chore: resolve merge conflict in CHANGELOG.md

fix(github): use raw_data fallback for org attributes not exposed by PyGithub
fix(github): resolve flake8 errors and improve check metadata
2026-05-18 10:13:14 +00:00 · 2026-03-16 17:11:45 +01:00 · 2026-03-16 16:43:36 +01:00 · 2026-03-04 12:25:59 +01:00 · 2026-03-02 11:06:33 -06:00 · 2026-03-02 11:00:52 -06:00
693 changed files with 7300 additions and 23537 deletions
@@ -1,350 +0,0 @@
-#!/usr/bin/env bash
-#
-# Test script for E2E test path resolution logic from ui-e2e-tests-v2.yml.
-# Validates that the shell logic correctly transforms E2E_TEST_PATHS into
-# Playwright-compatible paths.
-#
-# Usage: .github/scripts/test-e2e-path-resolution.sh
-
-set -euo pipefail
-
-# -- Colors ------------------------------------------------------------------
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# -- Counters ----------------------------------------------------------------
-TOTAL=0
-PASSED=0
-FAILED=0
-
-# -- Temp directory setup & cleanup ------------------------------------------
-TMPDIR_ROOT="$(mktemp -d)"
-trap 'rm -rf "$TMPDIR_ROOT"' EXIT
-
-# ---------------------------------------------------------------------------
-# create_test_tree DIR [SUBDIRS_WITH_TESTS...]
-#
-# Creates a fake ui/tests/ tree inside DIR.
-# All standard subdirs are created (empty).
-# For each name in SUBDIRS_WITH_TESTS, a fake .spec.ts file is placed inside.
-# ---------------------------------------------------------------------------
-create_test_tree() {
-  local base="$1"; shift
-  local all_subdirs=(
-    auth home invitations profile providers scans
-    setups sign-in-base sign-up attack-paths findings
-    compliance browse manage-groups roles users overview
-    integrations
-  )
-
-  for d in "${all_subdirs[@]}"; do
-    mkdir -p "${base}/tests/${d}"
-  done
-
-  # Populate requested subdirs with a fake test file
-  for d in "$@"; do
-    mkdir -p "${base}/tests/${d}"
-    touch "${base}/tests/${d}/example.spec.ts"
-  done
-}
-
-# ---------------------------------------------------------------------------
-# resolve_paths E2E_TEST_PATHS WORKING_DIR
-#
-# Extracted EXACT logic from .github/workflows/ui-e2e-tests-v2.yml lines 212-250.
-# Outputs space-separated TEST_PATHS, or "SKIP" if no tests found.
-# Must be run with WORKING_DIR as the cwd equivalent (we cd into it).
-# ---------------------------------------------------------------------------
-resolve_paths() {
-  local E2E_TEST_PATHS="$1"
-  local WORKING_DIR="$2"
-
-  (
-    cd "$WORKING_DIR"
-
-    # --- Line 212-214: strip ui/ prefix, strip **, deduplicate ---------------
-    TEST_PATHS="${E2E_TEST_PATHS}"
-    TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
-
-    # --- Line 216: drop setup helpers ----------------------------------------
-    TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/' || true)
-
-    # --- Lines 219-230: safety net for bare tests/ --------------------------
-    if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-      SPECIFIC_DIRS=""
-      for dir in tests/*/; do
-        [[ "$dir" == "tests/setups/" ]] && continue
-        SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-      done
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/' || true)
-      TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-    fi
-
-    # --- Lines 231-234: bail if empty ----------------------------------------
-    if [[ -z "$TEST_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Lines 236-245: filter dirs with no test files -----------------------
-    VALID_PATHS=""
-    while IFS= read -r p; do
-      [[ -z "$p" ]] && continue
-      if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-        VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-      fi
-    done <<< "$TEST_PATHS"
-    VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$')
-
-    # --- Lines 246-249: bail if all empty ------------------------------------
-    if [[ -z "$VALID_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Line 250: final output (space-separated) ---------------------------
-    echo "$VALID_PATHS" | tr '\n' ' ' | sed 's/ $//'
-  )
-}
-
-# ---------------------------------------------------------------------------
-# run_test NAME INPUT EXPECTED_TYPE [EXPECTED_VALUE]
-#
-# EXPECTED_TYPE is one of:
-#   "contains <path>"  — output must contain this path
-#   "equals <value>"   — output must exactly equal this value
-#   "skip"             — expect SKIP (no runnable tests)
-#   "not_contains <p>" — output must NOT contain this path
-#
-# Multiple expectations can be specified by calling assert_* after run_test.
-# For convenience, run_test supports a single assertion inline.
-# ---------------------------------------------------------------------------
-CURRENT_RESULT=""
-CURRENT_TEST_NAME=""
-
-run_test() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  # Create a fresh temp tree per test
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  # Default populated dirs: scans, providers, auth, home, profile, sign-up, sign-in-base
-  create_test_tree "$test_dir" scans providers auth home profile sign-up sign-in-base
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-# Like run_test but lets caller specify which subdirs have test files.
-run_test_custom_tree() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-  shift 4
-  local populated_dirs=("$@")
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  create_test_tree "$test_dir" "${populated_dirs[@]}"
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-_check() {
-  local expect_type="$1"
-  local expect_value="$2"
-
-  case "$expect_type" in
-    skip)
-      if [[ "$CURRENT_RESULT" == "SKIP" ]]; then
-        _pass
-      else
-        _fail "expected SKIP, got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    contains)
-      if [[ "$CURRENT_RESULT" == *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    not_contains)
-      if [[ "$CURRENT_RESULT" != *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected NOT to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    equals)
-      if [[ "$CURRENT_RESULT" == "$expect_value" ]]; then
-        _pass
-      else
-        _fail "expected exactly '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    *)
-      _fail "unknown expect_type: $expect_type"
-      ;;
-  esac
-}
-
-_pass() {
-  PASSED=$((PASSED + 1))
-  printf '%b  PASS%b %s\n' "$GREEN" "$RESET" "$CURRENT_TEST_NAME"
-}
-
-_fail() {
-  FAILED=$((FAILED + 1))
-  printf '%b  FAIL%b %s\n' "$RED" "$RESET" "$CURRENT_TEST_NAME"
-  printf "        %s\n" "$1"
-}
-
-# ===========================================================================
-# TEST CASES
-# ===========================================================================
-
-echo ""
-printf '%bE2E Path Resolution Tests%b\n' "$BOLD" "$RESET"
-echo "=========================================="
-
-# 1. Normal single module
-run_test \
-  "1. Normal single module" \
-  "ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 2. Multiple modules
-run_test \
-  "2. Multiple modules — scans present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "2. Multiple modules — providers present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/providers/"
-
-# 3. Broad pattern (many modules)
-run_test \
-  "3. Broad pattern — no bare tests/" \
-  "ui/tests/auth/** ui/tests/scans/** ui/tests/providers/** ui/tests/home/** ui/tests/profile/**" \
-  "not_contains" "tests/ "
-
-# 4. Empty directory
-run_test \
-  "4. Empty directory — skipped" \
-  "ui/tests/attack-paths/**" \
-  "skip"
-
-# 5. Mix of populated and empty dirs
-run_test \
-  "5. Mix populated+empty — scans present" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "5. Mix populated+empty — attack-paths absent" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "not_contains" "tests/attack-paths/"
-
-# 6. All empty directories
-run_test \
-  "6. All empty directories" \
-  "ui/tests/attack-paths/** ui/tests/findings/**" \
-  "skip"
-
-# 7. Setup paths filtered
-run_test \
-  "7. Setup paths filtered out" \
-  "ui/tests/setups/**" \
-  "skip"
-
-# 8. Bare tests/ from broad pattern — safety net expands
-run_test \
-  "8. Bare tests/ expands — scans present" \
-  "ui/tests/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "8. Bare tests/ expands — setups excluded" \
-  "ui/tests/**" \
-  "not_contains" "tests/setups/"
-
-# 9. Bare tests/ with all empty subdirs (only setups has files)
-run_test_custom_tree \
-  "9. Bare tests/ — only setups has files" \
-  "ui/tests/**" \
-  "skip" "" \
-  setups
-
-# 10. Duplicate paths
-run_test \
-  "10. Duplicate paths — deduplicated" \
-  "ui/tests/scans/** ui/tests/scans/**" \
-  "equals" "tests/scans/"
-
-# 11. Empty input
-TOTAL=$((TOTAL + 1))
-CURRENT_TEST_NAME="11. Empty input"
-test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-mkdir -p "$test_dir"
-create_test_tree "$test_dir" scans providers
-CURRENT_RESULT=$(resolve_paths "" "$test_dir")
-_check "skip" ""
-
-# 12. Trailing/leading whitespace
-run_test \
-  "12. Whitespace handling" \
-  "  ui/tests/scans/**  " \
-  "contains" "tests/scans/"
-
-# 13. Path without ui/ prefix
-run_test \
-  "13. Path without ui/ prefix" \
-  "tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 14. Setup mixed with valid paths — only valid pass through
-run_test \
-  "14. Setups + valid — setups filtered" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "14. Setups + valid — setups absent" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "not_contains" "tests/setups/"
-
-# ===========================================================================
-# SUMMARY
-# ===========================================================================
-
-echo ""
-echo "=========================================="
-if [[ "$FAILED" -eq 0 ]]; then
-  printf '%b%bAll tests passed: %d/%d%b\n' "$GREEN" "$BOLD" "$PASSED" "$TOTAL" "$RESET"
-else
-  printf '%b%b%d/%d passed, %d FAILED%b\n' "$RED" "$BOLD" "$PASSED" "$TOTAL" "$FAILED" "$RESET"
-fi
-echo ""
-
-exit "$FAILED"
@@ -224,24 +224,8 @@ modules:
    tests:
      - api/src/backend/api/tests/test_views.py
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # API view changes can break UI
+      - ui/tests/**

  - name: api-serializers
    match:
@@ -250,24 +234,8 @@ modules:
    tests:
      - api/src/backend/api/tests/**
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Serializer changes affect API responses → UI
+      - ui/tests/**

  - name: api-filters
    match:
@@ -439,24 +407,8 @@ modules:
      - ui/components/ui/**
    tests: []
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Shared components can affect any E2E
+      - ui/tests/**

  - name: ui-attack-paths
    match:
@@ -28,7 +28,7 @@ jobs:
      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -80,7 +80,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -118,7 +118,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,7 +137,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -177,7 +177,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,7 +205,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -255,7 +255,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -33,14 +33,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -42,17 +42,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -57,7 +57,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -95,12 +95,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -111,7 +111,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -161,7 +161,7 @@ jobs:

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main

      - name: Cleanup intermediate architecture tags
        if: always()
@@ -180,7 +180,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/Dockerfile

@@ -66,14 +66,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/**
          files_ignore: |
@@ -88,7 +88,7 @@ jobs:

