** at the top of the `arguments.py` file listing every flag that accepts secret values:
-
-    ```python
-    SENSITIVE_ARGUMENTS = frozenset({"--your-provider-password", "--your-provider-token"})
-    ```
-
-    Prowler automatically discovers these frozensets and uses them to redact values in HTML output and warn users who pass secrets directly on the command line.
-
-3. **Document the environment variable** in the `help` text so users know the recommended alternative:
-
-    ```python
-    <provider_name>_parser.add_argument(
-        "--your-provider-password",
-        nargs="?",
-        default=None,
-        metavar="PASSWORD",
-        help="Password for authentication. We recommend using the YOUR_PROVIDER_PASSWORD environment variable instead.",
-    )
-    ```
-
-<Warning>
-Do not add new arguments that require passing secrets as CLI values without an environment variable fallback. Prowler CLI warns users when sensitive flags receive explicit values on the command line.
-</Warning>
-
 #### Step 5: Implement Mutelist
 
 **Explanation:**

docs/docs.json

@@ -98,7 +98,6 @@
                 ]
               },
               "user-guide/tutorials/prowler-app-rbac",
-              "user-guide/tutorials/prowler-app-multi-tenant",
               "user-guide/tutorials/prowler-app-api-keys",
               "user-guide/tutorials/prowler-app-import-findings",
               {
@@ -138,7 +137,6 @@
                 "group": "Tutorials",
                 "pages": [
                   "user-guide/tutorials/prowler-app-sso-entra",
-                  "user-guide/tutorials/prowler-app-sso-google-workspace",
                   "user-guide/tutorials/bulk-provider-provisioning",
                   "user-guide/tutorials/aws-organizations-bulk-provisioning"
                 ]
@@ -276,8 +274,7 @@
               {
                 "group": "Image",
                 "pages": [
-                  "user-guide/providers/image/getting-started-image",
-                  "user-guide/providers/image/authentication"
+                  "user-guide/providers/image/getting-started-image"
                 ]
               },
               {
@@ -299,13 +296,6 @@
                   "user-guide/providers/openstack/getting-started-openstack",
                   "user-guide/providers/openstack/authentication"
                 ]
-              },
-              {
-                "group": "Vercel",
-                "pages": [
-                  "user-guide/providers/vercel/getting-started-vercel",
-                  "user-guide/providers/vercel/authentication"
-                ]
               }
             ]
           },

docs/getting-started/basic-usage/prowler-mcp-tools.mdx

@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 29 tools | Yes |
+| Prowler Cloud/App | 27 tools | Yes |
 
 ## Tool Naming Convention
 
@@ -60,7 +60,6 @@ Tools for searching, viewing, and analyzing cloud resources discovered by Prowle
 
 - **`prowler_app_list_resources`** - List and filter cloud resources with advanced filtering options (provider, region, service, resource type, tags)
 - **`prowler_app_get_resource`** - Get comprehensive details about a specific resource including configuration, metadata, and finding relationships
-- **`prowler_app_get_resource_events`** - Get the timeline of cloud API actions performed on a resource (AWS CloudTrail). Shows who did what and when, with full request/response payloads
 - **`prowler_app_get_resources_overview`** - Get aggregate statistics about cloud resources as a markdown report
 
 ### Muting Management
@@ -88,7 +87,6 @@ Tools for analyzing privilege escalation chains and security misconfigurations u
 - **`prowler_app_list_attack_paths_scans`** - List Attack Paths scans with filtering by provider, provider type, and scan state (available, scheduled, executing, completed, failed, cancelled)
 - **`prowler_app_list_attack_paths_queries`** - Discover available Attack Paths queries for a completed scan, including query names, descriptions, and required parameters
 - **`prowler_app_run_attack_paths_query`** - Execute an Attack Paths query against a completed scan and retrieve graph results with nodes (cloud resources, findings, virtual nodes) and relationships (access paths, role assumptions, security group memberships)
-- **`prowler_app_get_attack_paths_cartography_schema`** - Retrieve the Cartography graph schema (node labels, relationships, properties) for writing accurate custom openCypher queries
 
 ### Compliance Management
 

docs/getting-started/products/prowler-app.mdx

@@ -11,19 +11,16 @@ Prowler App is a web application that simplifies running Prowler. It provides:
 
 ## Components
 
-Prowler App consists of four main components:
+Prowler App consists of three main components:
 
 - **Prowler UI**: User-friendly web interface for running Prowler and viewing results, powered by Next.js
 - **Prowler API**: Backend API that executes Prowler scans and stores results, built with Django REST Framework
 - **Prowler SDK**: Python SDK that integrates with Prowler CLI for advanced functionality
-- **Prowler MCP Server**: Model Context Protocol server that exposes AI tools for Lighthouse, the AI-powered security assistant. Required dependency for Lighthouse.
 
