fix(googleworkspace): treat secure Google defaults as PASS for Gmail checks

.github/CODEOWNERS

@@ -1,15 +1,14 @@
 # SDK
-/* @prowler-cloud/detection-remediation
-/prowler/ @prowler-cloud/detection-remediation
-/prowler/compliance/ @prowler-cloud/compliance
-/tests/ @prowler-cloud/detection-remediation
-/dashboard/ @prowler-cloud/detection-remediation
-/docs/ @prowler-cloud/detection-remediation
-/examples/ @prowler-cloud/detection-remediation
-/util/ @prowler-cloud/detection-remediation
-/contrib/ @prowler-cloud/detection-remediation
-/permissions/ @prowler-cloud/detection-remediation
-/codecov.yml @prowler-cloud/detection-remediation @prowler-cloud/api
+/* @prowler-cloud/sdk
+/prowler/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/tests/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/dashboard/ @prowler-cloud/sdk
+/docs/ @prowler-cloud/sdk
+/examples/ @prowler-cloud/sdk
+/util/ @prowler-cloud/sdk
+/contrib/ @prowler-cloud/sdk
+/permissions/ @prowler-cloud/sdk
+/codecov.yml @prowler-cloud/sdk @prowler-cloud/api
 
 # API
 /api/ @prowler-cloud/api
@@ -18,7 +17,7 @@
 /ui/ @prowler-cloud/ui
 
 # AI
-/mcp_server/ @prowler-cloud/detection-remediation
+/mcp_server/ @prowler-cloud/ai
 
 # Platform
 /.github/ @prowler-cloud/platform

.github/actions/setup-python-poetry/action.yml

@@ -13,15 +13,11 @@ inputs:
   poetry-version:
     description: 'Poetry version to install'
     required: false
-    default: '2.3.4'
+    default: '2.1.1'
   install-dependencies:
     description: 'Install Python dependencies with Poetry'
     required: false
     default: 'true'
-  update-lock:
-    description: 'Run `poetry lock` during setup. Only enable when a prior step mutates pyproject.toml (e.g. API `@master` VCS rewrite). Default: false.'
-    required: false
-    default: 'false'
 
 runs:
   using: 'composite'
@@ -78,7 +74,7 @@ runs:
         grep -A2 -B2 "resolved_reference" poetry.lock
 
     - name: Update poetry.lock (prowler repo only)
-      if: github.repository == 'prowler-cloud/prowler' && inputs.update-lock == 'true'
+      if: github.repository == 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: poetry lock

.github/workflows/api-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest

.github/workflows/api-code-quality.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-code-quality:
     runs-on: ubuntu-latest
@@ -69,7 +67,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Poetry check
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-codeql.yml

@@ -24,8 +24,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   api-analyze:
     name: CodeQL Security Analysis

.github/workflows/api-container-build-push.yml

@@ -33,8 +33,6 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/api-container-checks.yml

@@ -18,8 +18,6 @@ env:
   API_WORKING_DIR: ./api
   IMAGE_NAME: prowler-api
 
-permissions: {}
-
 jobs:
   api-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/api-security.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-security-scans:
     runs-on: ubuntu-latest
@@ -72,7 +70,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Bandit
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-tests.yml

@@ -30,8 +30,6 @@ env:
   VALKEY_DB: 0
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-tests:
     runs-on: ubuntu-latest
@@ -118,7 +116,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Run tests with pytest
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/backport.yml

@@ -17,8 +17,6 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_IGNORE: was-backported
 
-permissions: {}
-
 jobs:
   backport:
     if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))

.github/workflows/ci-zizmor.yml

@@ -21,8 +21,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   zizmor:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/comment-label-update.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-permissions: {}
-
 jobs:
   update-labels:
     if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')

.github/workflows/conventional-commit.yml

@@ -16,8 +16,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   conventional-commit-check:
     runs-on: ubuntu-latest

.github/workflows/create-backport-label.yml

@@ -13,8 +13,6 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_COLOR: B60205
 
-permissions: {}
-
 jobs:
   create-label:
     runs-on: ubuntu-latest

.github/workflows/docs-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest

.github/workflows/find-secrets.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   scan-secrets:
     runs-on: ubuntu-latest

