Merge branch 'master' into aws-regions-update-175

feat(aws): update regions for AWS services
2026-06-10 13:32:44 +00:00 · 2026-03-23 14:27:21 +00:00 · 2026-03-09 09:13:11 +00:00
270 changed files with 2748 additions and 15256 deletions
@@ -78,9 +78,6 @@ TASK_RETRY_ATTEMPTS=5

 # Valkey settings
 # If running Valkey and celery on host, use localhost, else use 'valkey'
-VALKEY_SCHEME=redis
-VALKEY_USERNAME=
-VALKEY_PASSWORD=
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
 VALKEY_DB=0
@@ -117,10 +117,7 @@ runs:
        INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}

    - name: Comment scan results on PR
-      if: >-
-        inputs.create-pr-comment == 'true'
-        && github.event_name == 'pull_request'
-        && github.event.pull_request.head.repo.full_name == github.repository
+      if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
@@ -27,11 +27,6 @@ jobs:
      patch_version: ${{ steps.detect.outputs.patch_version }}
      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -84,11 +79,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -214,11 +204,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -32,16 +32,6 @@ jobs:
        working-directory: ./api

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            api.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -41,18 +41,6 @@ jobs:
          - 'python'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -18,6 +18,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
@@ -40,14 +43,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-
      - name: Calculate short SHA
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -59,14 +55,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -105,26 +94,6 @@ jobs:
      packages: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            _http._tcp.deb.debian.org:443
-            aka.ms:443
-            auth.docker.io:443
-            cdn.powershellgallery.com:443
-            dc.services.visualstudio.com:443
-            debian.map.fastlydns.net:80
-            files.pythonhosted.org:443
-            github.com:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            production.cloudflare.docker.com:443
-            pypi.org:443
-            registry-1.docker.io:443
-            release-assets.githubusercontent.com:443
-            www.powershellgallery.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -163,20 +132,8 @@ jobs:
    needs: [setup, container-build-push]
    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            release-assets.githubusercontent.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
      - name: Login to DockerHub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
@@ -227,14 +184,7 @@ jobs:
    needs: [setup, notify-release-started, container-build-push, create-manifest]
    runs-on: ubuntu-latest
    timeout-minutes: 5
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -277,13 +227,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
      - name: Trigger API deployment
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
@@ -27,13 +27,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -72,30 +65,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            debian.map.fastlydns.net:80
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
-            _http._tcp.deb.debian.org:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            get.trivy.dev:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -32,19 +32,6 @@ jobs:
        working-directory: ./api

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            pypi.org:443
-            files.pythonhosted.org:443
-            github.com:443
-            auth.safetycli.com:443
-            pyup.io:443
-            data.safetycli.com:443
-            api.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -22,9 +22,6 @@ env:
  POSTGRES_USER: prowler_user
  POSTGRES_PASSWORD: prowler
  POSTGRES_DB: postgres-db
-  VALKEY_SCHEME: redis
-  VALKEY_USERNAME: ""
-  VALKEY_PASSWORD: ""
  VALKEY_HOST: localhost
  VALKEY_PORT: 6379
  VALKEY_DB: 0
@@ -75,22 +72,6 @@ jobs:
          --health-retries 5

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            cli.codecov.io:443
-            keybase.io:443
-            ingest.codecov.io:443
-            storage.googleapis.com:443
-            o26192.ingest.us.sentry.io:443
-            api.github.com:443
-
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -27,15 +27,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            f27ab01db9584e008c443b7137d16425.apm.europe-west2.gcp.elastic-cloud.com:443
-            github.com:443
-
      - name: Check labels
        id: label_check
        uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
@@ -33,16 +33,6 @@ jobs:
      actions: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            api.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -19,11 +19,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Remove 'status/awaiting-response' label
        env:
          GH_TOKEN: ${{ github.token }}
@@ -25,11 +25,6 @@ jobs:
      pull-requests: read

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Check PR title format
        uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
        with:
@@ -22,11 +22,6 @@ jobs:
      issues: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Create backport label for minor releases
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -27,11 +27,6 @@ jobs:
      patch_version: ${{ steps.detect.outputs.patch_version }}
      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -84,11 +79,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -214,11 +204,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -22,15 +22,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -30,11 +30,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
@@ -23,11 +23,6 @@ jobs:
      packages: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
@@ -65,11 +65,6 @@ jobs:
      text: ${{ steps.compute-text.outputs.text }}
      title: ${{ steps.compute-text.outputs.title }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -134,11 +129,6 @@ jobs:
      output_types: ${{ steps.collect_output.outputs.output_types }}
      secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -869,11 +859,6 @@ jobs:
      tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
      total_count: ${{ steps.missing_tool.outputs.total_count }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -981,11 +966,6 @@ jobs:
    outputs:
      success: ${{ steps.parse_results.outputs.success }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -1090,11 +1070,6 @@ jobs:
    outputs:
      activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -1163,11 +1138,6 @@ jobs:
      process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
      process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
@@ -24,11 +24,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Apply labels to PR
        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
@@ -43,11 +38,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Check if author is org member
        id: check_membership
        env:
@@ -75,7 +65,7 @@ jobs:
            "RosaRivasProwler"
            "StylusFrost"
            "toniblyx"
-            "davidm4r"
+            "vicferpoy"
          )

          echo "Checking if $AUTHOR is a member of prowler-cloud organization"
@@ -17,6 +17,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
@@ -39,14 +42,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-
      - name: Calculate short SHA
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -58,14 +54,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -103,20 +92,6 @@ jobs:
      contents: read
      packages: write
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            files.pythonhosted.org:443
-            pypi.org:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -157,21 +132,8 @@ jobs:
    needs: [setup, container-build-push]
    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-
      - name: Login to DockerHub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
@@ -222,14 +184,7 @@ jobs:
    needs: [setup, notify-release-started, container-build-push, create-manifest]
    runs-on: ubuntu-latest
    timeout-minutes: 5
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -272,13 +227,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
      - name: Trigger MCP deployment
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
@@ -27,13 +27,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -71,23 +64,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            files.pythonhosted.org:443
-            pypi.org:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -26,11 +26,6 @@ jobs:
      major_version: ${{ steps.parse-version.outputs.major }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Parse and validate version
        id: parse-version
        run: |
@@ -64,18 +59,13 @@ jobs:
      url: https://pypi.org/project/prowler-mcp/

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
        with:
          enable-cache: false

@@ -28,14 +28,6 @@ jobs:
      MONITORED_FOLDERS: 'api ui prowler mcp_server'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -25,11 +25,6 @@ jobs:
      issues: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout PR head
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -23,13 +23,6 @@ jobs:
    permissions:
      contents: read
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
      - name: Calculate short commit SHA
        id: vars
        run: |
@@ -26,11 +26,6 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-      with:
-        egress-policy: audit
-
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
@@ -26,11 +26,6 @@ jobs:
      minor_version: ${{ steps.detect.outputs.minor_version }}
      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Detect release type and parse version
        id: detect
        run: |
@@ -71,11 +66,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -185,11 +175,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -19,13 +19,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -24,20 +24,12 @@ jobs:
    strategy:
      matrix:
        python-version:
+          - '3.9'
          - '3.10'
          - '3.11'
          - '3.12'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -48,16 +48,6 @@ jobs:
          - 'python'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -23,6 +23,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
@@ -56,19 +59,7 @@ jobs:
      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            dc.services.visualstudio.com:443
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -124,14 +115,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -170,27 +154,6 @@ jobs:
      packages: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            _http._tcp.deb.debian.org:443
-            aka.ms:443
-            api.ecr-public.us-east-1.amazonaws.com:443
-            auth.docker.io:443
-            cdn.powershellgallery.com:443
-            debian.map.fastlydns.net:80
-            files.pythonhosted.org:443
-            github.com:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            production.cloudflare.docker.com:443
-            public.ecr.aws:443
-            pypi.org:443
-            registry-1.docker.io:443
-            release-assets.githubusercontent.com:443
-            www.powershellgallery.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -233,24 +196,8 @@ jobs:
    needs: [setup, container-build-push]
    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.ecr-public.us-east-1.amazonaws.com:443
-            auth.docker.io:443
-            github.com:443
-            production.cloudflare.docker.com:443
-            public.ecr.aws:443
-            registry-1.docker.io:443
-            release-assets.githubusercontent.com:443
-
-
      - name: Login to DockerHub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
@@ -317,14 +264,7 @@ jobs:
    needs: [setup, notify-release-started, container-build-push, create-manifest]
    runs-on: ubuntu-latest
    timeout-minutes: 5
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -367,11 +307,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Calculate short SHA
        id: short-sha
        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -26,13 +26,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -71,29 +64,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            debian.map.fastlydns.net:80
-            release-assets.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
-            _http._tcp.deb.debian.org:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            get.trivy.dev:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -25,11 +25,6 @@ jobs:
      major_version: ${{ steps.parse-version.outputs.major }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Parse and validate version
        id: parse-version
        run: |
@@ -63,11 +58,6 @@ jobs:
      url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -101,11 +91,6 @@ jobs:
      url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -24,11 +24,6 @@ jobs:
      contents: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -22,11 +22,6 @@ jobs:
      contents: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -23,19 +23,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            pypi.org:443
-            files.pythonhosted.org:443
-            github.com:443
-            auth.safetycli.com:443
-            pyup.io:443
-            data.safetycli.com:443
-            api.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -24,41 +24,12 @@ jobs:
    strategy:
      matrix:
        python-version:
+          - '3.9'
          - '3.10'
          - '3.11'
          - '3.12'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            api.github.com:443
-            release-assets.githubusercontent.com:443
-            *.amazonaws.com:443
-            *.googleapis.com:443
-            schema.ocsf.io:443
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            o26192.ingest.us.sentry.io:443
-            management.azure.com:443
-            login.microsoftonline.com:443
-            keybase.io:443
-            ingest.codecov.io:443
-            graph.microsoft.com:443
-            dc.services.visualstudio.com:443
-            cloud.mongodb.com:443
-            cli.codecov.io:443
-            auth.docker.io:443
-            api.vercel.com:443
-            api.atlassian.com:443
-            aka.ms:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -45,19 +45,8 @@ jobs:
      has-sdk-tests: ${{ steps.set-flags.outputs.has-sdk-tests }}
      has-api-tests: ${{ steps.set-flags.outputs.has-api-tests }}
      has-ui-e2e: ${{ steps.set-flags.outputs.has-ui-e2e }}
-    permissions:
-      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -26,11 +26,6 @@ jobs:
      minor_version: ${{ steps.detect.outputs.minor_version }}
      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Detect release type and parse version
        id: detect
        run: |
@@ -71,11 +66,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -99,7 +89,7 @@ jobs:
        run: |
          set -e

-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -153,7 +143,7 @@ jobs:
        run: |
          set -e

-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -189,11 +179,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -223,7 +208,7 @@ jobs:
        run: |
          set -e

-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -44,16 +44,6 @@ jobs:
          - 'javascript-typescript'

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -17,6 +17,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
@@ -42,14 +45,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Calculate short SHA
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -61,14 +57,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -107,20 +96,6 @@ jobs:
      packages: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            auth.docker.io:443
-            registry.npmjs.org:443
-            dl-cdn.alpinelinux.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -156,21 +131,8 @@ jobs:
    needs: [setup, container-build-push]
    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            release-assets.githubusercontent.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-
      - name: Login to DockerHub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
@@ -221,14 +183,7 @@ jobs:
    needs: [setup, notify-release-started, container-build-push, create-manifest]
    runs-on: ubuntu-latest
    timeout-minutes: 5
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -271,13 +226,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
      - name: Trigger UI deployment
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
@@ -27,13 +27,6 @@ jobs:
      contents: read

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -72,24 +65,6 @@ jobs:
      pull-requests: write

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            registry.npmjs.org:443
-            dl-cdn.alpinelinux.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            get.trivy.dev:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -15,12 +15,13 @@ on:
      - 'ui/**'
      - 'api/**'  # API changes can affect UI E2E

+permissions:
+  contents: read
+
 jobs:
  # First, analyze which tests need to run
  impact-analysis:
    if: github.repository == 'prowler-cloud/prowler'
-    permissions:
-      contents: read
    uses: ./.github/workflows/test-impact-analysis.yml

  # Run E2E tests based on impact analysis
@@ -74,15 +75,8 @@ jobs:
      # Pass E2E paths from impact analysis
      E2E_TEST_PATHS: ${{ needs.impact-analysis.outputs.ui-e2e }}
      RUN_ALL_TESTS: ${{ needs.impact-analysis.outputs.run-all }}
-    permissions:
-      contents: read

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -163,7 +157,7 @@ jobs:
          node-version: '24.13.0'

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
        with:
          version: 10
          run_install: false
@@ -279,14 +273,7 @@ jobs:
      needs.impact-analysis.outputs.has-ui-e2e != 'true' &&
      needs.impact-analysis.outputs.run-all != 'true'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
      - name: No E2E tests needed
        run: |
          echo "## E2E Tests Skipped" >> $GITHUB_STEP_SUMMARY
@@ -29,18 +29,6 @@ jobs:
        working-directory: ./ui

    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry.npmjs.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            api.github.com:443
-            release-assets.githubusercontent.com:443
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -96,7 +84,7 @@ jobs:

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
        with:
          version: 10
          run_install: false
@@ -1,25 +0,0 @@
-rules:
-  secrets-outside-env:
-    ignore:
-      - api-bump-version.yml
-      - api-container-build-push.yml
-      - api-tests.yml
-      - backport.yml
-      - docs-bump-version.yml
-      - issue-triage.lock.yml
-      - mcp-container-build-push.yml
-      - pr-merged.yml
-      - prepare-release.yml
-      - sdk-bump-version.yml
-      - sdk-container-build-push.yml
-      - sdk-refresh-aws-services-regions.yml
-      - sdk-refresh-oci-regions.yml
-      - sdk-tests.yml
-      - ui-bump-version.yml
-      - ui-container-build-push.yml
-      - ui-e2e-tests-v2.yml
-  superfluous-actions:
-    ignore:
-      - pr-check-changelog.yml
-      - pr-conflict-checker.yml
-      - prepare-release.yml
@@ -140,7 +140,7 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,

 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.10+, Poetry |
+| SDK | `prowler/` | Python 3.9+, Poetry |
 | API | `api/` | Django 5.1, DRF, Celery |
 | UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
@@ -1,4 +1,4 @@
-FROM python:3.12.11-slim-bookworm@sha256:519591d6871b7bc437060736b9f7456b8731f1499a57e22e6c285135ae657bf7 AS build
+FROM python:3.12.11-slim-bookworm AS build

 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
@@ -241,7 +241,7 @@ pnpm start