 Supporting infrastructure includes:
 
 - **PostgreSQL**: Persistent storage of scan results
 - **Celery Workers**: Asynchronous execution of Prowler scans
-- **Celery Beat (API Scheduler)**: Schedules recurring scans and enqueues jobs on the broker
 - **Valkey**: In-memory database serving as message broker for Celery workers
-- **Neo4j**: Graph database used by the Attack Paths feature to combine cloud inventory with Prowler findings (currently populated by AWS scans)
 
 ![Prowler App Architecture](/images/products/prowler-app-architecture.png)

docs/images/products/prowler-app-architecture.mmd

@@ -1,37 +0,0 @@
-flowchart TB
-    user([User / Security Team])
-    cli([Prowler CLI])
-
-    subgraph APP["Prowler App"]
-        ui["Prowler UI<br/>(Next.js)"]
-        api["Prowler API<br/>(Django REST Framework)"]
-        worker["API Worker<br/>(Celery)"]
-        beat["API Scheduler<br/>(Celery Beat)"]
-        mcp["Prowler MCP Server<br/>(Lighthouse AI tools)"]
-    end
-
-    sdk["Prowler SDK<br/>(Python)"]
-
-    subgraph DATA["Data Layer"]
-        pg[("PostgreSQL")]
-        valkey[("Valkey / Redis")]
-        neo4j[("Neo4j")]
-    end
-
-    providers["Providers"]
-
-    user --> ui
-    user --> cli
-    ui -->|REST| api
-    api --> pg
-    api --> valkey
-    beat -->|enqueue jobs| valkey
-    valkey -->|dispatch| worker
-    worker --> pg
-    worker -->|Attack Paths| neo4j
-    worker -->|invokes| sdk
-    cli --> sdk
-    api -. AI tools .-> mcp
-    mcp -. context .-> api
-
-    sdk --> providers

docs/introduction.mdx

@@ -21,57 +21,28 @@
 
 ## Supported Providers
 
-Prowler supports a wide range of providers organized by category:
+The supported providers right now are:
 
-### Cloud Service Providers (Infrastructure)
+| Provider                                                                         | Support    | Audit Scope/Entities         | Interface    |
+| -------------------------------------------------------------------------------- | ---------- | ---------------------------- | ------------ |
+| [AWS](/user-guide/providers/aws/getting-started-aws)                             | Official   | Accounts                     | UI, API, CLI |
+| [Azure](/user-guide/providers/azure/getting-started-azure)                       | Official   | Subscriptions                | UI, API, CLI |
+| [Google Cloud](/user-guide/providers/gcp/getting-started-gcp)                    | Official   | Projects                     | UI, API, CLI |
+| [Kubernetes](/user-guide/providers/kubernetes/getting-started-k8s)               | Official   | Clusters                     | UI, API, CLI |
+| [M365](/user-guide/providers/microsoft365/getting-started-m365)                  | Official   | Tenants                      | UI, API, CLI |
+| [Github](/user-guide/providers/github/getting-started-github)                    | Official   | Organizations / Repositories | UI, API, CLI |
+| [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                             | Official   | Tenancies / Compartments     | UI, API, CLI |
+| [Alibaba Cloud](/user-guide/providers/alibabacloud/getting-started-alibabacloud)          | Official   | Accounts                     | UI, API, CLI |
+| [Cloudflare](/user-guide/providers/cloudflare/getting-started-cloudflare)                 | Official   | Accounts                     | UI, API, CLI |
+| [Infra as Code](/user-guide/providers/iac/getting-started-iac)                            | Official   | Repositories                 | UI, API, CLI |
+| [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas)           | Official   | Organizations                | UI, API, CLI |
+| [OpenStack](/user-guide/providers/openstack/getting-started-openstack)                     | Official   | Projects                     | UI, API, CLI |
+| [LLM](/user-guide/providers/llm/getting-started-llm)                                     | Official   | Models                       | CLI          |
+| [Image](/user-guide/providers/image/getting-started-image)                                | Official   | Container Images             | CLI, API     |
+| [Google Workspace](/user-guide/providers/googleworkspace/getting-started-googleworkspace)  | Official   | Domains                      | CLI          |
+| **NHN**                                                                                   | Unofficial | Tenants                      | CLI          |
 