      - name: Build container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -33,14 +33,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -73,14 +73,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -34,7 +34,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,7 +28,7 @@ jobs:
      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -80,7 +80,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -114,7 +114,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,7 +137,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -174,7 +174,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,7 +205,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -245,7 +245,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -1,48 +0,0 @@
-name: 'Helm: Chart Checks'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  helm-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Lint Helm chart
-        run: helm lint ${{ env.CHART_PATH }}
-
-      - name: Validate Helm chart template rendering
-        run: helm template prowler ${{ env.CHART_PATH }}
@@ -1,54 +0,0 @@
-name: 'Helm: Chart Release'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  release-helm-chart:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
-
-      - name: Set appVersion from release tag
-        run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
-          echo "Setting appVersion to ${RELEASE_TAG}"
-          sed -i "s/^appVersion:.*/appVersion: \"${RELEASE_TAG}\"/" ${{ env.CHART_PATH }}/Chart.yaml
-        env:
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-
-      - name: Login to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${GITHUB_ACTOR} --password-stdin
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Package Helm chart
-        run: helm package ${{ env.CHART_PATH }} --destination .helm-packages
-
-      - name: Push chart to GHCR
-        run: |
-          PACKAGE=$(ls .helm-packages/*.tgz)
-          helm push "$PACKAGE" oci://ghcr.io/${{ github.repository_owner }}/charts
@@ -56,7 +56,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -93,12 +93,12 @@ jobs:
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -109,7 +109,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -135,7 +135,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -186,7 +186,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/Dockerfile

@@ -65,14 +65,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/**
          files_ignore: |
@@ -85,7 +85,7 @@ jobs:

      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -60,7 +60,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -70,7 +70,7 @@ jobs:
          enable-cache: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          # zizmor: ignore[artipacked]
@@ -37,7 +37,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout PR head
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: '**'

@@ -27,14 +27,14 @@ jobs:
      pull-requests: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        fetch-depth: 0
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        persist-credentials: false

    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
      with:
        python-version: '3.12'

@@ -345,7 +345,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -67,7 +67,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -96,7 +96,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -115,7 +115,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -148,7 +148,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -176,7 +176,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -211,7 +211,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -31,14 +31,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +67,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -49,17 +49,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -61,12 +61,12 @@ jobs:
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -117,7 +117,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -155,18 +155,18 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -180,7 +180,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -199,13 +199,13 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -266,7 +266,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -27,14 +27,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: Dockerfile

@@ -65,14 +65,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -101,7 +101,7 @@ jobs:

      - name: Build SDK container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: false
@@ -59,7 +59,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -67,7 +67,7 @@ jobs:
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -92,7 +92,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -100,7 +100,7 @@ jobs:
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -25,13 +25,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -40,7 +40,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -51,7 +51,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -23,13 +23,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -48,7 +48,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -24,14 +24,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files:
            ./**
@@ -62,7 +62,7 @@ jobs:

      - name: Set up Python 3.12
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.12'
          cache: 'poetry'
@@ -31,14 +31,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +67,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -80,7 +80,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/aws/**
@@ -122,7 +122,7 @@ jobs:
              "wafv2": ["cognito", "elbv2"],
          }

-          changed_raw = os.environ.get("STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES", "")
+          changed_raw = """${STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES}"""
          # all_changed_files is space-separated, not newline-separated
          # Strip leading "./" if present for consistent path handling
          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
@@ -210,7 +210,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/azure/**
@@ -234,7 +234,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/gcp/**
@@ -258,7 +258,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -282,7 +282,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/github/**
@@ -306,7 +306,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/nhn/**
@@ -330,7 +330,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/m365/**
@@ -354,7 +354,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/iac/**
@@ -378,7 +378,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -402,7 +402,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -426,7 +426,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/openstack/**
@@ -450,7 +450,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -474,7 +474,7 @@ jobs:
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/lib/**
@@ -498,7 +498,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/config/**
@@ -48,17 +48,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1

      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.12'

@@ -67,7 +67,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -95,7 +95,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
          persist-credentials: false
@@ -149,7 +149,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -180,7 +180,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -214,7 +214,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -45,17 +45,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -59,7 +59,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -97,12 +97,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -113,7 +113,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -134,7 +134,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -185,7 +185,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -28,14 +28,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/Dockerfile

@@ -66,14 +66,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/**
          files_ignore: |
@@ -87,7 +87,7 @@ jobs:

      - name: Build UI container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -78,7 +78,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -152,7 +152,7 @@ jobs:
          '

      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: '24.13.0'

@@ -166,7 +166,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -186,7 +186,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -214,40 +214,11 @@ jobs:
            TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
            # Drop auth setup helpers (not runnable test suites)
            TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-            # Safety net: if bare "tests/" appears (from broad patterns like ui/tests/**),
-            # expand to specific subdirs to avoid Playwright discovering setup files
-            if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-              echo "Expanding bare 'tests/' to specific subdirs (excluding setups)..."
-              SPECIFIC_DIRS=""
-              for dir in tests/*/; do
-                [[ "$dir" == "tests/setups/" ]] && continue
-                SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-              done
-              # Replace "tests/" with specific dirs, keep other paths
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/')
-              TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-            fi
            if [[ -z "$TEST_PATHS" ]]; then
              echo "No runnable E2E test paths after filtering setups"
              exit 0
            fi
-            # Filter out directories that don't contain any test files
-            VALID_PATHS=""
-            while IFS= read -r p; do
-              [[ -z "$p" ]] && continue
-              if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-                VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-              else
-                echo "Skipping empty test directory: $p"
-              fi
-            done <<< "$TEST_PATHS"
-            VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$' || true)
-            if [[ -z "$VALID_PATHS" ]]; then
-              echo "No test files found in any resolved paths — skipping E2E"
-              exit 0
-            fi
-            TEST_PATHS=$(echo "$VALID_PATHS" | tr '\n' ' ')
+            TEST_PATHS=$(echo "$TEST_PATHS" | tr '\n' ' ')
            echo "Resolved test paths: $TEST_PATHS"
            pnpm exec playwright test $TEST_PATHS
          fi
@@ -30,14 +30,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**
@@ -50,7 +50,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**/*.ts
@@ -66,7 +66,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/lib/**
@@ -78,7 +78,7 @@ jobs:

      - name: Setup Node.js ${{ env.NODE_VERSION }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -96,7 +96,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -46,8 +46,6 @@ Use these skills for detailed patterns on-demand:
 | `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
 | `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
 | `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
-| `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
 | `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
 | `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
 | `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
@@ -87,15 +85,15 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Fixing bug | `tdd` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
-| Implementing feature | `tdd` |
 | Importing Copilot Custom Agents into workflows | `gh-aw` |
+| Implementing feature | `tdd` |
 | Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
 | Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
 | Mapping checks to compliance controls | `prowler-compliance` |
 | Mocking AWS with moto in tests | `prowler-test-sdk` |
 | Modifying API responses | `jsonapi` |
-| Modifying component | `tdd` |
 | Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
+| Modifying component | `tdd` |
 | Refactoring code | `tdd` |
 | Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
 | Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
@@ -109,16 +109,14 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
 | GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 89 | 9 | 4 | 5 | Official | UI, API, CLI |
-| OCI | 48 | 13 | 3 | 10 | Official | UI, API, CLI |
+| M365 | 75 | 7 | 4 | 4 | Official | UI, API, CLI |
+| OCI | 51 | 13 | 3 | 12 | Official | UI, API, CLI |
 | Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 2 | 0 | 5 | Official | UI, API, CLI |
+| Cloudflare | 29 | 2 | 0 | 5 | Official | CLI, API |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 3 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
-| OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
+| OpenStack | 1 | 1 | 0 | 2 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -4,8 +4,6 @@
 > - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
 > - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
 > - [`prowler-attack-paths-query`](../skills/prowler-attack-paths-query/SKILL.md) - Attack Paths openCypher queries
-> - [`django-migration-psql`](../skills/django-migration-psql/SKILL.md) - Migration best practices for PostgreSQL
-> - [`postgresql-indexing`](../skills/postgresql-indexing/SKILL.md) - PostgreSQL indexing, EXPLAIN, monitoring, maintenance
 > - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
@@ -18,20 +16,14 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
-| Analyzing query performance with EXPLAIN | `postgresql-indexing` |
 | Committing changes | `prowler-commit` |
 | Create PR that requires changelog entry | `prowler-changelog` |
 | Creating API endpoints | `jsonapi` |
 | Creating Attack Paths queries | `prowler-attack-paths-query` |
 | Creating ViewSets, serializers, or filters in api/ | `django-drf` |
 | Creating a git commit | `prowler-commit` |
-| Creating or modifying PostgreSQL indexes | `postgresql-indexing` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying models, views, serializers | `prowler-api` |
-| Debugging slow queries or missing indexes | `postgresql-indexing` |
-| Dropping or reindexing PostgreSQL indexes | `postgresql-indexing` |
 | Fixing bug | `tdd` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -40,14 +32,12 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Refactoring code | `tdd` |
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Update CHANGELOG.md in any component | `prowler-changelog` |
 | Updating existing Attack Paths queries | `prowler-attack-paths-query` |
 | Working on task | `tdd` |
 | Writing Prowler API tests | `prowler-test-api` |
 | Writing Python tests with pytest | `pytest` |
-| Writing data backfill or data migration | `django-migration-psql` |

 ---

@@ -2,21 +2,6 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.21.0] (Prowler v5.20.0)
-
-### 🔄 Changed
-
- Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
- `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)
-
-### 🐞 Fixed
-
- Attack Paths: Security hardening for custom query endpoint (Cypher blocklist, input validation, rate limiting, Helm lockdown) [(#10238)](https://github.com/prowler-cloud/prowler/pull/10238)
- Attack Paths: Missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
- Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)
-
---
-
 ## [1.20.0] (Prowler v5.19.0)

 ### 🚀 Added
@@ -26,7 +11,6 @@ All notable changes to the **Prowler API** are documented in this file.
 - PDF report for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
 - `image` provider support for container image scanning [(#10128)](https://github.com/prowler-cloud/prowler/pull/10128)
 - Attack Paths: Custom query and Cartography schema endpoints (temporarily blocked) [(#10149)](https://github.com/prowler-cloud/prowler/pull/10149)
- `googleworkspace` provider support [(#10247)](https://github.com/prowler-cloud/prowler/pull/10247)

 ### 🔄 Changed

@@ -45,7 +29,6 @@ All notable changes to the **Prowler API** are documented in this file.

