fix(ui): centralize action error messages

test(ui): reuse alert permission copy
fix(ui): show alert permission errors
2026-06-17 13:03:14 +00:00 · 2026-06-17 14:38:41 +02:00 · 2026-06-17 13:32:17 +02:00 · 2026-06-17 13:25:56 +02:00 · 2026-06-17 13:18:39 +02:00 · 2026-06-17 13:02:20 +02:00
1325 changed files with 88499 additions and 48847 deletions
@@ -0,0 +1,17 @@
+{
+  "name": "prowler-plugins",
+  "description": "Prowler Cloud Security for Claude Code",
+  "owner": {
+    "name": "Prowler",
+    "email": "support@prowler.com"
+  },
+  "plugins": [
+    {
+      "name": "prowler",
+      "source": "./claude_plugins/prowler",
+      "description": "Prowler for Claude Code — cloud security and compliance skills powered by the Prowler MCP server. Bundles compliance triage and remediation; more skills coming.",
+      "category": "security",
+      "homepage": "https://prowler.com"
+    }
+  ]
+}
@@ -11,7 +11,14 @@ envs = "wt step copy-ignored"
 [[pre-start]]
 deps = "uv sync"

-# Block 3: reminder - last visible output before `wt switch` returns.
+# Block 3: prepare pnpm via corepack.
+[[pre-start]]
+corepack-enable = "corepack enable"
+
+[[pre-start]]
+corepack-install = "cd ui && corepack install"
+
+# Block 4: reminder - last visible output before `wt switch` returns.
 # Hooks can't mutate the parent shell, so venv activation is manual.
 [[pre-start]]
 reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.27.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.31.0

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -1,5 +1,5 @@
 name: 'OSV-Scanner'
-description: 'Install osv-scanner and scan a lockfile, failing on HIGH/CRITICAL/UNKNOWN severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
+description: 'Install osv-scanner and scan a lockfile, failing on CRITICAL severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
 author: 'Prowler'

 inputs:
@@ -7,9 +7,9 @@ inputs:
    description: 'Path to the lockfile to scan, relative to the repository root (e.g. uv.lock, api/uv.lock, ui/pnpm-lock.yaml).'
    required: true
  severity-levels:
-    description: 'Comma-separated severity levels that fail the scan. Default: HIGH,CRITICAL,UNKNOWN.'
+    description: 'Comma-separated severity levels that fail the scan. Default: CRITICAL.'
    required: false
-    default: 'HIGH,CRITICAL,UNKNOWN'
+    default: 'CRITICAL'
  version:
    description: 'osv-scanner release tag to install. When overriding, you MUST also override binary-sha256.'
    required: false
@@ -43,8 +43,17 @@ runs:
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
+        LATEST_COMMIT=$(curl -sf \
+          -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+          -H "Accept: application/vnd.github+json" \
+          "https://api.github.com/repos/prowler-cloud/prowler/commits/master" \
+          | jq -er '.sha') || {
+          echo "::error::Failed to fetch latest prowler/master commit from the GitHub API (HTTP error or missing .sha). Check the GITHUB_TOKEN and API rate limits."
+          exit 1
+        }
        echo "Latest commit hash: $LATEST_COMMIT"
        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
        echo "Updated uv.lock entry:"
@@ -54,8 +63,17 @@ runs:
      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
+        LATEST_COMMIT=$(curl -sf \
+          -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+          -H "Accept: application/vnd.github+json" \
+          "https://api.github.com/repos/prowler-cloud/prowler/commits/master" \
+          | jq -er '.sha') || {
+          echo "::error::Failed to fetch latest prowler/master commit from the GitHub API (HTTP error or missing .sha). Check the GITHUB_TOKEN and API rate limits."
+          exit 1
+        }
        echo "Latest commit hash: $LATEST_COMMIT"
        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
        echo "Updated uv.lock entry:"
@@ -63,7 +63,7 @@ runs:
        exit-code: '0'
        scanners: 'vuln'
        timeout: '5m'
-        version: 'v0.69.2'
+        version: 'v0.71.0'

    - name: Run Trivy vulnerability scan (SARIF)
      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
@@ -76,7 +76,7 @@ runs:
        exit-code: '0'
        scanners: 'vuln'
        timeout: '5m'
-        version: 'v0.69.2'
+        version: 'v0.71.0'

    - name: Upload Trivy results to GitHub Security tab
      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
@@ -6,17 +6,17 @@
 version: 2
 updates:
  # v5
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pip"
-    cooldown:
-      default-days: 7
+  # - package-ecosystem: "pip"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 25
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "pip"
+  #   cooldown:
+  #     default-days: 7

  # Dependabot Updates are temporary disabled - 2025/03/19
  # - package-ecosystem: "pip"
@@ -66,17 +66,17 @@ updates:
    cooldown:
      default-days: 7

-  - package-ecosystem: "pre-commit"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pre-commit"
-    cooldown:
-      default-days: 7
+  # - package-ecosystem: "pre-commit"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 25
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "pre-commit"
+  #   cooldown:
+  #     default-days: 7

  # Dependabot Updates are temporary disabled - 2025/04/15
  # v4.6
@@ -0,0 +1,140 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:best-practices",
+    ":enablePreCommit",
+    ":semanticCommits",
+    ":enableVulnerabilityAlertsWithLabel(security)",
+    "docker:enableMajor",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "helpers:disableTypesNodeMajor",
+    "security:openssf-scorecard",
+    "customManagers:githubActionsVersions",
+    "customManagers:dockerfileVersions"
+  ],
+  "timezone": "Europe/Madrid",
+  "baseBranchPatterns": [
+    "master"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "dependencyDashboardTitle": "Dependency Dashboard",
+  "prConcurrentLimit": 20,
+  "prHourlyLimit": 10,
+  "vulnerabilityAlerts": {
+    "prHourlyLimit": 0,
+    "prConcurrentLimit": 0
+  },
+  "configMigration": true,
+  "minimumReleaseAge": "7 days",
+  "rangeStrategy": "pin",
+  "packageRules": [
+    {
+      "description": "Patches: 1st of every month, Madrid overnight window (22:00-06:00)",
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "schedule": [
+        "* 22-23,0-5 1 * *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Minors: 8th of every 3 months, Madrid overnight window (22:00-06:00)",
+      "matchUpdateTypes": [
+        "minor"
+      ],
+      "schedule": [
+        "* 22-23,0-5 8 */3 *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Majors: 15th of every 3 months, Madrid overnight window",
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "schedule": [
+        "* 22-23,0-5 15 */3 *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "GitHub Actions - single grouped PR, no changelog, scope=ci",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions",
+      "semanticCommitScope": "ci",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "Docker images - single grouped PR, no changelog, scope=docker",
+      "matchManagers": [
+        "dockerfile",
+        "docker-compose"
+      ],
+      "groupName": "docker",
+      "semanticCommitScope": "docker",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "Pre-commit hooks - single grouped PR, scope=pre-commit",
+      "matchManagers": [
+        "pre-commit"
+      ],
+      "groupName": "pre-commit hooks",
+      "semanticCommitScope": "pre-commit",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "UI - scope=ui",
+      "matchFileNames": [
+        "ui/**"
+      ],
+      "semanticCommitScope": "ui"
+    },
+    {
+      "description": "API - scope=api",
+      "matchFileNames": [
+        "api/**"
+      ],
+      "semanticCommitScope": "api"
+    },
+    {
+      "description": "MCP server - scope=mcp",
+      "matchFileNames": [
+        "mcp_server/**"
+      ],
+      "semanticCommitScope": "mcp"
+    },
+    {
+      "description": "Python SDK (root) - scope=sdk",
+      "matchFileNames": [
+        "pyproject.toml",
+        "poetry.lock",
+        "util/prowler-bulk-provisioning/**"
+      ],
+      "semanticCommitScope": "sdk"
+    },
+    {
+      "description": "UI devDependencies - no changelog",
+      "matchFileNames": [
+        "ui/**"
+      ],
+      "matchDepTypes": [
+        "devDependencies"
+      ],
+      "addLabels": [
+        "no-changelog"
+      ]
+    }
+  ]
+}
@@ -6,8 +6,7 @@
 #   - .github/workflows/api-security.yml, sdk-security.yml, ui-security.yml
 #
 # Severity levels (comma-separated) are read from OSV_SEVERITY_LEVELS.
-# Default: HIGH,CRITICAL,UNKNOWN — preserves prior .safety-policy.yml policy
-#   (ignore-cvss-severity-below: 7 + ignore-cvss-unknown-severity: False).
+# Default: CRITICAL — only CVSS >= 9.0 findings fail the scan.
 # osv-scanner has no native CVSS threshold (google/osv-scanner#1400, closed
 # not-planned). Severity is derived from $group.max_severity (numeric CVSS
 # score string) which osv-scanner emits per group.
@@ -33,7 +32,7 @@ set -euo pipefail

 ROOT="$(git rev-parse --show-toplevel)"
 CONFIG="${ROOT}/osv-scanner.toml"
-SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-HIGH,CRITICAL,UNKNOWN}"
+SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-CRITICAL}"

 for bin in osv-scanner jq; do
  if ! command -v "${bin}" >/dev/null 2>&1; then
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -53,7 +53,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -61,12 +61,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -46,7 +46,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block

@@ -65,7 +65,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -108,7 +108,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -122,6 +122,7 @@ jobs:
            github.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            pypi.org:443
            registry-1.docker.io:443
            release-assets.githubusercontent.com:443
@@ -132,14 +133,18 @@ jobs:
        with:
          persist-credentials: false

-      - name: Pin prowler SDK to latest master commit
-        if: github.event_name == 'push'
+      - name: Refresh prowler SDK pin to current branch tip
        run: |
-          LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
-          sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
+          # api/pyproject.toml has `@master` on master and `@v5.X` on release
+          # branches (set by prepare-release.yml). uv lock --upgrade-package
+          # re-resolves whichever ref is present against the current branch tip
+          # and writes the SHA into api/uv.lock. The Dockerfile runs
+          # `uv sync --locked`, which is what actually drives the install.
+          pip install --no-cache-dir "uv==0.11.14"
+          (cd api && uv lock --upgrade-package prowler)

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -150,7 +155,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -170,7 +175,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -179,8 +184,9 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -230,7 +236,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -277,7 +283,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -12,9 +12,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -36,7 +33,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +47,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/Dockerfile

@@ -72,7 +69,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -83,6 +80,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            debian.map.fastlydns.net:80
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
@@ -103,7 +101,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/**
          files_ignore: |
@@ -118,7 +116,7 @@ jobs:

      - name: Build container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -133,5 +131,5 @@ jobs:
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
-          fail-on-critical: 'false'
+          fail-on-critical: 'true'
          severity: 'CRITICAL'
@@ -16,13 +16,6 @@ on:
    branches:
      - "master"
      - "v5.*"
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-tests.yml'
-      - '.github/workflows/api-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -50,7 +43,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -73,7 +66,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -78,7 +78,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -102,7 +102,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -75,7 +75,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -139,6 +139,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -155,7 +166,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for next versions to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -191,7 +202,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -240,6 +251,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -249,7 +271,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for first patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -285,7 +307,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -341,6 +363,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -350,7 +383,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for next patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -51,6 +51,6 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
        with:
          token: ${{ github.token }}
@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          # We can't block as Trufflehog needs to verify secrets against vendors
          egress-policy: audit
@@ -44,6 +44,6 @@ jobs:

      - name: Scan diff for secrets with TruffleHog
        # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags.
-        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
        with:
          extra_args: --results=verified,unknown
@@ -33,7 +33,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -22,7 +22,7 @@ jobs:
      issues: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
      title: ${{ steps.compute-text.outputs.title }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Check workflow file timestamps
@@ -135,12 +135,12 @@ jobs:
      secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Checkout repository
@@ -870,12 +870,12 @@ jobs:
      total_count: ${{ steps.missing_tool.outputs.total_count }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -982,12 +982,12 @@ jobs:
      success: ${{ steps.parse_results.outputs.success }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent artifacts
@@ -1091,12 +1091,12 @@ jobs:
      activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Add eyes reaction for immediate feedback
@@ -1164,12 +1164,12 @@ jobs:
      process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -27,12 +27,12 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Apply labels to PR
-        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
        with:
          sync-labels: true

@@ -46,7 +46,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -0,0 +1,60 @@
+name: 'Docs: Markdown Lint'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  markdown-lint:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: ui/.nvmrc
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
+          run_install: false
+
+      - name: Run markdownlint
+        # Pin must match .pre-commit-config.yaml so prek and CI behave identically.
+        # pnpm dlx doesn't accept --ignore-scripts as a flag; the env var
+        # disables postinstall scripts on transitives the same way.
+        env:
+          pnpm_config_ignore_scripts: 'true'
+        run: pnpm dlx markdownlint-cli@0.45.0 '**/*.md'
@@ -45,7 +45,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block

@@ -64,7 +64,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -106,7 +106,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -114,6 +114,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -125,7 +126,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -136,7 +137,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -164,18 +165,19 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -225,7 +227,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -272,7 +274,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -12,9 +12,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'mcp_server/**'
-      - '.github/workflows/mcp-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -36,7 +33,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +47,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/Dockerfile

@@ -71,7 +68,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -99,7 +96,7 @@ jobs:

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/**
          files_ignore: |
@@ -112,7 +109,7 @@ jobs:

      - name: Build MCP container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -127,5 +124,5 @@ jobs:
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
-          fail-on-critical: 'false'
+          fail-on-critical: 'true'
          severity: 'CRITICAL'
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -113,7 +113,7 @@ jobs:

      - name: Publish prowler-mcp package to PyPI
        if: steps.pypi-check.outputs.skip != 'true'
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
          print-hash: true
@@ -0,0 +1,68 @@
+name: 'MCP: Security'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+    paths:
+      - 'mcp_server/pyproject.toml'
+      - 'mcp_server/uv.lock'
+      - '.github/workflows/mcp-security.yml'
+      - '.github/actions/osv-scanner/**'
+      - '.github/scripts/osv-scan.sh'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  mcp-security-scans:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            objects.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+            api.osv.dev:443
+            api.deps.dev:443
+            osv-vulnerabilities.storage.googleapis.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # zizmor: ignore[artipacked]
+          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+
+      - name: Check for MCP dependency changes
+        id: check-changes
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            mcp_server/pyproject.toml
+            mcp_server/uv.lock
+            .github/workflows/mcp-security.yml
+            .github/actions/osv-scanner/**
+            .github/scripts/osv-scan.sh
+
+      - name: Dependency vulnerability scan with osv-scanner
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/osv-scanner
+        with:
+          lockfile: mcp_server/uv.lock
@@ -48,7 +48,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -61,7 +61,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Build ${{ matrix.component }} container (linux/arm64)
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
@@ -83,7 +83,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -52,7 +52,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            prowler/providers/**/services/**/*.metadata.json
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: '**'

@@ -26,7 +26,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
      pull-requests: write
    steps:
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
      with:
        egress-policy: audit

@@ -338,7 +338,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -0,0 +1,57 @@
+name: 'CI: Renovate Config Validate'
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - '.github/renovate.json'
+      - '.pre-commit-config.yaml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions: {}
+
+env:
+  # renovate: datasource=pypi depName=prek
+  PREK_VERSION: '0.4.0'
+
+jobs:
+  validate:
+    name: Validate Renovate config
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            codeload.github.com:443
+            release-assets.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            registry.npmjs.org:443
+            nodejs.org:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+
+      - name: Install prek
+        run: uv tool install "prek==${PREK_VERSION}"
+
+      - name: Validate Renovate config
+        run: prek run renovate-config-validator --files .github/renovate.json
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,10 +29,11 @@ jobs:
          - '3.10'
          - '3.11'
          - '3.12'
+          - '3.13'

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -48,7 +49,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -60,7 +60,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -98,7 +98,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -141,7 +141,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -149,6 +149,7 @@ jobs:
            public.ecr.aws:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            auth.docker.io:443
            debian.map.fastlydns.net:80
            github.com:443
@@ -167,13 +168,13 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -187,7 +188,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -208,7 +209,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -216,19 +217,20 @@ jobs:
            auth.docker.io:443
            public.ecr.aws:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            api.ecr-public.us-east-1.amazonaws.com:443


      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -265,7 +267,7 @@ jobs:
      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
      - name: Login to DockerHub (toniblyx)
        if: needs.setup.outputs.latest_tag == 'latest'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
@@ -290,7 +292,7 @@ jobs:
      # Re-login as prowlercloud for cleanup of intermediate tags
      - name: Login to DockerHub (prowlercloud)
        if: always()
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -318,7 +320,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -15,12 +15,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'Dockerfile*'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -41,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -55,7 +49,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: Dockerfile

@@ -77,7 +71,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -85,6 +79,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
@@ -108,27 +103,16 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
-          files: ./**
+          files: |
+            prowler/**
+            Dockerfile*
+            pyproject.toml
+            uv.lock
+            .github/workflows/sdk-container-checks.yml
          files_ignore: |
-            .github/**
            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
            **/AGENTS.md

      - name: Set up Docker Buildx
@@ -137,7 +121,7 @@ jobs:

      - name: Build SDK container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: false
@@ -152,5 +136,5 @@ jobs:
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
-          fail-on-critical: 'false'
+          fail-on-critical: 'true'
          severity: 'CRITICAL'
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -66,7 +66,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -85,7 +85,7 @@ jobs:
        run: uv build

      - name: Publish Prowler package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          print-hash: true

@@ -102,7 +102,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -129,6 +129,6 @@ jobs:
        run: uv build

      - name: Publish prowler-cloud package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          print-hash: true
@@ -27,7 +27,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -58,7 +58,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -55,7 +55,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -19,16 +19,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-tests.yml'
-      - '.github/workflows/sdk-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -47,7 +37,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -69,29 +59,20 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
-          files:
-            ./**
+          files: |
+            prowler/**
+            tests/**
+            pyproject.toml
+            uv.lock
+            .github/workflows/sdk-tests.yml
            .github/workflows/sdk-security.yml
+            .github/actions/setup-python-uv/**
+            .github/actions/osv-scanner/**
+            .github/scripts/osv-scan.sh
          files_ignore: |
-            .github/**
            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
            **/AGENTS.md

      - name: Setup Python with uv
@@ -29,10 +29,11 @@ jobs:
          - '3.10'
          - '3.11'
          - '3.12'
+          - '3.13'

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -46,6 +47,7 @@ jobs:
            schema.ocsf.io:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            o26192.ingest.us.sentry.io:443
            management.azure.com:443
@@ -69,7 +71,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -102,7 +104,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/aws/**
@@ -232,7 +234,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/azure/**
@@ -256,7 +258,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/gcp/**
@@ -280,7 +282,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -304,7 +306,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/github/**
@@ -328,7 +330,7 @@ jobs:
      - name: Check if Okta files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-okta
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/okta/**
@@ -352,7 +354,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/nhn/**
@@ -376,7 +378,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/m365/**
@@ -400,7 +402,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/iac/**
@@ -424,7 +426,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -448,7 +450,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -472,7 +474,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/openstack/**
@@ -496,7 +498,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -520,7 +522,7 @@ jobs:
      - name: Check if Vercel files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-vercel
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/vercel/**
@@ -540,11 +542,86 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-vercel
          files: ./vercel_coverage.xml

