feat(aws): new check bedrock_api_key_no_long_term_credentials (#8396)

Co-authored-by: Chandrapal Badshah <12944530+Chan9390@users.noreply.github.com>
Co-authored-by: Pablo Lara <larabjj@gmail.com>

.github/workflows/api-build-lint-push-containers.yml

@@ -6,6 +6,7 @@ on:
       - "master"
     paths:
       - "api/**"
+      - "prowler/**"
       - ".github/workflows/api-build-lint-push-containers.yml"
 
   # Uncomment the code below to test this action on PRs

.github/workflows/prowler-release-preparation.yml

@@ -0,0 +1,257 @@
+name: Prowler Release Preparation
+
+run-name: Prowler Release Preparation for ${{ inputs.prowler_version }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      prowler_version:
+        description: 'Prowler version to release (e.g., 5.9.0)'
+        required: true
+        type: string
+
+env:
+  PROWLER_VERSION: ${{ github.event.inputs.prowler_version }}
+
+jobs:
+  prepare-release:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 0
+
+    - name: Set up Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: '3.12'
+
+    - name: Install Poetry
+      run: |
+        python3 -m pip install --user poetry
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Parse version and determine branch
+      run: |
+        # Validate version format (reusing pattern from sdk-bump-version.yml)
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          MAJOR_VERSION=${BASH_REMATCH[1]}
+          MINOR_VERSION=${BASH_REMATCH[2]}
+          PATCH_VERSION=${BASH_REMATCH[3]}
+
+          # Export version components to environment
+          echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
+          echo "MINOR_VERSION=${MINOR_VERSION}" >> "${GITHUB_ENV}"
+          echo "PATCH_VERSION=${PATCH_VERSION}" >> "${GITHUB_ENV}"
+
+          # Determine branch name (format: v5.9)
+          BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"
+
+          # Calculate UI version (1.X.X format - matches Prowler minor version)
+          UI_VERSION="1.${MINOR_VERSION}.${PATCH_VERSION}"
+          echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+
+          # Calculate API version (1.X.X format - one minor version ahead)
+          API_MINOR_VERSION=$((MINOR_VERSION + 1))
+          API_VERSION="1.${API_MINOR_VERSION}.${PATCH_VERSION}"
+          echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Prowler version: $PROWLER_VERSION"
+          echo "Branch name: $BRANCH_NAME"
+          echo "UI version: $UI_VERSION"
+          echo "API version: $API_VERSION"
+          echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
+        else
+          echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
+          exit 1
+        fi
+
+    - name: Checkout existing branch for patch release
+      if: ${{ env.PATCH_VERSION != '0' }}
+      run: |
+        echo "Patch release detected, checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists locally, checking out..."
+          git checkout "$BRANCH_NAME"
+        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for patch release $PROWLER_VERSION"
+          exit 1
+        fi
+
+    - name: Verify version in pyproject.toml
+      run: |
+        CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
+          echo "ERROR: Version mismatch in pyproject.toml (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
+          exit 1
+        fi
+        echo "✓ pyproject.toml version: $CURRENT_VERSION"
+
+    - name: Verify version in prowler/config/config.py
+      run: |
+        CURRENT_VERSION=$(grep '^prowler_version = ' prowler/config/config.py | sed -E 's/prowler_version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
+          echo "ERROR: Version mismatch in prowler/config/config.py (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
+          exit 1
+        fi
+        echo "✓ prowler/config/config.py version: $CURRENT_VERSION"
+
+    - name: Verify version in api/pyproject.toml
+      run: |
+        CURRENT_API_VERSION=$(grep '^version = ' api/pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in api/pyproject.toml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/pyproject.toml version: $CURRENT_API_VERSION"
+
+    - name: Verify prowler dependency in api/pyproject.toml
+      if: ${{ env.PATCH_VERSION != '0' }}
+      run: |
+        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
+        if [ "$CURRENT_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
+          echo "ERROR: Prowler dependency mismatch in api/pyproject.toml (expected: '$BRANCH_NAME_TRIMMED', found: '$CURRENT_PROWLER_REF')"
+          exit 1
+        fi
+        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"
+
+    - name: Verify version in api/src/backend/api/v1/views.py
+      run: |
+        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
+
+    - name: Create release branch for minor release
+      if: ${{ env.PATCH_VERSION == '0' }}
+      run: |
+        echo "Minor release detected (patch = 0), creating new branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME" || git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "ERROR: Branch $BRANCH_NAME already exists for minor release $PROWLER_VERSION"
+          exit 1
+        fi
+        git checkout -b "$BRANCH_NAME"
+
+    - name: Update prowler dependency in api/pyproject.toml
+      if: ${{ env.PATCH_VERSION == '0' }}
+      run: |
+        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
+
+        # Minor release: update the dependency to use the new branch
+        echo "Minor release detected - updating prowler dependency from '$CURRENT_PROWLER_REF' to '$BRANCH_NAME_TRIMMED'"
+        sed -i "s|prowler @ git+https://github.com/prowler-cloud/prowler.git@[^\"]*\"|prowler @ git+https://github.com/prowler-cloud/prowler.git@$BRANCH_NAME_TRIMMED\"|" api/pyproject.toml
+
+        # Verify the change was made
+        UPDATED_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        if [ "$UPDATED_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
+          echo "ERROR: Failed to update prowler dependency in api/pyproject.toml"
+          exit 1
+        fi
+
+        # Update poetry lock file
+        echo "Updating poetry.lock file..."
+        cd api
+        poetry lock --no-update
+        cd ..
+
+        # Commit and push the changes
+        git add api/pyproject.toml api/poetry.lock
+        git commit -m "chore(api): update prowler dependency to $BRANCH_NAME_TRIMMED for release $PROWLER_VERSION"
+        git push origin "$BRANCH_NAME"
+
+        echo "✓ api/pyproject.toml prowler dependency updated to: $UPDATED_PROWLER_REF"
+
+    - name: Extract changelog entries
+      run: |
+        set -e
+
+        # Function to extract changelog for a specific version
+        extract_changelog() {
+          local file="$1"
+          local version="$2"
+          local output_file="$3"
+
+          if [ ! -f "$file" ]; then
+            echo "Warning: $file not found, skipping..."
+            touch "$output_file"
+            return
+          fi
+
+          # Extract changelog section for this version
+          awk -v version="$version" '
+            /^## \[v?'"$version"'\]/ { found=1; next }
+            found && /^## \[v?[0-9]+\.[0-9]+\.[0-9]+\]/ { found=0 }
+            found && !/^## \[v?'"$version"'\]/ { print }
+          ' "$file" > "$output_file"
+
+          # Remove --- separators
+          sed -i '/^---$/d' "$output_file"
+
+          # Remove trailing empty lines
+          sed -i '/^$/d' "$output_file"
+        }
+
+        # Extract changelogs
+        echo "Extracting changelog entries..."
+        extract_changelog "prowler/CHANGELOG.md" "$PROWLER_VERSION" "prowler_changelog.md"
+        extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
+        extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
+
+        # Combine changelogs in order: UI, API, SDK
+        > combined_changelog.md
+
+        if [ -s "ui_changelog.md" ]; then
+          echo "## UI" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat ui_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        if [ -s "api_changelog.md" ]; then
+          echo "## API" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat api_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        if [ -s "prowler_changelog.md" ]; then
+          echo "## SDK" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat prowler_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        echo "Combined changelog preview:"
+        cat combined_changelog.md
+
+    - name: Create draft release
+      uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+      with:
+        tag_name: ${{ env.PROWLER_VERSION }}
+        name: Prowler ${{ env.PROWLER_VERSION }}
+        body_path: combined_changelog.md
+        draft: true
+        target_commitish: ${{ env.PATCH_VERSION == '0' && 'master' || env.BRANCH_NAME }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Clean up temporary files
+      run: |
+        rm -f prowler_changelog.md api_changelog.md ui_changelog.md combined_changelog.md

.github/workflows/sdk-bump-version.yml

@@ -12,7 +12,6 @@ env:
 jobs:
   bump-version:
     name: Bump Version
-    if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/sdk-pull-request.yml

@@ -102,8 +102,15 @@ jobs:
         run: |
           poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
 
+      - name: Dockerfile - Check if Dockerfile has changed
+        id: dockerfile-changed-files
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        with:
+          files: |
+            Dockerfile
+
       - name: Hadolint
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        if: steps.dockerfile-changed-files.outputs.any_changed == 'true'
         run: |
           /tmp/hadolint Dockerfile --ignore=DL3013
 

.github/workflows/ui-e2e-tests.yml

@@ -0,0 +1,98 @@
+name: UI - E2E Tests
+
+on:
+  pull_request:
+    branches:
+      - master
+      - "v5.*"
+    paths:
+      - '.github/workflows/ui-e2e-tests.yml'
+      - 'ui/**'
+
+jobs:
+  e2e-tests:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    env:
+      AUTH_SECRET: 'fallback-ci-secret-for-testing'
+      AUTH_TRUST_HOST: true
+      NEXTAUTH_URL: 'http://localhost:3000'
+      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Start API services
+        run: |
+          # Override docker-compose image tag to use latest instead of stable
+          # This overrides any PROWLER_API_VERSION set in .env file
+          export PROWLER_API_VERSION=latest
+          echo "Using PROWLER_API_VERSION=${PROWLER_API_VERSION}"
+          docker compose up -d api worker worker-beat
+      - name: Wait for API to be ready
+        run: |
+          echo "Waiting for prowler-api..."
+          timeout=150  # 5 minutes max
+          elapsed=0
+          while [ $elapsed -lt $timeout ]; do
+            if curl -s ${NEXT_PUBLIC_API_BASE_URL}/docs >/dev/null 2>&1; then
+              echo "Prowler API is ready!"
+              exit 0
+            fi
+            echo "Waiting for prowler-api... (${elapsed}s elapsed)"
+            sleep 5
+            elapsed=$((elapsed + 5))
+          done
+          echo "Timeout waiting for prowler-api to start"
+          exit 1
+      - name: Load database fixtures for E2E tests
+        run: |
+          docker compose exec -T api sh -c '
+            echo "Loading all fixtures from api/fixtures/dev/..."
+            for fixture in api/fixtures/dev/*.json; do
+              if [ -f "$fixture" ]; then
+                echo "Loading $fixture"
+                poetry run python manage.py loaddata "$fixture" --database admin
+              fi
+            done
+            echo "All database fixtures loaded successfully!"
+          '
+      - name: Setup Node.js environment
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '20.x'
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
+      - name: Install UI dependencies
+        working-directory: ./ui
+        run: npm ci
+      - name: Build UI application
+        working-directory: ./ui
+        run: npm run build
+      - name: Cache Playwright browsers
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+      - name: Install Playwright browsers
+        working-directory: ./ui
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        run: npm run test:e2e:install
+      - name: Run E2E tests
+        working-directory: ./ui
+        run: npm run test:e2e
+      - name: Upload test reports
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        if: failure()
+        with:
+          name: playwright-report
+          path: ui/playwright-report/
+          retention-days: 30
+      - name: Cleanup services
+        if: always()
+        run: |
+          echo "Shutting down services..."
+          docker compose down -v || true
+          echo "Cleanup completed"

.github/workflows/ui-pull-request.yml

@@ -46,52 +46,6 @@ jobs:
         working-directory: ./ui
         run: npm run build
 
-  e2e-tests:
-    runs-on: ubuntu-latest
-    env:
-      AUTH_SECRET: 'fallback-ci-secret-for-testing'
-      AUTH_TRUST_HOST: true
-      NEXTAUTH_URL: http://localhost:3000
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version: '20.x'
-          cache: 'npm'
-          cache-dependency-path: './ui/package-lock.json'
-      - name: Install dependencies
-        working-directory: ./ui
-        run: npm ci
-      - name: Cache Playwright browsers
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        id: playwright-cache
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-      - name: Install Playwright browsers
-        working-directory: ./ui
-        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: npm run test:e2e:install
-      - name: Build the application
-        working-directory: ./ui
-        run: npm run build
-      - name: Run Playwright tests
-        working-directory: ./ui
-        run: npm run test:e2e
-      - name: Upload Playwright report
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
-        if: failure()
-        with:
-          name: playwright-report
-          path: ui/playwright-report/
-          retention-days: 30
-
   test-container-build:
     runs-on: ubuntu-latest
     steps:

README.md

@@ -88,7 +88,7 @@ prowler dashboard
 |---|---|---|---|---|
 | AWS | 567 | 82 | 36 | 10 |
 | GCP | 79 | 13 | 10 | 3 |
-| Azure | 142 | 18 | 10 | 3 |
+| Azure | 142 | 18 | 11 | 3 |
 | Kubernetes | 83 | 7 | 5 | 7 |
 | GitHub | 16 | 2 | 1 | 0 |
 | M365 | 69 | 7 | 3 | 2 |
@@ -136,6 +136,14 @@ If your workstation's architecture is incompatible, you can resolve this by:
 
 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
 
+### Common Issues with Docker Pull Installation
+
+> [!Note]
+  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.md) section for more details and examples.
+
+You can find more information in the [Troubleshooting](./docs/troubleshooting.md) section.
+
+
 ### From GitHub
 
 **Requirements**

api/CHANGELOG.md

@@ -2,15 +2,47 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [v1.10.0] (Prowler UNRELEASED)
+## [1.11.0] (Prowler UNRELEASED)
 
 ### Added
+- Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)
 
+---
+
+## [1.10.2] (Prowler v5.9.2)
+
+### Changed
+- Optimized queries for resources views [(#8336)](https://github.com/prowler-cloud/prowler/pull/8336)
+
+---
+
+## [v1.10.1] (Prowler v5.9.1)
+
+### Fixed
+- Calculate failed findings during scans to prevent heavy database queries [(#8322)](https://github.com/prowler-cloud/prowler/pull/8322)
+
+---
+
+## [v1.10.0] (Prowler v5.9.0)
+
+### Added
 - SSO with SAML support [(#8175)](https://github.com/prowler-cloud/prowler/pull/8175)
+- `GET /resources/metadata`, `GET /resources/metadata/latest` and `GET /resources/latest` to expose resource metadata and latest scan results [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+
+### Changed
 - `/processors` endpoints to post-process findings. Currently, only the Mutelist processor is supported to allow to mute findings.
+- Optimized the underlying queries for resources endpoints [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+- Optimized include parameters for resources view [(#8229)](https://github.com/prowler-cloud/prowler/pull/8229)
+- Optimized overview background tasks [(#8300)](https://github.com/prowler-cloud/prowler/pull/8300)
+
+### Fixed
+- Search filter for findings and resources [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+- RBAC is now applied to `GET /overviews/providers` [(#8277)](https://github.com/prowler-cloud/prowler/pull/8277)
+
+### Changed
+- `POST /schedules/daily` returns a `409 CONFLICT` if already created [(#8258)](https://github.com/prowler-cloud/prowler/pull/8258)
 
 ### Security
-
 - Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers [(#8225)](https://github.com/prowler-cloud/prowler/pull/8225)
 
 ---

api/poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -26,98 +26,103 @@ files = [
 
 [[package]]
 name = "aiohttp"
-version = "3.11.18"
+version = "3.12.14"
 description = "Async http client/server framework (asyncio)"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "aiohttp-3.11.18-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:96264854fedbea933a9ca4b7e0c745728f01380691687b7365d18d9e977179c4"},
-    {file = "aiohttp-3.11.18-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:9602044ff047043430452bc3a2089743fa85da829e6fc9ee0025351d66c332b6"},
-    {file = "aiohttp-3.11.18-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:5691dc38750fcb96a33ceef89642f139aa315c8a193bbd42a0c33476fd4a1609"},
-    {file = "aiohttp-3.11.18-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:554c918ec43f8480b47a5ca758e10e793bd7410b83701676a4782672d670da55"},
-    {file = "aiohttp-3.11.18-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8a4076a2b3ba5b004b8cffca6afe18a3b2c5c9ef679b4d1e9859cf76295f8d4f"},
-    {file = "aiohttp-3.11.18-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:767a97e6900edd11c762be96d82d13a1d7c4fc4b329f054e88b57cdc21fded94"},
-    {file = "aiohttp-3.11.18-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f0ddc9337a0fb0e727785ad4f41163cc314376e82b31846d3835673786420ef1"},
-    {file = "aiohttp-3.11.18-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f414f37b244f2a97e79b98d48c5ff0789a0b4b4609b17d64fa81771ad780e415"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:fdb239f47328581e2ec7744ab5911f97afb10752332a6dd3d98e14e429e1a9e7"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:f2c50bad73ed629cc326cc0f75aed8ecfb013f88c5af116f33df556ed47143eb"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:0a8d8f20c39d3fa84d1c28cdb97f3111387e48209e224408e75f29c6f8e0861d"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:106032eaf9e62fd6bc6578c8b9e6dc4f5ed9a5c1c7fb2231010a1b4304393421"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:b491e42183e8fcc9901d8dcd8ae644ff785590f1727f76ca86e731c61bfe6643"},
-    {file = "aiohttp-3.11.18-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ad8c745ff9460a16b710e58e06a9dec11ebc0d8f4dd82091cefb579844d69868"},
-    {file = "aiohttp-3.11.18-cp310-cp310-win32.whl", hash = "sha256:8e57da93e24303a883146510a434f0faf2f1e7e659f3041abc4e3fb3f6702a9f"},
-    {file = "aiohttp-3.11.18-cp310-cp310-win_amd64.whl", hash = "sha256:cc93a4121d87d9f12739fc8fab0a95f78444e571ed63e40bfc78cd5abe700ac9"},
-    {file = "aiohttp-3.11.18-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:427fdc56ccb6901ff8088544bde47084845ea81591deb16f957897f0f0ba1be9"},
-    {file = "aiohttp-3.11.18-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:2c828b6d23b984255b85b9b04a5b963a74278b7356a7de84fda5e3b76866597b"},
-    {file = "aiohttp-3.11.18-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5c2eaa145bb36b33af1ff2860820ba0589e165be4ab63a49aebfd0981c173b66"},
-    {file = "aiohttp-3.11.18-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3d518ce32179f7e2096bf4e3e8438cf445f05fedd597f252de9f54c728574756"},
-    {file = "aiohttp-3.11.18-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0700055a6e05c2f4711011a44364020d7a10fbbcd02fbf3e30e8f7e7fddc8717"},
-    {file = "aiohttp-3.11.18-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8bd1cde83e4684324e6ee19adfc25fd649d04078179890be7b29f76b501de8e4"},
-    {file = "aiohttp-3.11.18-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:73b8870fe1c9a201b8c0d12c94fe781b918664766728783241a79e0468427e4f"},
-    {file = "aiohttp-3.11.18-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:25557982dd36b9e32c0a3357f30804e80790ec2c4d20ac6bcc598533e04c6361"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:7e889c9df381a2433802991288a61e5a19ceb4f61bd14f5c9fa165655dcb1fd1"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:9ea345fda05bae217b6cce2acf3682ce3b13d0d16dd47d0de7080e5e21362421"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:9f26545b9940c4b46f0a9388fd04ee3ad7064c4017b5a334dd450f616396590e"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:3a621d85e85dccabd700294494d7179ed1590b6d07a35709bb9bd608c7f5dd1d"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:9c23fd8d08eb9c2af3faeedc8c56e134acdaf36e2117ee059d7defa655130e5f"},
-    {file = "aiohttp-3.11.18-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:d9e6b0e519067caa4fd7fb72e3e8002d16a68e84e62e7291092a5433763dc0dd"},
-    {file = "aiohttp-3.11.18-cp311-cp311-win32.whl", hash = "sha256:122f3e739f6607e5e4c6a2f8562a6f476192a682a52bda8b4c6d4254e1138f4d"},
-    {file = "aiohttp-3.11.18-cp311-cp311-win_amd64.whl", hash = "sha256:e6f3c0a3a1e73e88af384b2e8a0b9f4fb73245afd47589df2afcab6b638fa0e6"},
-    {file = "aiohttp-3.11.18-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:63d71eceb9cad35d47d71f78edac41fcd01ff10cacaa64e473d1aec13fa02df2"},
-    {file = "aiohttp-3.11.18-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:d1929da615840969929e8878d7951b31afe0bac883d84418f92e5755d7b49508"},
-    {file = "aiohttp-3.11.18-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:7d0aebeb2392f19b184e3fdd9e651b0e39cd0f195cdb93328bd124a1d455cd0e"},
-    {file = "aiohttp-3.11.18-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3849ead845e8444f7331c284132ab314b4dac43bfae1e3cf350906d4fff4620f"},
-    {file = "aiohttp-3.11.18-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5e8452ad6b2863709f8b3d615955aa0807bc093c34b8e25b3b52097fe421cb7f"},
-    {file = "aiohttp-3.11.18-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b8d2b42073611c860a37f718b3d61ae8b4c2b124b2e776e2c10619d920350ec"},
-    {file = "aiohttp-3.11.18-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:40fbf91f6a0ac317c0a07eb328a1384941872f6761f2e6f7208b63c4cc0a7ff6"},
-    {file = "aiohttp-3.11.18-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:44ff5625413fec55216da5eaa011cf6b0a2ed67a565914a212a51aa3755b0009"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:7f33a92a2fde08e8c6b0c61815521324fc1612f397abf96eed86b8e31618fdb4"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:11d5391946605f445ddafda5eab11caf310f90cdda1fd99865564e3164f5cff9"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:3cc314245deb311364884e44242e00c18b5896e4fe6d5f942e7ad7e4cb640adb"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:0f421843b0f70740772228b9e8093289924359d306530bcd3926f39acbe1adda"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:e220e7562467dc8d589e31c1acd13438d82c03d7f385c9cd41a3f6d1d15807c1"},
-    {file = "aiohttp-3.11.18-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:ab2ef72f8605046115bc9aa8e9d14fd49086d405855f40b79ed9e5c1f9f4faea"},
-    {file = "aiohttp-3.11.18-cp312-cp312-win32.whl", hash = "sha256:12a62691eb5aac58d65200c7ae94d73e8a65c331c3a86a2e9670927e94339ee8"},
-    {file = "aiohttp-3.11.18-cp312-cp312-win_amd64.whl", hash = "sha256:364329f319c499128fd5cd2d1c31c44f234c58f9b96cc57f743d16ec4f3238c8"},
-    {file = "aiohttp-3.11.18-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:474215ec618974054cf5dc465497ae9708543cbfc312c65212325d4212525811"},
-    {file = "aiohttp-3.11.18-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:6ced70adf03920d4e67c373fd692123e34d3ac81dfa1c27e45904a628567d804"},
-    {file = "aiohttp-3.11.18-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2d9f6c0152f8d71361905aaf9ed979259537981f47ad099c8b3d81e0319814bd"},
-    {file = "aiohttp-3.11.18-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a35197013ed929c0aed5c9096de1fc5a9d336914d73ab3f9df14741668c0616c"},
-    {file = "aiohttp-3.11.18-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:540b8a1f3a424f1af63e0af2d2853a759242a1769f9f1ab053996a392bd70118"},
-    {file = "aiohttp-3.11.18-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f9e6710ebebfce2ba21cee6d91e7452d1125100f41b906fb5af3da8c78b764c1"},
-    {file = "aiohttp-3.11.18-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f8af2ef3b4b652ff109f98087242e2ab974b2b2b496304063585e3d78de0b000"},
-    {file = "aiohttp-3.11.18-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:28c3f975e5ae3dbcbe95b7e3dcd30e51da561a0a0f2cfbcdea30fc1308d72137"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:c28875e316c7b4c3e745172d882d8a5c835b11018e33432d281211af35794a93"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:13cd38515568ae230e1ef6919e2e33da5d0f46862943fcda74e7e915096815f3"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:0e2a92101efb9f4c2942252c69c63ddb26d20f46f540c239ccfa5af865197bb8"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:e6d3e32b8753c8d45ac550b11a1090dd66d110d4ef805ffe60fa61495360b3b2"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:ea4cf2488156e0f281f93cc2fd365025efcba3e2d217cbe3df2840f8c73db261"},
-    {file = "aiohttp-3.11.18-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9d4df95ad522c53f2b9ebc07f12ccd2cb15550941e11a5bbc5ddca2ca56316d7"},
-    {file = "aiohttp-3.11.18-cp313-cp313-win32.whl", hash = "sha256:cdd1bbaf1e61f0d94aced116d6e95fe25942f7a5f42382195fd9501089db5d78"},
-    {file = "aiohttp-3.11.18-cp313-cp313-win_amd64.whl", hash = "sha256:bdd619c27e44382cf642223f11cfd4d795161362a5a1fc1fa3940397bc89db01"},
-    {file = "aiohttp-3.11.18-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:469ac32375d9a716da49817cd26f1916ec787fc82b151c1c832f58420e6d3533"},
-    {file = "aiohttp-3.11.18-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:3cec21dd68924179258ae14af9f5418c1ebdbba60b98c667815891293902e5e0"},
-    {file = "aiohttp-3.11.18-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:b426495fb9140e75719b3ae70a5e8dd3a79def0ae3c6c27e012fc59f16544a4a"},
-    {file = "aiohttp-3.11.18-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ad2f41203e2808616292db5d7170cccf0c9f9c982d02544443c7eb0296e8b0c7"},
-    {file = "aiohttp-3.11.18-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5bc0ae0a5e9939e423e065a3e5b00b24b8379f1db46046d7ab71753dfc7dd0e1"},
-    {file = "aiohttp-3.11.18-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fe7cdd3f7d1df43200e1c80f1aed86bb36033bf65e3c7cf46a2b97a253ef8798"},
-    {file = "aiohttp-3.11.18-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5199be2a2f01ffdfa8c3a6f5981205242986b9e63eb8ae03fd18f736e4840721"},
-    {file = "aiohttp-3.11.18-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7ccec9e72660b10f8e283e91aa0295975c7bd85c204011d9f5eb69310555cf30"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:1596ebf17e42e293cbacc7a24c3e0dc0f8f755b40aff0402cb74c1ff6baec1d3"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:eab7b040a8a873020113ba814b7db7fa935235e4cbaf8f3da17671baa1024863"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:5d61df4a05476ff891cff0030329fee4088d40e4dc9b013fac01bc3c745542c2"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:46533e6792e1410f9801d09fd40cbbff3f3518d1b501d6c3c5b218f427f6ff08"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:c1b90407ced992331dd6d4f1355819ea1c274cc1ee4d5b7046c6761f9ec11829"},
-    {file = "aiohttp-3.11.18-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:a2fd04ae4971b914e54fe459dd7edbbd3f2ba875d69e057d5e3c8e8cac094935"},
-    {file = "aiohttp-3.11.18-cp39-cp39-win32.whl", hash = "sha256:b2f317d1678002eee6fe85670039fb34a757972284614638f82b903a03feacdc"},
-    {file = "aiohttp-3.11.18-cp39-cp39-win_amd64.whl", hash = "sha256:5e7007b8d1d09bce37b54111f593d173691c530b80f27c6493b928dabed9e6ef"},
-    {file = "aiohttp-3.11.18.tar.gz", hash = "sha256:ae856e1138612b7e412db63b7708735cff4d38d0399f6a5435d3dac2669f558a"},
+    {file = "aiohttp-3.12.14-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248"},
+    {file = "aiohttp-3.12.14-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c875bf6fc2fd1a572aba0e02ef4e7a63694778c5646cdbda346ee24e630d30fb"},
+    {file = "aiohttp-3.12.14-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:fbb284d15c6a45fab030740049d03c0ecd60edad9cd23b211d7e11d3be8d56fd"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38e360381e02e1a05d36b223ecab7bc4a6e7b5ab15760022dc92589ee1d4238c"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:aaf90137b5e5d84a53632ad95ebee5c9e3e7468f0aab92ba3f608adcb914fa95"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e532a25e4a0a2685fa295a31acf65e027fbe2bea7a4b02cdfbbba8a064577663"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:eab9762c4d1b08ae04a6c77474e6136da722e34fdc0e6d6eab5ee93ac29f35d1"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:abe53c3812b2899889a7fca763cdfaeee725f5be68ea89905e4275476ffd7e61"},
+    {file = "aiohttp-3.12.14-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5760909b7080aa2ec1d320baee90d03b21745573780a072b66ce633eb77a8656"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:02fcd3f69051467bbaa7f84d7ec3267478c7df18d68b2e28279116e29d18d4f3"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:4dcd1172cd6794884c33e504d3da3c35648b8be9bfa946942d353b939d5f1288"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:224d0da41355b942b43ad08101b1b41ce633a654128ee07e36d75133443adcda"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:e387668724f4d734e865c1776d841ed75b300ee61059aca0b05bce67061dcacc"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:dec9cde5b5a24171e0b0a4ca064b1414950904053fb77c707efd876a2da525d8"},
+    {file = "aiohttp-3.12.14-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:bbad68a2af4877cc103cd94af9160e45676fc6f0c14abb88e6e092b945c2c8e3"},
+    {file = "aiohttp-3.12.14-cp310-cp310-win32.whl", hash = "sha256:ee580cb7c00bd857b3039ebca03c4448e84700dc1322f860cf7a500a6f62630c"},
+    {file = "aiohttp-3.12.14-cp310-cp310-win_amd64.whl", hash = "sha256:cf4f05b8cea571e2ccc3ca744e35ead24992d90a72ca2cf7ab7a2efbac6716db"},
+    {file = "aiohttp-3.12.14-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f4552ff7b18bcec18b60a90c6982049cdb9dac1dba48cf00b97934a06ce2e597"},
+    {file = "aiohttp-3.12.14-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:8283f42181ff6ccbcf25acaae4e8ab2ff7e92b3ca4a4ced73b2c12d8cd971393"},
+    {file = "aiohttp-3.12.14-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:040afa180ea514495aaff7ad34ec3d27826eaa5d19812730fe9e529b04bb2179"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b413c12f14c1149f0ffd890f4141a7471ba4b41234fe4fd4a0ff82b1dc299dbb"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:1d6f607ce2e1a93315414e3d448b831238f1874b9968e1195b06efaa5c87e245"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:565e70d03e924333004ed101599902bba09ebb14843c8ea39d657f037115201b"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4699979560728b168d5ab63c668a093c9570af2c7a78ea24ca5212c6cdc2b641"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ad5fdf6af93ec6c99bf800eba3af9a43d8bfd66dce920ac905c817ef4a712afe"},
+    {file = "aiohttp-3.12.14-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4ac76627c0b7ee0e80e871bde0d376a057916cb008a8f3ffc889570a838f5cc7"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:798204af1180885651b77bf03adc903743a86a39c7392c472891649610844635"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:4f1205f97de92c37dd71cf2d5bcfb65fdaed3c255d246172cce729a8d849b4da"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:76ae6f1dd041f85065d9df77c6bc9c9703da9b5c018479d20262acc3df97d419"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:a194ace7bc43ce765338ca2dfb5661489317db216ea7ea700b0332878b392cab"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:16260e8e03744a6fe3fcb05259eeab8e08342c4c33decf96a9dad9f1187275d0"},
+    {file = "aiohttp-3.12.14-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:8c779e5ebbf0e2e15334ea404fcce54009dc069210164a244d2eac8352a44b28"},
+    {file = "aiohttp-3.12.14-cp311-cp311-win32.whl", hash = "sha256:a289f50bf1bd5be227376c067927f78079a7bdeccf8daa6a9e65c38bae14324b"},
+    {file = "aiohttp-3.12.14-cp311-cp311-win_amd64.whl", hash = "sha256:0b8a69acaf06b17e9c54151a6c956339cf46db4ff72b3ac28516d0f7068f4ced"},
+    {file = "aiohttp-3.12.14-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:a0ecbb32fc3e69bc25efcda7d28d38e987d007096cbbeed04f14a6662d0eee22"},
+    {file = "aiohttp-3.12.14-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:0400f0ca9bb3e0b02f6466421f253797f6384e9845820c8b05e976398ac1d81a"},
+    {file = "aiohttp-3.12.14-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a56809fed4c8a830b5cae18454b7464e1529dbf66f71c4772e3cfa9cbec0a1ff"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27f2e373276e4755691a963e5d11756d093e346119f0627c2d6518208483fb6d"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:ca39e433630e9a16281125ef57ece6817afd1d54c9f1bf32e901f38f16035869"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9c748b3f8b14c77720132b2510a7d9907a03c20ba80f469e58d5dfd90c079a1c"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0a568abe1b15ce69d4cc37e23020720423f0728e3cb1f9bcd3f53420ec3bfe7"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9888e60c2c54eaf56704b17feb558c7ed6b7439bca1e07d4818ab878f2083660"},
+    {file = "aiohttp-3.12.14-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3006a1dc579b9156de01e7916d38c63dc1ea0679b14627a37edf6151bc530088"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:aa8ec5c15ab80e5501a26719eb48a55f3c567da45c6ea5bb78c52c036b2655c7"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:39b94e50959aa07844c7fe2206b9f75d63cc3ad1c648aaa755aa257f6f2498a9"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:04c11907492f416dad9885d503fbfc5dcb6768d90cad8639a771922d584609d3"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:88167bd9ab69bb46cee91bd9761db6dfd45b6e76a0438c7e884c3f8160ff21eb"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:791504763f25e8f9f251e4688195e8b455f8820274320204f7eafc467e609425"},
+    {file = "aiohttp-3.12.14-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:2785b112346e435dd3a1a67f67713a3fe692d288542f1347ad255683f066d8e0"},
+    {file = "aiohttp-3.12.14-cp312-cp312-win32.whl", hash = "sha256:15f5f4792c9c999a31d8decf444e79fcfd98497bf98e94284bf390a7bb8c1729"},
+    {file = "aiohttp-3.12.14-cp312-cp312-win_amd64.whl", hash = "sha256:3b66e1a182879f579b105a80d5c4bd448b91a57e8933564bf41665064796a338"},
+    {file = "aiohttp-3.12.14-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:3143a7893d94dc82bc409f7308bc10d60285a3cd831a68faf1aa0836c5c3c767"},
+    {file = "aiohttp-3.12.14-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:3d62ac3d506cef54b355bd34c2a7c230eb693880001dfcda0bf88b38f5d7af7e"},
+    {file = "aiohttp-3.12.14-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:48e43e075c6a438937c4de48ec30fa8ad8e6dfef122a038847456bfe7b947b63"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:077b4488411a9724cecc436cbc8c133e0d61e694995b8de51aaf351c7578949d"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:d8c35632575653f297dcbc9546305b2c1133391089ab925a6a3706dfa775ccab"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6b8ce87963f0035c6834b28f061df90cf525ff7c9b6283a8ac23acee6502afd4"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0a2cf66e32a2563bb0766eb24eae7e9a269ac0dc48db0aae90b575dc9583026"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cdea089caf6d5cde975084a884c72d901e36ef9c2fd972c9f51efbbc64e96fbd"},
+    {file = "aiohttp-3.12.14-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8a7865f27db67d49e81d463da64a59365ebd6b826e0e4847aa111056dcb9dc88"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0ab5b38a6a39781d77713ad930cb5e7feea6f253de656a5f9f281a8f5931b086"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b3b15acee5c17e8848d90a4ebc27853f37077ba6aec4d8cb4dbbea56d156933"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:e4c972b0bdaac167c1e53e16a16101b17c6d0ed7eac178e653a07b9f7fad7151"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:7442488b0039257a3bdbc55f7209587911f143fca11df9869578db6c26feeeb8"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:f68d3067eecb64c5e9bab4a26aa11bd676f4c70eea9ef6536b0a4e490639add3"},
+    {file = "aiohttp-3.12.14-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:f88d3704c8b3d598a08ad17d06006cb1ca52a1182291f04979e305c8be6c9758"},
+    {file = "aiohttp-3.12.14-cp313-cp313-win32.whl", hash = "sha256:a3c99ab19c7bf375c4ae3debd91ca5d394b98b6089a03231d4c580ef3c2ae4c5"},
+    {file = "aiohttp-3.12.14-cp313-cp313-win_amd64.whl", hash = "sha256:3f8aad695e12edc9d571f878c62bedc91adf30c760c8632f09663e5f564f4baa"},
+    {file = "aiohttp-3.12.14-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:b8cc6b05e94d837bcd71c6531e2344e1ff0fb87abe4ad78a9261d67ef5d83eae"},
+    {file = "aiohttp-3.12.14-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:d1dcb015ac6a3b8facd3677597edd5ff39d11d937456702f0bb2b762e390a21b"},
+    {file = "aiohttp-3.12.14-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3779ed96105cd70ee5e85ca4f457adbce3d9ff33ec3d0ebcdf6c5727f26b21b3"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:717a0680729b4ebd7569c1dcd718c46b09b360745fd8eb12317abc74b14d14d0"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:b5dd3a2ef7c7e968dbbac8f5574ebeac4d2b813b247e8cec28174a2ba3627170"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4710f77598c0092239bc12c1fcc278a444e16c7032d91babf5abbf7166463f7b"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f3e9f75ae842a6c22a195d4a127263dbf87cbab729829e0bd7857fb1672400b2"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5f9c8d55d6802086edd188e3a7d85a77787e50d56ce3eb4757a3205fa4657922"},
+    {file = "aiohttp-3.12.14-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:79b29053ff3ad307880d94562cca80693c62062a098a5776ea8ef5ef4b28d140"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:23e1332fff36bebd3183db0c7a547a1da9d3b4091509f6d818e098855f2f27d3"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:a564188ce831fd110ea76bcc97085dd6c625b427db3f1dbb14ca4baa1447dcbc"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:a7a1b4302f70bb3ec40ca86de82def532c97a80db49cac6a6700af0de41af5ee"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:1b07ccef62950a2519f9bfc1e5b294de5dd84329f444ca0b329605ea787a3de5"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:938bd3ca6259e7e48b38d84f753d548bd863e0c222ed6ee6ace3fd6752768a84"},
+    {file = "aiohttp-3.12.14-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:8bc784302b6b9f163b54c4e93d7a6f09563bd01ff2b841b29ed3ac126e5040bf"},
+    {file = "aiohttp-3.12.14-cp39-cp39-win32.whl", hash = "sha256:a3416f95961dd7d5393ecff99e3f41dc990fb72eda86c11f2a60308ac6dcd7a0"},
+    {file = "aiohttp-3.12.14-cp39-cp39-win_amd64.whl", hash = "sha256:196858b8820d7f60578f8b47e5669b3195c21d8ab261e39b1d705346458f445f"},
+    {file = "aiohttp-3.12.14.tar.gz", hash = "sha256:6e06e120e34d93100de448fd941522e11dafa78ef1a893c179901b7d66aa29f2"},
 ]
 