 ### 🐞 Fixed

- PDF compliance reports consistency with UI: exclude resourceless findings and fix ENS MANUAL status handling [(#10270)](https://github.com/prowler-cloud/prowler/pull/10270)
 - Attack Paths: Orphaned temporary Neo4j databases are now cleaned up on scan failure and provider deletion [(#10101)](https://github.com/prowler-cloud/prowler/pull/10101)
 - Attack Paths: scan no longer raises `DatabaseError` when provider is deleted mid-scan [(#10116)](https://github.com/prowler-cloud/prowler/pull/10116)
 - Tenant compliance summaries recalculated after provider deletion [(#10172)](https://github.com/prowler-cloud/prowler/pull/10172)
@@ -24,6 +24,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    python3-dev \
    && rm -rf /var/lib/apt/lists/*

+# Cartography depends on `dockerfile` which has no pre-built arm64 wheel and requires Go to compile
+# hadolint ignore=DL3008
+RUN if [ "$(uname -m)" = "aarch64" ]; then \
+        apt-get update && apt-get install -y --no-install-recommends golang-go \
+        && rm -rf /var/lib/apt/lists/* ; \
+    fi
+
 # Install PowerShell
 RUN ARCH=$(uname -m) && \
    if [ "$ARCH" = "x86_64" ]; then \
@@ -1822,14 +1822,14 @@ crt = ["awscrt (==0.27.6)"]

 [[package]]
 name = "cartography"
-version = "0.132.0"
+version = "0.129.0"
 description = "Explore assets and their relationships across your technical infrastructure."
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "cartography-0.132.0-py3-none-any.whl", hash = "sha256:c070aa51d0ab4479cb043cae70b35e7df49f2fb5f1fa95ccf10000bbeb952262"},
-    {file = "cartography-0.132.0.tar.gz", hash = "sha256:7c6332bc57fd2629d7b83aee7bd95a7b2edb0d51ef746efa0461399e0b66625c"},
+    {file = "cartography-0.129.0-py3-none-any.whl", hash = "sha256:d42c840369be9e4d0ac4d024074e3732416e40bab3d9a3023b6a247918daed4c"},
+    {file = "cartography-0.129.0.tar.gz", hash = "sha256:cb47d603e652554a4cbcc1a868c96014eb02b3d5cc1affea0428b2ed7fa61699"},
 ]

 [package.dependencies]
@@ -1864,8 +1864,8 @@ boto3 = ">=1.15.1"
 botocore = ">=1.18.1"
 cloudflare = ">=4.1.0,<5.0.0"
 crowdstrike-falconpy = ">=0.5.1"
-cryptography = "*"
 dnspython = ">=1.15.0"
+dockerfile = ">=3.0.0"
 duo-client = "*"
 google-api-python-client = ">=1.7.8"
 google-auth = ">=2.37.0"
@@ -3095,6 +3095,21 @@ docs = ["myst-parser (==0.18.0)", "sphinx (==5.1.1)"]
 ssh = ["paramiko (>=2.4.3)"]
 websockets = ["websocket-client (>=1.3.0)"]

+[[package]]
+name = "dockerfile"
+version = "3.4.0"
+description = "Parse a dockerfile into a high-level representation using the official go parser."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_13_0_x86_64.whl", hash = "sha256:ed33446a76007cbb3f28c247f189cc06db34667d4f59a398a5c44912d7c13f36"},
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_14_0_arm64.whl", hash = "sha256:a4549d4f038483c25906d4fec56bb6ffe82ae26e0f80a15f2c0fedbb50712053"},
+    {file = "dockerfile-3.4.0-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:b95102bd82e6f67c836186b51c13114aa586a20e8cb6441bde24d4070542009d"},
+    {file = "dockerfile-3.4.0-cp39-abi3-win_amd64.whl", hash = "sha256:30202187f1885f99ac839fd41ca8150b2fd0a66fac12db0166361d0c4622e71a"},
+    {file = "dockerfile-3.4.0.tar.gz", hash = "sha256:238bb950985c55a525daef8bbfe994a0230aa0978c419f4caa4d9ce0a37343f1"},
+]
+
 [[package]]
 name = "dogpile-cache"
 version = "1.5.0"
@@ -9382,4 +9397,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "6e38c38b1f8dc05b881f49703fa445eec299527e6697992b18e4613534fbcdb6"
+content-hash = "42759b370c9e38da727e73f9d8ec0fa61bc6137eab18f11ccd7deff79a0dee69"
@@ -37,7 +37,7 @@ dependencies = [
  "matplotlib (>=3.10.6,<4.0.0)",
  "reportlab (>=4.4.4,<5.0.0)",
  "neo4j (>=6.0.0,<7.0.0)",
-  "cartography (==0.132.0)",
+  "cartography (==0.129.0)",
  "gevent (>=25.9.1,<26.0.0)",
  "werkzeug (>=3.1.4)",
  "sqlparse (>=0.5.4)",
@@ -49,7 +49,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.22.0"
+version = "1.20.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -35,7 +35,6 @@ READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
    "Neo.ClientError.Procedure.ProcedureNotFound",
 ]
-CLIENT_STATEMENT_EXCEPTION_PREFIX = "Neo.ClientError.Statement."

 # Module-level process-wide driver singleton
 _driver: neo4j.Driver | None = None
@@ -109,7 +108,6 @@ def get_session(
    except neo4j.exceptions.Neo4jError as exc:
        if (
            default_access_mode == neo4j.READ_ACCESS
-            and exc.code
            and exc.code in READ_EXCEPTION_CODES
        ):
            message = "Read query not allowed"
@@ -117,10 +115,6 @@ def get_session(
            raise WriteQueryNotAllowedException(message=message, code=code)

        message = exc.message if exc.message is not None else str(exc)
-
-        if exc.code and exc.code.startswith(CLIENT_STATEMENT_EXCEPTION_PREFIX):
-            raise ClientStatementException(message=message, code=exc.code)
-
        raise GraphDatabaseQueryException(message=message, code=exc.code)

    finally:
@@ -233,7 +227,3 @@ class GraphDatabaseQueryException(Exception):

 class WriteQueryNotAllowedException(GraphDatabaseQueryException):
    pass
-
-
-class ClientStatementException(GraphDatabaseQueryException):
-    pass
@@ -16,7 +16,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
    description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
        WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
@@ -31,7 +32,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(

        MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path_s3) + nodes(path_ec2) + nodes(path_role) + nodes(path_assume_role) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -179,12 +181,14 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find EC2 instances flagged as exposed to the internet within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
        WHERE ec2.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -201,14 +205,16 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
    description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
        MATCH path_ec2 = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
        WHERE ec2.exposed_internet = true
            AND ir.range = "0.0.0.0/0"

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path_ec2) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -225,12 +231,14 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find Classic Load Balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
        WHERE elb.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elb)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elb)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -247,12 +255,14 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
        WHERE elbv2.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elbv2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elbv2)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -269,15 +279,31 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
    description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

-        MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
-        WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
-           OR (x:EC2Instance AND x.publicipaddress = $ip)
-           OR (x:NetworkInterface AND x.public_ip = $ip)
-           OR (x:ElasticIPAddress AND x.public_ip = $ip)
+        CALL () {{
+            MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2PrivateIp)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(x)
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2Instance)-[q]-(y)
+            WHERE x.publicipaddress = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:NetworkInterface)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:ElasticIPAddress)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+        }}
+
+        WITH path, x, internet
+
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, x)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -1,5 +1,4 @@
 import logging
-import re

 from typing import Any, Iterable

@@ -118,38 +117,6 @@ def execute_query(

 # Custom query helpers

-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-# Strip string literals so patterns inside quotes don't cause false positives
-# Handles escaped quotes (\' and \") inside strings
-_STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals are stripped before matching to avoid false positives.
-    """
-    stripped = _STRING_LITERALS.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})
-

 def normalize_custom_query_payload(raw_data):
    if not isinstance(raw_data, dict):
@@ -168,8 +135,6 @@ def execute_custom_query(
    cypher: str,
    provider_id: str,
 ) -> dict[str, Any]:
-    validate_custom_query(cypher)
-
    try:
        graph = graph_database.execute_read_query(
            database=database_name,
@@ -178,9 +143,6 @@ def execute_custom_query(
        serialized = _serialize_graph(graph, provider_id)
        return _truncate_graph(serialized)

-    except graph_database.ClientStatementException as exc:
-        raise ValidationError({"query": exc.message})
-
    except graph_database.WriteQueryNotAllowedException:
        raise PermissionDenied(
            "Attack Paths query execution failed: read-only queries are enforced"
@@ -265,12 +227,6 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
            },
        )

-    filtered_count = len(graph.nodes) - len(nodes)
-    if filtered_count > 0:
-        logger.debug(
-            f"Filtered {filtered_count} nodes without matching provider_id={provider_id}"
-        )
-
    relationships = []
    for relationship in graph.relationships:
        if relationship._properties.get("provider_id") != provider_id:
@@ -1,39 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0083_image_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'googleworkspace';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
@@ -293,7 +293,6 @@ class Provider(RowLevelSecurityProtectedModel):
        CLOUDFLARE = "cloudflare", _("Cloudflare")
        OPENSTACK = "openstack", _("OpenStack")
        IMAGE = "image", _("Image")
-        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")

    @staticmethod
    def validate_aws_uid(value):
@@ -343,15 +342,6 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

-    @staticmethod
-    def validate_googleworkspace_uid(value):
-        if not re.match(r"^C[0-9a-zA-Z]+$", value):
-            raise ModelValidationError(
-                detail="Google Workspace Customer ID must start with 'C' followed by one or more alphanumeric characters (e.g., C01234abc, C12345678).",
-                code="googleworkspace-uid",
-                pointer="/data/attributes/uid",
-            )
-
    @staticmethod
    def validate_kubernetes_uid(value):
        if not re.match(
@@ -501,72 +501,6 @@ def test_execute_custom_query_wraps_graph_errors():
    mock_logger.error.assert_called_once()


-# -- validate_custom_query ------------------------------------------------
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-        "load csv from 'http://evil.com' as row return row",
-        "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-        "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-        "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-        "CALL apoc.export.csv.all('file.csv', {})",
-        "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-        "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        "CALL apoc.config.list() YIELD key, value RETURN key, value",
-        "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-        "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-        "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-        "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-    ],
-    ids=[
-        "LOAD_CSV",
-        "LOAD_CSV_lowercase",
-        "apoc.load.json",
-        "apoc.load.csvParams",
-        "apoc.import.csv",
-        "apoc.export.csv",
-        "apoc.cypher.run",
-        "apoc.systemdb.graph",
-        "apoc.config.list",
-        "apoc.periodic.iterate",
-        "apoc.do.when",
-        "apoc.trigger.add",
-        "apoc.custom.asProcedure",
-    ],
-)
-def test_validate_custom_query_rejects_blocked_patterns(cypher):
-    with pytest.raises(ValidationError) as exc:
-        views_helpers.validate_custom_query(cypher)
-
-    assert "blocked operation" in str(exc.value.detail)
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-        "MATCH (a)-[r]->(b) RETURN a, r, b",
-        "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-        "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-        "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-        'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-    ],
-    ids=[
-        "simple_match",
-        "traversal",
-        "contains_load_substring",
-        "apoc_virtual_node",
-        "apoc_load_inside_single_quotes",
-        "load_csv_inside_double_quotes",
-    ],
-)
-def test_validate_custom_query_allows_clean_queries(cypher):
-    views_helpers.validate_custom_query(cypher)
-
-
 # -- _truncate_graph ----------------------------------------------------------