 ## Prowler CLI
 ### Pip package
-Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >=3.10, <3.13:
+Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >3.9.1, <3.13:

 ```console
 pip install prowler
@@ -273,7 +273,7 @@ The container images are available here:

 ### From GitHub

-Python >=3.10, <3.13 is required with pip and Poetry:
+Python >3.9.1, <3.13 is required with pip and Poetry:

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -2,50 +2,16 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.24.0] (Prowler UNRELEASED)
-
-### 🚀 Added
-
- `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
-
-### 🔄 Changed
-
- Attack Paths: Periodic cleanup of stale scans with dead-worker detection via Celery inspect, marking orphaned `EXECUTING` scans as `FAILED` and recovering `graph_data_ready` [(#10387)](https://github.com/prowler-cloud/prowler/pull/10387)
- Attack Paths: Replace `_provider_id` property with `_Provider_{uuid}` label for provider isolation, add regex-based label injection for custom queries [(#10402)](https://github.com/prowler-cloud/prowler/pull/10402)
-
-### 🐞 Fixed
-
- Finding groups list/latest now apply computed status/severity filters and finding-level prefilters (delta, region, service, category, resource group, scan, resource type), plus `check_title` support for sort/filter consistency [(#10428)](https://github.com/prowler-cloud/prowler/pull/10428)
- Populate compliance data inside `check_metadata` for findings, which was always returned as `null` [(#10449)](https://github.com/prowler-cloud/prowler/pull/10449)
- 403 error for admin users listing tenants due to roles query not using the admin database connection [(#10460)](https://github.com/prowler-cloud/prowler/pull/10460)
- Filter transient Neo4j defunct connection logs in Sentry `before_send` to suppress false-positive alerts handled by `RetryableSession` retries [(#10452)](https://github.com/prowler-cloud/prowler/pull/10452)
- `MANAGE_ACCOUNT` permission no longer required for listing and creating tenants [(#10468)](https://github.com/prowler-cloud/prowler/pull/10468)
- Finding groups muted filter, counters, metadata extraction and mute reaggregation [(#10477)](https://github.com/prowler-cloud/prowler/pull/10477)
- Finding groups `check_title__icontains` resolution, `name__icontains` resource filter and `resource_group` field in `/resources` response [(#10486)](https://github.com/prowler-cloud/prowler/pull/10486)
- Membership `post_delete` signal using raw FK ids to avoid `DoesNotExist` during cascade deletions [(#10497)](https://github.com/prowler-cloud/prowler/pull/10497)
-
-### 🔐 Security
-
- Pin all unpinned dependencies to exact versions to prevent supply chain attacks and ensure reproducible builds [(#10469)](https://github.com/prowler-cloud/prowler/pull/10469)
-
---
-
-## [1.23.0] (Prowler v5.22.0)
-
-### 🚀 Added
-
- Finding groups support `check_title` substring filtering [(#10377)](https://github.com/prowler-cloud/prowler/pull/10377)
+## [1.23.0] (Prowler UNRELEASED)

 ### 🐞 Fixed

 - Finding groups latest endpoint now aggregates the latest snapshot per provider before check-level totals, keeping impacted resources aligned across providers [(#10419)](https://github.com/prowler-cloud/prowler/pull/10419)
 - Mute rule creation now triggers finding-group summary re-aggregation after historical muting, keeping stats in sync after mute operations [(#10419)](https://github.com/prowler-cloud/prowler/pull/10419)
- Attack Paths: Deduplicate nodes before ProwlerFinding lookup in Attack Paths Cypher queries, reducing execution time [(#10424)](https://github.com/prowler-cloud/prowler/pull/10424)

 ### 🔐 Security

 - Replace stdlib XML parser with `defusedxml` in SAML metadata parsing to prevent XML bomb (billion laughs) DoS attacks [(#10165)](https://github.com/prowler-cloud/prowler/pull/10165)
- Bump `flask` to 3.1.3 (CVE-2026-27205) and `werkzeug` to 3.1.6 (CVE-2026-27199) [(#10430)](https://github.com/prowler-cloud/prowler/pull/10430)

 ---

@@ -62,6 +28,7 @@ All notable changes to the **Prowler API** are documented in this file.
 ### 🚀 Added

 - `CORS_ALLOWED_ORIGINS` configurable via environment variable [(#10355)](https://github.com/prowler-cloud/prowler/pull/10355)
+- Finding groups support `check_title` substring filtering [(#10377)](https://github.com/prowler-cloud/prowler/pull/10377)
 - Attack Paths: Tenant and provider related labels to the nodes so they can be easily filtered on custom queries [(#10308)](https://github.com/prowler-cloud/prowler/pull/10308)

 ### 🔄 Changed
@@ -1,4 +1,4 @@
-FROM python:3.12.10-slim-bookworm@sha256:fd95fa221297a88e1cf49c55ec1828edd7c5a428187e67b5d1805692d11588db AS build
+FROM python:3.12.10-slim-bookworm AS build

 LABEL maintainer="https://github.com/prowler-cloud/api"

@@ -30,28 +30,9 @@ start_prod_server() {
  poetry run gunicorn -c config/guniconf.py config.wsgi:application
 }

-resolve_worker_hostname() {
-  TASK_ID=""
-
-  if [ -n "$ECS_CONTAINER_METADATA_URI_V4" ]; then
-    TASK_ID=$(wget -qO- --timeout=2 "${ECS_CONTAINER_METADATA_URI_V4}/task" | \
-      python3 -c "import sys,json; print(json.load(sys.stdin)['TaskARN'].split('/')[-1])" 2>/dev/null)
-  fi
-
-  if [ -z "$TASK_ID" ]; then
-    TASK_ID=$(python3 -c "import uuid; print(uuid.uuid4().hex)")
-  fi
-
-  echo "${TASK_ID}@$(hostname)"
-}
-
 start_worker() {
  echo "Starting the worker..."
-  poetry run python -m celery -A config.celery worker \
-    -n "$(resolve_worker_hostname)" \
-    -l "${DJANGO_LOGGING_LEVEL:-info}" \
-    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
-    -E --max-tasks-per-child 1
+  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans -E --max-tasks-per-child 1
 }

 start_worker_beat() {
@@ -2469,18 +2469,22 @@ toml = ["tomli ; python_full_version <= \"3.11.0a6\""]

 [[package]]
 name = "cron-descriptor"
-version = "1.4.5"
+version = "2.0.6"
 description = "A Python library that converts cron expressions into human readable strings."
 optional = false
-python-versions = "*"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "cron_descriptor-1.4.5-py3-none-any.whl", hash = "sha256:736b3ae9d1a99bc3dbfc5b55b5e6e7c12031e7ba5de716625772f8b02dcd6013"},
-    {file = "cron_descriptor-1.4.5.tar.gz", hash = "sha256:f51ce4ffc1d1f2816939add8524f206c376a42c87a5fca3091ce26725b3b1bca"},
+    {file = "cron_descriptor-2.0.6-py3-none-any.whl", hash = "sha256:3a1c0d837c0e5a32e415f821b36cf758eb92d510e6beff8fbfe4fa16573d93d6"},
+    {file = "cron_descriptor-2.0.6.tar.gz", hash = "sha256:e39d2848e1d8913cfb6e3452e701b5eec662ee18bea8cc5aa53ee1a7bb217157"},
 ]

+[package.dependencies]
+typing_extensions = "*"
+
 [package.extras]
-dev = ["polib"]
+dev = ["mypy", "polib", "ruff"]
+test = ["pytest"]

 [[package]]
 name = "crowdstrike-falconpy"
@@ -2707,6 +2711,24 @@ files = [
    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
 ]

+[[package]]
+name = "deprecated"
+version = "1.3.1"
+description = "Python @deprecated decorator to deprecate old python classes, functions or methods."
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,>=2.7"
+groups = ["main"]
+files = [
+    {file = "deprecated-1.3.1-py2.py3-none-any.whl", hash = "sha256:597bfef186b6f60181535a29fbe44865ce137a5079f295b479886c82729d5f3f"},
+    {file = "deprecated-1.3.1.tar.gz", hash = "sha256:b1b50e0ff0c1fddaa5708a2c6b0a6588bb09b892825ab2b214ac9ea9d92a5223"},
+]
+
+[package.dependencies]
+wrapt = ">=1.10,<3"
+
+[package.extras]
+dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "setuptools ; python_version >= \"3.12\"", "tox"]
+
 [[package]]
 name = "detect-secrets"
 version = "1.5.0"
@@ -2797,14 +2819,14 @@ bcrypt = ["bcrypt"]

 [[package]]
 name = "django-allauth"
-version = "65.15.0"
+version = "65.14.0"
 description = "Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication."
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "django_allauth-65.15.0-py3-none-any.whl", hash = "sha256:ad9fc49c49a9368eaa5bb95456b76e2a4f377b3c6862ee8443507816578c098d"},
-    {file = "django_allauth-65.15.0.tar.gz", hash = "sha256:b404d48cf0c3ee14dacc834c541f30adedba2ff1c433980ecc494d6cb0b395a8"},
+    {file = "django_allauth-65.14.0-py3-none-any.whl", hash = "sha256:448f5f7877f95fcbe1657256510fe7822d7871f202521a29e23ef937f3325a97"},
+    {file = "django_allauth-65.14.0.tar.gz", hash = "sha256:5529227aba2b1377d900e9274a3f24496c645e65400fbae3cad5789944bc4d0b"},
 ]

 [package.dependencies]
@@ -2827,20 +2849,20 @@ steam = ["python3-openid (>=3.0.8,<4)"]

 [[package]]
 name = "django-celery-beat"
-version = "2.9.0"
+version = "2.8.1"
 description = "Database-backed Periodic Tasks."
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "django_celery_beat-2.9.0-py3-none-any.whl", hash = "sha256:4a9e5ebe26d6f8d7215e1fc5c46e466016279dc102435a28141108649bdf2157"},
-    {file = "django_celery_beat-2.9.0.tar.gz", hash = "sha256:92404650f52fcb44cf08e2b09635cb1558327c54b1a5d570f0e2d3a22130934c"},
+    {file = "django_celery_beat-2.8.1-py3-none-any.whl", hash = "sha256:da2b1c6939495c05a551717509d6e3b79444e114a027f7b77bf3727c2a39d171"},
+    {file = "django_celery_beat-2.8.1.tar.gz", hash = "sha256:dfad0201c0ac50c91a34700ef8fa0a10ee098cc7f3375fe5debed79f2204f80a"},
 ]

 [package.dependencies]
 celery = ">=5.2.3,<6.0"
-cron-descriptor = ">=1.2.32,<2.0.0"
-Django = ">=2.2,<6.1"
+cron-descriptor = ">=1.2.32"
+Django = ">=2.2,<6.0"
 django-timezone-field = ">=5.0"
 python-crontab = ">=2.3.4"
 tzdata = "*"
@@ -3348,14 +3370,14 @@ files = [

 [[package]]
 name = "flask"
-version = "3.1.3"
+version = "3.1.2"
 description = "A simple framework for building complex web applications."
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "flask-3.1.3-py3-none-any.whl", hash = "sha256:f4bcbefc124291925f1a26446da31a5178f9483862233b23c0c96a20701f670c"},
-    {file = "flask-3.1.3.tar.gz", hash = "sha256:0ef0e52b8a9cd932855379197dd8f94047b359ca0a78695144304cb45f87c9eb"},
+    {file = "flask-3.1.2-py3-none-any.whl", hash = "sha256:ca1d8112ec8a6158cc29ea4858963350011b5c846a414cdb7a954aa9e967d03c"},
+    {file = "flask-3.1.2.tar.gz", hash = "sha256:bf656c15c80190ed628ad08cdfd3aaa35beb087855e2f494910aa3774cc4fd87"},
 ]

 [package.dependencies]
@@ -3372,62 +3394,62 @@ dotenv = ["python-dotenv"]

 [[package]]
 name = "fonttools"
-version = "4.62.1"
+version = "4.61.1"
 description = "Tools to manipulate font files"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "fonttools-4.62.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:ad5cca75776cd453b1b035b530e943334957ae152a36a88a320e779d61fc980c"},
-    {file = "fonttools-4.62.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0b3ae47e8636156a9accff64c02c0924cbebad62854c4a6dbdc110cd5b4b341a"},
-    {file = "fonttools-4.62.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c9b9e288b4da2f64fd6180644221749de651703e8d0c16bd4b719533a3a7d6e3"},
-    {file = "fonttools-4.62.1-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7bca7a1c1faf235ffe25d4f2e555246b4750220b38de8261d94ebc5ce8a23c23"},
-    {file = "fonttools-4.62.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:b4e0fcf265ad26e487c56cb12a42dffe7162de708762db951e1b3f755319507d"},
-    {file = "fonttools-4.62.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2d850f66830a27b0d498ee05adb13a3781637b1826982cd7e2b3789ef0cc71ae"},
-    {file = "fonttools-4.62.1-cp310-cp310-win32.whl", hash = "sha256:486f32c8047ccd05652aba17e4a8819a3a9d78570eb8a0e3b4503142947880ed"},
-    {file = "fonttools-4.62.1-cp310-cp310-win_amd64.whl", hash = "sha256:5a648bde915fba9da05ae98856987ca91ba832949a9e2888b48c47ef8b96c5a9"},
-    {file = "fonttools-4.62.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:40975849bac44fb0b9253d77420c6d8b523ac4dcdcefeff6e4d706838a5b80f7"},
-    {file = "fonttools-4.62.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:9dde91633f77fa576879a0c76b1d89de373cae751a98ddf0109d54e173b40f14"},
-    {file = "fonttools-4.62.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6acb4109f8bee00fec985c8c7afb02299e35e9c94b57287f3ea542f28bd0b0a7"},
-    {file = "fonttools-4.62.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:1c5c25671ce8805e0d080e2ffdeca7f1e86778c5cbfbeae86d7f866d8830517b"},
-    {file = "fonttools-4.62.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:a5d8825e1140f04e6c99bb7d37a9e31c172f3bc208afbe02175339e699c710e1"},
-    {file = "fonttools-4.62.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:268abb1cb221e66c014acc234e872b7870d8b5d4657a83a8f4205094c32d2416"},
-    {file = "fonttools-4.62.1-cp311-cp311-win32.whl", hash = "sha256:942b03094d7edbb99bdf1ae7e9090898cad7bf9030b3d21f33d7072dbcb51a53"},
-    {file = "fonttools-4.62.1-cp311-cp311-win_amd64.whl", hash = "sha256:e8514f4924375f77084e81467e63238b095abda5107620f49421c368a6017ed2"},
-    {file = "fonttools-4.62.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:90365821debbd7db678809c7491ca4acd1e0779b9624cdc6ddaf1f31992bf974"},
-    {file = "fonttools-4.62.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:12859ff0b47dd20f110804c3e0d0970f7b832f561630cd879969011541a464a9"},
-    {file = "fonttools-4.62.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c125ffa00c3d9003cdaaf7f2c79e6e535628093e14b5de1dccb08859b680936"},
-    {file = "fonttools-4.62.1-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:149f7d84afca659d1a97e39a4778794a2f83bf344c5ee5134e09995086cc2392"},
-    {file = "fonttools-4.62.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:0aa72c43a601cfa9273bb1ae0518f1acadc01ee181a6fc60cd758d7fdadffc04"},
-    {file = "fonttools-4.62.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:19177c8d96c7c36359266e571c5173bcee9157b59cfc8cb0153c5673dc5a3a7d"},
-    {file = "fonttools-4.62.1-cp312-cp312-win32.whl", hash = "sha256:a24decd24d60744ee8b4679d38e88b8303d86772053afc29b19d23bb8207803c"},
-    {file = "fonttools-4.62.1-cp312-cp312-win_amd64.whl", hash = "sha256:9e7863e10b3de72376280b515d35b14f5eeed639d1aa7824f4cf06779ec65e42"},
-    {file = "fonttools-4.62.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:c22b1014017111c401469e3acc5433e6acf6ebcc6aa9efb538a533c800971c79"},
-    {file = "fonttools-4.62.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:68959f5fc58ed4599b44aad161c2837477d7f35f5f79402d97439974faebfebe"},
-    {file = "fonttools-4.62.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ef46db46c9447103b8f3ff91e8ba009d5fe181b1920a83757a5762551e32bb68"},
-    {file = "fonttools-4.62.1-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:6706d1cb1d5e6251a97ad3c1b9347505c5615c112e66047abbef0f8545fa30d1"},
-    {file = "fonttools-4.62.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:2e7abd2b1e11736f58c1de27819e1955a53267c21732e78243fa2fa2e5c1e069"},
-    {file = "fonttools-4.62.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:403d28ce06ebfc547fbcb0cb8b7f7cc2f7a2d3e1a67ba9a34b14632df9e080f9"},
-    {file = "fonttools-4.62.1-cp313-cp313-win32.whl", hash = "sha256:93c316e0f5301b2adbe6a5f658634307c096fd5aae60a5b3412e4f3e1728ab24"},
-    {file = "fonttools-4.62.1-cp313-cp313-win_amd64.whl", hash = "sha256:7aa21ff53e28a9c2157acbc44e5b401149d3c9178107130e82d74ceb500e5056"},
-    {file = "fonttools-4.62.1-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:fa1d16210b6b10a826d71bed68dd9ec24a9e218d5a5e2797f37c573e7ec215ca"},
-    {file = "fonttools-4.62.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:aa69d10ed420d8121118e628ad47d86e4caa79ba37f968597b958f6cceab7eca"},
-    {file = "fonttools-4.62.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:bd13b7999d59c5eb1c2b442eb2d0c427cb517a0b7a1f5798fc5c9e003f5ff782"},
-    {file = "fonttools-4.62.1-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:8d337fdd49a79b0d51c4da87bc38169d21c3abbf0c1aa9367eff5c6656fb6dae"},
-    {file = "fonttools-4.62.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:d241cdc4a67b5431c6d7f115fdf63335222414995e3a1df1a41e1182acd4bcc7"},
-    {file = "fonttools-4.62.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:c05557a78f8fa514da0f869556eeda40887a8abc77c76ee3f74cf241778afd5a"},
-    {file = "fonttools-4.62.1-cp314-cp314-win32.whl", hash = "sha256:49a445d2f544ce4a69338694cad575ba97b9a75fff02720da0882d1a73f12800"},
-    {file = "fonttools-4.62.1-cp314-cp314-win_amd64.whl", hash = "sha256:1eecc128c86c552fb963fe846ca4e011b1be053728f798185a1687502f6d398e"},
-    {file = "fonttools-4.62.1-cp314-cp314t-macosx_10_15_universal2.whl", hash = "sha256:1596aeaddf7f78e21e68293c011316a25267b3effdaccaf4d59bc9159d681b82"},
-    {file = "fonttools-4.62.1-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:8f8fca95d3bb3208f59626a4b0ea6e526ee51f5a8ad5d91821c165903e8d9260"},
-    {file = "fonttools-4.62.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ee91628c08e76f77b533d65feb3fbe6d9dad699f95be51cf0d022db94089cdc4"},
-    {file = "fonttools-4.62.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5f37df1cac61d906e7b836abe356bc2f34c99d4477467755c216b72aa3dc748b"},
-    {file = "fonttools-4.62.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:92bb00a947e666169c99b43753c4305fc95a890a60ef3aeb2a6963e07902cc87"},
-    {file = "fonttools-4.62.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:bdfe592802ef939a0e33106ea4a318eeb17822c7ee168c290273cbd5fabd746c"},
-    {file = "fonttools-4.62.1-cp314-cp314t-win32.whl", hash = "sha256:b820fcb92d4655513d8402d5b219f94481c4443d825b4372c75a2072aa4b357a"},
-    {file = "fonttools-4.62.1-cp314-cp314t-win_amd64.whl", hash = "sha256:59b372b4f0e113d3746b88985f1c796e7bf830dd54b28374cd85c2b8acd7583e"},
-    {file = "fonttools-4.62.1-py3-none-any.whl", hash = "sha256:7487782e2113861f4ddcc07c3436450659e3caa5e470b27dc2177cade2d8e7fd"},
-    {file = "fonttools-4.62.1.tar.gz", hash = "sha256:e54c75fd6041f1122476776880f7c3c3295ffa31962dc6ebe2543c00dca58b5d"},
+    {file = "fonttools-4.61.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7c7db70d57e5e1089a274cbb2b1fd635c9a24de809a231b154965d415d6c6d24"},
+    {file = "fonttools-4.61.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:5fe9fd43882620017add5eabb781ebfbc6998ee49b35bd7f8f79af1f9f99a958"},
+    {file = "fonttools-4.61.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d8db08051fc9e7d8bc622f2112511b8107d8f27cd89e2f64ec45e9825e8288da"},
+    {file = "fonttools-4.61.1-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:a76d4cb80f41ba94a6691264be76435e5f72f2cb3cab0b092a6212855f71c2f6"},
+    {file = "fonttools-4.61.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a13fc8aeb24bad755eea8f7f9d409438eb94e82cf86b08fe77a03fbc8f6a96b1"},
+    {file = "fonttools-4.61.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:b846a1fcf8beadeb9ea4f44ec5bdde393e2f1569e17d700bfc49cd69bde75881"},
+    {file = "fonttools-4.61.1-cp310-cp310-win32.whl", hash = "sha256:78a7d3ab09dc47ac1a363a493e6112d8cabed7ba7caad5f54dbe2f08676d1b47"},
+    {file = "fonttools-4.61.1-cp310-cp310-win_amd64.whl", hash = "sha256:eff1ac3cc66c2ac7cda1e64b4e2f3ffef474b7335f92fc3833fc632d595fcee6"},
+    {file = "fonttools-4.61.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:c6604b735bb12fef8e0efd5578c9fb5d3d8532d5001ea13a19cddf295673ee09"},
+    {file = "fonttools-4.61.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:5ce02f38a754f207f2f06557523cd39a06438ba3aafc0639c477ac409fc64e37"},
+    {file = "fonttools-4.61.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:77efb033d8d7ff233385f30c62c7c79271c8885d5c9657d967ede124671bbdfb"},
+    {file = "fonttools-4.61.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:75c1a6dfac6abd407634420c93864a1e274ebc1c7531346d9254c0d8f6ca00f9"},
+    {file = "fonttools-4.61.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:0de30bfe7745c0d1ffa2b0b7048fb7123ad0d71107e10ee090fa0b16b9452e87"},
+    {file = "fonttools-4.61.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:58b0ee0ab5b1fc9921eccfe11d1435added19d6494dde14e323f25ad2bc30c56"},
+    {file = "fonttools-4.61.1-cp311-cp311-win32.whl", hash = "sha256:f79b168428351d11e10c5aeb61a74e1851ec221081299f4cf56036a95431c43a"},
+    {file = "fonttools-4.61.1-cp311-cp311-win_amd64.whl", hash = "sha256:fe2efccb324948a11dd09d22136fe2ac8a97d6c1347cf0b58a911dcd529f66b7"},
+    {file = "fonttools-4.61.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:f3cb4a569029b9f291f88aafc927dd53683757e640081ca8c412781ea144565e"},
+    {file = "fonttools-4.61.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:41a7170d042e8c0024703ed13b71893519a1a6d6e18e933e3ec7507a2c26a4b2"},
+    {file = "fonttools-4.61.1-cp312-cp312-manylinux1_x86_64.manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:10d88e55330e092940584774ee5e8a6971b01fc2f4d3466a1d6c158230880796"},
+    {file = "fonttools-4.61.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:15acc09befd16a0fb8a8f62bc147e1a82817542d72184acca9ce6e0aeda9fa6d"},
+    {file = "fonttools-4.61.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:e6bcdf33aec38d16508ce61fd81838f24c83c90a1d1b8c68982857038673d6b8"},
+    {file = "fonttools-4.61.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:5fade934607a523614726119164ff621e8c30e8fa1ffffbbd358662056ba69f0"},
+    {file = "fonttools-4.61.1-cp312-cp312-win32.whl", hash = "sha256:75da8f28eff26defba42c52986de97b22106cb8f26515b7c22443ebc9c2d3261"},
+    {file = "fonttools-4.61.1-cp312-cp312-win_amd64.whl", hash = "sha256:497c31ce314219888c0e2fce5ad9178ca83fe5230b01a5006726cdf3ac9f24d9"},
+    {file = "fonttools-4.61.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:8c56c488ab471628ff3bfa80964372fc13504ece601e0d97a78ee74126b2045c"},
+    {file = "fonttools-4.61.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:dc492779501fa723b04d0ab1f5be046797fee17d27700476edc7ee9ae535a61e"},
+    {file = "fonttools-4.61.1-cp313-cp313-manylinux1_x86_64.manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:64102ca87e84261419c3747a0d20f396eb024bdbeb04c2bfb37e2891f5fadcb5"},
+    {file = "fonttools-4.61.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4c1b526c8d3f615a7b1867f38a9410849c8f4aef078535742198e942fba0e9bd"},
+    {file = "fonttools-4.61.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:41ed4b5ec103bd306bb68f81dc166e77409e5209443e5773cb4ed837bcc9b0d3"},
+    {file = "fonttools-4.61.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:b501c862d4901792adaec7c25b1ecc749e2662543f68bb194c42ba18d6eec98d"},
+    {file = "fonttools-4.61.1-cp313-cp313-win32.whl", hash = "sha256:4d7092bb38c53bbc78e9255a59158b150bcdc115a1e3b3ce0b5f267dc35dd63c"},
+    {file = "fonttools-4.61.1-cp313-cp313-win_amd64.whl", hash = "sha256:21e7c8d76f62ab13c9472ccf74515ca5b9a761d1bde3265152a6dc58700d895b"},
+    {file = "fonttools-4.61.1-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:fff4f534200a04b4a36e7ae3cb74493afe807b517a09e99cb4faa89a34ed6ecd"},
+    {file = "fonttools-4.61.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:d9203500f7c63545b4ce3799319fe4d9feb1a1b89b28d3cb5abd11b9dd64147e"},
+    {file = "fonttools-4.61.1-cp314-cp314-manylinux1_x86_64.manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:fa646ecec9528bef693415c79a86e733c70a4965dd938e9a226b0fc64c9d2e6c"},
+    {file = "fonttools-4.61.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:11f35ad7805edba3aac1a3710d104592df59f4b957e30108ae0ba6c10b11dd75"},
+    {file = "fonttools-4.61.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:b931ae8f62db78861b0ff1ac017851764602288575d65b8e8ff1963fed419063"},
+    {file = "fonttools-4.61.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:b148b56f5de675ee16d45e769e69f87623a4944f7443850bf9a9376e628a89d2"},
+    {file = "fonttools-4.61.1-cp314-cp314-win32.whl", hash = "sha256:9b666a475a65f4e839d3d10473fad6d47e0a9db14a2f4a224029c5bfde58ad2c"},
+    {file = "fonttools-4.61.1-cp314-cp314-win_amd64.whl", hash = "sha256:4f5686e1fe5fce75d82d93c47a438a25bf0d1319d2843a926f741140b2b16e0c"},
+    {file = "fonttools-4.61.1-cp314-cp314t-macosx_10_15_universal2.whl", hash = "sha256:e76ce097e3c57c4bcb67c5aa24a0ecdbd9f74ea9219997a707a4061fbe2707aa"},
+    {file = "fonttools-4.61.1-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:9cfef3ab326780c04d6646f68d4b4742aae222e8b8ea1d627c74e38afcbc9d91"},
+    {file = "fonttools-4.61.1-cp314-cp314t-manylinux1_x86_64.manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:a75c301f96db737e1c5ed5fd7d77d9c34466de16095a266509e13da09751bd19"},
+    {file = "fonttools-4.61.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:91669ccac46bbc1d09e9273546181919064e8df73488ea087dcac3e2968df9ba"},
+    {file = "fonttools-4.61.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c33ab3ca9d3ccd581d58e989d67554e42d8d4ded94ab3ade3508455fe70e65f7"},
+    {file = "fonttools-4.61.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:664c5a68ec406f6b1547946683008576ef8b38275608e1cee6c061828171c118"},
+    {file = "fonttools-4.61.1-cp314-cp314t-win32.whl", hash = "sha256:aed04cabe26f30c1647ef0e8fbb207516fd40fe9472e9439695f5c6998e60ac5"},
+    {file = "fonttools-4.61.1-cp314-cp314t-win_amd64.whl", hash = "sha256:2180f14c141d2f0f3da43f3a81bc8aa4684860f6b0e6f9e165a4831f24e6a23b"},
+    {file = "fonttools-4.61.1-py3-none-any.whl", hash = "sha256:17d2bf5d541add43822bcf0c43d7d847b160c9bb01d15d5007d84e2217aaa371"},
+    {file = "fonttools-4.61.1.tar.gz", hash = "sha256:6675329885c44657f826ef01d9e4fb33b9158e9d93c537d84ad8399539bc6f69"},
 ]

 [package.extras]
@@ -5042,18 +5064,18 @@ tests = ["psutil", "pytest (!=3.3.0)", "pytest-cov"]

 [[package]]
 name = "markdown"
-version = "3.10.2"
+version = "3.9"
 description = "Python implementation of John Gruber's Markdown."
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "markdown-3.10.2-py3-none-any.whl", hash = "sha256:e91464b71ae3ee7afd3017d9f358ef0baf158fd9a298db92f1d4761133824c36"},
-    {file = "markdown-3.10.2.tar.gz", hash = "sha256:994d51325d25ad8aa7ce4ebaec003febcce822c3f8c911e3b17c52f7f589f950"},
+    {file = "markdown-3.9-py3-none-any.whl", hash = "sha256:9f4d91ed810864ea88a6f32c07ba8bee1346c0cc1f6b1f9f6c822f2a9667d280"},
+    {file = "markdown-3.9.tar.gz", hash = "sha256:d2900fe1782bd33bdbbd56859defef70c2e78fc46668f8eb9df3128138f2cb6a"},
 ]

 [package.extras]
-docs = ["mdx_gh_links (>=0.2)", "mkdocs (>=1.6)", "mkdocs-gen-files", "mkdocs-literate-nav", "mkdocs-nature (>=0.6)", "mkdocs-section-index", "mkdocstrings[python] (>=0.28.3)"]
+docs = ["mdx_gh_links (>=0.2)", "mkdocs (>=1.6)", "mkdocs-gen-files", "mkdocs-literate-nav", "mkdocs-nature (>=0.6)", "mkdocs-section-index", "mkdocstrings[python]"]
 testing = ["coverage", "pyyaml"]

 [[package]]
@@ -5827,14 +5849,14 @@ files = [

 [[package]]
 name = "nltk"
-version = "3.9.4"
+version = "3.9.2"
 description = "Natural Language Toolkit"
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "nltk-3.9.4-py3-none-any.whl", hash = "sha256:f2fa301c3a12718ce4a0e9305c5675299da5ad9e26068218b69d692fda84828f"},
-    {file = "nltk-3.9.4.tar.gz", hash = "sha256:ed03bc098a40481310320808b2db712d95d13ca65b27372f8a403949c8b523d0"},
+    {file = "nltk-3.9.2-py3-none-any.whl", hash = "sha256:1e209d2b3009110635ed9709a67a1a3e33a10f799490fa71cf4bec218c11c88a"},
+    {file = "nltk-3.9.2.tar.gz", hash = "sha256:0f409e9b069ca4177c1903c3e843eef90c7e92992fa4931ae607da6de49e1419"},
 ]

 [package.dependencies]
@@ -6632,10 +6654,10 @@ files = [

 [[package]]
 name = "prowler"
-version = "5.23.0"
+version = "5.19.0"
 description = "Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks."
 optional = false
-python-versions = ">=3.10,<3.13"
+python-versions = ">3.9.1,<3.13"
 groups = ["main"]
 files = []
 develop = false
@@ -6690,7 +6712,6 @@ colorama = "0.4.6"
 cryptography = "44.0.3"
 dash = "3.1.1"
 dash-bootstrap-components = "2.0.3"
-defusedxml = ">=0.7.1"
 detect-secrets = "1.5.0"
 dulwich = "0.23.0"
 google-api-python-client = "2.163.0"
@@ -6698,7 +6719,7 @@ google-auth-httplib2 = ">=0.1,<0.3"
 h2 = "4.3.0"
 jsonschema = "4.23.0"
 kubernetes = "32.0.1"
-markdown = "3.10.2"
+markdown = "3.9.0"
 microsoft-kiota-abstractions = "1.9.2"
 msgraph-sdk = "1.23.0"
 numpy = "2.0.2"
@@ -6708,7 +6729,7 @@ pandas = "2.2.3"
 py-iam-expand = "0.1.0"
 py-ocsf-models = "0.8.1"
 pydantic = ">=2.0,<3.0"
-pygithub = "2.8.0"
+pygithub = "2.5.0"
 python-dateutil = ">=2.9.0.post0,<3.0.0"
 pytz = "2025.1"
 schema = "0.7.5"
@@ -6716,13 +6737,12 @@ shodan = "1.31.0"
 slack-sdk = "3.39.0"
 tabulate = "0.9.0"
 tzlocal = "5.3.1"
-uuid6 = "2024.7.10"

 [package.source]
 type = "git"
 url = "https://github.com/prowler-cloud/prowler.git"
 reference = "master"
-resolved_reference = "2ddd5b3091bcdd8c7d44aba73b13c5c6f8f99e35"
+resolved_reference = "b31145616064bd6727139777dca1cea9b977346a"

 [[package]]
 name = "psutil"
@@ -7095,21 +7115,22 @@ typing-extensions = ">=4.14.1"

 [[package]]
 name = "pygithub"
-version = "2.8.0"
+version = "2.5.0"
 description = "Use the full Github API v3"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "pygithub-2.8.0-py3-none-any.whl", hash = "sha256:11a3473c1c2f1c39c525d0ee8c559f369c6d46c272cb7321c9b0cabc7aa1ce7d"},
-    {file = "pygithub-2.8.0.tar.gz", hash = "sha256:72f5f2677d86bc3a8843aa720c6ce4c1c42fb7500243b136e3d5e14ddb5c3386"},
+    {file = "PyGithub-2.5.0-py3-none-any.whl", hash = "sha256:b0b635999a658ab8e08720bdd3318893ff20e2275f6446fcf35bf3f44f2c0fd2"},
+    {file = "pygithub-2.5.0.tar.gz", hash = "sha256:e1613ac508a9be710920d26eb18b1905ebd9926aa49398e88151c1b526aad3cf"},
 ]

 [package.dependencies]
+Deprecated = "*"
 pyjwt = {version = ">=2.4.0", extras = ["crypto"]}
 pynacl = ">=1.4.0"
 requests = ">=2.14.0"
-typing-extensions = ">=4.5.0"
+typing-extensions = ">=4.0.0"
 urllib3 = ">=1.26.0"

 [[package]]
@@ -7345,14 +7366,14 @@ dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments

 [[package]]
 name = "pytest-celery"
-version = "1.3.0"
+version = "1.2.1"
 description = "Pytest plugin for Celery"
 optional = false
-python-versions = "<4.0,>=3.9"
+python-versions = "<4.0,>=3.8"
 groups = ["main"]
 files = [
-    {file = "pytest_celery-1.3.0-py3-none-any.whl", hash = "sha256:f02201d7770584a0c412a1ded329a142170c24012467c7046f2c72cc8205ad5d"},
-    {file = "pytest_celery-1.3.0.tar.gz", hash = "sha256:bd9e5b0f594ec5de9ab97cf27e3a11c644718a761bab6b997d01800fd7394f64"},
+    {file = "pytest_celery-1.2.1-py3-none-any.whl", hash = "sha256:0441ab0c2a712b775be16ffda3d7deb31995fd7b5e9d71630e7ea98b474346a3"},
+    {file = "pytest_celery-1.2.1.tar.gz", hash = "sha256:7873fb3cf4fbfe9b0dd15d359bdb8bbab4a41c7e48f5b0adb7d36138d3704d52"},
 ]

 [package.dependencies]
@@ -7363,13 +7384,14 @@ kombu = "*"
 psutil = ">=7.0.0"
 pytest-docker-tools = ">=3.1.3"
 redis = {version = "*", optional = true, markers = "extra == \"all\" or extra == \"redis\""}
+setuptools = {version = ">=75.8.0", markers = "python_version >= \"3.9\" and python_version < \"4.0\""}
 tenacity = ">=9.0.0"

 [package.extras]
-all = ["boto3", "botocore", "pycurl (>=7.43) ; sys_platform != \"win32\" and platform_python_implementation == \"CPython\"", "python-memcached", "redis", "urllib3 (>=1.26.16,<2.0)"]
+all = ["boto3", "botocore", "python-memcached", "redis", "urllib3 (>=1.26.16,<2.0)"]
 memcached = ["python-memcached"]
 redis = ["redis"]
-sqs = ["boto3", "botocore", "pycurl (>=7.43) ; sys_platform != \"win32\" and platform_python_implementation == \"CPython\"", "urllib3 (>=1.26.16,<2.0)"]
+sqs = ["boto3", "botocore", "urllib3 (>=1.26.16,<2.0)"]

 [[package]]
 name = "pytest-cov"
@@ -7854,14 +7876,14 @@ files = [

 [[package]]
 name = "reportlab"
-version = "4.4.10"
+version = "4.4.9"
 description = "The Reportlab Toolkit"
 optional = false
 python-versions = "<4,>=3.9"
 groups = ["main"]
 files = [
-    {file = "reportlab-4.4.10-py3-none-any.whl", hash = "sha256:5abc815746ae2bc44e7ff25db96814f921349ca814c992c7eac3c26029bf7c24"},
-    {file = "reportlab-4.4.10.tar.gz", hash = "sha256:5cbbb34ac3546039d0086deb2938cdec06b12da3cdb836e813258eb33cd28487"},
+    {file = "reportlab-4.4.9-py3-none-any.whl", hash = "sha256:68e2d103ae8041a37714e8896ec9b79a1c1e911d68c3bd2ea17546568cf17bfd"},
+    {file = "reportlab-4.4.9.tar.gz", hash = "sha256:7cf487764294ee791a4781f5a157bebce262a666ae4bbb87786760a9676c9378"},
 ]

 [package.dependencies]
@@ -8283,14 +8305,14 @@ contextlib2 = ">=0.5.5"

 [[package]]
 name = "sentry-sdk"
-version = "2.56.0"
+version = "2.51.0"
 description = "Python client for Sentry (https://sentry.io)"
 optional = false
 python-versions = ">=3.6"
 groups = ["main"]
 files = [
-    {file = "sentry_sdk-2.56.0-py2.py3-none-any.whl", hash = "sha256:5afafb744ceb91d22f4cc650c6bd048ac6af5f7412dcc6c59305a2e36f4dbc02"},
-    {file = "sentry_sdk-2.56.0.tar.gz", hash = "sha256:fdab72030b69625665b2eeb9738bdde748ad254e8073085a0ce95382678e8168"},
+    {file = "sentry_sdk-2.51.0-py2.py3-none-any.whl", hash = "sha256:e21016d318a097c2b617bb980afd9fc737e1efc55f9b4f0cdc819982c9717d5f"},