 [package.dependencies]
-aiohappyeyeballs = ">=2.3.0"
-aiosignal = ">=1.1.2"
+aiohappyeyeballs = ">=2.5.0"
+aiosignal = ">=1.4.0"
 attrs = ">=17.3.0"
 frozenlist = ">=1.1.1"
 multidict = ">=4.5,<7.0"
@@ -125,22 +130,23 @@ propcache = ">=0.2.0"
 yarl = ">=1.17.0,<2.0"
 
 [package.extras]
-speedups = ["Brotli ; platform_python_implementation == \"CPython\"", "aiodns (>=3.2.0) ; sys_platform == \"linux\" or sys_platform == \"darwin\"", "brotlicffi ; platform_python_implementation != \"CPython\""]
+speedups = ["Brotli ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "brotlicffi ; platform_python_implementation != \"CPython\""]
 
 [[package]]
 name = "aiosignal"
-version = "1.3.2"
+version = "1.4.0"
 description = "aiosignal: a list of registered asynchronous callbacks"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "aiosignal-1.3.2-py2.py3-none-any.whl", hash = "sha256:45cde58e409a301715980c2b01d0c28bdde3770d8290b5eb2173759d9acb31a5"},
-    {file = "aiosignal-1.3.2.tar.gz", hash = "sha256:a8c255c66fafb1e499c9351d0bf32ff2d8a0321595ebac3b93713656d2436f54"},
+    {file = "aiosignal-1.4.0-py3-none-any.whl", hash = "sha256:053243f8b92b990551949e63930a839ff0cf0b0ebbe0597b0f3fb19e1a0fe82e"},
+    {file = "aiosignal-1.4.0.tar.gz", hash = "sha256:f47eecd9468083c2029cc99945502cb7708b082c232f9aca65da147157b251c7"},
 ]
 
 [package.dependencies]
 frozenlist = ">=1.1.0"
+typing-extensions = {version = ">=4.2", markers = "python_version < \"3.13\""}
 
 [[package]]
 name = "alive-progress"
@@ -4988,6 +4994,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76"},
     {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6"},
     {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd"},
+    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a"},
     {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win32.whl", hash = "sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da"},
     {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win_amd64.whl", hash = "sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28"},
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6"},
@@ -4996,6 +5003,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52"},
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642"},
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2"},
+    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3"},
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win32.whl", hash = "sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4"},
     {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win_amd64.whl", hash = "sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb"},
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632"},
@@ -5004,6 +5012,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd"},
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31"},
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680"},
+    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d"},
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win32.whl", hash = "sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5"},
     {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win_amd64.whl", hash = "sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4"},
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a"},
@@ -5012,6 +5021,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6"},
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf"},
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1"},
+    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01"},
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win32.whl", hash = "sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6"},
     {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win_amd64.whl", hash = "sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3"},
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987"},
@@ -5020,6 +5030,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7"},
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285"},
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed"},
+    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7"},
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win32.whl", hash = "sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12"},
     {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win_amd64.whl", hash = "sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b"},
     {file = "ruamel.yaml.clib-0.2.12.tar.gz", hash = "sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f"},

api/pyproject.toml

@@ -38,7 +38,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.9.0"
+version = "1.10.2"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"

api/src/backend/api/adapters.py

@@ -65,5 +65,7 @@ class ProwlerSocialAccountAdapter(DefaultSocialAccountAdapter):
                         role=role,
                         tenant_id=tenant.id,
                     )
+            else:
+                request.session["saml_user_created"] = str(user.id)
 
         return user

api/src/backend/api/db_utils.py

@@ -175,6 +175,29 @@ def create_objects_in_batches(
             model.objects.bulk_create(chunk, batch_size)
 
 
+def update_objects_in_batches(
+    tenant_id: str, model, objects: list, fields: list, batch_size: int = 500
+):
+    """
+    Bulk-update model instances in repeated, per-tenant RLS transactions.
+
+    All chunks execute in their own transaction, so no single transaction
+    grows too large.
+
+    Args:
+        tenant_id (str): UUID string of the tenant under which to set RLS.
+        model: Django model class whose `.objects.bulk_update()` will be called.
+        objects (list): List of model instances (saved) to bulk-update.
+        fields (list): List of field names to update.
+        batch_size (int): Maximum number of objects per bulk_update call.
+    """
+    total = len(objects)
+    for start in range(0, total, batch_size):
+        chunk = objects[start : start + batch_size]
+        with rls_transaction(value=tenant_id, parameter=POSTGRES_TENANT_VAR):
+            model.objects.bulk_update(chunk, fields, batch_size)
+
+
 # Postgres Enums
 
 

api/src/backend/api/exceptions.py

@@ -78,3 +78,21 @@ def custom_exception_handler(exc, context):
                 message_item["message"] for message_item in exc.detail["messages"]
             ]
     return exception_handler(exc, context)
+
+
+class ConflictException(APIException):
+    status_code = status.HTTP_409_CONFLICT
+    default_detail = "A conflict occurred. The resource already exists."
+    default_code = "conflict"
+
+    def __init__(self, detail=None, code=None, pointer=None):
+        error_detail = {
+            "detail": detail or self.default_detail,
+            "status": self.status_code,
+            "code": self.default_code,
+        }
+
+        if pointer:
+            error_detail["source"] = {"pointer": pointer}
+
+        super().__init__(detail=[error_detail])

api/src/backend/api/filters.py

@@ -1,5 +1,6 @@
 from datetime import date, datetime, timedelta, timezone
 
+from dateutil.parser import parse
 from django.conf import settings
 from django.db.models import Q
 from django_filters.rest_framework import (
@@ -339,6 +340,8 @@ class ResourceFilter(ProviderRelationshipFilterSet):
     tags = CharFilter(method="filter_tag")
     inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
     updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    scan = UUIDFilter(field_name="provider__scan", lookup_expr="exact")
+    scan__in = UUIDInFilter(field_name="provider__scan", lookup_expr="in")
 
     class Meta:
         model = Resource
@@ -353,6 +356,82 @@ class ResourceFilter(ProviderRelationshipFilterSet):
             "updated_at": ["gte", "lte"],
         }
 
+    def filter_queryset(self, queryset):
+        if not (self.data.get("scan") or self.data.get("scan__in")) and not (
+            self.data.get("updated_at")
+            or self.data.get("updated_at__date")
+            or self.data.get("updated_at__gte")
+            or self.data.get("updated_at__lte")
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": "At least one date filter is required: filter[updated_at], filter[updated_at.gte], "
+                        "or filter[updated_at.lte].",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/updated_at"},
+                        "code": "required",
+                    }
+                ]
+            )
+
+        gte_date = (
+            parse(self.data.get("updated_at__gte")).date()
+            if self.data.get("updated_at__gte")
+            else datetime.now(timezone.utc).date()
+        )
+        lte_date = (
+            parse(self.data.get("updated_at__lte")).date()
+            if self.data.get("updated_at__lte")
+            else datetime.now(timezone.utc).date()
+        )
+
+        if abs(lte_date - gte_date) > timedelta(
+            days=settings.FINDINGS_MAX_DAYS_IN_RANGE
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": f"The date range cannot exceed {settings.FINDINGS_MAX_DAYS_IN_RANGE} days.",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/updated_at"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+
+        return super().filter_queryset(queryset)
+
+    def filter_tag_key(self, queryset, name, value):
+        return queryset.filter(Q(tags__key=value) | Q(tags__key__icontains=value))
+
+    def filter_tag_value(self, queryset, name, value):
+        return queryset.filter(Q(tags__value=value) | Q(tags__value__icontains=value))
+
+    def filter_tag(self, queryset, name, value):
+        # We won't know what the user wants to filter on just based on the value,
+        # and we don't want to build special filtering logic for every possible
+        # provider tag spec, so we'll just do a full text search
+        return queryset.filter(tags__text_search=value)
+
+
+class LatestResourceFilter(ProviderRelationshipFilterSet):
+    tag_key = CharFilter(method="filter_tag_key")
+    tag_value = CharFilter(method="filter_tag_value")
+    tag = CharFilter(method="filter_tag")
+    tags = CharFilter(method="filter_tag")
+
+    class Meta:
+        model = Resource
+        fields = {
+            "provider": ["exact", "in"],
+            "uid": ["exact", "icontains"],
+            "name": ["exact", "icontains"],
+            "region": ["exact", "icontains", "in"],
+            "service": ["exact", "icontains", "in"],
+            "type": ["exact", "icontains", "in"],
+        }
+
     def filter_tag_key(self, queryset, name, value):
         return queryset.filter(Q(tags__key=value) | Q(tags__key__icontains=value))
 

api/src/backend/api/fixtures/dev/0_dev_users.json

@@ -24,5 +24,18 @@
       "is_active": true,
       "date_joined": "2024-09-18T09:04:20.850Z"
     }
+  },
+  {
+    "model": "api.user",
+    "pk": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+    "fields": {
+      "password": "pbkdf2_sha256$870000$Z63pGJ7nre48hfcGbk5S0O$rQpKczAmijs96xa+gPVJifpT3Fetb8DOusl5Eq6gxac=",
+      "last_login": null,
+      "name": "E2E Test User",
+      "email": "e2e@prowler.com",
+      "company_name": "Prowler E2E Tests",
+      "is_active": true,
+      "date_joined": "2024-01-01T00:00:00.850Z"
+    }
   }
 ]

api/src/backend/api/fixtures/dev/1_dev_tenants.json

@@ -46,5 +46,24 @@
       "role": "member",
       "date_joined": "2024-09-19T11:03:59.712Z"
     }
+  },
+  {
+    "model": "api.tenant",
+    "pk": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+    "fields": {
+      "inserted_at": "2024-01-01T00:00:00Z",
+      "updated_at": "2024-01-01T00:00:00Z",
+      "name": "E2E Test Tenant"
+    }
+  },
+  {
+    "model": "api.membership",
+    "pk": "9b1a2c3d-4e5f-6789-abc1-23456789def0",
+    "fields": {
+      "user": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "role": "owner",
+      "date_joined": "2024-01-01T00:00:00.000Z"
+    }
   }
 ]

api/src/backend/api/fixtures/dev/6_dev_rbac.json

@@ -149,5 +149,32 @@
       "user": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
       "inserted_at": "2024-11-20T15:36:14.302Z"
     }
+  },
+  {
+    "model": "api.role",
+    "pk": "a5b6c7d8-9e0f-1234-5678-90abcdef1234",
+    "fields": {
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "name": "e2e_admin",
+      "manage_users": true,
+      "manage_account": true,
+      "manage_billing": true,
+      "manage_providers": true,
+      "manage_integrations": true,
+      "manage_scans": true,
+      "unlimited_visibility": true,
+      "inserted_at": "2024-01-01T00:00:00.000Z",
+      "updated_at": "2024-01-01T00:00:00.000Z"
+    }
+  },
+  {
+    "model": "api.userrolerelationship",
+    "pk": "f1e2d3c4-b5a6-9876-5432-10fedcba9876",
+    "fields": {
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "role": "a5b6c7d8-9e0f-1234-5678-90abcdef1234",
+      "user": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+      "inserted_at": "2024-01-01T00:00:00.000Z"
+    }
   }
 ]

api/src/backend/api/migrations/0036_rfm_tenant_finding_index_partitions.py

@@ -0,0 +1,30 @@
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import create_index_on_partitions, drop_index_on_partitions
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0035_finding_muted_reason"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_finding_idx",
+                columns="tenant_id, finding_id",
+                method="BTREE",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_finding_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0037_rfm_tenant_finding_index_parent.py

@@ -0,0 +1,17 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0036_rfm_tenant_finding_index_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="resourcefindingmapping",
+            index=models.Index(
+                fields=["tenant_id", "finding_id"],
+                name="rfm_tenant_finding_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0038_resource_failed_findings_count.py

@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0037_rfm_tenant_finding_index_parent"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="resource",
+            name="failed_findings_count",
+            field=models.IntegerField(default=0),
+        )
+    ]

api/src/backend/api/migrations/0039_resource_resources_failed_findings_idx.py

@@ -0,0 +1,20 @@
+from django.contrib.postgres.operations import AddIndexConcurrently
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0038_resource_failed_findings_count"),
+    ]
+
+    operations = [
+        AddIndexConcurrently(
+            model_name="resource",
+            index=models.Index(
+                fields=["tenant_id", "-failed_findings_count", "id"],
+                name="resources_failed_findings_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0040_rfm_tenant_resource_index_partitions.py

@@ -0,0 +1,30 @@
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import create_index_on_partitions, drop_index_on_partitions
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0039_resource_resources_failed_findings_idx"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_resource_idx",
+                columns="tenant_id, resource_id",
+                method="BTREE",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_resource_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0041_rfm_tenant_resource_parent_partitions.py

@@ -0,0 +1,17 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0040_rfm_tenant_resource_index_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="resourcefindingmapping",
+            index=models.Index(
+                fields=["tenant_id", "resource_id"],
+                name="rfm_tenant_resource_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0042_scan_scans_prov_ins_desc_idx.py

@@ -0,0 +1,23 @@
+from django.contrib.postgres.operations import AddIndexConcurrently
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0041_rfm_tenant_resource_parent_partitions"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        AddIndexConcurrently(
+            model_name="scan",
+            index=models.Index(
+                condition=models.Q(("state", "completed")),
+                fields=["tenant_id", "provider_id", "-inserted_at"],
+                include=("id",),
+                name="scans_prov_ins_desc_idx",
+            ),
+        ),
+    ]

api/src/backend/api/migrations/0043_github_provider.py

@@ -0,0 +1,33 @@
+# Generated by Django 5.1.7 on 2025-07-09 14:44
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0042_scan_scans_prov_ins_desc_idx"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'github';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]

api/src/backend/api/models.py

@@ -205,6 +205,7 @@ class Provider(RowLevelSecurityProtectedModel):
         GCP = "gcp", _("GCP")
         KUBERNETES = "kubernetes", _("Kubernetes")
         M365 = "m365", _("M365")
+        GITHUB = "github", _("GitHub")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -265,6 +266,16 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
+    @staticmethod
+    def validate_github_uid(value):
+        if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9-]{0,38}$", value):
+            raise ModelValidationError(
+                detail="GitHub provider ID must be a valid GitHub username or organization name (1-39 characters, "
+                "starting with alphanumeric, containing only alphanumeric characters and hyphens).",
+                code="github-uid",
+                pointer="/data/attributes/uid",
+            )
+
     id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
     inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
     updated_at = models.DateTimeField(auto_now=True, editable=False)
@@ -476,6 +487,13 @@ class Scan(RowLevelSecurityProtectedModel):
                 condition=Q(state=StateChoices.COMPLETED),
                 name="scans_prov_state_ins_desc_idx",
             ),
+            # TODO This might replace `scans_prov_state_ins_desc_idx` completely. Review usage
+            models.Index(
+                fields=["tenant_id", "provider_id", "-inserted_at"],
+                condition=Q(state=StateChoices.COMPLETED),
+                include=["id"],
+                name="scans_prov_ins_desc_idx",
+            ),
         ]
 
     class JSONAPIMeta:
@@ -561,6 +579,8 @@ class Resource(RowLevelSecurityProtectedModel):
     details = models.TextField(blank=True, null=True)
     partition = models.TextField(blank=True, null=True)
 
+    failed_findings_count = models.IntegerField(default=0)
+
     # Relationships
     tags = models.ManyToManyField(
         ResourceTag,
@@ -607,6 +627,10 @@ class Resource(RowLevelSecurityProtectedModel):
                 fields=["tenant_id", "provider_id"],
                 name="resources_tenant_provider_idx",
             ),
+            models.Index(
+                fields=["tenant_id", "-failed_findings_count", "id"],
+                name="resources_failed_findings_idx",
+            ),
         ]
 
         constraints = [
@@ -849,6 +873,16 @@ class ResourceFindingMapping(PostgresPartitionedModel, RowLevelSecurityProtected
         #   - tenant_id
         #   - id
 
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "finding_id"],
+                name="rfm_tenant_finding_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "resource_id"],
+                name="rfm_tenant_resource_idx",
+            ),
+        ]
         constraints = [
             models.UniqueConstraint(
                 fields=("tenant_id", "resource_id", "finding_id"),

api/src/backend/api/tests/test_adapters.py

@@ -1,4 +1,4 @@
-from unittest.mock import MagicMock
+from unittest.mock import MagicMock, patch
 
 import pytest
 from allauth.socialaccount.models import SocialLogin
@@ -54,3 +54,24 @@ class TestProwlerSocialAccountAdapter:
         adapter.pre_social_login(rf.get("/"), sociallogin)
 
         sociallogin.connect.assert_not_called()
+
+    def test_save_user_saml_sets_session_flag(self, rf):
+        adapter = ProwlerSocialAccountAdapter()
+        request = rf.get("/")
+        request.session = {}
+
+        sociallogin = MagicMock(spec=SocialLogin)
+        sociallogin.provider = MagicMock()
+        sociallogin.provider.id = "saml"
+        sociallogin.account = MagicMock()
+        sociallogin.account.extra_data = {}
+
+        mock_user = MagicMock()
+        mock_user.id = 123
+
+        with patch("api.adapters.super") as mock_super:
+            with patch("api.adapters.transaction"):
+                with patch("api.adapters.MainRouter"):
+                    mock_super.return_value.save_user.return_value = mock_user
+                    adapter.save_user(request, sociallogin)
+                    assert request.session["saml_user_created"] == "123"

api/src/backend/api/tests/test_db_utils.py

@@ -13,6 +13,7 @@ from api.db_utils import (
     enum_to_choices,
     generate_random_token,
     one_week_from_now,
+    update_objects_in_batches,
 )
 from api.models import Provider
 
@@ -227,3 +228,88 @@ class TestCreateObjectsInBatches:
 
         qs = Provider.objects.filter(tenant=tenant)
         assert qs.count() == total
+
+
+@pytest.mark.django_db
+class TestUpdateObjectsInBatches:
+    @pytest.fixture
+    def tenant(self, tenants_fixture):
+        return tenants_fixture[0]
+
+    def make_provider_instances(self, tenant, count):
+        """
+        Return a list of `count` unsaved Provider instances for the given tenant.
+        """
+        base_uid = 2000
+        return [
+            Provider(
+                tenant=tenant,
+                uid=str(base_uid + i),
+                provider=Provider.ProviderChoices.AWS,
+            )
+            for i in range(count)
+        ]
+
+    def test_exact_multiple_of_batch(self, tenant):
+        total = 6
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        # Fetch them back, mutate the `uid` field, then update in batches
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+            batch_size=batch_size,
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total
+
+    def test_non_multiple_of_batch(self, tenant):
+        total = 7
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+            batch_size=batch_size,
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total
+
+    def test_batch_size_default(self, tenant):
+        default_size = settings.DJANGO_DELETION_BATCH_SIZE
+        total = default_size + 2
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs)
+
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        # Update without specifying batch_size (uses default)
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total

api/src/backend/api/tests/test_rbac.py

@@ -1,6 +1,7 @@
 from unittest.mock import ANY, Mock, patch
 
 import pytest
+from conftest import TODAY
 from django.urls import reverse
 from rest_framework import status
 
@@ -409,3 +410,87 @@ class TestLimitedVisibility:
         assert (
             response.json()["data"]["relationships"]["providers"]["meta"]["count"] == 1
         )
+
+    def test_overviews_providers(
+        self,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(reverse("overview-providers"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) > 0
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(reverse("overview-providers"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 0
+
+    @pytest.mark.parametrize(
+        "endpoint_name",
+        [
+            "findings",
+            "findings_severity",
+        ],
+    )
+    def test_overviews_findings(
+        self,
+        endpoint_name,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(
+            reverse(f"overview-{endpoint_name}")
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        values = response.json()["data"]["attributes"].values()
+        assert any(value > 0 for value in values)
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(
+            reverse(f"overview-{endpoint_name}")
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]["attributes"].values()
+        assert all(value == 0 for value in data)
+
+    def test_overviews_services(
+        self,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(
+            reverse("overview-services"), {"filter[inserted_at]": TODAY}
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) > 0
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(
+            reverse("overview-services"), {"filter[inserted_at]": TODAY}
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 0

api/src/backend/api/tests/test_views.py

@@ -14,7 +14,13 @@ import jwt
 import pytest
 from allauth.socialaccount.models import SocialAccount, SocialApp
 from botocore.exceptions import ClientError, NoCredentialsError
-from conftest import API_JSON_CONTENT_TYPE, TEST_PASSWORD, TEST_USER
+from conftest import (
+    API_JSON_CONTENT_TYPE,
+    TEST_PASSWORD,
+    TEST_USER,
+    TODAY,
+    today_after_n_days,
+)
 from django.conf import settings
 from django.http import JsonResponse
 from django.test import RequestFactory
@@ -47,14 +53,6 @@ from api.models import (
 from api.rls import Tenant
 from api.v1.views import ComplianceOverviewViewSet, TenantFinishACSView
 
