chore(release): Bump versions to v5.30.2 (#11571)

Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>

.env

@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
 
 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.30.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.30.2
 
 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"

api/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
+## [1.31.1] (Prowler v5.30.1)
+
+### 🐞 Fixed
+
+- `compliance-overviews/attributes` now resolves the provider from the scan, so multi-provider universal frameworks (e.g. CSA CCM) return the check IDs of the scan's provider and Azure/GCP requirement details show their findings instead of appearing empty [(#11546)](https://github.com/prowler-cloud/prowler/pull/11546)
+- Attack Paths: `drop_subgraph` now deletes relationships first and then nodes in batches, using less memory on Neo4j when clearing a dense provider graph [(#11557)](https://github.com/prowler-cloud/prowler/pull/11557)
+- OCI scans now use API key credentials with the configured region instead of falling back to `/home/prowler/.oci/config` [(#11558)](https://github.com/prowler-cloud/prowler/pull/11558)
+
+---
+
 ## [1.31.0] (Prowler v5.30.0)
 
 ### 🚀 Added
@@ -19,7 +29,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 - Workers now shut down gracefully on deploy or restart, finishing or re-queueing in-flight tasks instead of being force-killed and leaving them stuck [(#11416)](https://github.com/prowler-cloud/prowler/pull/11416)
 - Resource `name` is now stored and refreshed on every scan, so resources no longer keep an empty name [(#11476)](https://github.com/prowler-cloud/prowler/pull/11476)
-- Compliance catalog now warms in background during startup. `compliance-overviews/attributes` returns `503` while warming, so the first request after a deploy no longer trips the API timeout [(#4554)](https://github.com/prowler-cloud/prowler-cloud/pull/4554)
+- Compliance catalog now warms in background during startup. `compliance-overviews/attributes` returns `503` while warming, so the first request after a deploy no longer trips the API timeout [(#11530)](https://github.com/prowler-cloud/prowler/pull/11530)
 
 ### 🔐 Security
 

api/pyproject.toml

@@ -68,7 +68,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.31.0"
+version = "1.31.2"
 
 [tool.uv]
 # Transitive pins matching master to avoid silent drift; bump deliberately.

api/src/backend/api/attack_paths/database.py

@@ -175,7 +175,8 @@ def drop_subgraph(database: str, provider_id: str) -> int:
     """
     Delete all nodes for a provider from the tenant database.
 
-    Uses batched deletion to avoid memory issues with large graphs.
+    Deletes relationships then nodes in batches (not `DETACH DELETE`) so a dense
+    provider's graph cannot exceed Neo4j's transaction memory limit.
     Silently returns 0 if the database doesn't exist.
     """
     provider_label = get_provider_label(provider_id)
@@ -183,13 +184,28 @@ def drop_subgraph(database: str, provider_id: str) -> int:
 
     try:
         with get_session(database) as session:
+            # Phase 1: delete relationships incident to provider nodes in batches.
+            deleted_count = 1
+            while deleted_count > 0:
+                result = session.run(
+                    f"""
+                    MATCH (:`{provider_label}`)-[r]-()
+                    WITH DISTINCT r LIMIT $batch_size
+                    DELETE r
+                    RETURN COUNT(r) AS deleted_rels_count
+                    """,
+                    {"batch_size": BATCH_SIZE},
+                )
+                deleted_count = result.single().get("deleted_rels_count", 0)
+
+            # Phase 2: delete the now relationship-free nodes in batches.
             deleted_count = 1
             while deleted_count > 0:
                 result = session.run(
                     f"""
                     MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
                     WITH n LIMIT $batch_size
-                    DETACH DELETE n
+                    DELETE n
                     RETURN COUNT(n) AS deleted_nodes_count
                     """,
                     {"batch_size": BATCH_SIZE},

api/src/backend/api/specs/v1.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: Prowler API
-  version: 1.31.0
+  version: 1.31.2
   description: |-
     Prowler API specification.
 