@@ -23,9 +23,6 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.googleworkspace.googleworkspace_provider import (
-    GoogleworkspaceProvider,
-)
 from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -116,7 +113,6 @@ class TestReturnProwlerProvider:
        [
            (Provider.ProviderChoices.AWS.value, AwsProvider),
            (Provider.ProviderChoices.GCP.value, GcpProvider),
-            (Provider.ProviderChoices.GOOGLEWORKSPACE.value, GoogleworkspaceProvider),
            (Provider.ProviderChoices.AZURE.value, AzureProvider),
            (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
            (Provider.ProviderChoices.M365.value, M365Provider),
@@ -252,10 +248,6 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.GCP.value,
                {"project_ids": ["provider_uid"]},
            ),
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                {},
-            ),
            (
                Provider.ProviderChoices.KUBERNETES.value,
                {"context": "provider_uid"},
@@ -1190,26 +1190,6 @@ class TestProviderViewSet:
                    "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                    "alias": "OpenStack Project",
                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C01234abc",
-                    "alias": "Google Workspace Customer",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12345678",
-                    "alias": "Google Workspace All Digits",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "CABCDEF123",
-                    "alias": "Google Workspace Uppercase",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12",
-                    "alias": "Google Workspace Minimum Length",
-                },
            ]
        ),
    )
@@ -1362,11 +1342,7 @@ class TestProviderViewSet:
        response = authenticated_client.post(
            reverse("provider-list"), data=provider_json_payload, format="json"
        )
-        assert response.status_code == status.HTTP_409_CONFLICT
-        error = response.json()["errors"][0]
-        assert error["detail"] == "Provider already exists."
-        assert error["code"] == "conflict"
-        assert error["source"]["pointer"] == "/data/attributes/uid"
+        assert response.status_code == status.HTTP_400_BAD_REQUEST

        mock_delete_task.reset_mock()
        mock_delete_task.return_value = task_mock
@@ -1658,36 +1634,6 @@ class TestProviderViewSet:
                    "min_length",
                    "uid",
                ),
-                # Google Workspace UID validation - missing 'C' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "01234abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - contains special characters
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "C0123-abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - lowercase 'c' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "c12345678",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
            ]
        ),
    )
@@ -1861,21 +1807,21 @@ class TestProviderViewSet:
                (
                    "uid.icontains",
                    "1",
-                    11,
+                    10,
                ),
                ("alias", "aws_testing_1", 1),
                ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 12),
+                ("inserted_at", TODAY, 11),
                (
                    "inserted_at.gte",
                    "2024-01-01",
-                    12,
+                    11,
                ),
                ("inserted_at.lte", "2024-01-01", 0),
                (
                    "updated_at.gte",
                    "2024-01-01",
-                    12,
+                    11,
                ),
                ("updated_at.lte", "2024-01-01", 0),
            ]
@@ -2491,15 +2437,6 @@ class TestProviderSecretViewSet:
                    "clouds_yaml_cloud": "mycloud",
                },
            ),
-            # Google Workspace with service account credentials
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "credentials_content": '{"type": "service_account", "project_id": "test-project", "private_key_id": "key123", "private_key": "-----BEGIN PRIVATE KEY-----\\ntest\\n-----END PRIVATE KEY-----\\n", "client_email": "test@test-project.iam.gserviceaccount.com", "client_id": "123456789"}',
-                    "delegated_user": "admin@example.com",
-                },
-            ),
        ],
    )
    def test_provider_secrets_create_valid(
@@ -3810,12 +3747,6 @@ class TestTaskViewSet:

@pytest.mark.django_db
 class TestAttackPathsScanViewSet:
-    @pytest.fixture(autouse=True)
-    def _clear_throttle_cache(self):
-        from django.core.cache import cache
-
-        cache.clear()
-
    @staticmethod
    def _run_payload(query_id="aws-rds", parameters=None):
        return {
@@ -4417,6 +4348,8 @@ class TestAttackPathsScanViewSet:
            }
        }

+    # TODO: Remove skip once queries/custom and schema endpoints are unblocked
+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_graph(
        self,
        authenticated_client,
@@ -4474,6 +4407,7 @@ class TestAttackPathsScanViewSet:
        assert attributes["total_nodes"] == 1
        assert attributes["truncated"] is False

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_text_when_accept_text_plain(
        self,
        authenticated_client,
@@ -4528,6 +4462,7 @@ class TestAttackPathsScanViewSet:
        assert "## Relationships (0)" in body
        assert "## Summary" in body

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_404_when_no_nodes(
        self,
        authenticated_client,
@@ -4569,6 +4504,7 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_404_NOT_FOUND

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -4595,6 +4531,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_400_BAD_REQUEST
        assert "not available" in response.json()["errors"][0]["detail"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_403_for_write_query(
        self,
        authenticated_client,
@@ -4632,343 +4569,9 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_403_FORBIDDEN

-    # -- SSRF blocklist (HTTP level) ----------------------------------------------
-
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-            "CALL apoc.export.csv.all('file.csv', {})",
-            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        ],
-        ids=[
-            "LOAD_CSV",
-            "apoc.load",
-            "apoc.import",
-            "apoc.export",
-            "apoc.cypher.run",
-            "apoc.systemdb",
-        ],
-    )
-    def test_run_custom_query_rejects_ssrf_patterns(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-        cypher,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(cypher),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        assert "blocked" in response.json()["errors"][0]["detail"].lower()
-
-    # -- Cross-tenant isolation ---------------------------------------------------
-
-    def test_run_custom_query_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789999",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    def test_cartography_schema_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant-schema")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789998",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    # -- Authentication / authorization -------------------------------------------
-
-    def test_run_custom_query_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_cartography_schema_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_run_custom_query_returns_403_no_manage_scans(
-        self,
-        authenticated_client_no_permissions_rbac,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client_no_permissions_rbac.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-
-    # -- Error leakage ------------------------------------------------------------
-
-    def test_run_custom_query_does_not_leak_internals_on_error(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-        body = json.dumps(response.json()).lower()
-        for forbidden_term in ["neo4j", "bolt://", "syntaxerror", "db-tenant-"]:
-            assert forbidden_term not in body
-
-    # -- Rate limiting (throttle) -------------------------------------------------
-
-    def test_run_custom_query_throttled_after_limit(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        mock_graph = {
-            "nodes": [{"id": "n1", "labels": ["Test"], "properties": {}}],
-            "relationships": [],
-            "total_nodes": 1,
-            "truncated": False,
-        }
-
-        url = reverse(
-            "attack-paths-scans-queries-custom",
-            kwargs={"pk": attack_paths_scan.id},
-        )
-        payload = self._custom_query_payload()
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                return_value=mock_graph,
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-            patch(
-                "api.v1.views.graph_database.clear_cache",
-            ),
-        ):
-            for i in range(11):
-                response = authenticated_client.post(
-                    url,
-                    data=payload,
-                    content_type=API_JSON_CONTENT_TYPE,
-                )
-                if i < 10:
-                    assert (
-                        response.status_code == status.HTTP_200_OK
-                    ), f"Request {i + 1} should succeed with 200 OK, got {response.status_code}"
-                else:
-                    assert (
-                        response.status_code == status.HTTP_429_TOO_MANY_REQUESTS
-                    ), f"Request {i + 1} should be throttled"
-
-    # -- Timeout simulation -------------------------------------------------------
-
-    def test_run_custom_query_returns_500_on_database_timeout(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-
    # -- cartography_schema action ------------------------------------------------

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_urls(
        self,
        authenticated_client,
@@ -5018,6 +4621,7 @@ class TestAttackPathsScanViewSet:
        assert "schema.md" in attributes["schema_url"]
        assert "raw.githubusercontent.com" in attributes["raw_schema_url"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_404_when_no_metadata(
        self,
        authenticated_client,
@@ -5052,6 +4656,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_404_NOT_FOUND
        assert "No cartography schema metadata" in str(response.json())

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -27,9 +27,6 @@ if TYPE_CHECKING:
    from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
    from prowler.providers.gcp.gcp_provider import GcpProvider
    from prowler.providers.github.github_provider import GithubProvider
-    from prowler.providers.googleworkspace.googleworkspace_provider import (
-        GoogleworkspaceProvider,
-    )
    from prowler.providers.iac.iac_provider import IacProvider
    from prowler.providers.image.image_provider import ImageProvider
    from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -86,7 +83,6 @@ def return_prowler_provider(
    | CloudflareProvider
    | GcpProvider
    | GithubProvider
-    | GoogleworkspaceProvider
    | IacProvider
    | ImageProvider
    | KubernetesProvider
@@ -101,7 +97,7 @@ def return_prowler_provider(
        provider (Provider): The provider object containing the provider type and associated secrets.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.

    Raises:
        ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -115,12 +111,6 @@ def return_prowler_provider(
            from prowler.providers.gcp.gcp_provider import GcpProvider

            prowler_provider = GcpProvider
-        case Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-            from prowler.providers.googleworkspace.googleworkspace_provider import (
-                GoogleworkspaceProvider,
-            )
-
-            prowler_provider = GoogleworkspaceProvider
        case Provider.ProviderChoices.AZURE.value:
            from prowler.providers.azure.azure_provider import AzureProvider

@@ -273,7 +263,6 @@ def initialize_prowler_provider(
    | CloudflareProvider
    | GcpProvider
    | GithubProvider
-    | GoogleworkspaceProvider
    | IacProvider
    | ImageProvider
    | KubernetesProvider
@@ -289,7 +278,7 @@ def initialize_prowler_provider(
        mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
            initialized with the provider's secrets.
    """
    prowler_provider = return_prowler_provider(provider)
@@ -191,22 +191,6 @@ from rest_framework_json_api import serializers
                },
                "required": ["service_account_key"],
            },
-            {
-                "type": "object",
-                "title": "Google Workspace Service Account",
-                "properties": {
-                    "credentials_content": {
-                        "type": "string",
-                        "description": "The service account JSON credentials content for Google Workspace API access with domain-wide delegation enabled.",
-                    },
-                    "delegated_user": {
-                        "type": "string",
-                        "format": "email",
-                        "description": "The email address of the Google Workspace super admin user to impersonate for domain-wide delegation.",
-                    },
-                },
-                "required": ["credentials_content", "delegated_user"],
-            },
            {
                "type": "object",
                "title": "Kubernetes Static Credentials",
@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import update_last_login
 from django.contrib.auth.password_validation import validate_password
-from django.core.exceptions import ValidationError as DjangoValidationError
 from django.db import IntegrityError
 from drf_spectacular.utils import extend_schema_field
 from jwt.exceptions import InvalidKeyError
@@ -960,26 +959,6 @@ class ProviderCreateSerializer(RLSSerializer, BaseWriteSerializer):
            },
        }