.github/workflows/helm-chart-checks.yml

@@ -21,8 +21,6 @@ concurrency:
 env:
   CHART_PATH: contrib/k8s/helm/prowler-app
 
-permissions: {}
-
 jobs:
   helm-lint:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/helm-chart-release.yml

@@ -13,8 +13,6 @@ concurrency:
 env:
   CHART_PATH: contrib/k8s/helm/prowler-app
 
-permissions: {}
-
 jobs:
   release-helm-chart:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/issue-lock-on-close.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-permissions: {}
-
 jobs:
   lock:
     if: |

.github/workflows/labeler.yml

@@ -15,8 +15,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   labeler:
     runs-on: ubuntu-latest

.github/workflows/mcp-container-build-push.yml

@@ -32,8 +32,6 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/mcp-container-checks.yml

@@ -18,8 +18,6 @@ env:
   MCP_WORKING_DIR: ./mcp_server
   IMAGE_NAME: prowler-mcp
 
-permissions: {}
-
 jobs:
   mcp-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/mcp-pypi-release.yml

@@ -14,8 +14,6 @@ env:
   PYTHON_VERSION: "3.12"
   WORKING_DIRECTORY: ./mcp_server
 
-permissions: {}
-
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/pr-check-changelog.yml

@@ -16,8 +16,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-changelog:
     if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false

.github/workflows/pr-check-compliance-mapping.yml

@@ -16,8 +16,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-compliance-mapping:
     if: contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false

.github/workflows/pr-conflict-checker.yml

@@ -15,8 +15,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-conflicts:
     runs-on: ubuntu-latest

.github/workflows/pr-merged.yml

@@ -12,8 +12,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: false
 
-permissions: {}
-
 jobs:
   trigger-cloud-pull-request:
     if: |

.github/workflows/prepare-release.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   PROWLER_VERSION: ${{ inputs.prowler_version }}
 
-permissions: {}
-
 jobs:
   prepare-release:
     if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
@@ -40,11 +38,15 @@ jobs:
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
         persist-credentials: false
 
-    - name: Setup Python with Poetry
-      uses: ./.github/actions/setup-python-poetry
+    - name: Set up Python
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.12'
-        install-dependencies: 'false'
+
+    - name: Install Poetry
+      run: |
+        python3 -m pip install --user poetry==2.1.1
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
 
     - name: Configure Git
       run: |

.github/workflows/sdk-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest

.github/workflows/sdk-check-duplicate-test-names.yml

@@ -10,8 +10,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-duplicate-test-names:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/sdk-code-quality.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-code-quality:
     if: github.repository == 'prowler-cloud/prowler'
@@ -71,11 +69,22 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
 
       - name: Check Poetry lock file
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-codeql.yml

@@ -30,8 +30,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-analyze:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/sdk-container-build-push.yml

@@ -47,8 +47,6 @@ env:
   # AWS configuration (for ECR)
   AWS_REGION: us-east-1
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -76,14 +74,15 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
 
-      - name: Inject poetry-bumpversion plugin
-        run: pipx inject poetry poetry-bumpversion
+      - name: Install Poetry
+        run: |
+          pipx install poetry==2.1.1
+          pipx inject poetry poetry-bumpversion
 
       - name: Get Prowler version and set tags
         id: get-prowler-version

.github/workflows/sdk-container-checks.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   IMAGE_NAME: prowler
 
-permissions: {}
-
 jobs:
   sdk-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/sdk-pypi-release.yml

@@ -13,8 +13,6 @@ env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
   PYTHON_VERSION: '3.12'
 
-permissions: {}
-
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'
@@ -75,11 +73,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
 
       - name: Build Prowler package
         run: poetry build
@@ -111,11 +111,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
 
       - name: Install toml package
         run: pip install toml

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -13,8 +13,6 @@ env:
   PYTHON_VERSION: '3.12'
   AWS_REGION: 'us-east-1'
 
-permissions: {}
-
 jobs:
   refresh-aws-regions:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/sdk-refresh-oci-regions.yml

@@ -12,8 +12,6 @@ concurrency:
 env:
   PYTHON_VERSION: '3.12'
 