api/src/backend/api/tests/test_attack_paths_database.py

@@ -542,3 +542,84 @@ class TestHasProviderData:
         ):
             with pytest.raises(db_module.GraphDatabaseQueryException):
                 db_module.has_provider_data("db-tenant-abc", "provider-123")
+
+
+class TestDropSubgraph:
+    """Test drop_subgraph two-phase batched deletion of a provider's graph."""
+
+    @staticmethod
+    def _result(count):
+        result = MagicMock()
+        result.single.return_value.get.return_value = count
+        return result
+
+    @staticmethod
+    def _session_ctx(session):
+        ctx = MagicMock()
+        ctx.__enter__.return_value = session
+        ctx.__exit__.return_value = False
+        return ctx
+
+    def test_deletes_relationships_then_nodes_in_batches(self):
+        session = MagicMock()
+        # Phase 1 (relationships): one full batch then empty.
+        # Phase 2 (nodes): one full batch then empty.
+        session.run.side_effect = [
+            self._result(1000),
+            self._result(0),
+            self._result(1000),
+            self._result(0),
+        ]
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=self._session_ctx(session),
+        ):
+            deleted = db_module.drop_subgraph("db-tenant-abc", "provider-123")
+
+        # Only phase-2 node counts contribute to the return value.
+        assert deleted == 1000
+        assert session.run.call_count == 4
+
+        queries = [call.args[0] for call in session.run.call_args_list]
+
+        # Regression guard: the memory blow-up was caused by DETACH DELETE.
+        assert all("DETACH DELETE" not in query for query in queries)
+
+        rel_queries = [query for query in queries if "DELETE r" in query]
+        node_queries = [query for query in queries if "DELETE n" in query]
+        assert rel_queries and node_queries
+        # DISTINCT avoids double-counting relationships matched from both ends.
+        assert all("DISTINCT r" in query for query in rel_queries)
+
+        # Relationships must be fully drained before nodes are deleted.
+        first_node = next(i for i, q in enumerate(queries) if "DELETE n" in q)
+        last_rel = max(i for i, q in enumerate(queries) if "DELETE r" in q)
+        assert last_rel < first_node
+
+    def test_returns_zero_when_database_not_found(self):
+        session_ctx = MagicMock()
+        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
+            message="Database does not exist",
+            code="Neo.ClientError.Database.DatabaseNotFound",
+        )
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=session_ctx,
+        ):
+            assert db_module.drop_subgraph("db-tenant-gone", "provider-123") == 0
+
+    def test_raises_on_other_errors(self):
+        session_ctx = MagicMock()
+        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
+            message="Connection refused",
+            code="Neo.TransientError.General.UnknownError",
+        )
+
+        with patch(
+            "api.attack_paths.database.get_session",
+            return_value=session_ctx,
+        ):
+            with pytest.raises(db_module.GraphDatabaseQueryException):
+                db_module.drop_subgraph("db-tenant-abc", "provider-123")

api/src/backend/api/tests/test_utils.py

@@ -357,6 +357,30 @@ class TestGetProwlerProviderKwargs:
         expected_result = {**secret_dict, **expected_extra_kwargs}
         assert result == expected_result
 
+    def test_get_prowler_provider_kwargs_oraclecloud_converts_region_string_to_set(
+        self,
+    ):
+        secret_dict = {
+            "user": "ocid1.user.oc1..fake",
+            "fingerprint": "00:11:22:33:44:55:66:77",
+            "key_content": "-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----",
+            "tenancy": "ocid1.tenancy.oc1..fake",
+            "region": "us-ashburn-1",
+            "pass_phrase": "fake-passphrase",
+        }
+        secret_mock = MagicMock()
+        secret_mock.secret = secret_dict
+
+        provider = MagicMock()
+        provider.provider = Provider.ProviderChoices.ORACLECLOUD.value
+        provider.secret = secret_mock
+        provider.uid = "ocid1.tenancy.oc1..fake"
+
+        result = get_prowler_provider_kwargs(provider)
+
+        expected_result = {**secret_dict, "region": {"us-ashburn-1"}}
+        assert result == expected_result
+
     def test_get_prowler_provider_kwargs_with_mutelist(self):
         provider_uid = "provider_uid"
         secret_dict = {"key": "value"}

api/src/backend/api/tests/test_views.py

@@ -9570,6 +9570,188 @@ class TestComplianceOverviewViewSet:
             assert "Category" in first_attr
             assert "AWSService" in first_attr
 