-TODAY = str(datetime.today().date())
-
-
-def today_after_n_days(n_days: int) -> str:
-    return datetime.strftime(
-        datetime.today().date() + timedelta(days=n_days), "%Y-%m-%d"
-    )
-
 
 class TestViewSet:
     def test_security_headers(self, client):
@@ -968,6 +966,31 @@ class TestProviderViewSet:
                     "uid": "subdomain1.subdomain2.subdomain3.subdomain4.domain.net",
                     "alias": "test",
                 },
+                {
+                    "provider": "github",
+                    "uid": "test-user",
+                    "alias": "test",
+                },
+                {
+                    "provider": "github",
+                    "uid": "test-organization",
+                    "alias": "GitHub Org",
+                },
+                {
+                    "provider": "github",
+                    "uid": "prowler-cloud",
+                    "alias": "Prowler",
+                },
+                {
+                    "provider": "github",
+                    "uid": "microsoft",
+                    "alias": "Microsoft",
+                },
+                {
+                    "provider": "github",
+                    "uid": "a12345678901234567890123456789012345678",
+                    "alias": "Long Username",
+                },
             ]
         ),
     )
@@ -1081,6 +1104,42 @@ class TestProviderViewSet:
                     "m365-uid",
                     "uid",
                 ),
+                (
+                    {
+                        "provider": "github",
+                        "uid": "-invalid-start",
+                        "alias": "test",
+                    },
+                    "github-uid",
+                    "uid",
+                ),
+                (
+                    {
+                        "provider": "github",
+                        "uid": "invalid@username",
+                        "alias": "test",
+                    },
+                    "github-uid",
+                    "uid",
+                ),
+                (
+                    {
+                        "provider": "github",
+                        "uid": "invalid_username",
+                        "alias": "test",
+                    },
+                    "github-uid",
+                    "uid",
+                ),
+                (
+                    {
+                        "provider": "github",
+                        "uid": "a" * 40,
+                        "alias": "test",
+                    },
+                    "github-uid",
+                    "uid",
+                ),
             ]
         ),
     )
@@ -2966,12 +3025,21 @@ class TestTaskViewSet:
 @pytest.mark.django_db
 class TestResourceViewSet:
     def test_resources_list_none(self, authenticated_client):
-        response = authenticated_client.get(reverse("resource-list"))
+        response = authenticated_client.get(
+            reverse("resource-list"), {"filter[updated_at]": TODAY}
+        )
         assert response.status_code == status.HTTP_200_OK
         assert len(response.json()["data"]) == 0
 
-    def test_resources_list(self, authenticated_client, resources_fixture):
+    def test_resources_list_no_date_filter(self, authenticated_client):
         response = authenticated_client.get(reverse("resource-list"))
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+        assert response.json()["errors"][0]["code"] == "required"
+
+    def test_resources_list(self, authenticated_client, resources_fixture):
+        response = authenticated_client.get(
+            reverse("resource-list"), {"filter[updated_at]": TODAY}
+        )
         assert response.status_code == status.HTTP_200_OK
         assert len(response.json()["data"]) == len(resources_fixture)
 
@@ -2992,7 +3060,8 @@ class TestResourceViewSet:
         findings_fixture,
     ):
         response = authenticated_client.get(
-            reverse("resource-list"), {"include": include_values}
+            reverse("resource-list"),
+            {"include": include_values, "filter[updated_at]": TODAY},
         )
         assert response.status_code == status.HTTP_200_OK
         assert len(response.json()["data"]) == len(resources_fixture)
@@ -3020,8 +3089,9 @@ class TestResourceViewSet:
                 ("region.icontains", "west", 1),
                 ("service", "ec2", 2),
                 ("service.icontains", "ec", 2),
-                ("inserted_at.gte", "2024-01-01 00:00:00", 3),
-                ("updated_at.lte", "2024-01-01 00:00:00", 0),
+                ("inserted_at.gte", today_after_n_days(-1), 3),
+                ("updated_at.gte", today_after_n_days(-1), 3),
+                ("updated_at.lte", today_after_n_days(1), 3),
                 ("type.icontains", "prowler", 2),
                 # provider filters
                 ("provider_type", "aws", 3),
@@ -3041,7 +3111,8 @@ class TestResourceViewSet:
                 ("tags", "multi word", 1),
                 # full text search on resource
                 ("search", "arn", 3),
-                ("search", "def1", 1),
+                # To improve search efficiency, full text search is not fully applicable
+                # ("search", "def1", 1),
                 # full text search on resource tags
                 ("search", "multi word", 1),
                 ("search", "key2", 2),
@@ -3056,14 +3127,42 @@ class TestResourceViewSet:
         filter_value,
         expected_count,
     ):
+        filters = {f"filter[{filter_name}]": filter_value}
+        if "updated_at" not in filter_name:
+            filters["filter[updated_at]"] = TODAY
         response = authenticated_client.get(
             reverse("resource-list"),
-            {f"filter[{filter_name}]": filter_value},
+            filters,
         )
 
         assert response.status_code == status.HTTP_200_OK
         assert len(response.json()["data"]) == expected_count
 
+    def test_resource_filter_by_scan_id(
+        self, authenticated_client, resources_fixture, scans_fixture
+    ):
+        response = authenticated_client.get(
+            reverse("resource-list"),
+            {"filter[scan]": scans_fixture[0].id},
+        )
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 2
+
+    def test_resource_filter_by_scan_id_in(
+        self, authenticated_client, resources_fixture, scans_fixture
+    ):
+        response = authenticated_client.get(
+            reverse("resource-list"),
+            {
+                "filter[scan.in]": [
+                    scans_fixture[0].id,
+                    scans_fixture[1].id,
+                ]
+            },
+        )
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 2
+
     def test_resource_filter_by_provider_id_in(
         self, authenticated_client, resources_fixture
     ):
@@ -3073,7 +3172,8 @@ class TestResourceViewSet:
                 "filter[provider.in]": [
                     resources_fixture[0].provider.id,
                     resources_fixture[1].provider.id,
-                ]
+                ],
+                "filter[updated_at]": TODAY,
             },
         )
         assert response.status_code == status.HTTP_200_OK
@@ -3110,13 +3210,13 @@ class TestResourceViewSet:
     )
     def test_resources_sort(self, authenticated_client, sort_field):
         response = authenticated_client.get(
-            reverse("resource-list"), {"sort": sort_field}
+            reverse("resource-list"), {"filter[updated_at]": TODAY, "sort": sort_field}
         )
         assert response.status_code == status.HTTP_200_OK
 
     def test_resources_sort_invalid(self, authenticated_client):
         response = authenticated_client.get(
-            reverse("resource-list"), {"sort": "invalid"}
+            reverse("resource-list"), {"filter[updated_at]": TODAY, "sort": "invalid"}
         )
         assert response.status_code == status.HTTP_400_BAD_REQUEST
         assert response.json()["errors"][0]["code"] == "invalid"
@@ -3149,6 +3249,100 @@ class TestResourceViewSet:
         )
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
+    def test_resources_metadata_retrieve(
+        self, authenticated_client, resources_fixture, backfill_scan_metadata_fixture
+    ):
+        resource_1, *_ = resources_fixture
+        response = authenticated_client.get(
+            reverse("resource-metadata"),
+            {"filter[updated_at]": resource_1.updated_at.strftime("%Y-%m-%d")},
+        )
+        data = response.json()
+
+        expected_services = {"ec2", "s3"}
+        expected_regions = {"us-east-1", "eu-west-1"}
+        expected_resource_types = {"prowler-test"}
+
+        assert data["data"]["type"] == "resources-metadata"
+        assert data["data"]["id"] is None
+        assert set(data["data"]["attributes"]["services"]) == expected_services
+        assert set(data["data"]["attributes"]["regions"]) == expected_regions
+        assert set(data["data"]["attributes"]["types"]) == expected_resource_types
+
+    def test_resources_metadata_resource_filter_retrieve(
+        self, authenticated_client, resources_fixture, backfill_scan_metadata_fixture
+    ):
+        resource_1, *_ = resources_fixture
+        response = authenticated_client.get(
+            reverse("resource-metadata"),
+            {
+                "filter[region]": "eu-west-1",
+                "filter[updated_at]": resource_1.updated_at.strftime("%Y-%m-%d"),
+            },
+        )
+        data = response.json()
+
+        expected_services = {"s3"}
+        expected_regions = {"eu-west-1"}
+        expected_resource_types = {"prowler-test"}
+
+        assert data["data"]["type"] == "resources-metadata"
+        assert data["data"]["id"] is None
+        assert set(data["data"]["attributes"]["services"]) == expected_services
+        assert set(data["data"]["attributes"]["regions"]) == expected_regions
+        assert set(data["data"]["attributes"]["types"]) == expected_resource_types
+
+    def test_resources_metadata_future_date(self, authenticated_client):
+        response = authenticated_client.get(
+            reverse("resource-metadata"),
+            {"filter[updated_at]": "2048-01-01"},
+        )
+        data = response.json()
+        assert data["data"]["type"] == "resources-metadata"
+        assert data["data"]["id"] is None
+        assert data["data"]["attributes"]["services"] == []
+        assert data["data"]["attributes"]["regions"] == []
+        assert data["data"]["attributes"]["types"] == []
+
+    def test_resources_metadata_invalid_date(self, authenticated_client):
+        response = authenticated_client.get(
+            reverse("resource-metadata"),
+            {"filter[updated_at]": "2048-01-011"},
+        )
+        assert response.json() == {
+            "errors": [
+                {
+                    "detail": "Enter a valid date.",
+                    "status": "400",
+                    "source": {"pointer": "/data/attributes/updated_at"},
+                    "code": "invalid",
+                }
+            ]
+        }
+
+    def test_resources_latest(self, authenticated_client, latest_scan_resource):
+        response = authenticated_client.get(
+            reverse("resource-latest"),
+        )
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 1
+        assert (
+            response.json()["data"][0]["attributes"]["uid"] == latest_scan_resource.uid
+        )
+
+    def test_resources_metadata_latest(
+        self, authenticated_client, latest_scan_resource
+    ):
+        response = authenticated_client.get(
+            reverse("resource-metadata_latest"),
+        )
+        assert response.status_code == status.HTTP_200_OK
+        attributes = response.json()["data"]["attributes"]
+
+        assert attributes["services"] == [latest_scan_resource.service]
+        assert attributes["regions"] == [latest_scan_resource.region]
+        assert attributes["types"] == [latest_scan_resource.type]
+
 
 @pytest.mark.django_db
 class TestFindingViewSet:
@@ -3247,7 +3441,7 @@ class TestFindingViewSet:
                 ("search", "dev-qa", 1),
                 ("search", "orange juice", 1),
                 # full text search on resource
-                ("search", "ec2", 2),
+                ("search", "ec2", 1),
                 # full text search on finding tags (disabled for now)
                 # ("search", "value2", 2),
                 # Temporary disabled until we implement tag filtering in the UI
@@ -5055,6 +5249,8 @@ class TestComplianceOverviewViewSet:
             assert "description" in attributes
             assert "status" in attributes
 
+    # TODO: This test may fail randomly because requirements are not ordered
+    @pytest.mark.xfail
     def test_compliance_overview_requirements_manual(
         self, authenticated_client, compliance_requirements_overviews_fixture
     ):
@@ -5361,6 +5557,30 @@ class TestScheduleViewSet:
         )
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
+    @patch("api.v1.views.Task.objects.get")
+    def test_schedule_daily_already_scheduled(
+        self,
+        mock_task_get,
+        authenticated_client,
+        providers_fixture,
+        tasks_fixture,
+    ):
+        provider, *_ = providers_fixture
+        prowler_task = tasks_fixture[0]
+        mock_task_get.return_value = prowler_task
+        json_payload = {
+            "provider_id": str(provider.id),
+        }
+        response = authenticated_client.post(
+            reverse("schedule-daily"), data=json_payload, format="json"
+        )
+        assert response.status_code == status.HTTP_202_ACCEPTED
+
+        response = authenticated_client.post(
+            reverse("schedule-daily"), data=json_payload, format="json"
+        )
+        assert response.status_code == status.HTTP_409_CONFLICT
+
 
 @pytest.mark.django_db
 class TestIntegrationViewSet:
@@ -5984,6 +6204,7 @@ class TestTenantFinishACSView:
             reverse("saml_finish_acs", kwargs={"organization_slug": "testtenant"})
         )
         request.user = type("Anonymous", (), {"is_authenticated": False})()
+        request.session = {}
 
         with patch(
             "allauth.socialaccount.providers.saml.views.get_app_or_404"
@@ -6006,6 +6227,7 @@ class TestTenantFinishACSView:
             reverse("saml_finish_acs", kwargs={"organization_slug": "testtenant"})
         )
         request.user = users_fixture[0]
+        request.session = {}
 
         with patch(
             "allauth.socialaccount.providers.saml.views.get_app_or_404"
@@ -6047,6 +6269,7 @@ class TestTenantFinishACSView:
             reverse("saml_finish_acs", kwargs={"organization_slug": "testtenant"})
         )
         request.user = user
+        request.session = {}
 
         with (
             patch(
@@ -6113,6 +6336,44 @@ class TestTenantFinishACSView:
         user.company_name = original_company
         user.save()
 
+    def test_rollback_saml_user_when_error_occurs(self, users_fixture, monkeypatch):
+        """Test that a user is properly deleted when created during SAML flow and an error occurs"""
+        monkeypatch.setenv("AUTH_URL", "http://localhost")
+
+        # Create a test user to simulate one created during SAML flow
+        test_user = User.objects.using(MainRouter.admin_db).create(
+            email="testuser@example.com", name="Test User"
+        )
+
+        request = RequestFactory().get(
+            reverse("saml_finish_acs", kwargs={"organization_slug": "testtenant"})
+        )
+        request.user = users_fixture[0]
+        request.session = {"saml_user_created": test_user.id}
+
+        # Force an exception to trigger rollback
+        with patch(
+            "allauth.socialaccount.providers.saml.views.get_app_or_404"
+        ) as mock_get_app:
+            mock_get_app.side_effect = Exception("Test error")
+
+            view = TenantFinishACSView.as_view()
+            response = view(request, organization_slug="testtenant")
+
+            # Verify the user was deleted
+            assert (
+                not User.objects.using(MainRouter.admin_db)
+                .filter(id=test_user.id)
+                .exists()
+            )
+
+            # Verify session was cleaned up
+            assert "saml_user_created" not in request.session
+
+            # Verify proper redirect
+            assert response.status_code == 302
+            assert "sso_saml_failed=true" in response.url
+
 
 @pytest.mark.django_db
 class TestLighthouseConfigViewSet:

api/src/backend/api/utils.py

@@ -13,6 +13,7 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.common.models import Connection
 from prowler.providers.gcp.gcp_provider import GcpProvider
+from prowler.providers.github.github_provider import GithubProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
 
@@ -55,14 +56,21 @@ def merge_dicts(default_dict: dict, replacement_dict: dict) -> dict:
 
 def return_prowler_provider(
     provider: Provider,
-) -> [AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider]:
+) -> [
+    AwsProvider
+    | AzureProvider
+    | GcpProvider
+    | GithubProvider
+    | KubernetesProvider
+    | M365Provider
+]:
     """Return the Prowler provider class based on the given provider type.
 
     Args:
         provider (Provider): The provider object containing the provider type and associated secrets.
 
     Returns:
-        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider: The corresponding provider class.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider: The corresponding provider class.
 
     Raises:
         ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -78,6 +86,8 @@ def return_prowler_provider(
             prowler_provider = KubernetesProvider
         case Provider.ProviderChoices.M365.value:
             prowler_provider = M365Provider
+        case Provider.ProviderChoices.GITHUB.value:
+            prowler_provider = GithubProvider
         case _:
             raise ValueError(f"Provider type {provider.provider} not supported")
     return prowler_provider
@@ -120,7 +130,14 @@ def get_prowler_provider_kwargs(
 def initialize_prowler_provider(
     provider: Provider,
     mutelist_processor: Processor | None = None,
-) -> AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider:
+) -> (
+    AwsProvider
+    | AzureProvider
+    | GcpProvider
+    | GithubProvider
+    | KubernetesProvider
+    | M365Provider
+):
     """Initialize a Prowler provider instance based on the given provider type.
 
     Args:
@@ -128,8 +145,8 @@ def initialize_prowler_provider(
         mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.
 
     Returns:
-        AwsProvider | AzureProvider | GcpProvider | KubernetesProvider | M365Provider: An instance of the corresponding provider class
-            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `KubernetesProvider` or `M365Provider`) initialized with the
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider: An instance of the corresponding provider class
+            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `GithubProvider`, `KubernetesProvider` or `M365Provider`) initialized with the
             provider's secrets.
     """
     prowler_provider = return_prowler_provider(provider)

api/src/backend/api/v1/mixins.py

@@ -24,20 +24,32 @@ class PaginateByPkMixin:
         request,  # noqa: F841
         base_queryset,
         manager,
-        select_related: list[str] | None = None,
-        prefetch_related: list[str] | None = None,
+        select_related: list | None = None,
+        prefetch_related: list | None = None,
     ) -> Response:
+        """
+        Paginate a queryset by primary key.
+
+        This method is useful when you want to paginate a queryset that has been
+        filtered or annotated in a way that would be lost if you used the default
+        pagination method.
+        """
         pk_list = base_queryset.values_list("id", flat=True)
         page = self.paginate_queryset(pk_list)
         if page is None:
             return Response(self.get_serializer(base_queryset, many=True).data)
 
         queryset = manager.filter(id__in=page)
+
         if select_related:
             queryset = queryset.select_related(*select_related)
         if prefetch_related:
             queryset = queryset.prefetch_related(*prefetch_related)
 
+        # Optimize tags loading, if applicable
+        if hasattr(self, "_optimize_tags_loading"):
+            queryset = self._optimize_tags_loading(queryset)
+
         queryset = sorted(queryset, key=lambda obj: page.index(obj.id))
 
         serialized = self.get_serializer(queryset, many=True).data

api/src/backend/api/v1/serializer_utils/providers.py

@@ -176,6 +176,43 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["kubeconfig_content"],
             },
+            {
+                "type": "object",
+                "title": "GitHub Personal Access Token",
+                "properties": {
+                    "personal_access_token": {
+                        "type": "string",
+                        "description": "GitHub personal access token for authentication.",
+                    }
+                },
+                "required": ["personal_access_token"],
+            },
+            {
+                "type": "object",
+                "title": "GitHub OAuth App Token",
+                "properties": {
+                    "oauth_app_token": {
+                        "type": "string",
+                        "description": "GitHub OAuth App token for authentication.",
+                    }
+                },
+                "required": ["oauth_app_token"],
+            },
+            {
+                "type": "object",
+                "title": "GitHub App Credentials",
+                "properties": {
+                    "github_app_id": {
+                        "type": "integer",
+                        "description": "GitHub App ID for authentication.",
+                    },
+                    "github_app_key": {
+                        "type": "string",
+                        "description": "Path to the GitHub App private key file.",
+                    },
+                },
+                "required": ["github_app_id", "github_app_key"],
+            },
         ]
     }
 )

api/src/backend/api/v1/serializers.py

@@ -9,6 +9,7 @@ from drf_spectacular.utils import extend_schema_field
 from jwt.exceptions import InvalidKeyError
 from rest_framework.validators import UniqueTogetherValidator
 from rest_framework_json_api import serializers
+from rest_framework_json_api.relations import SerializerMethodResourceRelatedField
 from rest_framework_json_api.serializers import ValidationError
 from rest_framework_simplejwt.exceptions import TokenError
 from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
@@ -999,8 +1000,12 @@ class ResourceSerializer(RLSSerializer):
 
     tags = serializers.SerializerMethodField()
     type_ = serializers.CharField(read_only=True)
+    failed_findings_count = serializers.IntegerField(read_only=True)
 
-    findings = serializers.ResourceRelatedField(many=True, read_only=True)
+    findings = SerializerMethodResourceRelatedField(
+        many=True,
+        read_only=True,
+    )
 
     class Meta:
         model = Resource
@@ -1016,6 +1021,7 @@ class ResourceSerializer(RLSSerializer):
             "tags",
             "provider",
             "findings",
+            "failed_findings_count",
             "url",
         ]
         extra_kwargs = {
@@ -1037,6 +1043,10 @@ class ResourceSerializer(RLSSerializer):
         }
     )
     def get_tags(self, obj):
+        # Use prefetched tags if available to avoid N+1 queries
+        if hasattr(obj, "prefetched_tags"):
+            return {tag.key: tag.value for tag in obj.prefetched_tags}
+        # Fallback to the original method if prefetch is not available
         return obj.get_tags(self.context.get("tenant_id"))
 
     def get_fields(self):
@@ -1046,6 +1056,13 @@ class ResourceSerializer(RLSSerializer):
         fields["type"] = type_
         return fields
 
+    def get_findings(self, obj):
+        return (
+            obj.latest_findings
+            if hasattr(obj, "latest_findings")
+            else obj.findings.all()
+        )
+
 
 class ResourceIncludeSerializer(RLSSerializer):
     """
@@ -1082,6 +1099,10 @@ class ResourceIncludeSerializer(RLSSerializer):
         }
     )
     def get_tags(self, obj):
+        # Use prefetched tags if available to avoid N+1 queries
+        if hasattr(obj, "prefetched_tags"):
+            return {tag.key: tag.value for tag in obj.prefetched_tags}
+        # Fallback to the original method if prefetch is not available
         return obj.get_tags(self.context.get("tenant_id"))
 
     def get_fields(self):
@@ -1092,6 +1113,17 @@ class ResourceIncludeSerializer(RLSSerializer):
         return fields
 
 
+class ResourceMetadataSerializer(serializers.Serializer):
+    services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
+    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
+    types = serializers.ListField(child=serializers.CharField(), allow_empty=True)
+    # Temporarily disabled until we implement tag filtering in the UI
+    # tags = serializers.JSONField(help_text="Tags are described as key-value pairs.")
+
+    class Meta:
+        resource_name = "resources-metadata"
+
+
 class FindingSerializer(RLSSerializer):
     """
     Serializer for the Finding model.
@@ -1185,6 +1217,8 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = AzureProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.GCP.value:
                 serializer = GCPProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.GITHUB.value:
+                serializer = GithubProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.KUBERNETES.value:
                 serializer = KubernetesProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.M365.value:
@@ -1264,6 +1298,16 @@ class KubernetesProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
+class GithubProviderSecret(serializers.Serializer):
+    personal_access_token = serializers.CharField(required=False)
+    oauth_app_token = serializers.CharField(required=False)
+    github_app_id = serializers.IntegerField(required=False)
+    github_app_key_content = serializers.CharField(required=False)
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class AWSRoleAssumptionProviderSecret(serializers.Serializer):
     role_arn = serializers.CharField()
     external_id = serializers.CharField()

api/src/backend/api/v1/views.py

@@ -1,4 +1,5 @@
 import glob
+import logging
 import os
 from datetime import datetime, timedelta, timezone
 from urllib.parse import urljoin
@@ -10,6 +11,7 @@ from allauth.socialaccount.providers.google.views import GoogleOAuth2Adapter
 from allauth.socialaccount.providers.saml.views import FinishACSView, LoginView
 from botocore.exceptions import ClientError, NoCredentialsError, ParamValidationError
 from celery.result import AsyncResult
+from config.custom_logging import BackendLogger
 from config.env import env
 from config.settings.social_login import (
     GITHUB_OAUTH_CALLBACK_URL,
@@ -20,7 +22,7 @@ from django.conf import settings as django_settings
 from django.contrib.postgres.aggregates import ArrayAgg
 from django.contrib.postgres.search import SearchQuery
 from django.db import transaction
-from django.db.models import Count, Exists, F, OuterRef, Prefetch, Q, Sum
+from django.db.models import Count, F, Prefetch, Q, Subquery, Sum
 from django.db.models.functions import Coalesce
 from django.http import HttpResponse
 from django.shortcuts import redirect
@@ -76,6 +78,7 @@ from api.filters import (
     IntegrationFilter,
     InvitationFilter,
     LatestFindingFilter,
+    LatestResourceFilter,
     MembershipFilter,
     ProcessorFilter,
     ProviderFilter,
@@ -91,7 +94,6 @@ from api.filters import (
     UserFilter,
 )
 from api.models import (
-    ComplianceOverview,
     ComplianceRequirementOverview,
     Finding,
     Integration,
@@ -106,6 +108,7 @@ from api.models import (
     Resource,
     ResourceFindingMapping,
     ResourceScanSummary,
+    ResourceTag,
     Role,
     RoleProviderGroupRelationship,
     SAMLConfiguration,
@@ -165,6 +168,7 @@ from api.v1.serializers import (
     ProviderSecretUpdateSerializer,
     ProviderSerializer,
     ProviderUpdateSerializer,
+    ResourceMetadataSerializer,
     ResourceSerializer,
     RoleCreateSerializer,
     RoleProviderGroupRelationshipSerializer,
@@ -190,6 +194,8 @@ from api.v1.serializers import (
     UserUpdateSerializer,
 )
 
+logger = logging.getLogger(BackendLogger.API)
+
 CACHE_DECORATOR = cache_control(
     max_age=django_settings.CACHE_MAX_AGE,
     stale_while_revalidate=django_settings.CACHE_STALE_WHILE_REVALIDATE,
@@ -286,7 +292,7 @@ class SchemaView(SpectacularAPIView):
 
     def get(self, request, *args, **kwargs):
         spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.9.0"
+        spectacular_settings.VERSION = "1.10.2"
         spectacular_settings.DESCRIPTION = (
             "Prowler API specification.\n\nThis file is auto-generated."
         )
@@ -559,10 +565,25 @@ class SAMLConfigurationViewSet(BaseRLSViewSet):
 
 
 class TenantFinishACSView(FinishACSView):
+    def _rollback_saml_user(self, request):
+        """Helper function to rollback SAML user if it was just created and validation fails"""
+        saml_user_id = request.session.get("saml_user_created")
+        if saml_user_id:
+            User.objects.using(MainRouter.admin_db).filter(id=saml_user_id).delete()
+            request.session.pop("saml_user_created", None)
+
     def dispatch(self, request, organization_slug):
-        super().dispatch(request, organization_slug)
+        try:
+            super().dispatch(request, organization_slug)
+        except Exception as e:
+            logger.error(f"SAML dispatch failed: {e}")
+            self._rollback_saml_user(request)
+            callback_url = env.str("AUTH_URL")
+            return redirect(f"{callback_url}?sso_saml_failed=true")
+
         user = getattr(request, "user", None)
         if not user or not user.is_authenticated:
+            self._rollback_saml_user(request)
             callback_url = env.str("AUTH_URL")
             return redirect(f"{callback_url}?sso_saml_failed=true")
 
@@ -585,7 +606,9 @@ class TenantFinishACSView(FinishACSView):
             SocialApp.DoesNotExist,
             SocialAccount.DoesNotExist,
             User.DoesNotExist,
-        ):
+        ) as e:
+            logger.error(f"SAML user is not authenticated: {e}")
+            self._rollback_saml_user(request)
             callback_url = env.str("AUTH_URL")
             return redirect(f"{callback_url}?sso_saml_failed=true")
 
@@ -659,6 +682,7 @@ class TenantFinishACSView(FinishACSView):
         )
         callback_url = env.str("SAML_SSO_CALLBACK_URL")
         redirect_url = f"{callback_url}?id={saml_token.id}"
+        request.session.pop("saml_user_created", None)
 
         return redirect(redirect_url)
 