-    def create(self, validated_data):
-        try:
-            return super().create(validated_data)
-        except DjangoValidationError as e:
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-        except IntegrityError as e:
-            # Handle race conditions where the unique constraint is enforced at the DB level
-            # after validation has already passed.
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-

 class ProviderUpdateSerializer(BaseWriteSerializer):
    """
@@ -1241,7 +1220,7 @@ class AttackPathsQueryRunRequestSerializer(BaseSerializerV1):


 class AttackPathsCustomQueryRunRequestSerializer(BaseSerializerV1):
-    query = serializers.CharField(max_length=10000, min_length=1, trim_whitespace=True)
+    query = serializers.CharField()

    class JSONAPIMeta:
        resource_name = "attack-paths-custom-query-run-requests"
@@ -1541,8 +1520,6 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = AzureProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GCP.value:
                serializer = GCPProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-                serializer = GoogleWorkspaceProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GITHUB.value:
                serializer = GithubProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.IAC.value:
@@ -1678,14 +1655,6 @@ class GCPServiceAccountProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


-class GoogleWorkspaceProviderSecret(serializers.Serializer):
-    credentials_content = serializers.CharField()
-    delegated_user = serializers.EmailField()
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class MongoDBAtlasProviderSecret(serializers.Serializer):
    atlas_public_key = serializers.CharField()
    atlas_private_key = serializers.CharField()
@@ -51,13 +51,6 @@ from api.v1.views import (
 )


-# This helper view is used to block any endpoints that should not be available
-# To use it, add a new entry in the `urlpatterns` list, for example (old but real one):
-#     path(
-#         "attack-paths-scans/<uuid:pk>/queries/custom",
-#         _blocked_endpoint,
-#         name="attack-paths-scans-queries-custom-blocked",
-#     ),
@csrf_exempt
 def _blocked_endpoint(request, *args, **kwargs):
    return JsonResponse(
@@ -216,6 +209,17 @@ urlpatterns = [
    path("tokens/saml", SAMLTokenValidateView.as_view(), name="token-saml"),
    path("tokens/google", GoogleSocialLoginView.as_view(), name="token-google"),
    path("tokens/github", GithubSocialLoginView.as_view(), name="token-github"),
+    # TODO: Remove these blocked endpoints once they are properly tested
+    path(
+        "attack-paths-scans/<uuid:pk>/queries/custom",
+        _blocked_endpoint,
+        name="attack-paths-scans-queries-custom-blocked",
+    ),
+    path(
+        "attack-paths-scans/<uuid:pk>/schema",
+        _blocked_endpoint,
+        name="attack-paths-scans-schema-blocked",
+    ),
    path("", include(router.urls)),
    path("", include(tenants_router.urls)),
    path("", include(users_router.urls)),
@@ -3,7 +3,6 @@ import glob
 import json
 import logging
 import os
-import time

 from collections import defaultdict
 from copy import deepcopy
@@ -408,7 +407,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.22.0"
+        spectacular_settings.VERSION = "1.20.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -2452,11 +2451,6 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
    # RBAC required permissions
    required_permissions = [Permissions.MANAGE_SCANS]

-    def get_throttles(self):
-        if self.action == "run_custom_attack_paths_query":
-            self.throttle_scope = "attack-paths-custom-query"
-        return super().get_throttles()
-
    def set_required_permissions(self):
        if self.request.method in SAFE_METHODS:
            self.required_permissions = []
@@ -2576,35 +2570,14 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
            provider_id,
        )

-        start = time.monotonic()
        graph = attack_paths_views_helpers.execute_query(
            database_name,
            query_definition,
            parameters,
            provider_id,
        )
-        query_duration = time.monotonic() - start
        graph_database.clear_cache(database_name)

-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "query_id": query_definition.id,
-                    "provider": query_definition.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
        status_code = status.HTTP_200_OK
        if not graph.get("nodes"):
            status_code = status.HTTP_404_NOT_FOUND
@@ -2645,35 +2618,13 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
        )
        provider_id = str(attack_paths_scan.provider_id)

-        start = time.monotonic()
        graph = attack_paths_views_helpers.execute_custom_query(
            database_name,
            serializer.validated_data["query"],
            provider_id,
        )
-        query_duration = time.monotonic() - start
        graph_database.clear_cache(database_name)

-        query_length = len(serializer.validated_data["query"])
-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_custom_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "provider": attack_paths_scan.provider.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "query_length": query_length,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
        status_code = status.HTTP_200_OK
        if not graph.get("nodes"):
            status_code = status.HTTP_404_NOT_FOUND
@@ -2,7 +2,6 @@ import json
 import logging
 from enum import StrEnum

-
 from config.env import env
 from django_guid.log_filters import CorrelationId

@@ -63,8 +62,6 @@ class NDJSONFormatter(logging.Formatter):
            log_record["duration"] = record.duration
        if hasattr(record, "status_code"):
            log_record["status_code"] = record.status_code
-        if hasattr(record, "metadata"):
-            log_record["metadata"] = record.metadata

        if record.exc_info:
            log_record["exc_info"] = self.formatException(record.exc_info)
@@ -110,8 +107,6 @@ class HumanReadableFormatter(logging.Formatter):
            log_components.append(f"done in {record.duration}s:")
        if hasattr(record, "status_code"):
            log_components.append(f"{record.status_code}")
-        if hasattr(record, "metadata"):
-            log_components.append(f"metadata={record.metadata}")

        if record.exc_info:
            log_components.append(self.formatException(record.exc_info))
@@ -113,11 +113,8 @@ REST_FRAMEWORK = {
        "rest_framework.throttling.ScopedRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
-        "dj_rest_auth": None,
        "token-obtain": env("DJANGO_THROTTLE_TOKEN_OBTAIN", default=None),
-        "attack-paths-custom-query": env(
-            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
-        ),
+        "dj_rest_auth": None,
    },
 }

@@ -543,12 +543,6 @@ def providers_fixture(tenants_fixture):
        alias="openstack_testing",
        tenant_id=tenant.id,
    )
-    provider12 = Provider.objects.create(
-        provider="googleworkspace",
-        uid="C12345678",
-        alias="googleworkspace_testing",
-        tenant_id=tenant.id,
-    )

    return (
        provider1,
@@ -562,7 +556,6 @@ def providers_fixture(tenants_fixture):
        provider9,
        provider10,
        provider11,
-        provider12,
    )


@@ -43,7 +43,6 @@ def start_aws_ingestion(
        "aws_guardduty_severity_threshold": cartography_config.aws_guardduty_severity_threshold,
        "aws_cloudtrail_management_events_lookback_hours": cartography_config.aws_cloudtrail_management_events_lookback_hours,
        "experimental_aws_inspector_batch": cartography_config.experimental_aws_inspector_batch,
-        "aws_tagging_api_cleanup_batch": cartography_config.aws_tagging_api_cleanup_batch,
    }

    boto3_session = get_boto3_session(prowler_api_provider, prowler_sdk_provider)
@@ -117,30 +116,6 @@ def start_aws_ingestion(
        neo4j_session,
        common_job_parameters,
    )
-
-    if all(
-        s in requested_syncs
-        for s in ["ecs", "ec2:load_balancer_v2", "ec2:load_balancer_v2:expose"]
-    ):
-        logger.info(
-            f"Syncing lb_container_exposure scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_container_exposure.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
-    if all(s in requested_syncs for s in ["ec2:network_acls", "ec2:load_balancer_v2"]):
-        logger.info(
-            f"Syncing lb_nacl_direct scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_nacl_direct.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 91)

    logger.info(f"Syncing metadata for AWS account {prowler_api_provider.uid}")
@@ -264,9 +239,8 @@ def sync_aws_account(
                failed_syncs[func_name] = exception_message

                logger.warning(
-                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}: {e}. "
-                    "Continuing to the next AWS sync function.",
-                    exc_info=True,
+                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}. We "
+                    "are continuing on to the next AWS sync function.",
                )

                continue
@@ -1,58 +1,3 @@
-"""
-Attack Paths scan orchestrator.
-
-Runs the full scan lifecycle for a single provider, called from a Celery task.
-The idea is simple: ingest everything into a throwaway Neo4j database, enrich
-it with Prowler-specific data, then swap it into the tenant's long-lived
-database so queries never see a half-built graph.
-
-Two databases are involved:
- Temporary (db-tmp-scan-<attack_paths_scan_id>): short-lived, single-provider, dropped after sync.
- Tenant (db-tenant-<tenant_uuid>): long-lived, multi-provider, what the API queries against.
-
-Pipeline steps:
-
-1. Resolve the Prowler provider and SDK credentials from the scan ID.
-   Retrieve or create the AttackPathsScan row. Exit early if the provider
-   type has no ingestion function (only AWS is supported today).
-
-2. Create a fresh temporary Neo4j database and set up Cartography indexes
-   plus ProwlerFinding indexes before writing any data.
-
-3. Run the provider-specific Cartography ingestion (e.g. aws.start_aws_ingestion).
-   This iterates over cloud services and writes the standard Cartography nodes
-   (AWSAccount, EC2Instance, IAMRole, etc.) and relationships (RESOURCE,
-   POLICY, STATEMENT, TRUSTS_AWS_PRINCIPAL, ...) into the temp database.
-   Wrapped in call_within_event_loop because some Cartography modules use async.
-
-4. Run Cartography post-processing: ontology for label propagation and
-   analysis for derived relationships.
-
-5. Create an Internet singleton node and add CAN_ACCESS relationships to
-   internet-exposed resources (EC2Instance, LoadBalancer, LoadBalancerV2).
-
-6. Stream Prowler findings from Postgres in batches. Each finding becomes a
-   ProwlerFinding node linked to its cloud-resource node via HAS_FINDING.
-   Before that, an _AWSResource label (provider-specific) is added to all
-   nodes connected to the AWSAccount so finding lookups can use an index.
-   Stale findings from previous scans are cleaned up.
-
-7. Sync the temp database into the tenant database:
-   - Drop the old provider subgraph (matched by _provider_id property).
-     graph_data_ready is set to False for all scans of this provider while
-     the swap happens so the API doesn't serve partial data.
-   - Copy nodes and relationships in batches. Every synced node gets a
-     _ProviderResource label and _provider_id / _provider_element_id
-     properties for multi-provider isolation.
-   - Set graph_data_ready back to True.
-
-8. Drop the temporary database, mark the AttackPathsScan as COMPLETED.
-
-On failure the temp database is dropped, the scan is marked FAILED, and the
-exception propagates to Celery.
-
-"""
-
 import logging
 import time

@@ -267,20 +212,18 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        try:
            graph_database.drop_database(tmp_cartography_config.neo4j_database)