+    def test_compliance_overview_attributes_resolves_provider_from_scan(
+        self, authenticated_client, tenants_fixture, providers_fixture
+    ):
+        # csa_ccm_4.0 is a multi-provider universal framework: a single
+        # compliance_id whose requirements expose different checks per provider.
+        # Passing a scan must return the check IDs for that scan's provider,
+        # otherwise the endpoint defaults to the first provider that declares the
+        # framework and azure/gcp requirements end up with check IDs that match
+        # no findings.
+        tenant = tenants_fixture[0]
+        gcp_provider = providers_fixture[2]
+        azure_provider = providers_fixture[4]
+        assert gcp_provider.provider == Provider.ProviderChoices.GCP.value
+        assert azure_provider.provider == Provider.ProviderChoices.AZURE.value
+
+        now = datetime.now(timezone.utc)
+        gcp_scan = Scan.objects.create(
+            name="gcp scan",
+            provider=gcp_provider,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant_id=tenant.id,
+            started_at=now,
+            completed_at=now,
+        )
+        azure_scan = Scan.objects.create(
+            name="azure scan",
+            provider=azure_provider,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant_id=tenant.id,
+            started_at=now,
+            completed_at=now,
+        )
+
+        def request_attributes(scan_id=None):
+            params = {"filter[compliance_id]": "csa_ccm_4.0"}
+            if scan_id is not None:
+                params["filter[scan_id]"] = str(scan_id)
+            return authenticated_client.get(
+                reverse("complianceoverview-attributes"), params
+            )
+
+        def collect_check_ids(scan_id=None):
+            response = request_attributes(scan_id)
+            assert response.status_code == status.HTTP_200_OK
+            check_ids = set()
+            for item in response.json()["data"]:
+                check_ids.update(item["attributes"]["attributes"]["check_ids"])
+            return check_ids
+
+        gcp_check_ids = collect_check_ids(gcp_scan.id)
+        azure_check_ids = collect_check_ids(azure_scan.id)
+
+        # Each scan resolves to its own provider's checks, and they differ.
+        assert gcp_check_ids
+        assert azure_check_ids
+        assert gcp_check_ids != azure_check_ids
+
+        # The returned check IDs belong to the SDK's per-provider definition.
+        from api.compliance import get_prowler_provider_compliance
+
+        def expected_check_ids(provider_type):
+            framework = get_prowler_provider_compliance(provider_type)["csa_ccm_4.0"]
+            expected = set()
+            for requirement in framework.requirements:
+                expected.update(requirement.checks.get(provider_type, []))
+            return expected
+
+        assert gcp_check_ids <= expected_check_ids(Provider.ProviderChoices.GCP.value)
+        assert azure_check_ids <= expected_check_ids(
+            Provider.ProviderChoices.AZURE.value
+        )
+
+        # An explicit scan_id is authoritative: a non-existent scan must fail
+        # closed with 404 instead of silently falling back to another provider.
+        missing_response = request_attributes("00000000-0000-0000-0000-000000000000")
+        assert missing_response.status_code == status.HTTP_404_NOT_FOUND
+
+        # A malformed scan_id is rejected with 404 as well.
+        malformed_response = request_attributes("not-a-uuid")
+        assert malformed_response.status_code == status.HTTP_404_NOT_FOUND
+
+        # An empty value (filter[scan_id]=) must not fall back to the legacy
+        # provider picker: the explicit (if blank) selector fails closed.
+        empty_response = request_attributes("")
+        assert empty_response.status_code == status.HTTP_404_NOT_FOUND