-permissions: {}
-
 jobs:
   refresh-oci-regions:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/sdk-security.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-security-scans:
     if: github.repository == 'prowler-cloud/prowler'
@@ -71,11 +69,20 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python 3.12
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
 
       - name: Security scan with Bandit
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-tests.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-tests:
     if: github.repository == 'prowler-cloud/prowler'
@@ -92,11 +90,20 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
 
       # AWS Provider
       - name: Check if AWS files changed

.github/workflows/test-impact-analysis.yml

@@ -31,8 +31,6 @@ on:
         description: "Whether there are UI E2E tests to run"
         value: ${{ jobs.analyze.outputs.has-ui-e2e }}
 
-permissions: {}
-
 jobs:
   analyze:
     runs-on: ubuntu-latest

.github/workflows/ui-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest

.github/workflows/ui-codeql.yml

@@ -26,8 +26,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   ui-analyze:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/ui-container-build-push.yml

@@ -35,8 +35,6 @@ env:
   # Build args
   NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/ui-container-checks.yml

@@ -18,8 +18,6 @@ env:
   UI_WORKING_DIR: ./ui
   IMAGE_NAME: prowler-ui
 
-permissions: {}
-
 jobs:
   ui-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'

.github/workflows/ui-e2e-tests-v2.yml

@@ -15,8 +15,6 @@ on:
       - 'ui/**'
       - 'api/**'  # API changes can affect UI E2E
 
-permissions: {}
-
 jobs:
   # First, analyze which tests need to run
   impact-analysis:

.github/workflows/ui-tests.yml

@@ -18,8 +18,6 @@ env:
   UI_WORKING_DIR: ./ui
   NODE_VERSION: '24.13.0'
 
-permissions: {}
-
 jobs:
   ui-tests:
     runs-on: ubuntu-latest

.opencode/package-lock.json

@@ -1,115 +0,0 @@
-{
-  "name": ".opencode",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "dependencies": {
-        "@opencode-ai/plugin": "1.3.17"
-      }
-    },
-    "node_modules/@opencode-ai/plugin": {
-      "version": "1.3.17",
-      "resolved": "https://registry.npmjs.org/@opencode-ai/plugin/-/plugin-1.3.17.tgz",
-      "integrity": "sha512-N5lckFtYvEu2R8K1um//MIOTHsJHniF2kHoPIWPCrxKG5Jpismt1ISGzIiU3aKI2ht/9VgcqKPC5oZFLdmpxPw==",
-      "license": "MIT",
-      "dependencies": {
-        "@opencode-ai/sdk": "1.3.17",
-        "zod": "4.1.8"
-      },
-      "peerDependencies": {
-        "@opentui/core": ">=0.1.96",
-        "@opentui/solid": ">=0.1.96"
-      },
-      "peerDependenciesMeta": {
-        "@opentui/core": {
-          "optional": true
-        },
-        "@opentui/solid": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@opencode-ai/sdk": {
-      "version": "1.3.17",
-      "resolved": "https://registry.npmjs.org/@opencode-ai/sdk/-/sdk-1.3.17.tgz",
-      "integrity": "sha512-2+MGgu7wynqTBwxezR01VAGhILXlpcHDY/pF7SWB87WOgLt3kD55HjKHNj6PWxyY8n575AZolR95VUC3gtwfmA==",
-      "license": "MIT",
-      "dependencies": {
-        "cross-spawn": "7.0.6"
-      }
-    },
-    "node_modules/cross-spawn": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
-      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
-      "license": "MIT",
-      "dependencies": {
-        "path-key": "^3.1.0",
-        "shebang-command": "^2.0.0",
-        "which": "^2.0.1"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/isexe": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
-      "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
-      "license": "ISC"
-    },
-    "node_modules/path-key": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
-      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/shebang-command": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
-      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
-      "license": "MIT",
-      "dependencies": {
-        "shebang-regex": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/shebang-regex": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
-      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/which": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
-      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
-      "license": "ISC",
-      "dependencies": {
-        "isexe": "^2.0.0"
-      },
-      "bin": {
-        "node-which": "bin/node-which"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/zod": {
-      "version": "4.1.8",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    }
-  }
-}