-| Provider                                                                         | Support    | Audit Scope/Entities     | Interface    |
-| -------------------------------------------------------------------------------- | ---------- | ------------------------ | ------------ |
-| [Alibaba Cloud](/user-guide/providers/alibabacloud/getting-started-alibabacloud) | Official   | Accounts                 | UI, API, CLI |
-| [AWS](/user-guide/providers/aws/getting-started-aws)                             | Official   | Accounts                 | UI, API, CLI |
-| [Azure](/user-guide/providers/azure/getting-started-azure)                       | Official   | Subscriptions            | UI, API, CLI |
-| [Cloudflare](/user-guide/providers/cloudflare/getting-started-cloudflare)        | Official   | Accounts                 | UI, API, CLI |
-| [Google Cloud](/user-guide/providers/gcp/getting-started-gcp)                    | Official   | Projects                 | UI, API, CLI |
-| **NHN**                                                                          | Unofficial | Tenants                  | CLI          |
-| [OpenStack](/user-guide/providers/openstack/getting-started-openstack)           | Official   | Projects                 | UI, API, CLI |
-| [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | Tenancies / Compartments | UI, API, CLI |
-
-### Infrastructure as Code Providers
-
-| Provider                                                              | Support  | Audit Scope/Entities | Interface    |
-| --------------------------------------------------------------------- | -------- | -------------------- | ------------ |
-| [Infra as Code](/user-guide/providers/iac/getting-started-iac)        | Official | Repositories         | UI, API, CLI |
-
-### Software as a Service (SaaS) Providers
-
-| Provider                                                                                  | Support  | Audit Scope/Entities         | Interface    |
-| ----------------------------------------------------------------------------------------- | -------- | ---------------------------- | ------------ |
-| [GitHub](/user-guide/providers/github/getting-started-github)                             | Official | Organizations / Repositories | UI, API, CLI |
-| [Google Workspace](/user-guide/providers/googleworkspace/getting-started-googleworkspace)  | Official | Domains                      | CLI          |
-| [LLM](/user-guide/providers/llm/getting-started-llm)                                     | Official | Models                       | CLI          |
-| [M365](/user-guide/providers/microsoft365/getting-started-m365)                           | Official | Tenants                      | UI, API, CLI |
-| [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas)           | Official | Organizations                | UI, API, CLI |
-| [Vercel](/user-guide/providers/vercel/getting-started-vercel)                             | Official | Teams / Projects             | CLI          |
-
-### Kubernetes
-
-| Provider                                                                   | Support  | Audit Scope/Entities | Interface    |
-| -------------------------------------------------------------------------- | -------- | -------------------- | ------------ |
-| [Kubernetes](/user-guide/providers/kubernetes/getting-started-k8s)         | Official | Clusters             | UI, API, CLI |
-
-### Containers
-
-| Provider                                                            | Support  | Audit Scope/Entities | Interface |
-| ------------------------------------------------------------------- | -------- | -------------------- | --------- |
-| [Image](/user-guide/providers/image/getting-started-image)          | Official | Container Images / Registries | CLI, API  |
-
-### Custom Providers (Prowler Cloud Enterprise Only)
-
-| Provider             | Support  | Audit Scope/Entities | Interface |
-| -------------------- | -------- | -------------------- | --------- |
-| VMware/Broadcom VCF  | Official | Infrastructure       | CLI       |
-
-For more information about the checks and compliance of each provider, visit [Prowler Hub](https://hub.prowler.com).
+For more information about the checks and compliance of each provider visit [Prowler Hub](https://hub.prowler.com).
 