+
+        # A scan belonging to another tenant is not visible (RLS), so it must
+        # return 404 rather than leaking the fallback provider's check IDs.
+        other_tenant = Tenant.objects.create(name="Other Compliance Tenant")
+        foreign_provider = Provider.objects.create(
+            provider="gcp",
+            uid="foreign-gcp-test",
+            alias="foreign_gcp",
+            tenant_id=other_tenant.id,
+        )
+        foreign_scan = Scan.objects.create(
+            name="foreign scan",
+            provider=foreign_provider,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant_id=other_tenant.id,
+            started_at=now,
+            completed_at=now,
+        )
+        foreign_response = request_attributes(foreign_scan.id)
+        assert foreign_response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_compliance_overview_attributes_scan_scoped_by_provider_group(
+        self,
+        authenticated_client_no_permissions_rbac,
+        providers_fixture,
+    ):
+        # A user with limited visibility (no UNLIMITED_VISIBILITY) must only be
+        # able to resolve scans for providers in its provider groups. Tenant RLS
+        # alone is not enough here: both scans belong to the same tenant, so the
+        # endpoint has to scope the scan lookup by provider group, otherwise a
+        # restricted user could read another provider's compliance metadata.
+        client = authenticated_client_no_permissions_rbac
+        limited_user = client.user
+        membership = Membership.objects.filter(user=limited_user).first()
+        tenant = membership.tenant
+
+        allowed_provider = providers_fixture[2]
+        denied_provider = providers_fixture[4]
+        assert allowed_provider.provider == Provider.ProviderChoices.GCP.value
+        assert denied_provider.provider == Provider.ProviderChoices.AZURE.value
+
+        provider_group = ProviderGroup.objects.create(
+            name="limited-compliance-group",
+            tenant_id=tenant.id,
+        )
+        ProviderGroupMembership.objects.create(
+            tenant_id=tenant.id,
+            provider_group=provider_group,
+            provider=allowed_provider,
+        )
+        RoleProviderGroupRelationship.objects.create(
+            tenant_id=tenant.id,
+            role=limited_user.roles.first(),
+            provider_group=provider_group,
+        )
+
+        now = datetime.now(timezone.utc)
+        allowed_scan = Scan.objects.create(
+            name="allowed scan",
+            provider=allowed_provider,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant_id=tenant.id,
+            started_at=now,
+            completed_at=now,
+        )
+        denied_scan = Scan.objects.create(
+            name="denied scan",
+            provider=denied_provider,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant_id=tenant.id,
+            started_at=now,
+            completed_at=now,
+        )
+
+        def request_attributes(scan_id):
+            return client.get(
+                reverse("complianceoverview-attributes"),
+                {
+                    "filter[compliance_id]": "csa_ccm_4.0",
+                    "filter[scan_id]": str(scan_id),
+                },
+            )
+
+        # The scan in the user's provider group resolves normally.
+        assert request_attributes(allowed_scan.id).status_code == status.HTTP_200_OK
+
+        # The scan outside the user's provider group is invisible, so it fails
+        # closed with 404 instead of leaking the other provider's check IDs.
+        assert (
+            request_attributes(denied_scan.id).status_code == status.HTTP_404_NOT_FOUND
+        )
+
     def test_compliance_overview_attributes_missing_compliance_id(
         self, authenticated_client
     ):