.pre-commit-config.yaml

@@ -70,7 +70,7 @@ repos:
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 2.3.4
+    rev: 2.1.1
     hooks:
       - id: poetry-check
         name: API - poetry-check

.readthedocs.yaml

@@ -13,7 +13,7 @@ build:
     post_create_environment:
       # Install poetry
       # https://python-poetry.org/docs/#installing-manually
-      - python -m pip install poetry==2.3.4
+      - python -m pip install poetry
     post_install:
       # Install dependencies with 'docs' dependency group
       # https://python-poetry.org/docs/managing-dependencies/#dependency-groups

AGENTS.md

@@ -140,7 +140,7 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 
 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.10+, Poetry 2.3+ |
+| SDK | `prowler/` | Python 3.10+, Poetry |
 | API | `api/` | Django 5.1, DRF, Celery |
 | UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
@@ -153,12 +153,12 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 ```bash
 # Setup
 poetry install --with dev
-poetry run prek install
+poetry run pre-commit install
 
 # Code quality
 poetry run make lint
 poetry run make format
-poetry run prek run --all-files
+poetry run pre-commit run --all-files
 ```
 
 ---

Dockerfile

@@ -68,7 +68,7 @@ ENV HOME='/home/prowler'
 ENV PATH="${HOME}/.local/bin:${PATH}"
 #hadolint ignore=DL3013
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry==2.3.4
+    pip install --no-cache-dir poetry
 
 RUN poetry install --compile && \
     rm -rf ~/.cache/pip

README.md

@@ -246,7 +246,14 @@ Some pre-commit hooks require tools installed on your system:
 
 1. **Install [TruffleHog](https://github.com/trufflesecurity/trufflehog#install)** (secret scanning) — see the [official installation options](https://github.com/trufflesecurity/trufflehog#install).
 
-2. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
+2. **Install [Safety](https://github.com/pyupio/safety)** (dependency vulnerability checking):
+
+    ```console
+    # Requires a Python environment (e.g. via pyenv)
+    pip install safety
+    ```
+
+3. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
 
 ## Prowler CLI
 ### Pip package

api/CHANGELOG.md

@@ -2,24 +2,6 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.25.0] (Prowler UNRELEASED)
-
-### 🔄 Changed
-
-- Bump Poetry to `2.3.4` in Dockerfile and pre-commit hooks. Regenerate `api/poetry.lock` [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681)
-- Attack Paths: Remove dead `cleanup_findings` no-op and its supporting `prowler_finding_lastupdated` index [(#10684)](https://github.com/prowler-cloud/prowler/pull/10684)
-
-### 🐞 Fixed
-
-- Worker-beat race condition on cold start: replaced `sleep 15` with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to `8080` [(#10603)](https://github.com/prowler-cloud/prowler/pull/10603)
-- API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation [(#10646)](https://github.com/prowler-cloud/prowler/pull/10646)
-
-### 🔐 Security
-
-- `pytest` from 8.2.2 to 9.0.3 to fix CVE-2025-71176 [(#10678)](https://github.com/prowler-cloud/prowler/pull/10678)
-
----
-
 ## [1.24.0] (Prowler v5.23.0)
 
 ### 🚀 Added

api/Dockerfile

@@ -71,7 +71,7 @@ RUN mkdir -p /tmp/prowler_api_output
 COPY pyproject.toml ./
 
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry==2.3.4
+    pip install --no-cache-dir poetry
 
 ENV PATH="/home/prowler/.local/bin:$PATH"
 

api/docker-entrypoint.sh

@@ -56,6 +56,7 @@ start_worker() {
 
 start_worker_beat() {
   echo "Starting the worker-beat..."
+  sleep 15
   poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }
 

api/poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -6445,33 +6445,6 @@ docs = ["sphinx (>=1.7.1)"]
 redis = ["redis"]
 tests = ["pytest (>=5.4.1)", "pytest-cov (>=2.8.1)", "pytest-mypy (>=0.8.0)", "pytest-timeout (>=2.1.0)", "redis", "sphinx (>=6.0.0)", "types-redis"]
 