-        except Exception as e:
+        except Exception:
            logger.error(
-                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup: {e}",
-                exc_info=True,
+                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup"
            )

        try:
            db_utils.finish_attack_paths_scan(
                attack_paths_scan, StateChoices.FAILED, ingestion_exceptions
            )
-        except Exception as e:
-            logger.error(
-                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted): {e}",
-                exc_info=True,
+        except Exception:
+            logger.warning(
+                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted)"
            )

        raise
@@ -336,6 +336,7 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
        for req in data.requirements:
            if req.status == StatusChoices.MANUAL:
                continue
+
            m = get_requirement_metadata(req.id, data.attributes_by_requirement_id)
            if m:
                marco = getattr(m, "Marco", "Otros")
@@ -364,12 +365,9 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
                elements.append(Paragraph(f"{categoria_name}", self.styles["h3"]))

                for req in reqs:
-                    if req["status"] == StatusChoices.PASS:
-                        status_indicator = "✓"
-                    elif req["status"] == StatusChoices.MANUAL:
-                        status_indicator = "⊙"
-                    else:
-                        status_indicator = "✗"
+                    status_indicator = (
+                        "✓" if req["status"] == StatusChoices.PASS else "✗"
+                    )
                    nivel_badge = f"[{req['nivel'].upper()}]" if req["nivel"] else ""
                    elements.append(
                        Paragraph(
@@ -843,14 +841,11 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
            elements.append(Spacer(1, 0.15 * inch))

            # Status and Nivel badges row
-            status_text = str(req.status).upper()
-            status_color = (
-                COLOR_HIGH_RISK if req.status == StatusChoices.FAIL else COLOR_GRAY
-            )
+            status_color = COLOR_HIGH_RISK  # FAIL
            nivel_color = nivel_colors.get(nivel, COLOR_GRAY)

            badges_row1 = [
-                ["State:", status_text, "", f"Nivel: {nivel.upper()}"],
+                ["State:", "FAIL", "", f"Nivel: {nivel.upper()}"],
            ]
            badges_table1 = Table(
                badges_row1,
@@ -35,27 +35,19 @@ def _aggregate_requirement_statistics_from_database(
        }
    """
    requirement_statistics_by_check_id = {}
-    # TODO: take into account that now the relation is 1 finding == 1 resource, review this when the logic changes
+
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
        aggregated_statistics_queryset = (
            Finding.all_objects.filter(
-                tenant_id=tenant_id,
-                scan_id=scan_id,
-                muted=False,
-                resources__provider__is_deleted=False,
+                tenant_id=tenant_id, scan_id=scan_id, muted=False
            )
            .values("check_id")
            .annotate(
                total_findings=Count(
                    "id",
-                    distinct=True,
                    filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
                ),
-                passed_findings=Count(
-                    "id",
-                    distinct=True,
-                    filter=Q(status=StatusChoices.PASS),
-                ),
+                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
            )
        )

@@ -29,7 +29,7 @@ from tasks.jobs.threatscore_utils import (
    _load_findings_for_requirement_checks,
 )

-from api.models import Finding, Resource, ResourceFindingMapping, StatusChoices
+from api.models import Finding, StatusChoices
 from prowler.lib.check.models import Severity

 matplotlib.use("Agg")  # Use non-interactive backend for tests
@@ -39,50 +39,43 @@ matplotlib.use("Agg")  # Use non-interactive backend for tests
 class TestAggregateRequirementStatistics:
    """Test suite for _aggregate_requirement_statistics_from_database function."""

-    def _create_finding_with_resource(
-        self, tenant, scan, uid, check_id, status, severity=Severity.high
-    ):
-        """Helper to create a finding linked to a resource (matching scan processing behavior)."""
-        finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            scan=scan,
-            uid=uid,
-            check_id=check_id,
-            status=status,
-            severity=severity,
-            impact=severity,
-            check_metadata={},
-            raw_result={},
-        )
-        resource = Resource.objects.create(
-            tenant_id=tenant.id,
-            provider=scan.provider,
-            uid=f"resource-{uid}",
-            name=f"resource-{uid}",
-            region="us-east-1",
-            service="test",
-            type="test::resource",
-        )
-        ResourceFindingMapping.objects.create(
-            tenant_id=tenant.id,
-            finding=finding,
-            resource=resource,
-        )
-        return finding
-
    def test_aggregates_findings_correctly(self, tenants_fixture, scans_fixture):
        """Verify correct pass/total counts per check are aggregated from database."""
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.PASS,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-3", "check_2", StatusChoices.PASS, Severity.medium
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-3",
+            check_id="check_2",
+            status=StatusChoices.PASS,
+            severity=Severity.medium,
+            impact=Severity.medium,
+            check_metadata={},
+            raw_result={},
        )

        result = _aggregate_requirement_statistics_from_database(
@@ -113,73 +106,17 @@ class TestAggregateRequirementStatistics:
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 0
-        assert result["check_1"]["total"] == 2
-
-    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
-        """Verify multiple findings for same check are correctly aggregated."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        for i in range(5):
-            self._create_finding_with_resource(
-                tenant,
-                scan,
-                f"finding-{i}",
-                "check_1",
-                StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
-            )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 3
-        assert result["check_1"]["total"] == 5
-
-    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
-        """Verify MANUAL status is not counted in total or passed."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.MANUAL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        # MANUAL findings are excluded from the aggregation query
-        # since it only counts PASS and FAIL statuses
-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
-
-    def test_excludes_findings_without_resources(self, tenants_fixture, scans_fixture):
-        """Verify findings without resources are excluded from aggregation."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Finding WITH resource → should be counted
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-
-        # Finding WITHOUT resource → should be EXCLUDED
        Finding.objects.create(
            tenant_id=tenant.id,
            scan=scan,
@@ -196,15 +133,40 @@ class TestAggregateRequirementStatistics:
            str(tenant.id), str(scan.id)
        )

-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
+        assert result["check_1"]["passed"] == 0
+        assert result["check_1"]["total"] == 2

-    def test_multiple_resources_no_double_count(self, tenants_fixture, scans_fixture):
-        """Verify a finding with multiple resources is only counted once."""
+    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
+        """Verify multiple findings for same check are correctly aggregated."""
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        finding = Finding.objects.create(
+        for i in range(5):
+            Finding.objects.create(
+                tenant_id=tenant.id,
+                scan=scan,
+                uid=f"finding-{i}",
+                check_id="check_1",
+                status=StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
+                severity=Severity.high,
+                impact=Severity.high,
+                check_metadata={},
+                raw_result={},
+            )
+
+        result = _aggregate_requirement_statistics_from_database(
+            str(tenant.id), str(scan.id)
+        )
+
+        assert result["check_1"]["passed"] == 3
+        assert result["check_1"]["total"] == 5
+
+    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
+        """Verify MANUAL status is counted in total but not passed."""
+        tenant = tenants_fixture[0]
+        scan = scans_fixture[0]
+
+        Finding.objects.create(
            tenant_id=tenant.id,
            scan=scan,
            uid="finding-1",
@@ -215,27 +177,24 @@ class TestAggregateRequirementStatistics:
            check_metadata={},
            raw_result={},
        )
-        # Link two resources to the same finding
-        for i in range(2):
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"resource-{i}",
-                name=f"resource-{i}",
-                region="us-east-1",
-                service="test",
-                type="test::resource",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id,
-                finding=finding,
-                resource=resource,
-            )
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.MANUAL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
+        )

        result = _aggregate_requirement_statistics_from_database(
            str(tenant.id), str(scan.id)
        )

+        # MANUAL findings are excluded from the aggregation query
+        # since it only counts PASS and FAIL statuses
        assert result["check_1"]["passed"] == 1
        assert result["check_1"]["total"] == 1

@@ -1 +0,0 @@
-charts/
@@ -13,8 +13,6 @@ keywords:
  - gcp
  - kubernetes
 maintainers:
-  - name: Dani
-    email: andre.gomes@promptlyhealth.com
  - name: Mihai
    email: mihai.legat@gmail.com
 dependencies:
@@ -558,9 +558,9 @@ neo4j:
  # Neo4j Configuration (yaml format)
  config:
    dbms_security_procedures_allowlist: "apoc.*"
-    dbms_security_procedures_unrestricted: ""
+    dbms_security_procedures_unrestricted: "apoc.*"

  apoc_config:
-    apoc.export.file.enabled: "false"
-    apoc.import.file.enabled: "false"
+    apoc.export.file.enabled: "true"
+    apoc.import.file.enabled: "true"
    apoc.import.file.use_neo4j_config: "true"
@@ -21,7 +21,7 @@ print(
    f"{Fore.GREEN}Loading all CSV files from the folder {folder_path_overview} ...\n{Style.RESET_ALL}"
 )
 cli.show_server_banner = lambda *x: click.echo(
-    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler Cloud{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler CLI{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
+    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler SaaS{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler Open Source{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
 )

 # Initialize the app - incorporate css
@@ -211,7 +211,7 @@ Also is important to keep all code examples as short as possible, including the
 | email-security          | Ensures detection and protection against phishing, spam, spoofing, etc.                                                                                                                            |
 | forensics-ready         | Ensures systems are instrumented to support post-incident investigations. Any digital trace or evidence (logs, volume snapshots, memory dumps, network captures, etc.) preserved immutably and accompanied by integrity guarantees, which can be used in a forensic analysis |
 | software-supply-chain   | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain                                                                                               |
-| e3                      | M365 and Azure Entra checks enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
-| e5                      | M365 and Azure Entra checks enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
+| e3                      | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
+| e5                      | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
 | privilege-escalation    | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
-| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
+| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
@@ -315,7 +315,6 @@ The type of resource being audited. This field helps categorize and organize fin
 - **Kubernetes**: Use types shown under `KIND` from `kubectl api-resources`.
 - **Oracle Cloud Infrastructure**: Use types from [Oracle Cloud Infrastructure documentation](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Search/Tasks/queryingresources_topic-Listing_Supported_Resource_Types.htm).
 - **OpenStack**: Use types from [OpenStack Heat resource types](https://docs.openstack.org/heat/latest/template_guide/openstack.html).
- **Alibaba Cloud**: Use types from [Alibaba Cloud ROS resource types](https://www.alibabacloud.com/help/en/ros/developer-reference/list-of-resource-types-by-service).
 - **Any other provider**: Use `NotDefined` due to lack of standardized resource types in their SDK or documentation.

 #### ResourceGroup
@@ -3406,40 +3406,6 @@ Use existing providers as templates, this will help you to understand better the

    - **Use Rules**: Use rules to ensure the code generated by AI is following the way of working in Prowler.