api/src/backend/api/utils.py

@@ -243,6 +243,12 @@ def get_prowler_provider_kwargs(
             **prowler_provider_kwargs,
             "filter_accounts": [provider.uid],
         }
+    elif provider.provider == Provider.ProviderChoices.ORACLECLOUD.value:
+        if isinstance(prowler_provider_kwargs.get("region"), str):
+            prowler_provider_kwargs = {
+                **prowler_provider_kwargs,
+                "region": {prowler_provider_kwargs["region"]},
+            }
     elif provider.provider == Provider.ProviderChoices.OPENSTACK.value:
         # clouds_yaml_content, clouds_yaml_cloud and provider_id are validated
         # in the provider itself, so it's not needed here.

api/src/backend/api/v1/views.py

@@ -30,6 +30,7 @@ from dj_rest_auth.registration.views import SocialLoginView
 from django.conf import settings as django_settings
 from django.contrib.postgres.aggregates import ArrayAgg, BoolAnd, StringAgg
 from django.contrib.postgres.search import SearchQuery
+from django.core.exceptions import ValidationError as DjangoValidationError
 from django.db import transaction
 from django.db.models import (
     BooleanField,
@@ -4644,6 +4645,16 @@ class RoleProviderGroupRelationshipView(RelationshipView, BaseRLSViewSet):
                 location=OpenApiParameter.QUERY,
                 description="Compliance framework ID to get attributes for.",
             ),
+            OpenApiParameter(
+                name="filter[scan_id]",
+                required=False,
+                type=OpenApiTypes.UUID,
+                location=OpenApiParameter.QUERY,
+                description="Scan ID used to resolve the provider for "
+                "multi-provider universal frameworks (e.g. CSA CCM), so "
+                "the returned check IDs match the scan's provider. When omitted, "
+                "the first provider that declares the framework is used.",
+            ),
         ],
         responses={
             200: OpenApiResponse(
@@ -5084,7 +5095,51 @@ class ComplianceOverviewViewSet(BaseRLSViewSet, TaskManagementMixin):
 
         provider_type = None
 
-        # If we couldn't determine from database, try each provider type
+        # When a scan is provided, resolve the provider from it. Multi-provider
+        # universal frameworks (e.g. CSA CCM) share a single compliance_id
+        # across providers but expose different checks per provider, so the
+        # metadata (and therefore the check IDs the UI uses to fetch findings)
+        # must be returned for the scan's provider. Without this, the endpoint
+        # falls back to the first provider that declares the framework and
+        # returns its check IDs, leaving azure/gcp/... requirements with no
+        # matching findings.
+        scan_id = request.query_params.get("filter[scan_id]")
+        if "filter[scan_id]" in request.query_params:
+            # An explicit scan_id is authoritative: fail closed instead of
+            # falling back to another provider. Otherwise an invalid, empty
+            # (filter[scan_id]=) or inaccessible scan would silently return the
+            # first provider's check IDs, recreating the multi-provider mismatch
+            # this endpoint fixes.
+            if not scan_id:
+                raise NotFound(detail=f"Scan '{scan_id}' not found.")
+
+            # Tenant isolation is already enforced by Postgres RLS on the
+            # connection (see BaseRLSViewSet). Scope the lookup by provider
+            # group as well so a user with limited visibility can't resolve
+            # another provider's scan and read its compliance metadata, mirroring
+            # the RBAC scoping get_queryset() applies to the rest of the ViewSet.
+            role = get_role(request.user, request.tenant_id)
+            if getattr(role, Permissions.UNLIMITED_VISIBILITY.value, False):
+                scan_queryset = Scan.objects.filter(tenant_id=request.tenant_id)
+            else:
+                scan_queryset = Scan.objects.filter(provider__in=get_providers(role))
+
+            try:
+                scan = scan_queryset.select_related("provider").get(id=scan_id)
+            except (Scan.DoesNotExist, DjangoValidationError, ValueError):
+                raise NotFound(detail=f"Scan '{scan_id}' not found.")
+
+            provider_type = scan.provider.provider
+            if compliance_id not in get_compliance_frameworks(provider_type):
+                raise NotFound(
+                    detail=(
+                        f"Compliance framework '{compliance_id}' is not "
+                        f"available for scan '{scan_id}'."
+                    )
+                )
+
+        # Fall back to the first provider that declares the framework. Keeps the
+        # endpoint working for provider-agnostic callers that omit the scan.
         if not provider_type:
             for pt in Provider.ProviderChoices.values:
                 if compliance_id in get_compliance_frameworks(pt):

api/uv.lock

@@ -4504,7 +4504,7 @@ dependencies = [
 
 [[package]]
 name = "prowler-api"
-version = "1.31.0"
+version = "1.31.2"
 source = { virtual = "." }
 dependencies = [
     { name = "cartography" },

prowler/config/config.py

@@ -49,7 +49,7 @@ class _MutableTimestamp:
 
 timestamp = _MutableTimestamp(datetime.today())
 timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
-prowler_version = "5.30.0"
+prowler_version = "5.30.2"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"

pyproject.toml

@@ -124,7 +124,7 @@ maintainers = [{name = "Prowler Engineering", email = "engineering@prowler.com"}
 name = "prowler"
 readme = "README.md"
 requires-python = ">=3.10,<3.13"
-version = "5.30.0"
+version = "5.30.2"
 