+      # Scaleway Provider
+      - name: Check if Scaleway files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-scaleway
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/scaleway/**
+            ./tests/**/scaleway/**
+            ./uv.lock
+
+      - name: Run Scaleway tests
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/scaleway --cov-report=xml:scaleway_coverage.xml tests/providers/scaleway
+
+      - name: Upload Scaleway coverage to Codecov
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-scaleway
+          files: ./scaleway_coverage.xml
+
+      # StackIT Provider
+      - name: Check if StackIT files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-stackit
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/stackit/**
+            ./tests/**/stackit/**
+            ./uv.lock
+
+      - name: Run StackIT tests
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/stackit --cov-report=xml:stackit_coverage.xml tests/providers/stackit
+
+      - name: Upload StackIT coverage to Codecov
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-stackit
+          files: ./stackit_coverage.xml
+
+      # External Provider (dynamic loading)
+      - name: Check if External Provider files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-external
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        with:
+          files: |
+            ./prowler/providers/common/**
+            ./prowler/config/**
+            ./prowler/lib/**
+            ./tests/providers/external/**
+            ./uv.lock
+
+      - name: Run External Provider tests
+        if: steps.changed-external.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/common --cov=./prowler/config --cov=./prowler/lib --cov-report=xml:external_coverage.xml tests/providers/external
+
+      - name: Upload External Provider coverage to Codecov
+        if: steps.changed-external.outputs.any_changed == 'true'
+
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-external
+          files: ./external_coverage.xml
+
      # Lib
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/lib/**
@@ -568,7 +645,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/config/**
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -68,7 +68,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6

      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -47,7 +47,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -62,12 +62,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -48,7 +48,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -110,12 +110,13 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            auth.docker.io:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
@@ -129,7 +130,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -140,7 +141,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -163,7 +164,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -172,9 +173,10 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -224,7 +226,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -271,7 +273,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -12,9 +12,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -36,7 +33,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +47,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/Dockerfile

@@ -72,7 +69,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -100,7 +97,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/**
          files_ignore: |
@@ -114,7 +111,7 @@ jobs:

      - name: Build UI container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -132,5 +129,5 @@ jobs:
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
-          fail-on-critical: 'false'
+          fail-on-critical: 'true'
          severity: 'CRITICAL'
@@ -77,6 +77,11 @@ jobs:
      E2E_ALIBABACLOUD_ACCESS_KEY_ID: ${{ secrets.E2E_ALIBABACLOUD_ACCESS_KEY_ID }}
      E2E_ALIBABACLOUD_ACCESS_KEY_SECRET: ${{ secrets.E2E_ALIBABACLOUD_ACCESS_KEY_SECRET }}
      E2E_ALIBABACLOUD_ROLE_ARN: ${{ secrets.E2E_ALIBABACLOUD_ROLE_ARN }}
+      E2E_GOOGLEWORKSPACE_CUSTOMER_ID: ${{ secrets.E2E_GOOGLEWORKSPACE_CUSTOMER_ID }}
+      E2E_GOOGLEWORKSPACE_SERVICE_ACCOUNT_JSON: ${{ secrets.E2E_GOOGLEWORKSPACE_SERVICE_ACCOUNT_JSON }}
+      E2E_GOOGLEWORKSPACE_DELEGATED_USER: ${{ secrets.E2E_GOOGLEWORKSPACE_DELEGATED_USER }}
+      E2E_VERCEL_TEAM_ID: ${{ secrets.E2E_VERCEL_TEAM_ID }}
+      E2E_VERCEL_API_TOKEN: ${{ secrets.E2E_VERCEL_API_TOKEN }}
      # Pass E2E paths from impact analysis
      E2E_TEST_PATHS: ${{ needs.impact-analysis.outputs.ui-e2e }}
      RUN_ALL_TESTS: ${{ needs.impact-analysis.outputs.run-all }}
@@ -85,7 +90,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -134,7 +139,17 @@ jobs:
        # docker-compose.yml references prowlercloud/prowler-api:latest from the registry,
        # which lags behind PR changes; build locally so E2E exercises the API image
        # produced by this PR.
-        run: docker build -t prowlercloud/prowler-api:latest ./api
+        #
+        # The image installs the SDK from git@master (api/uv.lock), so a PR changing BOTH the SDK
+        # and the API would run against the OLD SDK and crash on startup. Overlay the checkout's
+        # SDK source so both run together. New SDK dependencies still need an api/uv.lock bump.
+        run: |
+          docker build -t prowlercloud/prowler-api:pr-base ./api
+          docker build -t prowlercloud/prowler-api:latest -f - prowler <<'DOCKERFILE'
+          FROM prowlercloud/prowler-api:pr-base
+          RUN rm -rf /home/prowler/.venv/lib/python3.12/site-packages/prowler
+          COPY --chown=prowler:prowler . /home/prowler/.venv/lib/python3.12/site-packages/prowler
+          DOCKERFILE

      - name: Start API services
        run: |
@@ -172,7 +187,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: '24.13.0'
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -184,7 +199,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -204,7 +219,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -295,7 +310,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -15,12 +15,6 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'ui/package.json'
-      - 'ui/pnpm-lock.yaml'
-      - '.github/workflows/ui-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -30,7 +24,6 @@ permissions: {}

 jobs:
  ui-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -39,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -59,7 +52,7 @@ jobs:

      - name: Check for UI dependency changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/package.json
@@ -16,7 +16,6 @@ concurrency:

 env:
  UI_WORKING_DIR: ./ui
-  NODE_VERSION: "24.13.0"

 permissions: {}

@@ -32,7 +31,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -54,7 +53,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**
@@ -67,7 +66,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**/*.ts
@@ -83,7 +82,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/lib/**
@@ -93,11 +92,11 @@ jobs:
            ui/vitest.config.ts
            ui/vitest.setup.ts

-      - name: Setup Node.js ${{ env.NODE_VERSION }}
+      - name: Setup Node.js
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: ${{ env.NODE_VERSION }}
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -113,7 +112,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -132,6 +131,10 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        run: pnpm run healthcheck

+      - name: Check product-tour alignment
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: pnpm run tour:check
+
      - name: Run pnpm audit
        if: steps.check-changes.outputs.any_changed == 'true'
        run: pnpm run audit
@@ -162,7 +165,7 @@ jobs:
      - name: Cache Playwright browsers
        if: steps.check-changes.outputs.any_changed == 'true'
        id: playwright-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-chromium-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -60,7 +60,6 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
-.mcp.json

 # AI Coding Assistants - Cursor
 .cursorignore
@@ -0,0 +1,10 @@
+{
+  "extends": "markdownlint/style/prettier",
+  "first-line-h1": false,
+  "no-duplicate-heading": {
+    "siblings_only": true
+  },
+  "no-inline-html": false,
+  "line-length": false,
+  "no-bare-urls": false
+}
@@ -0,0 +1,16 @@
+node_modules/
+ui/node_modules/
+.git/
+.venv/
+**/.venv/
+dist/
+build/
+htmlcov/
+.next/
+ui/.next/
+ui/out/
+contrib/
+
+# Auto-generated content (keepachangelog format legitimately repeats section headings).
+# Revisit with the team — see beads task on markdownlint rule triage.
+**/CHANGELOG.md
@@ -7,6 +7,10 @@
 #   P50 — dependency validation

 default_install_hook_types: [pre-commit]
+# Hooks run on commit only by default;
+# NOTE: default_stages does NOT override a hook's manifest stages, so fixers shipping pre-push in their
+# manifest need an explicit stages: ["pre-commit"] below to stay off push.
+default_stages: [pre-commit]

 repos:
  ## GENERAL (prek built-in — no external repo needed)
@@ -21,13 +25,16 @@ repos:
      - id: check-json
        priority: 10
      - id: end-of-file-fixer
+        stages: ["pre-commit"]
        priority: 0
      - id: trailing-whitespace
+        stages: ["pre-commit"]
        priority: 0
      - id: no-commit-to-branch
        priority: 10
      - id: pretty-format-json
        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+        stages: ["pre-commit"]
        priority: 10

  ## TOML
@@ -49,6 +56,14 @@ repos:
        files: ^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$
        priority: 30

+  ## RENOVATE
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 43.150.0
+    hooks:
+      - id: renovate-config-validator
+        files: ^\.github/renovate\.json$
+        priority: 10
+
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
@@ -74,6 +89,7 @@ repos:
        name: "SDK - isort"
        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
        args: ["--profile", "black"]
+        stages: ["pre-commit"]
        priority: 20

  - repo: https://github.com/psf/black
@@ -125,6 +141,13 @@ repos:
        pass_filenames: false
        priority: 50

+  ## MARKDOWN
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        priority: 30
+
  ## CONTAINERS
  - repo: https://github.com/hadolint/hadolint
    rev: v2.14.0
@@ -0,0 +1,85 @@
+# Trivy ignore file for prowlercloud/prowler SDK container image.
+# Each entry below documents (a) the affected package and why it ships in the
+# image, (b) why the CVE is not exploitable in Prowler's runtime, and (c) the
+# upstream fix status. Entries carry an expiry so they auto-force re-review.
+# Entries are scoped per-package so suppressions cannot drift onto unrelated
+# packages that may be assigned the same CVE in the future.
+#
+# Scanned by: .github/actions/trivy-scan via .github/workflows/sdk-container-checks.yml
+
+# CVE-2026-42496 — perl-archive-tar path traversal via crafted symlinks.
+# CVE-2026-8376  — perl heap buffer overflow when compiling regex.
+# Packages: perl, perl-base, perl-modules-5.36, libperl5.36.
+# Why ignored: perl-base is part of Debian's "Essential: yes" set; it cannot be
+# removed without breaking dpkg. The Prowler SDK does not invoke perl at runtime;
+# neither vulnerable code path (Archive::Tar parsing or regex compilation of
+# attacker-controlled input) is reachable from Prowler. No Debian bookworm fix
+# is available yet.
+CVE-2026-42496 pkg:perl exp:2026-07-15
+CVE-2026-42496 pkg:perl-base exp:2026-07-15
+CVE-2026-42496 pkg:perl-modules-5.36 exp:2026-07-15
+CVE-2026-42496 pkg:libperl5.36 exp:2026-07-15
+CVE-2026-8376 pkg:perl exp:2026-07-15
+CVE-2026-8376 pkg:perl-base exp:2026-07-15
+CVE-2026-8376 pkg:perl-modules-5.36 exp:2026-07-15
+CVE-2026-8376 pkg:libperl5.36 exp:2026-07-15
+
+# CVE-2025-7458 — SQLite integer overflow.
+# Package: libsqlite3-0.
+# Why ignored: transitive dependency of CPython's stdlib sqlite3 module. The
+# Prowler SDK does not open user-supplied SQLite databases; SQLite usage is
+# internal and bounded. No Debian bookworm fix is available.
+CVE-2025-7458 pkg:libsqlite3-0 exp:2026-07-15
+
+# CVE-2026-43185 — Linux kernel ksmbd signedness bug.
+# Package: linux-libc-dev.
+# Why ignored: linux-libc-dev ships kernel headers for build-time compilation,
+# not a running kernel. Containers execute against the host kernel, so these
+# headers are inert at runtime. The upstream fix landed in kernel 7.0-rc2 and
+# has not been backported to Debian's 6.1 LTS line.
+CVE-2026-43185 pkg:linux-libc-dev exp:2026-07-15
+
+# CVE-2023-45853 — zlib MiniZip integer overflow / heap overflow in
+# zipOpenNewFileInZip4_64.
+# Packages: zlib1g, zlib1g-dev.
+# Why ignored: Debian Security Tracker status for bookworm is <ignored>, with
+# the published rationale "contrib/minizip not built and src:zlib not producing
+# binary packages" — i.e. the vulnerable symbol is not present in the libz.so
+# shipped by Debian. Real-not-affected, not unpatched. Upstream fix is in
+# zlib 1.3.1, available in Debian trixie (13); migrating the base image would
+# clear it fully.
+# Ref: https://security-tracker.debian.org/tracker/CVE-2023-45853
+CVE-2023-45853 pkg:zlib1g exp:2026-07-15
+CVE-2023-45853 pkg:zlib1g-dev exp:2026-07-15
+
+# --- API container image (api/Dockerfile) ---
+# The entries below are specific to the Prowler API image, which ships
+# PowerShell and additional build tooling on top of the same bookworm base.
+
+# CVE-2026-7210 — CPython/Expat hash-flooding denial of service in
+# `xml.parsers.expat` and `xml.etree.ElementTree`.
+# Packages: the Debian system Python 3.11 (python3.11*, libpython3.11*).
+# Why ignored: the API runs under the Python 3.12 interpreter shipped in its
+# `.venv`; the system `python3.11` is only present because `python3-dev` is
+# pulled in to compile native extensions (xmlsec, lxml) and is never executed
+# at runtime. The vulnerable path requires parsing attacker-controlled XML with
+# the affected interpreter, which Prowler does not do with the system Python.
+# Full mitigation also needs libexpat >= 2.8.0; no Debian bookworm fix yet.
+CVE-2026-7210 pkg:python3.11 exp:2026-07-15
+CVE-2026-7210 pkg:python3.11-dev exp:2026-07-15
+CVE-2026-7210 pkg:python3.11-minimal exp:2026-07-15
+CVE-2026-7210 pkg:libpython3.11 exp:2026-07-15
+CVE-2026-7210 pkg:libpython3.11-dev exp:2026-07-15
+CVE-2026-7210 pkg:libpython3.11-minimal exp:2026-07-15
+CVE-2026-7210 pkg:libpython3.11-stdlib exp:2026-07-15
+
+# CVE-2026-33278 — Unbound DNSSEC validator use-after-free (DoS, possible RCE).
+# CVE-2026-42960 — Unbound DNS cache poisoning via promiscuous additional records.
+# Package: libunbound8.
+# Why ignored: libunbound8 is a transitive apt dependency of the TLS/networking
+# stack (GnuTLS DANE support); only the shared library ships in the image. Both
+# vulnerabilities require operating a live Unbound recursive DNSSEC validator
+# that processes attacker-influenced DNS responses. Prowler never starts an
+# Unbound resolver, so neither code path is reachable. No Debian bookworm fix yet.
+CVE-2026-33278 pkg:libunbound8 exp:2026-07-15
+CVE-2026-42960 pkg:libunbound8 exp:2026-07-15
@@ -1,2 +1,3 @@
 .envrc
 ui/.env.local
+openspec/
@@ -11,6 +11,7 @@
 Use these skills for detailed patterns on-demand:

 ### Generic Skills (Any Project)
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
@@ -28,6 +29,7 @@ Use these skills for detailed patterns on-demand:
 | `tdd` | Test-Driven Development workflow | [SKILL.md](skills/tdd/SKILL.md) |

 ### Prowler-Specific Skills
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
@@ -49,6 +51,7 @@ Use these skills for detailed patterns on-demand:
 | `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
 | `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
 | `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
+| `prowler-tour` | Keep product-tour definitions aligned with the UI | [SKILL.md](skills/prowler-tour/SKILL.md) |
 | `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
 | `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |

@@ -65,10 +68,12 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Adding new providers | `prowler-provider` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
 | Adding services to existing providers | `prowler-provider` |
+| Adding, updating, or removing a tour definition (*.tour.ts) | `prowler-tour` |
 | After creating/modifying a skill | `skill-sync` |
 | App Router / Server Actions | `nextjs-16` |
 | Auditing check-to-requirement mappings as a cloud auditor | `prowler-compliance` |
 | Building AI chat features | `ai-sdk-5` |
+| Changing button labels or section headings on a tour-covered page | `prowler-tour` |
 | Committing changes | `prowler-commit` |
 | Configuring MCP servers in agentic workflows | `gh-aw` |
 | Create PR that requires changelog entry | `prowler-changelog` |
@@ -87,6 +92,7 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Creating/updating compliance frameworks | `prowler-compliance` |
 | Debug why a GitHub Actions job is failing | `prowler-ci` |
 | Debugging gh-aw compilation errors | `gh-aw` |
+| Editing a UI file containing data-tour-id attributes | `prowler-tour` |
 | Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist) | `prowler-pr` |
 | Fixing bug | `tdd` |
 | Fixing compliance JSON bugs (duplicate IDs, empty Section, stale refs) | `prowler-compliance` |
@@ -103,6 +109,8 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
 | Refactoring code | `tdd` |
 | Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
+| Renaming or removing a data-tour-id attribute value | `prowler-tour` |
+| Restructuring routes or layouts covered by a tour | `prowler-tour` |
 | Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
@@ -1,4 +1,4 @@
-# Do you want to learn on how to...
+# Do you want to learn on how to

 - [Contribute with your code or fixes to Prowler](https://docs.prowler.com/developer-guide/introduction)
 - [Create a new provider](https://docs.prowler.com/developer-guide/provider)
@@ -32,5 +32,6 @@ Provider-specific developer notes:

 Want some swag as appreciation for your contribution?

-# Prowler Developer Guide
-https://goto.prowler.com/devguide
+## Prowler Developer Guide
+
+<https://goto.prowler.com/devguide>
@@ -1,4 +1,4 @@
-FROM python:3.12.11-slim-bookworm@sha256:519591d6871b7bc437060736b9f7456b8731f1499a57e22e6c285135ae657bf7 AS build
+FROM python:3.12.13-slim-bookworm@sha256:76d4b7b6305788c6b4c6a19d6a22a3921bf802e9af4d5e1e5bd771208dba74bf AS build

 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.70.0
+ARG TRIVY_VERSION=0.71.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}

 ARG ZIZMOR_VERSION=1.24.1
@@ -76,11 +76,11 @@ USER prowler
 WORKDIR /home/prowler

 # Copy necessary files
-COPY prowler/  /home/prowler/prowler/
-COPY dashboard/ /home/prowler/dashboard/
-COPY pyproject.toml uv.lock /home/prowler/
-COPY README.md /home/prowler/
-COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py
+COPY --chown=prowler:prowler prowler/  /home/prowler/prowler/
+COPY --chown=prowler:prowler dashboard/ /home/prowler/dashboard/
+COPY --chown=prowler:prowler pyproject.toml uv.lock /home/prowler/
+COPY --chown=prowler:prowler README.md /home/prowler/
+COPY --chown=prowler:prowler prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py

 # Install Python dependencies
 ENV HOME='/home/prowler'
@@ -89,7 +89,7 @@ ENV PATH="${HOME}/.local/bin:${PATH}"
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14

-RUN uv sync --compile-bytecode && \
+RUN uv sync --locked --compile-bytecode && \
    rm -rf ~/.cache/uv

 # Install PowerShell modules
@@ -100,4 +100,4 @@ RUN pip uninstall dash-html-components -y && \
    pip uninstall dash-core-components -y

 USER prowler
-ENTRYPOINT [".venv/bin/prowler"]
+ENTRYPOINT ["/home/prowler/.venv/bin/prowler"]
@@ -1,6 +1,6 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
@@ -22,8 +22,8 @@
  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
-  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img alt="Codecov coverage" src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img alt="Linux Foundation insights health score" src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,7 +36,7 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" alt="Prowler Cloud demo" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
 </p>

 # Description
@@ -122,6 +122,7 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
 | Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
+| StackIT [Contact us](https://prowler.com/contact) | 7 | 2 | 0 | 3 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -146,11 +147,13 @@ Prowler App offers flexible installation methods tailored to various environment

 ### Docker Compose

-**Requirements**
+#### Requirements

-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands**
+#### Commands
+
+_macOS/Linux:_

 ``` console
 VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
@@ -160,6 +163,16 @@ curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${V
 docker compose up -d
 ```

+_Windows PowerShell:_
+
+``` powershell
+$VERSION = (Invoke-RestMethod -Uri "https://api.github.com/repos/prowler-cloud/prowler/releases/latest").tag_name
+Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/docker-compose.yml" -OutFile "docker-compose.yml"
+# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
+Invoke-WebRequest -Uri "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/$VERSION/.env" -OutFile ".env"
+docker compose up -d
+```
+
 > [!WARNING]
 > 🔒 For a secure setup, the API auto-generates a unique key pair, `DJANGO_TOKEN_SIGNING_KEY` and `DJANGO_TOKEN_VERIFYING_KEY`, and stores it in `~/.config/prowler-api` (non-container) or the bound Docker volume in `_data/api` (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.