+    {file = "sentry_sdk-2.51.0.tar.gz", hash = "sha256:b89d64577075fd8c13088bc3609a2ce77a154e5beb8cba7cc16560b0539df4f7"},
 ]

 [package.dependencies]
@@ -8763,14 +8785,14 @@ test = ["pytest", "websockets"]

 [[package]]
 name = "werkzeug"
-version = "3.1.7"
+version = "3.1.5"
 description = "The comprehensive WSGI web application library."
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "werkzeug-3.1.7-py3-none-any.whl", hash = "sha256:4b314d81163a3e1a169b6a0be2a000a0e204e8873c5de6586f453c55688d422f"},
-    {file = "werkzeug-3.1.7.tar.gz", hash = "sha256:fb8c01fe6ab13b9b7cdb46892b99b1d66754e1d7ab8e542e865ec13f526b5351"},
+    {file = "werkzeug-3.1.5-py3-none-any.whl", hash = "sha256:5111e36e91086ece91f93268bb39b4a35c1e6f1feac762c9c822ded0a4e322dc"},
+    {file = "werkzeug-3.1.5.tar.gz", hash = "sha256:6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67"},
 ]

 [package.dependencies]
@@ -9372,4 +9394,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "167d4549788b8bc8bb7772b9a81ade1eab73d8f354251a8d6af4901223cc7f67"
+content-hash = "2ed5b4e47d81da81963814f21702220ac5619f50cd605fd779be53c8c46ffca5"
@@ -5,21 +5,21 @@ requires = ["poetry-core"]
 [project]
 authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
-  "celery (==5.6.2)",
+  "celery (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
  "django (==5.1.15)",
-  "django-allauth[saml] (==65.15.0)",
-  "django-celery-beat (==2.9.0)",
-  "django-celery-results (==2.6.0)",
+  "django-allauth[saml] (>=65.13.0,<66.0.0)",
+  "django-celery-beat (>=2.7.0,<3.0.0)",
+  "django-celery-results (>=2.5.1,<3.0.0)",
  "django-cors-headers==4.4.0",
  "django-environ==0.11.2",
  "django-filter==24.3",
  "django-guid==3.5.0",
-  "django-postgres-extra (==2.0.9)",
+  "django-postgres-extra (>=2.0.8,<3.0.0)",
  "djangorestframework==3.15.2",
  "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt (==5.5.1)",
-  "drf-nested-routers (==0.95.0)",
+  "djangorestframework-simplejwt (>=5.3.1,<6.0.0)",
+  "drf-nested-routers (>=0.94.1,<1.0.0)",
  "drf-spectacular==0.27.2",
  "drf-spectacular-jsonapi==0.5.1",
  "defusedxml==0.7.1",
@@ -27,22 +27,22 @@ dependencies = [
  "lxml==5.3.2",
  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
-  "pytest-celery[redis] (==1.3.0)",
-  "sentry-sdk[django] (==2.56.0)",
+  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
+  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
  "uuid6==2024.7.10",
-  "openai (==1.109.1)",
+  "openai (>=1.82.0,<2.0.0)",
  "xmlsec==1.3.14",
  "h2 (==4.3.0)",
-  "markdown (==3.10.2)",
+  "markdown (>=3.9,<4.0)",
  "drf-simple-apikey (==2.2.1)",
-  "matplotlib (==3.10.8)",
-  "reportlab (==4.4.10)",
-  "neo4j (==6.1.0)",
+  "matplotlib (>=3.10.6,<4.0.0)",
+  "reportlab (>=4.4.4,<5.0.0)",
+  "neo4j (>=6.0.0,<7.0.0)",
  "cartography (==0.132.0)",
-  "gevent (==25.9.1)",
-  "werkzeug (==3.1.7)",
-  "sqlparse (==0.5.5)",
-  "fonttools (==4.62.1)"
+  "gevent (>=25.9.1,<26.0.0)",
+  "werkzeug (>=3.1.4)",
+  "sqlparse (>=0.5.4)",
+  "fonttools (>=4.60.2)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -50,7 +50,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.24.0"
+version = "1.23.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -62,7 +62,7 @@ django-silk = "5.3.2"
 docker = "7.1.0"
 filelock = "3.20.3"
 freezegun = "1.5.1"
-marshmallow = "==3.26.2"
+marshmallow = ">=3.15.0,<4.0.0"
 mypy = "1.10.1"
 pylint = "3.2.5"
 pytest = "8.2.2"
@@ -1,170 +0,0 @@
-"""
-Cypher sanitizer for custom (user-supplied) Attack Paths queries.
-
-Two responsibilities:
-
-1. **Validation** - reject queries containing SSRF or dangerous procedure
-   patterns (defense-in-depth; the primary control is ``neo4j.READ_ACCESS``).
-
-2. **Provider-scoped label injection** - inject a dynamic
-   ``_Provider_{uuid}`` label into every node pattern so the database can
-   use its native label index for provider isolation.
-
-Label-injection pipeline:
-
-1. **Protect** string literals and line comments (placeholder replacement).
-2. **Split** by top-level clause keywords to track clause context.
-3. **Pass A** - inject into *labeled* node patterns in ALL segments.
-4. **Pass B** - inject into *bare* node patterns in MATCH segments only.
-5. **Restore** protected regions.
-"""
-
-import re
-
-from rest_framework.exceptions import ValidationError
-
-from tasks.jobs.attack_paths.config import get_provider_label
-
-
-# Step 1 - String / comment protection
-# Single combined regex: strings first, then line comments.
-# The regex engine finds the leftmost match, so a string like 'https://prowler.com'
-# is consumed as a string before the // inside it can match as a comment.
-_PROTECTED_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|//[^\n]*")
-
-# Step 2 - Clause splitting
-# OPTIONAL MATCH must come before MATCH to avoid partial matching.
-_CLAUSE_RE = re.compile(
-    r"\b(OPTIONAL\s+MATCH|MATCH|WHERE|RETURN|WITH|ORDER\s+BY"
-    r"|SKIP|LIMIT|UNION|UNWIND|CALL)\b",
-    re.IGNORECASE,
-)
-
-# Pass A - Labeled node patterns (all segments)
-# Matches node patterns that have at least one :Label.
-# (?<!\w)\(  - open paren NOT preceded by a word char (excludes function calls).
-# Group 1:  optional variable + one or more :Label
-# Group 2:  optional {properties} + closing paren
-_LABELED_NODE_RE = re.compile(
-    r"(?<!\w)\("
-    r"("
-    r"\s*(?:[a-zA-Z_]\w*)?"
-    r"(?:\s*:\s*(?:`[^`]*`|[a-zA-Z_]\w*))+"
-    r")"
-    r"("
-    r"\s*(?:\{[^}]*\})?"
-    r"\s*\)"
-    r")"
-)
-
-# Pass B - Bare node patterns (MATCH segments only)
-# Matches (identifier) or (identifier {properties}) without any :Label.
-# Only applied in MATCH/OPTIONAL MATCH segments.
-_BARE_NODE_RE = re.compile(
-    r"(?<!\w)\(" r"(\s*[a-zA-Z_]\w*)" r"(\s*(?:\{[^}]*\})?)" r"\s*\)"
-)
-
-_MATCH_CLAUSES = frozenset({"MATCH", "OPTIONAL MATCH"})
-
-
-def _inject_labeled(segment: str, label: str) -> str:
-    """Inject provider label into all node patterns that have existing labels."""
-    return _LABELED_NODE_RE.sub(rf"(\1:{label}\2", segment)
-
-
-def _inject_bare(segment: str, label: str) -> str:
-    """Inject provider label into bare `(identifier)` node patterns."""
-
-    def _replace(match):
-        var = match.group(1)
-        props = match.group(2).strip()
-        if props:
-            return f"({var}:{label} {props})"
-        return f"({var}:{label})"
-
-    return _BARE_NODE_RE.sub(_replace, segment)
-
-
-def inject_provider_label(cypher: str, provider_id: str) -> str:
-    """Rewrite a Cypher query to scope every node pattern to a provider.
-
-    Args:
-        cypher: The original Cypher query string.
-        provider_id: The provider UUID (will be converted to a label via
-            `get_provider_label`).
-
-    Returns:
-        The rewritten Cypher with `:_Provider_{uuid}` appended to every
-        node pattern.
-    """
-    label = get_provider_label(provider_id)
-
-    # Step 1: Protect strings and comments (single pass, leftmost-first)
-    protected: list[str] = []
-
-    def _save(match):
-        protected.append(match.group(0))
-        return f"\x00P{len(protected) - 1}\x00"
-
-    work = _PROTECTED_RE.sub(_save, cypher)
-
-    # Step 2: Split by clause keywords
-    parts = _CLAUSE_RE.split(work)
-
-    # Steps 3-4: Apply injection passes per segment
-    result: list[str] = []
-    current_clause: str | None = None
-
-    for i, part in enumerate(parts):
-        if i % 2 == 1:
-            # Keyword token - normalize for clause tracking
-            current_clause = re.sub(r"\s+", " ", part.strip()).upper()
-            result.append(part)
-        else:
-            # Content segment - apply injection based on clause context
-            part = _inject_labeled(part, label)
-            if current_clause in _MATCH_CLAUSES:
-                part = _inject_bare(part, label)
-            result.append(part)
-
-    work = "".join(result)
-
-    # Step 5: Restore protected regions
-    for i, original in enumerate(protected):
-        work = work.replace(f"\x00P{i}\x00", original)
-
-    return work
-
-
-# ---------------------------------------------------------------------------
-# Validation
-# ---------------------------------------------------------------------------
-
-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals and comments are stripped before matching to avoid
-    false positives.
-    """
-    stripped = _PROTECTED_RE.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})
@@ -11,8 +11,8 @@ from config.env import env
 from django.conf import settings
 from tasks.jobs.attack_paths.config import (
    BATCH_SIZE,
+    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
-    get_provider_label,
 )

 from api.attack_paths.retryable_session import RetryableSession
@@ -163,8 +163,11 @@ def drop_subgraph(database: str, provider_id: str) -> int:
    Uses batched deletion to avoid memory issues with large graphs.
    Silently returns 0 if the database doesn't exist.
    """
-    provider_label = get_provider_label(provider_id)
    deleted_nodes = 0
+    parameters = {
+        "provider_id": provider_id,
+        "batch_size": BATCH_SIZE,
+    }

    try:
        with get_session(database) as session:
@@ -172,12 +175,12 @@ def drop_subgraph(database: str, provider_id: str) -> int:
            while deleted_count > 0:
                result = session.run(
                    f"""
-                    MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
+                    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
                    WITH n LIMIT $batch_size
                    DETACH DELETE n
                    RETURN COUNT(n) AS deleted_nodes_count
                    """,
-                    {"batch_size": BATCH_SIZE},
+                    parameters,
                )
                deleted_count = result.single().get("deleted_nodes_count", 0)
                deleted_nodes += deleted_count
@@ -196,12 +199,15 @@ def has_provider_data(database: str, provider_id: str) -> bool:

    Returns `False` if the database doesn't exist.
    """
-    provider_label = get_provider_label(provider_id)
-    query = f"MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`) RETURN 1 LIMIT 1"
+    query = (
+        f"MATCH (n:{PROVIDER_RESOURCE_LABEL} "
+        f"{{{PROVIDER_ID_PROPERTY}: $provider_id}}) "
+        "RETURN 1 LIMIT 1"
+    )

    try:
        with get_session(database, default_access_mode=neo4j.READ_ACCESS) as session:
-            result = session.run(query)
+            result = session.run(query, {"provider_id": provider_id})
            return result.single() is not None

    except GraphDatabaseQueryException as exc:
@@ -1,18 +1,13 @@
-from tasks.jobs.attack_paths.config import PROVIDER_RESOURCE_LABEL, get_provider_label
-
-
-def get_cartography_schema_query(provider_id: str) -> str:
-    """Build the Cartography schema metadata query scoped to a provider label."""
-    provider_label = get_provider_label(provider_id)
-    return f"""
-        MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
-        WHERE n._module_name STARTS WITH 'cartography:'
-          AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
-          AND n._module_version IS NOT NULL
-        RETURN n._module_name AS module_name, n._module_version AS module_version
-        LIMIT 1
-    """
+from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROVIDER_RESOURCE_LABEL

+CARTOGRAPHY_SCHEMA_METADATA = f"""
+    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+    WHERE n._module_name STARTS WITH 'cartography:'
+      AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
+      AND n._module_version IS NOT NULL
+    RETURN n._module_name AS module_name, n._module_version AS module_version
+    LIMIT 1
+"""

 GITHUB_SCHEMA_URL = (
    "https://github.com/cartography-cncf/cartography/blob/"
@@ -1,26 +1,22 @@
 import logging
+import re

 from typing import Any, Iterable

 import neo4j
-
 from rest_framework.exceptions import APIException, PermissionDenied, ValidationError

 from api.attack_paths import database as graph_database, AttackPathsQueryDefinition
-from api.attack_paths.cypher_sanitizer import (
-    inject_provider_label,
-    validate_custom_query,
-)
 from api.attack_paths.queries.schema import (
+    CARTOGRAPHY_SCHEMA_METADATA,
    GITHUB_SCHEMA_URL,
    RAW_SCHEMA_URL,
-    get_cartography_schema_query,
 )
 from config.custom_logging import BackendLogger
 from tasks.jobs.attack_paths.config import (
    INTERNAL_LABELS,
    INTERNAL_PROPERTIES,
-    get_provider_label,
+    PROVIDER_ID_PROPERTY,
    is_dynamic_isolation_label,
 )

@@ -76,6 +72,7 @@ def prepare_parameters(

    clean_parameters = {
        "provider_uid": str(provider_uid),
+        "provider_id": str(provider_id),
    }

    for definition_parameter in definition.parameters:
@@ -126,6 +123,38 @@ def execute_query(

 # Custom query helpers

+# Patterns that indicate SSRF or dangerous procedure calls
+# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
+_BLOCKED_PATTERNS = [
+    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
+]
+
+# Strip string literals so patterns inside quotes don't cause false positives
+# Handles escaped quotes (\' and \") inside strings
+_STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
+
+
+def validate_custom_query(cypher: str) -> None:
+    """Reject queries containing known SSRF or dangerous procedure patterns.
+
+    Raises ValidationError if a blocked pattern is found.
+    String literals are stripped before matching to avoid false positives.
+    """
+    stripped = _STRING_LITERALS.sub("", cypher)
+    for pattern in _BLOCKED_PATTERNS:
+        if pattern.search(stripped):
+            raise ValidationError({"query": "Query contains a blocked operation"})
+

 def normalize_custom_query_payload(raw_data):
    if not isinstance(raw_data, dict):
@@ -144,15 +173,7 @@ def execute_custom_query(
    cypher: str,
    provider_id: str,
 ) -> dict[str, Any]:
-    # Defense-in-depth for custom queries:
-    # 1. neo4j.READ_ACCESS — prevents mutations at the driver level
-    # 2. inject_provider_label() — regex-based label injection scopes node patterns
-    # 3. _serialize_graph() — post-query filter drops nodes without the provider label
-    #
-    # Layer 2 is best-effort (regex can't fully parse Cypher);
-    # layer 3 is the safety net that guarantees provider isolation.
    validate_custom_query(cypher)
-    cypher = inject_provider_label(cypher, provider_id)

    try:
        graph = graph_database.execute_read_query(
@@ -187,7 +208,10 @@ def get_cartography_schema(
        with graph_database.get_session(
            database_name, default_access_mode=neo4j.READ_ACCESS
        ) as session:
-            result = session.run(get_cartography_schema_query(provider_id))
+            result = session.run(
+                CARTOGRAPHY_SCHEMA_METADATA,
+                {"provider_id": provider_id},
+            )
            record = result.single()
    except graph_database.GraphDatabaseQueryException as exc:
        logger.error(f"Cartography schema query failed: {exc}")
@@ -231,12 +255,10 @@ def _truncate_graph(graph: dict[str, Any]) -> dict[str, Any]:


 def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
-    provider_label = get_provider_label(provider_id)
-
    nodes = []
    kept_node_ids = set()
    for node in graph.nodes:
-        if provider_label not in node.labels:
+        if node._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
            continue

        kept_node_ids.add(node.element_id)
@@ -251,11 +273,14 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
    filtered_count = len(graph.nodes) - len(nodes)
    if filtered_count > 0:
        logger.debug(
-            f"Filtered {filtered_count} nodes without provider label {provider_label}"
+            f"Filtered {filtered_count} nodes without matching provider_id={provider_id}"
        )

    relationships = []
    for relationship in graph.relationships:
+        if relationship._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+            continue
+
        if (
            relationship.start_node.element_id not in kept_node_ids
            or relationship.end_node.element_id not in kept_node_ids
@@ -15,7 +15,6 @@ from django_filters.rest_framework import (
 from rest_framework_json_api.django_filters.backends import DjangoFilterBackend
 from rest_framework_json_api.serializers import ValidationError

-from api.constants import SEVERITY_ORDER
 from api.db_utils import (
    FindingDeltaEnumField,
    InvitationStateEnumField,
@@ -44,7 +43,6 @@ from api.models import (
    ProviderGroup,
    ProviderSecret,
    Resource,
-    ResourceFindingMapping,
    ResourceTag,
    Role,
    Scan,
@@ -198,13 +196,17 @@ class CommonFindingFilters(FilterSet):
        field_name="resource_services", lookup_expr="icontains"
    )

-    resource_uid = CharFilter(method="filter_resource_uid")
-    resource_uid__in = CharInFilter(method="filter_resource_uid_in")
-    resource_uid__icontains = CharFilter(method="filter_resource_uid_icontains")
+    resource_uid = CharFilter(field_name="resources__uid")
+    resource_uid__in = CharInFilter(field_name="resources__uid", lookup_expr="in")
+    resource_uid__icontains = CharFilter(
+        field_name="resources__uid", lookup_expr="icontains"
+    )

-    resource_name = CharFilter(method="filter_resource_name")
-    resource_name__in = CharInFilter(method="filter_resource_name_in")
-    resource_name__icontains = CharFilter(method="filter_resource_name_icontains")
+    resource_name = CharFilter(field_name="resources__name")
+    resource_name__in = CharInFilter(field_name="resources__name", lookup_expr="in")
+    resource_name__icontains = CharFilter(
+        field_name="resources__name", lookup_expr="icontains"
+    )

    resource_type = CharFilter(method="filter_resource_type")
    resource_type__in = CharInFilter(field_name="resource_types", lookup_expr="overlap")
@@ -262,52 +264,6 @@ class CommonFindingFilters(FilterSet):
            )
        return queryset.filter(overall_query).distinct()

-    def filter_check_title_icontains(self, queryset, name, value):
-        # Resolve from the summary table (has check_title column + trigram
-        # GIN index) instead of scanning JSON in the findings table.
-        matching_check_ids = (
-            FindingGroupDailySummary.objects.filter(
-                check_title__icontains=value,
-            )
-            .values_list("check_id", flat=True)
-            .distinct()
-        )
-        return queryset.filter(check_id__in=matching_check_ids)
-
-    # --- Resource subquery filters ---
-    # Resolve resource → RFM → finding_ids first, then filter findings
-    # by id__in.  This avoids a 3-way JOIN driven from the (huge)
-    # findings side and lets PostgreSQL start from the resources
-    # unique-constraint index instead.
-
-    @staticmethod
-    def _finding_ids_for_resources(**lookup):
-        return ResourceFindingMapping.objects.filter(
-            resource__in=Resource.objects.filter(**lookup).values("id")
-        ).values("finding_id")
-
-    def filter_resource_uid(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(uid=value))
-
-    def filter_resource_uid_in(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(uid__in=value))
-
-    def filter_resource_uid_icontains(self, queryset, name, value):
-        return queryset.filter(
-            id__in=self._finding_ids_for_resources(uid__icontains=value)
-        )
-
-    def filter_resource_name(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(name=value))
-
-    def filter_resource_name_in(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(name__in=value))
-
-    def filter_resource_name_icontains(self, queryset, name, value):
-        return queryset.filter(
-            id__in=self._finding_ids_for_resources(name__icontains=value)
-        )
-

 class TenantFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
@@ -847,15 +803,11 @@ class FindingGroupFilter(CommonFindingFilters):
    check_id = CharFilter(field_name="check_id", lookup_expr="exact")
    check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
    check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_icontains")
-    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
-    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")

    class Meta:
        model = Finding
        fields = {
            "check_id": ["exact", "in", "icontains"],
-            "scan": ["exact", "in"],
        }

    def filter_queryset(self, queryset):
@@ -943,31 +895,15 @@ class LatestFindingGroupFilter(CommonFindingFilters):
    check_id = CharFilter(field_name="check_id", lookup_expr="exact")
    check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
    check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_icontains")
-    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
-    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")

    class Meta:
        model = Finding
        fields = {
            "check_id": ["exact", "in", "icontains"],
-            "scan": ["exact", "in"],
        }


-class _CheckTitleToCheckIdMixin:
-    """Resolve check_title search to check_ids so all provider rows are kept."""
-
-    def filter_check_title_to_check_ids(self, queryset, name, value):
-        matching_check_ids = (
-            queryset.filter(check_title__icontains=value)
-            .values_list("check_id", flat=True)
-            .distinct()
-        )
-        return queryset.filter(check_id__in=matching_check_ids)
-
-
-class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
+class FindingGroupSummaryFilter(FilterSet):
    """
    Filter for FindingGroupDailySummary queries.

@@ -990,7 +926,9 @@ class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
    check_id = CharFilter(field_name="check_id", lookup_expr="exact")
    check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
    check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
+    check_title__icontains = CharFilter(
+        field_name="check_title", lookup_expr="icontains"
+    )

    # Provider filters
    provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1078,7 +1016,7 @@ class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
        return dt


-class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
+class LatestFindingGroupSummaryFilter(FilterSet):
    """
    Filter for FindingGroupDailySummary /latest endpoint.

@@ -1090,7 +1028,9 @@ class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
    check_id = CharFilter(field_name="check_id", lookup_expr="exact")
    check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
    check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
+    check_title__icontains = CharFilter(
+        field_name="check_title", lookup_expr="icontains"
+    )

    # Provider filters
    provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1108,98 +1048,6 @@ class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
        }


-class FindingGroupAggregatedComputedFilter(FilterSet):
-    """Filter aggregated finding-group rows by computed status/severity/muted."""
-
-    STATUS_CHOICES = (
-        ("FAIL", "Fail"),
-        ("PASS", "Pass"),
-        ("MUTED", "Muted"),
-    )
-
-    status = ChoiceFilter(method="filter_status", choices=STATUS_CHOICES)
-    status__in = CharInFilter(method="filter_status_in", lookup_expr="in")
-    severity = ChoiceFilter(method="filter_severity", choices=SeverityChoices)
-    severity__in = CharInFilter(method="filter_severity_in", lookup_expr="in")
-    include_muted = BooleanFilter(method="filter_include_muted")
-
-    def filter_status(self, queryset, name, value):
-        return queryset.filter(aggregated_status=value)
-
-    def filter_status_in(self, queryset, name, value):
-        values = value
-        if isinstance(value, str):
-            values = [part.strip() for part in value.split(",") if part.strip()]
-
-        allowed = {choice[0] for choice in self.STATUS_CHOICES}
-        invalid = [
-            status_value for status_value in values if status_value not in allowed
-        ]
-        if invalid:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"invalid status filter: {invalid[0]}",
-                        "status": "400",
-                        "source": {"pointer": "/data"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-
-        if not values:
-            return queryset
-
-        return queryset.filter(aggregated_status__in=values)
-
-    def filter_severity(self, queryset, name, value):
-        severity_order = SEVERITY_ORDER.get(value)
-        if severity_order is None:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"invalid severity filter: {value}",
-                        "status": "400",
-                        "source": {"pointer": "/data"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-        return queryset.filter(severity_order=severity_order)
-
-    def filter_severity_in(self, queryset, name, value):
-        values = value
-        if isinstance(value, str):
-            values = [part.strip() for part in value.split(",") if part.strip()]
-
-        orders = []
-        for severity_value in values:
-            severity_order = SEVERITY_ORDER.get(severity_value)
-            if severity_order is None:
-                raise ValidationError(
-                    [
-                        {
-                            "detail": f"invalid severity filter: {severity_value}",
-                            "status": "400",
-                            "source": {"pointer": "/data"},
-                            "code": "invalid",
-                        }
-                    ]
-                )
-            orders.append(severity_order)
-
-        if not orders:
-            return queryset
-
-        return queryset.filter(severity_order__in=orders)
-
-    def filter_include_muted(self, queryset, name, value):
-        if value is True:
-            return queryset
-        # include_muted=false: exclude fully-muted groups
-        return queryset.exclude(fail_count=0, pass_count=0, muted_count__gt=0)
-
-
 class ProviderSecretFilter(FilterSet):
    inserted_at = DateFilter(
        field_name="inserted_at",
@@ -1,49 +0,0 @@
-from django.db import migrations
-
-
-TASK_NAME = "attack-paths-cleanup-stale-scans"
-INTERVAL_HOURS = 1
-
-
-def create_periodic_task(apps, schema_editor):
-    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-
-    schedule, _ = IntervalSchedule.objects.get_or_create(
-        every=INTERVAL_HOURS,
-        period="hours",
-    )
-
-    PeriodicTask.objects.update_or_create(
-        name=TASK_NAME,
-        defaults={
-            "task": TASK_NAME,
-            "interval": schedule,
-            "enabled": True,
-        },
-    )
-
-
-def delete_periodic_task(apps, schema_editor):
-    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-
-    PeriodicTask.objects.filter(name=TASK_NAME).delete()
-
-    # Clean up the schedule if no other task references it
-    IntervalSchedule.objects.filter(
-        every=INTERVAL_HOURS,
-        period="hours",
-        periodictask__isnull=True,
-    ).delete()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0085_finding_group_daily_summary_trgm_indexes"),
-        ("django_celery_beat", "0019_alter_periodictasks_options"),
-    ]
-
-    operations = [
-        migrations.RunPython(create_periodic_task, delete_periodic_task),
-    ]
@@ -30,10 +30,7 @@ class HasPermissions(BasePermission):
            return True

        user_roles = (
-            User.objects.using(MainRouter.admin_db)
-            .get(id=request.user.id)
-            .roles.using(MainRouter.admin_db)
-            .all()
+            User.objects.using(MainRouter.admin_db).get(id=request.user.id).roles.all()
        )
        if not user_roles:
            return False
@@ -61,7 +61,7 @@ def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
    in that tenant should be revoked to prevent further access.
    """
    TenantAPIKey.objects.filter(
-        entity_id=instance.user_id, tenant_id=instance.tenant_id
+        entity=instance.user, tenant_id=instance.tenant.id
    ).update(revoked=True)


@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.24.0
+  version: 1.23.0
  description: |-
    Prowler API specification.

@@ -11,7 +11,7 @@ from api.attack_paths import database as graph_database
 from api.attack_paths import views_helpers
 from tasks.jobs.attack_paths.config import (
    PROVIDER_ELEMENT_ID_PROPERTY,
-    get_provider_label,
+    PROVIDER_ID_PROPERTY,
 )


@@ -53,7 +53,7 @@ def test_prepare_parameters_includes_provider_and_casts(
    )

    assert result["provider_uid"] == "123456789012"
-    assert "provider_id" not in result
+    assert result["provider_id"] == "test-provider-id"
    assert result["limit"] == 5


@@ -107,12 +107,12 @@ def test_execute_query_serializes_graph(
    parameters = {"provider_uid": "123"}

    provider_id = "test-provider-123"
-    plabel = get_provider_label(provider_id)
    node = attack_paths_graph_stub_classes.Node(
        element_id="node-1",
-        labels=["AWSAccount", plabel],
+        labels=["AWSAccount"],
        properties={
            "name": "account",
+            PROVIDER_ID_PROPERTY: provider_id,
            "complex": {
                "items": [
                    attack_paths_graph_stub_classes.NativeValue("value"),
@@ -121,13 +121,15 @@ def test_execute_query_serializes_graph(
            },
        },
    )
-    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
+    node_2 = attack_paths_graph_stub_classes.Node(
+        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+    )
    relationship = attack_paths_graph_stub_classes.Relationship(
        element_id="rel-1",
        rel_type="OWNS",
        start_node=node,
        end_node=node_2,
-        properties={"weight": 1},
+        properties={"weight": 1, PROVIDER_ID_PROPERTY: provider_id},
    )
    graph = SimpleNamespace(nodes=[node, node_2], relationships=[relationship])

@@ -211,27 +213,29 @@ def test_execute_query_raises_permission_denied_on_read_only(
            )


-def test_serialize_graph_filters_by_provider_label(attack_paths_graph_stub_classes):
+def test_serialize_graph_filters_by_provider_id(attack_paths_graph_stub_classes):
    provider_id = "provider-keep"
-    plabel = get_provider_label(provider_id)
-    other_label = get_provider_label("provider-other")

-    node_keep = attack_paths_graph_stub_classes.Node("n1", ["AWSAccount", plabel], {})
+    node_keep = attack_paths_graph_stub_classes.Node(
+        "n1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+    )
    node_drop = attack_paths_graph_stub_classes.Node(
-        "n2", ["AWSAccount", other_label], {}
+        "n2", ["AWSAccount"], {PROVIDER_ID_PROPERTY: "provider-other"}
    )

    rel_keep = attack_paths_graph_stub_classes.Relationship(
-        "r1", "OWNS", node_keep, node_keep, {}
+        "r1", "OWNS", node_keep, node_keep, {PROVIDER_ID_PROPERTY: provider_id}
+    )
+    rel_drop_by_provider = attack_paths_graph_stub_classes.Relationship(
+        "r2", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: "provider-other"}
    )
-    # Relationship connecting a kept node to a dropped node — filtered by endpoint check
    rel_drop_orphaned = attack_paths_graph_stub_classes.Relationship(
-        "r2", "OWNS", node_keep, node_drop, {}
+        "r3", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: provider_id}
    )

    graph = SimpleNamespace(
        nodes=[node_keep, node_drop],
-        relationships=[rel_keep, rel_drop_orphaned],
+        relationships=[rel_keep, rel_drop_by_provider, rel_drop_orphaned],
    )

    result = views_helpers._serialize_graph(graph, provider_id)
@@ -350,6 +354,7 @@ def test_serialize_properties_filters_internal_fields():
        "_module_name": "cartography:aws",
        "_module_version": "0.98.0",
        # Provider isolation
+        PROVIDER_ID_PROPERTY: "42",
        PROVIDER_ELEMENT_ID_PROPERTY: "42:abc123",
    }

@@ -444,11 +449,14 @@ def test_execute_custom_query_serializes_graph(
    attack_paths_graph_stub_classes,
 ):
    provider_id = "test-provider-123"
-    plabel = get_provider_label(provider_id)
-    node_1 = attack_paths_graph_stub_classes.Node("node-1", ["AWSAccount", plabel], {})
-    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
+    node_1 = attack_paths_graph_stub_classes.Node(
+        "node-1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+    )
+    node_2 = attack_paths_graph_stub_classes.Node(
+        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+    )