@@ -1861,6 +1885,14 @@ class TaskViewSet(BaseRLSViewSet):
         summary="List all resources",
         description="Retrieve a list of all resources with options for filtering by various criteria. Resources are "
         "objects that are discovered by Prowler. They can be anything from a single host to a whole VPC.",
+        parameters=[
+            OpenApiParameter(
+                name="filter[updated_at]",
+                description="At least one of the variations of the `filter[updated_at]` filter must be provided.",
+                required=True,
+                type=OpenApiTypes.DATE,
+            )
+        ],
     ),
     retrieve=extend_schema(
         tags=["Resource"],
@@ -1868,15 +1900,43 @@ class TaskViewSet(BaseRLSViewSet):
         description="Fetch detailed information about a specific resource by their ID. A Resource is an object that "
         "is discovered by Prowler. It can be anything from a single host to a whole VPC.",
     ),
+    metadata=extend_schema(
+        tags=["Resource"],
+        summary="Retrieve metadata values from resources",
+        description="Fetch unique metadata values from a set of resources. This is useful for dynamic filtering.",
+        parameters=[
+            OpenApiParameter(
+                name="filter[updated_at]",
+                description="At least one of the variations of the `filter[updated_at]` filter must be provided.",
+                required=True,
+                type=OpenApiTypes.DATE,
+            )
+        ],
+        filters=True,
+    ),
+    latest=extend_schema(
+        tags=["Resource"],
+        summary="List the latest resources",
+        description="Retrieve a list of the latest resources from the latest scans for each provider with options for "
+        "filtering by various criteria.",
+        filters=True,
+    ),
+    metadata_latest=extend_schema(
+        tags=["Resource"],
+        summary="Retrieve metadata values from the latest resources",
+        description="Fetch unique metadata values from a set of resources from the latest scans for each provider. "
+        "This is useful for dynamic filtering.",
+        filters=True,
+    ),
 )
 @method_decorator(CACHE_DECORATOR, name="list")
 @method_decorator(CACHE_DECORATOR, name="retrieve")
-class ResourceViewSet(BaseRLSViewSet):
-    queryset = Resource.objects.all()
+class ResourceViewSet(PaginateByPkMixin, BaseRLSViewSet):
+    queryset = Resource.all_objects.all()
     serializer_class = ResourceSerializer
     http_method_names = ["get"]
     filterset_class = ResourceFilter
-    ordering = ["-inserted_at"]
+    ordering = ["-failed_findings_count", "-updated_at"]
     ordering_fields = [
         "provider_uid",
         "uid",
@@ -1887,6 +1947,14 @@ class ResourceViewSet(BaseRLSViewSet):
         "inserted_at",
         "updated_at",
     ]
+    prefetch_for_includes = {
+        "__all__": [],
+        "provider": [
+            Prefetch(
+                "provider", queryset=Provider.all_objects.select_related("resources")
+            )
+        ],
+    }
     # RBAC required permissions (implicit -> MANAGE_PROVIDERS enable unlimited visibility or check the visibility of
     # the provider through the provider group)
     required_permissions = []
@@ -1895,41 +1963,284 @@ class ResourceViewSet(BaseRLSViewSet):
         user_roles = get_role(self.request.user)
         if user_roles.unlimited_visibility:
             # User has unlimited visibility, return all scans
-            queryset = Resource.objects.filter(tenant_id=self.request.tenant_id)
+            queryset = Resource.all_objects.filter(tenant_id=self.request.tenant_id)
         else:
             # User lacks permission, filter providers based on provider groups associated with the role
-            queryset = Resource.objects.filter(
+            queryset = Resource.all_objects.filter(
                 tenant_id=self.request.tenant_id, provider__in=get_providers(user_roles)
             )
 
         search_value = self.request.query_params.get("filter[search]", None)
         if search_value:
-            # Django's ORM will build a LEFT JOIN and OUTER JOIN on the "through" table, resulting in duplicates
-            # The duplicates then require a `distinct` query
             search_query = SearchQuery(
                 search_value, config="simple", search_type="plain"
             )
             queryset = queryset.filter(
-                Q(tags__key=search_value)
-                | Q(tags__value=search_value)
-                | Q(tags__text_search=search_query)
-                | Q(tags__key__contains=search_value)
-                | Q(tags__value__contains=search_value)
-                | Q(uid=search_value)
-                | Q(name=search_value)
-                | Q(region=search_value)
-                | Q(service=search_value)
-                | Q(type=search_value)
-                | Q(text_search=search_query)
-                | Q(uid__contains=search_value)
-                | Q(name__contains=search_value)
-                | Q(region__contains=search_value)
-                | Q(service__contains=search_value)
-                | Q(type__contains=search_value)
+                Q(text_search=search_query) | Q(tags__text_search=search_query)
             ).distinct()
 
         return queryset
 
+    def _optimize_tags_loading(self, queryset):
+        """Optimize tags loading with prefetch_related to avoid N+1 queries"""
+        # Use prefetch_related to load all tags in a single query
+        return queryset.prefetch_related(
+            Prefetch(
+                "tags",
+                queryset=ResourceTag.objects.filter(
+                    tenant_id=self.request.tenant_id
+                ).select_related(),
+                to_attr="prefetched_tags",
+            )
+        )
+
+    def _should_prefetch_findings(self) -> bool:
+        fields_param = self.request.query_params.get("fields[resources]", "")
+        include_param = self.request.query_params.get("include", "")
+        return (
+            fields_param == ""
+            or "findings" in fields_param.split(",")
+            or "findings" in include_param.split(",")
+        )
+
+    def _get_findings_prefetch(self):
+        findings_queryset = Finding.all_objects.defer("scan", "resources").filter(
+            tenant_id=self.request.tenant_id
+        )
+        return [Prefetch("findings", queryset=findings_queryset)]
+
+    def get_serializer_class(self):
+        if self.action in ["metadata", "metadata_latest"]:
+            return ResourceMetadataSerializer
+        return super().get_serializer_class()
+
+    def get_filterset_class(self):
+        if self.action in ["latest", "metadata_latest"]:
+            return LatestResourceFilter
+        return ResourceFilter
+
+    def filter_queryset(self, queryset):
+        # Do not apply filters when retrieving specific resource
+        if self.action == "retrieve":
+            return queryset
+        return super().filter_queryset(queryset)
+
+    def list(self, request, *args, **kwargs):
+        filtered_queryset = self.filter_queryset(self.get_queryset())
+        return self.paginate_by_pk(
+            request,
+            filtered_queryset,
+            manager=Resource.all_objects,
+            select_related=["provider"],
+            prefetch_related=(
+                self._get_findings_prefetch()
+                if self._should_prefetch_findings()
+                else []
+            ),
+        )
+
+    def retrieve(self, request, *args, **kwargs):
+        queryset = self._optimize_tags_loading(self.get_queryset())
+        instance = get_object_or_404(queryset, pk=kwargs.get("pk"))
+        mapping_ids = list(
+            ResourceFindingMapping.objects.filter(
+                resource=instance, tenant_id=request.tenant_id
+            ).values_list("finding_id", flat=True)
+        )
+        latest_findings = (
+            Finding.all_objects.filter(id__in=mapping_ids, tenant_id=request.tenant_id)
+            .order_by("uid", "-inserted_at")
+            .distinct("uid")
+        )
+        setattr(instance, "latest_findings", latest_findings)
+        serializer = self.get_serializer(instance)
+        return Response(serializer.data, status=status.HTTP_200_OK)
+
+    @action(detail=False, methods=["get"], url_name="latest")
+    def latest(self, request):
+        tenant_id = request.tenant_id
+        filtered_queryset = self.filter_queryset(self.get_queryset())
+
+        latest_scans = (
+            Scan.all_objects.filter(
+                tenant_id=tenant_id,
+                state=StateChoices.COMPLETED,
+            )
+            .order_by("provider_id", "-inserted_at")
+            .distinct("provider_id")
+            .values("provider_id")
+        )
+
+        filtered_queryset = filtered_queryset.filter(
+            provider_id__in=Subquery(latest_scans)
+        )
+
+        return self.paginate_by_pk(
+            request,
+            filtered_queryset,
+            manager=Resource.all_objects,
+            select_related=["provider"],
+            prefetch_related=(
+                self._get_findings_prefetch()
+                if self._should_prefetch_findings()
+                else []
+            ),
+        )
+
+    @action(detail=False, methods=["get"], url_name="metadata")
+    def metadata(self, request):
+        # Force filter validation
+        self.filter_queryset(self.get_queryset())
+
+        tenant_id = request.tenant_id
+        query_params = request.query_params
+
+        queryset = ResourceScanSummary.objects.filter(tenant_id=tenant_id)
+
+        if scans := query_params.get("filter[scan__in]") or query_params.get(
+            "filter[scan]"
+        ):
+            queryset = queryset.filter(scan_id__in=scans.split(","))
+        else:
+            exact = query_params.get("filter[inserted_at]")
+            gte = query_params.get("filter[inserted_at__gte]")
+            lte = query_params.get("filter[inserted_at__lte]")
+
+            date_filters = {}
+            if exact:
+                date = parse_date(exact)
+                datetime_start = datetime.combine(
+                    date, datetime.min.time(), tzinfo=timezone.utc
+                )
+                datetime_end = datetime_start + timedelta(days=1)
+                date_filters["scan_id__gte"] = uuid7_start(
+                    datetime_to_uuid7(datetime_start)
+                )
+                date_filters["scan_id__lt"] = uuid7_start(
+                    datetime_to_uuid7(datetime_end)
+                )
+            else:
+                if gte:
+                    date_start = parse_date(gte)
+                    datetime_start = datetime.combine(
+                        date_start, datetime.min.time(), tzinfo=timezone.utc
+                    )
+                    date_filters["scan_id__gte"] = uuid7_start(
+                        datetime_to_uuid7(datetime_start)
+                    )
+                if lte:
+                    date_end = parse_date(lte)
+                    datetime_end = datetime.combine(
+                        date_end + timedelta(days=1),
+                        datetime.min.time(),
+                        tzinfo=timezone.utc,
+                    )
+                    date_filters["scan_id__lt"] = uuid7_start(
+                        datetime_to_uuid7(datetime_end)
+                    )
+
+            if date_filters:
+                queryset = queryset.filter(**date_filters)
+
+        if service_filter := query_params.get("filter[service]") or query_params.get(
+            "filter[service__in]"
+        ):
+            queryset = queryset.filter(service__in=service_filter.split(","))
+        if region_filter := query_params.get("filter[region]") or query_params.get(
+            "filter[region__in]"
+        ):
+            queryset = queryset.filter(region__in=region_filter.split(","))
+        if resource_type_filter := query_params.get("filter[type]") or query_params.get(
+            "filter[type__in]"
+        ):
+            queryset = queryset.filter(
+                resource_type__in=resource_type_filter.split(",")
+            )
+
+        services = list(
+            queryset.values_list("service", flat=True).distinct().order_by("service")
+        )
+        regions = list(
+            queryset.values_list("region", flat=True).distinct().order_by("region")
+        )
+        resource_types = list(
+            queryset.values_list("resource_type", flat=True)
+            .exclude(resource_type__isnull=True)
+            .exclude(resource_type__exact="")
+            .distinct()
+            .order_by("resource_type")
+        )
+
+        result = {
+            "services": services,
+            "regions": regions,
+            "types": resource_types,
+        }
+
+        serializer = self.get_serializer(data=result)
+        serializer.is_valid(raise_exception=True)
+        return Response(serializer.data)
+
+    @action(
+        detail=False,
+        methods=["get"],
+        url_name="metadata_latest",
+        url_path="metadata/latest",
+    )
+    def metadata_latest(self, request):
+        tenant_id = request.tenant_id
+        query_params = request.query_params
+
+        latest_scans_queryset = (
+            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            .order_by("provider_id", "-inserted_at")
+            .distinct("provider_id")
+        )
+
+        queryset = ResourceScanSummary.objects.filter(
+            tenant_id=tenant_id,
+            scan_id__in=latest_scans_queryset.values_list("id", flat=True),
+        )
+
+        if service_filter := query_params.get("filter[service]") or query_params.get(
+            "filter[service__in]"
+        ):
+            queryset = queryset.filter(service__in=service_filter.split(","))
+        if region_filter := query_params.get("filter[region]") or query_params.get(
+            "filter[region__in]"
+        ):
+            queryset = queryset.filter(region__in=region_filter.split(","))
+        if resource_type_filter := query_params.get("filter[type]") or query_params.get(
+            "filter[type__in]"
+        ):
+            queryset = queryset.filter(
+                resource_type__in=resource_type_filter.split(",")
+            )
+
+        services = list(
+            queryset.values_list("service", flat=True).distinct().order_by("service")
+        )
+        regions = list(
+            queryset.values_list("region", flat=True).distinct().order_by("region")
+        )
+        resource_types = list(
+            queryset.values_list("resource_type", flat=True)
+            .exclude(resource_type__isnull=True)
+            .exclude(resource_type__exact="")
+            .distinct()
+            .order_by("resource_type")
+        )
+
+        result = {
+            "services": services,
+            "regions": regions,
+            "types": resource_types,
+        }
+
+        serializer = self.get_serializer(data=result)
+        serializer.is_valid(raise_exception=True)
+        return Response(serializer.data)
+
 
 @extend_schema_view(
     list=extend_schema(
@@ -2048,17 +2359,7 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
                 search_value, config="simple", search_type="plain"
             )
 
-            resource_match = Resource.all_objects.filter(
-                text_search=search_query,
-                id__in=ResourceFindingMapping.objects.filter(
-                    resource_id=OuterRef("pk"),
-                    tenant_id=tenant_id,
-                ).values("resource_id"),
-            )
-
-            queryset = queryset.filter(
-                Q(text_search=search_query) | Q(Exists(resource_match))
-            )
+            queryset = queryset.filter(text_search=search_query)
 
         return queryset
 
@@ -3194,7 +3495,7 @@ class ComplianceOverviewViewSet(BaseRLSViewSet, TaskManagementMixin):
 )
 @method_decorator(CACHE_DECORATOR, name="list")
 class OverviewViewSet(BaseRLSViewSet):
-    queryset = ComplianceOverview.objects.all()
+    queryset = ScanSummary.objects.all()
     http_method_names = ["get"]
     ordering = ["-inserted_at"]
     # RBAC required permissions (implicit -> MANAGE_PROVIDERS enable unlimited visibility or check the visibility of
@@ -3205,19 +3506,10 @@ class OverviewViewSet(BaseRLSViewSet):
         role = get_role(self.request.user)
         providers = get_providers(role)
 
-        def _get_filtered_queryset(model):
-            if role.unlimited_visibility:
-                return model.all_objects.filter(tenant_id=self.request.tenant_id)
-            return model.all_objects.filter(
-                tenant_id=self.request.tenant_id, scan__provider__in=providers
-            )
+        if not role.unlimited_visibility:
+            self.allowed_providers = providers
 
-        if self.action == "providers":
-            return _get_filtered_queryset(Finding)
-        elif self.action in ("findings", "findings_severity", "services"):
-            return _get_filtered_queryset(ScanSummary)
-        else:
-            return super().get_queryset()
+        return ScanSummary.all_objects.filter(tenant_id=self.request.tenant_id)
 
     def get_serializer_class(self):
         if self.action == "providers":
@@ -3250,18 +3542,24 @@ class OverviewViewSet(BaseRLSViewSet):
     @action(detail=False, methods=["get"], url_name="providers")
     def providers(self, request):
         tenant_id = self.request.tenant_id
+        queryset = self.get_queryset()
+        provider_filter = (
+            {"provider__in": self.allowed_providers}
+            if hasattr(self, "allowed_providers")
+            else {}
+        )
 
         latest_scan_ids = (
-            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            Scan.all_objects.filter(
+                tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
+            )
             .order_by("provider_id", "-inserted_at")
             .distinct("provider_id")
             .values_list("id", flat=True)
         )
 
         findings_aggregated = (
-            ScanSummary.all_objects.filter(
-                tenant_id=tenant_id, scan_id__in=latest_scan_ids
-            )
+            queryset.filter(scan_id__in=latest_scan_ids)
             .values(
                 "scan__provider_id",
                 provider=F("scan__provider__provider"),
@@ -3297,7 +3595,7 @@ class OverviewViewSet(BaseRLSViewSet):
             )
 
         return Response(
-            OverviewProviderSerializer(overview, many=True).data,
+            self.get_serializer(overview, many=True).data,
             status=status.HTTP_200_OK,
         )
 
@@ -3306,9 +3604,16 @@ class OverviewViewSet(BaseRLSViewSet):
         tenant_id = self.request.tenant_id
         queryset = self.get_queryset()
         filtered_queryset = self.filter_queryset(queryset)
+        provider_filter = (
+            {"provider__in": self.allowed_providers}
+            if hasattr(self, "allowed_providers")
+            else {}
+        )
 
         latest_scan_ids = (
-            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            Scan.all_objects.filter(
+                tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
+            )
             .order_by("provider_id", "-inserted_at")
             .distinct("provider_id")
             .values_list("id", flat=True)
@@ -3345,9 +3650,16 @@ class OverviewViewSet(BaseRLSViewSet):
         tenant_id = self.request.tenant_id
         queryset = self.get_queryset()
         filtered_queryset = self.filter_queryset(queryset)
+        provider_filter = (
+            {"provider__in": self.allowed_providers}
+            if hasattr(self, "allowed_providers")
+            else {}
+        )
 
         latest_scan_ids = (
-            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            Scan.all_objects.filter(
+                tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
+            )
             .order_by("provider_id", "-inserted_at")
             .distinct("provider_id")
             .values_list("id", flat=True)
@@ -3367,7 +3679,7 @@ class OverviewViewSet(BaseRLSViewSet):
         for item in severity_counts:
             severity_data[item["severity"]] = item["count"]
 
-        serializer = OverviewSeveritySerializer(severity_data)
+        serializer = self.get_serializer(severity_data)
         return Response(serializer.data, status=status.HTTP_200_OK)
 
     @action(detail=False, methods=["get"], url_name="services")
@@ -3375,9 +3687,16 @@ class OverviewViewSet(BaseRLSViewSet):
         tenant_id = self.request.tenant_id
         queryset = self.get_queryset()
         filtered_queryset = self.filter_queryset(queryset)
+        provider_filter = (
+            {"provider__in": self.allowed_providers}
+            if hasattr(self, "allowed_providers")
+            else {}
+        )
 
         latest_scan_ids = (
-            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            Scan.all_objects.filter(
+                tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
+            )
             .order_by("provider_id", "-inserted_at")
             .distinct("provider_id")
             .values_list("id", flat=True)
@@ -3395,7 +3714,7 @@ class OverviewViewSet(BaseRLSViewSet):
             .order_by("service")
         )
 
-        serializer = OverviewServiceSerializer(services_data, many=True)
+        serializer = self.get_serializer(services_data, many=True)
 
         return Response(serializer.data, status=status.HTTP_200_OK)
 

api/src/backend/conftest.py

@@ -29,6 +29,7 @@ from api.models import (
     ProviderSecret,
     Resource,
     ResourceTag,
+    ResourceTagMapping,
     Role,
     SAMLConfiguration,
     SAMLDomainIndex,
@@ -45,12 +46,19 @@ from api.v1.serializers import TokenSerializer
 from prowler.lib.check.models import Severity
 from prowler.lib.outputs.finding import Status
 
+TODAY = str(datetime.today().date())
 API_JSON_CONTENT_TYPE = "application/vnd.api+json"
 NO_TENANT_HTTP_STATUS = status.HTTP_401_UNAUTHORIZED
 TEST_USER = "dev@prowler.com"
 TEST_PASSWORD = "testing_psswd"
 
 
+def today_after_n_days(n_days: int) -> str:
+    return datetime.strftime(
+        datetime.today().date() + timedelta(days=n_days), "%Y-%m-%d"
+    )
+
+
 @pytest.fixture(scope="module")
 def enforce_test_user_db_connection(django_db_setup, django_db_blocker):
     """Ensure tests use the test user for database connections."""
@@ -654,6 +662,7 @@ def findings_fixture(scans_fixture, resources_fixture):
         check_metadata={
             "CheckId": "test_check_id",
             "Description": "test description apple sauce",
+            "servicename": "ec2",
         },
         first_seen_at="2024-01-02T00:00:00Z",
     )
@@ -680,6 +689,7 @@ def findings_fixture(scans_fixture, resources_fixture):
         check_metadata={
             "CheckId": "test_check_id",
             "Description": "test description orange juice",
+            "servicename": "s3",
         },
         first_seen_at="2024-01-02T00:00:00Z",
         muted=True,
@@ -1135,6 +1145,69 @@ def latest_scan_finding(authenticated_client, providers_fixture, resources_fixtu
     return finding
 
 
+@pytest.fixture(scope="function")
+def latest_scan_resource(authenticated_client, providers_fixture):
+    provider = providers_fixture[0]
+    tenant_id = str(providers_fixture[0].tenant_id)
+    scan = Scan.objects.create(
+        name="latest completed scan for resource",
+        provider=provider,
+        trigger=Scan.TriggerChoices.MANUAL,
+        state=StateChoices.COMPLETED,
+        tenant_id=tenant_id,
+    )
+    resource = Resource.objects.create(
+        tenant_id=tenant_id,
+        provider=provider,
+        uid="latest_resource_uid",
+        name="Latest Resource",
+        region="us-east-1",
+        service="ec2",
+        type="instance",
+        metadata='{"test": "metadata"}',
+        details='{"test": "details"}',
+    )
+
+    resource_tag = ResourceTag.objects.create(
+        tenant_id=tenant_id,
+        key="environment",
+        value="test",
+    )
+    ResourceTagMapping.objects.create(
+        tenant_id=tenant_id,
+        resource=resource,
+        tag=resource_tag,
+    )
+
+    finding = Finding.objects.create(
+        tenant_id=tenant_id,
+        uid="test_finding_uid_latest",
+        scan=scan,
+        delta="new",
+        status=Status.FAIL,
+        status_extended="test status extended ",
+        impact=Severity.critical,
+        impact_extended="test impact extended",
+        severity=Severity.critical,
+        raw_result={
+            "status": Status.FAIL,
+            "impact": Severity.critical,
+            "severity": Severity.critical,
+        },
+        tags={"test": "latest"},
+        check_id="test_check_id_latest",
+        check_metadata={
+            "CheckId": "test_check_id_latest",
+            "Description": "test description latest",
+        },
+        first_seen_at="2024-01-02T00:00:00Z",
+    )
+    finding.add_resources([resource])
+
+    backfill_resource_scan_summaries(tenant_id, str(scan.id))
+    return resource
+
+
 @pytest.fixture
 def saml_setup(tenants_fixture):
     tenant_id = tenants_fixture[0].id

api/src/backend/tasks/beat.py

@@ -2,10 +2,10 @@ import json
 from datetime import datetime, timedelta, timezone
 
 from django_celery_beat.models import IntervalSchedule, PeriodicTask
-from rest_framework_json_api.serializers import ValidationError
 from tasks.tasks import perform_scheduled_scan_task
 
 from api.db_utils import rls_transaction
+from api.exceptions import ConflictException
 from api.models import Provider, Scan, StateChoices
 
 
@@ -24,15 +24,9 @@ def schedule_provider_scan(provider_instance: Provider):
     if PeriodicTask.objects.filter(
         interval=schedule, name=task_name, task="scan-perform-scheduled"
     ).exists():
-        raise ValidationError(
-            [
-                {
-                    "detail": "There is already a scheduled scan for this provider.",
-                    "status": 400,
-                    "source": {"pointer": "/data/attributes/provider_id"},
-                    "code": "invalid",
-                }
-            ]
+        raise ConflictException(
+            detail="There is already a scheduled scan for this provider.",
+            pointer="/data/attributes/provider_id",
         )
 
     with rls_transaction(tenant_id):

api/src/backend/tasks/jobs/export.py

@@ -20,6 +20,7 @@ from prowler.lib.outputs.compliance.aws_well_architected.aws_well_architected im
 from prowler.lib.outputs.compliance.cis.cis_aws import AWSCIS
 from prowler.lib.outputs.compliance.cis.cis_azure import AzureCIS
 from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
+from prowler.lib.outputs.compliance.cis.cis_github import GithubCIS
 from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
@@ -93,6 +94,9 @@ COMPLIANCE_CLASS_MAP = {
         (lambda name: name == "prowler_threatscore_m365", ProwlerThreatScoreM365),
         (lambda name: name.startswith("iso27001_"), M365ISO27001),
     ],
+    "github": [
+        (lambda name: name.startswith("cis_"), GithubCIS),
+    ],
 }
 
 

api/src/backend/tasks/jobs/scan.py

@@ -1,19 +1,24 @@
 import json
 import time
+from collections import defaultdict
 from copy import deepcopy
 from datetime import datetime, timezone
 
 from celery.utils.log import get_task_logger
 from config.settings.celery import CELERY_DEADLOCK_ATTEMPTS
 from django.db import IntegrityError, OperationalError
-from django.db.models import Case, Count, IntegerField, Sum, When
+from django.db.models import Case, Count, IntegerField, Prefetch, Sum, When
 from tasks.utils import CustomEncoder
 
 from api.compliance import (
     PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE,
     generate_scan_compliance,
 )
-from api.db_utils import create_objects_in_batches, rls_transaction
+from api.db_utils import (
+    create_objects_in_batches,
+    rls_transaction,
+    update_objects_in_batches,
+)
 from api.exceptions import ProviderConnectionError
 from api.models import (
     ComplianceRequirementOverview,
@@ -103,7 +108,10 @@ def _store_resources(
 
 
 def perform_prowler_scan(
-    tenant_id: str, scan_id: str, provider_id: str, checks_to_execute: list[str] = None
+    tenant_id: str,
+    scan_id: str,
+    provider_id: str,
+    checks_to_execute: list[str] | None = None,
 ):
     """
     Perform a scan using Prowler and store the findings and resources in the database.
@@ -175,6 +183,7 @@ def perform_prowler_scan(
         resource_cache = {}
         tag_cache = {}
         last_status_cache = {}
+        resource_failed_findings_cache = defaultdict(int)
 
         for progress, findings in prowler_scan.scan():
             for finding in findings:
@@ -200,6 +209,9 @@ def perform_prowler_scan(
                                     },
                                 )
                                 resource_cache[resource_uid] = resource_instance
+
+                                # Initialize all processed resources in the cache
+                                resource_failed_findings_cache[resource_uid] = 0
                             else:
                                 resource_instance = resource_cache[resource_uid]
 
@@ -313,6 +325,11 @@ def perform_prowler_scan(
                     )
                     finding_instance.add_resources([resource_instance])
 
+                    # Increment failed_findings_count cache if the finding status is FAIL and not muted
+                    if status == FindingStatus.FAIL and not finding.muted:
+                        resource_uid = finding.resource_uid
+                        resource_failed_findings_cache[resource_uid] += 1
+
                 # Update scan resource summaries
                 scan_resource_cache.add(
                     (
@@ -330,6 +347,24 @@ def perform_prowler_scan(
 
         scan_instance.state = StateChoices.COMPLETED
 
+        # Update failed_findings_count for all resources in batches if scan completed successfully
+        if resource_failed_findings_cache:
+            resources_to_update = []
+            for resource_uid, failed_count in resource_failed_findings_cache.items():
+                if resource_uid in resource_cache:
+                    resource_instance = resource_cache[resource_uid]
+                    resource_instance.failed_findings_count = failed_count
+                    resources_to_update.append(resource_instance)
+
+            if resources_to_update:
+                update_objects_in_batches(
+                    tenant_id=tenant_id,
+                    model=Resource,
+                    objects=resources_to_update,
+                    fields=["failed_findings_count"],
+                    batch_size=1000,
+                )
+
     except Exception as e:
         logger.error(f"Error performing scan {scan_id}: {e}")
         exception = e
@@ -382,6 +417,9 @@ def aggregate_findings(tenant_id: str, scan_id: str):
     changed, unchanged). The results are grouped by `check_id`, `service`, `severity`, and `region`.
     These aggregated metrics are then stored in the `ScanSummary` table.
 