@@ -175,14 +188,14 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 ### From GitHub

-**Requirements**
+#### Requirements

-* `git` installed.
-* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `git` installed.
+- `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+- `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands to run the API**
+#### Commands to run the API

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -199,7 +212,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

-**Commands to run the API Worker**
+#### Commands to run the API Worker

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -212,7 +225,7 @@ cd src/backend
 python -m celery -A config.celery worker -l info -E
 ```

-**Commands to run the API Scheduler**
+#### Commands to run the API Scheduler

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -225,7 +238,7 @@ cd src/backend
 python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
 ```

-**Commands to run the UI**
+#### Commands to run the UI

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -237,7 +250,7 @@ pnpm start

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

-**Pre-commit Hooks Setup**
+#### Pre-commit Hooks Setup

 Some pre-commit hooks require tools installed on your system:

@@ -257,14 +270,14 @@ prowler -v

 ### Containers

-**Available Versions of Prowler CLI**
+#### Available Versions of Prowler CLI

 The following versions of Prowler CLI are available, depending on your requirements:

 - `latest`: Synchronizes with the `master` branch. Note that this version is not stable.
 - `v4-latest`: Synchronizes with the `v4` branch. Note that this version is not stable.
 - `v3-latest`: Synchronizes with the `v3` branch. Note that this version is not stable.
- `<x.y.z>` (release): Stable releases corresponding to specific versions. You can find the complete list of releases [here](https://github.com/prowler-cloud/prowler/releases).
+- `<x.y.z>` (release): Stable releases corresponding to specific versions. See the [complete list of Prowler releases](https://github.com/prowler-cloud/prowler/releases).
 - `stable`: Always points to the latest release.
 - `v4-stable`: Always points to the latest release for v4.
 - `v3-stable`: Always points to the latest release for v3.
@@ -293,7 +306,7 @@ python prowler-cli.py -v

 # 🛡️ GitHub Action

-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
+The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.

 ```yaml
 name: Prowler IaC Scan
@@ -338,7 +351,7 @@ Full configuration, per-provider authentication, and SARIF examples: [Prowler Gi

 ## Prowler CLI

-**Running Prowler**
+### Running Prowler

 Prowler can be executed across various environments, offering flexibility to meet your needs. It can be run from:

@@ -22,7 +22,7 @@ inputs:
    required: false
    default: json-ocsf
  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
+    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli
    required: false
    default: "false"
  flags:
@@ -299,7 +299,7 @@ runs:
            echo ""
            echo "**Get started in 3 steps:**"
            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
+            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli))"
            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
            echo ""
            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
@@ -10,7 +10,7 @@
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns

-### Auto-invoke Skills
+## Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -81,7 +81,7 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 ## DECISION TREES

 ### Serializer Selection
-```
+```text
 Read → <Model>Serializer
 Create → <Model>CreateSerializer
 Update → <Model>UpdateSerializer
@@ -89,7 +89,7 @@ Nested read → <Model>IncludeSerializer
 ```

 ### Task vs View
-```
+```text
 < 100ms → View
 > 100ms or external API → Celery task
 Needs retry → Celery task
@@ -105,7 +105,7 @@ Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | Pos

 ## PROJECT STRUCTURE

-```
+```text
 api/src/backend/
 ├── api/                    # Main Django app
 │   ├── v1/                # API version 1 (views, serializers, urls)
@@ -2,6 +2,109 @@

 All notable changes to the **Prowler API** are documented in this file.

+## [1.32.0] (Prowler UNRELEASED)
+
+### 🚀 Added
+
+- Provider group filters for API endpoints that support cloud provider filtering, including exact and `__in` variants [(#11573)](https://github.com/prowler-cloud/prowler/pull/11573)
+- Provider filters for `GET /api/v1/compliance-overviews`, `/metadata`, and `/requirements`, using latest completed scans per matching provider [(#11587)](https://github.com/prowler-cloud/prowler/pull/11587)
+- Server-Sent Events (SSE) infrastructure for the API: a base viewset, a tenant-aware channel manager, and channel-name helpers backed by `django-eventstream` over Valkey Pub/Sub and served through the Gunicorn ASGI worker, so feature endpoints can stream events to clients over a single long-lived connection [(#11556)](https://github.com/prowler-cloud/prowler/pull/11556)
+
+### 🔐 Security
+
+- `aiohttp` to 3.14.0 and `idna` to 3.15, patching known CVEs [(#11596)](https://github.com/prowler-cloud/prowler/pull/11596)
+- Container base image to `python:3.12.13-slim-bookworm` and `trivy` to 0.71.0, patching OS and Go module CVEs [(#11596)](https://github.com/prowler-cloud/prowler/pull/11596)
+- `trivy` binary bumped to 0.71.0 patching embedded `golang.org/x/crypto`, `golang.org/x/net`, and Go `stdlib` CVEs [(#11592)](https://github.com/prowler-cloud/prowler/pull/11592)
+
+---
+
+## [1.31.2] (Prowler v5.30.2)
+
+### 🔄 Changed
+
+- `scan-compliance-overviews` task now streams the findings aggregation and the requirement-row writes so it runs faster and its peak memory no longer grows with the number of regions and frameworks [(#11591)](https://github.com/prowler-cloud/prowler/pull/11591)
+
+---
+
+## [1.31.1] (Prowler v5.30.1)
+
+### 🐞 Fixed
+
+- `compliance-overviews/attributes` now resolves the provider from the scan, so multi-provider universal frameworks (e.g. CSA CCM) return the check IDs of the scan's provider and Azure/GCP requirement details show their findings instead of appearing empty [(#11546)](https://github.com/prowler-cloud/prowler/pull/11546)
+- Attack Paths: `drop_subgraph` now deletes relationships first and then nodes in batches, using less memory on Neo4j when clearing a dense provider graph [(#11557)](https://github.com/prowler-cloud/prowler/pull/11557)
+- OCI scans now use API key credentials with the configured region instead of falling back to `/home/prowler/.oci/config` [(#11558)](https://github.com/prowler-cloud/prowler/pull/11558)
+
+---
+
+## [1.31.0] (Prowler v5.30.0)
+
+### 🚀 Added
+
+- Opt-in automatic recovery of allowlisted idempotent background tasks whose worker died during a deploy or crash: when enabled via `DJANGO_TASK_RECOVERY_ENABLED` (off by default), stuck summary and deletion tasks are detected and re-run instead of staying pending forever (scan and Jira tasks are excluded), with a `reconcile_orphan_tasks` management command for on-demand recovery [(#11416)](https://github.com/prowler-cloud/prowler/pull/11416)
+- DORA compliance framework support [(#11131)](https://github.com/prowler-cloud/prowler/pull/11131)
+- Label Postgres connections with `application_name="<component>:<alias>"` (component injected per process via `DJANGO_APP_COMPONENT`) so connections are attributable by component in `pg_stat_activity` [(#11494)](https://github.com/prowler-cloud/prowler/pull/11494)
+- DISA Okta IDaaS STIG V1R2 compliance framework export support for the Okta provider [(#11428)](https://github.com/prowler-cloud/prowler/pull/11428)
+
+### 🔄 Changed
+
+- Allowlisted idempotent background tasks are no longer lost when a worker is stopped or crashes mid-task; tasks with external side effects are marked terminal instead of blindly re-running [(#11416)](https://github.com/prowler-cloud/prowler/pull/11416)
+- SAML logins no longer wipe a user's roles when the IdP does not send the `userType` attribute; existing roles are kept, and when `userType` names a role that does not exist it is now created with read-only access (visibility over all providers, no management permissions) instead of no permissions at all [(#11520)](https://github.com/prowler-cloud/prowler/pull/11520)
+
+### 🐞 Fixed
+
+- Workers now shut down gracefully on deploy or restart, finishing or re-queueing in-flight tasks instead of being force-killed and leaving them stuck [(#11416)](https://github.com/prowler-cloud/prowler/pull/11416)
+- Resource `name` is now stored and refreshed on every scan, so resources no longer keep an empty name [(#11476)](https://github.com/prowler-cloud/prowler/pull/11476)
+- Compliance catalog now warms in background during startup. `compliance-overviews/attributes` returns `503` while warming, so the first request after a deploy no longer trips the API timeout [(#11530)](https://github.com/prowler-cloud/prowler/pull/11530)
+
+### 🔐 Security
+
+- `dulwich` from 0.23.0 to 1.2.5 and `pyjwt` from 2.12.1 to 2.13.0, patching `GHSA-897w-fcg9-f6xj` (arbitrary file write) and `PYSEC-2026-179` (HMAC/JWK key confusion) [(#11499)](https://github.com/prowler-cloud/prowler/pull/11499)
+
+---
+
+## [1.30.3] (Prowler v5.29.3)
+
+### 🐞 Fixed
+
+- API startup no longer crashes when Neo4j is unreachable, as the Neo4j driver now connects lazily on first use rather than during app initialization [(#11491)](https://github.com/prowler-cloud/prowler/pull/11491)
+
+---
+
+## [1.30.1] (Prowler v5.29.1)
+
+### 🐞 Fixed
+
+- `GET /api/v1/findings` N+1 query loading `resources__tags` when listing findings [(#11420)](https://github.com/prowler-cloud/prowler/pull/11420)
+- Clean up the scan tmp output directory when `scan-report` fails so partial files do not accumulate and fill the worker disk (`No space left on device`) [(#11421)](https://github.com/prowler-cloud/prowler/pull/11421)
+
+---
+
+## [1.30.0] (Prowler v5.29.0)
+
+### 🔄 Changed
+
+- Scan finding ingestion: bulk-resolve `Resource`/`ResourceTag` rows, replace per-mapping `SELECT FOR UPDATE` with deferred `ResourceTagMapping.bulk_create(ignore_conflicts=True)`, wrap each micro-batch in a single `rls_transaction`, and raise `SCAN_DB_BATCH_SIZE` to 1000 [(#11249)](https://github.com/prowler-cloud/prowler/pull/11249)
+- Faster `GET /api/v1/finding-groups/latest` aggregation on tenants where one recent scan holds most findings [(#11380)](https://github.com/prowler-cloud/prowler/pull/11380)
+
+---
+
+## [1.29.1] (Prowler v5.28.1)
+
+### 🐞 Fixed
+
+- `finding-groups` slow response with finding-level filters such as `region`; check title and description are now read from the daily summaries, which drops sorting by `check_title` [(#11326)](https://github.com/prowler-cloud/prowler/pull/11326)
+
+---
+
+## [1.29.0] (Prowler v5.28.0)
+
+### 🚀 Added
+
+- `okta` provider support [(#11184)](https://github.com/prowler-cloud/prowler/pull/11184)
+- `resource.metadata` attribute included in `/api/v1/findings?include=resources` [(#11187)](https://github.com/prowler-cloud/prowler/pull/11187)
+
+---
+
 ## [1.28.0] (Prowler v5.27.0)

 ### 🚀 Added
@@ -20,7 +123,6 @@ All notable changes to the **Prowler API** are documented in this file.
 - `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
 - Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)

-
 ---

 ## [1.27.1] (Prowler v5.26.1)
@@ -1,11 +1,11 @@
-FROM python:3.12.10-slim-bookworm@sha256:fd95fa221297a88e1cf49c55ec1828edd7c5a428187e67b5d1805692d11588db AS build
+FROM python:3.12.13-slim-bookworm@sha256:76d4b7b6305788c6b4c6a19d6a22a3921bf802e9af4d5e1e5bd771208dba74bf AS build

 LABEL maintainer="https://github.com/prowler-cloud/api"

 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.70.0
+ARG TRIVY_VERSION=0.71.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}

 ARG ZIZMOR_VERSION=1.24.1
@@ -89,7 +89,7 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output

-COPY pyproject.toml uv.lock ./
+COPY --chown=prowler:prowler pyproject.toml uv.lock ./

 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14
@@ -97,13 +97,13 @@ RUN pip install --no-cache-dir --upgrade pip && \
 ENV PATH="/home/prowler/.local/bin:$PATH"

 # Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --no-install-project && \
+RUN uv sync --locked --no-install-project && \
    rm -rf ~/.cache/uv

 RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py

-COPY src/backend/ ./backend/
-COPY docker-entrypoint.sh ./docker-entrypoint.sh
+COPY --chown=prowler:prowler src/backend/ ./backend/
+COPY --chown=prowler:prowler docker-entrypoint.sh ./docker-entrypoint.sh

 WORKDIR /home/prowler/backend

@@ -2,7 +2,7 @@

 This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.

-# Components
+## Components
 The Prowler API is composed of the following components:

 - The JSON API, which is an API built with Django Rest Framework.
@@ -10,13 +10,13 @@ The Prowler API is composed of the following components:
 - The PostgreSQL database, which is used to store the data.
 - The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.

-## Note about Valkey
+### Note about Valkey

 [Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.

 Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.

-# Modify environment variables
+## Modify environment variables

 Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.

@@ -24,7 +24,7 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t

 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

-## Local deployment
+### Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:
@@ -34,12 +34,12 @@ set -a
 source .env
 ```

-# 🚀 Production deployment
-## Docker deployment
+## 🚀 Production deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -50,13 +50,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile prod build
 ```

-### Run the production service
+#### Run the production service

 This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -68,7 +68,7 @@ You can access the server in `http://localhost:8080`.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the Production Server Logs
+#### View the Production Server Logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -133,13 +133,13 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.

-# 🧪 Development guide
+## 🧪 Development guide

-## Local deployment
+### Local deployment

 To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -150,7 +150,7 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Start the PostgreSQL Database and Valkey
+#### Start the PostgreSQL Database and Valkey

 The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.

@@ -161,7 +161,7 @@ The PostgreSQL database (version 16.3) and Valkey (version 7) are required for t
 docker compose up postgres valkey -d
 ```

-### Install the Python dependencies
+#### Install the Python dependencies

 > You must have uv installed

@@ -169,7 +169,7 @@ docker compose up postgres valkey -d
 uv sync
 ```

-### Apply migrations
+#### Apply migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -178,7 +178,7 @@ cd src/backend
 python manage.py migrate --database admin
 ```

-### Run the Django development server
+#### Run the Django development server

 ```console
 cd src/backend
@@ -188,7 +188,7 @@ python manage.py runserver
 You can access the server in `http://localhost:8000`.
 All changes in the code will be automatically reloaded in the server.

-### Run the Celery worker
+#### Run the Celery worker

 ```console
 python -m celery -A config.celery worker -l info -E
@@ -196,11 +196,11 @@ python -m celery -A config.celery worker -l info -E

 The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.

-## Docker deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -211,13 +211,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile dev build
 ```

-### Run the development service
+#### Run the development service

 This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -230,7 +230,7 @@ All changes in the code will be automatically reloaded in the server.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the development server logs
+#### View the development server logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -238,7 +238,7 @@ To view the logs for any component (e.g., Django, Celery worker), you can use th
 docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 ```

-## Applying migrations
+### Applying migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -247,7 +247,7 @@ cd src/backend
 uv run python manage.py migrate --database admin
 ```

-## Apply fixtures
+### Apply fixtures

 Fixtures are used to populate the database with initial development data.

@@ -258,7 +258,7 @@ uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`

-## Run tests
+### Run tests

 Note that the tests will fail if you use the same `.env` file as the development environment.

@@ -269,7 +269,7 @@ cd src/backend
 uv run pytest
 ```

-# Custom commands
+## Custom commands

 Django provides a way to create custom commands that can be run from the command line.

@@ -281,7 +281,7 @@ To run a custom command, you need to be in the `prowler/api/src/backend` directo
 uv run python manage.py <command_name>
 ```

-## Generate dummy data
+### Generate dummy data

 ```console
 python manage.py findings --tenant
@@ -298,7 +298,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 >
 > The last step is required to access the findings details, since the UI needs that to print all the information.