    relationship = attack_paths_graph_stub_classes.Relationship(
-        "rel-1", "OWNS", node_1, node_2, {}
+        "rel-1", "OWNS", node_1, node_2, {PROVIDER_ID_PROPERTY: provider_id}
    )

    graph_result = MagicMock()
@@ -463,11 +471,10 @@ def test_execute_custom_query_serializes_graph(
            "db-tenant-test", "MATCH (n) RETURN n", provider_id
        )

-    mock_execute.assert_called_once()
-    call_kwargs = mock_execute.call_args[1]
-    assert call_kwargs["database"] == "db-tenant-test"
-    # The cypher is rewritten with the provider label injection
-    assert plabel in call_kwargs["cypher"]
+    mock_execute.assert_called_once_with(
+        database="db-tenant-test",
+        cypher="MATCH (n) RETURN n",
+    )
    assert len(result["nodes"]) == 2
    assert result["relationships"][0]["label"] == "OWNS"
    assert result["truncated"] is False
@@ -504,6 +511,72 @@ def test_execute_custom_query_wraps_graph_errors():
    mock_logger.error.assert_called_once()


+# -- validate_custom_query ------------------------------------------------
+
+
+@pytest.mark.parametrize(
+    "cypher",
+    [
+        "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
+        "load csv from 'http://evil.com' as row return row",
+        "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
+        "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
+        "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
+        "CALL apoc.export.csv.all('file.csv', {})",
+        "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
+        "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
+        "CALL apoc.config.list() YIELD key, value RETURN key, value",
+        "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
+        "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
+        "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
+        "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
+    ],
+    ids=[
+        "LOAD_CSV",
+        "LOAD_CSV_lowercase",
+        "apoc.load.json",
+        "apoc.load.csvParams",
+        "apoc.import.csv",
+        "apoc.export.csv",
+        "apoc.cypher.run",
+        "apoc.systemdb.graph",
+        "apoc.config.list",
+        "apoc.periodic.iterate",
+        "apoc.do.when",
+        "apoc.trigger.add",
+        "apoc.custom.asProcedure",
+    ],
+)
+def test_validate_custom_query_rejects_blocked_patterns(cypher):
+    with pytest.raises(ValidationError) as exc:
+        views_helpers.validate_custom_query(cypher)
+
+    assert "blocked operation" in str(exc.value.detail)
+
+
+@pytest.mark.parametrize(
+    "cypher",
+    [
+        "MATCH (n:AWSAccount) RETURN n LIMIT 10",
+        "MATCH (a)-[r]->(b) RETURN a, r, b",
+        "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
+        "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
+        "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
+        'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
+    ],
+    ids=[
+        "simple_match",
+        "traversal",
+        "contains_load_substring",
+        "apoc_virtual_node",
+        "apoc_load_inside_single_quotes",
+        "load_csv_inside_double_quotes",
+    ],
+)
+def test_validate_custom_query_allows_clean_queries(cypher):
+    views_helpers.validate_custom_query(cypher)
+
+
 # -- _truncate_graph ----------------------------------------------------------


@@ -1,43 +0,0 @@
-import pytest
-from config.settings.celery import _build_celery_broker_url
-
-
-class TestBuildCeleryBrokerUrl:
-    def test_without_credentials(self):
-        broker_url = _build_celery_broker_url("redis", "", "", "valkey", "6379", "0")
-
-        assert broker_url == "redis://valkey:6379/0"
-
-    def test_with_password_only(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "", "secret", "cache.example.com", "6379", "0"
-        )
-
-        assert broker_url == "rediss://:secret@cache.example.com:6379/0"
-
-    def test_with_username_and_password(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "default", "secret", "cache.example.com", "6379", "0"
-        )
-
-        assert broker_url == "rediss://default:secret@cache.example.com:6379/0"
-
-    def test_with_username_only(self):
-        broker_url = _build_celery_broker_url(
-            "redis", "admin", "", "valkey", "6379", "0"
-        )
-
-        assert broker_url == "redis://admin@valkey:6379/0"
-
-    def test_url_encodes_credentials(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "user@name", "p@ss:word", "cache.example.com", "6379", "0"
-        )
-
-        assert (
-            broker_url == "rediss://user%40name:p%40ss%3Aword@cache.example.com:6379/0"
-        )
-
-    def test_invalid_scheme_raises_error(self):
-        with pytest.raises(ValueError, match="Invalid VALKEY_SCHEME 'http'"):
-            _build_celery_broker_url("http", "", "", "valkey", "6379", "0")
@@ -1,429 +0,0 @@
-"""Unit tests for the Cypher sanitizer (validation + provider-label injection)."""
-
-from unittest.mock import patch
-
-import pytest
-
-from rest_framework.exceptions import ValidationError
-
-from api.attack_paths.cypher_sanitizer import (
-    inject_provider_label,
-    validate_custom_query,
-)
-
-PROVIDER_ID = "019c41ee-7df3-7dec-a684-d839f95619f8"
-LABEL = "_Provider_019c41ee7df37deca684d839f95619f8"
-
-
-def _inject(cypher: str) -> str:
-    """Shortcut that patches `get_provider_label` to avoid config imports."""
-    with patch(
-        "api.attack_paths.cypher_sanitizer.get_provider_label", return_value=LABEL
-    ):
-        return inject_provider_label(cypher, PROVIDER_ID)
-
-
-# ---------------------------------------------------------------------------
-# Pass A - Labeled node patterns (all clauses)
-# ---------------------------------------------------------------------------
-
-
-class TestLabeledNodes:
-    def test_single_label(self):
-        result = _inject("MATCH (n:AWSRole) RETURN n")
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_label_with_properties(self):
-        result = _inject("MATCH (n:AWSRole {name: 'admin'}) RETURN n")
-        assert f"(n:AWSRole:{LABEL} {{name: 'admin'}})" in result
-
-    def test_multiple_labels(self):
-        result = _inject("MATCH (n:AWSRole:AWSPrincipal) RETURN n")
-        assert f"(n:AWSRole:AWSPrincipal:{LABEL})" in result
-
-    def test_anonymous_labeled(self):
-        result = _inject(
-            "MATCH (:AWSPrincipal {arn: 'ecs-tasks.amazonaws.com'}) RETURN 1"
-        )
-        assert f"(:AWSPrincipal:{LABEL} {{arn: 'ecs-tasks.amazonaws.com'}})" in result
-
-    def test_backtick_label(self):
-        result = _inject("MATCH (n:`My Label`) RETURN n")
-        assert f"(n:`My Label`:{LABEL})" in result
-
-    def test_labeled_in_where_clause(self):
-        """Labeled nodes in WHERE (pattern existence) still get the label."""
-        result = _inject(
-            "MATCH (n:AWSRole) WHERE EXISTS((n)-[:REL]->(:Target)) RETURN n"
-        )
-        assert f"(n:AWSRole:{LABEL})" in result
-        assert f"(:Target:{LABEL})" in result
-
-    def test_labeled_in_return_clause(self):
-        """Labeled nodes in RETURN still get the label (they're always node patterns)."""
-        result = _inject("MATCH (n:AWSRole) RETURN (n:AWSRole)")
-        assert result.count(f":AWSRole:{LABEL}") == 2
-
-    def test_labeled_in_optional_match(self):
-        result = _inject(
-            "OPTIONAL MATCH (pf:ProwlerFinding {status: 'FAIL'}) RETURN pf"
-        )
-        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
-
-
-# ---------------------------------------------------------------------------
-# Pass B - Bare node patterns (MATCH/OPTIONAL MATCH only)
-# ---------------------------------------------------------------------------
-
-
-class TestBareNodes:
-    def test_bare_in_match(self):
-        result = _inject("MATCH (a)-[:HAS_POLICY]->(b) RETURN a, b")
-        assert f"(a:{LABEL})" in result
-        assert f"(b:{LABEL})" in result
-
-    def test_bare_with_properties_in_match(self):
-        result = _inject("MATCH (n {name: 'x'}) RETURN n")
-        assert f"(n:{LABEL} {{name: 'x'}})" in result
-
-    def test_bare_in_optional_match(self):
-        result = _inject("OPTIONAL MATCH (n)-[r]-(m) RETURN n")
-        assert f"(n:{LABEL})" in result
-        assert f"(m:{LABEL})" in result
-
-    def test_bare_not_injected_in_return(self):
-        """Bare (identifier) in RETURN could be expression grouping."""
-        cypher = "MATCH (n:AWSRole) RETURN (n)"
-        result = _inject(cypher)
-        # The labeled (n:AWSRole) gets the label, but the bare (n) in RETURN should not
-        assert f"(n:AWSRole:{LABEL})" in result
-        # Count how many times the label appears - should be 1 (from MATCH only)
-        assert result.count(LABEL) == 1
-
-    def test_bare_not_injected_in_where(self):
-        cypher = "MATCH (n:AWSRole) WHERE (n.x > 1) RETURN n"
-        result = _inject(cypher)
-        # (n.x > 1) is an expression group, not a node pattern - should be untouched
-        assert "(n.x > 1)" in result
-
-    def test_bare_not_injected_in_with(self):
-        cypher = "MATCH (n:AWSRole) WITH (n) RETURN n"
-        result = _inject(cypher)
-        assert result.count(LABEL) == 1
-
-    def test_bare_not_injected_in_unwind(self):
-        cypher = "UNWIND nodes(path) as n OPTIONAL MATCH (n)-[r]-(m) RETURN n"
-        result = _inject(cypher)
-        # (n) and (m) in OPTIONAL MATCH get injected, but nodes(path) in UNWIND does not
-        assert f"(n:{LABEL})" in result
-        assert f"(m:{LABEL})" in result
-
-
-# ---------------------------------------------------------------------------
-# Function call exclusion
-# ---------------------------------------------------------------------------
-
-
-class TestFunctionCallExclusion:
-    @pytest.mark.parametrize(
-        "func_call",
-        [
-            "collect(DISTINCT pf)",
-            "any(x IN stmt.action WHERE toLower(x) = 'iam:*')",
-            "toLower(action)",
-            "nodes(path)",
-            "count(n)",
-            "apoc.create.vNode(labels)",
-            "EXISTS(n.prop)",
-            "size(n.list)",
-        ],
-    )
-    def test_function_calls_not_injected(self, func_call):
-        cypher = f"MATCH (n:AWSRole) WHERE {func_call} RETURN n"
-        result = _inject(cypher)
-        # The function call should remain unchanged
-        assert func_call in result
-        # Only the MATCH labeled node should get the label
-        assert result.count(LABEL) == 1
-
-
-# ---------------------------------------------------------------------------
-# String and comment protection
-# ---------------------------------------------------------------------------
-
-
-class TestProtection:
-    def test_string_with_fake_node_pattern(self):
-        cypher = "MATCH (n:AWSRole) WHERE n.name = '(fake:Label)' RETURN n"
-        result = _inject(cypher)
-        assert "'(fake:Label)'" in result
-        assert result.count(LABEL) == 1
-
-    def test_double_quoted_string(self):
-        cypher = 'MATCH (n:AWSRole) WHERE n.name = "(fake:Label)" RETURN n'
-        result = _inject(cypher)
-        assert '"(fake:Label)"' in result
-        assert result.count(LABEL) == 1
-
-    def test_line_comment_with_node_pattern(self):
-        cypher = "// (n:Fake)\nMATCH (n:AWSRole) RETURN n"
-        result = _inject(cypher)
-        assert "// (n:Fake)" in result
-        assert result.count(LABEL) == 1
-
-    def test_string_containing_double_slash(self):
-        """Strings with // inside should be consumed as strings, not comments."""
-        cypher = "MATCH (n:AWSRole {url: 'https://example.com'}) RETURN n"
-        result = _inject(cypher)
-        assert "'https://example.com'" in result
-        assert f"(n:AWSRole:{LABEL}" in result
-
-    def test_escaped_quotes_in_string(self):
-        cypher = r"MATCH (n:AWSRole) WHERE n.name = 'it\'s a test' RETURN n"
-        result = _inject(cypher)
-        assert result.count(LABEL) == 1
-
-
-# ---------------------------------------------------------------------------
-# Clause splitting
-# ---------------------------------------------------------------------------
-
-
-class TestClauseSplitting:
-    def test_case_insensitive_keywords(self):
-        cypher = "match (n:AWSRole) where n.x = 1 return n"
-        result = _inject(cypher)
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_optional_match_with_extra_whitespace(self):
-        cypher = "OPTIONAL   MATCH (n:AWSRole) RETURN n"
-        result = _inject(cypher)
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_multiple_match_clauses(self):
-        cypher = (
-            "MATCH (a:AWSAccount)--(b:AWSRole) "
-            "MATCH (b)--(c:AWSPolicy) "
-            "RETURN a, b, c"
-        )
-        result = _inject(cypher)
-        assert f"(a:AWSAccount:{LABEL})" in result
-        assert f"(b:AWSRole:{LABEL})" in result
-        assert f"(c:AWSPolicy:{LABEL})" in result
-        # (b) in second MATCH is bare and gets injected
-        assert result.count(LABEL) == 4  # a, b (labeled), b (bare in 2nd MATCH), c
-
-
-# ---------------------------------------------------------------------------
-# Real-world query patterns from aws.py
-# ---------------------------------------------------------------------------
-
-
-class TestRealWorldQueries:
-    def test_basic_resource_query(self):
-        cypher = (
-            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(rds:RDSInstance)\n"
-            "UNWIND nodes(path) as n\n"
-            "OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding {status: 'FAIL'})\n"
-            "RETURN path, collect(DISTINCT pf) as dpf"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL} {{id: $provider_uid}})" in result
-        assert f"(rds:RDSInstance:{LABEL})" in result
-        assert f"(n:{LABEL})" in result
-        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
-        assert "nodes(path)" in result  # function call untouched
-        assert "collect(DISTINCT pf)" in result  # function call untouched
-
-    def test_privilege_escalation_query(self):
-        cypher = (
-            "MATCH path_principal = (aws:AWSAccount {id: $uid})"
-            "--(principal:AWSPrincipal)--(pol:AWSPolicy)\n"
-            "WHERE pol.effect = 'Allow'\n"
-            "MATCH (principal)--(cfn_policy:AWSPolicy)"
-            "--(stmt_cfn:AWSPolicyStatement)\n"
-            "WHERE any(action IN stmt_cfn.action WHERE toLower(action) = 'iam:passrole')\n"
-            "MATCH path_target = (aws)--(target_role:AWSRole)"
-            "-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {arn: 'cloudformation.amazonaws.com'})\n"
-            "RETURN path_principal, path_target"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL} {{id: $uid}})" in result
-        assert f"(principal:AWSPrincipal:{LABEL})" in result
-        assert f"(pol:AWSPolicy:{LABEL})" in result
-        assert f"(principal:{LABEL})" in result  # bare in 2nd MATCH
-        assert f"(cfn_policy:AWSPolicy:{LABEL})" in result
-        assert f"(stmt_cfn:AWSPolicyStatement:{LABEL})" in result
-        assert f"(aws:{LABEL})" in result  # bare in 3rd MATCH
-        assert f"(target_role:AWSRole:{LABEL})" in result
-        assert (
-            f"(:AWSPrincipal:{LABEL} {{arn: 'cloudformation.amazonaws.com'}})" in result
-        )
-        # Function calls in WHERE untouched
-        assert "any(action IN" in result
-        assert "toLower(action)" in result
-
-    def test_custom_bare_query(self):
-        cypher = (
-            "MATCH (a)-[:HAS_POLICY]->(b)\n"
-            "WHERE a.name CONTAINS 'admin'\n"
-            "RETURN a, b"
-        )
-        result = _inject(cypher)
-        assert f"(a:{LABEL})" in result
-        assert f"(b:{LABEL})" in result
-        assert result.count(LABEL) == 2
-
-    def test_internet_via_path_connectivity(self):
-        """Post-refactor pattern: Internet reached via CAN_ACCESS, not standalone."""
-        cypher = (
-            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(ec2:EC2Instance)\n"
-            "WHERE ec2.exposed_internet = true\n"
-            "OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)\n"
-            "RETURN path, internet, can_access"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL}" in result
-        assert f"(ec2:EC2Instance:{LABEL})" in result
-        assert f"(internet:Internet:{LABEL})" in result
-        # ec2 in OPTIONAL MATCH is bare, but already labeled via Pass A won't match it
-        # because it has no label. It IS bare, so Pass B injects.
-        assert f"(ec2:{LABEL})" in result
-
-
-# ---------------------------------------------------------------------------
-# Edge cases
-# ---------------------------------------------------------------------------
-
-
-class TestEdgeCases:
-    def test_empty_query(self):
-        assert _inject("") == ""
-
-    def test_no_node_patterns(self):
-        cypher = "RETURN 1 + 2"
-        assert _inject(cypher) == cypher
-
-    def test_anonymous_empty_parens_not_injected(self):
-        """Empty () in MATCH is extremely rare but should not be injected."""
-        cypher = "MATCH ()--(m:AWSRole) RETURN m"
-        result = _inject(cypher)
-        assert "()" in result  # empty parens untouched
-        assert f"(m:AWSRole:{LABEL})" in result
-
-    def test_fully_anonymous_query_bypasses_injection(self):
-        """All-anonymous patterns bypass injection entirely.
-
-        MATCH ()--()--() has no labels and no variables, so neither Pass A
-        (labeled) nor Pass B (bare identifier) can inject the provider label.
-        This is safe because _serialize_graph() (Layer 3) filters every
-        returned node by provider label, dropping cross-provider data before
-        it reaches the user.
-        """
-        cypher = "MATCH ()--()--() RETURN *"
-        result = _inject(cypher)
-        assert result == cypher  # completely unmodified
-        assert LABEL not in result
-
-    def test_relationship_patterns_untouched(self):
-        cypher = "MATCH (a:X)-[r:REL_TYPE {x: 1}]->(b:Y) RETURN a"
-        result = _inject(cypher)
-        assert "[r:REL_TYPE {x: 1}]" in result  # relationship untouched
-        assert f"(a:X:{LABEL})" in result
-        assert f"(b:Y:{LABEL})" in result
-
-    def test_call_subquery(self):
-        cypher = (
-            "CALL {\n"
-            "  MATCH (inner:AWSRole) RETURN inner\n"
-            "}\n"
-            "MATCH (outer:AWSAccount) RETURN outer, inner"
-        )
-        result = _inject(cypher)
-        assert f"(inner:AWSRole:{LABEL})" in result
-        assert f"(outer:AWSAccount:{LABEL})" in result
-
-    def test_multiple_protected_regions(self):
-        cypher = (
-            "MATCH (n:X {a: 'hello'}) " 'WHERE n.b = "world" ' "// comment\n" "RETURN n"
-        )
-        result = _inject(cypher)
-        assert "'hello'" in result
-        assert '"world"' in result
-        assert "// comment" in result
-        assert f"(n:X:{LABEL}" in result
-
-    def test_idempotent_on_already_injected(self):
-        """Running injection twice should add the label twice (not ideal, but predictable)."""
-        first = _inject("MATCH (n:AWSRole) RETURN n")
-        second = _inject(first)
-        # The label appears twice (stacked)
-        assert second.count(LABEL) == 2
-
-
-# ---------------------------------------------------------------------------
-# Validation
-# ---------------------------------------------------------------------------
-
-
-class TestValidation:
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-            "load csv from 'http://evil.com' as row return row",
-            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-            "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-            "CALL apoc.export.csv.all('file.csv', {})",
-            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-            "CALL apoc.config.list() YIELD key, value RETURN key, value",
-            "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-            "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-            "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-            "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-        ],
-        ids=[
-            "LOAD_CSV",
-            "LOAD_CSV_lowercase",
-            "apoc.load.json",
-            "apoc.load.csvParams",
-            "apoc.import.csv",
-            "apoc.export.csv",
-            "apoc.cypher.run",
-            "apoc.systemdb.graph",
-            "apoc.config.list",
-            "apoc.periodic.iterate",
-            "apoc.do.when",
-            "apoc.trigger.add",
-            "apoc.custom.asProcedure",
-        ],
-    )
-    def test_rejects_blocked_patterns(self, cypher):
-        with pytest.raises(ValidationError) as exc:
-            validate_custom_query(cypher)
-
-        assert "blocked operation" in str(exc.value.detail)
-
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-            "MATCH (a)-[r]->(b) RETURN a, r, b",
-            "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-            "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-            "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-            'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-        ],
-        ids=[
-            "simple_match",
-            "traversal",
-            "contains_load_substring",
-            "apoc_virtual_node",
-            "apoc_load_inside_single_quotes",
-            "load_csv_inside_double_quotes",
-        ],
-    )
-    def test_allows_clean_queries(self, cypher):
-        validate_custom_query(cypher)
@@ -4,25 +4,14 @@ from unittest.mock import MagicMock
 from config.settings.sentry import before_send


-def _make_log_record(msg, level=logging.ERROR, name="test", args=None):
-    """Build a real LogRecord so getMessage() works like in production."""
-    record = logging.LogRecord(
-        name=name,
-        level=level,
-        pathname="",
-        lineno=0,
-        msg=msg,
-        args=args,
-        exc_info=None,
-    )
-    return record
-
-
 def test_before_send_ignores_log_with_ignored_exception():
    """Test that before_send ignores logs containing ignored exceptions."""
-    log_record = _make_log_record("Provider kubernetes is not connected")
+    log_record = MagicMock()
+    log_record.msg = "Provider kubernetes is not connected"
+    log_record.levelno = logging.ERROR  # 40

    hint = {"log_record": log_record}
+
    event = MagicMock()

    result = before_send(event, hint)
@@ -47,9 +36,12 @@ def test_before_send_ignores_exception_with_ignored_exception():

 def test_before_send_passes_through_non_ignored_log():
    """Test that before_send passes through logs that don't contain ignored exceptions."""
-    log_record = _make_log_record("Some other error message")
+    log_record = MagicMock()
+    log_record.msg = "Some other error message"
+    log_record.levelno = logging.ERROR  # 40

    hint = {"log_record": log_record}
+
    event = MagicMock()

    result = before_send(event, hint)
@@ -74,53 +66,15 @@ def test_before_send_passes_through_non_ignored_exception():

 def test_before_send_handles_warning_level():
    """Test that before_send handles warning level logs."""
-    log_record = _make_log_record(
-        "Provider kubernetes is not connected", level=logging.WARNING
-    )
+    log_record = MagicMock()
+    log_record.msg = "Provider kubernetes is not connected"
+    log_record.levelno = logging.WARNING  # 30

    hint = {"log_record": log_record}
+
    event = MagicMock()

    result = before_send(event, hint)

    # Assert that the event was dropped (None returned)
    assert result is None
-
-
-def test_before_send_ignores_neo4j_defunct_connection():
-    """Test that before_send drops neo4j.io defunct connection logs.
-
-    The Neo4j driver logs transient connection errors at ERROR level
-    before RetryableSession retries them. These are noise.
-
-    The driver uses %s formatting, so "defunct" is in the args, not
-    in the template. This test mirrors the real LogRecord structure.
-    """
-    log_record = _make_log_record(
-        msg="[#%04X]  _: <CONNECTION> error: %s: %r",
-        name="neo4j.io",
-        args=(
-            0xE5CC,
-            "Failed to read from defunct connection "
-            "IPv4Address(('cloud-neo4j.prowler.com', 7687))",
-            ConnectionResetError(104, "Connection reset by peer"),
-        ),
-    )
-
-    hint = {"log_record": log_record}
-    event = MagicMock()
-
-    assert before_send(event, hint) is None
-
-
-def test_before_send_passes_non_defunct_neo4j_log():
-    """Test that before_send passes through neo4j.io logs that are not about defunct connections."""
-    log_record = _make_log_record(
-        msg="Some other neo4j transport error",
-        name="neo4j.io",
-    )
-
-    hint = {"log_record": log_record}
-    event = MagicMock()
-
-    assert before_send(event, hint) == event
@@ -45,6 +45,7 @@ from api.models import (
    ComplianceRequirementOverview,
    DailySeveritySummary,
    Finding,
+    FindingGroupDailySummary,
    Integration,
    Invitation,
    LighthouseProviderConfiguration,
@@ -807,63 +808,6 @@ class TestTenantViewSet:
        )
        assert response.status_code == status.HTTP_404_NOT_FOUND

-    def test_tenants_list_no_permissions(
-        self, authenticated_client_no_permissions_rbac, tenants_fixture
-    ):
-        response = authenticated_client_no_permissions_rbac.get(reverse("tenant-list"))
-        assert response.status_code == status.HTTP_200_OK
-
-    def test_tenants_retrieve_no_permissions(
-        self, authenticated_client_no_permissions_rbac, tenants_fixture
-    ):
-        tenant1, *_ = tenants_fixture
-        response = authenticated_client_no_permissions_rbac.get(
-            reverse("tenant-detail", kwargs={"pk": tenant1.id})
-        )
-        assert response.status_code == status.HTTP_200_OK
-
-    def test_tenants_create_no_permissions(
-        self, authenticated_client_no_permissions_rbac, valid_tenant_payload
-    ):
-        response = authenticated_client_no_permissions_rbac.post(
-            reverse("tenant-list"),
-            data=valid_tenant_payload,
-            format="json",
-        )
-        assert response.status_code == status.HTTP_201_CREATED
-
-    def test_tenants_partial_update_no_permissions(
-        self, authenticated_client_no_permissions_rbac, tenants_fixture
-    ):
-        tenant1, *_ = tenants_fixture
-        payload = {
-            "data": {
-                "type": "tenants",
-                "id": str(tenant1.id),
-                "attributes": {"name": "Unauthorized update"},
-            },
-        }
-        response = authenticated_client_no_permissions_rbac.patch(
-            reverse("tenant-detail", kwargs={"pk": tenant1.id}),
-            data=payload,
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-
-    @patch("api.v1.views.delete_tenant_task.apply_async")
-    def test_tenants_delete_no_permissions(
-        self,
-        delete_tenant_mock,
-        authenticated_client_no_permissions_rbac,
-        tenants_fixture,
-    ):
-        tenant1, *_ = tenants_fixture
-        response = authenticated_client_no_permissions_rbac.delete(
-            reverse("tenant-detail", kwargs={"pk": tenant1.id})
-        )
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-        delete_tenant_mock.assert_not_called()
-

@pytest.mark.django_db
 class TestMembershipViewSet:
@@ -14747,14 +14691,14 @@ class TestMuteRuleViewSet:
        assert data[0]["id"] == str(mute_rules_fixture[first_index].id)

    @patch("api.v1.views.chain")
-    @patch("api.v1.views.reaggregate_all_finding_group_summaries_task.si")
+    @patch("api.v1.views.aggregate_finding_group_summaries_task.si")
    @patch("api.v1.views.mute_historical_findings_task.si")
    @patch("api.v1.views.transaction.on_commit", side_effect=lambda fn: fn())
    def test_mute_rules_create_valid(
        self,
        _mock_on_commit,
        mock_mute_signature,
-        mock_reaggregate_signature,
+        mock_aggregate_signature,
        mock_chain,
        authenticated_client,
        findings_fixture,
@@ -14793,12 +14737,12 @@ class TestMuteRuleViewSet:
        assert finding.muted_at is not None
        assert finding.muted_reason == "Security exception approved"

-        # Verify background task chain was called: mute → reaggregate all
+        # Verify background task chain was called
        mock_mute_signature.assert_called_once()
-        mock_reaggregate_signature.assert_called_once()
+        mock_aggregate_signature.assert_called_once()
        mock_chain.assert_called_once_with(
            mock_mute_signature.return_value,
-            mock_reaggregate_signature.return_value,
+            mock_aggregate_signature.return_value,
        )
        mock_chain.return_value.apply_async.assert_called_once()

@@ -15273,29 +15217,6 @@ class TestFindingGroupViewSet:
        # ec2_instance_public_ip has 1 PASS and 1 FAIL, should aggregate to FAIL
        assert data[0]["attributes"]["status"] == "FAIL"

-    def test_finding_groups_region_filter_reaggregates_metrics(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test finding-level filters recompute group metrics from matching findings."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {
-                "filter[inserted_at]": TODAY,
-                "filter[check_id]": "ec2_instance_public_ip",
-                "filter[region]": "us-east-1",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-
-        attrs = data[0]["attributes"]
-        assert attrs["status"] == "PASS"
-        assert attrs["pass_count"] == 1
-        assert attrs["fail_count"] == 0
-        assert attrs["resources_total"] == 1
-        assert attrs["resources_fail"] == 0
-
    def test_finding_groups_status_pass_when_no_fail(
        self, authenticated_client, finding_groups_fixture
    ):
@@ -15324,182 +15245,6 @@ class TestFindingGroupViewSet:
        # rds_encryption has all muted findings
        assert data[0]["attributes"]["status"] == "MUTED"

-    def test_finding_groups_status_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test finding groups can be filtered by aggregated status."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, "filter[status]": "FAIL"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["status"] == "FAIL" for item in data)
-
-    def test_finding_groups_status_in_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test finding groups support status__in filter on aggregated status."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, "filter[status__in]": "FAIL,PASS"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["status"] in {"FAIL", "PASS"} for item in data)
-
-    def test_finding_groups_severity_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test finding groups can be filtered by aggregated severity."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, "filter[severity]": "critical"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["severity"] == "critical" for item in data)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_combined_region_and_status_filters(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """Test combined region + aggregated status filters."""
-        params = {"filter[region]": "us-east-1", "filter[status]": "FAIL"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_ids = {item["id"] for item in data}
-        assert check_ids == {"s3_bucket_public_access", "cloudtrail_enabled"}
-        assert all(item["attributes"]["status"] == "FAIL" for item in data)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    def test_finding_groups_combined_delta_and_severity_filters(
-        self, authenticated_client, finding_groups_fixture, endpoint_name
-    ):
-        """Test combined delta + aggregated severity filters."""
-        params = {"filter[delta]": "new", "filter[severity]": "critical"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_ids = {item["id"] for item in data}
-        assert check_ids == {"s3_bucket_public_access", "cloudtrail_enabled"}
-        assert all(item["attributes"]["severity"] == "critical" for item in data)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    @pytest.mark.parametrize(
-        "filter_key,filter_value",
-        [
-            ("status", "INVALID_STATUS"),
-            ("severity", "INVALID_SEVERITY"),
-        ],
-    )
-    def test_finding_groups_invalid_status_or_severity_returns_400(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        endpoint_name,