 [project.scripts]
 prowler = "prowler.__main__:prowler"

ui/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
+## [1.30.1] (Prowler v5.30.1)
+
+### 🐞 Fixed
+
+- Threat Map no longer shows an empty map for accounts that only have Okta or Google Workspace scans [(#11542)](https://github.com/prowler-cloud/prowler/pull/11542)
+- Compliance attributes requests now pass the selected scan, so multi-provider universal frameworks (e.g. CSA CCM) load the check IDs of the scan's provider and Azure/GCP requirement details show their findings instead of appearing empty [(#11546)](https://github.com/prowler-cloud/prowler/pull/11546)
+
+---
+
 ## [1.30.0] (Prowler v5.30.0)
 
 ### 🚀 Added
@@ -12,7 +21,7 @@ All notable changes to the **Prowler UI** are documented in this file.
 ### 🔄 Changed
 
 - Renamed "Customer Support" to "Support Desk" in the side menu, showing it only in Prowler Cloud/Enterprise, while "Community Support" now shows only in Prowler OSS [(#11508)](https://github.com/prowler-cloud/prowler/pull/11508)
-- Compliance detail page now shows a "still loading" retry state while the API warms its compliance catalog, instead of rendering an empty page [(#4554)](https://github.com/prowler-cloud/prowler-cloud/pull/4554)
+- Compliance detail page now shows a "still loading" retry state while the API warms its compliance catalog, instead of rendering an empty page [(#11530)](https://github.com/prowler-cloud/prowler/pull/11530)
 
 ### 🐞 Fixed
 

ui/actions/compliances/compliances.ts

@@ -73,12 +73,21 @@ export const getComplianceOverviewMetadataInfo = async ({
   }
 };
 
-export const getComplianceAttributes = async (complianceId: string) => {
+export const getComplianceAttributes = async (
+  complianceId: string,
+  scanId?: string,
+) => {
   const headers = await getAuthHeaders({ contentType: false });
 
   try {
     const url = new URL(`${apiBaseUrl}/compliance-overviews/attributes`);
     url.searchParams.append("filter[compliance_id]", complianceId);
+    // Pass the scan so multi-provider universal frameworks (e.g. CSA CCM)
+    // resolve the check IDs for the scan's provider instead of defaulting to
+    // the first provider that declares the framework.
+    if (scanId) {
+      url.searchParams.append("filter[scan_id]", scanId);
+    }
 
     const response = await fetch(url.toString(), {
       headers,

ui/actions/overview/regions/threat-map.adapter.test.ts

@@ -0,0 +1,62 @@
+import { describe, expect, it } from "vitest";
+
+import { adaptRegionsOverviewToThreatMap } from "./threat-map.adapter";
+import type { RegionsOverviewResponse } from "./types";
+
+function buildRegionsResponse(
+  rows: Array<{ providerType: string; region: string }>,
+): RegionsOverviewResponse {
+  return {
+    data: rows.map(({ providerType, region }, index) => ({
+      type: "regions-overview",
+      id: `region-${index}`,
+      attributes: {
+        provider_type: providerType,
+        region,
+        total: 10,
+        fail: 4,
+        muted: 0,
+        pass: 6,
+      },
+    })),
+    meta: { version: "v1" },
+  };
+}
+
+describe("adaptRegionsOverviewToThreatMap", () => {
+  it("maps okta regions to a global location", () => {
+    const response = buildRegionsResponse([
+      { providerType: "okta", region: "global" },
+    ]);
+
+    const result = adaptRegionsOverviewToThreatMap(response);
+
+    expect(result.locations).toHaveLength(1);
+    expect(result.locations[0]).toMatchObject({
+      providerType: "okta",
+      region: "global",
+      name: "Okta - Global",
+      totalFindings: 10,
+      failFindings: 4,
+    });
+    expect(result.regions).toEqual(["global"]);
+  });
+
+  it("maps googleworkspace regions to a global location", () => {
+    const response = buildRegionsResponse([
+      { providerType: "googleworkspace", region: "global" },
+    ]);
+
+    const result = adaptRegionsOverviewToThreatMap(response);
+
+    expect(result.locations).toHaveLength(1);
+    expect(result.locations[0]).toMatchObject({
+      providerType: "googleworkspace",
+      region: "global",
+      name: "Google Workspace - Global",
+      totalFindings: 10,
+      failFindings: 4,
+    });
+    expect(result.regions).toEqual(["global"]);
+  });
+});