-### Example
+#### Example

 ```console
 ~/backend $ uv run python manage.py findings --tenant
@@ -21,13 +21,19 @@ apply_fixtures() {
 }

 start_dev_server() {
-  echo "Starting the development server..."
-  uv run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
+  echo "Starting the development server (Gunicorn ASGI, debug + reload)..."
+  # Same server/worker as prod (config.asgi via the native `asgi` worker), so
+  # SSE streams run on the event loop exactly as they do in production. DEBUG is
+  # on so guniconf's `reload = DEBUG` hot-reloads edited code (and flips
+  # `preload_app` off so reload actually takes).
+  export DJANGO_DEBUG="${DJANGO_DEBUG:-True}"
+  export DJANGO_BIND_ADDRESS="${DJANGO_BIND_ADDRESS:-0.0.0.0}"
+  exec uv run gunicorn -c config/guniconf.py config.asgi:application
 }

 start_prod_server() {
  echo "Starting the Gunicorn server..."
-  uv run gunicorn -c config/guniconf.py config.wsgi:application
+  exec uv run gunicorn -c config/guniconf.py config.asgi:application
 }

 resolve_worker_hostname() {
@@ -47,7 +53,7 @@ resolve_worker_hostname() {

 start_worker() {
  echo "Starting the worker..."
-  uv run python -m celery -A config.celery worker \
+  exec uv run python -m celery -A config.celery worker \
    -n "$(resolve_worker_hostname)" \
    -l "${DJANGO_LOGGING_LEVEL:-info}" \
    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
@@ -56,7 +62,7 @@ start_worker() {

 start_worker_beat() {
  echo "Starting the worker-beat..."
-  uv run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
+  exec uv run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }

 manage_db_partitions() {
@@ -68,6 +74,15 @@ manage_db_partitions() {
  fi
 }

+# Identify this process to Postgres (application_name=<component>:<alias>) so
+# connections are attributable by component in pg_stat_activity. Web tiers
+# report "api"; everything else uses the launch subcommand.
+case "$1" in
+  prod|dev) DJANGO_APP_COMPONENT="api" ;;
+  *)        DJANGO_APP_COMPONENT="$1" ;;
+esac
+export DJANGO_APP_COMPONENT
+
 case "$1" in
  dev)
    apply_migrations
@@ -0,0 +1,105 @@
+# Orphan Celery task recovery
+
+When a worker is terminated mid-task (a deploy, an OOM kill, a node eviction), the
+task it was running can be left non-terminal forever: the `TaskResult` stays
+`STARTED` and nothing re-runs it. This page describes the mechanisms that detect and
+recover allowlisted idempotent orphans so pending-task alerts do not fire. Scan tasks
+are not auto-recovered (re-running a scan is not safe to do automatically); the
+watchdog covers the summary/aggregation and deletion tasks.
+
+## How recovery works
+
+1. **Durable delivery.** The broker is configured so a task message is acknowledged
+   only after the task finishes (`task_acks_late`), one task is reserved at a time
+   (`worker_prefetch_multiplier = 1`), and an abruptly-lost worker re-queues its task
+   (`task_reject_on_worker_lost`). On `SIGTERM` the worker is given a soft-shutdown
+   window (`worker_soft_shutdown_timeout`) to finish or re-queue in-flight work
+   before it is force-killed. `scan-perform`, `scan-perform-scheduled` and
+   `integration-jira` opt out of redelivery with `acks_late=False`, so a crash drops
+   them rather than re-running and duplicating findings or Jira issues. Other
+   non-recovered side-effect tasks keep `acks_late=True`, so the broker can still
+   re-deliver them after a worker loss: the S3 upload rebuilds from worker-local files
+   that did not survive the crash and so no-ops, but Security Hub re-reads findings from
+   the DB and re-sends them to AWS.
+
+2. **Periodic watchdog.** A Beat task, `reconcile-orphan-tasks`, runs every couple of
+   minutes (a `django_celery_beat` periodic task created by migration). For each
+   in-flight task result with an allowlisted idempotent task name, it pings the
+   worker recorded on the task's `TaskResult`:
+   - worker responds -> the task is still running, leave it alone;
+   - worker is gone (and the task started before a short grace window) -> it is a
+     real orphan: the stale task is revoked and marked terminal (clearing the
+     pending/started alert), and the task is re-enqueued from its stored name and
+     kwargs.
+
+   The re-run is safe because only tasks with proven idempotency are allowlisted: the
+   summary/aggregation tasks clear and re-write their own rows, and deletions are
+   idempotent. Scan tasks and external side effects are excluded: re-running a scan is
+   not safe to do automatically, Jira sends would create duplicate issues, the S3
+   upload rebuilds from worker-local files that do not survive a crash, and
+   report/Security Hub recovery is out of scope.
+
+3. **Recovery cap.** A per-task Valkey counter limits how often the same task is
+   re-enqueued. After `--max-attempts` recoveries (default 3) the orphan is marked
+   terminal instead of re-enqueued, so a task that repeatedly kills its worker cannot
+   loop forever.
+
+A Postgres advisory lock ensures that, even with multiple API/worker replicas, only
+one reconciliation runs at a time; the others no-op.
+
+## On-demand command
+
+The same logic is available as a management command, useful right after a deploy or
+for manual intervention:
+
+```bash
+python manage.py reconcile_orphan_tasks            # recover now
+python manage.py reconcile_orphan_tasks --dry-run  # report orphans, change nothing
+python manage.py reconcile_orphan_tasks --grace-minutes 5 --max-attempts 3
+```
+
+## Configuration
+
+All settings have safe defaults; override via environment variables.
+
+| Env var | Default | Purpose |
+| --- | --- | --- |
+| `DJANGO_CELERY_WORKER_PREFETCH_MULTIPLIER` | `1` | Tasks reserved per worker process. |
+| `DJANGO_CELERY_WORKER_SOFT_SHUTDOWN_TIMEOUT` | `60` | Seconds the worker drains/re-queues on `SIGTERM` before force-kill. |
+| `DJANGO_CELERY_TASK_TIME_LIMIT` | `21600` (6h) | Hard limit for most tasks; connection checks are capped at 120s. |
+| `DJANGO_CELERY_TASK_SOFT_TIME_LIMIT` | hard - 600 | Soft limit; raises `SoftTimeLimitExceeded` for cleanup. |
+| `DJANGO_CELERY_LONG_TASK_TIME_LIMIT` | `172800` (48h) | Hard limit for scans and provider/tenant deletions, which can legitimately run for more than a day. |
+| `DJANGO_CELERY_LONG_TASK_SOFT_TIME_LIMIT` | long hard - 600 | Soft limit for the long-running tasks above. |
+| `DJANGO_TASK_RECOVERY_ENABLED` | `false` | Master switch for orphan-task recovery, disabled by default (opt-in); set to `true` to enable. When off, no orphan is detected, marked terminal, or re-enqueued (attack-paths stale cleanup still runs). |
+| `DJANGO_TASK_RECOVERY_SUMMARIES_ENABLED` | `true` | Auto re-enqueue orphaned scan summary/aggregation tasks. |
+| `DJANGO_TASK_RECOVERY_DELETIONS_ENABLED` | `true` | Auto re-enqueue orphaned provider/tenant deletion tasks. |
+
+Recovery is opt-in: with the master flag off (the default) the sweep does nothing.
+Once enabled, the per-group flags default to on, so every group recovers unless you
+turn one off; a task whose group flag is off is marked terminal instead of
+re-enqueued.
+
+Turning recovery off only disables this watchdog sweep; it does not change Celery's
+broker-level redelivery (`task_acks_late`/`task_reject_on_worker_lost`), which still
+re-delivers tasks that keep `acks_late=True` on worker loss, independently of this flag.
+
+`task_acks_late` and `task_reject_on_worker_lost` are enabled in `config/celery.py`.
+
+## Deployment requirement
+
+Two conditions must both hold for the soft shutdown to actually drain work:
+
+1. **The worker must receive `SIGTERM`.** The container entrypoint `exec`s the
+   Celery process so it runs as PID 1; otherwise `SIGTERM` from `docker stop`/ECS
+   hits the entrypoint shell, never reaches Celery, and the worker is hard-killed
+   (SIGKILL) at the grace deadline without draining. Custom entrypoints must
+   preserve the `exec`.
+2. **The orchestrator must give the worker enough time** before force-killing it.
+   Set the stop grace period to exceed `DJANGO_CELERY_WORKER_SOFT_SHUTDOWN_TIMEOUT`
+   plus a margin:
+   - **docker-compose:** `stop_grace_period` on the worker services (set to `120s`).
+   - **AWS ECS:** the worker container `stopTimeout` (configured in the deployment
+     repository).
+
+If either condition is missing, long tasks are still recovered by the watchdog,
+but they are cut mid-run on every deploy instead of draining.
@@ -41,7 +41,9 @@ dependencies = [
  "drf-spectacular==0.27.2",
  "drf-spectacular-jsonapi==0.5.1",
  "defusedxml==0.7.1",
-  "gunicorn==23.0.0",
+  "django-eventstream==5.3.3",
+  "gunicorn==26.0.0",
+  "uvloop==0.22.1",
  "lxml==6.1.0",
  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
@@ -68,7 +70,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.28.0"
+version = "1.32.0"

 [tool.uv]
 # Transitive pins matching master to avoid silent drift; bump deliberately.
@@ -79,7 +81,7 @@ constraint-dependencies = [
  "aiobotocore==2.25.1",
  "aiofiles==24.1.0",
  "aiohappyeyeballs==2.6.1",
-  "aiohttp==3.13.5",
+  "aiohttp==3.14.0",
  "aioitertools==0.13.0",
  "aiosignal==1.4.0",
  "alibabacloud-actiontrail20200706==2.4.1",
@@ -124,9 +126,8 @@ constraint-dependencies = [
  "astroid==3.2.4",
  "async-timeout==5.0.1",
  "attrs==25.4.0",
-  "authlib==1.6.9",
+  "authlib==1.6.12",
  "autopep8==2.3.2",
-  "awsipranges==0.3.3",
  "azure-cli-core==2.83.0",
  "azure-cli-telemetry==1.1.0",
  "azure-common==1.1.28",
@@ -209,6 +210,7 @@ constraint-dependencies = [
  "django-celery-results==2.6.0",
  "django-cors-headers==4.4.0",
  "django-environ==0.11.2",
+  "django-eventstream==5.3.3",
  "django-filter==24.3",
  "django-guid==3.5.0",
  "django-postgres-extra==2.0.9",
@@ -226,7 +228,7 @@ constraint-dependencies = [
  "drf-simple-apikey==2.2.1",
  "drf-spectacular==0.27.2",
  "drf-spectacular-jsonapi==0.5.1",
-  "dulwich==0.23.0",
+  "dulwich==1.2.5",
  "duo-client==5.5.0",
  "durationpy==0.10",
  "email-validator==2.2.0",
@@ -253,7 +255,7 @@ constraint-dependencies = [
  "grpc-google-iam-v1==0.14.3",
  "grpcio==1.76.0",
  "grpcio-status==1.76.0",
-  "gunicorn==23.0.0",
+  "gunicorn==26.0.0",
  "h11==0.16.0",
  "h2==4.3.0",
  "hpack==4.1.0",
@@ -262,8 +264,8 @@ constraint-dependencies = [
  "httpx==0.28.1",
  "humanfriendly==10.0",
  "hyperframe==6.1.0",
-  "iamdata==0.1.202602021",
-  "idna==3.11",
+  "iamdata==0.1.202605131",
+  "idna==3.15",
  "importlib-metadata==8.7.1",
  "inflection==0.5.1",
  "iniconfig==2.3.0",
@@ -315,7 +317,7 @@ constraint-dependencies = [
  "neo4j==6.1.0",
  "nest-asyncio==1.6.0",
  "nltk==3.9.4",
-  "numpy==2.0.2",
+  "numpy==2.2.6",
  "oauthlib==3.3.1",
  "oci==2.169.0",
  "openai==1.109.1",
@@ -344,7 +346,7 @@ constraint-dependencies = [
  "psutil==7.2.2",
  "psycopg2-binary==2.9.9",
  "py-deviceid==0.1.1",
-  "py-iam-expand==0.1.0",
+  "py-iam-expand==0.3.0",
  "py-ocsf-models==0.8.1",
  "pyasn1==0.6.3",
  "pyasn1-modules==0.4.2",
@@ -354,7 +356,7 @@ constraint-dependencies = [
  "pydantic-core==2.41.5",
  "pygithub==2.8.0",
  "pygments==2.20.0",
-  "pyjwt==2.12.1",
+  "pyjwt==2.13.0",
  "pylint==3.2.5",
  "pymsalruntime==0.18.1",
  "pynacl==1.6.2",
@@ -420,6 +422,7 @@ constraint-dependencies = [
  "uritemplate==4.2.0",
  "urllib3==2.7.0",
  "uuid6==2024.7.10",
+  "uvloop==0.22.1",
  "vine==5.1.0",
  "vulture==2.14",
  "wcwidth==0.5.3",
@@ -443,7 +446,17 @@ constraint-dependencies = [
 # The microsoft-kiota-http security bump to 1.9.9 (GHSA-7j59-v9qr-6fq9) requires
 # microsoft-kiota-abstractions>=1.9.9, which a constraint cannot satisfy against the
 # SDK's hard pin; override it to the patched, kiota-aligned version.
+#
+# prowler@master hard-pins dulwich==0.23.0 and pyjwt==2.12.1 in [project.dependencies].
+# dulwich 1.2.5 patches GHSA-897w-fcg9-f6xj (arbitrary file write) and pyjwt 2.13.0
+# patches PYSEC-2026-179 (HMAC/JWK key-confusion); a constraint cannot satisfy these
+# against the SDK's hard pins, so override them to the patched versions until the SDK
+# bump propagates to the pinned master rev. pyjwt keeps the [crypto] extra because an
+# override replaces the whole requirement; bare pyjwt would drop it from the consumers
+# that request pyjwt[crypto] and leave cryptography (needed for RS256) only transitive.
 override-dependencies = [
  "okta==3.4.2",
-  "microsoft-kiota-abstractions==1.9.9"
+  "microsoft-kiota-abstractions==1.9.9",
+  "dulwich==1.2.5",
+  "pyjwt[crypto]==2.13.0"
 ]
@@ -1,12 +1,14 @@
 import logging
 import os
 import sys
+
 from pathlib import Path

+from django.apps import AppConfig
+from django.conf import settings
+
 from config.custom_logging import BackendLogger
 from config.env import env
-from django.apps import AppConfig
-from django.conf import settings

 logger = logging.getLogger(BackendLogger.API)

@@ -30,7 +32,6 @@ class ApiConfig(AppConfig):
    def ready(self):
        from api import schema_extensions  # noqa: F401
        from api import signals  # noqa: F401
-        from api.attack_paths import database as graph_database

        # Generate required cryptographic keys if not present, but only if:
        #   `"manage.py" not in sys.argv[0]`: If an external server (e.g., Gunicorn) is running the app
@@ -41,37 +42,8 @@ class ApiConfig(AppConfig):
        ):
            self._ensure_crypto_keys()

-        # Commands that don't need Neo4j
-        SKIP_NEO4J_DJANGO_COMMANDS = [
-            "makemigrations",
-            "migrate",
-            "pgpartition",
-            "check",
-            "help",
-            "showmigrations",
-            "check_and_fix_socialaccount_sites_migration",
-        ]
-
-        # Skip eager Neo4j init for tests, some Django commands, and Celery (prefork pool: driver must stay lazy, no post_fork hook)
-        if getattr(settings, "TESTING", False) or (
-            len(sys.argv) > 1
-            and (
-                (
-                    "manage.py" in sys.argv[0]
-                    and sys.argv[1] in SKIP_NEO4J_DJANGO_COMMANDS
-                )
-                or "celery" in sys.argv[0]
-            )
-        ):
-            logger.info(
-                "Skipping eager Neo4j init: tests, some Django commands, or Celery prefork pool (driver stays lazy)"
-            )
-
-        else:
-            graph_database.init_driver()
-
-        # Neo4j driver is initialized at API startup (see api.attack_paths.database)
-        # It remains lazy for Celery workers and selected Django commands
+        # Neo4j driver is created lazily on first use (see api.attack_paths.database).
+        # App init never contacts Neo4j, so a Neo4j outage cannot block API startup.

    def _ensure_crypto_keys(self):
        """
@@ -1,22 +1,24 @@
 import atexit
 import logging
 import threading
+
 from contextlib import contextmanager
 from typing import Any, Iterator
 from uuid import UUID

 import neo4j
 import neo4j.exceptions
+
 from config.env import env
 from django.conf import settings
+
+from api.attack_paths.retryable_session import RetryableSession
 from tasks.jobs.attack_paths.config import (
    BATCH_SIZE,
    PROVIDER_RESOURCE_LABEL,
    get_provider_label,
 )

-from api.attack_paths.retryable_session import RetryableSession
-
 # Without this Celery goes crazy with Neo4j logging
 logging.getLogger("neo4j").setLevel(logging.ERROR)
 logging.getLogger("neo4j").propagate = False
@@ -28,6 +30,9 @@ READ_QUERY_TIMEOUT_SECONDS = env.int(
    "ATTACK_PATHS_READ_QUERY_TIMEOUT_SECONDS", default=30
 )
 MAX_CUSTOM_QUERY_NODES = env.int("ATTACK_PATHS_MAX_CUSTOM_QUERY_NODES", default=250)
+# Shorter than CONN_ACQUISITION_TIMEOUT — the driver requires acquisition to be
+# the longer of the two (it may include opening a new connection).
+CONNECTION_TIMEOUT = env.int("NEO4J_CONNECTION_TIMEOUT", default=5)
 CONN_ACQUISITION_TIMEOUT = env.int("NEO4J_CONN_ACQUISITION_TIMEOUT", default=15)
 READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
@@ -58,15 +63,24 @@ def init_driver() -> neo4j.Driver:
            uri = get_uri()
            config = settings.DATABASES["neo4j"]

-            _driver = neo4j.GraphDatabase.driver(
+            driver = neo4j.GraphDatabase.driver(
                uri,
                auth=(config["USER"], config["PASSWORD"]),
                keep_alive=True,
                max_connection_lifetime=7200,
+                connection_timeout=CONNECTION_TIMEOUT,
                connection_acquisition_timeout=CONN_ACQUISITION_TIMEOUT,
                max_connection_pool_size=50,
            )
-            _driver.verify_connectivity()
+            # Publish the singleton only after connectivity is verified so a
+            # failed probe does not leave an unverified driver behind. Close the
+            # driver on failure so a repeatedly-probed outage cannot leak pools.
+            try:
+                driver.verify_connectivity()
+            except Exception:
+                driver.close()
+                raise
+            _driver = driver

            # Register cleanup handler (only runs once since we're inside the _driver is None block)
            atexit.register(close_driver)
@@ -161,7 +175,8 @@ def drop_subgraph(database: str, provider_id: str) -> int:
    """
    Delete all nodes for a provider from the tenant database.

-    Uses batched deletion to avoid memory issues with large graphs.
+    Deletes relationships then nodes in batches (not `DETACH DELETE`) so a dense
+    provider's graph cannot exceed Neo4j's transaction memory limit.
    Silently returns 0 if the database doesn't exist.
    """
    provider_label = get_provider_label(provider_id)
@@ -169,13 +184,28 @@ def drop_subgraph(database: str, provider_id: str) -> int:

    try:
        with get_session(database) as session:
+            # Phase 1: delete relationships incident to provider nodes in batches.
+            deleted_count = 1
+            while deleted_count > 0:
+                result = session.run(
+                    f"""
+                    MATCH (:`{provider_label}`)-[r]-()
+                    WITH DISTINCT r LIMIT $batch_size
+                    DELETE r
+                    RETURN COUNT(r) AS deleted_rels_count
+                    """,
+                    {"batch_size": BATCH_SIZE},
+                )
+                deleted_count = result.single().get("deleted_rels_count", 0)
+
+            # Phase 2: delete the now relationship-free nodes in batches.
            deleted_count = 1
            while deleted_count > 0:
                result = session.run(
                    f"""
                    MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
                    WITH n LIMIT $batch_size
-                    DETACH DELETE n
+                    DELETE n
                    RETURN COUNT(n) AS deleted_nodes_count
                    """,
                    {"batch_size": BATCH_SIZE},
@@ -93,3 +93,30 @@ class CombinedJWTOrAPIKeyAuthentication(BaseAuthentication):

        # Default fallback
        return self.jwt_auth.authenticate(request)
+
+
+class SSEAuthentication(CombinedJWTOrAPIKeyAuthentication):
+    """JWT/API-Key auth that also accepts `?access_token=<jwt>`.
+
+    Browser `EventSource` is the only widely available SSE client API
+    and it cannot set the `Authorization` header (its constructor takes
+    only a URL and `withCredentials`). To keep browser SSE clients on
+    the same auth stack as the rest of the API, SSE endpoints additionally
+    accept a JWT via the `?access_token=<jwt>` query parameter — the
+    standard parameter name defined in RFC 6750 Section 2.3 for bearer tokens.
+    """
+
+    def authenticate(self, request: Request):
+        auth_header = request.headers.get("Authorization", "")
+        if auth_header:
+            return super().authenticate(request)
+
+        raw_token = request.query_params.get("access_token")
+        if not raw_token:
+            # No header and no query token — let the default path raise
+            # the canonical AuthenticationFailed via the parent class.
+            return super().authenticate(request)
+
+        validated_token = self.jwt_auth.get_validated_token(raw_token)
+        user = self.jwt_auth.get_user(validated_token)
+        return user, validated_token
@@ -1,11 +1,26 @@
+import logging
+import threading
 from collections.abc import Iterable, Mapping

 from api.models import Provider
-from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.compliance_models import (
+    get_bulk_compliance_frameworks_universal,
+)
 from prowler.lib.check.models import CheckMetadata

+logger = logging.getLogger(__name__)
+
 AVAILABLE_COMPLIANCE_FRAMEWORKS = {}

+# Per-process readiness flags for the background compliance warm-up.
+# `STARTED` is set as soon as warming begins (only happens under Gunicorn via
+# the post_fork hook); `WARMED` is set when it finishes. The attributes
+# endpoint checks both: it returns 503 only while warming is in progress.
+# Under `runserver` warming never runs, so `STARTED` stays clear and the
+# endpoint keeps lazy-loading as before.
+COMPLIANCE_WARMING_STARTED = threading.Event()
+COMPLIANCE_WARMED = threading.Event()
+

 class LazyComplianceTemplate(Mapping):
    """Lazy-load compliance templates per provider on first access."""
@@ -94,25 +109,22 @@ PROWLER_CHECKS = LazyChecksMapping()


 def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[str]:
-    """List compliance frameworks the API can load for `provider_type`.
+    """List compliance framework identifiers available for `provider_type`.

-    The list is sourced from `Compliance.get_bulk` so that the names
-    returned here are guaranteed to be loadable by the bulk loader. This
-    prevents downstream key mismatches (e.g. CSV report generation iterating
-    framework names and looking them up in the bulk dict).
+    Includes both per-provider frameworks and universal top-level frameworks
+    (e.g. ``dora``, ``csa_ccm_4.0``).

    Args:
-        provider_type (Provider.ProviderChoices): The cloud provider type for which to retrieve
-            available compliance frameworks (e.g., "aws", "azure", "gcp", "m365").