-        filter_key,
-        filter_value,
-    ):
-        """Test invalid aggregated status/severity values are rejected."""
-        params = {f"filter[{filter_key}]": filter_value}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        assert response.json()["errors"][0]["code"] == "invalid"
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    @pytest.mark.parametrize(
-        "filter_key,filter_value,expected_detail",
-        [
-            ("status__in", "FAIL,INVALID_STATUS", "invalid status filter"),
-            ("severity__in", "critical,INVALID_SEVERITY", "invalid severity filter"),
-        ],
-    )
-    def test_finding_groups_invalid_in_filters_return_400(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        endpoint_name,
-        filter_key,
-        filter_value,
-        expected_detail,
-    ):
-        """Test invalid values in status__in/severity__in are rejected."""
-        params = {f"filter[{filter_key}]": filter_value}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        errors = response.json()["errors"]
-        assert errors[0]["code"] == "invalid"
-        assert expected_detail in errors[0]["detail"]
-
-    @pytest.mark.parametrize(
-        "filter_name,filter_value",
-        [
-            ("region", "__region_does_not_exist__"),
-            ("service", "__service_does_not_exist__"),
-            ("category", "__category_does_not_exist__"),
-            ("resource_groups", "__group_does_not_exist__"),
-            ("resource_type", "__type_does_not_exist__"),
-            ("scan", "00000000-0000-7000-8000-000000000001"),
-        ],
-    )
-    def test_finding_groups_finding_level_filters_are_applied(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        filter_name,
-        filter_value,
-    ):
-        """Test finding-level filters are applied in /finding-groups aggregation."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, f"filter[{filter_name}]": filter_value},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 0
-
-    def test_finding_groups_delta_filter_is_applied(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test delta filter is applied in /finding-groups aggregation."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {"filter[inserted_at]": TODAY, "filter[delta]": "new"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["new_count"] > 0 for item in data)
-
    def test_finding_groups_provider_aggregation(
        self, authenticated_client, finding_groups_fixture
    ):
@@ -15810,50 +15555,6 @@ class TestFindingGroupViewSet:
        assert len(data) == 1
        assert data[0]["id"] == "s3_bucket_public_access"

-    @pytest.mark.parametrize(
-        "extra_filters",
-        [
-            {},
-            {"filter[muted]": "include"},
-        ],
-        ids=["summary_path", "finding_level_path"],
-    )
-    def test_check_title_icontains_includes_all_title_variants(
-        self,
-        authenticated_client,
-        finding_groups_title_variants_fixture,
-        extra_filters,
-    ):
-        """
-        Regression: two providers report the same check_id with different
-        checktitle values (e.g. after a Prowler version upgrade).  Filtering
-        by check_title__icontains with a term that matches only ONE variant
-        must still return the finding group with counts from BOTH providers.
-
-        Parametrized to cover both aggregation paths:
-        - summary_path: default, uses _CheckTitleToCheckIdMixin on summaries
-        - finding_level_path: filter[muted]=include forces CommonFindingFilters
-        """
-        params = {
-            "filter[inserted_at]": TODAY,
-            "filter[check_title.icontains]": "Ensure repository",
-            **extra_filters,
-        }
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            params,
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert data[0]["id"] == "github_secret_scanning_enabled"
-        attrs = data[0]["attributes"]
-        # Both providers' findings must be counted
-        assert attrs["fail_count"] == 2, (
-            "fail_count must include findings from both providers, "
-            "regardless of which title variant matches the search"
-        )
-
    def test_resources_not_found(self, authenticated_client):
        """Test 404 returned for nonexistent check_id."""
        response = authenticated_client.get(
@@ -15895,44 +15596,6 @@ class TestFindingGroupViewSet:
            assert resource.get("region"), "resource.region must not be empty"
            assert resource.get("type"), "resource.type must not be empty"

-    def test_resources_resource_group(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test resource_group is extracted from check_metadata.resourcegroup."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources", kwargs={"pk": "s3_bucket_public_access"}
-            ),
-            {"filter[inserted_at]": TODAY},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-        for item in data:
-            resource = item["attributes"]["resource"]
-            assert (
-                resource["resource_group"] == "storage"
-            ), "resource_group must be 'storage'"
-
-    def test_resources_name_icontains(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test resource_name__icontains filters resources by name substring."""
-        # s3_bucket_public_access has "My Instance 1" and "My Instance 2"
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources", kwargs={"pk": "s3_bucket_public_access"}
-            ),
-            {
-                "filter[inserted_at]": TODAY,
-                "filter[resource_name.icontains]": "Instance 1",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert "Instance 1" in data[0]["attributes"]["resource"]["name"]
-
    def test_resources_provider_info(
        self, authenticated_client, finding_groups_fixture
    ):
@@ -16190,257 +15853,47 @@ class TestFindingGroupViewSet:
        assert len(data) == 1
        assert data[0]["id"] == "cloudtrail_enabled"

-    def test_finding_groups_latest_status_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest supports status filter on aggregated status."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {"filter[status]": "FAIL"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["status"] == "FAIL" for item in data)
-
-    def test_finding_groups_latest_region_filter_reaggregates_metrics(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest recomputes metrics from findings matching region filter."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {
-                "filter[check_id]": "ec2_instance_public_ip",
-                "filter[region]": "us-east-1",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-
-        attrs = data[0]["attributes"]
-        assert attrs["status"] == "PASS"
-        assert attrs["pass_count"] == 1
-        assert attrs["fail_count"] == 0
-        assert attrs["resources_total"] == 1
-        assert attrs["resources_fail"] == 0
-
-    def test_finding_groups_latest_status_in_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest supports status__in filter on aggregated status."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {"filter[status__in]": "FAIL,PASS"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["status"] in {"FAIL", "PASS"} for item in data)
-
-    def test_finding_groups_latest_severity_filter(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest supports severity filter on aggregated severity."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {"filter[severity]": "critical"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["severity"] == "critical" for item in data)
-
-    @pytest.mark.parametrize(
-        "filter_name,filter_value",
-        [
-            ("region", "__region_does_not_exist__"),
-            ("service", "__service_does_not_exist__"),
-            ("category", "__category_does_not_exist__"),
-            ("resource_groups", "__group_does_not_exist__"),
-            ("resource_type", "__type_does_not_exist__"),
-            ("scan", "00000000-0000-7000-8000-000000000001"),
-        ],
-    )
-    def test_finding_groups_latest_finding_level_filters_are_applied(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        filter_name,
-        filter_value,
-    ):
-        """Test finding-level filters are applied in /finding-groups/latest aggregation."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {f"filter[{filter_name}]": filter_value},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 0
-
-    def test_finding_groups_check_title_filter_applies_with_delta(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test check_title filter is honored when finding-level path is used."""
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {
-                "filter[inserted_at]": TODAY,
-                "filter[delta]": "new",
-                "filter[check_title.icontains]": "__missing_check_title__",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 0
-
-    def test_finding_groups_latest_check_title_filter_applies_with_delta(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest check_title filter is honored on finding-level path."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {
-                "filter[delta]": "new",
-                "filter[check_title.icontains]": "__missing_check_title__",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 0
-
-    def test_finding_groups_latest_delta_filter_is_applied(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test delta filter is applied in /finding-groups/latest aggregation."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {"filter[delta]": "new"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-        assert all(item["attributes"]["new_count"] > 0 for item in data)
-
    def test_finding_groups_latest_aggregates_latest_per_provider(
-        self,
-        authenticated_client,
-        providers_fixture,
-        resources_fixture,
+        self, authenticated_client, providers_fixture
    ):
-        """Test /latest keeps all findings from the latest scan per provider.
-
-        Verifies that when the latest scan produces multiple findings for the
-        same check_id (e.g. one per resource), all of them are included in the
-        aggregation — not just one.
-        """
+        """Test /latest aggregates latest summary from each provider for the same check."""
        provider1 = providers_fixture[0]
        provider2 = providers_fixture[1]
-        resource1 = resources_fixture[0]
-        resource2 = resources_fixture[1]
-        resource3 = resources_fixture[2]
-        check_id = "cross_provider_latest_resources_total"

-        latest_scan_provider1 = Scan.objects.create(
+        check_id = "cross_provider_latest_resources_total"
+        now = datetime.now(timezone.utc).replace(minute=0, second=0, microsecond=0)
+
+        FindingGroupDailySummary.objects.create(
            tenant_id=provider1.tenant_id,
            provider=provider1,
-            state=StateChoices.COMPLETED,
-            trigger=Scan.TriggerChoices.MANUAL,
-            completed_at=datetime.now(timezone.utc),
+            check_id=check_id,
+            inserted_at=now - timedelta(days=1),
+            resources_total=20,
+            resources_fail=20,
+            fail_count=20,
        )
-
-        latest_scan_provider2 = Scan.objects.create(
+        FindingGroupDailySummary.objects.create(
            tenant_id=provider2.tenant_id,
            provider=provider2,
-            state=StateChoices.COMPLETED,
-            trigger=Scan.TriggerChoices.MANUAL,
-            completed_at=datetime.now(timezone.utc),
-        )
-
-        older_scan_provider1 = Scan.objects.create(
-            tenant_id=provider1.tenant_id,
-            provider=provider1,
-            state=StateChoices.COMPLETED,
-            trigger=Scan.TriggerChoices.MANUAL,
-            completed_at=datetime.now(timezone.utc) - timedelta(days=1),
-        )
-
-        # Older scan — these should be excluded from /latest
-        Finding.objects.create(
-            tenant_id=provider1.tenant_id,
-            uid="old_cross_provider_1",
-            scan=older_scan_provider1,
-            delta="new",
-            status="FAIL",
-            severity="high",
-            impact="high",
            check_id=check_id,
-            check_metadata={"CheckId": check_id, "checktitle": "Cross provider check"},
-            first_seen_at=datetime.now(timezone.utc) - timedelta(days=2),
-            muted=False,
+            inserted_at=now,
+            resources_total=7,
+            resources_fail=7,
+            fail_count=7,
        )

-        # Latest scan provider1: TWO findings (PASS + FAIL) for the same check
-        latest_p1_pass = Finding.objects.create(
-            tenant_id=provider1.tenant_id,
-            uid="latest_cross_provider_1_pass",
-            scan=latest_scan_provider1,
-            delta="new",
-            status="PASS",
-            severity="high",
-            impact="high",
-            check_id=check_id,
-            check_metadata={"CheckId": check_id, "checktitle": "Cross provider check"},
-            first_seen_at=datetime.now(timezone.utc) - timedelta(hours=1),
-            muted=False,
-        )
-        latest_p1_pass.add_resources([resource1])
-
-        latest_p1_fail = Finding.objects.create(
-            tenant_id=provider1.tenant_id,
-            uid="latest_cross_provider_1_fail",
-            scan=latest_scan_provider1,
-            delta="new",
-            status="FAIL",
-            severity="high",
-            impact="high",
-            check_id=check_id,
-            check_metadata={"CheckId": check_id, "checktitle": "Cross provider check"},
-            first_seen_at=datetime.now(timezone.utc) - timedelta(hours=1),
-            muted=False,
-        )
-        latest_p1_fail.add_resources([resource2])
-
-        # Latest scan provider2: one finding
-        latest_p2 = Finding.objects.create(
-            tenant_id=provider2.tenant_id,
-            uid="latest_cross_provider_2",
-            scan=latest_scan_provider2,
-            delta="new",
-            status="FAIL",
-            severity="high",
-            impact="high",
-            check_id=check_id,
-            check_metadata={"CheckId": check_id, "checktitle": "Cross provider check"},
-            first_seen_at=datetime.now(timezone.utc) - timedelta(hours=1),
-            muted=False,
-        )
-        latest_p2.add_resources([resource3])
-
        response = authenticated_client.get(
            reverse("finding-group-latest"),
-            {"filter[check_id]": check_id, "filter[delta]": "new"},
+            {"filter[check_id]": check_id},
        )

        assert response.status_code == status.HTTP_200_OK
        data = response.json()["data"]
        assert len(data) == 1
        attrs = data[0]["attributes"]
-        # 3 findings total: 2 from provider1 latest + 1 from provider2 latest
-        assert attrs["pass_count"] == 1
-        assert attrs["fail_count"] == 2
-        assert attrs["resources_total"] == 3
-        assert attrs["resources_fail"] == 2
+        assert attrs["resources_total"] == 27
+        assert attrs["resources_fail"] == 27
+        assert attrs["fail_count"] == 27

    def test_finding_groups_latest_provider_type_filter(
        self, authenticated_client, finding_groups_fixture
@@ -16481,44 +15934,6 @@ class TestFindingGroupViewSet:
        check_ids = [item["id"] for item in data]
        assert check_ids == sorted(check_ids)

-    def test_finding_groups_latest_sort_by_check_title(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Test /latest supports sorting by check_title."""
-        response = authenticated_client.get(
-            reverse("finding-group-latest"),
-            {"sort": "check_title"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_titles = [item["attributes"]["check_title"] for item in data]
-        assert check_titles == sorted(check_titles)
-
-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    @pytest.mark.parametrize(
-        "sort_field",
-        ["first_seen_at", "-first_seen_at", "last_seen_at", "failing_since"],
-    )
-    def test_finding_groups_sort_by_time_fields(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        endpoint_name,
-        sort_field,
-    ):
-        """Test sorting by aggregated time fields (first_seen_at, last_seen_at, failing_since)."""
-        params = {"sort": sort_field}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-
    def test_finding_groups_latest_ignores_date_filters(
        self, authenticated_client, finding_groups_fixture
    ):
@@ -4180,7 +4180,6 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
    severity = serializers.CharField()
    first_seen_at = serializers.DateTimeField(required=False, allow_null=True)
    last_seen_at = serializers.DateTimeField(required=False, allow_null=True)
-    muted_reason = serializers.CharField(required=False, allow_null=True)

    class JSONAPIMeta:
        resource_name = "finding-group-resources"
@@ -4194,7 +4193,6 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
                "service": {"type": "string"},
                "region": {"type": "string"},
                "type": {"type": "string"},
-                "resource_group": {"type": "string"},
            },
        }
    )
@@ -4206,7 +4204,6 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
            "service": obj.get("resource_service", ""),
            "region": obj.get("resource_region", ""),
            "type": obj.get("resource_type", ""),
-            "resource_group": obj.get("resource_group", ""),
        }

    @extend_schema_field(
@@ -31,7 +31,6 @@ from django.contrib.postgres.search import SearchQuery
 from django.db import transaction
 from django.db.models import (
    Case,
-    CharField,
    Count,
    DecimalField,
    ExpressionWrapper,
@@ -48,8 +47,7 @@ from django.db.models import (
    When,
    Window,
 )
-from django.db.models.fields.json import KeyTextTransform
-from django.db.models.functions import Cast, Coalesce, RowNumber
+from django.db.models.functions import Coalesce, RowNumber
 from django.http import HttpResponse, QueryDict
 from django.shortcuts import redirect
 from django.urls import reverse
@@ -84,6 +82,7 @@ from tasks.beat import schedule_provider_scan
 from tasks.jobs.attack_paths import db_utils as attack_paths_db_utils
 from tasks.jobs.export import get_s3_client
 from tasks.tasks import (
+    aggregate_finding_group_summaries_task,
    backfill_compliance_summaries_task,
    backfill_scan_resource_summaries_task,
    check_integration_connection_task,
@@ -95,7 +94,6 @@ from tasks.tasks import (
    jira_integration_task,
    mute_historical_findings_task,
    perform_scan_task,
-    reaggregate_all_finding_group_summaries_task,
    refresh_lighthouse_provider_models_task,
 )

@@ -126,7 +124,6 @@ from api.filters import (
    CustomDjangoFilterBackend,
    DailySeveritySummaryFilter,
    FindingFilter,
-    FindingGroupAggregatedComputedFilter,
    FindingGroupFilter,
    FindingGroupSummaryFilter,
    IntegrationFilter,
@@ -412,7 +409,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.24.0"
+        spectacular_settings.VERSION = "1.23.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -1211,17 +1208,6 @@ class TenantViewSet(BaseTenantViewset):
    # RBAC required permissions
    required_permissions = [Permissions.MANAGE_ACCOUNT]

-    def set_required_permissions(self):
-        """
-        Returns the required permissions based on the request method.
-        """
-        if self.action in ("list", "retrieve", "create"):
-            # No permissions required for listing, retrieving or creating tenants
-            self.required_permissions = []
-        else:
-            # Require MANAGE_ACCOUNT for update and delete
-            self.required_permissions = [Permissions.MANAGE_ACCOUNT]
-
    def get_queryset(self):
        queryset = Tenant.objects.filter(membership__user=self.request.user)
        return queryset.prefetch_related("memberships")
@@ -3483,7 +3469,7 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
            request,
            filtered_queryset,
            manager=Finding.all_objects,
-            select_related=["scan__provider"],
+            select_related=["scan"],
            prefetch_related=["resources"],
        )

@@ -3653,7 +3639,7 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
        tenant_id = request.tenant_id
        filtered_queryset = self.filter_queryset(self.get_queryset())

-        latest_scan_ids = list(
+        latest_scan_ids = (
            Scan.all_objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
            .order_by("provider_id", "-inserted_at")
            .distinct("provider_id")
@@ -3667,7 +3653,7 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
            request,
            filtered_queryset,
            manager=Finding.all_objects,
-            select_related=["scan__provider"],
+            select_related=["scan"],
            prefetch_related=["resources"],
        )

@@ -6740,15 +6726,23 @@ class MuteRuleViewSet(BaseRLSViewSet):
            muted_reason=mute_rule.reason,
        )

-        # Launch background task for historical muting + reaggregation
+        # Launch background task for historical muting
+        latest_scan_id = (
+            Scan.objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
+            .order_by("-completed_at", "-inserted_at")
+            .values_list("id", flat=True)
+            .first()
+        )
+
        transaction.on_commit(
            lambda: chain(
                mute_historical_findings_task.si(
                    tenant_id=tenant_id,
                    mute_rule_id=str(mute_rule.id),
                ),
-                reaggregate_all_finding_group_summaries_task.si(
+                aggregate_finding_group_summaries_task.si(
                    tenant_id=tenant_id,
+                    scan_id=str(latest_scan_id),
                ),
            ).apply_async()
        )
@@ -6792,13 +6786,13 @@ class FindingGroupViewSet(BaseRLSViewSet):
    security analysts to see which checks are failing across their
    infrastructure without scrolling through thousands of individual findings.

-    Uses a hybrid strategy: pre-aggregated daily summaries when possible,
-    and raw findings when finding-level filters require precise subset metrics.
+    Uses pre-aggregated FindingGroupDailySummary table for efficient queries.
+    Daily summaries are re-aggregated across the requested date range.
    """

    queryset = FindingGroupDailySummary.objects.all()
    serializer_class = FindingGroupSerializer
-    filterset_class = FindingGroupFilter
+    filterset_class = FindingGroupSummaryFilter
    filter_backends = [
        jsonapi_filters.QueryParameterValidationFilter,
        jsonapi_filters.OrderingFilter,
@@ -6817,12 +6811,12 @@ class FindingGroupViewSet(BaseRLSViewSet):
        affects the OpenAPI schema generated by drf-spectacular.
        """
        if self.action == "latest":
-            return LatestFindingGroupFilter
+            return LatestFindingGroupSummaryFilter
        if self.action == "resources":
            return FindingGroupFilter
        if self.action == "latest_resources":
            return LatestFindingGroupFilter
-        return FindingGroupFilter
+        return FindingGroupSummaryFilter

    def get_queryset(self):
        """Get the base FindingGroupDailySummary queryset with RLS filtering."""
@@ -6878,15 +6872,8 @@ class FindingGroupViewSet(BaseRLSViewSet):
        "resource_type__icontains": "type__icontains",
    }

-    # Fields accepted directly by LatestResourceFilter (no translation needed)
-    _RESOURCE_FILTER_FIELDS = {
-        f"{field}__{lookup}"
-        for field, lookups in LatestResourceFilter.Meta.fields.items()
-        for lookup in lookups
-    } | set(LatestResourceFilter.Meta.fields.keys())
-
    def _split_resource_filters(self, params: QueryDict) -> tuple[QueryDict, QueryDict]:
-        resource_keys = set(self.RESOURCE_FILTER_MAP) | self._RESOURCE_FILTER_FIELDS
+        resource_keys = set(self.RESOURCE_FILTER_MAP)
        finding_params = QueryDict(mutable=True)
        resource_params = QueryDict(mutable=True)
        for key, values in params.lists():
@@ -6907,16 +6894,11 @@ class FindingGroupViewSet(BaseRLSViewSet):
            queryset = queryset.filter(tenant_id=tenant_id)

        filter_params = QueryDict(mutable=True)
-        for key, values in params.lists():
-            # Translate resource_* prefixed keys via the map
-            if key in self.RESOURCE_FILTER_MAP:
-                mapped_key = self.RESOURCE_FILTER_MAP[key]
-            elif key in self._RESOURCE_FILTER_FIELDS:
-                mapped_key = key
-            else:
+        for key, mapped_key in self.RESOURCE_FILTER_MAP.items():
+            if key not in params:
                continue
-
            if key == "resources" or key.endswith("__in"):
+                values = params.getlist(key)
                items: list[str] = []
                for value in values:
                    if value is None:
@@ -6941,27 +6923,20 @@ class FindingGroupViewSet(BaseRLSViewSet):

        return filterset.qs.values("id")

-    def _get_finding_level_filter_keys(self, latest: bool = False) -> set[str]:
-        """Derive filters that require querying raw findings."""
-        summary_filterset = (
-            LatestFindingGroupSummaryFilter if latest else FindingGroupSummaryFilter
-        )
-        finding_filterset = LatestFindingGroupFilter if latest else FindingGroupFilter
-
-        summary_supported = set(summary_filterset.base_filters.keys())
-        finding_supported = set(finding_filterset.base_filters.keys())
-        return finding_supported - summary_supported
-
-    def _requires_finding_level_aggregation(
-        self, params: QueryDict, latest: bool = False
-    ) -> bool:
-        finding_level_keys = self._get_finding_level_filter_keys(latest=latest)
-        return any(key in finding_level_keys for key in params.keys())
-
    def _aggregate_daily_summaries(self, queryset):
-        """Re-aggregate summary rows by check_id."""
+        """
+        Re-aggregate daily summaries across the date range.
+
+        Takes pre-computed daily summaries and aggregates them by check_id
+        to produce totals across the selected date range.
+        """
+        from django.db.models import CharField
+        from django.db.models.functions import Cast
+
        return queryset.values("check_id").annotate(
+            # Max severity across days
            severity_order=Max("severity_order"),
+            # Sum counts across days
            pass_count=Sum("pass_count"),
            fail_count=Sum("fail_count"),
            muted_count=Sum("muted_count"),
@@ -6969,99 +6944,22 @@ class FindingGroupViewSet(BaseRLSViewSet):
            changed_count=Sum("changed_count"),
            resources_total=Sum("resources_total"),
            resources_fail=Sum("resources_fail"),
+            # Collect provider types using StringAgg (cast enum to text first)
            impacted_providers_str=StringAgg(
                Cast("provider__provider", CharField()),
                delimiter=",",
                distinct=True,
                default="",
            ),
-            agg_first_seen_at=Min("first_seen_at"),
-            agg_last_seen_at=Max("last_seen_at"),
-            agg_failing_since=Min("failing_since"),
+            # Min/Max timing across days
+            first_seen_at=Min("first_seen_at"),
+            last_seen_at=Max("last_seen_at"),
+            failing_since=Min("failing_since"),
+            # Get check metadata from first row (same for all days)
            check_title=Max("check_title"),
            check_description=Max("check_description"),
        )

-    def _aggregate_findings(self, queryset):
-        """Aggregate findings by check_id for finding-group endpoints."""
-        severity_case = Case(
-            *[
-                When(severity=severity, then=Value(order))
-                for severity, order in SEVERITY_ORDER.items()
-            ],
-            output_field=IntegerField(),
-        )
-
-        return queryset.values("check_id").annotate(
-            severity_order=Max(severity_case),
-            pass_count=Count("id", filter=Q(status="PASS", muted=False)),
-            fail_count=Count("id", filter=Q(status="FAIL", muted=False)),
-            muted_count=Count("id", filter=Q(muted=True)),
-            new_count=Count("id", filter=Q(delta="new", muted=False)),
-            changed_count=Count("id", filter=Q(delta="changed", muted=False)),
-            resources_total=Count("resources__id", distinct=True),
-            resources_fail=Count(
-                "resources__id",
-                distinct=True,
-                filter=Q(status="FAIL", muted=False),
-            ),
-            impacted_providers_str=StringAgg(
-                Cast("scan__provider__provider", CharField()),
-                delimiter=",",
-                distinct=True,
-                default="",
-            ),
-            agg_first_seen_at=Min("first_seen_at"),
-            agg_last_seen_at=Max("inserted_at"),
-            agg_failing_since=Min(
-                "first_seen_at", filter=Q(status="FAIL", muted=False)
-            ),
-            check_title=Coalesce(
-                Max(KeyTextTransform("checktitle", "check_metadata")),
-                Max(KeyTextTransform("CheckTitle", "check_metadata")),
-                Max(KeyTextTransform("Checktitle", "check_metadata")),
-            ),
-            check_description=Coalesce(
-                Max(KeyTextTransform("description", "check_metadata")),
-                Max(KeyTextTransform("Description", "check_metadata")),
-            ),
-        )
-
-    def _split_computed_aggregate_filters(
-        self, params: QueryDict
-    ) -> tuple[QueryDict, QueryDict]:
-        """Split finding filters from computed aggregate filters."""
-        computed_keys = {
-            "status",
-            "status__in",
-            "severity",
-            "severity__in",
-            "include_muted",
-        }
-        finding_params = QueryDict(mutable=True)
-        computed_params = QueryDict(mutable=True)
-
-        for key, values in params.lists():
-            if key in computed_keys:
-                computed_params.setlist(key, values)
-            else:
-                finding_params.setlist(key, values)
-
-        return finding_params, computed_params
-
-    def _get_latest_findings_per_provider(self, filtered_queryset):
-        """Keep only findings from each provider's most recent completed scan."""
-        latest_scan_ids = (
-            Scan.objects.filter(
-                tenant_id=self.request.tenant_id,
-                state=StateChoices.COMPLETED,
-            )
-            .order_by("provider_id", "-completed_at", "-inserted_at")
-            .distinct("provider_id")
-            .values("id")
-        )
-        return filtered_queryset.filter(scan_id__in=latest_scan_ids)
-
    def _post_process_aggregation(self, aggregated_data):
        """
        Post-process aggregation results to add computed fields.
@@ -7078,13 +6976,6 @@ class FindingGroupViewSet(BaseRLSViewSet):
                severity_order, "informational"
            )

-            if "agg_first_seen_at" in row:
-                row["first_seen_at"] = row.pop("agg_first_seen_at")
-            if "agg_last_seen_at" in row:
-                row["last_seen_at"] = row.pop("agg_last_seen_at")
-            if "agg_failing_since" in row:
-                row["failing_since"] = row.pop("agg_failing_since")
-
            # Compute aggregated status
            if row.get("fail_count", 0) > 0:
                row["status"] = "FAIL"
@@ -7107,7 +6998,6 @@ class FindingGroupViewSet(BaseRLSViewSet):
        """Validate and map JSON:API sort fields for aggregated finding groups."""
        sort_field_map = {
            "check_id": "check_id",
-            "check_title": "check_title",
            "severity": "severity_order",
            "fail_count": "fail_count",
            "pass_count": "pass_count",
@@ -7116,9 +7006,9 @@ class FindingGroupViewSet(BaseRLSViewSet):
            "changed_count": "changed_count",
            "resources_total": "resources_total",
            "resources_fail": "resources_fail",
-            "first_seen_at": "agg_first_seen_at",
-            "last_seen_at": "agg_last_seen_at",
-            "failing_since": "agg_failing_since",