+    Additionally, it updates the failed_findings_count field for each resource based on the most
+    recent findings for each finding.uid.
+
     Args:
         tenant_id (str): The ID of the tenant to which the scan belongs.
         scan_id (str): The ID of the scan for which findings need to be aggregated.
@@ -550,18 +588,27 @@ def create_compliance_requirements(tenant_id: str, scan_id: str):
             prowler_provider = return_prowler_provider(provider_instance)
 
         # Get check status data by region from findings
+        findings = (
+            Finding.all_objects.filter(scan_id=scan_id, muted=False)
+            .only("id", "check_id", "status")
+            .prefetch_related(
+                Prefetch(
+                    "resources",
+                    queryset=Resource.objects.only("id", "region"),
+                    to_attr="small_resources",
+                )
+            )
+            .iterator(chunk_size=1000)
+        )
+
         check_status_by_region = {}
         with rls_transaction(tenant_id):
-            findings = Finding.objects.filter(scan_id=scan_id, muted=False)
             for finding in findings:
-                # Get region from resources
-                for resource in finding.resources.all():
+                for resource in finding.small_resources:
                     region = resource.region
-                    region_dict = check_status_by_region.setdefault(region, {})
-                    current_status = region_dict.get(finding.check_id)
-                    if current_status == "FAIL":
-                        continue
-                    region_dict[finding.check_id] = finding.status
+                    current_status = check_status_by_region.setdefault(region, {})
+                    if current_status.get(finding.check_id) != "FAIL":
+                        current_status[finding.check_id] = finding.status
 
         try:
             # Try to get regions from provider

api/src/backend/tasks/tests/test_beat.py

@@ -3,9 +3,9 @@ from unittest.mock import patch
 
 import pytest
 from django_celery_beat.models import IntervalSchedule, PeriodicTask
-from rest_framework_json_api.serializers import ValidationError
 from tasks.beat import schedule_provider_scan
 
+from api.exceptions import ConflictException
 from api.models import Scan
 
 
@@ -48,8 +48,8 @@ class TestScheduleProviderScan:
         with patch("tasks.tasks.perform_scheduled_scan_task.apply_async"):
             schedule_provider_scan(provider_instance)
 
-        # Now, try scheduling again, should raise ValidationError
-        with pytest.raises(ValidationError) as exc_info:
+        # Now, try scheduling again, should raise ConflictException
+        with pytest.raises(ConflictException) as exc_info:
             schedule_provider_scan(provider_instance)
 
         assert "There is already a scheduled scan for this provider." in str(

api/tests/performance/scenarios/resources.py

@@ -0,0 +1,234 @@
+from locust import events, task
+from utils.config import (
+    L_PROVIDER_NAME,
+    M_PROVIDER_NAME,
+    RESOURCES_UI_FIELDS,
+    S_PROVIDER_NAME,
+    TARGET_INSERTED_AT,
+)
+from utils.helpers import (
+    APIUserBase,
+    get_api_token,
+    get_auth_headers,
+    get_dynamic_filters_pairs,
+    get_next_resource_filter,
+    get_scan_id_from_provider_name,
+)
+
+GLOBAL = {
+    "token": None,
+    "scan_ids": {},
+    "resource_filters": None,
+    "large_resource_filters": None,
+}
+
+
+@events.test_start.add_listener
+def on_test_start(environment, **kwargs):
+    GLOBAL["token"] = get_api_token(environment.host)
+
+    GLOBAL["scan_ids"]["small"] = get_scan_id_from_provider_name(
+        environment.host, GLOBAL["token"], S_PROVIDER_NAME
+    )
+    GLOBAL["scan_ids"]["medium"] = get_scan_id_from_provider_name(
+        environment.host, GLOBAL["token"], M_PROVIDER_NAME
+    )
+    GLOBAL["scan_ids"]["large"] = get_scan_id_from_provider_name(
+        environment.host, GLOBAL["token"], L_PROVIDER_NAME
+    )
+
+    GLOBAL["resource_filters"] = get_dynamic_filters_pairs(
+        environment.host, GLOBAL["token"], "resources"
+    )
+    GLOBAL["large_resource_filters"] = get_dynamic_filters_pairs(
+        environment.host, GLOBAL["token"], "resources", GLOBAL["scan_ids"]["large"]
+    )
+
+
+class APIUser(APIUserBase):
+    def on_start(self):
+        self.token = GLOBAL["token"]
+        self.s_scan_id = GLOBAL["scan_ids"]["small"]
+        self.m_scan_id = GLOBAL["scan_ids"]["medium"]
+        self.l_scan_id = GLOBAL["scan_ids"]["large"]
+        self.available_resource_filters = GLOBAL["resource_filters"]
+        self.available_resource_filters_large_scan = GLOBAL["large_resource_filters"]
+
+    @task
+    def resources_default(self):
+        name = "/resources"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}"
+            f"&filter[updated_at]={TARGET_INSERTED_AT}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_default_ui_fields(self):
+        name = "/resources?fields"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}"
+            f"&fields[resources]={','.join(RESOURCES_UI_FIELDS)}"
+            f"&filter[updated_at]={TARGET_INSERTED_AT}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_default_include(self):
+        name = "/resources?include"
+        page = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page}"
+            f"&filter[updated_at]={TARGET_INSERTED_AT}"
+            f"&include=provider"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_metadata(self):
+        name = "/resources/metadata"
+        endpoint = f"/resources/metadata?filter[updated_at]={TARGET_INSERTED_AT}"
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task
+    def resources_scan_small(self):
+        name = "/resources?filter[scan_id] - 50k"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}" f"&filter[scan]={self.s_scan_id}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task
+    def resources_metadata_scan_small(self):
+        name = "/resources/metadata?filter[scan_id] - 50k"
+        endpoint = f"/resources/metadata?&filter[scan]={self.s_scan_id}"
+        self.client.get(
+            endpoint,
+            headers=get_auth_headers(self.token),
+            name=name,
+        )
+
+    @task(2)
+    def resources_scan_medium(self):
+        name = "/resources?filter[scan_id] - 250k"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}" f"&filter[scan]={self.m_scan_id}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task
+    def resources_metadata_scan_medium(self):
+        name = "/resources/metadata?filter[scan_id] - 250k"
+        endpoint = f"/resources/metadata?&filter[scan]={self.m_scan_id}"
+        self.client.get(
+            endpoint,
+            headers=get_auth_headers(self.token),
+            name=name,
+        )
+
+    @task
+    def resources_scan_large(self):
+        name = "/resources?filter[scan_id] - 500k"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}" f"&filter[scan]={self.l_scan_id}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task
+    def resources_scan_large_include(self):
+        name = "/resources?filter[scan_id]&include - 500k"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources?page[number]={page_number}"
+            f"&filter[scan]={self.l_scan_id}"
+            f"&include=provider"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task
+    def resources_metadata_scan_large(self):
+        endpoint = f"/resources/metadata?&filter[scan]={self.l_scan_id}"
+        self.client.get(
+            endpoint,
+            headers=get_auth_headers(self.token),
+            name="/resources/metadata?filter[scan_id] - 500k",
+        )
+
+    @task(2)
+    def resources_filters(self):
+        name = "/resources?filter[resource_filter]&include"
+        filter_name, filter_value = get_next_resource_filter(
+            self.available_resource_filters
+        )
+
+        endpoint = (
+            f"/resources?filter[{filter_name}]={filter_value}"
+            f"&filter[updated_at]={TARGET_INSERTED_AT}"
+            f"&include=provider"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_metadata_filters(self):
+        name = "/resources/metadata?filter[resource_filter]"
+        filter_name, filter_value = get_next_resource_filter(
+            self.available_resource_filters
+        )
+
+        endpoint = (
+            f"/resources/metadata?filter[{filter_name}]={filter_value}"
+            f"&filter[updated_at]={TARGET_INSERTED_AT}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_metadata_filters_scan_large(self):
+        name = "/resources/metadata?filter[resource_filter]&filter[scan_id] - 500k"
+        filter_name, filter_value = get_next_resource_filter(
+            self.available_resource_filters
+        )
+
+        endpoint = (
+            f"/resources/metadata?filter[{filter_name}]={filter_value}"
+            f"&filter[scan]={self.l_scan_id}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(2)
+    def resourcess_filter_large_scan_include(self):
+        name = "/resources?filter[resource_filter][scan]&include - 500k"
+        filter_name, filter_value = get_next_resource_filter(
+            self.available_resource_filters
+        )
+
+        endpoint = (
+            f"/resources?filter[{filter_name}]={filter_value}"
+            f"&filter[scan]={self.l_scan_id}"
+            f"&include=provider"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_latest_default_ui_fields(self):
+        name = "/resources/latest?fields"
+        page_number = self._next_page(name)
+        endpoint = (
+            f"/resources/latest?page[number]={page_number}"
+            f"&fields[resources]={','.join(RESOURCES_UI_FIELDS)}"
+        )
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)
+
+    @task(3)
+    def resources_latest_metadata_filters(self):
+        name = "/resources/metadata/latest?filter[resource_filter]"
+        filter_name, filter_value = get_next_resource_filter(
+            self.available_resource_filters
+        )
+
+        endpoint = f"/resources/metadata/latest?filter[{filter_name}]={filter_value}"
+        self.client.get(endpoint, headers=get_auth_headers(self.token), name=name)

api/tests/performance/utils/config.py

@@ -13,6 +13,23 @@ FINDINGS_RESOURCE_METADATA = {
     "resource_types": "resource_type",
     "services": "service",
 }
+RESOURCE_METADATA = {
+    "regions": "region",
+    "types": "type",
+    "services": "service",
+}
+
+RESOURCES_UI_FIELDS = [
+    "name",
+    "failed_findings_count",
+    "region",
+    "service",
+    "type",
+    "provider",
+    "inserted_at",
+    "updated_at",
+    "uid",
+]
 
 S_PROVIDER_NAME = "provider-50k"
 M_PROVIDER_NAME = "provider-250k"

api/tests/performance/utils/helpers.py

@@ -7,6 +7,7 @@ from locust import HttpUser, between
 from utils.config import (
     BASE_HEADERS,
     FINDINGS_RESOURCE_METADATA,
+    RESOURCE_METADATA,
     TARGET_INSERTED_AT,
     USER_EMAIL,
     USER_PASSWORD,
@@ -121,13 +122,16 @@ def get_scan_id_from_provider_name(host: str, token: str, provider_name: str) ->
     return response.json()["data"][0]["id"]
 
 
-def get_resource_filters_pairs(host: str, token: str, scan_id: str = "") -> dict:
+def get_dynamic_filters_pairs(
+    host: str, token: str, endpoint: str, scan_id: str = ""
+) -> dict:
     """
-    Retrieves and maps resource metadata filter values from the findings endpoint.
+    Retrieves and maps metadata filter values from a given endpoint.
 
     Args:
         host (str): The host URL of the API.
         token (str): Bearer token for authentication.
+        endpoint (str): The API endpoint to query for metadata.
         scan_id (str, optional): Optional scan ID to filter metadata. Defaults to using inserted_at timestamp.
 
     Returns:
@@ -136,22 +140,28 @@ def get_resource_filters_pairs(host: str, token: str, scan_id: str = "") -> dict
     Raises:
         AssertionError: If the request fails or does not return a 200 status code.
     """
+    metadata_mapping = (
+        FINDINGS_RESOURCE_METADATA if endpoint == "findings" else RESOURCE_METADATA
+    )
+    date_filter = "inserted_at" if endpoint == "findings" else "updated_at"
     metadata_filters = (
         f"filter[scan]={scan_id}"
         if scan_id
-        else f"filter[inserted_at]={TARGET_INSERTED_AT}"
+        else f"filter[{date_filter}]={TARGET_INSERTED_AT}"
     )
     response = requests.get(
-        f"{host}/findings/metadata?{metadata_filters}", headers=get_auth_headers(token)
+        f"{host}/{endpoint}/metadata?{metadata_filters}",
+        headers=get_auth_headers(token),
     )
     assert (
         response.status_code == 200
     ), f"Failed to get resource filters values: {response.text}"
     attributes = response.json()["data"]["attributes"]
+
     return {
-        FINDINGS_RESOURCE_METADATA[key]: values
+        metadata_mapping[key]: values
         for key, values in attributes.items()
-        if key in FINDINGS_RESOURCE_METADATA.keys()
+        if key in metadata_mapping.keys()
     }
 
 

contrib/wazuh/prowler-wrapper.py

@@ -23,6 +23,7 @@ import argparse
 import json
 import os
 import re
+import shlex
 import signal
 import socket
 import subprocess
@@ -145,11 +146,11 @@ def _get_script_arguments():
 
 def _run_prowler(prowler_args):
     _debug("Running prowler with args: {0}".format(prowler_args), 1)
-    _prowler_command = "{prowler}/prowler {args}".format(
-        prowler=PATH_TO_PROWLER, args=prowler_args
+    _prowler_command = shlex.split(
+        "{prowler}/prowler {args}".format(prowler=PATH_TO_PROWLER, args=prowler_args)
     )
-    _debug("Running command: {0}".format(_prowler_command), 2)
-    _process = subprocess.Popen(_prowler_command, stdout=subprocess.PIPE, shell=True)
+    _debug("Running command: {0}".format(" ".join(_prowler_command)), 2)
+    _process = subprocess.Popen(_prowler_command, stdout=subprocess.PIPE)
     _output, _error = _process.communicate()
     _debug("Raw prowler output: {0}".format(_output), 3)
     _debug("Raw prowler error: {0}".format(_error), 3)

dashboard/compliance/cis_4_0_azure.py

@@ -0,0 +1,25 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )

dashboard/pages/overview.py

@@ -1,5 +1,4 @@
 # Standard library imports
-import csv
 import glob
 import json
 import os
@@ -20,7 +19,6 @@ from dash.dependencies import Input, Output
 # Config import
 from dashboard.config import (
     critical_color,
-    encoding_format,
     fail_color,
     folder_path_overview,
     high_color,
@@ -46,6 +44,7 @@ from dashboard.lib.dropdowns import (
     create_table_row_dropdown,
 )
 from dashboard.lib.layouts import create_layout_overview
+from prowler.lib.logger import logger
 
 # Suppress warnings
 warnings.filterwarnings("ignore")
@@ -55,11 +54,13 @@ warnings.filterwarnings("ignore")
 csv_files = []
 
 for file in glob.glob(os.path.join(folder_path_overview, "*.csv")):
-    with open(file, "r", newline="", encoding=encoding_format) as csvfile:
-        reader = csv.reader(csvfile)
-        num_rows = sum(1 for row in reader)
+    try:
+        df = pd.read_csv(file, sep=";")
+        num_rows = len(df)
         if num_rows > 1:
             csv_files.append(file)
+    except Exception:
+        logger.error(f"Error reading file {file}")
 
 
 # Import logos providers
@@ -191,7 +192,13 @@ else:
         data.rename(columns={"RESOURCE_ID": "RESOURCE_UID"}, inplace=True)
 
     # Remove dupplicates on the finding_uid colummn but keep the last one taking into account the timestamp
-    data = data.sort_values("TIMESTAMP").drop_duplicates("FINDING_UID", keep="last")
+    data["DATE"] = data["TIMESTAMP"].dt.date
+    data = (
+        data.sort_values("TIMESTAMP")
+        .groupby(["DATE", "FINDING_UID"], as_index=False)
+        .last()
+    )
+    data["TIMESTAMP"] = pd.to_datetime(data["TIMESTAMP"])
 
     data["ASSESSMENT_TIME"] = data["TIMESTAMP"].dt.strftime("%Y-%m-%d")
     data_valid = pd.DataFrame()

docs/developer-guide/checks.md

@@ -8,15 +8,19 @@ Checks are the core component of Prowler. A check is a piece of code designed to
 
 ### Creating a Check
 
-To create a new check:
+The most common high level steps to create a new check are:
 
-- Prerequisites: A Prowler provider and service must exist. Verify support and check for pre-existing checks via [Prowler Hub](https://hub.prowler.com). If the provider or service is not present, please refer to the [Provider](./provider.md) and [Service](./services.md) documentation for creation instructions.
-
-- Navigate to the service directory. The path should be as follows: `prowler/providers/<provider>/services/<service>`.
-
-- Create a check-specific folder. The path should follow this pattern: `prowler/providers/<provider>/services/<service>/<check_name>`. Adhere to the [Naming Format for Checks](#naming-format-for-checks).
-
-- Populate the folder with files as specified in [File Creation](#file-creation).
+1. Prerequisites:
+    - Verify the check does not already exist by searching [Prowler Hub](https://hub.prowler.com) or checking `prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>/`.
+    - Ensure required provider and service exist. If not, follow the [Provider](./provider.md) and [Service](./services.md) documentation to create them.
+    - Confirm the service has implemented all required methods and attributes for the check (in most cases, you will need to add or modify some methods in the service to get the data you need for the check).
+2. Navigate to the service directory. The path should be as follows: `prowler/providers/<provider>/services/<service>`.
+3. Create a check-specific folder. The path should follow this pattern: `prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>`. Adhere to the [Naming Format for Checks](#naming-format-for-checks).
+4. Populate the folder with files as specified in [File Creation](#file-creation).
+5. Run the check locally to ensure it works as expected. For checking you can use the CLI in the next way:
+    - To ensure the check has been detected by Prowler: `poetry run python prowler-cli.py <provider> --list-checks | grep <check_name>`.
+    - To run the check, to find possible issues: `poetry run python prowler-cli.py <provider> --log-level ERROR --verbose --check <check_name>`.
+6. If the check is working as expected, you can submit a PR to Prowler.
 
 ### Naming Format for Checks
 
@@ -59,13 +63,19 @@ from prowler.providers.<provider>.services.<service>.<service>_client import <se
 # Each check must be implemented as a Python class with the same name as its corresponding file.
 # The class must inherit from the Check base class.
 class <check_name>(Check):
-    """Short description of what is being checked"""
+    """
+    Ensure that <resource> meets <security_requirement>.
+
+    This check evaluates whether <specific_condition> to ensure <security_benefit>.
+    - PASS: <description_of_compliant_state(s)>.
+    - FAIL: <description_of_non_compliant_state(s)>.
+    """
 
     def execute(self):
-        """Execute <check short description>
+        """Execute the check logic.
 
         Returns:
-            List[CheckReport<Provider>]: A list of reports containing the result of the check.
+            A list of reports containing the result of the check.
         """
         findings = []
         # Iterate over the target resources using the provider service client
@@ -147,12 +157,10 @@ else:
 Each check **must** populate the report with an unique identifier for the audited resource. This identifier or identifiers are going to depend on the provider and the resource that is being audited. Here are the criteria for each provider:
 
 - AWS
-
     - Amazon Resource ID — `report.resource_id`.
         - The resource identifier. This is the name of the resource, the ID of the resource, or a resource path. Some resource identifiers include a parent resource (sub-resource-type/parent-resource/sub-resource) or a qualifier such as a version (resource-type:resource-name:qualifier).
         - If the resource ID cannot be retrieved directly from the audited resource, it can be extracted from the ARN. It is the last part of the ARN after the last slash (`/`) or colon (`:`).
         - If no actual resource to audit exists, this format can be used: `<resource_type>/unknown`
-
     - Amazon Resource Name — `report.resource_arn`.
         - The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) of the audited entity.
         - If the ARN cannot be retrieved directly from the audited resource, construct a valid ARN using the `resource_id` component as the audited entity. Examples:
@@ -163,32 +171,24 @@ Each check **must** populate the report with an unique identifier for the audite
                 - AWS Security Hub — `arn:<partition>:security-hub:<region>:<account-id>:hub/unknown`.
                 - Access Analyzer — `arn:<partition>:access-analyzer:<region>:<account-id>:analyzer/unknown`.
                 - GuardDuty — `arn:<partition>:guardduty:<region>:<account-id>:detector/unknown`.
-
 - GCP
-
     - Resource ID — `report.resource_id`.
         - Resource ID represents the full, [unambiguous path to a resource](https://google.aip.dev/122#full-resource-names), known as the full resource name. Typically, it follows the format: `//{api_service/resource_path}`.
         - If the resource ID cannot be retrieved directly from the audited resource, by default the resource name is used.
     - Resource Name — `report.resource_name`.
         - Resource Name usually refers to the name of a resource within its service.
-
 - Azure
-
     - Resource ID — `report.resource_id`.
         - Resource ID represents the full Azure Resource Manager path to a resource, which follows the format: `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`.
     - Resource Name — `report.resource_name`.
         - Resource Name usually refers to the name of a resource within its service.
         - If the [resource name](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules) cannot be retrieved directly from the audited resource, the last part of the resource ID can be used.
-
 - Kubernetes
-
     - Resource ID — `report.resource_id`.
         - The UID of the Kubernetes object. This is a system-generated string that uniquely identifies the object within the cluster for its entire lifetime. See [Kubernetes Object Names and IDs - UIDs](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids).
     - Resource Name — `report.resource_name`.
         - The name of the Kubernetes object. This is a client-provided string that must be unique for the resource type within a namespace (for namespaced resources) or cluster (for cluster-scoped resources). Names typically follow DNS subdomain or label conventions. See [Kubernetes Object Names and IDs - Names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-
 - M365
-
     - Resource ID — `report.resource_id`.
         - If the audited resource has a globally unique identifier such as a `guid`, use it as the `resource_id`.
         - If no `guid` exists, use another unique and relevant identifier for the resource, such as the tenant domain, the internal policy ID, or a representative string following the format `<resource_type>/<name_or_id>`.
@@ -204,9 +204,7 @@ Each check **must** populate the report with an unique identifier for the audite
         - For global configurations:
             - `resource_id`: Tenant domain or representative string (e.g., "userSettings")
             - `resource_name`: Description of the configuration (e.g., "SharePoint Settings")
-
 - GitHub
-
     - Resource ID — `report.resource_id`.
         - The ID of the Github resource. This is a system-generated integer that uniquely identifies the resource within the Github platform.
     - Resource Name — `report.resource_name`.
@@ -260,44 +258,25 @@ Below is a generic example of a check metadata file. **Do not include comments i
 ### Metadata Fields and Their Purpose
 
 - **Provider** — The Prowler provider related to the check. The name **must** be lowercase and match the provider folder name. For supported providers refer to [Prowler Hub](https://hub.prowler.com/check) or directly to [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
-
 - **CheckID** — The unique identifier for the check inside the provider, this field **must** match the check's folder and python file and json metadata file name. For more information about the naming refer to the [Naming Format for Checks](#naming-format-for-checks) section.
-
 - **CheckTitle** — A concise, descriptive title for the check.
-
 - **CheckType** — *For now this field is only standardized for the AWS provider*.
     - For AWS this field must follow the [AWS Security Hub Types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Types) format. So the common pattern to follow is `namespace/category/classifier`, refer to the attached documentation for the valid values for this fields.
-
 - **ServiceName** — The name of the provider service being audited. This field **must** be in lowercase and match with the service folder name. For supported services refer to [Prowler Hub](https://hub.prowler.com/check) or directly to [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
-
 - **SubServiceName** — The subservice or resource within the service, if applicable. For more information refer to the [Naming Format for Checks](#naming-format-for-checks) section.
-
 - **ResourceIdTemplate** — A template for the unique resource identifier. For more information refer to the [Prowler's Resource Identification](#prowlers-resource-identification) section.
-
 - **Severity** — The severity of the finding if the check fails. Must be one of: `critical`, `high`, `medium`, `low`, or `informational`, this field **must** be in lowercase. To get more information about the severity levels refer to the [Prowler's Check Severity Levels](#prowlers-check-severity-levels) section.
-
 - **ResourceType** — The type of resource being audited. *For now this field is only standardized for the AWS provider*.
-
     - For AWS use the [Security Hub resource types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html) or, if not available, the PascalCase version of the [CloudFormation type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) (e.g., `AwsEc2Instance`). Use "Other" if no match exists.
-
 - **Description** — A short description of what the check does.
-
 - **Risk** — The risk or impact if the check fails, explaining why the finding matters.
-
 - **RelatedUrl** — A URL to official documentation or further reading about the check's purpose. If no official documentation is available, use the risk and recommendation text from trusted third-party sources.
-
 - **Remediation** — Guidance for fixing a failed check, including:
-
     - **Code** — Remediation commands or code snippets for CLI, Terraform, native IaC, or other tools like the Web Console.
-
     - **Recommendation** — A textual human readable recommendation. Here it is not necessary to include actual steps, but rather a general recommendation about what to do to fix the check.
-
 - **Categories** — One or more categories for grouping checks in execution (e.g., `internet-exposed`). For the current list of categories, refer to the [Prowler Hub](https://hub.prowler.com/check).
-
 - **DependsOn** — Currently not used.
-
 - **RelatedTo** — Currently not used.
-
 - **Notes** — Any additional information not covered by other fields.
 
 ### Remediation Code Guidelines
@@ -312,3 +291,28 @@ When providing remediation steps, reference the following sources:
 ### Python Model Reference
 
 The metadata structure is enforced in code using a Pydantic model. For reference, see the [`CheckMetadata`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py).
+
+## Generic Check Patterns and Best Practices
+
+### Common Patterns
+
+- Every check is implemented as a class inheriting from `Check` (from `prowler.lib.check.models`).
+- The main logic is implemented in the `execute()` method (**only method that must be implemented**), which always returns a list of provider-specific report objects (e.g., `CheckReport<Provider>`)—one per finding/resource. If there are no findings/resources, return an empty list.
+- **Never** use the provider's client directly; instead, use the service client (e.g., `<service>_client`) and iterate over its resources.
+- For each resource, create a provider-specific report object, populate it with metadata, resource details, status (`PASS`, `FAIL`, etc.), and a human-readable `status_extended` message.
+- Use the `metadata()` method to attach check metadata to each report.
+- Checks are designed to be idempotent and stateless: they do not modify resources, only report on their state.
+
+### Best Practices
+
+- Use clear, actionable, and user-friendly language in `status_extended` to explain the result. Always provide information to identify the resource.
+- Use helper functions/utilities for repeated logic to avoid code duplication. Save them in the `lib` folder of the service.
+- Handle exceptions gracefully: catch errors per resource, log them, and continue processing other resources.
+- Document the check with a class and function level docstring explaining what it does, what it checks, and any caveats or provider-specific behaviors.
+- Use type hints for the `execute()` method (e.g., `-> list[CheckReport<Provider>]`) for clarity and static analysis.
+- Ensure checks are efficient; avoid excessive nested loops. If the complexity is high, consider refactoring the check.
+- Keep the check logic focused: one check = one control/requirement. Avoid combining unrelated logic in a single check.
+
+## Specific Check Patterns
+
+Details for specific providers can be found in documentation pages named using the pattern `<provider_name>-details`.

docs/developer-guide/lighthouse.md

@@ -1,6 +1,6 @@
-# Extending Prowler Lighthouse
+# Extending Prowler Lighthouse AI
 
-This guide helps developers customize and extend Prowler Lighthouse by adding or modifying AI agents.
+This guide helps developers customize and extend Prowler Lighthouse AI by adding or modifying AI agents.
 
 ## Understanding AI Agents
 
@@ -13,7 +13,7 @@ AI agents fall into two main categories:
 - **Autonomous Agents**: Freely chooses from available tools to complete tasks, adapting their approach based on context. They decide which tools to use and when.
 - **Workflow Agents**: Follows structured paths with predefined logic. They execute specific tool sequences and can include conditional logic.
 
-Prowler Lighthouse is an autonomous agent - selecting the right tool(s) based on the users query.
+Prowler Lighthouse AI is an autonomous agent - selecting the right tool(s) based on the users query.
 
 ???+ note
     To learn more about AI agents, read [Anthropic's blog post on building effective agents](https://www.anthropic.com/engineering/building-effective-agents).
@@ -24,15 +24,15 @@ The autonomous nature of agents depends on the underlying LLM. Autonomous agents
 
 After evaluating multiple LLM providers (OpenAI, Gemini, Claude, LLama) based on tool calling features and response accuracy, we recommend using the `gpt-4o` model.
 
-## Prowler Lighthouse Architecture
+## Prowler Lighthouse AI Architecture
 
-Prowler Lighthouse uses a multi-agent architecture orchestrated by the [Langgraph-Supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor) library.
+Prowler Lighthouse AI uses a multi-agent architecture orchestrated by the [Langgraph-Supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor) library.
 
 ### Architecture Components
 
 <img src="../../tutorials/img/lighthouse-architecture.png" alt="Prowler Lighthouse architecture">
 
-Prowler Lighthouse integrates with the NextJS application:
+Prowler Lighthouse AI integrates with the NextJS application:
 
 - The [Langgraph-Supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor) library integrates directly with NextJS
 - The system uses the authenticated user session to interact with the Prowler API server
@@ -74,7 +74,7 @@ Modifying the supervisor prompt allows you to:
 
 The supervisor agent and all specialized agents are defined in the `route.ts` file. The supervisor agent uses [langgraph-supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor), while other agents use the prebuilt [create-react-agent](https://langchain-ai.github.io/langgraphjs/how-tos/create-react-agent/).
 
-To add new capabilities or all Lighthouse to interact with other APIs, create additional specialized agents:
+To add new capabilities or all Lighthouse AI to interact with other APIs, create additional specialized agents:
 
 1. First determine what the new agent would do. Create a detailed prompt defining the agent's purpose and capabilities. You can see an example from [here](https://github.com/prowler-cloud/prowler/blob/master/ui/lib/lighthouse/prompts.ts#L359-L385).
 ???+ note

docs/developer-guide/services.md

@@ -21,6 +21,8 @@ Within this folder the following files are also to be created:
 - `<new_service_name>_service.py` – Contains all the logic and API calls of the service.
 - `<new_service_name>_client_.py` – Contains the initialization of the freshly created service's class so that the checks can use it.
 
+Once the files are create, you can check that the service has been created by running the following command: `poetry run python prowler-cli.py <provider> --list-services | grep <new_service_name>`.
+
 ## Service Structure and Initialisation
 
 The Prowler's service structure is as outlined below. To initialise it, just import the service client in a check.
@@ -75,7 +77,7 @@ class <Service>(ServiceParentClass):
         # String in case the provider's API service name is different.
         super().__init__(__class__.__name__, provider)
 
-        # Create an empty dictionary of items to be gathered, using the unique ID as the dictionary’s key, e.g., instances.
+        # Create an empty dictionary of items to be gathered, using the unique ID as the dictionary's key, e.g., instances.
         self.<items> = {}
 
         # If parallelization can be carried out by regions or locations, the function __threading_call__ to be used must be implemented in the Service Parent Class.
@@ -160,11 +162,9 @@ class <Service>(ServiceParentClass):
 ???+note
     To prevent false findings, when Prowler fails to retrieve items due to Access Denied or similar errors, the affected item's value is set to `None`.
 
-#### Service Models
+#### Resource Models
 
-Service models define structured classes used within services to store and process data extracted from API calls.
-
-Using Pydantic for Data Validation
+Resource models define structured classes used within services to store and process data extracted from API calls. They are defined in the same file as the service class, but outside of the class, usually at the bottom of the file.
 
 Prowler leverages Pydantic's [BaseModel](https://docs.pydantic.dev/latest/api/base_model/#pydantic.BaseModel) to enforce data validation.
 
@@ -227,7 +227,7 @@ from prowler.providers.<provider>.services.<new_service_name>.<new_service_name>
 
 ## Provider Permissions in Prowler
 
-Before implementing a new service, verify that Prowler’s existing permissions for each provider are sufficient. If additional permissions are required, refer to the relevant documentation and update accordingly.
+Before implementing a new service, verify that Prowler's existing permissions for each provider are sufficient. If additional permissions are required, refer to the relevant documentation and update accordingly.
 