+        provider_type (Provider.ProviderChoices): The cloud provider type
+            (e.g., "aws", "azure", "gcp", "m365").

    Returns:
-        list[str]: A list of framework identifiers (e.g., "cis_1.4_aws", "mitre_attack_azure") available
-        for the given provider.
+        list[str]: Framework identifiers (e.g., "cis_1.4_aws", "dora").
    """
    global AVAILABLE_COMPLIANCE_FRAMEWORKS
    if provider_type not in AVAILABLE_COMPLIANCE_FRAMEWORKS:
        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = list(
-            Compliance.get_bulk(provider_type).keys()
+            get_bulk_compliance_frameworks_universal(provider_type).keys()
        )

    return AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type]
@@ -139,18 +151,14 @@ def get_prowler_provider_compliance(provider_type: Provider.ProviderChoices) ->
    """
    Retrieve the Prowler compliance data for a specified provider type.

-    This function fetches the compliance frameworks and their associated
-    requirements for the given cloud provider.
-
    Args:
        provider_type (Provider.ProviderChoices): The provider type
            (e.g., 'aws', 'azure') for which to retrieve compliance data.

    Returns:
-        dict: A dictionary mapping compliance framework names to their respective
-            Compliance objects for the specified provider.
+        dict: Mapping of framework name to `ComplianceFramework` for the provider.
    """
-    return Compliance.get_bulk(provider_type)
+    return get_bulk_compliance_frameworks_universal(provider_type)


 def _load_provider_assets(provider_type: Provider.ProviderChoices) -> tuple[dict, dict]:
@@ -179,6 +187,56 @@ def _ensure_provider_loaded(provider_type: Provider.ProviderChoices) -> None:
        PROWLER_CHECKS._cache[provider_type] = checks


+def warm_compliance_caches(
+    provider_types: Iterable[str] | None = None,
+) -> list[str]:
+    """
+    Eagerly populate the per-process compliance caches at server startup.
+
+    Moves the cold-cache catalog load off the request thread so the first
+    request does not trip the Gunicorn worker timeout. Reads only on-disk
+    metadata (no database access). Each provider is warmed in isolation;
+    failures are logged and fall back to lazy loading.
+
+    Args:
+        provider_types (Iterable[str] | None): Subset to warm. Defaults to all.
+
+    Returns:
+        list[str]: Provider types that could not be warmed.
+    """
+    if provider_types is None:
+        provider_types = Provider.ProviderChoices.values
+    provider_types = list(provider_types)
+
+    COMPLIANCE_WARMING_STARTED.set()
+    logger.info("Compliance cache warm-up started for providers: %s", provider_types)
+
+    failed = []
+    for provider_type in provider_types:
+        try:
+            get_compliance_frameworks(provider_type)
+            _ensure_provider_loaded(provider_type)
+        # Prowler check loading may sys.exit (SystemExit, not Exception).
+        except (Exception, SystemExit):
+            logger.warning(
+                "Failed to warm compliance caches for provider '%s'; "
+                "loading lazily on first request",
+                provider_type,
+                exc_info=True,
+            )
+            failed.append(provider_type)
+
+    # Mark as warmed even when some providers failed: a failed provider falls
+    # back to a single-provider lazy load, which stays under the worker timeout.
+    COMPLIANCE_WARMED.set()
+    logger.info(
+        "Compliance cache warm-up finished (providers warmed: %d, failed: %s)",
+        len(provider_types) - len(failed),
+        failed,
+    )
+    return failed
+
+
 def load_prowler_checks(
    prowler_compliance, provider_types: Iterable[str] | None = None
 ):
@@ -209,8 +267,8 @@ def load_prowler_checks(
        for compliance_name, compliance_data in prowler_compliance.get(
            provider_type, {}
        ).items():
-            for requirement in compliance_data.Requirements:
-                for check in requirement.Checks:
+            for requirement in compliance_data.requirements:
+                for check in requirement.checks.get(provider_type, []):
                    try:
                        checks[provider_type][check].add(compliance_name)
                    except KeyError:
@@ -290,24 +348,40 @@ def generate_compliance_overview_template(
            requirements_status = {"passed": 0, "failed": 0, "manual": 0}
            total_requirements = 0

-            for requirement in compliance_data.Requirements:
+            for requirement in compliance_data.requirements:
                total_requirements += 1
-                total_checks = len(requirement.Checks)
-                checks_dict = {check: None for check in requirement.Checks}
+                provider_check_list = list(requirement.checks.get(provider_type, []))
+                total_checks = len(provider_check_list)
+                checks_dict = {check: None for check in provider_check_list}

                req_status_val = "MANUAL" if total_checks == 0 else "PASS"

+                # MITRE attrs are wrapped under `_raw_attributes` by the
+                # universal adapter — unwrap so consumers see the flat list.
+                requirement_attributes = requirement.attributes
+                if (
+                    isinstance(requirement_attributes, dict)
+                    and "_raw_attributes" in requirement_attributes
+                ):
+                    attributes_payload = list(requirement_attributes["_raw_attributes"])
+                elif isinstance(requirement_attributes, dict):
+                    attributes_payload = (
+                        [dict(requirement_attributes)] if requirement_attributes else []
+                    )
+                else:
+                    attributes_payload = [
+                        dict(attribute) for attribute in requirement_attributes
+                    ]
+
                # Build requirement dictionary
                requirement_dict = {
-                    "name": requirement.Name or requirement.Id,
-                    "description": requirement.Description,
-                    "tactics": getattr(requirement, "Tactics", []),
-                    "subtechniques": getattr(requirement, "SubTechniques", []),
-                    "platforms": getattr(requirement, "Platforms", []),
-                    "technique_url": getattr(requirement, "TechniqueURL", ""),
-                    "attributes": [
-                        dict(attribute) for attribute in requirement.Attributes
-                    ],
+                    "name": requirement.name or requirement.id,
+                    "description": requirement.description,
+                    "tactics": requirement.tactics or [],
+                    "subtechniques": requirement.sub_techniques or [],
+                    "platforms": requirement.platforms or [],
+                    "technique_url": requirement.technique_url or "",
+                    "attributes": attributes_payload,
                    "checks": checks_dict,
                    "checks_status": {
                        "pass": 0,
@@ -325,15 +399,15 @@ def generate_compliance_overview_template(
                    requirements_status["passed"] += 1

                # Add requirement to compliance requirements
-                compliance_requirements[requirement.Id] = requirement_dict
+                compliance_requirements[requirement.id] = requirement_dict

            # Build compliance dictionary
            compliance_dict = {
-                "framework": compliance_data.Framework,
-                "name": compliance_data.Name,
-                "version": compliance_data.Version,
+                "framework": compliance_data.framework,
+                "name": compliance_data.name,
+                "version": compliance_data.version,
                "provider": provider_type,
-                "description": compliance_data.Description,
+                "description": compliance_data.description,
                "requirements": compliance_requirements,
                "requirements_status": requirements_status,
                "total_requirements": total_requirements,
@@ -187,6 +187,32 @@ class UpstreamServiceUnavailableError(APIException):
        )


+class ComplianceWarmingError(APIException):
+    """Compliance catalog is still warming (503 Service Unavailable).
+
+    Returned by the compliance attributes endpoint while the per-process
+    catalog warm-up is in progress, so the request thread never triggers the
+    slow cold load that would trip the Gunicorn worker timeout.
+    """
+
+    status_code = status.HTTP_503_SERVICE_UNAVAILABLE
+    default_detail = (
+        "Compliance data is still loading. Please try again in a few seconds."
+    )
+    default_code = "compliance_warming"
+
+    def __init__(self, detail=None):
+        super().__init__(
+            detail=[
+                {
+                    "detail": detail or self.default_detail,
+                    "status": str(self.status_code),
+                    "code": self.default_code,
+                }
+            ]
+        )
+
+
 class UpstreamInternalError(APIException):
    """Unexpected error communicating with provider (500 Internal Server Error).

@@ -102,7 +102,7 @@ class BaseProviderFilter(FilterSet):
    """
    Abstract base filter for models with direct FK to Provider.

-    Provides standard provider_id and provider_type filters.
+    Provides standard provider_id, provider_type, and provider_groups filters.
    Subclasses must define Meta.model.
    """

@@ -116,6 +116,16 @@ class BaseProviderFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )

    class Meta:
        abstract = True
@@ -126,7 +136,7 @@ class BaseScanProviderFilter(FilterSet):
    """
    Abstract base filter for models with FK to Scan (and Scan has FK to Provider).

-    Provides standard provider_id and provider_type filters via scan relationship.
+    Provides standard provider_id, provider_type, and provider_groups filters via scan relationship.
    Subclasses must define Meta.model.
    """

@@ -140,6 +150,16 @@ class BaseScanProviderFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_groups = UUIDFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )

    class Meta:
        abstract = True
@@ -160,6 +180,16 @@ class CommonFindingFilters(FilterSet):
    provider_type__in = ChoiceInFilter(
        choices=Provider.ProviderChoices.choices, field_name="scan__provider__provider"
    )
+    provider_groups = UUIDFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    provider_uid = CharFilter(field_name="scan__provider__uid", lookup_expr="exact")
    provider_uid__in = CharInFilter(field_name="scan__provider__uid", lookup_expr="in")
    provider_uid__icontains = CharFilter(
@@ -370,6 +400,12 @@ class ProviderFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_groups = UUIDFilter(
+        field_name="provider_groups__id", lookup_expr="exact", distinct=True
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider_groups__id", lookup_expr="in", distinct=True
+    )

    class Meta:
        model = Provider
@@ -395,6 +431,16 @@ class ProviderRelationshipFilterSet(FilterSet):
    provider_type__in = ChoiceInFilter(
        choices=Provider.ProviderChoices.choices, field_name="provider__provider"
    )
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    provider_uid = CharFilter(field_name="provider__uid", lookup_expr="exact")
    provider_uid__in = CharInFilter(field_name="provider__uid", lookup_expr="in")
    provider_uid__icontains = CharFilter(
@@ -1001,6 +1047,16 @@ class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
        field_name="provider__provider", choices=Provider.ProviderChoices.choices
    )
    provider_type__in = CharInFilter(field_name="provider__provider", lookup_expr="in")
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )

    class Meta:
        model = FindingGroupDailySummary
@@ -1101,6 +1157,16 @@ class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
        field_name="provider__provider", choices=Provider.ProviderChoices.choices
    )
    provider_type__in = CharInFilter(field_name="provider__provider", lookup_expr="in")
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )

    class Meta:
        model = FindingGroupDailySummary
@@ -1280,12 +1346,19 @@ class RoleFilter(FilterSet):
        }


-class ComplianceOverviewFilter(FilterSet):
+class ComplianceOverviewFilter(BaseScanProviderFilter):
+    """
+    Keep provider filters in the schema while runtime filtering resolves scans first.
+
+    Compliance overview provider filters are applied to the latest completed scans
+    in the viewset, then this filterset handles the remaining compliance fields.
+    """
+
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan_id", required=True)
+    scan_id = UUIDFilter(field_name="scan_id")
    region = CharFilter(field_name="region")

-    class Meta:
+    class Meta(BaseScanProviderFilter.Meta):
        model = ComplianceRequirementOverview
        fields = {
            "inserted_at": ["date", "gte", "lte"],
@@ -1306,6 +1379,16 @@ class ScanSummaryFilter(FilterSet):
    provider_type__in = ChoiceInFilter(
        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
    )
+    provider_groups = UUIDFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    region = CharFilter(field_name="region")

    class Meta:
@@ -1329,6 +1412,16 @@ class DailySeveritySummaryFilter(FilterSet):
    provider_type__in = ChoiceInFilter(
        field_name="provider__provider", choices=Provider.ProviderChoices.choices
    )
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    date_from = DateFilter(method="filter_noop")
    date_to = DateFilter(method="filter_noop")

@@ -1585,6 +1678,16 @@ class ThreatScoreSnapshotFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_groups = UUIDFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    compliance_id = CharFilter(field_name="compliance_id", lookup_expr="exact")
    compliance_id__in = CharInFilter(field_name="compliance_id", lookup_expr="in")

@@ -1628,6 +1731,16 @@ class ResourceGroupOverviewFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
+    provider_groups = UUIDFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="exact",
+        distinct=True,
+    )
+    provider_groups__in = UUIDInFilter(
+        field_name="scan__provider__provider_groups__id",
+        lookup_expr="in",
+        distinct=True,
+    )
    resource_group = CharFilter(field_name="resource_group", lookup_expr="exact")
    resource_group__in = CharInFilter(field_name="resource_group", lookup_expr="in")

@@ -0,0 +1,59 @@
+from django.core.management.base import BaseCommand
+
+from tasks.jobs.orphan_recovery import reconcile_orphans
+
+
+class Command(BaseCommand):
+    help = (
+        "Recover orphaned allowlisted Celery tasks whose worker is gone and mark "
+        "other stale task results terminal. Single-flight via a Postgres advisory lock."
+    )
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--grace-minutes",
+            type=int,
+            default=2,
+            help="Skip tasks started within this window (worker may still register).",
+        )
+        parser.add_argument(
+            "--max-attempts",
+            type=int,
+            default=3,
+            help="Give up re-running a task after this many recovery attempts; it is then left terminal instead of re-enqueued.",
+        )
+        parser.add_argument(
+            "--dry-run",
+            action="store_true",
+            help="Detect and report orphans without revoking or re-enqueuing.",
+        )
+
+    def handle(self, *args, **options):
+        result = reconcile_orphans(
+            grace_minutes=options["grace_minutes"],
+            max_attempts=options["max_attempts"],
+            dry_run=options["dry_run"],
+        )
+
+        if not result.get("acquired"):
+            self.stdout.write("Reconcile skipped: another run holds the lock.")
+            return
+
+        if result.get("enabled") is False:
+            message = (
+                "Task recovery is disabled (DJANGO_TASK_RECOVERY_ENABLED is off); "
+                "no orphans were recovered."
+            )
+            if result.get("attack_paths") is not None:
+                message += " Attack-paths stale cleanup still ran."
+            self.stdout.write(message)
+            return
+
+        self.stdout.write(
+            self.style.SUCCESS(
+                "Orphan reconcile complete: "
+                f"recovered={len(result.get('recovered', []))} "
+                f"failed={len(result.get('failed', []))} "
+                f"skipped(in-flight)={len(result.get('skipped', []))}"
+            )
+        )
@@ -0,0 +1,41 @@
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0092_findings_arrays_gin_index_parent"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("mongodbatlas", "MongoDB Atlas"),
+                    ("iac", "IaC"),
+                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                    ("alibabacloud", "Alibaba Cloud"),
+                    ("cloudflare", "Cloudflare"),
+                    ("openstack", "OpenStack"),
+                    ("image", "Image"),
+                    ("googleworkspace", "Google Workspace"),
+                    ("vercel", "Vercel"),
+                    ("okta", "Okta"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'okta';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
@@ -0,0 +1,49 @@
+from django.db import migrations
+
+
+TASK_NAME = "reconcile-orphan-tasks"
+INTERVAL_MINUTES = 2
+
+
+def create_periodic_task(apps, schema_editor):
+    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+
+    schedule, _ = IntervalSchedule.objects.get_or_create(
+        every=INTERVAL_MINUTES,
+        period="minutes",
+    )
+
+    PeriodicTask.objects.update_or_create(
+        name=TASK_NAME,
+        defaults={
+            "task": TASK_NAME,
+            "interval": schedule,
+            "enabled": True,
+        },
+    )
+
+
+def delete_periodic_task(apps, schema_editor):
+    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+
+    PeriodicTask.objects.filter(name=TASK_NAME).delete()
+
+    # Clean up the schedule if no other task references it
+    IntervalSchedule.objects.filter(
+        every=INTERVAL_MINUTES,
+        period="minutes",
+        periodictask__isnull=True,
+    ).delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0093_okta_provider"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_periodic_task, delete_periodic_task),
+    ]
@@ -296,6 +296,7 @@ class Provider(RowLevelSecurityProtectedModel):
        IMAGE = "image", _("Image")
        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
        VERCEL = "vercel", _("Vercel")
+        OKTA = "okta", _("Okta")

    @staticmethod
    def validate_aws_uid(value):
@@ -354,6 +355,26 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

+    @staticmethod
+    def validate_okta_uid(value):
+        if not re.match(
+            r"^[a-z0-9][a-z0-9-]*\.("
+            r"okta\.com|oktapreview\.com|okta-emea\.com|"
+            r"okta-gov\.com|okta\.mil|okta-miltest\.com|trex-govcloud\.com"
+            r")$",
+            value,
+        ):
+            raise ModelValidationError(
+                detail=(
+                    "Okta provider ID must be a valid Okta-managed org domain "
+                    "(e.g., acme.okta.com, also .oktapreview.com / .okta-emea.com "
+                    "/ .okta-gov.com / .okta.mil / .okta-miltest.com / "
+                    ".trex-govcloud.com), without scheme or path."
+                ),
+                code="okta-uid",
+                pointer="/data/attributes/uid",
+            )
+
    @staticmethod
    def validate_kubernetes_uid(value):
        if not re.match(
@@ -480,6 +501,12 @@ class Provider(RowLevelSecurityProtectedModel):

    def clean(self):
        super().clean()
+        if self.provider == self.ProviderChoices.OKTA and self.uid:
+            # Mirror the SDK, which lowercases the org domain before connecting.
+            # Without this the API would reject Acme.okta.com even though the
+            # SDK would accept it, and stored uids could disagree with the
+            # authenticated org domain.
+            self.uid = self.uid.strip().lower()
        getattr(self, f"validate_{self.provider}_uid")(self.uid)

    def save(self, *args, **kwargs):
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.28.0
+  version: 1.32.0
  description: |-
    Prowler API specification.