 ## Where to go next?
 

docs/user-guide/cli/tutorials/configuration_file.mdx

@@ -141,22 +141,6 @@ The following list includes all the GitHub checks with configurable variables th
 |--------------------------------------------|---------------------------------------------|---------|
 | `repository_inactive_not_archived`         | `inactive_not_archived_days_threshold`        | Integer |
 
-## Vercel
-
-### Configurable Checks
-The following list includes all the Vercel checks with configurable variables that can be changed in the configuration YAML file:
-
-| Check Name                                          | Value                              | Type            |
-|-----------------------------------------------------|------------------------------------|-----------------|
-| `authentication_no_stale_tokens`                    | `stale_token_threshold_days`       | Integer         |
-| `authentication_token_not_expired`                  | `days_to_expire_threshold`         | Integer         |
-| `deployment_production_uses_stable_target`          | `stable_branches`                  | List of Strings |
-| `domain_ssl_certificate_valid`                      | `days_to_expire_threshold`         | Integer         |
-| `project_environment_no_secrets_in_plain_type`      | `secret_suffixes`                  | List of Strings |
-| `team_member_role_least_privilege`                   | `max_owner_percentage`             | Integer         |
-| `team_member_role_least_privilege`                   | `max_owners`                       | Integer         |
-| `team_no_stale_invitations`                         | `stale_invitation_threshold_days`  | Integer         |
-
 ## Config YAML File Structure
 
 <Note>
@@ -640,29 +624,5 @@ github:
   # github.repository_inactive_not_archived
   inactive_not_archived_days_threshold: 180
 
-# Vercel Configuration
-vercel:
-  # vercel.deployment_production_uses_stable_target
-  stable_branches:
-    - "main"
-    - "master"
-  # vercel.authentication_token_not_expired & vercel.domain_ssl_certificate_valid
-  days_to_expire_threshold: 7
-  # vercel.authentication_no_stale_tokens
-  stale_token_threshold_days: 90
-  # vercel.team_no_stale_invitations
-  stale_invitation_threshold_days: 30
-  # vercel.team_member_role_least_privilege
-  max_owner_percentage: 20
-  max_owners: 3
-  # vercel.project_environment_no_secrets_in_plain_type
-  secret_suffixes:
-    - "_KEY"
-    - "_SECRET"
-    - "_TOKEN"
-    - "_PASSWORD"
-    - "_API_KEY"
-    - "_PRIVATE_KEY"
-
 
 ```

docs/user-guide/cli/tutorials/pentesting.mdx

@@ -66,38 +66,22 @@ prowler <provider> --categories internet-exposed
 
 ### Shodan
 
-Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the `-N`/`--shodan` option.
+Prowler allows you check if any public IPs in your Cloud environments are exposed in Shodan with the `-N`/`--shodan <shodan_api_key>` option:
 
-#### Using the Environment Variable (Recommended)
-
-Set the `SHODAN_API_KEY` environment variable to avoid exposing the API key in process listings and shell history:
+For example, you can check if any of your AWS Elastic Compute Cloud (EC2) instances has an elastic IP exposed in Shodan:
 
 ```console
-export SHODAN_API_KEY=<shodan_api_key>
+prowler aws -N/--shodan <shodan_api_key> -c ec2_elastic_ip_shodan
 ```
 
-Then run Prowler with the `--shodan` flag (no value needed):
+Also, you can check if any of your Azure Subscription has an public IP exposed in Shodan:
 
 ```console
-prowler aws --shodan -c ec2_elastic_ip_shodan
+prowler azure -N/--shodan <shodan_api_key> -c network_public_ip_shodan
 ```
 
+And finally, you can check if any of your GCP projects has an public IP address exposed in Shodan:
+
 ```console
-prowler azure --shodan -c network_public_ip_shodan
+prowler gcp -N/--shodan <shodan_api_key> -c compute_public_address_shodan
 ```
-
-```console
-prowler gcp --shodan -c compute_public_address_shodan
-```
-
-#### Using the CLI Flag
-
-Alternatively, pass the API key directly on the command line:
-
-```console
-prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
-```
-
-<Warning>
-Passing secret values directly on the command line exposes them in process listings and shell history. Prowler CLI displays a warning when this pattern is detected. Use the `SHODAN_API_KEY` environment variable instead.
-</Warning>