 Provider-Specific Permissions Documentation:
 
@@ -235,3 +235,16 @@ Provider-Specific Permissions Documentation:
 - [Azure](../getting-started/requirements.md#needed-permissions)
 - [GCP](../getting-started/requirements.md#needed-permissions_1)
 - [M365](../getting-started/requirements.md#needed-permissions_2)
+- [GitHub](../getting-started/requirements.md#authentication_2)
+
+## Best Practices
+
+- When available in the provider, use threading or parallelization utilities for all methods that can be parallelized by to maximize performance and reduce scan time.
+- Define a Pydantic `BaseModel` for every resource you manage, and use these models for all resource data handling.
+- Log every major step (start, success, error) in resource discovery and attribute collection for traceability and debugging; include as much context as possible.
+- Catch and log all exceptions, providing detailed context (region, subscription, resource, error type, line number) to aid troubleshooting.
+- Use consistent naming for resource containers, unique identifiers, and model attributes to improve code readability and maintainability.
+- Add docstrings to every method and comments to explain any service-specific logic, especially where provider APIs behave differently or have quirks.
+- Collect and store resource tags and additional attributes to support richer checks and reporting.
+- Leverage shared utility helpers for session setup, identifier parsing, and other cross-cutting concerns to avoid code duplication. This kind of code is typically stored in a `lib` folder in the service folder.
+- Keep code modular, maintainable, and well-documented for ease of extension and troubleshooting.

docs/index.md

@@ -1,12 +1,33 @@
-**Prowler** is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call <a href="https://prowler.com">Prowler Cloud</a>.
+**Prowler** is the open source cloud security platform trusted by thousands to **automate security and compliance** in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
+
+The official supported providers right now are:
+
+- **AWS**
+- **Azure**
+- **Google Cloud**
+- **Kubernetes**
+- **M365**
+- **Github**
+
+Prowler supports **auditing, incident response, continuous monitoring, hardening, forensic readiness, and remediation**.
+
+### Prowler Components
+
+- **Prowler CLI** (Command Line Interface) – Known as **Prowler Open Source**.
+- **Prowler Cloud** – A managed service built on top of Prowler CLI.
+  More information: [Prowler Cloud](https://prowler.com)
 
 ## Prowler App
 
 ![Prowler App](img/overview.png)
 
-Prowler App is a web application that allows you to run Prowler in a simple way. It provides a user-friendly interface to configure and run scans, view results, and manage your security findings.
+Prowler App is a web application that simplifies running Prowler. It provides:
 
-See how to install the Prowler App in the [Quick Start](#prowler-app-installation) section.
+- A **user-friendly interface** for configuring and executing scans.
+- A dashboard to **view results** and manage **security findings**.
+
+### Installation Guide
+Refer to the [Quick Start](#prowler-app-installation) section for installation steps.
 
 ## Prowler CLI
 
@@ -22,14 +43,37 @@ prowler dashboard
 ```
 ![Prowler Dashboard](img/dashboard.png)
 
-It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
+Prowler includes hundreds of security controls aligned with widely recognized industry frameworks and standards, including:
+
+- CIS Benchmarks (AWS, Azure, Microsoft 365, Kubernetes, GitHub)
+- NIST SP 800-53 (rev. 4 and 5) and NIST SP 800-171
+- NIST Cybersecurity Framework (CSF)
+- CISA Guidelines
+- FedRAMP Low & Moderate
+- PCI DSS v3.2.1 and v4.0
+- ISO/IEC 27001:2013 and 2022
+- SOC 2
+- GDPR (General Data Protection Regulation)
+- HIPAA (Health Insurance Portability and Accountability Act)
+- FFIEC (Federal Financial Institutions Examination Council)
+- ENS RD2022 (Spanish National Security Framework)
+- GxP 21 CFR Part 11 and EU Annex 11
+- RBI Cybersecurity Framework (Reserve Bank of India)
+- KISA ISMS-P (Korean Information Security Management System)
+- MITRE ATT&CK
+- AWS Well-Architected Framework (Security & Reliability Pillars)
+- AWS Foundational Technical Review (FTR)
+- Microsoft NIS2 Directive (EU)
+- Custom threat scoring frameworks (prowler_threatscore)
+- Custom security frameworks for enterprise needs
 
 ## Quick Start
+
 ### Prowler App Installation
 
-Prowler App can be installed in different ways, depending on your environment:
+Prowler App supports multiple installation methods based on your environment.
 
-> See how to use Prowler App in the [Prowler App Tutorial](tutorials/prowler-app.md) section.
+Refer to the [Prowler App Tutorial](tutorials/prowler-app.md) for detailed usage instructions.
 
 === "Docker Compose"
 
@@ -136,7 +180,7 @@ Prowler App can be installed in different ways, depending on your environment:
 
 ### Prowler CLI Installation
 
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed as Python package with `Python >= 3.9, <= 3.12`:
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/). Consequently, it can be installed as Python package with `Python >= 3.9, <= 3.12`:
 
 === "pipx"
 
@@ -274,7 +318,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
 === "AWS CloudShell"
 
-    After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [[2]](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html), there is no longer a need to manually compile Python 3.9 as it's already included in AL2023. Prowler can thus be easily installed following the Generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:
+    After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [[2]](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html), there is no longer a need to manually compile Python 3.9 as it is already included in AL2023. Prowler can thus be easily installed following the generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:
 
     _Requirements_:
 
@@ -312,13 +356,58 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
     prowler azure --az-cli-auth
     ```
 
+### Prowler App Update
+
+You have two options to upgrade your Prowler App installation:
+
+#### Option 1: Change env file with the following values
+
+Edit your `.env` file and change the version values:
+
+```env
+PROWLER_UI_VERSION="5.9.0"
+PROWLER_API_VERSION="5.9.0"
+```
+
+#### Option 2: Run the following command
+
+```bash
+docker compose pull --policy always
+```
+
+The `--policy always` flag ensures that Docker pulls the latest images even if they already exist locally.
+
+
+???+ note "What Gets Preserved During Upgrade"
+
+    Everything is preserved, nothing will be deleted after the update.
+
+#### Troubleshooting
+
+If containers don't start, check logs for errors:
+
+```bash
+# Check logs for errors
+docker compose logs
+
+# Verify image versions
+docker images | grep prowler
+```
+
+If you encounter issues, you can rollback to the previous version by changing the `.env` file back to your previous version and running:
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
 ## Prowler container versions
 
 The available versions of Prowler CLI are the following:
 
-- `latest`: in sync with `master` branch (bear in mind that it is not a stable version)
-- `v4-latest`: in sync with `v4` branch (bear in mind that it is not a stable version)
-- `v3-latest`: in sync with `v3` branch (bear in mind that it is not a stable version)
+- `latest`: in sync with `master` branch (please note that it is not a stable version)
+- `v4-latest`: in sync with `v4` branch (please note that it is not a stable version)
+- `v3-latest`: in sync with `v3` branch (please note that it is not a stable version)
 - `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
 - `stable`: this tag always point to the latest release.
 - `v4-stable`: this tag always point to the latest release for v4.
@@ -348,7 +437,7 @@ The **Prowler App** consists of three main components:
 
 - **Prowler UI**: A user-friendly web interface for running Prowler and viewing results, powered by Next.js.
 - **Prowler API**: The backend API that executes Prowler scans and stores the results, built with Django REST Framework.
-- **Prowler SDK**: A Python SDK that integrates with the Prowler CLI for advanced functionality.
+- **Prowler SDK**: A Python SDK that integrates with Prowler CLI for advanced functionality.
 
 The app leverages the following supporting infrastructure:
 
@@ -360,24 +449,29 @@ The app leverages the following supporting infrastructure:
 
 ## Deprecations from v3
 
-### General
-- `Allowlist` now is called `Mutelist`.
-- The `--quiet` option has been deprecated, now use the `--status` flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
-- All `INFO` finding's status has changed to `MANUAL`.
-- The CSV output format is common for all the providers.
+The following are the deprecations carried out from v3.
 
-We have deprecated some of our outputs formats:
+### General
+
+- `Allowlist` now is called `Mutelist`.
+- The `--quiet` option has been deprecated. From now on use the `--status` flag to select the finding's status you want to get: PASS, FAIL or MANUAL.
+- All `INFO` finding's status has changed to `MANUAL`.
+- The CSV output format is common for all providers.
+
+Some output formats are now deprecated:
 
 - The native JSON is replaced for the JSON [OCSF](https://schema.ocsf.io/) v1.1.0, common for all the providers.
 
 ### AWS
-- Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
-- To send only FAILS to AWS Security Hub, now use either `--send-sh-only-fails` or `--security-hub --status FAIL`.
+- Deprecate the AWS flag `--sts-endpoint-region` since AWS STS regional tokens are used.
+- To send only FAILS to AWS Security Hub, now you must use either `--send-sh-only-fails` or `--security-hub --status FAIL`.
 
 ## Basic Usage
+
 ### Prowler App
 
 #### **Access the App**
+
 Go to [http://localhost:3000](http://localhost:3000) after installing the app (see [Quick Start](#prowler-app-installation)). Sign up with your email and password.
 
 <img src="img/sign-up-button.png" alt="Sign Up Button" width="320"/>
@@ -391,42 +485,61 @@ Go to [http://localhost:3000](http://localhost:3000) after installing the app (s
 
         - A new tenant is automatically created.
         - The new user is assigned to this tenant.
-        - A set of **RBAC admin permissions** is generated and assigned to the user for the newly created tenant.
+        - A set of **RBAC admin permissions** is generated and assigned to the user for the newly-created tenant.
+
     - **With an invitation**: The user is added to the specified tenant with the permissions defined in the invitation.
 
     This mechanism ensures that the first user in a newly created tenant has administrative permissions within that tenant.
 
-#### **Log In**
-Log in with your email and password to start using the Prowler App.
+#### Log In
+
+Log in using your **email and password** to access the Prowler App.
 
 <img src="img/log-in.png" alt="Log In" width="285"/>
 
-#### **Add a Provider**
-- Go to `Settings > Cloud Providers` and click `Add Account`.
-- Select the provider you want to scan (AWS, GCP, Azure, Kubernetes).
-- Enter the provider's ID (AWS Account ID, GCP Project ID, Azure Subscription ID, Kubernetes Cluster) and optional alias.
-- Follow the instructions to add your credentials.
+#### Add a Cloud Provider
 
-#### **Start a Scan**
-After successfully adding and testing your credentials, Prowler will start scanning your cloud environment, click on the `Go to Scans` button to see the progress.
+To configure a cloud provider for scanning:
 
-#### **View Results**
-While the scan is running, start exploring the findings in these sections:
+1. Navigate to `Settings > Cloud Providers` and click `Add Account`.
+2. Select the cloud provider you wish to scan (**AWS, GCP, Azure, Kubernetes**).
+3. Enter the provider's identifier (Optional: Add an alias):
+    - **AWS**: Account ID
+    - **GCP**: Project ID
+    - **Azure**: Subscription ID
+    - **Kubernetes**: Cluster ID
+    - **M36**: Domain ID
+4. Follow the guided instructions to add and authenticate your credentials.
 
-- **Overview**: High-level summary of the scans. <img src="img/overview.png" alt="Overview" width="700"/>
-- **Compliance**: Insights into compliance status. <img src="img/compliance.png" alt="Compliance" width="700"/>
+#### Start a Scan
 
-> See more details about the Prowler App usage in the [Prowler App](tutorials/prowler-app.md) section.
+Once credentials are successfully added and validated, Prowler initiates a scan of your cloud environment.
+
+Click `Go to Scans` to monitor progress.
+
+#### View Results
+
+While the scan is running, you can review findings in the following sections:
+
+- **Overview** – Provides a high-level summary of your scans.
+  <img src="img/overview.png" alt="Overview" width="700"/>
+
+- **Compliance** – Displays compliance insights based on security frameworks.
+  <img src="img/compliance.png" alt="Compliance" width="700"/>
+
+> For detailed usage instructions, refer to the [Prowler App Guide](tutorials/prowler-app.md).
 
 ???+ note
     Prowler will automatically scan all configured providers every **24 hours**, ensuring your cloud environment stays continuously monitored.
 
 ### Prowler CLI
 
-To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure`, `m365` or `kubernetes`):
+#### Running Prowler
+
+To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure`, `m365`, `github` or `kubernetes`):
 
 ???+ note
-    If no provider specified, AWS will be used for backward compatibility with most of v2 options.
+    If no provider is specified, AWS is used by default for backward compatibility with Prowler v2.
 
 ```console
 prowler <provider>
@@ -434,27 +547,34 @@ prowler <provider>
 ![Prowler Execution](img/short-display.png)
 
 ???+ note
-    Running the `prowler` command without options will use your environment variable credentials, see [Requirements](./getting-started/requirements.md) section to review the credentials settings.
+    Running the `prowler` command without options will uses environment variable credentials. Refer to the [Requirements](./getting-started/requirements.md) section for credential configuration details.
 
-If you miss the former output you can use `--verbose` but Prowler v4 is smoking fast, so you won't see much ;
+#### Verbose Output
 
-By default, Prowler generates CSV, JSON-OCSF and HTML reports. However, you can generate a JSON-ASFF report (used by AWS Security Hub) with `-M` or `--output-modes`:
+If you prefer the former verbose output, use: `--verbose`. This allows seeing more info while Prowler is running, minimal output is displayed unless verbosity is enabled.
+
+#### Report Generation
+
+By default, Prowler generates CSV, JSON-OCSF, and HTML reports. To generate a JSON-ASFF report (used by AWS Security Hub), specify `-M` or `--output-modes`:
 
 ```console
 prowler <provider> -M csv json-asff json-ocsf html
 ```
-The html report will be located in the output directory as the other files and it will look like:
+The HTML report is saved in the output directory, alongside other reports. It will look like this:
 
 ![Prowler Execution](img/html-output.png)
 
-You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.
+#### Listing Available Checks and Services
+
+To view all available checks or services within a provider:, use `-l`/`--list-checks` or `--list-services`.
 
 ```console
 prowler <provider> --list-checks
 prowler <provider> --list-services
 ```
+#### Running Specific Checks or Services
 
-For executing specific checks or services you can use options `-c`/`checks` or `-s`/`services`:
+Execute specific checks or services using `-c`/`checks` or `-s`/`services`:
 
 ```console
 prowler azure --checks storage_blob_public_access_level_is_disabled
@@ -462,8 +582,9 @@ prowler aws --services s3 ec2
 prowler gcp --services iam compute
 prowler kubernetes --services etcd apiserver
 ```
+#### Excluding Checks and Services
 
-Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
+Checks and services can be excluded with `-e`/`--excluded-checks` or `--excluded-services`:
 
 ```console
 prowler aws --excluded-checks s3_bucket_public_access
@@ -471,10 +592,11 @@ prowler azure --excluded-services defender iam
 prowler gcp --excluded-services kms
 prowler kubernetes --excluded-services controllermanager
 ```
+#### Additional Options
 
-More options and executions methods that will save your time in [Miscellaneous](tutorials/misc.md).
+Explore more advanced time-saving execution methods in the [Miscellaneous](tutorials/misc.md) section.
 
-You can always use `-h`/`--help` to access to the usage information and all the possible options:
+To access the help menu and view all available options, use: `-h`/`--help`:
 
 ```console
 prowler --help
@@ -482,7 +604,7 @@ prowler --help
 
 #### AWS
 
-Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`:
+Use a custom AWS profile with `-p`/`--profile` and/or the AWS regions you want to audit with `-f`/`--filter-region`:
 
 ```console
 prowler aws --profile custom-profile -f us-east-1 eu-south-2
@@ -491,11 +613,11 @@ prowler aws --profile custom-profile -f us-east-1 eu-south-2
 ???+ note
     By default, `prowler` will scan all AWS regions.
 
-See more details about AWS Authentication in [Requirements](getting-started/requirements.md#aws)
+See more details about AWS Authentication in the [Requirements](getting-started/requirements.md#aws) section.
 
 #### Azure
 
-With Azure you need to specify which auth method is going to be used:
+Azure requires specifying the auth method:
 
 ```console
 # To use service principal authentication
@@ -513,62 +635,73 @@ prowler azure --managed-identity-auth
 
 See more details about Azure Authentication in [Requirements](getting-started/requirements.md#azure)
 
-Prowler by default scans all the subscriptions that is allowed to scan, if you want to scan a single subscription or various specific subscriptions you can use the following flag (using az cli auth as example):
+By default, Prowler scans all the subscriptions for which it has permissions. To scan a single or various specific subscription you can use the following flag (using az cli auth as example):
+
 ```console
 prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
 ```
-
 #### Google Cloud
 
-Prowler will use by default your User Account credentials, you can configure it using:
+- **User Account Credentials**
 
-- `gcloud init` to use a new account
-- `gcloud config set account <account>` to use an existing account
+    By default, Prowler uses **User Account credentials**. You can configure your account using:
 
-Then, obtain your access credentials using: `gcloud auth application-default login`
+    - `gcloud init` – Set up a new account.
+    - `gcloud config set account <account>` – Switch to an existing account.
 
-Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:
+    Once configured, obtain access credentials using: `gcloud auth application-default login`.
 
-```console
-prowler gcp --credentials-file path
-```
+- **Service Account Authentication**
 
-Prowler by default scans all the GCP Projects that is allowed to scan, if you want to scan a single project or various specific projects you can use the following flag:
-```console
-prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
-```
+    Alternatively, you can use Service Account credentials:
 
-See more details about GCP Authentication in [Requirements](getting-started/requirements.md#google-cloud)
+    Generate and download Service Account keys in JSON format. Refer to [Google IAM documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for details.
+
+    Provide the key file location using this argument:
+
+    ```console
+    prowler gcp --credentials-file path
+    ```
+
+- **Scanning Specific GCP Projects**
+
+    By default, Prowler scans all accessible GCP projects. To scan specific projects, use the `--project-ids` flag:
+
+    ```console
+    prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
+    ```
 
 #### Kubernetes
 
-Prowler allows you to scan your Kubernetes Cluster either from within the cluster or from outside the cluster.
+Prowler enables security scanning of Kubernetes clusters, supporting both **in-cluster** and **external** execution.
 
-For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:
+- **Non In-Cluster Execution**
 
-```console
-prowler kubernetes --kubeconfig-file path
-```
-???+ note
-    If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
+    ```console
+    prowler kubernetes --kubeconfig-file path
+    ```
+    ???+ note
+        If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
 
-For in-cluster execution, you can use the supplied yaml to run Prowler as a job within a new Prowler namespace:
-```console
-kubectl apply -f kubernetes/prowler-sa.yaml
-kubectl apply -f kubernetes/job.yaml
-kubectl apply -f kubernetes/prowler-role.yaml
-kubectl apply -f kubernetes/prowler-rolebinding.yaml
-kubectl get pods --namespace prowler-ns --> prowler-XXXXX
-kubectl logs prowler-XXXXX --namespace prowler-ns
-```
+- **In-Cluster Execution**
 
-???+ note
-    By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
+    To run Prowler inside the cluster, apply the provided YAML configuration to deploy a job in a new namespace:
 
+    ```console
+    kubectl apply -f kubernetes/prowler-sa.yaml
+    kubectl apply -f kubernetes/job.yaml
+    kubectl apply -f kubernetes/prowler-role.yaml
+    kubectl apply -f kubernetes/prowler-rolebinding.yaml
+    kubectl get pods --namespace prowler-ns --> prowler-XXXXX
+    kubectl logs prowler-XXXXX --namespace prowler-ns
+    ```
+
+    ???+ note
+        By default, Prowler scans all namespaces in the active Kubernetes context. Use the `--context`flag to specify the context to be scanned and `--namespaces` to restrict scanning to specific namespaces.
 
 #### Microsoft 365
 
-With M365 you need to specify which auth method is going to be used:
+Microsoft 365 requires specifying the auth method:
 
 ```console
 
@@ -586,40 +719,53 @@ prowler m365 --browser-auth --tenant-id "XXXXXXXX"
 
 ```
 
-See more details about M365 Authentication in [Requirements](getting-started/requirements.md#microsoft-365)
+See more details about M365 Authentication in the [Requirements](getting-started/requirements.md#microsoft-365) section.
 
 #### GitHub
 
-Prowler allows you to scan your GitHub account, including your repositories, organizations or applications.
+Prowler enables security scanning of your **GitHub account**, including **Repositories**, **Organizations** and **Applications**.
 
-There are several supported login methods:
+- **Supported Authentication Methods**
 
-```console
-# Personal Access Token (PAT):
-prowler github --personal-access-token pat
+    Authenticate using one of the following methods:
 
-# OAuth App Token:
-prowler github --oauth-app-token oauth_token
+    ```console
+    # Personal Access Token (PAT):
+    prowler github --personal-access-token pat
 
-# GitHub App Credentials:
-prowler github --github-app-id app_id --github-app-key app_key
-```
+    # OAuth App Token:
+    prowler github --oauth-app-token oauth_token
 
-???+ note
-    If no login method is explicitly provided, Prowler will automatically attempt to authenticate using environment variables in the following order of precedence:
+    # GitHub App Credentials:
+    prowler github --github-app-id app_id --github-app-key app_key
+    ```
 
-      1. `GITHUB_PERSONAL_ACCESS_TOKEN`
-      2. `OAUTH_APP_TOKEN`
-      3. `GITHUB_APP_ID` and `GITHUB_APP_KEY`
+    ???+ note
+        If no login method is explicitly provided, Prowler will automatically attempt to authenticate using environment variables in the following order of precedence:
+
+        1. `GITHUB_PERSONAL_ACCESS_TOKEN`
+        2. `OAUTH_APP_TOKEN`
+        3. `GITHUB_APP_ID` and `GITHUB_APP_KEY`
 
 #### Infrastructure as Code (IaC)
 
-Prowler's Infrastructure as Code (IaC) provider enables you to scan local infrastructure code for security and compliance issues using [Checkov](https://www.checkov.io/). This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment.
+Prowler's Infrastructure as Code (IaC) provider enables you to scan local or remote infrastructure code for security and compliance issues using [Checkov](https://www.checkov.io/). This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment.
 
 ```console
 # Scan a directory for IaC files
 prowler iac --scan-path ./my-iac-directory
 
+# Scan a remote GitHub repository (public or private)
+prowler iac --scan-repository-url https://github.com/user/repo.git
+
+# Authenticate to a private repo with GitHub username and PAT
+prowler iac --scan-repository-url https://github.com/user/repo.git \
+  --github-username <username> --personal-access-token <token>
+
+# Authenticate to a private repo with OAuth App Token
+prowler iac --scan-repository-url https://github.com/user/repo.git \
+  --oauth-app-token <oauth_token>
+
 # Specify frameworks to scan (default: all)
 prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes
 
@@ -628,11 +774,14 @@ prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/tes
 ```
 
 ???+ note
-    - The IaC provider does not require cloud authentication
-    - It is ideal for CI/CD pipelines and local development environments
+    - `--scan-path` and `--scan-repository-url` are mutually exclusive; only one can be specified at a time.
+    - For remote repository scans, authentication can be provided via CLI flags or environment variables (`GITHUB_OAUTH_APP_TOKEN`, `GITHUB_USERNAME`, `GITHUB_PERSONAL_ACCESS_TOKEN`). CLI flags take precedence.
+    - The IaC provider does not require cloud authentication for local scans.
+    - It is ideal for CI/CD pipelines and local development environments.
     - For more details on supported frameworks and rules, see the [Checkov documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html)
 
 See more details about IaC scanning in the [IaC Tutorial](tutorials/iac/getting-started-iac.md) section.
 
 ## Prowler v2 Documentation
-For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).
+
+For **Prowler v2 Documentation**, refer to the [official repository](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).

docs/troubleshooting.md

@@ -12,3 +12,34 @@
 
 
 See section [Logging](./tutorials/logging.md) for further information or [contact us](./contact.md).
+
+## Common Issues with Docker Compose Installation
+
+- **Problem adding AWS Provider using "Connect assuming IAM Role" in Docker (see [GitHub Issue #7745](https://github.com/prowler-cloud/prowler/issues/7745))**:
+
+    When running Prowler App via Docker, you may encounter errors such as `Provider not set`, `AWS assume role error - Unable to locate credentials`, or `Provider has no secret` when trying to add an AWS Provider using the "Connect assuming IAM Role" option. This typically happens because the container does not have access to the necessary AWS credentials or profiles.
+
+    **Workaround:**
+
+      - Ensure your AWS credentials and configuration are available to the Docker container. You can do this by mounting your local `.aws` directory into the container. For example, in your `docker-compose.yaml`, add the following volume to the relevant services:
+
+      ```yaml
+      volumes:
+        - "${HOME}/.aws:/home/prowler/.aws:ro"
+      ```
+      This should be added to the `api`, `worker`, and `worker-beat` services.
+
+    - Create or update your `~/.aws/config` and `~/.aws/credentials` files with the appropriate profiles and roles. For example:
+
+      ```ini
+      [profile prowler-profile]
+      role_arn = arn:aws:iam::<account-id>:role/ProwlerScan
+      source_profile = default
+      ```
+      And set the environment variable in your `.env` file:
+
+      ```env
+      AWS_PROFILE=prowler-profile
+      ```
+
+    - If you are scanning multiple AWS accounts, you may need to add multiple profiles to your AWS config. Note that this workaround is mainly for local testing; for production or multi-account setups, follow the [CloudFormation Template guide](https://github.com/prowler-cloud/prowler/issues/7745) and ensure the correct IAM roles and permissions are set up in each account.

docs/tutorials/aws/authentication.md

@@ -1,6 +1,10 @@
-# AWS Authentication
+# AWS Authentication in Prowler
 
-Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
+Proper authentication is required for Prowler to perform security checks across AWS resources. Ensure that AWS-CLI is correctly configured or manually declare AWS credentials before running scans.
+
+## Configure AWS Credentials
+
+Use one of the following methods to authenticate:
 
 ```console
 aws configure
@@ -14,25 +18,32 @@ export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
 export AWS_SESSION_TOKEN="XXXXXXXXX"
 ```
 
-Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
+These credentials must be associated with a user or role with the necessary permissions to perform security checks. 
 
-  - `arn:aws:iam::aws:policy/SecurityAudit`
-  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
+## Assign Required AWS Permissions
+To ensure full functionality, attach the following AWS managed policies to the designated user or role:
+
+- `arn:aws:iam::aws:policy/SecurityAudit`
+- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
 ???+ note
-    Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+    Some security checks require read-only additional permissions. Attach the following custom policies to the role: [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json). If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure to also attach the custom policy: [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
 
+## AWS Profiles and Service Scanning in Prowler
 
-## Profiles
+Prowler supports authentication and security assessments using custom AWS profiles and can optionally scan unused services.
+
+**Using Custom AWS Profiles**
+
+Prowler allows you to specify a custom AWS profile using the following command:
 
-Prowler can use your custom AWS Profile with:
 ```console
 prowler aws -p/--profile <profile_name>
 ```
 
-## Multi-Factor Authentication
+## Multi-Factor Authentication (MFA)
 
-If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
+If MFA enforcement is required for your IAM entity, you can use `--mfa`. Prowler will prompt you to enter the following in order to get a new session:
 
 - ARN of your MFA device
 - TOTP (Time-Based One-Time Password)

docs/tutorials/aws/boto3-configuration.md

@@ -1,45 +1,52 @@
-# Boto3 Retrier Configuration
+# Boto3 Retrier Configuration in Prowler
 
-Prowler's AWS Provider uses the Boto3 [Standard](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html) retry mode to assist in retrying client calls to AWS services when these kinds of errors or exceptions are experienced. This mode includes the following behaviours:
+Prowler's AWS Provider leverages Boto3's [Standard](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html) retry mode to automatically retry client calls to AWS services when encountering errors or exceptions.
 
-- A default value of 3 for maximum retry attempts. This can be overwritten with the `--aws-retries-max-attempts 5` argument.
+## Retry Behavior Overview
 
-- Retry attempts for an expanded list of errors/exceptions:
-    ```
-    # Transient errors/exceptions
-    RequestTimeout
-    RequestTimeoutException
-    PriorRequestNotComplete
-    ConnectionError
-    HTTPClientError
+Boto3's Standard retry mode includes the following mechanisms:
 
-    # Service-side throttling/limit errors and exceptions
-    Throttling
-    ThrottlingException
-    ThrottledException
-    RequestThrottledException
-    TooManyRequestsException
-    ProvisionedThroughputExceededException
-    TransactionInProgressException
-    RequestLimitExceeded
-    BandwidthLimitExceeded
-    LimitExceededException
-    RequestThrottled
-    SlowDown
-    EC2ThrottledException
-    ```
+- Maximum Retry Attempts: Default value set to 3, configurable via the `--aws-retries-max-attempts 5` argument.
 
-- Retry attempts on nondescriptive, transient error codes. Specifically, these HTTP status codes: 500, 502, 503, 504.
+- Expanded Error Handling: Retries occur for a comprehensive set of errors.
 
-- Any retry attempt will include an exponential backoff by a base factor of 2 for a maximum backoff time of 20 seconds.
+  ```
+  # *Transient Errors/Exceptions*
+  The retrier handles various temporary failures:
+  RequestTimeout
+  RequestTimeoutException
+  PriorRequestNotComplete
+  ConnectionError
+  HTTPClientError
 