@@ -373,6 +373,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -389,6 +390,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -412,6 +414,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -430,6 +433,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -1453,6 +1457,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -1469,6 +1474,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -1491,6 +1497,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -1509,6 +1516,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -1997,6 +2005,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2013,6 +2022,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2035,6 +2045,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2053,6 +2064,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -2584,6 +2596,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2600,6 +2613,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2622,6 +2636,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2640,6 +2655,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3134,6 +3150,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3150,6 +3167,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3173,6 +3191,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3191,6 +3210,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3740,6 +3760,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3756,6 +3777,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3779,6 +3801,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3797,6 +3820,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4254,6 +4278,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4270,6 +4295,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4293,6 +4319,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4311,6 +4338,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4766,6 +4794,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4782,6 +4811,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4805,6 +4835,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4823,6 +4854,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -5266,6 +5298,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -5282,6 +5315,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -5305,6 +5339,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -5323,6 +5358,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7156,6 +7192,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7172,6 +7209,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7195,6 +7233,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7213,6 +7252,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7335,6 +7375,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7351,6 +7392,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7374,6 +7416,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7392,6 +7435,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7503,6 +7547,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7519,6 +7564,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7541,6 +7587,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7559,6 +7606,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7702,6 +7750,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7718,6 +7767,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7741,6 +7791,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7759,6 +7810,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7915,6 +7967,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7931,6 +7984,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7954,6 +8008,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7972,6 +8027,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8122,6 +8178,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8138,6 +8195,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8160,6 +8218,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8178,6 +8237,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -8370,6 +8430,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8386,6 +8447,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8409,6 +8471,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8427,6 +8490,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8548,6 +8612,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8564,6 +8629,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8587,6 +8653,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8605,6 +8672,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8750,6 +8818,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8766,6 +8835,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8789,6 +8859,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8807,6 +8878,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9593,6 +9665,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9609,6 +9682,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider__in]
        schema:
@@ -9632,6 +9706,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9650,6 +9725,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9673,6 +9749,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9689,6 +9766,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -9712,6 +9790,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9730,6 +9809,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -10400,6 +10480,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -10416,6 +10497,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -10439,6 +10521,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -10457,6 +10540,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -10951,6 +11035,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -10967,6 +11052,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -10990,6 +11076,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11008,6 +11095,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11315,6 +11403,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11331,6 +11420,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11354,6 +11444,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11372,6 +11463,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11685,6 +11777,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11701,6 +11794,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11724,6 +11818,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11742,6 +11837,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -12580,6 +12676,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -12596,6 +12693,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -12619,6 +12717,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -12637,6 +12736,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -13037,8 +13137,59 @@ paths:
      responses:
        '200':
          description: CSV file containing the compliance report
+        '202':
+          description: The task is in progress
+        '403':
+          description: There is a problem with credentials
        '404':
-          description: Compliance report not found
+          description: Compliance report not found, or the scan has no reports yet
+  /api/v1/scans/{id}/compliance/{name}/ocsf:
+    get:
+      operationId: scans_compliance_ocsf_retrieve
+      description: Download a specific compliance report as an OCSF JSON file. Only
+        universal frameworks that declare an output configuration produce this artifact
+        (currently 'dora' and 'csa_ccm_4.0'); any other framework returns 404.
+      summary: Retrieve compliance report as OCSF JSON
+      parameters:
+      - in: query
+        name: fields[scan-reports]
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - id
+            - name
+        description: endpoint return only specific fields in the response on a per-type
+          basis by including a fields[TYPE] query parameter.
+        explode: false
+      - in: path
+        name: id
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this scan.
+        required: true
+      - in: path
+        name: name
+        schema:
+          type: string
+        description: The compliance report name, like 'dora'
+        required: true
+      tags:
+      - Scan
+      security:
+      - JWT or API Key: []
+      responses:
+        '200':
+          description: OCSF JSON file containing the compliance report
+        '202':
+          description: The task is in progress
+        '403':
+          description: There is a problem with credentials
+        '404':
+          description: Compliance report not found, the framework does not provide
+            an OCSF export, or the scan has no reports yet
  /api/v1/scans/{id}/csa:
    get:
      operationId: scans_csa_retrieve
@@ -20115,6 +20266,23 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
+                  - type: object
+                    title: Okta OAuth Credentials
+                    properties:
+                      okta_client_id:
+                        type: string
+                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                      okta_private_key:
+                        type: string
+                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                      okta_scopes:
+                        type: array
+                        items:
+                          type: string
+                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                    required:
+                      - okta_client_id
+                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -21127,6 +21295,7 @@ components:
              - image
              - googleworkspace
              - vercel
+              - okta
              type: string
              description: |-
                * `aws` - AWS
@@ -21144,6 +21313,7 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
+                * `okta` - Okta
              x-spec-enum-id: 91f917e0c3ab97e8
            uid:
              type: string
@@ -21265,6 +21435,7 @@ components:
              - image
              - googleworkspace
              - vercel
+              - okta
              type: string
              x-spec-enum-id: 91f917e0c3ab97e8
              description: |-
@@ -21285,6 +21456,7 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
+                * `okta` - Okta
            uid:
              type: string
              title: Unique identifier for the provider, set by the provider
@@ -21337,6 +21509,7 @@ components:
                  - image
                  - googleworkspace
                  - vercel
+                  - okta
                  type: string
                  x-spec-enum-id: 91f917e0c3ab97e8
                  description: |-
@@ -21357,6 +21530,7 @@ components:
                    * `image` - Image
                    * `googleworkspace` - Google Workspace
                    * `vercel` - Vercel
+                    * `okta` - Okta
                uid:
                  type: string
                  minLength: 3
@@ -22206,6 +22380,23 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
+              - type: object
+                title: Okta OAuth Credentials
+                properties:
+                  okta_client_id:
+                    type: string
+                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                  okta_private_key:
+                    type: string
+                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                  okta_scopes:
+                    type: array
+                    items:
+                      type: string
+                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                required:
+                  - okta_client_id
+                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -22631,6 +22822,23 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
+                  - type: object
+                    title: Okta OAuth Credentials
+                    properties:
+                      okta_client_id:
+                        type: string
+                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                      okta_private_key:
+                        type: string
+                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                      okta_scopes:
+                        type: array
+                        items:
+                          type: string
+                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                    required:
+                      - okta_client_id
+                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -23066,6 +23274,23 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
+              - type: object
+                title: Okta OAuth Credentials
+                properties:
+                  okta_client_id:
+                    type: string
+                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                  okta_private_key:
+                    type: string
+                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                  okta_scopes:
+                    type: array
+                    items:
+                      type: string
+                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                required:
+                  - okta_client_id
+                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -0,0 +1,13 @@
+"""Platform Server-Sent Events (SSE) infrastructure.
+
+Wires `django-eventstream` into the API: a base viewset features
+subclass to expose an SSE endpoint
+(:class:`api.sse.base_views.BaseSSEViewSet`), the channel manager that
+enforces the tenant gate (:class:`api.sse.channelmanager.SSEChannelManager`),
+and the channel-name helpers (:func:`api.sse.utils.make_channel_name`).
+"""
+
+from api.sse.utils import make_channel_name
+from api.sse.base_views import BaseSSEViewSet
+
+__all__ = ["BaseSSEViewSet", "make_channel_name"]
@@ -0,0 +1,46 @@
+"""Base view class for SSE endpoints."""
+
+from api.authentication import SSEAuthentication
+from api.base_views import BaseRLSViewSet
+from django_eventstream.renderers import SSEEventRenderer
+from django_eventstream.views import events
+
+
+class BaseSSEViewSet(BaseRLSViewSet):
+    """Base class for platform SSE endpoints.
+
+    Subclasses override method `get_channels` to declare the channel
+    names the connection should subscribe to — the same way a regular
+    DRF viewset overrides method `get_queryset`. The channel manager
+    reads the result from `request.sse_channels`; there is no other
+    coupling between platform and feature.
+    """
+
+    authentication_classes = [SSEAuthentication]
+    # Pin the SSE renderer so content negotiation accepts the browser's
+    # `Accept: text/event-stream`.
+    renderer_classes = [SSEEventRenderer]
+
+    def get_channels(self) -> set[str]:
+        """Return the channels this connection subscribes to.
+
+        Implementations MUST raise the relevant DRF exceptions
+        (`NotAuthenticated`, `PermissionDenied`, `NotFound`) when
+        authorization fails. Returning an empty set would surface as
+        django-eventstream's "No channels specified" which masks the
+        real cause.
+        """
+        raise NotImplementedError
+
+    def get_queryset(self):
+        # Most SSE viewsets only need `get_channels` and never call
+        # `get_queryset` (the SSE list path bypasses serialization
+        # entirely). Subclasses that perform their own queryset lookup
+        # inside `get_channels` should override; the default raises
+        # the same error a missing override on a ModelViewSet would.
+        raise NotImplementedError
+
+    def list(self, request, *_args, **kwargs):
+        """Resolve channels under the regular DRF stack and stream."""
+        request.sse_channels = self.get_channels()
+        return events(request, **kwargs)
@@ -0,0 +1,75 @@
+"""Channel manager that wires `django-eventstream` to platform SSE views."""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from uuid import UUID
+
+from django_eventstream.channelmanager import DefaultChannelManager
+from rest_framework.request import Request
+
+from api.sse.utils import tenant_id_from_channel
+
+if TYPE_CHECKING:
+    from api.models import User
+
+
+class SSEChannelManager(DefaultChannelManager):
+    """Connect `django-eventstream` to the platform's SSE viewsets."""
+
+    def get_channels_for_request(self, request: Request, view_kwargs: dict) -> set[str]:  # noqa: vulture
+        """Return the request's channels scoped to the active JWT tenant.
+
+        Args:
+            request: The authenticated DRF request, carrying `tenant_id`
+                (set by `BaseRLSViewSet`) and `sse_channels` (set by
+                `BaseSSEViewSet.list`).
+            view_kwargs: URL keyword arguments from django-eventstream;
+                unused because channels are resolved on the request.
+
+        Returns:
+            The subset of `request.sse_channels` whose embedded tenant
+            matches the active request tenant.
+        """
+        try:
+            request_tenant_id = UUID(str(getattr(request, "tenant_id", None)))
+        except (TypeError, ValueError):
+            return set()
+        return {
+            channel
+            for channel in getattr(request, "sse_channels", set())
+            if tenant_id_from_channel(channel) == request_tenant_id
+        }
+
+    def can_read_channel(self, user: "User | None", channel: str) -> bool:
+        """Re-verify tenant membership once the stream is established.
+
+        Args:
+            user: The connection's authenticated `User`, or `None` for an
+                anonymous connection — django-eventstream passes `None`
+                rather than an `AnonymousUser`.
+            channel: The channel name being read, in the canonical
+                `<prefix>:<tenant_id>:<resource_id>` format.
+
+        Returns:
+            `True` only when `user` is authenticated and a member of the
+            tenant embedded in `channel`; `False` otherwise, including for
+            anonymous connections and malformed channel names.
+        """
+        if user is None or not user.is_authenticated:
+            return False
+        tenant_id = tenant_id_from_channel(channel)
+        if tenant_id is None:
+            return False
+        return user.is_member_of_tenant(tenant_id)
+
+    def is_channel_reliable(self, channel: str) -> bool:
+        """Report whether the channel keeps a server-side replay buffer.
+
+        Args:
+            channel: The channel name being queried.
+
+        Returns:
+            `False`, unconditionally. Replay storage is not configured
+        """
+        return False
@@ -0,0 +1,51 @@
+"""Channel-name convention shared by SSE publishers, consumers, and the
+channel manager. The format is `<prefix>:<tenant_id>:<resource_id>`.
+"""
+
+from __future__ import annotations
+
+import uuid
+
+CHANNEL_SEPARATOR = ":"
+
+
+def make_channel_name(
+    prefix: str,
+    tenant_id: str | uuid.UUID,
+    resource_id: str | uuid.UUID,
+) -> str:
+    """Build the canonical channel name for a resource.
+
+    Args:
+        prefix: Feature-owned prefix (e.g. `"lighthouse-session"`).
+        tenant_id: Tenant the resource belongs to.
+        resource_id: Resource identifier within the tenant.
+
+    Raises:
+        ValueError: If any segment contains `CHANNEL_SEPARATOR`, which
+            would break the `<prefix>:<tenant_id>:<resource_id>` contract
+            and let a crafted name smuggle extra segments past the parser.
+    """
+    segments = (str(prefix), str(tenant_id), str(resource_id))
+    if any(CHANNEL_SEPARATOR in segment for segment in segments):
+        raise ValueError(
+            f"Channel segments must not contain '{CHANNEL_SEPARATOR}': {segments!r}"
+        )
+    return CHANNEL_SEPARATOR.join(segments)
+
+
+def tenant_id_from_channel(channel: str) -> uuid.UUID | None:
+    """Return the tenant UUID embedded in *channel*, or `None` if
+    *channel* does not follow the platform convention.
+
+    A `None` result MUST be treated by callers as "not authorized" or
+    a malformed channel cannot be safely read.
+    """
+    segments = channel.split(CHANNEL_SEPARATOR)
+    if len(segments) != 3:
+        # Reject non-canonical names
+        return None
+    try:
+        return uuid.UUID(segments[1])
+    except ValueError:
+        return None
@@ -182,23 +182,19 @@ def _make_app():
    return ApiConfig("api", api)


-def test_ready_initializes_driver_for_api_process(monkeypatch):
+@pytest.mark.parametrize(
+    "argv",
+    [
+        ["gunicorn"],
+        ["celery", "-A", "api"],
+        ["manage.py", "migrate"],
+    ],
+    ids=["api", "celery", "manage_py"],
+)
+def test_ready_never_eagerly_initializes_neo4j_driver(monkeypatch, argv):
+    """ready() must never contact Neo4j; the driver is created lazily on first use."""
    config = _make_app()
-    _set_argv(monkeypatch, ["gunicorn"])
-    _set_testing(monkeypatch, False)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_called_once()
-
-
-def test_ready_skips_driver_for_celery(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["celery", "-A", "api"])
+    _set_argv(monkeypatch, argv)
    _set_testing(monkeypatch, False)

    with (
@@ -208,31 +204,3 @@ def test_ready_skips_driver_for_celery(monkeypatch):
        config.ready()

    init_driver.assert_not_called()
-
-
-def test_ready_skips_driver_for_manage_py_skip_command(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["manage.py", "migrate"])
-    _set_testing(monkeypatch, False)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_not_called()
-
-
-def test_ready_skips_driver_when_testing(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["gunicorn"])
-    _set_testing(monkeypatch, True)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_not_called()
@@ -1,15 +1,16 @@
 """
 Tests for Neo4j database lazy initialization.

-The Neo4j driver connects on first use by default. API processes may
-eagerly initialize the driver during app startup, while Celery workers
-remain lazy. These tests validate the database module behavior itself.
+The Neo4j driver is created on first use for every process type; app startup
+never contacts Neo4j. These tests validate the database module behavior itself.
 """

 import threading
+
 from unittest.mock import MagicMock, patch

 import neo4j
+import neo4j.exceptions
 import pytest

 import api.attack_paths.database as db_module
@@ -59,6 +60,32 @@ class TestLazyInitialization:
        assert result is mock_driver
        assert db_module._driver is mock_driver

+    @patch("api.attack_paths.database.settings")
+    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
+    def test_init_driver_leaves_driver_none_when_verify_fails(
+        self, mock_driver_factory, mock_settings
+    ):
+        """A failed verify_connectivity() must not publish or leak the driver."""
+        mock_driver = MagicMock()
+        mock_driver.verify_connectivity.side_effect = (
+            neo4j.exceptions.ServiceUnavailable("down")
+        )
+        mock_driver_factory.return_value = mock_driver
+        mock_settings.DATABASES = {
+            "neo4j": {
+                "HOST": "localhost",
+                "PORT": 7687,
+                "USER": "neo4j",
+                "PASSWORD": "password",
+            }
+        }
+
+        with pytest.raises(neo4j.exceptions.ServiceUnavailable):
+            db_module.init_driver()
+