+            "first_seen_at": "first_seen_at",
+            "last_seen_at": "last_seen_at",
+            "failing_since": "failing_since",
        }

        ordering = []
@@ -7145,33 +7035,6 @@ class FindingGroupViewSet(BaseRLSViewSet):

        return ordering

-    def _apply_aggregated_computed_filters(self, queryset, computed_params: QueryDict):
-        """Apply computed filters (status/severity) on aggregated finding-group rows."""
-        if not computed_params:
-            return queryset
-
-        if computed_params.get("status") or computed_params.getlist("status__in"):
-            queryset = queryset.annotate(
-                aggregated_status=Case(
-                    When(fail_count__gt=0, then=Value("FAIL")),
-                    When(pass_count__gt=0, then=Value("PASS")),
-                    default=Value("MUTED"),
-                    output_field=CharField(),
-                )
-            )
-
-        # Exclude fully-muted groups by default unless include_muted is set
-        if "include_muted" not in computed_params:
-            queryset = queryset.exclude(fail_count=0, pass_count=0, muted_count__gt=0)
-
-        filterset = FindingGroupAggregatedComputedFilter(
-            computed_params, queryset=queryset
-        )
-        if not filterset.is_valid():
-            raise ValidationError(filterset.errors)
-
-        return filterset.qs
-
    def _build_resource_mapping_queryset(
        self, filtered_queryset, resource_ids=None, tenant_id: str | None = None
    ):
@@ -7244,13 +7107,6 @@ class FindingGroupViewSet(BaseRLSViewSet):
                ),
                first_seen_at=Min("finding__first_seen_at"),
                last_seen_at=Max("finding__inserted_at"),
-                # Max() on muted_reason / check_metadata is safe because
-                # all findings for the same resource+check share identical
-                # values (mute rules and metadata are applied per-check).
-                muted_reason=Max("finding__muted_reason"),
-                resource_group=Max(
-                    KeyTextTransform("resourcegroup", "finding__check_metadata")
-                ),
            )
            .filter(resource_id__isnull=False)
            .order_by("resource_id")
@@ -7286,95 +7142,56 @@ class FindingGroupViewSet(BaseRLSViewSet):
                    ),
                    "first_seen_at": row["first_seen_at"],
                    "last_seen_at": row["last_seen_at"],
-                    "muted_reason": row.get("muted_reason"),
-                    "resource_group": row.get("resource_group", ""),
                }
            )

        return results

-    def _build_aggregated_queryset(self, finding_params, latest=False):
-        """Select the summary or findings path and return an aggregated queryset."""
-        finding_filterset_class = (
-            LatestFindingGroupFilter if latest else FindingGroupFilter
-        )
-        summary_filterset_class = (
-            LatestFindingGroupSummaryFilter if latest else FindingGroupSummaryFilter
-        )
-
-        if self._requires_finding_level_aggregation(finding_params, latest=latest):
-            finding_queryset = self._get_finding_queryset()
-            filterset = finding_filterset_class(
-                finding_params, queryset=finding_queryset
-            )
-            if not filterset.is_valid():
-                raise ValidationError(filterset.errors)
-            filtered_queryset = filterset.qs
-            if latest:
-                filtered_queryset = self._get_latest_findings_per_provider(
-                    filtered_queryset
-                )
-            return self._aggregate_findings(filtered_queryset)
-
-        summary_queryset = self.get_queryset()
-        filterset = summary_filterset_class(finding_params, queryset=summary_queryset)
-        if not filterset.is_valid():
-            raise ValidationError(filterset.errors)
-        filtered_queryset = filterset.qs
-        # Only include summaries from each provider's most recent date
-        # (within the filtered range).
-        # We use a subquery to strip the Window annotation so it does not
-        # leak into the GROUP BY of _aggregate_daily_summaries.
-        latest_per_provider = filtered_queryset.annotate(
-            _max_provider_date=Window(
-                expression=Max("inserted_at"),
-                partition_by=[F("provider_id")],
-            ),
-        ).filter(inserted_at=F("_max_provider_date"))
-        clean_queryset = FindingGroupDailySummary.objects.filter(
-            pk__in=latest_per_provider.values("pk")
-        )
-        return self._aggregate_daily_summaries(clean_queryset)
-
-    def _sorted_paginated_response(self, request, aggregated_queryset):
-        """Apply ordering, pagination, post-processing, and return the Response."""
-        sort_param = request.query_params.get("sort")
-        if sort_param:
-            ordering = self._validate_sort_fields(sort_param)
-            if ordering:
-                aggregated_queryset = aggregated_queryset.order_by(*ordering)
-        else:
-            aggregated_queryset = aggregated_queryset.order_by(
-                "-fail_count", "-severity_order", "check_id"
-            )
-
-        page = self.paginate_queryset(aggregated_queryset)
-        if page is not None:
-            processed_data = self._post_process_aggregation(page)
-            serializer = self.get_serializer(processed_data, many=True)
-            return self.get_paginated_response(serializer.data)
-
-        processed_data = self._post_process_aggregation(aggregated_queryset)
-        serializer = self.get_serializer(processed_data, many=True)
-        return Response(serializer.data)
-
    def list(self, request, *args, **kwargs):
        """
        List finding groups with aggregation and filtering.

        Returns findings grouped by check_id with aggregated metrics.
        Requires at least one date filter for performance.
-        Uses summaries when possible and raw findings for finding-level filters.
+        Uses pre-aggregated daily summaries for efficient queries.
        """
+        queryset = self.get_queryset()
+
+        # Apply filters
        normalized_params = self._normalize_jsonapi_params(request.query_params)
-        finding_params, computed_params = self._split_computed_aggregate_filters(
-            normalized_params
-        )
-        aggregated_qs = self._build_aggregated_queryset(finding_params, latest=False)
-        aggregated_qs = self._apply_aggregated_computed_filters(
-            aggregated_qs, computed_params
-        )
-        return self._sorted_paginated_response(request, aggregated_qs)
+        filterset = self.filterset_class(normalized_params, queryset=queryset)
+        if not filterset.is_valid():
+            raise ValidationError(filterset.errors)
+        filtered_queryset = filterset.qs
+
+        # Re-aggregate daily summaries across the date range
+        aggregated_queryset = self._aggregate_daily_summaries(filtered_queryset)
+
+        # Apply ordering (respect JSON:API sort param or use default)
+        sort_param = request.query_params.get("sort")
+        if sort_param:
+            # Convert JSON:API sort notation (prefix '-' for descending)
+            ordering = self._validate_sort_fields(sort_param)
+            if ordering:
+                aggregated_queryset = aggregated_queryset.order_by(*ordering)
+        else:
+            # Default ordering: failures first, then severity, then check_id
+            aggregated_queryset = aggregated_queryset.order_by(
+                "-fail_count", "-severity_order", "check_id"
+            )
+
+        # Paginate
+        page = self.paginate_queryset(aggregated_queryset)
+        if page is not None:
+            # Post-process the page
+            processed_data = self._post_process_aggregation(page)
+            serializer = self.get_serializer(processed_data, many=True)
+            return self.get_paginated_response(serializer.data)
+
+        # Post-process all results (no pagination)
+        processed_data = self._post_process_aggregation(aggregated_queryset)
+        serializer = self.get_serializer(processed_data, many=True)
+        return Response(serializer.data)

    @extend_schema(
        summary="List latest finding groups",
@@ -7392,22 +7209,58 @@ class FindingGroupViewSet(BaseRLSViewSet):
        """
        List the latest finding group state per check_id.

-        Returns findings grouped by check_id using latest data per
-        (check_id, provider), without requiring date filters.
+        Returns findings grouped by check_id using the latest available
+        inserted_at date per check_id, without requiring date filters.
        """
+        queryset = self.get_queryset()
+
+        # Apply other filters (provider_id, provider_type, check_id, etc.)
        normalized_params = self._normalize_jsonapi_params(request.query_params)
+        # Remove date filters since we're using latest
        for key in list(normalized_params.keys()):
            if key.startswith("inserted_at"):
                del normalized_params[key]

-        finding_params, computed_params = self._split_computed_aggregate_filters(
-            normalized_params
+        filterset_class = self.get_filterset_class()
+        filterset = filterset_class(normalized_params, queryset=queryset)
+        if not filterset.is_valid():
+            raise ValidationError(filterset.errors)
+        filtered_queryset = filterset.qs
+
+        # Keep only the latest row per (check_id, provider), then aggregate by check_id.
+        latest_per_check_ids = (
+            filtered_queryset.order_by("check_id", "provider_id", "-inserted_at")
+            .distinct("check_id", "provider_id")
+            .values("id")
        )
-        aggregated_qs = self._build_aggregated_queryset(finding_params, latest=True)
-        aggregated_qs = self._apply_aggregated_computed_filters(
-            aggregated_qs, computed_params
+        latest_per_check = filtered_queryset.filter(
+            id__in=Subquery(latest_per_check_ids)
        )
-        return self._sorted_paginated_response(request, aggregated_qs)
+
+        # Re-aggregate daily summaries
+        aggregated_queryset = self._aggregate_daily_summaries(latest_per_check)
+
+        # Apply ordering
+        sort_param = request.query_params.get("sort")
+        if sort_param:
+            ordering = self._validate_sort_fields(sort_param)
+            if ordering:
+                aggregated_queryset = aggregated_queryset.order_by(*ordering)
+        else:
+            aggregated_queryset = aggregated_queryset.order_by(
+                "-fail_count", "-severity_order", "check_id"
+            )
+
+        # Paginate
+        page = self.paginate_queryset(aggregated_queryset)
+        if page is not None:
+            processed_data = self._post_process_aggregation(page)
+            serializer = self.get_serializer(processed_data, many=True)
+            return self.get_paginated_response(serializer.data)
+
+        processed_data = self._post_process_aggregation(aggregated_queryset)
+        serializer = self.get_serializer(processed_data, many=True)
+        return Response(serializer.data)

    @extend_schema(
        summary="List resources for a finding group",
@@ -299,8 +299,3 @@ DJANGO_DELETION_BATCH_SIZE = env.int("DJANGO_DELETION_BATCH_SIZE", 5000)
 # SAML requirement
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SECURE = True
-
-# Attack Paths
-ATTACK_PATHS_SCAN_STALE_THRESHOLD_MINUTES = env.int(
-    "ATTACK_PATHS_SCAN_STALE_THRESHOLD_MINUTES", 2880
-)  # 48h
@@ -1,52 +1,10 @@
-from urllib.parse import quote
-
 from config.env import env

-_VALID_SCHEMES = {"redis", "rediss"}
-
-
-def _build_celery_broker_url(
-    scheme: str,
-    username: str,
-    password: str,
-    host: str,
-    port: str,
-    db: str,
-) -> str:
-    if scheme not in _VALID_SCHEMES:
-        raise ValueError(
-            f"Invalid VALKEY_SCHEME '{scheme}'. Must be one of: {', '.join(sorted(_VALID_SCHEMES))}"
-        )
-
-    encoded_username = quote(username, safe="") if username else ""
-    encoded_password = quote(password, safe="") if password else ""
-
-    auth = ""
-    if encoded_username and encoded_password:
-        auth = f"{encoded_username}:{encoded_password}@"
-    elif encoded_password:
-        auth = f":{encoded_password}@"
-    elif encoded_username:
-        auth = f"{encoded_username}@"
-
-    return f"{scheme}://{auth}{host}:{port}/{db}"
-
-
-VALKEY_SCHEME = env("VALKEY_SCHEME", default="redis")
-VALKEY_USERNAME = env("VALKEY_USERNAME", default="")
-VALKEY_PASSWORD = env("VALKEY_PASSWORD", default="")
 VALKEY_HOST = env("VALKEY_HOST", default="valkey")
 VALKEY_PORT = env("VALKEY_PORT", default="6379")
 VALKEY_DB = env("VALKEY_DB", default="0")

-CELERY_BROKER_URL = _build_celery_broker_url(
-    VALKEY_SCHEME,
-    VALKEY_USERNAME,
-    VALKEY_PASSWORD,
-    VALKEY_HOST,
-    VALKEY_PORT,
-    VALKEY_DB,
-)
+CELERY_BROKER_URL = f"redis://{VALKEY_HOST}:{VALKEY_PORT}/{VALKEY_DB}"
 CELERY_RESULT_BACKEND = "django-db"
 CELERY_TASK_TRACK_STARTED = True

@@ -1,5 +1,4 @@
 import sentry_sdk
-
 from config.env import env

 IGNORED_EXCEPTIONS = [
@@ -86,20 +85,8 @@ def before_send(event, hint):
    # Ignore logs with the ignored_exceptions
    # https://docs.python.org/3/library/logging.html#logrecord-objects
    if "log_record" in hint:
-        log_record = hint["log_record"]
-        log_msg = log_record.getMessage()
-        log_lvl = log_record.levelno
-
-        # The Neo4j driver logs transient connection errors (defunct
-        # connections, resets) at ERROR level via the `neo4j.io` logger.
-        # `RetryableSession` handles these with retries. If all retries
-        # are exhausted, the exception propagates and Sentry captures
-        # it as a normal exception event.
-        if (
-            getattr(log_record, "name", "").startswith("neo4j.io")
-            and "defunct" in log_msg
-        ):
-            return None
+        log_msg = hint["log_record"].msg
+        log_lvl = hint["log_record"].levelno

        # Handle Error and Critical events and discard the rest
        if log_lvl <= 40 and any(ignored in log_msg for ignored in IGNORED_EXCEPTIONS):
@@ -111,9 +111,8 @@ def disable_logging():
    logging.disable(logging.CRITICAL)


-@pytest.fixture(scope="session")
-def _session_test_user(django_db_setup, django_db_blocker):
-    """Create the test user once per session. Internal; use create_test_user instead."""
+@pytest.fixture(scope="session", autouse=True)
+def create_test_user(django_db_setup, django_db_blocker):
    with django_db_blocker.unblock():
        user = User.objects.create_user(
            name="testing",
@@ -123,21 +122,6 @@ def _session_test_user(django_db_setup, django_db_blocker):
    return user


-@pytest.fixture(autouse=True)
-def create_test_user(_session_test_user, django_db_blocker):
-    """Re-create the session-scoped test user when a TransactionTestCase
-    has truncated the users table."""
-    with django_db_blocker.unblock():
-        if not User.objects.filter(pk=_session_test_user.pk).exists():
-            User.objects.create_user(
-                id=_session_test_user.pk,
-                name="testing",
-                email=TEST_USER,
-                password=TEST_PASSWORD,
-            )
-    return _session_test_user
-
-
@pytest.fixture(scope="function")
 def create_test_user_rbac(django_db_setup, django_db_blocker, tenants_fixture):
    with django_db_blocker.unblock():
@@ -2028,7 +2012,6 @@ def finding_groups_fixture(
            "CheckId": "s3_bucket_public_access",
            "checktitle": "Ensure S3 buckets do not allow public access",
            "Description": "S3 buckets should be configured to restrict public access.",
-            "resourcegroup": "storage",
        },
        first_seen_at="2024-01-02T00:00:00Z",
        muted=False,
@@ -2053,7 +2036,6 @@ def finding_groups_fixture(
            "CheckId": "s3_bucket_public_access",
            "checktitle": "Ensure S3 buckets do not allow public access",
            "Description": "S3 buckets should be configured to restrict public access.",
-            "resourcegroup": "storage",
        },
        first_seen_at="2024-01-03T00:00:00Z",
        muted=False,
@@ -2252,89 +2234,6 @@ def finding_groups_fixture(
    return findings


-@pytest.fixture
-def finding_groups_title_variants_fixture(
-    tenants_fixture, providers_fixture, scans_fixture, resources_fixture
-):
-    """
-    Two providers report the same check_id with different checktitle values.
-
-    Simulates a Prowler version upgrade where the check title changed but the
-    check_id stayed the same.  Used to verify that check_title__icontains
-    resolves to check_id first, so results include all providers regardless
-    of which title variant matches the search term.
-    """
-    tenant = tenants_fixture[0]
-    provider1, provider2, *_ = providers_fixture
-    scan1, scan2, *_ = scans_fixture
-    resource1, resource2, *_ = resources_fixture
-
-    findings = []
-
-    # Provider 1 — OLD title variant
-    finding_old = Finding.objects.create(
-        tenant_id=tenant.id,
-        uid="fg_title_variant_old",
-        scan=scan1,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="Secret scanning not enabled",
-        impact=Severity.high,
-        impact_extended="High risk",
-        severity=Severity.high,
-        raw_result={"status": Status.FAIL, "severity": Severity.high},
-        tags={},
-        check_id="github_secret_scanning_enabled",
-        check_metadata={
-            "CheckId": "github_secret_scanning_enabled",
-            "checktitle": "Ensure repository has secret scanning enabled",
-            "Description": "Checks if secret scanning is enabled.",
-        },
-        first_seen_at="2024-01-01T00:00:00Z",
-        muted=False,
-    )
-    finding_old.add_resources([resource1])
-    findings.append(finding_old)
-
-    # Provider 2 — NEW title variant (same check_id, different checktitle)
-    finding_new = Finding.objects.create(
-        tenant_id=tenant.id,
-        uid="fg_title_variant_new",
-        scan=scan2,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="Secret scanning not enabled on repo",
-        impact=Severity.high,
-        impact_extended="High risk",
-        severity=Severity.high,
-        raw_result={"status": Status.FAIL, "severity": Severity.high},
-        tags={},
-        check_id="github_secret_scanning_enabled",
-        check_metadata={
-            "CheckId": "github_secret_scanning_enabled",
-            "checktitle": "Check if secret scanning is enabled in GitHub",
-            "Description": "Checks if secret scanning is enabled.",
-        },
-        first_seen_at="2024-01-02T00:00:00Z",
-        muted=False,
-    )
-    finding_new.add_resources([resource2])
-    findings.append(finding_new)
-
-    from tasks.jobs.scan import aggregate_finding_group_summaries
-
-    aggregate_finding_group_summaries(
-        tenant_id=str(tenant.id),
-        scan_id=str(scan1.id),
-    )
-    aggregate_finding_group_summaries(
-        tenant_id=str(tenant.id),
-        scan_id=str(scan2.id),
-    )
-
-    return findings
-
-
 def pytest_collection_modifyitems(items):
    """Ensure test_rbac.py is executed first."""
    items.sort(key=lambda item: 0 if "test_rbac.py" in item.nodeid else 1)
@@ -1,152 +0,0 @@
-from datetime import datetime, timedelta, timezone
-
-from celery import current_app, states
-from celery.utils.log import get_task_logger
-from config.django.base import ATTACK_PATHS_SCAN_STALE_THRESHOLD_MINUTES
-from tasks.jobs.attack_paths.db_utils import (
-    _mark_scan_finished,
-    recover_graph_data_ready,
-)
-
-from api.attack_paths import database as graph_database
-from api.db_router import MainRouter
-from api.db_utils import rls_transaction
-from api.models import AttackPathsScan, StateChoices
-
-logger = get_task_logger(__name__)
-
-
-def cleanup_stale_attack_paths_scans() -> dict:
-    """
-    Find `EXECUTING` `AttackPathsScan` scans whose workers are dead or that have
-    exceeded the stale threshold, and mark them as `FAILED`.
-
-    Two-pass detection:
-    1. If `TaskResult.worker` exists, ping the worker.
-       - Dead worker: cleanup immediately (any age).
-       - Alive + past threshold: revoke the task, then cleanup.
-       - Alive + within threshold: skip.
-    2. If no worker field: fall back to time-based heuristic only.
-    """
-    threshold = timedelta(minutes=ATTACK_PATHS_SCAN_STALE_THRESHOLD_MINUTES)
-    now = datetime.now(tz=timezone.utc)
-    cutoff = now - threshold
-
-    executing_scans = (
-        AttackPathsScan.all_objects.using(MainRouter.admin_db)
-        .filter(state=StateChoices.EXECUTING)
-        .select_related("task__task_runner_task")
-    )
-
-    # Cache worker liveness so each worker is pinged at most once
-    executing_scans = list(executing_scans)
-    workers = {
-        tr.worker
-        for scan in executing_scans
-        if (tr := getattr(scan.task, "task_runner_task", None) if scan.task else None)
-        and tr.worker
-    }
-    worker_alive = {w: _is_worker_alive(w) for w in workers}
-
-    cleaned_up = []
-
-    for scan in executing_scans:
-        task_result = (
-            getattr(scan.task, "task_runner_task", None) if scan.task else None
-        )
-        worker = task_result.worker if task_result else None
-
-        if worker:
-            alive = worker_alive.get(worker, True)
-
-            if alive:
-                if scan.started_at and scan.started_at >= cutoff:
-                    continue
-
-                # Alive but stale — revoke before cleanup
-                _revoke_task(task_result)
-                reason = (
-                    "Scan exceeded stale threshold — " "cleaned up by periodic task"
-                )
-            else:
-                reason = "Worker dead — cleaned up by periodic task"
-        else:
-            # No worker recorded — time-based heuristic only
-            if scan.started_at and scan.started_at >= cutoff:
-                continue
-            reason = (
-                "No worker recorded, scan exceeded stale threshold — "
-                "cleaned up by periodic task"
-            )
-
-        if _cleanup_scan(scan, task_result, reason):
-            cleaned_up.append(str(scan.id))
-
-    logger.info(
-        f"Stale `AttackPathsScan` cleanup: {len(cleaned_up)} scan(s) cleaned up"
-    )
-    return {"cleaned_up_count": len(cleaned_up), "scan_ids": cleaned_up}
-
-
-def _is_worker_alive(worker: str) -> bool:
-    """Ping a specific Celery worker. Returns `True` if it responds or on error."""
-    try:
-        response = current_app.control.inspect(destination=[worker], timeout=1.0).ping()
-        return response is not None and worker in response
-    except Exception:
-        logger.exception(f"Failed to ping worker {worker}, treating as alive")
-        return True
-
-
-def _revoke_task(task_result) -> None:
-    """Send `SIGTERM` to a hung Celery task. Non-fatal on failure."""
-    try:
-        current_app.control.revoke(
-            task_result.task_id, terminate=True, signal="SIGTERM"
-        )
-        logger.info(f"Revoked task {task_result.task_id}")
-    except Exception:
-        logger.exception(f"Failed to revoke task {task_result.task_id}")
-
-
-def _cleanup_scan(scan, task_result, reason: str) -> bool:
-    """
-    Clean up a single stale `AttackPathsScan`:
-    drop temp DB, mark `FAILED`, update `TaskResult`, recover `graph_data_ready`.
-
-    Returns `True` if the scan was actually cleaned up, `False` if skipped.
-    """
-    scan_id_str = str(scan.id)
-
-    # 1. Drop temp Neo4j database
-    tmp_db_name = graph_database.get_database_name(scan.id, temporary=True)
-    try:
-        graph_database.drop_database(tmp_db_name)
-    except Exception:
-        logger.exception(f"Failed to drop temp database {tmp_db_name}")
-
-    # 2. Lock row, verify still EXECUTING, mark FAILED — all atomic
-    with rls_transaction(str(scan.tenant_id)):
-        try:
-            fresh_scan = AttackPathsScan.objects.select_for_update().get(id=scan.id)
-        except AttackPathsScan.DoesNotExist:
-            logger.warning(f"Scan {scan_id_str} no longer exists, skipping")
-            return False
-
-        if fresh_scan.state != StateChoices.EXECUTING:
-            logger.info(f"Scan {scan_id_str} is now {fresh_scan.state}, skipping")
-            return False
-
-        _mark_scan_finished(fresh_scan, StateChoices.FAILED, {"global_error": reason})
-
-    # 3. Mark `TaskResult` as `FAILURE` (not RLS-protected, outside lock)
-    if task_result:
-        task_result.status = states.FAILURE
-        task_result.date_done = datetime.now(tz=timezone.utc)
-        task_result.save(update_fields=["status", "date_done"])
-
-    # 4. Recover graph_data_ready if provider data still exists
-    recover_graph_data_ready(fresh_scan)
-
-    logger.info(f"Cleaned up stale scan {scan_id_str}: {reason}")
-    return True
@@ -63,9 +63,11 @@ INTERNAL_LABELS: list[str] = [
 ]

 # Provider isolation properties
+PROVIDER_ID_PROPERTY = "_provider_id"
 PROVIDER_ELEMENT_ID_PROPERTY = "_provider_element_id"

 PROVIDER_ISOLATION_PROPERTIES: list[str] = [
+    PROVIDER_ID_PROPERTY,
    PROVIDER_ELEMENT_ID_PROPERTY,
 ]

@@ -88,41 +88,34 @@ def starting_attack_paths_scan(
        )


-def _mark_scan_finished(
-    attack_paths_scan: ProwlerAPIAttackPathsScan,
-    state: StateChoices,
-    ingestion_exceptions: dict[str, Any],
-) -> None:
-    """Set terminal fields on a scan. Caller must be inside a transaction."""
-    now = datetime.now(tz=timezone.utc)
-    duration = (
-        int((now - attack_paths_scan.started_at).total_seconds())
-        if attack_paths_scan.started_at
-        else 0
-    )
-    attack_paths_scan.state = state
-    attack_paths_scan.progress = 100
-    attack_paths_scan.completed_at = now
-    attack_paths_scan.duration = duration
-    attack_paths_scan.ingestion_exceptions = ingestion_exceptions
-    attack_paths_scan.save(
-        update_fields=[
-            "state",
-            "progress",
-            "completed_at",
-            "duration",
-            "ingestion_exceptions",
-        ]
-    )
-
-
 def finish_attack_paths_scan(
    attack_paths_scan: ProwlerAPIAttackPathsScan,
    state: StateChoices,
    ingestion_exceptions: dict[str, Any],
 ) -> None:
    with rls_transaction(attack_paths_scan.tenant_id):
-        _mark_scan_finished(attack_paths_scan, state, ingestion_exceptions)
+        now = datetime.now(tz=timezone.utc)
+        duration = (
+            int((now - attack_paths_scan.started_at).total_seconds())
+            if attack_paths_scan.started_at
+            else 0
+        )
+
+        attack_paths_scan.state = state
+        attack_paths_scan.progress = 100
+        attack_paths_scan.completed_at = now
+        attack_paths_scan.duration = duration
+        attack_paths_scan.ingestion_exceptions = ingestion_exceptions
+
+        attack_paths_scan.save(
+            update_fields=[
+                "state",
+                "progress",
+                "completed_at",
+                "duration",
+                "ingestion_exceptions",
+            ]
+        )


 def update_attack_paths_scan_progress(
@@ -201,26 +194,25 @@ def fail_attack_paths_scan(
    Used as a safety net when the Celery task fails outside the job's own error handling.
    """
    attack_paths_scan = retrieve_attack_paths_scan(tenant_id, scan_id)
-    if not attack_paths_scan:
-        return
+    if attack_paths_scan and attack_paths_scan.state not in (
+        StateChoices.COMPLETED,
+        StateChoices.FAILED,
+    ):
+        tmp_db_name = graph_database.get_database_name(
+            attack_paths_scan.id, temporary=True
+        )
+        try:
+            graph_database.drop_database(tmp_db_name)

-    tmp_db_name = graph_database.get_database_name(attack_paths_scan.id, temporary=True)
-    try:
-        graph_database.drop_database(tmp_db_name)
-    except Exception:
-        logger.exception(
-            f"Failed to drop temp database {tmp_db_name} during failure handling"
+        except Exception:
+            logger.exception(
+                f"Failed to drop temp database {tmp_db_name} during failure handling"
+            )
+
+        finish_attack_paths_scan(
+            attack_paths_scan,
+            StateChoices.FAILED,
+            {"global_error": error},
        )

-    with rls_transaction(tenant_id):
-        try:
-            fresh = ProwlerAPIAttackPathsScan.objects.select_for_update().get(
-                id=attack_paths_scan.id
-            )
-        except ProwlerAPIAttackPathsScan.DoesNotExist:
-            return
-        if fresh.state in (StateChoices.COMPLETED, StateChoices.FAILED):
-            return
-        _mark_scan_finished(fresh, StateChoices.FAILED, {"global_error": error})
-
-    recover_graph_data_ready(fresh)
+        recover_graph_data_ready(attack_paths_scan)
@@ -22,6 +22,7 @@ from tasks.jobs.attack_paths.config import (
    get_provider_resource_label,
    get_root_node_label,
 )
+from tasks.jobs.attack_paths.indexes import IndexType, create_indexes
 from tasks.jobs.attack_paths.queries import (
    ADD_RESOURCE_LABEL_TEMPLATE,
    CLEANUP_FINDINGS_TEMPLATE,
@@ -83,6 +84,11 @@ def _to_neo4j_dict(record: dict[str, Any], resource_uid: str) -> dict[str, Any]:
 # ----------


+def create_findings_indexes(neo4j_session: neo4j.Session) -> None:
+    """Create indexes for Prowler findings and resource lookups."""
+    create_indexes(neo4j_session, IndexType.FINDINGS)
+
+
 def analysis(
    neo4j_session: neo4j.Session,
    prowler_api_provider: Provider,
@@ -190,6 +196,7 @@ def cleanup_findings(
 ) -> None:
    """Remove stale findings (classic Cartography behaviour)."""
    parameters = {
+        "provider_uid": str(prowler_api_provider.uid),
        "last_updated": config.update_tag,
        "batch_size": BATCH_SIZE,
    }
@@ -1,3 +1,5 @@
+from enum import Enum
+
 import neo4j

 from cartography.client.core.tx import run_write_query
@@ -7,12 +9,20 @@ from tasks.jobs.attack_paths.config import (
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
    PROVIDER_ELEMENT_ID_PROPERTY,
+    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

 logger = get_task_logger(__name__)


+class IndexType(Enum):
+    """Types of indexes that can be created."""
+
+    FINDINGS = "findings"
+    SYNC = "sync"
+
+
 # Indexes for Prowler findings and resource lookups
 FINDINGS_INDEX_STATEMENTS = [
    # Resource indexes for Prowler Finding lookups
@@ -20,6 +30,7 @@ FINDINGS_INDEX_STATEMENTS = [
    "CREATE INDEX aws_resource_id IF NOT EXISTS FOR (n:_AWSResource) ON (n.id);",
    # Prowler Finding indexes
    f"CREATE INDEX prowler_finding_id IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.id);",
+    f"CREATE INDEX prowler_finding_provider_uid IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.provider_uid);",
    f"CREATE INDEX prowler_finding_lastupdated IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.lastupdated);",
    f"CREATE INDEX prowler_finding_status IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.status);",
    # Internet node index for MERGE lookups
@@ -29,18 +40,30 @@ FINDINGS_INDEX_STATEMENTS = [
 # Indexes for provider resource sync operations
 SYNC_INDEX_STATEMENTS = [
    f"CREATE INDEX provider_resource_element_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ELEMENT_ID_PROPERTY});",
+    f"CREATE INDEX provider_resource_provider_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ID_PROPERTY});",
 ]


-def create_findings_indexes(neo4j_session: neo4j.Session) -> None:
-    """Create indexes for Prowler findings and resource lookups."""
-    logger.info("Creating indexes for Prowler Findings node types")
-    for statement in FINDINGS_INDEX_STATEMENTS:
-        run_write_query(neo4j_session, statement)
+def create_indexes(neo4j_session: neo4j.Session, index_type: IndexType) -> None:
+    """
+    Create indexes for the specified type.
+
+    Args:
+        `neo4j_session`: The Neo4j session to use
+        `index_type`: The type of indexes to create (FINDINGS or SYNC)
+    """
+    if index_type == IndexType.FINDINGS:
+        logger.info("Creating indexes for Prowler Findings node types")
+        for statement in FINDINGS_INDEX_STATEMENTS:
+            run_write_query(neo4j_session, statement)
+
+    elif index_type == IndexType.SYNC:
+        logger.info("Ensuring ProviderResource indexes exist")