-## Notes for validating retry attempts
+  # *Service-Side Throttling and Limit Errors*
+  Retries occur for service-imposed rate limits and resource constraints:
+  Throttling
+  ThrottlingException
+  ThrottledException
+  RequestThrottledException
+  TooManyRequestsException
+  ProvisionedThroughputExceededException
+  TransactionInProgressException
+  RequestLimitExceeded
+  BandwidthLimitExceeded
+  LimitExceededException
+  RequestThrottled
+  SlowDown
+  EC2ThrottledException
+  ```
 
-If you are making changes to Prowler, and want to validate if requests are being retried or given up on, you can take the following approach
+- Nondescriptive Transient Error Codes: The retrier applies retry logic to standard HTTP status codes signaling transient errors: 500, 502, 503, 504.
+
+- Exponential Backoff Strategy: Each retry attempt follows exponential backoff with a base factor of 2, ensuring progressive delay between retries. Maximum backoff time: 20 seconds
+
+## Validating Retry Attempts
+
+For testing or modifying Prowler's behavior, use the following steps to confirm whether requests are being retried or abandoned:
 
 * Run prowler with `--log-level DEBUG` and `--log-file debuglogs.txt`
 * Search for retry attempts using `grep -i 'Retry needed' debuglogs.txt`
 
-This is based off of the [AWS documentation](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html#checking-retry-attempts-in-your-client-logs), which states that if a retry is performed, you will see a message starting with "Retry needed".
+This approach follows the [AWS documentation](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html#checking-retry-attempts-in-your-client-logs), which states that if a retry is performed, a message starting with "Retry needed” will be prompted.
 
-You can determine the total number of calls made using `grep -i 'Sending http request' debuglogs.txt | wc -l`
+It is possible to determine the total number of calls made using `grep -i 'Sending http request' debuglogs.txt | wc -l`

docs/tutorials/aws/cloudshell.md

@@ -1,7 +1,11 @@
-# AWS CloudShell
+# Installing Prowler in AWS CloudShell
+
+## Following the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023
+
+AWS CloudShell has migrated from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [[2]](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html). With this transition, Python 3.9 is now included by default in AL2023, eliminating the need for manual compilation.
+
+To install Prowler v4 in AWS CloudShell, follow the standard installation method using pip:
 
-## Installation
-After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [[2]](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html), there is no longer a need to manually compile Python 3.9 as it's already included in AL2023. Prowler can thus be easily installed following the Generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:
 ```shell
 sudo bash
 adduser prowler
@@ -11,13 +15,20 @@ cd /tmp
 prowler aws
 ```
 
-## Download Files
+## Downloading Files from AWS CloudShell
 
-To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like `/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv`
+To download results from AWS CloudShell:
 
-## Clone Prowler from Github
+- Select Actions → Download File.
+
+- Specify the full file path of each file you wish to download. For example, downloading a CSV file would require providing its complete path, as in: `/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv`
+
+## Cloning Prowler from GitHub
+
+Due to the limited storage in AWS CloudShell's home directory, installing Poetry dependencies for running Prowler from GitHub can be problematic.
+
+The following workaround ensures successful installation:
 
-The limited storage that AWS CloudShell provides for the user's home directory causes issues when installing the poetry dependencies to run Prowler from GitHub. Here is a workaround:
 ```shell
 sudo bash
 adduser prowler
@@ -31,8 +42,8 @@ eval $(poetry env activate)
 poetry install
 python prowler-cli.py -v
 ```
-> [!IMPORTANT]
-> Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
->
-> If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment.
-> In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
+
+???+ important
+    Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+
+    If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment. For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

docs/tutorials/aws/multiaccount.md

@@ -1,34 +1,39 @@
-# Scan Multiple AWS Accounts
+# Scanning Multiple AWS Accounts with Prowler
 
-Prowler can scan multiple accounts when it is executed from one account that can assume a role in those given accounts to scan using [Assume Role feature](role-assumption.md) and [AWS Organizations integration feature](organizations.md).
+Prowler enables security scanning across multiple AWS accounts by utilizing the  [Assume Role feature](role-assumption.md) and [integration with AWS Organizations feature](organizations.md).
 
+This approach allows execution from a single account with permissions to assume roles in the target accounts.
 
-## Scan multiple specific accounts sequentially
+## Scanning Multiple Accounts Sequentially
 
-- Declare a variable with all the accounts to scan:
+To scan specific accounts one at a time:
+
+- Define a variable containing the AWS account IDs to be scanned:
 
 ```
 ACCOUNTS_LIST='11111111111 2222222222 333333333'
 ```
 
-- Then run Prowler to assume a role (change `<role_name>` below to yours, that must be the same in all accounts):
+- Run Prowler with an IAM role that exists in all target accounts: (replace the `<role_name>` with to yours, that is to be consistent throughout all accounts):
 
 ```
 ROLE_TO_ASSUME=<role_name>
-  for accountId in $ACCOUNTS_LIST; do
-  prowler aws --role arn:aws:iam::$accountId:role/$ROLE_TO_ASSUME
+    for accountId in $ACCOUNTS_LIST; do
+    prowler aws --role arn:aws:iam::$accountId:role/$ROLE_TO_ASSUME
 done
 ```
 
-## Scan multiple specific accounts in parallel
+## Scanning Multiple Accounts in Parallel
 
-- Declare a variable with all the accounts to scan:
+- To scan multiple accounts simultaneously:
+
+Define the AWS accounts to be scanned with a variable:
 
 ```
 ACCOUNTS_LIST='11111111111 2222222222 333333333'
 ```
 
-- Then run Prowler to assume a role (change `<role_name>` below to yours, that must be the same in all accounts), in this example it will scan 3 accounts in parallel:
+- Run Prowler with an IAM role that exists in all target accounts: (replace the `<role_name>` with to yours, that is to be consistent throughout all accounts). The following example executes scanning across three accounts in parallel:
 
 ```
 ROLE_TO_ASSUME=<role_name>
@@ -41,25 +46,35 @@ for accountId in $ACCOUNTS_LIST; do
 done
 ```
 
-## Scan multiple accounts from AWS Organizations in parallel
+## Scanning Multiple AWS Organization Accounts in Parallel
 
-- Declare a variable with all the accounts to scan. To do so, get the list of your AWS accounts in your AWS Organization by running the following command (will create a variable with all your ACTIVE accounts). Remember to run that command with the permissions needed to get that information in your AWS Organizations Management account.
+Prowler enables parallel security scans across multiple AWS accounts within an AWS Organization.
+
+### Retrieve Active AWS Accounts
+
+To efficiently scan multiple accounts within an AWS Organization, follow these steps:
+
+- Step 1: Retrieve a List of Active Accounts
+
+First, declare a variable containing all active accounts in your AWS Organization. Run the following command in your AWS Organizations Management account, ensuring that you have the necessary permissions:
 
 ```
 ACCOUNTS_IN_ORG=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
 ```
 
-- Then run Prowler to assume a role (change `<role_name>` that must be the same in all accounts and `<management_organizations_account_id>` that must be your AWS Organizations management account ID):
+- Step 2: Run Prowler with Assumed Roles
+
+Use Prowler to assume roles across accounts in parallel. Modify <role_name> to match the role that exists in all accounts and <management_organizations_account_id> to your AWS Organizations Management account ID.
 
 ```
 ROLE_TO_ASSUME=<role_name>
 MGMT_ACCOUNT_ID=<management_organizations_account_id>
 PARALLEL_ACCOUNTS="3"
 for accountId in $ACCOUNTS_IN_ORG; do
-    test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
-    {
-        prowler aws --role arn:aws:iam::$accountId:role/$ROLE_TO_ASSUME \
-        --organizations-role arn:aws:iam::$MGMT_ACCOUNT_ID:role/$ROLE_TO_ASSUME
-    } &
+test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
+{
+    prowler aws --role arn:aws:iam::$accountId:role/$ROLE_TO_ASSUME \
+    --organizations-role arn:aws:iam::$MGMT_ACCOUNT_ID:role/$ROLE_TO_ASSUME
+} &
 done
 ```

docs/tutorials/aws/organizations.md

@@ -1,28 +1,39 @@
-# AWS Organizations
+# AWS Organizations in Prowler
 
-## Get AWS Account details from your AWS Organization
+## Retrieving AWS Account Details
 
-Prowler allows you to get additional information of the scanned account from AWS Organizations.
+If AWS Organizations is enabled, Prowler can fetch detailed account information during scans, including:
 
-If you have AWS Organizations enabled, Prowler can get your account details like account name, email, ARN, organization id and tags and you will have them next to every finding's output.
+- Account Name
+- Email Address
+- ARN
+- Organization ID
+- Tags
 
-In order to do that you can use the argument `-O`/`--organizations-role <organizations_role_arn>`. If this argument is not present Prowler will try to fetch that information automatically if the AWS account is a delegated administrator for the AWS Organization.
+These details will be included alongside each security finding in the output.
+
+### Enabling AWS Organizations Data Retrieval
+
+To retrieve AWS Organizations account details, use the `-O`/`--organizations-role <organizations_role_arn>` argument. If this argument is not provided, Prowler will attempt to fetch the data automatically—provided the AWS account is a delegated administrator for the AWS Organization.
 
 ???+ note
-    Refer [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) for more information about AWS Organizations delegated administrator.
+    For more information on AWS Organizations delegated administrator, refer to the official documentation [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html).
 
-See the following sample command:
+The following command is an example:
 
 ```shell
 prowler aws \
   -O arn:aws:iam::<management_organizations_account_id>:role/<role_name>
 ```
+
 ???+ note
-    Make sure the role in your AWS Organizations management account has the permissions `organizations:DescribeAccount` and `organizations:ListTagsForResource`.
+    Ensure the IAM role used in your AWS Organizations management account has the following permissions:`organizations:DescribeAccount` and `organizations:ListTagsForResource`.
 
 Prowler will scan the AWS account and get the account details from AWS Organizations.
 
-In the JSON output below you can see tags coded in base64 to prevent breaking CSV or JSON due to its format:
+### Handling JSON Output
+
+In Prowler’s JSON output, tags are encoded in Base64 to prevent formatting errors in CSV or JSON outputs. This ensures compatibility when exporting findings.
 
 ```json
   "Account Email": "my-prod-account@domain.com",
@@ -34,17 +45,17 @@ In the JSON output below you can see tags coded in base64 to prevent breaking CS
 
 The additional fields in CSV header output are as follows:
 
-- ACCOUNT_DETAILS_EMAIL
-- ACCOUNT_DETAILS_NAME
-- ACCOUNT_DETAILS_ARN
-- ACCOUNT_DETAILS_ORG
-- ACCOUNT_DETAILS_TAGS
+- ACCOUNT\_DETAILS\_EMAIL
+- ACCOUNT\_DETAILS\_NAME
+- ACCOUNT\_DETAILS\_ARN
+- ACCOUNT\_DETAILS\_ORG
+- ACCOUNT\_DETAILS\_TAGS
 
 ## Extra: Run Prowler across all accounts in AWS Organizations by assuming roles
 
-If you want to run Prowler across all accounts of AWS Organizations you can do this:
+### Running Prowler Across All AWS Organization Accounts
 
-1. First get a list of accounts that are not suspended:
+1. To run Prowler across all accounts in AWS Organizations, first retrieve a list of accounts that are not suspended:
 
     ```shell
     ACCOUNTS_IN_ORGS=$(aws organizations list-accounts \
@@ -65,5 +76,4 @@ If you want to run Prowler across all accounts of AWS Organizations you can do t
     ```
 
 ???+ note
-    Using the same for loop it can be scanned a list of accounts with a variable like:
-    </br>`ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+    This same loop structure can be adapted to scan a predefined list of accounts using a variable like the following: </br>`ACCOUNTS_LIST='11111111111 2222222222 333333333'`

docs/tutorials/aws/regions-and-partitions.md

@@ -7,62 +7,81 @@ By default Prowler is able to scan the following AWS partitions:
 - GovCloud (US): `aws-us-gov`
 
 ???+ note
-    To check the available regions for each partition and service please refer to the following document [aws_regions_by_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json)
+    To check the available regions for each partition and service, refer to: [aws\_regions\_by\_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json)
 
-It is important to take into consideration that to scan the China (`aws-cn`) or GovCloud (`aws-us-gov`) partitions it is either required to have a valid region for that partition in your AWS credentials or to specify the regions you want to audit for that partition using the `-f/--region` flag.
+## Scanning AWS China and GovCloud Partitions in Prowler
+
+When scanning the China (`aws-cn`) or GovCloud (`aws-us-gov`), ensure one of the following:
+
+- Your AWS credentials include a valid region within the desired partition.
+
+- Specify the regions to audit within that partition using the `-f/--region` flag.
 
 ???+ note
-    Please, refer to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credentials configuration.
+    Refer to: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credential configuration.
+
+### Scanning Specific Regions
+
+To scan a particular AWS region with Prowler, use:
 
-Prowler can scan specific region(s) with:
 ```console
 prowler aws -f/--region eu-west-1 us-east-1
 ```
 
-You can get more information about the available partitions and regions in the following [Botocore](https://github.com/boto/botocore) [file](https://github.com/boto/botocore/blob/22a19ea7c4c2c4dd7df4ab8c32733cba0c7597a4/botocore/data/partitions.json).
+### AWS Credentials Configuration
 
+For details on configuring AWS credentials, refer to the following [Botocore](https://github.com/boto/botocore) [file](https://github.com/boto/botocore/blob/22a19ea7c4c2c4dd7df4ab8c32733cba0c7597a4/botocore/data/partitions.json).
 
-## AWS China
+## Scanning AWS Partitions in Prowler
 
-To scan your AWS account in the China partition (`aws-cn`):
+### AWS China
+
+To scan an account in the AWS China partition (`aws-cn`):
+
+- By using the `-f/--region` flag:
+
+    ```
+    prowler aws --region cn-north-1 cn-northwest-1
+    ```
+
+- By using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:
+
+    ```
+    [default]
+    aws_access_key_id = XXXXXXXXXXXXXXXXXXX
+    aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
+    region = cn-north-1
+    ```
 
-- Using the `-f/--region` flag:
-```
-prowler aws --region cn-north-1 cn-northwest-1
-```
-- Using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:
-```
-[default]
-aws_access_key_id = XXXXXXXXXXXXXXXXXXX
-aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
-region = cn-north-1
-```
 ???+ note
-    With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
+    With this configuration, all partition regions will be scanned without needing the `-f/--region` flag
 
+### AWS GovCloud (US)
 
-## AWS GovCloud (US)
+To scan an account in the AWS GovCloud (US) partition (`aws-us-gov`):
 
-To scan your AWS account in the GovCloud (US) partition (`aws-us-gov`):
+- By using the `-f/--region` flag:
+
+    ```
+    prowler aws --region us-gov-east-1 us-gov-west-1
+    ```
+
+- By using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:
+
+    ```
+    [default]
+    aws_access_key_id = XXXXXXXXXXXXXXXXXXX
+    aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
+    region = us-gov-east-1
+    ```
 
-- Using the `-f/--region` flag:
-```
-prowler aws --region us-gov-east-1 us-gov-west-1
-```
-- Using the region configured in your AWS profile at `~/.aws/credentials` or `~/.aws/config`:
-```
-[default]
-aws_access_key_id = XXXXXXXXXXXXXXXXXXX
-aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
-region = us-gov-east-1
-```
 ???+ note
-    With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
+    With this configuration, all partition regions will be scanned without needing the `-f/--region` flag
 
+### AWS ISO (US \& Europe)
 
-## AWS ISO (US & Europe)
+The AWS ISO partitions—commonly referred to as "secret partitions"—are air-gapped from the Internet, and Prowler does not have a built-in way to scan them. To audit an AWS ISO partition, manually update [aws\_regions\_by\_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json) to include the partition, region, and services. For example:
 
-For the AWS ISO partitions, which are known as "secret partitions" and are air-gapped from the Internet, there is no builtin way to scan it. If you want to audit an AWS account in one of the AWS ISO partitions you should manually update the [aws_regions_by_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json) and include the partition, region and services, e.g.:
 ```json
 "iam": {
     "regions": {

docs/tutorials/aws/resource-arn-based-scan.md

@@ -1,9 +1,13 @@
-# Resource ARNs based Scan
+# Resource ARN-based Scanning
 
-Prowler allows you to scan only the resources with specific AWS Resource ARNs. This can be done with the flag `--resource-arn` followed by one or more [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) separated by space:
+Prowler enables scanning of resources based on specific AWS Resource ARNs.
+
+## Resource ARN-Based Scanning
+
+Prowler enables scanning of resources based on specific AWS Resource [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). To perform this scan, use the designated flag `--resource-arn` followed by one or more ARNs, separated by spaces.
 
 ```
 prowler aws --resource-arn arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678
 ```
 
-This example will only scan the two resources with those ARNs.
+Example: This configuration scans only the specified two resources using their ARNs.

docs/tutorials/aws/role-assumption.md

@@ -1,50 +1,74 @@
-# AWS Assume Role
+# AWS Assume Role in Prowler
 
-Prowler uses the AWS SDK (Boto3) underneath so it uses the same authentication methods.
+## Authentication Overview
 
-However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:
+Prowler leverages the AWS SDK (Boto3) for authentication, following standard AWS authentication methods.
 
-1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`.
- - An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
-- Alternatively, you could use the `source_profile` instead of `credential_source` to specify a separate named profile that contains IAM user credentials with permission to assume the target the role. More information can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
-```
-[profile crossaccountrole]
-role_arn = arn:aws:iam::234567890123:role/SomeRole
-credential_source = EcsContainer
-```
+### Running Prowler Against Multiple Accounts
 
-2. You can use `-R`/`--role <role_arn>` and Prowler will get those temporary credentials using `Boto3` and run against that given account.
-```sh
-prowler aws -R arn:aws:iam::<account_id>:role/<role_name>
-```
-- Optionally, the session duration (in seconds, by default 3600) and the external ID of this role assumption can be defined:
+To execute Prowler across multiple AWS accounts using IAM Assume Role, choose one of the following approaches:
 
-```sh
-prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
-```
+1. Custom Profile Configuration
 
-## Custom Role Session Name
+    Set up a custom profile inside `~/.aws/config` with the necessary role information.
+
+    Then call the profile using `prowler aws -p/--profile your-custom-profile`.
+
+    - Role-Chaining Example Profile The `credential_source` parameter can be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
+
+    - Using an Alternative Named Profile
+
+        Instead of the `credential_source` parameter, `source_profile` can be used to specify a separate named profile.
+
+        This profile must contain IAM user credentials with permissions to assume the target role. For additional details, refer to the AWS Assume Role documentation: [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
+
+        ```
+        [profile crossaccountrole]
+        role_arn = arn:aws:iam::234567890123:role/SomeRole
+        credential_source = EcsContainer
+        ```
+
+2. Using IAM Role Assumption in Prowler
+
+    To allow Prowler to retrieve temporary credentials by using `Boto3` and run assessments on the specified account, use the `-R`/`--role <role_arn>` flag.
+
+    ```sh
+    prowler aws -R arn:aws:iam::<account_id>:role/<role_name>
+    ```
+
+    **Defining Session Duration and External ID**
+
+    Optionally, specify the session duration (in seconds, default: 3600) and the external ID for role assumption:
+
+    ```sh
+    prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
+    ```
+
+## Custom Role Session Name in Prowler
+
+### Setting a Custom Session Name
+
+Prowler allows you to specify a custom Role Session name using the following flag:
 
-Prowler can use your custom Role Session name with:
 ```console
 prowler aws --role-session-name <role_session_name>
 ```
 
 ???+ note
-    It defaults to `ProwlerAssessmentSession`.
+    If not specified, it defaults to `ProwlerAssessmentSession`.
 
-## Role MFA
+## Role MFA Authentication
 
-If your IAM Role has MFA configured you can use `--mfa` along with  `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
+If your IAM Role is configured with Multi-Factor Authentication (MFA), use `--mfa` along with `-R`/`--role <role_arn>`. Prowler will prompt you to input the following values to obtain a temporary session for the IAM Role provided:
 
 - ARN of your MFA device
 - TOTP (Time-Based One-Time Password)
 
-## Create Role
+## Creating a Role for One or Multiple Accounts
 
-To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.
+To create an IAM role that can be assumed in one or multiple AWS accounts, use either a CloudFormation Stack or StackSet and adapt the provided [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml).
 
-???+ note "About Session Duration"
-    Depending on the amount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify _"Maximum CLI/API session duration"_ for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
+???+ note
+    **Session Duration Considerations**: Depending on the number of checks performed and the size of your infrastructure, Prowler may require more than 1 hour to complete. Use the `-T <seconds>` option to allow up to 12 hours (43,200 seconds). If you need more than 1 hour, modify the _“Maximum CLI/API session duration”_ setting for the role. Learn more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
 
-    Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
+    ⚠️ Important: If assuming roles via role chaining, there is a hard limit of 1 hour. Whenever possible, avoid role chaining to prevent session expiration issues. More details are available in footnote 1 below the table in the [AWS IAM guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).

docs/tutorials/aws/s3.md

@@ -1,12 +1,14 @@
-# Send report to AWS S3 Bucket
+# Sending Reports to an AWS S3 Bucket
 
-To save your report in an S3 bucket, use `-B`/`--output-bucket`.
+To save reports directly in an S3 bucket, use: `-B`/`--output-bucket`.
 
 ```sh
 prowler aws -B my-bucket
 ```
 
-If you can use a custom folder and/or filename, use `-o`/`--output-directory` and/or `-F`/`--output-filename`.
+### Custom Folder and Filename
+
+For a custom folder and/or filename, specify: `-o`/`--output-directory` and/or `-F`/`--output-filename`.
 
 ```sh
 prowler aws \
@@ -15,14 +17,16 @@ prowler aws \
         --output-filename output-filename
 ```
 
-By default Prowler sends HTML, JSON and CSV output formats, if you want to send a custom output format or a single one of the defaults you can specify it with the `-M`/`--output-modes` flag.
+### Custom Output Formats
+
+By default, Prowler sends HTML, JSON, and CSV output formats. To specify a single output format, use the `-M`/`--output-modes` flag.
 
 ```sh
 prowler aws -M csv -B my-bucket
 ```
 
-
 ???+ note
-    In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`.
+    If you prefer using the initial credentials instead of the assumed role credentials for uploading reports, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`.
+
 ???+ warning
-    Make sure that the used credentials have `s3:PutObject` permissions in the S3 path where the reports are going to be uploaded.
+    Ensure the credentials used have write permissions for the `s3:PutObject` where reports will be uploaded.

docs/tutorials/aws/securityhub.md

@@ -1,84 +1,92 @@
-# AWS Security Hub Integration
+# AWS Security Hub Integration with Prowler
 
-Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows **Prowler** to import its findings to AWS Security Hub.
+Prowler natively supports **official integration** with [AWS Security Hub](https://aws.amazon.com/security-hub), allowing security findings to be sent directly.  This integration enables **Prowler** to import its findings into AWS Security Hub.
 
+To activate the integration, follow these steps in at least one AWS region within your AWS account:
 
-Before sending findings, you will need to enable AWS Security Hub and the **Prowler** integration.
+## Enabling AWS Security Hub for Prowler Integration
 
-## Enable AWS Security Hub
+To enable the integration, follow these steps in **at least** one AWS region within your AWS account.
 
-To enable the integration you have to perform the following steps, in _at least_ one AWS region of a given AWS account, to enable **AWS Security Hub** and **Prowler** as a partner integration.
+Since **AWS Security Hub** is a region-based service, it must be activated in each region where security findings need to be collected.
 
-Since **AWS Security Hub** is a region based service, you will need to enable it in the region or regions you require. You can configure it using the AWS Management Console or the AWS CLI.
+**Configuration Options**
+
+AWS Security Hub can be enabled using either of the following methods:
 
 ???+ note
-    Take into account that enabling this integration will incur in costs in AWS Security Hub, please refer to its pricing [here](https://aws.amazon.com/security-hub/pricing/) for more information.
+    Enabling this integration incurs costs in AWS Security Hub. Refer to [this information](https://aws.amazon.com/security-hub/pricing/) for details.
 
 ### Using the AWS Management Console
 
-#### Enable AWS Security Hub
+#### Enabling AWS Security Hub for Prowler Integration
 
-If you have currently AWS Security Hub enabled you can skip to the [next section](#enable-prowler-integration).
+If AWS Security Hub is already enabled, you can proceed to the [next section](#enable-prowler-integration).
 
-1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+1. Enable AWS Security Hub via Console: Open the **AWS Security Hub** console: https://console.aws.amazon.com/securityhub/.
 
-2. When you open the Security Hub console for the first time make sure that you are in the region you want to enable, then choose **Go to Security Hub**.
-![](./img/enable.png)
+2. Ensure you are in the correct AWS region, then select “**Go to Security Hub**”. ![](./img/enable.png)
 
-3. On the next page, the Security standards section lists the security standards that Security Hub supports. Select the check box for a standard to enable it, and clear the check box to disable it.
+3. In the “Security Standards” section, review the supported security standards. Select the checkbox for each standard you want to enable, or clear it to disable a standard.
 
-4. Choose **Enable Security Hub**.
-![](./img/enable-2.png)
+4. Choose “**Enable Security Hub**”. ![](./img/enable-2.png)
 
-#### Enable Prowler Integration
+#### Enabling Prowler Integration in AWS Security Hub
 
-If you have currently the Prowler integration enabled in AWS Security Hub you can skip to the [next section](#send-findings) and start sending findings.
+If the Prowler integration is already enabled in AWS Security Hub, you can proceed to the [next section](#send-findings) and begin sending findings.
 
-Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your **AWS Security Hub**.
+Once **AWS Security Hub** is activated, **Prowler** must be enabled as partner integration to allow security findings to be sent to it.
 
-1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+1. Enabling AWS Security Hub via Console
+Open the **AWS Security Hub** console: https://console.aws.amazon.com/securityhub/.
 
-2. Select the **Integrations** tab in the right-side menu bar.
-![](./img/enable-partner-integration.png)
+2. Select the “**Integrations**” tab from the right-side menu bar. ![](./img/enable-partner-integration.png)
 
-3. Search for _Prowler_ in the text search box and the **Prowler** integration will appear.
+3. Search for “_Prowler_” in the text search box and the **Prowler** integration will appear.
 
-4. Once there, click on **Accept Findings** to allow **AWS Security Hub** to receive findings from **Prowler**.
-![](./img/enable-partner-integration-2.png)
+4. Click “**Accept Findings**” to authorize **AWS Security Hub** to receive findings from **Prowler**. ![](./img/enable-partner-integration-2.png)
 
-5. A new modal will appear to confirm that you are enabling the **Prowler** integration.
-![](./img/enable-partner-integration-3.png)
+5. A new modal will appear to confirm that the integration with **Prowler** is being enabled. ![](./img/enable-partner-integration-3.png)
 
-6. Right after click on **Accept Findings**, you will see that the integration is enabled in **AWS Security Hub**.
-![](./img/enable-partner-integration-4.png)
+6. Click “**Accept Findings**”, to authorize **AWS Security Hub** to receive findings from Prowler. ![](./img/enable-partner-integration-4.png)
 
-### Using the AWS CLI
+### Using AWS CLI
 
-To enable **AWS Security Hub** and the **Prowler** integration you have to run the following commands using the AWS CLI:
+To enable **AWS Security Hub** and integrate **Prowler**, execute the following AWS CLI commands:
+
+**Step 1: Enable AWS Security Hub**
+
+Run the following command to activate AWS Security Hub in the desired region:
 
 ```shell
 aws securityhub enable-security-hub --region <region>
 ```
-???+ note
-    For this command to work you will need the `securityhub:EnableSecurityHub` permission. You will need to set the AWS region where you want to enable AWS Security Hub.
 
-Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your AWS Security Hub. You have to run the following commands using the AWS CLI:
+???+ note
+    This command requires the `securityhub:EnableSecurityHub` permission. Ensure you set the correct AWS region where you want to enable AWS Security Hub.
+
+**Step 2: Enable Prowler Integration**
+
+Once **AWS Security Hub** is activated, **Prowler** must be enabled as partner integration to allow security findings to be sent to it. Run the following AWS CLI commands:
 
 ```shell
 aws securityhub enable-import-findings-for-product --region eu-west-1 --product-arn arn:aws:securityhub:<region>::product/prowler/prowler
 ```
+
 ???+ note
-    You will need to set the AWS region where you want to enable the integration and also the AWS region also within the ARN. For this command to work you will need the `securityhub:securityhub:EnableImportFindingsForProduct` permission.
+    Specify the AWS region where you want to enable the integration. Ensure the region is correctly set within the ARN value. This command requires the`securityhub:securityhub:EnableImportFindingsForProduct` permission.
 
+## Sending Findings to AWS Security Hub
 
-## Send Findings
-Once it is enabled, it is as simple as running the command below (for all regions):
+Once AWS Security Hub is enabled, findings can be sent using the following commands:
+
+For all regions:
 
 ```sh
 prowler aws --security-hub
 ```
 
-or for only one filtered region like eu-west-1:
+For a specific region (e.g., eu-west-1):
 
 ```sh
 prowler --security-hub --region eu-west-1
@@ -91,52 +99,60 @@ prowler --security-hub --region eu-west-1
 
     To have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
 
-### See you Prowler findings in AWS Security Hub
+### Viewing Prowler Findings in AWS Security Hub
 
-Once configured the **AWS Security Hub** in your next scan you will receive the **Prowler** findings in the AWS regions configured. To review those findings in **AWS Security Hub**:
+After enabling **AWS Security Hub**, findings from **Prowler** will be available in the configured AWS regions. Reviewing Prowler Findings in **AWS Security Hub**:
 
-1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+1. Enabling AWS Security Hub via Console
 
-2. Select the **Findings** tab in the right-side menu bar.
-![](./img/findings.png)
+    Open the **AWS Security Hub** console: https://console.aws.amazon.com/securityhub/.
 
-3. Use the search box filters and use the **Product Name** filter with the value _Prowler_ to see the findings sent from **Prowler**.
+2. Select the “**Findings**” tab from the right-side menu bar. ![](./img/findings.png)
 
-4. Then, you can click on the check **Title** to see the details and the history of a finding.
-![](./img/finding-details.png)
+3. Use the search box filters and apply the “**Product Name**” filter with the value _Prowler_ to display findings sent by **Prowler**.
 