+        assert db_module._driver is None
+        mock_driver.close.assert_called_once()
+
    @patch("api.attack_paths.database.settings")
    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
    def test_init_driver_returns_cached_driver_on_subsequent_calls(
@@ -116,21 +143,23 @@ class TestConnectionAcquisitionTimeout:
    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        original_driver = db_module._driver
-        original_timeout = db_module.CONN_ACQUISITION_TIMEOUT
+        original_acq_timeout = db_module.CONN_ACQUISITION_TIMEOUT
+        original_conn_timeout = db_module.CONNECTION_TIMEOUT

        db_module._driver = None

        yield

        db_module._driver = original_driver
-        db_module.CONN_ACQUISITION_TIMEOUT = original_timeout
+        db_module.CONN_ACQUISITION_TIMEOUT = original_acq_timeout
+        db_module.CONNECTION_TIMEOUT = original_conn_timeout

    @patch("api.attack_paths.database.settings")
    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
    def test_driver_receives_configured_timeout(
        self, mock_driver_factory, mock_settings
    ):
-        """init_driver() should pass CONN_ACQUISITION_TIMEOUT to the neo4j driver."""
+        """init_driver() should pass the configured timeouts to the neo4j driver."""
        mock_driver_factory.return_value = MagicMock()
        mock_settings.DATABASES = {
            "neo4j": {
@@ -141,11 +170,13 @@ class TestConnectionAcquisitionTimeout:
            }
        }
        db_module.CONN_ACQUISITION_TIMEOUT = 42
+        db_module.CONNECTION_TIMEOUT = 7

        db_module.init_driver()

        _, kwargs = mock_driver_factory.call_args
        assert kwargs["connection_acquisition_timeout"] == 42
+        assert kwargs["connection_timeout"] == 7


 class TestAtexitRegistration:
@@ -511,3 +542,84 @@ class TestHasProviderData:
        ):
            with pytest.raises(db_module.GraphDatabaseQueryException):
                db_module.has_provider_data("db-tenant-abc", "provider-123")
+
+
+class TestDropSubgraph:
+    """Test drop_subgraph two-phase batched deletion of a provider's graph."""
+
+    @staticmethod
+    def _result(count):
+        result = MagicMock()
+        result.single.return_value.get.return_value = count
+        return result
+
+    @staticmethod
+    def _session_ctx(session):
+        ctx = MagicMock()
+        ctx.__enter__.return_value = session
+        ctx.__exit__.return_value = False
+        return ctx
+
+    def test_deletes_relationships_then_nodes_in_batches(self):
+        session = MagicMock()
+        # Phase 1 (relationships): one full batch then empty.
+        # Phase 2 (nodes): one full batch then empty.
+        session.run.side_effect = [
+            self._result(1000),
+            self._result(0),
+            self._result(1000),
+            self._result(0),
+        ]
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=self._session_ctx(session),
+        ):
+            deleted = db_module.drop_subgraph("db-tenant-abc", "provider-123")
+
+        # Only phase-2 node counts contribute to the return value.
+        assert deleted == 1000
+        assert session.run.call_count == 4
+
+        queries = [call.args[0] for call in session.run.call_args_list]
+
+        # Regression guard: the memory blow-up was caused by DETACH DELETE.
+        assert all("DETACH DELETE" not in query for query in queries)
+
+        rel_queries = [query for query in queries if "DELETE r" in query]
+        node_queries = [query for query in queries if "DELETE n" in query]
+        assert rel_queries and node_queries
+        # DISTINCT avoids double-counting relationships matched from both ends.
+        assert all("DISTINCT r" in query for query in rel_queries)
+
+        # Relationships must be fully drained before nodes are deleted.
+        first_node = next(i for i, q in enumerate(queries) if "DELETE n" in q)
+        last_rel = max(i for i, q in enumerate(queries) if "DELETE r" in q)
+        assert last_rel < first_node
+
+    def test_returns_zero_when_database_not_found(self):
+        session_ctx = MagicMock()
+        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
+            message="Database does not exist",
+            code="Neo.ClientError.Database.DatabaseNotFound",
+        )
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=session_ctx,
+        ):
+            assert db_module.drop_subgraph("db-tenant-gone", "provider-123") == 0
+
+    def test_raises_on_other_errors(self):
+        session_ctx = MagicMock()
+        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
+            message="Connection refused",
+            code="Neo.TransientError.General.UnknownError",
+        )
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=session_ctx,
+        ):
+            with pytest.raises(db_module.GraphDatabaseQueryException):
+                db_module.drop_subgraph("db-tenant-abc", "provider-123")
@@ -1,13 +1,13 @@
 import time
 from datetime import datetime, timedelta, timezone
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 from uuid import uuid4

 import pytest
 from django.test import RequestFactory
 from rest_framework.exceptions import AuthenticationFailed

-from api.authentication import TenantAPIKeyAuthentication
+from api.authentication import SSEAuthentication, TenantAPIKeyAuthentication
 from api.db_router import MainRouter
 from api.models import TenantAPIKey

@@ -382,3 +382,62 @@ class TestTenantAPIKeyAuthentication:
            auth_backend.authenticate(request)

        assert str(exc_info.value.detail) == "API Key has already expired."
+
+
+class TestSSEAuthentication:
+    """`SSEAuthentication` adds an `?access_token=<jwt>` fallback for
+    browser `EventSource` clients while keeping the standard
+    `Authorization` header as the authoritative source."""
+
+    def test_header_present_delegates_to_super(self):
+        request = MagicMock()
+        request.headers = {"Authorization": "Bearer header-token"}
+        with patch.object(
+            SSEAuthentication.__bases__[0], "authenticate", return_value=("user", "tok")
+        ) as super_auth:
+            result = SSEAuthentication().authenticate(request)
+        super_auth.assert_called_once_with(request)
+        assert result == ("user", "tok")
+
+    def test_no_header_no_query_token_delegates_to_super(self):
+        request = MagicMock()
+        request.headers = {}
+        request.query_params = {}
+        with patch.object(
+            SSEAuthentication.__bases__[0], "authenticate", return_value=None
+        ) as super_auth:
+            result = SSEAuthentication().authenticate(request)
+        super_auth.assert_called_once_with(request)
+        assert result is None
+
+    def test_query_token_used_only_as_fallback(self):
+        request = MagicMock()
+        request.headers = {}
+        request.query_params = {"access_token": "query-jwt"}
+
+        jwt_instance = MagicMock()
+        jwt_instance.get_validated_token.return_value = "validated"
+        jwt_instance.get_user.return_value = "query-user"
+
+        with patch.object(SSEAuthentication, "jwt_auth", jwt_instance):
+            user, token = SSEAuthentication().authenticate(request)
+
+        jwt_instance.get_validated_token.assert_called_once_with("query-jwt")
+        assert user == "query-user"
+        assert token == "validated"
+
+    def test_query_token_invalid_raises_authentication_failed(self):
+        request = MagicMock()
+        request.headers = {}
+        request.query_params = {"access_token": "bad-token"}
+
+        jwt_instance = MagicMock()
+        jwt_instance.get_validated_token.side_effect = AuthenticationFailed(
+            "Invalid token"
+        )
+
+        with patch.object(SSEAuthentication, "jwt_auth", jwt_instance):
+            with pytest.raises(AuthenticationFailed):
+                SSEAuthentication().authenticate(request)
+
+        jwt_instance.get_validated_token.assert_called_once_with("bad-token")
@@ -10,9 +10,12 @@ from api.compliance import (
    get_prowler_provider_checks,
    get_prowler_provider_compliance,
    load_prowler_checks,
+    warm_compliance_caches,
 )
 from api.models import Provider
-from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.compliance_models import (
+    get_bulk_compliance_frameworks_universal,
+)


 class TestCompliance:
@@ -28,16 +31,16 @@ class TestCompliance:
        assert set(checks) == {"check1", "check2", "check3"}
        mock_check_metadata.get_bulk.assert_called_once_with(provider_type)

-    @patch("api.compliance.Compliance")
-    def test_get_prowler_provider_compliance(self, mock_compliance):
+    @patch("api.compliance.get_bulk_compliance_frameworks_universal")
+    def test_get_prowler_provider_compliance(self, mock_get_bulk):
        provider_type = Provider.ProviderChoices.AWS
-        mock_compliance.get_bulk.return_value = {
+        mock_get_bulk.return_value = {
            "compliance1": MagicMock(),
            "compliance2": MagicMock(),
        }
        compliance_data = get_prowler_provider_compliance(provider_type)
-        assert compliance_data == mock_compliance.get_bulk.return_value
-        mock_compliance.get_bulk.assert_called_once_with(provider_type)
+        assert compliance_data == mock_get_bulk.return_value
+        mock_get_bulk.assert_called_once_with(provider_type)

    @patch("api.compliance.get_prowler_provider_checks")
    @patch("api.models.Provider.ProviderChoices")
@@ -51,9 +54,9 @@ class TestCompliance:
        prowler_compliance = {
            "aws": {
                "compliance1": MagicMock(
-                    Requirements=[
+                    requirements=[
                        MagicMock(
-                            Checks=["check1", "check2"],
+                            checks={"aws": ["check1", "check2"]},
                        ),
                    ],
                ),
@@ -167,35 +170,38 @@ class TestCompliance:
    def test_generate_compliance_overview_template(self, mock_provider_choices):
        mock_provider_choices.values = ["aws"]

+        # ``name`` is a reserved MagicMock kwarg (it labels the mock for repr,
+        # it does NOT set a ``.name`` attribute), so it must be assigned
+        # explicitly after construction.
        requirement1 = MagicMock(
-            Id="requirement1",
-            Name="Requirement 1",
-            Description="Description of requirement 1",
-            Attributes=[],
-            Checks=["check1", "check2"],
-            Tactics=["tactic1"],
-            SubTechniques=["subtechnique1"],
-            Platforms=["platform1"],
-            TechniqueURL="https://example.com",
+            id="requirement1",
+            description="Description of requirement 1",
+            attributes=[],
+            checks={"aws": ["check1", "check2"]},
+            tactics=["tactic1"],
+            sub_techniques=["subtechnique1"],
+            platforms=["platform1"],
+            technique_url="https://example.com",
        )
+        requirement1.name = "Requirement 1"
        requirement2 = MagicMock(
-            Id="requirement2",
-            Name="Requirement 2",
-            Description="Description of requirement 2",
-            Attributes=[],
-            Checks=[],
-            Tactics=[],
-            SubTechniques=[],
-            Platforms=[],
-            TechniqueURL="",
+            id="requirement2",
+            description="Description of requirement 2",
+            attributes=[],
+            checks={"aws": []},
+            tactics=[],
+            sub_techniques=[],
+            platforms=[],
+            technique_url="",
        )
+        requirement2.name = "Requirement 2"
        compliance1 = MagicMock(
-            Requirements=[requirement1, requirement2],
-            Framework="Framework 1",
-            Version="1.0",
-            Description="Description of compliance1",
-            Name="Compliance 1",
+            requirements=[requirement1, requirement2],
+            framework="Framework 1",
+            version="1.0",
+            description="Description of compliance1",
        )
+        compliance1.name = "Compliance 1"
        prowler_compliance = {"aws": {"compliance1": compliance1}}

        template = generate_compliance_overview_template(prowler_compliance)
@@ -262,33 +268,43 @@ def reset_compliance_cache():
    """Reset the module-level cache so each test starts cold."""
    previous = dict(compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS)
    compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
+    # The warming flags are module-global; clear them so they do not leak
+    # between tests that call warm_compliance_caches.
+    compliance_module.COMPLIANCE_WARMING_STARTED.clear()
+    compliance_module.COMPLIANCE_WARMED.clear()
    try:
        yield
    finally:
        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.update(previous)
+        compliance_module.COMPLIANCE_WARMING_STARTED.clear()
+        compliance_module.COMPLIANCE_WARMED.clear()


 class TestGetComplianceFrameworks:
    def test_returns_keys_from_compliance_get_bulk(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {
+        with patch(
+            "api.compliance.get_bulk_compliance_frameworks_universal"
+        ) as mock_get_bulk:
+            mock_get_bulk.return_value = {
                "cis_1.4_aws": MagicMock(),
                "mitre_attack_aws": MagicMock(),
            }
            result = get_compliance_frameworks(Provider.ProviderChoices.AWS)

        assert sorted(result) == ["cis_1.4_aws", "mitre_attack_aws"]
-        mock_compliance.get_bulk.assert_called_once_with(Provider.ProviderChoices.AWS)
+        mock_get_bulk.assert_called_once_with(Provider.ProviderChoices.AWS)

    def test_caches_result_per_provider(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
+        with patch(
+            "api.compliance.get_bulk_compliance_frameworks_universal"
+        ) as mock_get_bulk:
+            mock_get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
            get_compliance_frameworks(Provider.ProviderChoices.AWS)
            get_compliance_frameworks(Provider.ProviderChoices.AWS)

        # Cached after first call.
-        assert mock_compliance.get_bulk.call_count == 1
+        assert mock_get_bulk.call_count == 1

    @pytest.mark.parametrize(
        "provider_type",
@@ -296,17 +312,105 @@ class TestGetComplianceFrameworks:
    )
    def test_listing_is_subset_of_bulk(self, reset_compliance_cache, provider_type):
        """Regression for CLOUD-API-40S: every name returned by
-        ``get_compliance_frameworks`` must be loadable via ``Compliance.get_bulk``.
+        ``get_compliance_frameworks`` must be loadable via
+        ``get_bulk_compliance_frameworks_universal``.

        A divergence here is what produced ``KeyError: 'csa_ccm_4.0'`` in
        ``generate_outputs_task`` after universal/multi-provider compliance
        JSONs were introduced at the top-level ``prowler/compliance/`` path.
        """
-        bulk_keys = set(Compliance.get_bulk(provider_type).keys())
+        bulk_keys = set(get_bulk_compliance_frameworks_universal(provider_type).keys())
        listed = set(get_compliance_frameworks(provider_type))

        missing = listed - bulk_keys
        assert not missing, (
            f"get_compliance_frameworks({provider_type!r}) returned names not "
-            f"loadable by Compliance.get_bulk: {sorted(missing)}"
+            f"loadable by get_bulk_compliance_frameworks_universal: "
+            f"{sorted(missing)}"
        )
+
+
+class TestWarmComplianceCaches:
+    def test_warms_all_provider_types_by_default(self, reset_compliance_cache):
+        provider_types = list(Provider.ProviderChoices.values)
+        with (
+            patch("api.compliance.get_compliance_frameworks") as mock_frameworks,
+            patch("api.compliance._ensure_provider_loaded") as mock_ensure,
+        ):
+            warm_compliance_caches()
+
+        warmed = {call.args[0] for call in mock_frameworks.call_args_list}
+        assert warmed == set(provider_types)
+        assert mock_frameworks.call_count == len(provider_types)
+        assert mock_ensure.call_count == len(provider_types)
+
+    def test_warms_only_requested_provider_types(self, reset_compliance_cache):
+        with (
+            patch("api.compliance.get_compliance_frameworks") as mock_frameworks,
+            patch("api.compliance._ensure_provider_loaded") as mock_ensure,
+        ):
+            warm_compliance_caches([Provider.ProviderChoices.AWS])
+
+        mock_frameworks.assert_called_once_with(Provider.ProviderChoices.AWS)
+        mock_ensure.assert_called_once_with(Provider.ProviderChoices.AWS)
+
+    def test_populates_module_cache(self, reset_compliance_cache):
+        with (
+            patch(
+                "api.compliance.get_bulk_compliance_frameworks_universal"
+            ) as mock_get_bulk,
+            patch("api.compliance._ensure_provider_loaded"),
+        ):
+            mock_get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
+            warm_compliance_caches([Provider.ProviderChoices.AWS])
+
+        assert (
+            Provider.ProviderChoices.AWS
+            in compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS
+        )
+
+    def test_failing_provider_does_not_abort_the_rest(self, reset_compliance_cache):
+        """A failing provider (even on SystemExit) is isolated; others warm."""
+        providers = [Provider.ProviderChoices.AWS, Provider.ProviderChoices.OKTA]
+
+        def fake_frameworks(provider_type):
+            if provider_type == Provider.ProviderChoices.OKTA:
+                raise SystemExit(1)
+            return []
+
+        with (
+            patch(
+                "api.compliance.get_compliance_frameworks", side_effect=fake_frameworks
+            ),
+            patch("api.compliance._ensure_provider_loaded") as mock_ensure,
+        ):
+            failed = warm_compliance_caches(providers)
+
+        assert failed == [Provider.ProviderChoices.OKTA]
+        mock_ensure.assert_called_once_with(Provider.ProviderChoices.AWS)
+
+    def test_sets_readiness_flags(self, reset_compliance_cache):
+        assert not compliance_module.COMPLIANCE_WARMING_STARTED.is_set()
+        assert not compliance_module.COMPLIANCE_WARMED.is_set()
+
+        with (
+            patch("api.compliance.get_compliance_frameworks"),
+            patch("api.compliance._ensure_provider_loaded"),
+        ):
+            warm_compliance_caches([Provider.ProviderChoices.AWS])
+
+        assert compliance_module.COMPLIANCE_WARMING_STARTED.is_set()
+        assert compliance_module.COMPLIANCE_WARMED.is_set()
+
+    def test_marks_warmed_even_when_a_provider_fails(self, reset_compliance_cache):
+        """A failed provider still leaves the caches flagged as warmed."""
+        with (
+            patch(
+                "api.compliance.get_compliance_frameworks",
+                side_effect=SystemExit(1),
+            ),
+            patch("api.compliance._ensure_provider_loaded"),
+        ):
+            warm_compliance_caches([Provider.ProviderChoices.AWS])
+
+        assert compliance_module.COMPLIANCE_WARMED.is_set()
@@ -0,0 +1,55 @@
+from config.django.base import label_postgres_connections
+
+
+class TestLabelPostgresConnections:
+    def test_labels_postgres_and_skips_neo4j(self, monkeypatch):
+        monkeypatch.setenv("DJANGO_APP_COMPONENT", "scan")
+        databases = {
+            "default": {"ENGINE": "psqlextra.backend"},
+            "neo4j": {"HOST": "neo4j", "PORT": "7687"},
+        }
+
+        label_postgres_connections(databases)
+
+        assert databases["default"]["OPTIONS"]["application_name"] == "scan:default"
+        assert "OPTIONS" not in databases["neo4j"]
+
+    def test_labels_plain_postgresql_backend(self, monkeypatch):
+        monkeypatch.setenv("DJANGO_APP_COMPONENT", "api")
+        databases = {"saas": {"ENGINE": "django.db.backends.postgresql"}}
+
+        label_postgres_connections(databases)
+
+        assert databases["saas"]["OPTIONS"]["application_name"] == "api:saas"
+
+    def test_defaults_component_to_api_when_unset(self, monkeypatch):
+        monkeypatch.delenv("DJANGO_APP_COMPONENT", raising=False)
+        databases = {"default": {"ENGINE": "psqlextra.backend"}}
+
+        label_postgres_connections(databases)
+
+        assert databases["default"]["OPTIONS"]["application_name"] == "api:default"
+
+    def test_preserves_existing_options(self, monkeypatch):
+        monkeypatch.setenv("DJANGO_APP_COMPONENT", "worker")
+        databases = {
+            "replica": {
+                "ENGINE": "psqlextra.backend",
+                "OPTIONS": {"sslmode": "require"},
+            }
+        }
+
+        label_postgres_connections(databases)
+
+        assert databases["replica"]["OPTIONS"] == {
+            "sslmode": "require",
+            "application_name": "worker:replica",
+        }
+
+    def test_truncates_application_name_to_63_bytes(self, monkeypatch):
+        monkeypatch.setenv("DJANGO_APP_COMPONENT", "c" * 80)
+        databases = {"default": {"ENGINE": "psqlextra.backend"}}
+
+        label_postgres_connections(databases)
+
+        assert len(databases["default"]["OPTIONS"]["application_name"]) == 63
@@ -0,0 +1,191 @@
+"""Tests for the platform SSE infrastructure (``api.sse``).
+
+Cover the two security-critical platform pieces — the channel-name
+convention (:mod:`api.sse.utils`) and the tenant gate enforced by
+:class:`api.sse.channelmanager.SSEChannelManager`. The SSE authentication
+class lives in :mod:`api.authentication` with the rest of the auth stack,
+so its tests live in ``test_authentication.py``. Per-feature SSE endpoints
+add their own tests on top of these.
+"""
+
+import uuid
+from unittest.mock import MagicMock
+
+import pytest
+from django.http import StreamingHttpResponse
+from rest_framework.test import APIRequestFactory, force_authenticate
+
+from api.sse.base_views import BaseSSEViewSet