+        for statement in SYNC_INDEX_STATEMENTS:
+            neo4j_session.run(statement)


-def create_sync_indexes(neo4j_session: neo4j.Session) -> None:
-    """Create indexes for provider resource sync operations."""
-    logger.info("Ensuring ProviderResource indexes exist")
-    for statement in SYNC_INDEX_STATEMENTS:
-        neo4j_session.run(statement)
+def create_all_indexes(neo4j_session: neo4j.Session) -> None:
+    """Create all indexes (both findings and sync)."""
+    create_indexes(neo4j_session, IndexType.FINDINGS)
+    create_indexes(neo4j_session, IndexType.SYNC)
@@ -3,6 +3,7 @@ from tasks.jobs.attack_paths.config import (
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
    PROVIDER_ELEMENT_ID_PROPERTY,
+    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

@@ -61,6 +62,7 @@ INSERT_FINDING_TEMPLATE = f"""
            finding.check_title = finding_data.check_title,
            finding.muted = finding_data.muted,
            finding.muted_reason = finding_data.muted_reason,
+            finding.provider_uid = $provider_uid,
            finding.firstseen = timestamp(),
            finding.lastupdated = $last_updated,
            finding._module_name = 'cartography:prowler',
@@ -72,6 +74,7 @@ INSERT_FINDING_TEMPLATE = f"""

    MERGE (resource)-[rel:HAS_FINDING]->(finding)
        ON CREATE SET
+            rel.provider_uid = $provider_uid,
            rel.firstseen = timestamp(),
            rel.lastupdated = $last_updated,
            rel._module_name = 'cartography:prowler',
@@ -81,7 +84,7 @@ INSERT_FINDING_TEMPLATE = f"""
 """

 CLEANUP_FINDINGS_TEMPLATE = f"""
-    MATCH (finding:{PROWLER_FINDING_LABEL})
+    MATCH (finding:{PROWLER_FINDING_LABEL} {{provider_uid: $provider_uid}})
        WHERE finding.lastupdated < $last_updated

    WITH finding LIMIT $batch_size
@@ -152,6 +155,7 @@ NODE_SYNC_TEMPLATE = f"""
    UNWIND $rows AS row
    MERGE (n:__NODE_LABELS__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}})
    SET n += row.props
+    SET n.{PROVIDER_ID_PROPERTY} = $provider_id
 """

 RELATIONSHIP_SYNC_TEMPLATE = f"""
@@ -160,4 +164,5 @@ RELATIONSHIP_SYNC_TEMPLATE = f"""
    MATCH (t:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.end_element_id}})
    MERGE (s)-[r:__REL_TYPE__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}}]->(t)
    SET r += row.props
+    SET r.{PROVIDER_ID_PROPERTY} = $provider_id
 """
@@ -38,12 +38,12 @@ Pipeline steps:
   Stale findings from previous scans are cleaned up.

 7. Sync the temp database into the tenant database:
-   - Drop the old provider subgraph (matched by dynamic _Provider_{uuid} label).
+   - Drop the old provider subgraph (matched by _provider_id property).
     graph_data_ready is set to False for all scans of this provider while
     the swap happens so the API doesn't serve partial data.
   - Copy nodes and relationships in batches. Every synced node gets a
-     _ProviderResource label and dynamic _Tenant_{uuid} / _Provider_{uuid}
-     isolation labels, plus a _provider_element_id property for MERGE keys.
+     _ProviderResource label and _provider_id / _provider_element_id
+     properties for multi-provider isolation.
   - Set graph_data_ready back to True.

 8. Drop the temporary database, mark the AttackPathsScan as COMPLETED.
@@ -62,7 +62,7 @@ from cartography.intel import analysis as cartography_analysis
 from cartography.intel import create_indexes as cartography_create_indexes
 from cartography.intel import ontology as cartography_ontology
 from celery.utils.log import get_task_logger
-from tasks.jobs.attack_paths import db_utils, findings, indexes, internet, sync, utils
+from tasks.jobs.attack_paths import db_utils, findings, internet, sync, utils
 from tasks.jobs.attack_paths.config import get_cartography_ingestion_function

 from api.attack_paths import database as graph_database
@@ -165,7 +165,7 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        ) as tmp_neo4j_session:
            # Indexes creation
            cartography_create_indexes.run(tmp_neo4j_session, tmp_cartography_config)
-            indexes.create_findings_indexes(tmp_neo4j_session)
+            findings.create_findings_indexes(tmp_neo4j_session)
            db_utils.update_attack_paths_scan_progress(attack_paths_scan, 2)

            # The real scan, where iterates over cloud services
@@ -221,8 +221,8 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
            cartography_create_indexes.run(
                tenant_neo4j_session, tenant_cartography_config
            )
-            indexes.create_findings_indexes(tenant_neo4j_session)
-            indexes.create_sync_indexes(tenant_neo4j_session)
+            findings.create_findings_indexes(tenant_neo4j_session)
+            sync.create_sync_indexes(tenant_neo4j_session)

        logger.info(f"Deleting existing provider graph in {tenant_database_name}")
        db_utils.set_provider_graph_data_ready(attack_paths_scan, False)
@@ -10,6 +10,8 @@ from typing import Any

 import neo4j
 from celery.utils.log import get_task_logger
+
+from api.attack_paths import database as graph_database
 from tasks.jobs.attack_paths.config import (
    PROVIDER_ISOLATION_PROPERTIES,
    PROVIDER_RESOURCE_LABEL,
@@ -17,6 +19,7 @@ from tasks.jobs.attack_paths.config import (
    get_provider_label,
    get_tenant_label,
 )
+from tasks.jobs.attack_paths.indexes import IndexType, create_indexes
 from tasks.jobs.attack_paths.queries import (
    NODE_FETCH_QUERY,
    NODE_SYNC_TEMPLATE,
@@ -25,11 +28,14 @@ from tasks.jobs.attack_paths.queries import (
    render_cypher_template,
 )

-from api.attack_paths import database as graph_database
-
 logger = get_task_logger(__name__)


+def create_sync_indexes(neo4j_session) -> None:
+    """Create indexes for provider resource sync operations."""
+    create_indexes(neo4j_session, IndexType.SYNC)
+
+
 def sync_graph(
    source_database: str,
    target_database: str,
@@ -75,8 +81,8 @@ def sync_nodes(
    """
    Sync nodes from source to target database.

-    Adds `_ProviderResource` label and dynamic `_Tenant_{id}` and `_Provider_{id}`
-    isolation labels to all nodes.
+    Adds `_ProviderResource` label and `_provider_id` property to all nodes.
+    Also adds dynamic `_Tenant_{id}` and `_Provider_{id}` isolation labels.

    Source and target sessions are opened sequentially per batch to avoid
    holding two Bolt connections simultaneously for the entire sync duration.
@@ -113,7 +119,13 @@ def sync_nodes(
                query = render_cypher_template(
                    NODE_SYNC_TEMPLATE, {"__NODE_LABELS__": node_labels}
                )
-                target_session.run(query, {"rows": batch})
+                target_session.run(
+                    query,
+                    {
+                        "rows": batch,
+                        "provider_id": provider_id,
+                    },
+                )

        total_synced += batch_count
        logger.info(
@@ -131,7 +143,7 @@ def sync_relationships(
    """
    Sync relationships from source to target database.

-    Matches source and target nodes by `_provider_element_id` in the tenant database.
+    Adds `_provider_id` property to all relationships.

    Source and target sessions are opened sequentially per batch to avoid
    holding two Bolt connections simultaneously for the entire sync duration.
@@ -162,7 +174,13 @@ def sync_relationships(
                query = render_cypher_template(
                    RELATIONSHIP_SYNC_TEMPLATE, {"__REL_TYPE__": rel_type}
                )
-                target_session.run(query, {"rows": batch})
+                target_session.run(
+                    query,
+                    {
+                        "rows": batch,
+                        "provider_id": provider_id,
+                    },
+                )

        total_synced += batch_count
        logger.info(
@@ -677,7 +677,6 @@ def _process_finding_micro_batch(

        # Create finding object (don't save yet)
        check_metadata = finding.get_metadata()
-        check_metadata["compliance"] = finding.compliance
        finding_instance = Finding(
            tenant_id=tenant_id,
            uid=finding_uid,
@@ -1888,8 +1887,7 @@ def aggregate_finding_group_summaries(tenant_id: str, scan_id: str):
                    inserted_at=summary_timestamp,
                    updated_at=updated_at,
                    check_title=metadata.get("checktitle", ""),
-                    check_description=metadata.get("description", "")
-                    or metadata.get("Description", ""),
+                    check_description=metadata.get("Description", ""),
                    severity_order=row["severity_order"] or 1,
                    pass_count=row["pass_count"],
                    fail_count=row["fail_count"],
@@ -11,9 +11,8 @@ from django_celery_beat.models import PeriodicTask
 from tasks.jobs.attack_paths import (
    attack_paths_scan,
    can_provider_run_attack_paths_scan,
+    db_utils as attack_paths_db_utils,
 )
-from tasks.jobs.attack_paths import db_utils as attack_paths_db_utils
-from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
 from tasks.jobs.backfill import (
    backfill_compliance_summaries,
    backfill_daily_severity_summaries,
@@ -407,11 +406,6 @@ def perform_attack_paths_scan_task(self, tenant_id: str, scan_id: str):
    )


-@shared_task(name="attack-paths-cleanup-stale-scans", queue="attack-paths-scans")
-def cleanup_stale_attack_paths_scans_task():
-    return cleanup_stale_attack_paths_scans()
-
-
@shared_task(name="tenant-deletion", queue="deletion", autoretry_for=(Exception,))
 def delete_tenant_task(tenant_id: str):
    return delete_tenant(pk=tenant_id)
@@ -766,33 +760,6 @@ def aggregate_finding_group_summaries_task(tenant_id: str, scan_id: str):
    return aggregate_finding_group_summaries(tenant_id=tenant_id, scan_id=scan_id)


-@shared_task(
-    base=RLSTask, name="reaggregate-all-finding-group-summaries", queue="overview"
-)
-@set_tenant(keep_tenant=True)
-def reaggregate_all_finding_group_summaries_task(tenant_id: str):
-    """Reaggregate finding group summaries for all providers' latest completed scans."""
-    latest_scan_ids = list(
-        Scan.objects.filter(tenant_id=tenant_id, state=StateChoices.COMPLETED)
-        .order_by("provider_id", "-completed_at", "-inserted_at")
-        .distinct("provider_id")
-        .values_list("id", flat=True)
-    )
-    if latest_scan_ids:
-        logger.info(
-            "Reaggregating finding group summaries for %d scans: %s",
-            len(latest_scan_ids),
-            latest_scan_ids,
-        )
-        group(
-            aggregate_finding_group_summaries_task.si(
-                tenant_id=tenant_id, scan_id=str(scan_id)
-            )
-            for scan_id in latest_scan_ids
-        ).apply_async()
-    return {"scans_reaggregated": len(latest_scan_ids)}
-
-
@shared_task(base=RLSTask, name="lighthouse-connection-check")
@set_tenant
 def check_lighthouse_connection_task(lighthouse_config_id: str, tenant_id: str = None):
@@ -1,12 +1,9 @@
 from contextlib import nullcontext
-from datetime import datetime, timedelta, timezone
 from types import SimpleNamespace
 from unittest.mock import MagicMock, call, patch

 import pytest
-from django_celery_results.models import TaskResult
 from tasks.jobs.attack_paths import findings as findings_module
-from tasks.jobs.attack_paths import indexes as indexes_module
 from tasks.jobs.attack_paths import internet as internet_module
 from tasks.jobs.attack_paths import sync as sync_module
 from tasks.jobs.attack_paths.scan import run as attack_paths_run
@@ -20,7 +17,6 @@ from api.models import (
    Scan,
    StateChoices,
    StatusChoices,
-    Task,
 )
 from prowler.lib.check.models import Severity

@@ -40,10 +36,10 @@ class TestAttackPathsRun:
    @patch("tasks.jobs.attack_paths.scan.db_utils.starting_attack_paths_scan")
    @patch("tasks.jobs.attack_paths.scan.sync.sync_graph")
    @patch("tasks.jobs.attack_paths.scan.graph_database.drop_subgraph")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_sync_indexes")
+    @patch("tasks.jobs.attack_paths.scan.sync.create_sync_indexes")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_ontology.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
@@ -190,7 +186,7 @@ class TestAttackPathsRun:
    @patch("tasks.jobs.attack_paths.scan.db_utils.starting_attack_paths_scan")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
    @patch("tasks.jobs.attack_paths.scan.graph_database.create_database")
@@ -289,7 +285,7 @@ class TestAttackPathsRun:
    @patch("tasks.jobs.attack_paths.scan.db_utils.starting_attack_paths_scan")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
    @patch("tasks.jobs.attack_paths.scan.graph_database.create_database")
@@ -392,7 +388,7 @@ class TestAttackPathsRun:
    @patch("tasks.jobs.attack_paths.scan.db_utils.starting_attack_paths_scan")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
    @patch("tasks.jobs.attack_paths.scan.graph_database.create_database")
@@ -494,10 +490,10 @@ class TestAttackPathsRun:
        "tasks.jobs.attack_paths.scan.graph_database.drop_subgraph",
        side_effect=RuntimeError("drop failed"),
    )
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_sync_indexes")
+    @patch("tasks.jobs.attack_paths.scan.sync.create_sync_indexes")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_ontology.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
@@ -607,10 +603,10 @@ class TestAttackPathsRun:
        side_effect=RuntimeError("sync failed"),
    )
    @patch("tasks.jobs.attack_paths.scan.graph_database.drop_subgraph")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_sync_indexes")
+    @patch("tasks.jobs.attack_paths.scan.sync.create_sync_indexes")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_ontology.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
@@ -720,10 +716,10 @@ class TestAttackPathsRun:
    @patch("tasks.jobs.attack_paths.scan.db_utils.starting_attack_paths_scan")
    @patch("tasks.jobs.attack_paths.scan.sync.sync_graph")
    @patch("tasks.jobs.attack_paths.scan.graph_database.drop_subgraph")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_sync_indexes")
+    @patch("tasks.jobs.attack_paths.scan.sync.create_sync_indexes")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_ontology.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
@@ -838,10 +834,10 @@ class TestAttackPathsRun:
        "tasks.jobs.attack_paths.scan.graph_database.drop_subgraph",
        side_effect=RuntimeError("drop failed"),
    )
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_sync_indexes")
+    @patch("tasks.jobs.attack_paths.scan.sync.create_sync_indexes")
    @patch("tasks.jobs.attack_paths.scan.internet.analysis")
    @patch("tasks.jobs.attack_paths.scan.findings.analysis")
-    @patch("tasks.jobs.attack_paths.scan.indexes.create_findings_indexes")
+    @patch("tasks.jobs.attack_paths.scan.findings.create_findings_indexes")
    @patch("tasks.jobs.attack_paths.scan.cartography_ontology.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_analysis.run")
    @patch("tasks.jobs.attack_paths.scan.cartography_create_indexes.run")
@@ -1007,6 +1003,9 @@ class TestFailAttackPathsScan:
            patch(
                "tasks.jobs.attack_paths.db_utils.graph_database.drop_database"
            ) as mock_drop_db,
+            patch(
+                "tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"
+            ) as mock_finish,
            patch("tasks.jobs.attack_paths.db_utils.recover_graph_data_ready"),
        ):
            fail_attack_paths_scan(str(tenant.id), str(scan.id), "setup exploded")
@@ -1014,12 +1013,11 @@ class TestFailAttackPathsScan:
        mock_retrieve.assert_called_once_with(str(tenant.id), str(scan.id))
        expected_tmp_db = f"db-tmp-scan-{str(attack_paths_scan.id).lower()}"
        mock_drop_db.assert_called_once_with(expected_tmp_db)
-
-        attack_paths_scan.refresh_from_db()
-        assert attack_paths_scan.state == StateChoices.FAILED
-        assert attack_paths_scan.ingestion_exceptions == {
-            "global_error": "setup exploded"
-        }
+        mock_finish.assert_called_once_with(
+            attack_paths_scan,
+            StateChoices.FAILED,
+            {"global_error": "setup exploded"},
+        )

    def test_drops_temp_database_even_when_drop_fails(
        self, tenants_fixture, providers_fixture, scans_fixture
@@ -1050,12 +1048,18 @@ class TestFailAttackPathsScan:
                "tasks.jobs.attack_paths.db_utils.graph_database.drop_database",
                side_effect=Exception("Neo4j unreachable"),
            ),
+            patch(
+                "tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"
+            ) as mock_finish,
            patch("tasks.jobs.attack_paths.db_utils.recover_graph_data_ready"),
        ):
            fail_attack_paths_scan(str(tenant.id), str(scan.id), "setup exploded")

-        attack_paths_scan.refresh_from_db()
-        assert attack_paths_scan.state == StateChoices.FAILED
+        mock_finish.assert_called_once_with(
+            attack_paths_scan,
+            StateChoices.FAILED,
+            {"global_error": "setup exploded"},
+        )

    def test_skips_already_failed_scan(
        self, tenants_fixture, providers_fixture, scans_fixture
@@ -1085,25 +1089,33 @@ class TestFailAttackPathsScan:
            patch(
                "tasks.jobs.attack_paths.db_utils.graph_database.drop_database"
            ) as mock_drop_db,
+            patch(
+                "tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"
+            ) as mock_finish,
        ):
            fail_attack_paths_scan(str(tenant.id), str(scan.id), "setup exploded")

-        mock_drop_db.assert_called_once()
-
-        attack_paths_scan.refresh_from_db()
-        assert attack_paths_scan.state == StateChoices.FAILED
+        mock_drop_db.assert_not_called()
+        mock_finish.assert_not_called()

    def test_skips_when_no_scan_found(self, tenants_fixture):
        from tasks.jobs.attack_paths.db_utils import fail_attack_paths_scan

        tenant = tenants_fixture[0]

-        with patch(
-            "tasks.jobs.attack_paths.db_utils.retrieve_attack_paths_scan",
-            return_value=None,
+        with (
+            patch(
+                "tasks.jobs.attack_paths.db_utils.retrieve_attack_paths_scan",
+                return_value=None,
+            ),
+            patch(
+                "tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"
+            ) as mock_finish,
        ):
            fail_attack_paths_scan(str(tenant.id), "nonexistent", "setup exploded")

+        mock_finish.assert_not_called()
+
    def test_fail_recovers_graph_data_ready_when_data_exists(
        self, tenants_fixture, providers_fixture, scans_fixture
    ):
@@ -1130,6 +1142,7 @@ class TestFailAttackPathsScan:
                return_value=attack_paths_scan,
            ),
            patch("tasks.jobs.attack_paths.db_utils.graph_database.drop_database"),
+            patch("tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"),
            patch(
                "tasks.jobs.attack_paths.db_utils.graph_database.has_provider_data",
                return_value=True,
@@ -1168,6 +1181,7 @@ class TestFailAttackPathsScan:
                return_value=attack_paths_scan,
            ),
            patch("tasks.jobs.attack_paths.db_utils.graph_database.drop_database"),
+            patch("tasks.jobs.attack_paths.db_utils.finish_attack_paths_scan"),
            patch(
                "tasks.jobs.attack_paths.db_utils.graph_database.has_provider_data",
                return_value=False,
@@ -1251,7 +1265,7 @@ class TestAttackPathsFindingsHelpers:
    def test_create_findings_indexes_executes_all_statements(self):
        mock_session = MagicMock()
        with patch("tasks.jobs.attack_paths.indexes.run_write_query") as mock_run_write:
-            indexes_module.create_findings_indexes(mock_session)
+            findings_module.create_findings_indexes(mock_session)

        from tasks.jobs.attack_paths.indexes import FINDINGS_INDEX_STATEMENTS

@@ -1313,6 +1327,7 @@ class TestAttackPathsFindingsHelpers:

        assert mock_session.run.call_count == 2
        params = mock_session.run.call_args.args[1]
+        assert params["provider_uid"] == str(provider.uid)
        assert params["last_updated"] == config.update_tag

    def test_stream_findings_with_resources_returns_latest_scan_data(
@@ -2302,374 +2317,3 @@ class TestAttackPathsDbUtilsGraphDataReady:
        ap_scan_b.refresh_from_db()
        assert ap_scan_a.graph_data_ready is False
        assert ap_scan_b.graph_data_ready is True
-
-
-@pytest.mark.django_db
-class TestCleanupStaleAttackPathsScans:
-    def _create_executing_scan(
-        self, tenant, provider, scan=None, started_at=None, worker=None
-    ):
-        """Helper to create an EXECUTING AttackPathsScan with optional Task+TaskResult."""
-        ap_scan = AttackPathsScan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            scan=scan,
-            state=StateChoices.EXECUTING,
-            started_at=started_at or datetime.now(tz=timezone.utc),
-        )
-
-        task_result = None
-        if worker is not None:
-            task_result = TaskResult.objects.create(
-                task_id=str(ap_scan.id),
-                task_name="attack-paths-scan-perform",
-                status="STARTED",
-                worker=worker,
-            )
-            task = Task.objects.create(
-                id=task_result.task_id,
-                task_runner_task=task_result,
-                tenant_id=tenant.id,
-            )
-            ap_scan.task = task
-            ap_scan.save(update_fields=["task_id"])
-
-        return ap_scan, task_result
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=False)
-    def test_cleans_up_scan_with_dead_worker(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        # Recent scan — should still be cleaned up because worker is dead
-        ap_scan, task_result = self._create_executing_scan(
-            tenant, provider, worker="dead-worker@host"
-        )
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 1
-        assert str(ap_scan.id) in result["scan_ids"]
-        mock_drop_db.assert_called_once()
-        mock_recover.assert_called_once()
-
-        ap_scan.refresh_from_db()
-        assert ap_scan.state == StateChoices.FAILED
-        assert ap_scan.progress == 100
-        assert ap_scan.completed_at is not None
-        assert ap_scan.ingestion_exceptions == {
-            "global_error": "Worker dead — cleaned up by periodic task"
-        }
-
-        task_result.refresh_from_db()
-        assert task_result.status == "FAILURE"
-        assert task_result.date_done is not None
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._revoke_task")
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=True)
-    def test_revokes_and_cleans_scan_exceeding_threshold_on_live_worker(
-        self,
-        mock_alive,
-        mock_revoke,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        old_start = datetime.now(tz=timezone.utc) - timedelta(hours=49)
-        ap_scan, task_result = self._create_executing_scan(
-            tenant, provider, started_at=old_start, worker="live-worker@host"
-        )
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 1
-        mock_revoke.assert_called_once_with(task_result)
-        mock_recover.assert_called_once()
-
-        ap_scan.refresh_from_db()
-        assert ap_scan.state == StateChoices.FAILED
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=True)
-    def test_ignores_recent_executing_scans_on_live_worker(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        # Recent scan on live worker — should be skipped
-        self._create_executing_scan(tenant, provider, worker="live-worker@host")
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 0
-        mock_drop_db.assert_not_called()
-        mock_recover.assert_not_called()
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    def test_ignores_completed_and_failed_scans(
-        self,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        AttackPathsScan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            state=StateChoices.COMPLETED,
-        )
-        AttackPathsScan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            state=StateChoices.FAILED,
-        )
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 0
-        mock_drop_db.assert_not_called()
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.graph_database.drop_database",
-        side_effect=Exception("Neo4j unreachable"),
-    )
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=False)
-    def test_handles_drop_database_failure_gracefully(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        self._create_executing_scan(tenant, provider, worker="dead-worker@host")
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 1
-        mock_drop_db.assert_called_once()
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=False)
-    def test_cross_tenant_cleanup(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant1 = tenants_fixture[0]
-        tenant2 = tenants_fixture[1]
-        provider1 = providers_fixture[0]
-        provider1.provider = Provider.ProviderChoices.AWS
-        provider1.save()
-
-        provider2 = Provider.objects.create(
-            provider="aws",
-            uid="999888777666",
-            alias="aws_tenant2",
-            tenant_id=tenant2.id,
-        )
-
-        ap_scan1, _ = self._create_executing_scan(
-            tenant1, provider1, worker="dead-worker-1@host"
-        )
-        ap_scan2, _ = self._create_executing_scan(
-            tenant2, provider2, worker="dead-worker-2@host"
-        )
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 2
-        assert mock_recover.call_count == 2
-
-        ap_scan1.refresh_from_db()
-        ap_scan2.refresh_from_db()
-        assert ap_scan1.state == StateChoices.FAILED
-        assert ap_scan2.state == StateChoices.FAILED
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=False)
-    def test_recovers_graph_data_ready_for_stale_scan(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        ap_scan, _ = self._create_executing_scan(
-            tenant, provider, worker="dead-worker@host"
-        )
-
-        cleanup_stale_attack_paths_scans()
-
-        mock_recover.assert_called_once()
-        recovered_scan = mock_recover.call_args[0][0]
-        assert recovered_scan.id == ap_scan.id
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    def test_fallback_to_time_heuristic_when_no_worker_field(
-        self,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        # Old scan with no Task/TaskResult
-        old_start = datetime.now(tz=timezone.utc) - timedelta(hours=49)
-        ap_scan = AttackPathsScan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            state=StateChoices.EXECUTING,
-            started_at=old_start,
-        )
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 1
-
-        ap_scan.refresh_from_db()
-        assert ap_scan.state == StateChoices.FAILED
-
-    @patch("tasks.jobs.attack_paths.cleanup.recover_graph_data_ready")
-    @patch("tasks.jobs.attack_paths.cleanup.graph_database.drop_database")
-    @patch(
-        "tasks.jobs.attack_paths.cleanup.rls_transaction",
-        new=lambda *args, **kwargs: nullcontext(),
-    )
-    @patch("tasks.jobs.attack_paths.cleanup._is_worker_alive", return_value=False)
-    def test_shared_worker_is_pinged_only_once(
-        self,
-        mock_alive,
-        mock_drop_db,
-        mock_recover,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-    ):
-        from tasks.jobs.attack_paths.cleanup import cleanup_stale_attack_paths_scans
-
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        provider.provider = Provider.ProviderChoices.AWS
-        provider.save()
-
-        # Two scans on the same dead worker
-        self._create_executing_scan(tenant, provider, worker="shared-worker@host")
-        self._create_executing_scan(tenant, provider, worker="shared-worker@host")
-
-        result = cleanup_stale_attack_paths_scans()
-
-        assert result["cleaned_up_count"] == 2
-        # Worker should be pinged exactly once — cache prevents second ping
-        mock_alive.assert_called_once_with("shared-worker@host")
@@ -1411,9 +1411,7 @@ class TestProcessFindingMicroBatch:
        assert created_finding.status == StatusChoices.PASS
        assert created_finding.delta == Finding.DeltaChoices.NEW
        assert created_finding.muted is False
-        expected_metadata = {**finding.metadata, "compliance": finding.compliance}
-        assert created_finding.check_metadata == expected_metadata
-        assert created_finding.check_metadata["compliance"] == finding.compliance
+        assert created_finding.check_metadata == finding.metadata
        assert created_finding.resource_regions == [finding.region]
        assert created_finding.resource_services == [finding.service_name]
        assert created_finding.resource_types == [finding.resource_type]
@@ -20,7 +20,6 @@ from tasks.tasks import (
    generate_outputs_task,
    perform_attack_paths_scan_task,
    perform_scheduled_scan_task,
-    reaggregate_all_finding_group_summaries_task,
    refresh_lighthouse_provider_models_task,
    s3_integration_task,
    security_hub_integration_task,
@@ -2352,47 +2351,3 @@ class TestPerformScheduledScanTask:
            ).count()
            == 1
        )
-
-
-@pytest.mark.django_db
-class TestReaggregateAllFindingGroupSummaries:
-    def setup_method(self):
-        self.tenant_id = str(uuid.uuid4())
-
-    @patch("tasks.tasks.group")
-    @patch("tasks.tasks.aggregate_finding_group_summaries_task")
-    @patch("tasks.tasks.Scan.objects.filter")
-    def test_dispatches_subtasks_for_each_provider(
-        self, mock_scan_filter, mock_agg_task, mock_group
-    ):
-        scan_id_1 = uuid.uuid4()
-        scan_id_2 = uuid.uuid4()
-        mock_group_result = MagicMock()
-        mock_group.side_effect = lambda gen: (list(gen), mock_group_result)[1]
-
-        mock_scan_filter.return_value.order_by.return_value.distinct.return_value.values_list.return_value = [
-            scan_id_1,
-            scan_id_2,
-        ]
-
-        result = reaggregate_all_finding_group_summaries_task(tenant_id=self.tenant_id)
-
-        assert result == {"scans_reaggregated": 2}
-        assert mock_agg_task.si.call_count == 2
-        mock_agg_task.si.assert_any_call(
-            tenant_id=self.tenant_id, scan_id=str(scan_id_1)
-        )
-        mock_agg_task.si.assert_any_call(
-            tenant_id=self.tenant_id, scan_id=str(scan_id_2)
-        )
-        mock_group_result.apply_async.assert_called_once()
-
-    @patch("tasks.tasks.group")
-    @patch("tasks.tasks.Scan.objects.filter")
-    def test_no_completed_scans_skips_dispatch(self, mock_scan_filter, mock_group):
-        mock_scan_filter.return_value.order_by.return_value.distinct.return_value.values_list.return_value = []
-
-        result = reaggregate_all_finding_group_summaries_task(tenant_id=self.tenant_id)
-
-        assert result == {"scans_reaggregated": 0}
-        mock_group.assert_not_called()
@@ -39,9 +39,6 @@ secrets:
  POSTGRES_PASSWORD:
  POSTGRES_DB:
  # Valkey settings
-  VALKEY_SCHEME: redis
-  VALKEY_USERNAME:
-  VALKEY_PASSWORD:
  VALKEY_HOST: valkey-headless
  VALKEY_PORT: "6379"
  VALKEY_DB: "0"
@@ -7,9 +7,6 @@ metadata:
    {{- include "prowler.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  VALKEY_SCHEME: {{ .Values.valkey.scheme | default "redis" | quote }}
-  VALKEY_USERNAME: {{ .Values.valkey.username | default "" | quote }}
-  VALKEY_PASSWORD: {{ .Values.valkey.password | default "" | quote }}
  VALKEY_HOST: "{{ include "prowler.fullname" . }}-valkey"
  VALKEY_PORT: "6379"
  VALKEY_DB: "0"
@@ -529,9 +529,6 @@ postgresql:
 valkey:
  # If enabled, it will create a Secret with the following.
  # Otherwise, create a secret with
-  # - VALKEY_SCHEME
-  # - VALKEY_USERNAME
-  # - VALKEY_PASSWORD
  # - VALKEY_HOST
  # - VALKEY_PORT
  # - VALKEY_DB
@@ -79,7 +79,7 @@ Remember, our community is here to help! If you need guidance, do not hesitate t
 Before proceeding, ensure the following:

 - Git is installed.
- Python 3.10 or higher is installed.
+- Python 3.9 or higher is installed.
 - `poetry` is installed to manage dependencies.

 ### Forking the Prowler Repository
@@ -1249,7 +1249,7 @@ Dependencies ensure that your provider's required libraries are available when P