-As you can see in the related requirements section, in the detailed view of the findings, **Prowler** also sends compliance information related to every finding.
+4. Click the check “**Title**” to access its detailed view, including its history and status. ![](./img/finding-details.png)
 
-## Send findings to Security Hub assuming an IAM Role
+#### Compliance Information
 
-When you are auditing a multi-account AWS environment, you can send findings to a Security Hub of another account by assuming an IAM role from that account using the `-R` flag in the Prowler command:
+As outlined in the Requirements section, the detailed view includes compliance details for each finding reported by **Prowler**.
+
+## Sending Findings to Security Hub with IAM Role Assumption
+
+### Multi-Account AWS Auditing
+
+When auditing a multi-account AWS environment, Prowler allows you to send findings to a Security Hub in another account by assuming an IAM role from that target account.
+
+#### Using an IAM Role to Send Findings
+
+To send findings to Security Hub, use the `-R` flag in the Prowler command:
 
 ```sh
 prowler --security-hub --role arn:aws:iam::123456789012:role/ProwlerExecutionRole
 ```
 
 ???+ note
-    Remember that the used role needs to have permissions to send findings to Security Hub. To get more information about the permissions required, please refer to the following IAM policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
+    The specified IAM role must have the necessary permissions to send findings to Security Hub. For details on the required permissions, refer to the IAM policy: [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
 
+## Sending Only Failed Findings to AWS Security Hub
 
-## Send only failed findings to Security Hub
-
-When using the **AWS Security Hub** integration you can send only the `FAIL` findings generated by **Prowler**. Therefore, the **AWS Security Hub** usage costs eventually would be lower. To follow that recommendation you could add the `--status FAIL` flag to the Prowler command:
+When using **AWS Security Hub** integration, **Prowler** allows sending only failed findings (`FAIL`), helping reduce **AWS Security Hub** usage costs. To enable this, add the `--status FAIL` flag to the Prowler command:
 
 ```sh
 prowler --security-hub --status FAIL
 ```
 
-You can use, instead of the `--status FAIL` argument, the `--send-sh-only-fails` argument to save all the findings in the Prowler outputs but just to send FAIL findings to AWS Security Hub:
+**Configuring Findings Output**
+
+Instead of using `--status FAIL`, the `--send-sh-only-fails` argument to store all findings in Prowler outputs while sending only FAIL findings to AWS Security:
 
 ```sh
 prowler --security-hub --send-sh-only-fails
 ```
 
-## Skip sending updates of findings to Security Hub
+## Skipping Updates for Findings in Security Hub
 
-By default, Prowler archives all its findings in Security Hub that have not appeared in the last scan.
-You can skip this logic by using the option `--skip-sh-update` so Prowler will not archive older findings:
+By default, Prowler archives any findings in Security Hub that were not detected in the latest scan. To prevent older findings from being archived, use the `--skip-sh-update` option:
 
 ```sh
 prowler --security-hub --skip-sh-update

docs/tutorials/aws/tag-based-scan.md

@@ -1,9 +1,9 @@
-# Tags-based Scan
+# Tag-based scan
 
-Prowler allows you to scan only the resources that contain specific tags. This can be done with the flag `--resource-tags` followed by the tags `Key=Value` separated by space:
+Prowler provides the capability to scan only resources containing specific tags. To execute this, use the designated flag `--resource-tags` followed by the tags `Key=Value`, separated by spaces.
 
 ```
 prowler aws --resource-tags Environment=dev Project=prowler
 ```
 
-This example will only scan the resources that contains both tags.
+This configuration scans only resources that contain both specified tags.

docs/tutorials/aws/threat-detection.md

@@ -1,28 +1,32 @@
-# Threat Detection
+# Threat Detection in AWS with Prowler
+
+Prowler enables threat detection in AWS by analyzing CloudTrail log records. To execute threat detection checks, use the following command:
 
-Prowler allows you to do threat detection in AWS based on the CloudTrail log records. To run checks related with threat detection use:
 ```
 prowler aws --category threat-detection
 ```
-This command will run these checks:
 
-* `cloudtrail_threat_detection_privilege_escalation` -> Detects privilege escalation attacks.
-* `cloudtrail_threat_detection_enumeration` -> Detects enumeration attacks.
-* `cloudtrail_threat_detection_llm_jacking` -> Detects LLM Jacking attacks.
+This command runs checks to detect:
+
+* `cloudtrail_threat_detection_privilege_escalation`: Privilege escalation attacks
+* `cloudtrail_threat_detection_enumeration`: Enumeration attacks
+* `cloudtrail_threat_detection_llm_jacking`: LLM Jacking attacks
 
 ???+ note
-    Threat Detection checks will be only executed using `--category threat-detection` flag due to performance.
+    Threat detection checks are executed only when the `--category threat-detection` flag is used, due to performance considerations.
 
-## Config File
+## Config File for Threat Detection
 
-If you want to manage the behavior of the Threat Detection checks you can edit `config.yaml` file from `/prowler/config`. In this file you can edit the following attributes related with Threat Detection:
+To manage the behavior of threat detection checks, edit the configuration file located in `config.yaml` file from `/prowler/config`. The following attributes can be modified, all related to threat detection:
 
-* `threat_detection_privilege_escalation_threshold`: determines the percentage of actions found to decide if it is an privilege_scalation attack event, by default is 0.2 (20%)
-* `threat_detection_privilege_escalation_minutes`: it is the past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
-* `threat_detection_privilege_escalation_actions`: these are the default actions related with privilege escalation.
-* `threat_detection_enumeration_threshold`: determines the percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
-* `threat_detection_enumeration_minutes`: it is the past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
-* `threat_detection_enumeration_actions`: these are the default actions related with enumeration attacks.
-* `threat_detection_llm_jacking_threshold`: determines the percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
-* `threat_detection_llm_jacking_minutes`: it is the past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
-* `threat_detection_llm_jacking_actions`: these are the default actions related with LLM Jacking attacks.
+* `threat_detection_privilege_escalation_threshold`: Defines the percentage of actions required to classify an event as a privilege escalation attack. Default: 0.2 (20%)
+* `threat_detection_privilege_escalation_minutes`: Specifies the time window (in minutes) to search for privilege escalation attack patterns. Default: 1440 minutes (24 hours).
+* `threat_detection_privilege_escalation_actions`: Lists the default actions associated with privilege escalation attacks.
+* `threat_detection_enumeration_threshold`: Defines the percentage of actions required to classify an event as an enumeration attack. Default: 0.3 (30%)
+* `threat_detection_enumeration_minutes`: Specifies the time window (in minutes) to search for enumeration attack patterns. Default: 1440 minutes (24 hours).
+* `threat_detection_enumeration_actions`: Lists the default actions associated with enumeration attacks.
+* `threat_detection_llm_jacking_threshold`: Defines the percentage of actions required to classify an event as LLM jacking attack. Default: 0.4 (40%)
+* `threat_detection_llm_jacking_minutes`: Specifies the time window (in minutes) to search for LLM jacking attack patterns. Default: 1440 minutes (24 hours).
+* `threat_detection_llm_jacking_actions`: Lists the default actions associated with LLM jacking attacks.
+
+Modify these attributes in the configuration file to fine-tune threat detection checks based on your security requirements.

docs/tutorials/aws/v2_to_v3_checks_mapping.md

@@ -1,8 +1,8 @@
-# Check mapping between Prowler v4/v3 and v2
+# Check Mapping Prowler v4/v3 to v2
 
-Prowler v3 and v4 comes with different identifiers but we maintained the same checks that were implemented in v2. The reason for this change is because in previous versions of Prowler, check names were mostly based on CIS Benchmark for AWS. In v4 and v3 all checks are independent from any security framework and they have its own name and ID.
+Prowler v3 and v4 introduce distinct identifiers while preserving the checks originally implemented in v2. This change was made because, in previous versions, check names were primarily derived from the CIS Benchmark for AWS. Starting with v3 and v4, all checks are independent of any security framework and have unique names and IDs.
 
-If you need more information about how new compliance implementation works in Prowler v4 and v3 see [Compliance](../compliance.md) section.
+For more details on the updated compliance implementation in Prowler v4 and v3, refer to the [Compliance](../compliance.md) section.
 
 ```
 checks_v4_v3_to_v2_mapping = {
@@ -17,7 +17,7 @@ checks_v4_v3_to_v2_mapping = {
     "apigateway_restapi_public": "extra745",
     "apigateway_restapi_logging_enabled": "extra722",
     "apigateway_restapi_waf_acl_attached": "extra744",
-    "apigatewayv2_api_access_logging_enabled": "extra7156",
+    “apigatewayv2_api_access_logging_enabled": "extra7156",
     "apigatewayv2_api_authorizers_enabled": "extra7157",
     "appstream_fleet_default_internet_access_disabled": "extra7193",
     "appstream_fleet_maximum_session_duration": "extra7190",

docs/tutorials/azure/authentication.md

@@ -1,27 +1,28 @@
-# Azure authentication
+# Azure Authentication in Prowler
 
-By default Prowler uses Azure Python SDK identity package authentication methods using the classes `DefaultAzureCredential` and `InteractiveBrowserCredential`.
-This allows Prowler to authenticate against azure using the following methods:
+By default, Prowler utilizes the Azure Python SDK identity package for authentication, leveraging the classes `DefaultAzureCredential` and `InteractiveBrowserCredential`. This enables authentication against Azure using the following approaches:
 
-- Service principal authentication by environment variables (Enterprise Application)
-- Current AZ CLI credentials stored
+- Service principal authentication via environment variables (Enterprise Application)
+- Currently stored AZ CLI credentials
 - Interactive browser authentication
 - Managed identity authentication
 
-To launch the tool it is required to specify which method is used through the following flags:
+Before launching the tool, specify the desired method using the following flags:
 
 ```console
-# To use service principal authentication
+# Service principal authentication:
 prowler azure --sp-env-auth
 
-# To use az cli authentication
+# AZ CLI authentication
 prowler azure --az-cli-auth
 
-# To use browser authentication
+# Browser authentication
 prowler azure --browser-auth --tenant-id "XXXXXXXX"
 
-# To use managed identity auth
+# Managed identity authentication
 prowler azure --managed-identity-auth
 ```
 
-To use Prowler you need to set up also the permissions required to access your resources in your Azure account, to more details refer to [Requirements](../../getting-started/requirements.md)
+## Permission Configuration
+
+To ensure Prowler can access the required resources within your Azure account, proper permissions must be configured. Refer to the [Requirements](../../getting-started/requirements.md) section for details on setting up necessary privileges.

docs/tutorials/azure/create-prowler-service-principal.md

@@ -1,79 +1,100 @@
-# How to create Prowler Service Principal Application
+# Creating a Prowler Service Principal Application
 
-To allow Prowler assume an identity to start the scan with the required privileges is necesary to create a Service Principal. This Service Principal is going to be used to authenticate against Azure and retrieve the metadata needed to perform the checks.
+To enable Prowler to assume an identity for scanning with the required privileges, a Service Principal must be created. This Service Principal authenticates against Azure and retrieves necessary metadata for checks.
 
-To create a Service Principal Application you can use the Azure Portal or the Azure CLI.
+### Methods for Creating a Service Principal
 
-## From Azure Portal / Entra Admin Center
+Service Principal Applications can be created using either the Azure Portal or the Azure CLI.
 
-1. Access to Microsoft Entra ID
-2. In the left menu bar, go to "App registrations"
-3. Once there, in the menu bar click on "+ New registration" to register a new application
-4. Fill the "Name, select the "Supported account types" and click on "Register. You will be redirected to the applications page.
-5. Once in the application page, in the left menu bar, select "Certificates & secrets"
-6. In the "Certificates & secrets" view, click on "+ New client secret"
-7. Fill the "Description" and "Expires" fields and click on "Add"
-8. Copy the value of the secret, it is going to be used as `AZURE_CLIENT_SECRET` environment variable.
+## Creating a Service Principal via Azure Portal / Entra Admin Center
 
-![Register an Application page](../img/create-sp.gif)
+1. Access Microsoft Entra ID.
+2. In the left menu bar, navigate to **"App registrations"**.
+3. Click **"+ New registration"** in the menu bar to register a new application
+4. Fill the **"Name"**, select the **"Supported account types"** and click **"Register"**. You will be redirected to the applications page.
+5. In the left menu bar, select **"Certificates & secrets"**.
+6. Under the **"Certificates & secrets"** view, click **"+ New client secret"**.
+7. Fill the **"Description"** and **"Expires"** fields, then click **"Add"**.
+8. Copy the secret value, as it will be used as `AZURE_CLIENT_SECRET` environment variable.
+
+![Registering an Application in Azure CLI for Prowler](../img/create-sp.gif)
 
 ## From Azure CLI
 
-To create a Service Principal using the Azure CLI, follow the next steps:
+### Creating a Service Principal
 
-1. Open a terminal and execute the following command to create a new Service Principal application:
-```console
-az ad sp create-for-rbac --name "ProwlerApp"
-```
-2. The output of the command is going to be similar to the following:
-```json
-{
-"appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-"displayName": "ProwlerApp",
-"password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
-"tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-}
-```
-3. Save the values of `appId`, `password` and `tenant` to be used as credentials in Prowler.
+To create a Service Principal using the Azure CLI, follow these steps:
 
-# Assigning the proper permissions
+1. Open a terminal and execute the following command:
 
-To allow Prowler to retrieve metadata from the identity assumed and run specific Entra checks, it is needed to assign the following permissions:
+      ```console
+      az ad sp create-for-rbac --name "ProwlerApp"
+      ```
 
-- `Domain.Read.All`
+2. The output will be similar to:
+
+      ```json
+      {
+      "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+      "displayName": "ProwlerApp",
+      "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+      "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+      }
+      ```
+
+3. Save the values of `appId`, `password` and `tenant`, as they will be used as credentials in Prowler.
+
+## Assigning Proper Permissions
+
+To allow Prowler to retrieve metadata from the assumed identity and run Entra checks, assign the following permissions:
+
+- `Directory.Read.All`
 - `Policy.Read.All`
 - `UserAuthenticationMethod.Read.All` (used only for the Entra checks related with multifactor authentication)
 
-To assign the permissions you can make it from the Azure Portal or using the Azure CLI.
+Permissions can be assigned via the Azure Portal or the Azure CLI.
 
 ???+ note
-    Once you have created and assigned the proper Entra permissions to the application, you can go to this [tutorial](../azure/subscriptions.md) to add the subscription permissions to the application and start scanning your resources.
+      After creating and assigning the necessary Entra permissions, follow this [tutorial](../azure/subscriptions.md) to add subscription permissions to the application and start scanning your resources.
 
-## From Azure Portal
+### Assigning the Reader Role in Azure Portal
+
+1. Access Microsoft Entra ID.
+
+2. In the left menu bar, navigate to “App registrations”.
+
+3. Select the created application.
+
+4. In the left menu bar, select “API permissions”.
+
+5. Click “+ Add a permission” and select “Microsoft Graph”.
+
+6. In the “Microsoft Graph” view, select “Application permissions”.
 
-1. Access to Microsoft Entra ID
-2. In the left menu bar, go to "App registrations"
-3. Once there, select the application that you have created
-4. In the left menu bar, select "API permissions"
-5. Then click on "+ Add a permission" and select "Microsoft Graph"
-6. Once in the "Microsoft Graph" view, select "Application permissions"
 7. Finally, search for "Directory", "Policy" and "UserAuthenticationMethod" select the following permissions:
+
     - `Domain.Read.All`
+
     - `Policy.Read.All`
+
     - `UserAuthenticationMethod.Read.All`
-8. Click on "Add permissions" to apply the new permissions.
-9. Finally, an admin should click on "Grant admin consent for [your tenant]" to apply the permissions.
 
+8. Click “Add permissions” to apply the new permissions.
 
-![EntraID Permissions](../../img/AAD-permissions.png)
+9. Finally, an admin must click “Grant admin consent for \[your tenant]” to apply the permissions.
 
-## From Azure CLI
+![Entra ID Permissions in Prowler](../../img/AAD-permissions.png)
 
-1. Open a terminal and execute the following command to assign the permissions to the Service Principal:
-```console
-az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role 246dd0d5-5bd0-4def-940b-0421030a5b68=Role 38d9df27-64da-44fd-b7c5-a6fbac20248f=Role
-```
-2. The admin consent is needed to apply the permissions, an admin should execute the following command:
-```console
-az ad app permission admin-consent --id {appId}
-```
+### From Azure CLI
+
+1. To grant permissions to a Service Principal, execute the following command in a terminal:
+
+      ```console
+      az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role 246dd0d5-5bd0-4def-940b-0421030a5b68=Role 38d9df27-64da-44fd-b7c5-a6fbac20248f=Role
+      ```
+
+2. Once the permissions are assigned, admin consent is required to finalize the changes. An administrator should run:
+
+      ```console
+      az ad app permission admin-consent --id {appId}
+      ```

docs/tutorials/azure/getting-started-azure.md

@@ -144,8 +144,8 @@ Assign the following Microsoft Graph permissions:
 
 6. Return to `Access control (IAM)` > `+ Add` > `Add role assignment`
 
-    - Assign the `Reader` role
-    - Then repeat and assign the custom `ProwlerRole`
+    - Assign the `Reader` role to the Application created in the previous step
+    - Then repeat the same process assigning the custom `ProwlerRole`
 
     ![Role Assignment](./img/add-role-assigment.png)
 

docs/tutorials/azure/subscriptions.md

@@ -1,134 +1,159 @@
-# Azure subscriptions scope
+# Azure Subscription Scope
 
-The main target for performing the scans in Azure is the subscription scope. Prowler needs to have the proper permissions to access the subscription and retrieve the metadata needed to perform the checks.
+Prowler performs security scans within the subscription scope in Azure. To execute checks, it requires appropriate permissions to access the subscription and retrieve necessary metadata.
 
-By default, Prowler is multi-subscription, which means that is going to scan all the subscriptions is able to list. If you only assign permissions to one subscription, it is going to scan a single one.
-Prowler also has the ability to limit the subscriptions to scan to a set passed as input argument, to do so:
+By default, Prowler operates multi-subscription, scanning all subscriptions it has permission to list. If permissions are granted for only a single subscription, Prowler will limit scans to that subscription.
+
+## Configuring Specific Subscription Scans in Prowler
+
+Additionally, Prowler supports restricting scans to specific subscriptions by passing a set of subscription IDs as an input argument. To configure this limitation, use the appropriate command options:
 
 ```console
 prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
 ```
 
-Where you can pass from 1 up to N subscriptions to be scanned.
+Prowler allows you to specify one or more subscriptions for scanning (up to N), enabling flexible audit configurations.
 
 ???+ warning
-    The multi-subscription feature is only available for the CLI, in the case of Prowler App is only possible to scan one subscription per scan.
+    The multi-subscription feature is available only in the CLI. In Prowler App, each scan is limited to a single subscription.
 
-## Assign the appropriate permissions to the identity that is going to be assumed by Prowler
+## Assigning Permissions for Subscription Scans
 
+To perform scans, ensure that the identity assumed by Prowler has the appropriate permissions.
 
-Regarding the subscription scope, Prowler, by default, scans all subscriptions it can access. Therefore, it is necessary to add a `Reader` role assignment for each subscription you want to audit. To make it easier and less repetitive to assign roles in environments with multiple subscriptions check the [following section](#recommendation-for-multiple-subscriptions).
+By default, Prowler scans all accessible subscriptions. If you need to audit specific subscriptions, you must assign the necessary role `Reader` for each one. For streamlined and less repetitive role assignments in multi-subscription environments, refer to the [following section](#recommendation-for-multiple-subscriptions).
 
-### From Azure Portal
+### Assigning the Reader Role in Azure Portal
 
-1. Access to the subscription you want to scan with Prowler.
-2. Select "Access control (IAM)" in the left menu.
-3. Click on "+ Add" and select "Add role assignment".
-4. In the search bar, type `Reader`, select it and click on "Next".
-5. In the Members tab, click on "+ Select members" and add the members you want to assign this role.
-6. Click on "Review + assign" to apply the new role.
+1. To grant Prowler access to scan a specific Azure subscription, follow these steps in Azure Portal:
+Navigate to the subscription you want to audit with Prowler.
 
-![Add reader role to subscription](../../img/add-reader-role.gif)
+2. In the left menu, select “Access control (IAM)”.
+
+3. Click “+ Add” and select “Add role assignment”.
+
+4. In the search bar, enter `Reader`, select it and click “Next”.
+
+5. In the “Members” tab, click “+ Select members”, then add the accounts to assign this role.
+
+6. Click “Review + assign” to finalize and apply the role assignment.
+
+![Adding the Reader Role to a Subscription](../../img/add-reader-role.gif)
 
 ### From Azure CLI
 
 1. Open a terminal and execute the following command to assign the `Reader` role to the identity that is going to be assumed by Prowler:
-```console
-az role assignment create --role "Reader" --assignee <user, group, or service principal> --scope /subscriptions/<subscription-id>
-```
+
+    ```console
+    az role assignment create --role "Reader" --assignee <user, group, or service principal> --scope /subscriptions/<subscription-id>
+    ```
+
 2. If the command is executed successfully, the output is going to be similar to the following:
-```json
-{
-    "condition": null,
-    "conditionVersion": null,
-    "createdBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "createdOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00",
-    "delegatedManagedIdentityResourceId": null,
-    "description": null,
-    "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleAssignments/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "name": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "principalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "principalName": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "principalType": "ServicePrincipal",
-    "roleDefinitionId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "roleDefinitionName": "Reader",
-    "scope": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "type": "Microsoft.Authorization/roleAssignments",
-    "updatedBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "updatedOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00"
-}
-```
+
+    ```json
+    {
+        "condition": null,
+        "conditionVersion": null,
+        "createdBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "createdOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00",
+        "delegatedManagedIdentityResourceId": null,
+        "description": null,
+        "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleAssignments/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "name": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "principalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "principalName": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "principalType": "ServicePrincipal",
+        "roleDefinitionId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "roleDefinitionName": "Reader",
+        "scope": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "type": "Microsoft.Authorization/roleAssignments",
+        "updatedBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "updatedOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00"
+    }
+    ```
 
 ### Prowler Custom Role
 
-Moreover, some additional read-only permissions not included in the built-in reader role are needed for some checks, for this kind of checks we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Once the custom role is created you can assign it in the same way as the `Reader` role.
+Some read-only permissions required for specific security checks are not included in the built-in Reader role. To support these checks, Prowler utilizes a custom role, defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Once created, this role can be assigned following the same process as the `Reader` role.
 
-The checks that needs the `ProwlerRole` can be consulted in the [requirements section](../../getting-started/requirements.md#checks-that-require-prowlerrole).
+The checks requiring this `ProwlerRole` can be found in the [requirements section](../../getting-started/requirements.md#checks-that-require-prowlerrole).
 
-#### Create ProwlerRole from Azure Portal
+#### Create ProwlerRole via Azure Portal
 
-1. Download the [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json) file and modify the `assignableScopes` field to be the subscription ID where the role assignment is going to be made, it should be shomething like `/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`.
-2. Access your subscription.
-3. Select "Access control (IAM)".
-4. Click on "+ Add" and select "Add custom role".
-5. In the "Baseline permissions" select "Start from JSON" and upload the file downloaded and modified in the step 1.
-7. Click on "Review + create" to create the new role.
+1. Download the [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json) file and modify the `assignableScopes` field to match the target subscription. Example format: `/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`.
 
-#### Create ProwlerRole from Azure CLI
+2. Access your Azure subscription.
 
-1. Open a terminal and execute the following command to create a new custom role:
-```console
-az role definition create --role-definition '{                                                                                                                   640ms  lun 16 dic 17:04:17 2024
-                     "Name": "ProwlerRole",
-                     "IsCustom": true,
-                     "Description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
-                     "AssignableScopes": [
-                       "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" // USE YOUR SUBSCRIPTION ID
-                     ],
-                     "Actions": [
-                       "Microsoft.Web/sites/host/listkeys/action",
-                       "Microsoft.Web/sites/config/list/Action"
-                     ]
-                   }'
-```
-3. If the command is executed successfully, the output is going to be similar to the following:
-```json
-{
-    "assignableScopes": [
-        "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
-    ],
-    "createdBy": null,
-    "createdOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00",
-    "description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
-    "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "name": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "permissions": [
-        {
-            "actions": [
-                "Microsoft.Web/sites/host/listkeys/action",
-                "Microsoft.Web/sites/config/list/Action"
-            ],
-            "condition": null,
-            "conditionVersion": null,
-            "dataActions": [],
-            "notActions": [],
-            "notDataActions": []
-        }
-    ],
-    "roleName": "ProwlerRole",
-    "roleType": "CustomRole",
-    "type": "Microsoft.Authorization/roleDefinitions",
-    "updatedBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
-    "updatedOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00"
-}
-```
+3. Select “Access control (IAM)”.
 
-## Recommendation for multiple subscriptions
+4. Click “+ Add” and select “Add custom role”.
 
-Scanning multiple subscriptions can be tedious due to the need to create and assign roles for each one. To simplify this process, we recommend using management groups to organize and audit subscriptions collectively with Prowler.
+5. Under “Baseline permissions”, select “Start from JSON” and upload the modified role file.
+
+6. Click “Review + create” to finalize the role creation.
+
+#### Create ProwlerRole via Azure CLI
+
+1. To create a new custom role, open a terminal and execute the following command:
+
+    ```console
+    az role definition create --role-definition '{                                                                                                                   640ms  lun 16 dic 17:04:17 2024
+                        "Name": "ProwlerRole",
+                        "IsCustom": true,
+                        "Description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
+                        "AssignableScopes": [
+                        "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" // USE YOUR SUBSCRIPTION ID
+                        ],
+                        "Actions": [
+                        "Microsoft.Web/sites/host/listkeys/action",
+                        "Microsoft.Web/sites/config/list/Action"
+                        ]
+                    }'
+    ```
+
+2. If the command is executed successfully, the output is going to be similar to the following:
+
+    ```json
+    {
+        "assignableScopes": [
+            "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+        ],
+        "createdBy": null,
+        "createdOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00",
+        "description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
+        "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "name": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Web/sites/host/listkeys/action",
+                    "Microsoft.Web/sites/config/list/Action"
+                ],
+                "condition": null,
+                "conditionVersion": null,
+                "dataActions": [],
+                "notActions": [],
+                "notDataActions": []
+            }
+        ],
+        "roleName": "ProwlerRole",
+        "roleType": "CustomRole",
+        "type": "Microsoft.Authorization/roleDefinitions",
+        "updatedBy": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+        "updatedOn": "YYYY-MM-DDTHH:MM:SS.SSSSSS+00:00"
+    }
+    ```
+
+## Recommendation for Managing Multiple Subscriptions
+
+Scanning multiple subscriptions requires creating and assigning roles for each, which can be a time-consuming process. To streamline subscription management and auditing, use management groups in Azure. This approach allows Prowler to efficiently organize and audit multiple subscriptions collectively.
 
 1. **Create a Management Group**: Follow the [official guide](https://learn.microsoft.com/en-us/azure/governance/management-groups/create-management-group-portal) to create a new management group.
-![Create management group](../../img/create-management-group.gif)
-2. **Add all roles**: Assign roles at to the new management group like in the [past section](#assign-the-appropriate-permissions-to-the-identity-that-is-going-to-be-assumed-by-prowler) but at the management group level instead of the subscription level.
-3. **Add subscriptions**: Add all the subscriptions you want to audit to the management group.
-![Add subscription to management group](../../img/add-sub-to-management-group.gif)
+
+    ![Create management group](../../img/create-management-group.gif)
+
+2. **Assign Roles**: Assign necessary roles to the management group, similar to the [role assignment process](#assign-the-appropriate-permissions-to-the-identity-that-is-going-to-be-assumed-by-prowler).
+
+    Role assignment should be done at the management group level instead of per subscription.
+
+3. **Add Subscriptions**: Add all subscriptions you want to audit to the newly created management group. ![Add Subscription to Management Group](../../img/add-sub-to-management-group.gif)

docs/tutorials/azure/use-non-default-cloud.md

@@ -1,14 +1,14 @@
-# Use non default Azure regions
+# Using Non-Default Azure Regions
 
-Microsoft provides clouds for compliance with regional laws, which are available for your use.
-By default, Prowler uses `AzureCloud` cloud which is the comercial one. (you can list all the available with `az cloud list --output table`).
+Microsoft offers cloud environments that comply with regional regulations. These clouds are available for use based on your requirements. By default, Prowler utilizes the commercial `AzureCloud` environment. (To list all available Azure clouds, use `az cloud list --output table`).
+
+As of this documentation's publication, the following Azure clouds are available:
 
-At the time of writing this documentation the available Azure Clouds from different regions are the following:
 - AzureCloud
 - AzureChinaCloud
 - AzureUSGovernment
 
-If you want to change the default one you must include the flag `--azure-region`, i.e.:
+To change the default cloud, include the flag `--azure-region`. For example:
 
 ```console
 prowler azure --az-cli-auth --azure-region AzureChinaCloud

docs/tutorials/check-aliases.md

@@ -1,6 +1,7 @@
 # Check Aliases
 
 Prowler allows you to use aliases for the checks. You only have to add the `CheckAliases` key to the check's metadata with a list of the aliases:
+
 ```json title="check.metadata.json"
 "Provider": "<provider>",
 "CheckID": "<check_id>",
@@ -12,7 +13,9 @@ Prowler allows you to use aliases for the checks. You only have to add the `Chec
 ],
 ...
 ```
-Then, you can execute the check either with its check ID or with one of the previous aliases:
+
+Then you can execute the check either with its check ID or with one of the previous aliases:
+
 ```shell
 prowler <provider> -c/--checks <check_alias_1>