+from api.sse.channelmanager import SSEChannelManager
+from api.sse.utils import make_channel_name, tenant_id_from_channel
+
+
+class TestMakeChannel:
+    def test_round_trips_tenant_id(self):
+        tenant_id = uuid.uuid4()
+        channel = make_channel_name("lighthouse-session", tenant_id, uuid.uuid4())
+        assert tenant_id_from_channel(channel) == tenant_id
+
+    def test_accepts_str_arguments(self):
+        tenant_id = uuid.uuid4()
+        channel = make_channel_name("lighthouse-session", str(tenant_id), "resource-1")
+        assert channel == f"lighthouse-session:{tenant_id}:resource-1"
+
+    def test_prefix_with_hyphen_is_not_split(self):
+        # Prefixes contain hyphens but never colons, so the tenant id is
+        # always the second colon-separated segment.
+        tenant_id = uuid.uuid4()
+        channel = make_channel_name("a-long-hyphenated-prefix", tenant_id, "res")
+        assert tenant_id_from_channel(channel) == tenant_id
+
+    @pytest.mark.parametrize(
+        "prefix, tenant_id, resource_id",
+        [
+            ("evil:prefix", uuid.uuid4(), "res"),
+            ("prefix", uuid.uuid4(), "res:extra"),
+            ("prefix", "tenant:smuggled", "res"),
+        ],
+    )
+    def test_rejects_separator_injection(self, prefix, tenant_id, resource_id):
+        # A colon in any segment would let a crafted name smuggle extra
+        # segments past the parser, so construction must fail loudly.
+        with pytest.raises(ValueError):
+            make_channel_name(prefix, tenant_id, resource_id)
+
+
+class TestTenantIdFromChannel:
+    def test_returns_none_for_too_few_segments(self):
+        assert tenant_id_from_channel("prefix:only") is None
+        assert tenant_id_from_channel("garbage") is None
+
+    def test_returns_none_for_too_many_segments(self):
+        # A valid tenant UUID in position 1 must not authorize a
+        # non-canonical name that carries extra segments.
+        tenant_id = uuid.uuid4()
+        assert tenant_id_from_channel(f"prefix:{tenant_id}:resource:extra") is None
+
+    def test_returns_none_for_non_uuid_tenant_segment(self):
+        assert tenant_id_from_channel("prefix:not-a-uuid:resource") is None
+
+    def test_parses_valid_channel(self):
+        tenant_id = uuid.uuid4()
+        assert tenant_id_from_channel(f"prefix:{tenant_id}:resource") == tenant_id
+
+
+@pytest.mark.django_db
+class TestSSEChannelManager:
+    def test_member_can_read_own_tenant_channel(
+        self, create_test_user, tenants_fixture
+    ):
+        tenant = tenants_fixture[0]
+        channel = make_channel_name("lighthouse-session", tenant.id, uuid.uuid4())
+        assert SSEChannelManager().can_read_channel(create_test_user, channel)
+
+    def test_non_member_cannot_read_other_tenant_channel(
+        self, create_test_user, tenants_fixture
+    ):
+        # create_test_user is a member of tenant1 and tenant2 but not tenant3.
+        foreign_tenant = tenants_fixture[2]
+        channel = make_channel_name(
+            "lighthouse-session", foreign_tenant.id, uuid.uuid4()
+        )
+        assert not SSEChannelManager().can_read_channel(create_test_user, channel)
+
+    def test_anonymous_user_is_rejected(self, tenants_fixture):
+        channel = make_channel_name(
+            "lighthouse-session", tenants_fixture[0].id, uuid.uuid4()
+        )
+        assert not SSEChannelManager().can_read_channel(None, channel)
+
+        anon = MagicMock(is_authenticated=False)
+        assert not SSEChannelManager().can_read_channel(anon, channel)
+
+    def test_malformed_channel_is_rejected(self, create_test_user, tenants_fixture):
+        assert not SSEChannelManager().can_read_channel(create_test_user, "garbage")
+
+    def test_get_channels_for_request_returns_active_tenant_channels(self):
+        tenant_id = uuid.uuid4()
+        own = make_channel_name("prefix", tenant_id, "resource")
+        request = MagicMock()
+        request.tenant_id = str(tenant_id)
+        request.sse_channels = {own}
+        assert SSEChannelManager().get_channels_for_request(request, {}) == {own}
+
+    def test_get_channels_for_request_drops_other_tenant_channels(self):
+        # Fail-closed: a channel for a tenant other than the active JWT
+        # tenant is dropped before reaching django-eventstream, even if the
+        # viewset mistakenly stashed it. This is the primary tenant gate that
+        # binds authorization to request.tenant_id, not just membership.
+        active_tenant = uuid.uuid4()
+        own = make_channel_name("prefix", active_tenant, "resource")
+        foreign = make_channel_name("prefix", uuid.uuid4(), "resource")
+        request = MagicMock()
+        request.tenant_id = str(active_tenant)
+        request.sse_channels = {own, foreign}
+        assert SSEChannelManager().get_channels_for_request(request, {}) == {own}
+
+    def test_get_channels_for_request_drops_malformed_channels(self):
+        request = MagicMock()
+        request.tenant_id = str(uuid.uuid4())
+        request.sse_channels = {"garbage", "prefix:not-a-uuid:resource"}
+        assert SSEChannelManager().get_channels_for_request(request, {}) == set()
+
+    def test_get_channels_for_request_without_tenant_returns_empty(self):
+        # No active tenant on the request (auth/RLS never ran) → fail closed,
+        # regardless of any channels stashed on it.
+        request = MagicMock(spec=[])
+        assert SSEChannelManager().get_channels_for_request(request, {}) == set()
+
+    def test_get_channels_for_request_defaults_to_empty(self):
+        # A request that never went through BaseSSEViewSet.list has no
+        # sse_channels attribute; the manager must not raise.
+        request = object()
+        assert SSEChannelManager().get_channels_for_request(request, {}) == set()
+
+    def test_channel_is_not_reliable(self):
+        # v1 ships without server-side replay storage.
+        assert (
+            SSEChannelManager().is_channel_reliable("prefix:tenant:resource") is False
+        )
+
+
+@pytest.mark.django_db
+class TestBaseSSEViewSet:
+    """End-to-end check that the base viewset opens a stream.
+
+    ``BaseSSEViewSet.list`` hands the DRF ``Request`` straight to
+    django-eventstream's ``events()``, which is written for a plain
+    Django request. This drives a real request through the full DRF
+    stack (authentication, RLS, content negotiation, channel manager)
+    and asserts the result is an SSE stream, so the DRF/Django request
+    mismatch cannot regress silently.
+    """
+
+    def test_list_opens_event_stream(self, create_test_user, tenants_fixture):
+        tenant = tenants_fixture[0]
+        channel = make_channel_name("test-sse", tenant.id, uuid.uuid4())
+        seen_tenant_ids = []
+
+        class _StreamingSSEViewSet(BaseSSEViewSet):
+            def get_channels(self):
+                # Reached only after dispatch/initial ran, so the RLS
+                # tenant context is already on the request.
+                seen_tenant_ids.append(self.request.tenant_id)
+                return {channel}
+
+        request = APIRequestFactory().get("/api/v1/test-sse/stream")
+        force_authenticate(
+            request, user=create_test_user, token={"tenant_id": str(tenant.id)}
+        )
+
+        view = _StreamingSSEViewSet.as_view({"get": "list"})
+        response = view(request)
+
+        # A StreamingHttpResponse (not the plain HttpResponse used for SSE
+        # error envelopes) means events() accepted the DRF request, the
+        # channel manager handed it a non-empty channel set, and the
+        # stream was opened end to end.
+        assert isinstance(response, StreamingHttpResponse)
+        assert response.status_code == 200
+        assert response["Content-Type"] == "text/event-stream"
+        assert seen_tenant_ids == [str(tenant.id)]
@@ -31,6 +31,7 @@ from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
+from prowler.providers.okta.okta_provider import OktaProvider
 from prowler.providers.openstack.openstack_provider import OpenstackProvider
 from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
 from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -130,6 +131,7 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
            (Provider.ProviderChoices.IMAGE.value, ImageProvider),
            (Provider.ProviderChoices.VERCEL.value, VercelProvider),
+            (Provider.ProviderChoices.OKTA.value, OktaProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -238,6 +240,31 @@ class TestProwlerProviderConnectionTest:
            raise_on_exception=False,
        )

+    @patch("api.utils.return_prowler_provider")
+    def test_prowler_provider_connection_test_okta_provider(
+        self, mock_return_prowler_provider
+    ):
+        """Test connection test for Okta provider passes org domain and provider_id."""
+        provider = MagicMock()
+        provider.uid = "acme.okta.com"
+        provider.provider = Provider.ProviderChoices.OKTA.value
+        provider.secret.secret = {
+            "okta_client_id": "0oa123456789abcdef",
+            "okta_private_key": "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
+            "okta_scopes": ["okta.policies.read"],
+        }
+        mock_return_prowler_provider.return_value = MagicMock()
+
+        prowler_provider_connection_test(provider)
+        mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
+            okta_client_id="0oa123456789abcdef",
+            okta_private_key="-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
+            okta_scopes=["okta.policies.read"],
+            okta_org_domain="acme.okta.com",
+            provider_id="acme.okta.com",
+            raise_on_exception=False,
+        )
+
    @patch("api.utils.return_prowler_provider")
    def test_prowler_provider_connection_test_image_provider_no_creds(
        self, mock_return_prowler_provider
@@ -308,6 +335,10 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.VERCEL.value,
                {"team_id": "provider_uid"},
            ),
+            (
+                Provider.ProviderChoices.OKTA.value,
+                {"okta_org_domain": "provider_uid"},
+            ),
        ],
    )
    def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -326,6 +357,30 @@ class TestGetProwlerProviderKwargs:
        expected_result = {**secret_dict, **expected_extra_kwargs}
        assert result == expected_result

+    def test_get_prowler_provider_kwargs_oraclecloud_converts_region_string_to_set(
+        self,
+    ):
+        secret_dict = {
+            "user": "ocid1.user.oc1..fake",
+            "fingerprint": "00:11:22:33:44:55:66:77",
+            "key_content": "-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----",
+            "tenancy": "ocid1.tenancy.oc1..fake",
+            "region": "us-ashburn-1",
+            "pass_phrase": "fake-passphrase",
+        }
+        secret_mock = MagicMock()
+        secret_mock.secret = secret_dict
+
+        provider = MagicMock()
+        provider.provider = Provider.ProviderChoices.ORACLECLOUD.value
+        provider.secret = secret_mock
+        provider.uid = "ocid1.tenancy.oc1..fake"
+
+        result = get_prowler_provider_kwargs(provider)
+
+        expected_result = {**secret_dict, "region": {"us-ashburn-1"}}
+        assert result == expected_result
+
    def test_get_prowler_provider_kwargs_with_mutelist(self):
        provider_uid = "provider_uid"
        secret_dict = {"key": "value"}
@@ -37,6 +37,7 @@ if TYPE_CHECKING:
    from prowler.providers.mongodbatlas.mongodbatlas_provider import (
        MongodbatlasProvider,
    )
+    from prowler.providers.okta.okta_provider import OktaProvider
    from prowler.providers.openstack.openstack_provider import OpenstackProvider
    from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
    from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -93,6 +94,7 @@ def return_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
+    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -181,6 +183,10 @@ def return_prowler_provider(
            from prowler.providers.vercel.vercel_provider import VercelProvider

            prowler_provider = VercelProvider
+        case Provider.ProviderChoices.OKTA.value:
+            from prowler.providers.okta.okta_provider import OktaProvider
+
+            prowler_provider = OktaProvider
        case _:
            raise ValueError(f"Provider type {provider.provider} not supported")
    return prowler_provider
@@ -237,6 +243,12 @@ def get_prowler_provider_kwargs(
            **prowler_provider_kwargs,
            "filter_accounts": [provider.uid],
        }
+    elif provider.provider == Provider.ProviderChoices.ORACLECLOUD.value:
+        if isinstance(prowler_provider_kwargs.get("region"), str):
+            prowler_provider_kwargs = {
+                **prowler_provider_kwargs,
+                "region": {prowler_provider_kwargs["region"]},
+            }
    elif provider.provider == Provider.ProviderChoices.OPENSTACK.value:
        # clouds_yaml_content, clouds_yaml_cloud and provider_id are validated
        # in the provider itself, so it's not needed here.
@@ -246,6 +258,11 @@ def get_prowler_provider_kwargs(
            **prowler_provider_kwargs,
            "team_id": provider.uid,
        }
+    elif provider.provider == Provider.ProviderChoices.OKTA.value:
+        prowler_provider_kwargs = {
+            **prowler_provider_kwargs,
+            "okta_org_domain": provider.uid,
+        }
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
        # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
@@ -290,6 +307,7 @@ def initialize_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
+    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -351,6 +369,14 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
            "raise_on_exception": False,
        }
        return prowler_provider.test_connection(**vercel_kwargs)
+    elif provider.provider == Provider.ProviderChoices.OKTA.value:
+        okta_kwargs = {
+            **prowler_provider_kwargs,
+            "okta_org_domain": provider.uid,
+            "provider_id": provider.uid,
+            "raise_on_exception": False,
+        }
+        return prowler_provider.test_connection(**okta_kwargs)
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        image_kwargs = {
            "image": provider.uid,
@@ -1,6 +1,10 @@
+import uuid
+
+from django.http import QueryDict
 from django.urls import reverse
 from django_celery_results.models import TaskResult
 from rest_framework import status
+from rest_framework.exceptions import ValidationError
 from rest_framework.response import Response

 from api.exceptions import (
@@ -8,7 +12,7 @@ from api.exceptions import (
    TaskInProgressException,
    TaskNotFoundException,
 )
-from api.models import StateChoices, Task
+from api.models import Provider, StateChoices, Task
 from api.v1.serializers import TaskSerializer


@@ -74,6 +78,162 @@ class PaginateByPkMixin:
        return self.get_paginated_response(serialized)


+class JsonApiFilterMixin:
+    """Shared helpers for manually applying django-filter to JSON:API params."""
+
+    jsonapi_filter_replace_dots = False
+
+    def _normalize_jsonapi_params(
+        self,
+        query_params,
+        exclude_keys=None,
+        replace_dots=None,
+    ):
+        exclude_keys = exclude_keys or set()
+        if replace_dots is None:
+            replace_dots = self.jsonapi_filter_replace_dots
+
+        normalized = QueryDict(mutable=True)
+        for key, values in query_params.lists():
+            normalized_key = (
+                key[7:-1] if key.startswith("filter[") and key.endswith("]") else key
+            )
+            if replace_dots:
+                normalized_key = normalized_key.replace(".", "__")
+            if normalized_key not in exclude_keys:
+                normalized.setlist(normalized_key, values)
+        return normalized
+
+    def _apply_filterset(
+        self,
+        queryset,
+        filterset_class,
+        exclude_keys=None,
+        replace_dots=None,
+    ):
+        normalized_params = self._normalize_jsonapi_params(
+            self.request.query_params,
+            exclude_keys=set(exclude_keys or []),
+            replace_dots=replace_dots,
+        )
+        filterset = filterset_class(normalized_params, queryset=queryset)
+        if not filterset.is_valid():
+            raise ValidationError(filterset.errors)
+        return filterset.qs
+
+
+class ProviderFilterParamsMixin(JsonApiFilterMixin):
+    """Shared extraction of provider filters from JSON:API query params."""
+
+    PROVIDER_FILTER_KEYS = frozenset(
+        {
+            "provider_id",
+            "provider_id__in",
+            "provider_type",
+            "provider_type__in",
+            "provider_groups",
+            "provider_groups__in",
+        }
+    )
+    PROVIDER_FILTER_DOT_ALIAS_KEYS = frozenset(
+        {
+            "provider_id.in",
+            "provider_type.in",
+            "provider_groups.in",
+        }
+    )
+    PROVIDER_FILTER_QUERY_KEYS = PROVIDER_FILTER_KEYS | PROVIDER_FILTER_DOT_ALIAS_KEYS
+
+    def _csv_filter_values(self, value):
+        return [item.strip() for item in value.split(",") if item.strip()]
+
+    def _validate_uuid_filter_values(self, field_name, values):
+        try:
+            for value in values:
+                uuid.UUID(str(value))
+        except (TypeError, ValueError, AttributeError):
+            raise ValidationError({field_name: ["Enter a valid UUID."]})
+
+    def _has_provider_filters(self, include_dot_aliases=False):
+        provider_filter_keys = (
+            self.PROVIDER_FILTER_QUERY_KEYS
+            if include_dot_aliases
+            else self.PROVIDER_FILTER_KEYS
+        )
+        return any(
+            self.request.query_params.get(f"filter[{key}]")
+            for key in provider_filter_keys
+        )
+
+    def _extract_provider_filters_from_params(
+        self,
+        *,
+        validate_uuids=False,
+        include_dot_aliases=False,
+    ):
+        params = self.request.query_params
+        filters = {}
+        valid_provider_types = {
+            choice[0] for choice in Provider.ProviderChoices.choices
+        }
+
+        provider_id = params.get("filter[provider_id]")
+        if provider_id:
+            if validate_uuids:
+                self._validate_uuid_filter_values("provider_id", [provider_id])
+            filters["provider_id"] = provider_id
+
+        provider_id_in = params.get("filter[provider_id__in]")
+        if include_dot_aliases:
+            provider_id_in = provider_id_in or params.get("filter[provider_id.in]")
+        if provider_id_in:
+            values = self._csv_filter_values(provider_id_in)
+            if validate_uuids:
+                self._validate_uuid_filter_values("provider_id__in", values)
+            filters["provider_id__in"] = values
+
+        provider_type = params.get("filter[provider_type]")
+        if provider_type:
+            if provider_type not in valid_provider_types:
+                raise ValidationError(
+                    {"provider_type": f"Invalid choice: {provider_type}"}
+                )
+            filters["provider__provider"] = provider_type
+
+        provider_type_in = params.get("filter[provider_type__in]")
+        if include_dot_aliases:
+            provider_type_in = provider_type_in or params.get(
+                "filter[provider_type.in]"
+            )
+        if provider_type_in:
+            values = self._csv_filter_values(provider_type_in)
+            invalid = [value for value in values if value not in valid_provider_types]
+            if invalid:
+                raise ValidationError(
+                    {"provider_type__in": f"Invalid choices: {', '.join(invalid)}"}
+                )
+            filters["provider__provider__in"] = values
+
+        provider_groups = params.get("filter[provider_groups]")
+        if provider_groups:
+            if validate_uuids:
+                self._validate_uuid_filter_values("provider_groups", [provider_groups])
+            filters["provider__provider_groups__id"] = provider_groups
+
+        provider_groups_in = params.get("filter[provider_groups__in]")
+        if include_dot_aliases:
+            provider_groups_in = provider_groups_in or params.get(
+                "filter[provider_groups.in]"
+            )
+        if provider_groups_in:
+            values = self._csv_filter_values(provider_groups_in)
+            if validate_uuids:
+                self._validate_uuid_filter_values("provider_groups__in", values)
+            filters["provider__provider_groups__id__in"] = values
+
+        return filters
+
+
 class TaskManagementMixin:
    """
    Mixin to manage task status checking.
@@ -404,6 +404,26 @@ from rest_framework_json_api import serializers
                },
                "required": ["clouds_yaml_content", "clouds_yaml_cloud"],
            },
+            {
+                "type": "object",
+                "title": "Okta OAuth Credentials",
+                "properties": {
+                    "okta_client_id": {
+                        "type": "string",
+                        "description": "Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.",
+                    },
+                    "okta_private_key": {
+                        "type": "string",
+                        "description": "PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.",
+                    },
+                    "okta_scopes": {
+                        "type": "array",
+                        "items": {"type": "string"},
+                        "description": "OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.",
+                    },
+                },
+                "required": ["okta_client_id", "okta_private_key"],
+            },
            {
                "type": "object",
                "title": "Vercel API Token",
--- a/Show More
+++ b/Show More