ui/actions/overview/regions/threat-map.adapter.ts

@@ -261,6 +261,19 @@ const ALIBABACLOUD_COORDINATES: Record<string, { lat: number; lng: number }> = {
   global: { lat: 30.3, lng: 120.2 }, // Global fallback (Hangzhou HQ)
 };
 
+// Okta is a SaaS identity platform without user-facing regions
+const OKTA_COORDINATES: Record<string, { lat: number; lng: number }> = {
+  global: { lat: 37.8, lng: -122.4 }, // Global fallback (San Francisco HQ)
+};
+
+// Google Workspace is a SaaS suite without user-facing regions
+const GOOGLEWORKSPACE_COORDINATES: Record<
+  string,
+  { lat: number; lng: number }
+> = {
+  global: { lat: 37.4, lng: -122.1 }, // Global fallback (Mountain View HQ)
+};
+
 const PROVIDER_COORDINATES: Record<
   string,
   Record<string, { lat: number; lng: number }>
@@ -277,6 +290,8 @@ const PROVIDER_COORDINATES: Record<
   oraclecloud: ORACLECLOUD_COORDINATES,
   mongodbatlas: MONGODBATLAS_COORDINATES,
   alibabacloud: ALIBABACLOUD_COORDINATES,
+  okta: OKTA_COORDINATES,
+  googleworkspace: GOOGLEWORKSPACE_COORDINATES,
 };
 
 // Returns [lng, lat] format for D3/GeoJSON compatibility

ui/app/(prowler)/compliance/[compliancetitle]/page.tsx

@@ -87,7 +87,7 @@ export default async function ComplianceDetail({
           "filter[scan_id]": selectedScanId ?? undefined,
         },
       }),
-      getComplianceAttributes(complianceId),
+      getComplianceAttributes(complianceId, selectedScanId ?? undefined),
       selectedScanId
         ? getScan(selectedScanId, { include: "provider" })
         : Promise.resolve(null),