 ```toml
 [tool.poetry.dependencies]
-python = ">=3.10,<3.13"
+python = "^3.9"
 # ... other dependencies
 your-sdk-library = "^1.0.0"  # Add your SDK dependency
 ```
@@ -225,7 +225,8 @@
                "group": "Kubernetes",
                "pages": [
                  "user-guide/providers/kubernetes/getting-started-k8s",
-                  "user-guide/providers/kubernetes/misc"
+                  "user-guide/providers/kubernetes/misc",
+                  "user-guide/cookbooks/kubernetes-in-cluster"
                ]
              },
              {
@@ -121,8 +121,8 @@ To update the environment file:
 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.22.0"
-PROWLER_API_VERSION="5.22.0"
+PROWLER_UI_VERSION="5.21.0"
+PROWLER_API_VERSION="5.21.0"
 ```

 <Note>
@@ -4,7 +4,7 @@ title: 'Installation'

 ## Installation

-To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/):
+To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/):

 <Tabs>
  <Tab title="pipx">
@@ -12,7 +12,7 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i

    _Requirements_:

-    * `Python >= 3.10, <= 3.12`
+    * `Python >= 3.9, <= 3.12`
    * `pipx` installed: [pipx installation](https://pipx.pypa.io/stable/installation/).
    * AWS, GCP, Azure and/or Kubernetes credentials

@@ -30,7 +30,7 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i

    _Requirements_:

-    * `Python >= 3.10, <= 3.12`
+    * `Python >= 3.9, <= 3.12`
    * `Python pip >= 21.0.0`
    * AWS, GCP, Azure, M365 and/or Kubernetes credentials

@@ -87,7 +87,7 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
  <Tab title="Amazon Linux 2">
    _Requirements_:

-    * `Python >= 3.10, <= 3.12`
+    * `Python >= 3.9, <= 3.12`
    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:
@@ -102,8 +102,8 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
  <Tab title="Ubuntu">
    _Requirements_:

-    * `Ubuntu 23.04` or above. For older Ubuntu versions, check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure `Python >= 3.10, <= 3.12` is installed.
-    * `Python >= 3.10, <= 3.12`
+    * `Ubuntu 23.04` or above. For older Ubuntu versions, check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure `Python >= 3.9, <= 3.12` is installed.
+    * `Python >= 3.9, <= 3.12`
    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Pepe Fagoaga	f3dca2c9c4	Merge branch 'master' into aws-regions-update-175	2026-03-23 14:27:21 +00:00
prowler-bot	54fe2cfa64	feat(aws): update regions for AWS services	2026-03-09 09:13:11 +00:00