---
-
-## OCSF Field Requirements for Prowler Cloud Integration
-
-When implementing a new provider that supports the `--push-to-cloud` feature, specific OCSF fields must be correctly populated to ensure proper findings ingestion into Prowler Cloud.
-
-### Required OCSF Fields
-
-The following fields in the OCSF output are critical for successful ingestion:
-
-| Field | Requirement | Description |
-|-------|-------------|-------------|
-| `provider_uid` | Must match the UID used when registering the provider in the API | This identifier links findings to the correct provider in Prowler Cloud |
-| `provider` | Must be the provider name | The name of the provider (e.g., `aws`, `azure`, `gcp`, `googleworkspace`) |
-| `finding_info.uid` | Must be unique | Each finding must have a unique identifier to avoid duplicates |
-| `resources.uid` | Must have a value | The resource UID cannot be empty; it identifies the specific resource being assessed |
-
-### Implementation Reference
-
-These fields are set in the OCSF output generation. See the [OCSF output implementation](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/outputs/ocsf/ocsf.py) for reference.
-
-### Validation Checklist
-
-Before releasing a new provider with `--push-to-cloud` support:
-
- [ ] Verify `provider_uid` matches the UID used in the API to register the provider
- [ ] Confirm `provider` field contains the correct provider name
- [ ] Ensure all `finding_info.uid` values are unique across findings
- [ ] Validate that `resources.uid` is populated for every finding
-
-<Tip>
-  Use `python scripts/validate_ocsf_output.py output/*.ocsf.json` to automate these checks.
-</Tip>
-
 ## Checklist for New Providers

 ### CLI Integration Only
@@ -1,315 +0,0 @@
---
-title: 'Test Impact Analysis'
---
-
-Test impact analysis (TIA) determines which tests to run based on the files changed in a pull request. Instead of running the full test suite on every pull request, TIA maps changed files to the specific Prowler SDK, API, and end-to-end (E2E) tests that cover them. This approach reduces continuous integration (CI) time and resource usage while maintaining confidence that relevant code paths are tested.
-
-## Architecture
-
-### Components
-
-| Component | Path | Role |
-|-----------|------|------|
-| Configuration | `.github/test-impact.yml` | Defines ignored, critical, and module path mappings |
-| Analysis engine | `.github/scripts/test-impact.py` | Python script that evaluates changed files against the configuration |
-| Reusable workflow | `.github/workflows/test-impact-analysis.yml` | GitHub Actions reusable workflow that orchestrates the analysis |
-| E2E consumer | `.github/workflows/ui-e2e-tests-v2.yml` | Consumes TIA outputs to run targeted Playwright tests |
-
-### Flow Diagram
-
-```
-PR opened/updated
-       |
-       v
-+-------------------------------+
-| tj-actions/changed-files      |  Gets list of changed files from PR
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| test-impact.py                |
-|                               |
-|  1. Filter ignored paths      |  docs/**, *.md, .gitignore, etc.
-|  2. Check critical paths      |  prowler/lib/**, ui/lib/**, .github/workflows/**
-|  3. Match modules             |  Map remaining files to module definitions
-|  4. Categorize tests          |  Split into sdk-tests, api-tests, ui-e2e
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| GitHub Actions Outputs        |
-|                               |
-|  run-all: true/false          |
-|  sdk-tests: "tests/providers/aws/**"
-|  api-tests: "api/src/backend/api/tests/**"
-|  ui-e2e: "ui/tests/providers/**"
-|  modules: "sdk-aws,ui-providers"
-|  has-tests: true/false        |
-|  has-sdk-tests: true/false    |
-|  has-api-tests: true/false    |
-|  has-ui-e2e: true/false       |
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| Consumer Workflows            |
-|                               |
-|  ui-e2e-tests-v2.yml:         |
-|    - Path resolution pipeline |
-|    - Playwright execution     |
-+-------------------------------+
-```
-
-## Configuration Reference
-
-The configuration lives in `.github/test-impact.yml` and contains three sections.
-
-### `ignored` — Paths That Never Trigger Tests
-
-Files matching these patterns are filtered out before any analysis takes place. This section is intended for non-code files.
-
-```yaml
-ignored:
-  paths:
-    - docs/**
-    - "*.md"
-    - .gitignore
-    - skills/**
-    - ui/tests/setups/**   # E2E auth setup helpers (not runnable tests)
-```
-
-### `critical` — Paths That Trigger All Tests
-
-If any changed file matches a critical path, the system short-circuits and outputs `run-all: true`. All downstream consumers then run their complete test suites.
-
-```yaml
-critical:
-  paths:
-    - prowler/lib/**           # SDK core
-    - ui/lib/**                # UI shared utilities
-    - ui/playwright.config.ts  # Test infrastructure
-    - .github/workflows/**     # CI changes
-    - .github/test-impact.yml  # This config itself
-```
-
-### `modules` — Path-to-Test Mappings
-
-Each module maps source file patterns to the tests that cover them.
-
-```yaml
- name: ui-providers           # Unique identifier
-  match:                       # Source file glob patterns
-    - ui/components/providers/**
-    - ui/actions/providers/**
-    - ui/app/**/providers/**
-    - ui/tests/providers/**    # Test file changes also trigger themselves
-  tests: []                    # SDK/API unit test patterns (empty for UI modules)
-  e2e:                         # Playwright E2E test patterns
-    - ui/tests/providers/**
-```
-
-#### Module Schema
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `name` | `string` | Unique module identifier (for example, `sdk-aws`, `ui-providers`, `api-views`) |
-| `match` | `list[glob]` | Source file patterns that trigger this module |
-| `tests` | `list[glob]` | Prowler SDK (`tests/`) or API (`api/`) unit test patterns to run |
-| `e2e` | `list[glob]` | UI E2E test patterns (`ui/tests/`) to run |
-
-#### Module Categories
-
- **`sdk-*`:** Provider and lib modules. These only produce `tests` output, not `e2e`.
- **`api-*`:** API views, serializers, filters, and role-based access control (RBAC). These produce `tests` and sometimes `e2e` (API changes can affect UI flows).
- **`ui-*`:** UI feature modules. These only produce `e2e` output, not `tests`.
-
-## Path Resolution Pipeline
-
-The E2E consumer workflow (`.github/workflows/ui-e2e-tests-v2.yml`, lines 202–253) transforms the `ui-e2e` output from glob patterns into paths that Playwright can execute. This transformation follows a multi-step shell pipeline.
-
-### Step 1: Check Run Mode
-
-```bash
-if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
-  pnpm run test:e2e    # Run everything, skip pipeline
-fi
-```
-
-### Step 2: Strip the `ui/` Prefix and `**` Suffix
-
-```bash
-# "ui/tests/providers/**" -> "tests/providers/"
-TEST_PATHS=$(echo "$E2E_TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g')
-```
-
-### Step 3: Filter Out Setup Paths
-
-```bash
-# Remove auth setup helpers (not runnable test suites)
-TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-```
-
-### Step 4: Safety Net for Bare `tests/`
-
-If the pattern `ui/tests/**` was present in the output (from a critical path or a broad module like `ui-shadcn`), it resolves to bare `tests/` after stripping. This would cause Playwright to discover setup files in `tests/setups/`, so it gets expanded instead:
-
-```bash
-if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-  # Expand to specific subdirs, excluding tests/setups/
-  for dir in tests/*/; do
-    [[ "$dir" == "tests/setups/" ]] && continue
-    SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"
-  done
-fi
-```
-
-### Step 5: Empty Directory Check
-
-Directories that do not contain any `.spec.ts` or `.test.ts` files are skipped. This handles forward-looking patterns where a module is configured but tests have not been written yet.
-
-```bash
-if find "$p" -name '*.spec.ts' -o -name '*.test.ts' | head -1 | grep -q .; then
-  VALID_PATHS="${VALID_PATHS}${p}"
-else
-  echo "Skipping empty test directory: $p"
-fi
-```
-
-### Step 6: Execute Playwright
-
-```bash
-pnpm exec playwright test $TEST_PATHS
-# For example: pnpm exec playwright test tests/providers/ tests/scans/
-```
-
-## Playwright Project Mapping
-
-Playwright discovers tests by scanning the directories passed to it. The `playwright.config.ts` file defines projects with `testMatch` patterns that control which spec files each project claims:
-
-```
-tests/providers/providers.spec.ts  -> "providers" project  -> depends on admin.auth.setup
-tests/scans/scans.spec.ts          -> "scans" project      -> depends on admin.auth.setup
-tests/sign-in-base/*.spec.ts       -> "sign-in-base"       -> no auth dependency
-tests/auth/*.spec.ts               -> "auth"               -> no auth dependency
-tests/sign-up/sign-up.spec.ts      -> "sign-up"            -> no auth dependency
-tests/invitations/invitations.spec.ts -> "invitations"      -> depends on admin.auth.setup
-```
-
-Auth setup projects (`admin.auth.setup`, `manage-scans.auth.setup`, and others) create authenticated browser state files. Projects that declare them as `dependencies` wait for the setup to complete before running.
-
-When TIA runs only `tests/providers/`, Playwright still automatically runs `admin.auth.setup` because the `providers` project declares it as a dependency.
-
-## Edge Cases and Known Considerations
-
-### Forward-Looking Patterns (Empty Test Directories)
-
-A module can reference `ui/tests/attack-paths/**` before any tests exist there. The empty directory check (step 5) gracefully skips it instead of failing.
-
-### Broad Patterns and the Safety Net
-
-Modules like `ui-shadcn` and `api-views` list every E2E test suite explicitly to avoid using `ui/tests/**`. If a broad pattern does produce bare `tests/`, the safety net expands it to specific subdirectories, excluding `tests/setups/`.
-
-### Setup Files and Auth Dependencies
-
-`ui/tests/setups/**` is listed in the `ignored` section and also filtered in the path resolution pipeline. This double protection ensures setup files are never passed as test targets to Playwright. Auth setups run only when declared as project dependencies.
-
-### Critical Path Triggering Run-All
-
-Changes to `.github/workflows/**` or `.github/test-impact.yml` trigger `run-all: true`. This means editing any workflow file (even unrelated ones) runs the full test suite. This behavior is intentional — CI infrastructure changes should be validated broadly.
-
-### Unmatched Files
-
-Files that do not match any ignored, critical, or module pattern produce no test output. The `has-tests` flag is set to `false` and consumer workflows skip entirely via the `skip-e2e` job.
-
-## Adding New Test Modules
-
-To add tests for a new UI feature (for example, `dashboards`):
-
-1. **Add the module to `.github/test-impact.yml`:**
-
-```yaml
- name: ui-dashboards
-  match:
-    - ui/components/dashboards/**
-    - ui/actions/dashboards/**
-    - ui/app/**/dashboards/**
-    - ui/tests/dashboards/**
-  tests: []
-  e2e:
-    - ui/tests/dashboards/**
-```
-
-2. **Create the test directory and spec file:**
-
-```
-ui/tests/dashboards/dashboards.spec.ts
-```
-
-3. **Add a Playwright project in `ui/playwright.config.ts`:**
-
-```typescript
-{
-  name: "dashboards",
-  testMatch: "dashboards.spec.ts",
-  dependencies: ["admin.auth.setup"],  // if tests need auth
-},
-```
-
-4. **Register E2E paths in shared UI modules (if applicable):**
-
-   If the feature uses shared UI components, add the E2E path to the `ui-shadcn` module so that changes to shared components also trigger dashboard tests:
-
-```yaml
- name: ui-shadcn
-  match:
-    - ui/components/shadcn/**
-    - ui/components/ui/**
-  e2e:
-    - ui/tests/dashboards/**   # Add here
-    # ... existing paths
-```
-
-5. **Register E2E paths in API modules (if applicable):**
-
-   If API changes affect this feature, add the E2E path to the relevant `api-*` module (for example, `api-views`).
-
-## Troubleshooting
-
-### Tests Not Running When Expected
-
-1. Check whether the changed file matches an `ignored` pattern. The script logs `[IGNORED]` to stderr.
-2. Verify the file matches a module's `match` pattern. To test locally, run:
-   ```bash
-   python .github/scripts/test-impact.py path/to/changed/file.ts
-   ```
-3. Confirm the module has non-empty `e2e` (for E2E) or `tests` (for unit tests).
-4. Check the `has-ui-e2e` output — the consumer workflow gates on this flag.
-
-### Unexpected Auth Setup Errors
-
-Auth setup projects run automatically when a test project declares them as `dependencies`. If auth failures occur:
-
- **Verify secrets:** Confirm that the `E2E_ADMIN_USER` and `E2E_ADMIN_PASSWORD` secrets are set.
- **Check setup file existence:** Ensure the auth setup file exists in `ui/tests/setups/`.
- **Validate test match patterns:** Ensure the `testMatch` pattern in `playwright.config.ts` correctly matches the setup file.
-
-### "No Tests Found" Errors
-
-This typically means the path resolution pipeline produced valid directories but Playwright could not match any spec files to a project:
-
- **Check project configuration:** Verify that `playwright.config.ts` has a project with a `testMatch` pattern for the spec files in that directory.
- **Verify file naming:** Confirm the spec file naming matches the expected pattern (for example, `feature.spec.ts`).
-
-### "No Runnable E2E Test Paths After Filtering Setups"
-
-All resolved paths were under `tests/setups/`. This indicates the module's `e2e` patterns only point to setup files, which is a configuration error. The module should be updated to point to actual test directories.
-
-### Debugging Locally
-
-```bash
-# See what the analysis engine produces for specific files
-python .github/scripts/test-impact.py ui/components/providers/some-file.tsx
-
-# Output goes to stderr (analysis log) and GITHUB_OUTPUT (structured output)
-# Without the GITHUB_OUTPUT env var, results print to stderr only
-```
@@ -131,7 +131,6 @@
                  "user-guide/tutorials/prowler-app-lighthouse-multi-llm"
                ]
              },
-              "user-guide/tutorials/prowler-app-attack-paths",
              "user-guide/tutorials/prowler-cloud-public-ips",
              {
                "group": "Tutorials",
@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 27 tools | Yes |
+| Prowler Cloud/App | 24 tools | Yes |