ui/components/graphs/threat-map.test.tsx

@@ -0,0 +1,93 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
+
+import { ThreatMap } from "./threat-map";
+import type { ThreatMapData } from "./threat-map.types";
+
+vi.mock("next/navigation", () => ({
+  useRouter: () => ({ push: vi.fn() }),
+  useSearchParams: () => new URLSearchParams(),
+}));
+
+vi.mock("./horizontal-bar-chart", () => ({
+  HorizontalBarChart: () => <div data-testid="bar-chart" />,
+}));
+
+function buildLocation(providerType: string, region: string) {
+  return {
+    id: `${providerType}-${region}`,
+    name: `${providerType} - ${region}`,
+    region,
+    regionCode: region,
+    providerType,
+    coordinates: [-122.4, 37.8] as [number, number],
+    totalFindings: 10,
+    failFindings: 4,
+    riskLevel: "high" as const,
+    severityData: [
+      { name: "Fail", value: 4, percentage: 40 },
+      { name: "Pass", value: 6, percentage: 60 },
+    ],
+  };
+}
+
+describe("ThreatMap region selector", () => {
+  it("auto-selects the region when it is the only one available", () => {
+    const data: ThreatMapData = {
+      locations: [
+        buildLocation("okta", "global"),
+        buildLocation("googleworkspace", "global"),
+      ],
+      regions: ["global"],
+    };
+
+    render(<ThreatMap data={data} />);
+
+    const select = screen.getByRole("combobox", {
+      name: "Filter threat map by region",
+    });
+    expect(select).toHaveValue("global");
+    expect(screen.getByText("Global Regions")).toBeInTheDocument();
+    expect(
+      screen.queryByText("Select a location on the map to view details"),
+    ).not.toBeInTheDocument();
+  });
+
+  it("keeps All Regions as default when there are multiple regions", () => {
+    const data: ThreatMapData = {
+      locations: [
+        buildLocation("aws", "us-east-1"),
+        buildLocation("okta", "global"),
+      ],
+      regions: ["global", "us-east-1"],
+    };
+
+    render(<ThreatMap data={data} />);
+
+    const select = screen.getByRole("combobox", {
+      name: "Filter threat map by region",
+    });
+    expect(select).toHaveValue("All Regions");
+    expect(
+      screen.getByRole("option", { name: "All Regions" }),
+    ).toBeInTheDocument();
+  });
+
+  it("shows the global option capitalized while keeping its filter value", () => {
+    const data: ThreatMapData = {
+      locations: [
+        buildLocation("aws", "us-east-1"),
+        buildLocation("okta", "global"),
+      ],
+      regions: ["global", "us-east-1"],
+    };
+
+    render(<ThreatMap data={data} />);
+
+    const globalOption = screen.getByRole("option", { name: "Global" });
+    expect(globalOption).toHaveValue("global");
+    expect(
+      screen.getByRole("option", { name: "us-east-1" }),
+    ).toBeInTheDocument();
+  });
+});

ui/components/graphs/threat-map.tsx

@@ -124,7 +124,11 @@ export function ThreatMap({
     x: number;
     y: number;
   } | null>(null);
-  const [selectedRegion, setSelectedRegion] = useState("All Regions");
+  // With a single region "All Regions" adds nothing, so it starts selected
+  const hasSingleRegion = data.regions.length === 1;
+  const [selectedRegion, setSelectedRegion] = useState(
+    hasSingleRegion ? data.regions[0] : "All Regions",
+  );
   const [worldData, setWorldData] = useState<FeatureCollection | null>(null);
   const [isLoadingMap, setIsLoadingMap] = useState(true);
   const [dimensions, setDimensions] = useState<{
@@ -424,10 +428,12 @@ export function ThreatMap({
                   onChange={(e) => setSelectedRegion(e.target.value)}
                   className="border-border-neutral-primary bg-bg-neutral-secondary text-text-neutral-primary appearance-none rounded-lg border px-4 py-2 pr-10 text-sm focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2"
                 >
-                  <option value="All Regions">All Regions</option>
+                  {!hasSingleRegion && (
+                    <option value="All Regions">All Regions</option>
+                  )}
                   {sortedRegions.map((region) => (
                     <option key={region} value={region}>
-                      {region}
+                      {region.toLowerCase() === "global" ? "Global" : region}
                     </option>
                   ))}
                 </select>
@@ -467,7 +473,7 @@ export function ThreatMap({
                   <div className="border-border-neutral-primary bg-bg-neutral-secondary absolute bottom-4 left-4 flex items-center gap-2 rounded-full border px-3 py-1.5">
                     <div
                       aria-hidden="true"
-                      className="bg-data-critical h-3 w-3 rounded"
+                      className="bg-bg-data-critical h-3 w-3 rounded"
                     />
                     <span className="text-text-neutral-primary text-sm font-medium">
                       {locationCount} Locations

uv.lock

@@ -3245,7 +3245,7 @@ wheels = [
 
 [[package]]
 name = "prowler"
-version = "5.30.0"
+version = "5.30.2"
 source = { editable = "." }
 dependencies = [
     { name = "alibabacloud-actiontrail20200706" },