 ## Tool Naming Convention

@@ -80,14 +80,6 @@ Tools for managing finding muting, including pattern-based bulk muting (mutelist
 - **`prowler_app_update_mute_rule`** - Update a mute rule's name, reason, or enabled status
 - **`prowler_app_delete_mute_rule`** - Delete a mute rule from the system

-### Attack Paths Analysis
-
-Tools for analyzing privilege escalation chains and security misconfigurations using graph-based analysis. Attack Paths maps relationships between cloud resources, permissions, and security findings to detect how privileges can be escalated and how misconfigurations can be exploited.
-
- **`prowler_app_list_attack_paths_scans`** - List Attack Paths scans with filtering by provider, provider type, and scan state (available, scheduled, executing, completed, failed, cancelled)
- **`prowler_app_list_attack_paths_queries`** - Discover available Attack Paths queries for a completed scan, including query names, descriptions, and required parameters
- **`prowler_app_run_attack_paths_query`** - Execute an Attack Paths query against a completed scan and retrieve graph results with nodes (cloud resources, findings, virtual nodes) and relationships (access paths, role assumptions, security group memberships)
-
 ### Compliance Management

 Tools for viewing compliance status and framework details across all cloud providers.
@@ -121,8 +121,8 @@ To update the environment file:
 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.20.0"
-PROWLER_API_VERSION="5.20.0"
+PROWLER_UI_VERSION="5.18.0"
+PROWLER_API_VERSION="5.18.0"
 ```

 <Note>
@@ -24,7 +24,6 @@ Full access to Prowler Cloud platform and self-managed Prowler App for:
 - **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments
 - **Resource Inventory**: Search and view detailed information about your audited resources
 - **Muting Management**: Create and manage muting lists/rules to suppress non-relevant findings
- **Attack Paths Analysis**: Analyze privilege escalation chains and security misconfigurations through graph-based analysis of cloud resource relationships

 ### 2. Prowler Hub

@@ -62,7 +61,6 @@ The Prowler MCP Server enables powerful workflows through AI assistants:
 - "Show me all critical findings from my AWS production accounts"
 - "Register my new AWS account in Prowler and run a scheduled scan every day"
 - "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"
- "Run an attack paths query to find EC2 instances exposed to the Internet with access to sensitive S3 buckets"

 **Security Research**
 - "Explain what the S3 bucket public access Prowler check does"
@@ -14,8 +14,8 @@
  <text x="140" y="107" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">1</text>
  <text x="140" y="145" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Create Management</text>
  <text x="140" y="165" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Account Role</text>
-  <rect x="60" y="185" width="160" height="24" rx="12" fill="#E8F0FE"/>
-  <text x="140" y="201" text-anchor="middle" font-size="11" font-weight="600" fill="#4285F4">Quick Create or Manual</text>
+  <rect x="80" y="185" width="120" height="24" rx="12" fill="#E8F0FE"/>
+  <text x="140" y="201" text-anchor="middle" font-size="11" font-weight="600" fill="#4285F4">Manually in IAM</text>
  <text x="140" y="232" text-anchor="middle" font-size="12" fill="#5f6368">Allows Prowler to</text>
  <text x="140" y="248" text-anchor="middle" font-size="12" fill="#5f6368">discover your org</text>
  <text x="140" y="264" text-anchor="middle" font-size="12" fill="#5f6368">structure</text>
@@ -46,8 +46,8 @@
  <text x="82" y="384" font-size="11" fill="#4285F4" font-weight="600">organizations:ListTagsForResource</text>

  <!-- Deploy badge -->
-  <rect x="115" y="400" width="270" height="28" rx="14" fill="#FFF3E0" stroke="#F9AB00" stroke-width="1.5"/>
-  <text x="250" y="419" text-anchor="middle" font-size="12" font-weight="700" fill="#E65100">Deploy: Quick Create link or Manual</text>
+  <rect x="145" y="400" width="210" height="28" rx="14" fill="#FFF3E0" stroke="#F9AB00" stroke-width="1.5"/>
+  <text x="250" y="419" text-anchor="middle" font-size="12" font-weight="700" fill="#E65100">Deploy: MANUALLY in IAM Console</text>

  <!-- ===== Prowler Cloud connector ===== -->
  <rect x="490" y="195" width="120" height="36" rx="8" fill="#F5F5F5" stroke="#E0E0E0" stroke-width="1"/>
@@ -33,13 +33,12 @@ The supported providers right now are:
 | [Github](/user-guide/providers/github/getting-started-github)                    | Official   | Organizations / Repositories | UI, API, CLI |
 | [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                             | Official   | Tenancies / Compartments     | UI, API, CLI |
 | [Alibaba Cloud](/user-guide/providers/alibabacloud/getting-started-alibabacloud)          | Official   | Accounts                     | UI, API, CLI |
-| [Cloudflare](/user-guide/providers/cloudflare/getting-started-cloudflare)                 | Official   | Accounts                     | UI, API, CLI |
+| [Cloudflare](/user-guide/providers/cloudflare/getting-started-cloudflare)                 | Official   | Accounts                     | CLI          |
 | [Infra as Code](/user-guide/providers/iac/getting-started-iac)                            | Official   | Repositories                 | UI, API, CLI |
 | [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas)           | Official   | Organizations                | UI, API, CLI |
-| [OpenStack](/user-guide/providers/openstack/getting-started-openstack)                     | Official   | Projects                     | UI, API, CLI |
+| [OpenStack](/user-guide/providers/openstack/getting-started-openstack)                     | Official   | Projects                     | CLI          |
 | [LLM](/user-guide/providers/llm/getting-started-llm)                                     | Official   | Models                       | CLI          |
-| [Image](/user-guide/providers/image/getting-started-image)                                | Official   | Container Images             | CLI, API     |
-| [Google Workspace](/user-guide/providers/googleworkspace/getting-started-googleworkspace)  | Official   | Domains                      | CLI          |
+| [Image](/user-guide/providers/image/getting-started-image)                                | Official   | Container Images             | CLI          |
 | **NHN**                                                                                   | Unofficial | Tenants                      | CLI          |

 For more information about the checks and compliance of each provider visit [Prowler Hub](https://hub.prowler.com).
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andoni A.	afeb6a6158	chore: resolve merge conflict in CHANGELOG.md	2026-03-16 17:11:45 +01:00
Andoni A.	5691777fd2	fix(github): use raw_data fallback for org attributes not exposed by PyGithub	2026-03-16 16:43:36 +01:00
Andoni A.	717ec39280	fix(github): resolve flake8 errors and improve check metadata Fix E225 (missing whitespace around =) in provider.py and W292 (missing trailing newline) in check file. Update metadata CheckTitle to describe PASS state and Recommendation URL to point to Prowler Hub.	2026-03-04 12:25:59 +01:00
shria :))	7ac39b1576	Merge branch 'master' into feat/github-organization-repository-deletion-limited	2026-03-02 11:06:33 -06:00
Shria Halkoda	7fd5385d7a	docs: add organization_repository_deletion_limited to CHANGELOG	2026-03-02 11:00:52 -06:00
Shria Halkoda	d62ca3046c	fix(github): restructuring json fields	2026-03-02 11:00:04 -06:00
shria :))	82fefaa31f	Update prowler/providers/github/services/organization/organization_repository_deletion_limited/organization_repository_deletion_limited.py Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>	2026-03-02 10:51:51 -06:00
shria :))	ebfff16684	Update prowler/providers/github/services/organization/organization_repository_deletion_limited/organization_repository_deletion_limited.metadata.json Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>	2026-03-02 10:50:47 -06:00
Shria Halkoda	ae8a407580	test(github): add tests for organization_repository_deletion_limited check Add comprehensive test coverage for repository deletion limitation check: - Test no organizations scenario - Test repository deletion disabled (PASS) - Test repository deletion enabled (FAIL) - Test setting not available (skip) - Test multiple organizations with mixed settings	2026-02-26 20:53:11 -06:00
Shria Halkoda	99234003dc	feat(github): normalize repositories and organizations to lists in provider Handle cases where argparse passes single strings instead of lists for repository and organization flags.	2026-02-26 20:29:41 -06:00
Shria Halkoda	4079c5c3cd	feat(compliance): map organization_repository_deletion_limited to CIS 1.2.3 Add check mapping for CIS GitHub 1.2.3 control to ensure only trusted users can delete repositories.	2026-02-26 20:26:38 -06:00
Shria Halkoda	804528be8f	feat(github): add members_can_delete_repositories to organization service - Add members_can_delete_repositories field to Org model - Extract members_can_delete_repositories setting from GitHub API - Improve organization/repository argument handling in provider - Deduplicate organizations and repositories lists	2026-02-26 20:12:11 -06:00
Shria Halkoda	4128d6ab78	feat(github): add organization_repository_deletion_limited dir and checks	2026-02-26 03:22:47 -06:00