-[[package]]
-name = "prek"
-version = "0.3.9"
-description = "A Git hook manager written in Rust, designed as a drop-in alternative to pre-commit."
-optional = false
-python-versions = ">=3.8"
-groups = ["dev"]
-files = [
-    {file = "prek-0.3.9-py3-none-linux_armv6l.whl", hash = "sha256:3ed793d51bfaa27bddb64d525d7acb77a7c8644f549412d82252e3eb0b88aad8"},
-    {file = "prek-0.3.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:399c58400c0bd0b82a93a3c09dc1bfd88d8d0cfb242d414d2ed247187b06ead1"},
-    {file = "prek-0.3.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:e2ea1ffb124e92f081b8e2ca5b5a623a733efb3be0c5b1f4b7ffe2ee17d1f20c"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:aaf639f95b7301639298311d8d44aad0d0b4864e9736083ad3c71ce9765d37ab"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ff104863b187fa443ea8451ca55d51e2c6e94f99f00d88784b5c3c4c623f1ebe"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:039ecaf87c63a3e67cca645ebd5bc5eb6aafa6c9d929e9a27b2921e7849d7ef9"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3bde2a3d045705095983c7f78ba04f72a7565fe1c2b4e85f5628502a254754ff"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:28a0960a21543563e2c8e19aaad176cc8423a87aac3c914d0f313030d7a9244a"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:0dfb5d5171d7523271909246ee306b4dc3d5b63752e7dd7c7e8a8908fc9490d1"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:82b791bd36c1430c84d3ae7220a85152babc7eaf00f70adcb961bd594e756ba3"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:6eac6d2f736b041118f053a1487abed468a70dd85a8688eaf87bb42d3dcecf20"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_i686.whl", hash = "sha256:5517e46e761367a3759b3168eabc120840ffbca9dfbc53187167298a98f87dc4"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:92024778cf78683ca32687bb249ab6a7d5c33887b5ee1d1a9f6d0c14228f4cf3"},
-    {file = "prek-0.3.9-py3-none-win32.whl", hash = "sha256:7f89c55e5f480f5d073769e319924ad69d4bf9f98c5cb46a83082e26e634c958"},
-    {file = "prek-0.3.9-py3-none-win_amd64.whl", hash = "sha256:7722f3372eaa83b147e70a43cb7b9fe2128c13d0c78d8a1cdbf2a8ec2ee071eb"},
-    {file = "prek-0.3.9-py3-none-win_arm64.whl", hash = "sha256:0bced6278d6cc8a4b46048979e36bc9da034611dc8facd77ab123177b833a929"},
-    {file = "prek-0.3.9.tar.gz", hash = "sha256:f82b92d81f42f1f90a47f5fbbf492373e25ef1f790080215b2722dd6da66510e"},
-]
-
 [[package]]
 name = "prompt-toolkit"
 version = "3.0.52"
@@ -7351,25 +7324,24 @@ files = [
 
 [[package]]
 name = "pytest"
-version = "9.0.3"
+version = "8.2.2"
 description = "pytest: simple powerful testing with Python"
 optional = false
-python-versions = ">=3.10"
+python-versions = ">=3.8"
 groups = ["main", "dev"]
 files = [
-    {file = "pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9"},
-    {file = "pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c"},
+    {file = "pytest-8.2.2-py3-none-any.whl", hash = "sha256:c434598117762e2bd304e526244f67bf66bbd7b5d6cf22138be51ff661980343"},
+    {file = "pytest-8.2.2.tar.gz", hash = "sha256:de4bb8104e201939ccdc688b27a89a7be2079b22e2bd2b07f806b6ba71117977"},
 ]
 
 [package.dependencies]
-colorama = {version = ">=0.4", markers = "sys_platform == \"win32\""}
-iniconfig = ">=1.0.1"
-packaging = ">=22"
-pluggy = ">=1.5,<2"
-pygments = ">=2.7.2"
+colorama = {version = "*", markers = "sys_platform == \"win32\""}
+iniconfig = "*"
+packaging = "*"
+pluggy = ">=1.5,<2.0"
 
 [package.extras]
-dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "requests", "setuptools", "xmlschema"]
+dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"]
 
 [[package]]
 name = "pytest-celery"
@@ -9400,4 +9372,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "077e89853cfe3a6d934841488cfa5a98ff6c92b71f74b817b71387d11559f143"
+content-hash = "167d4549788b8bc8bb7772b9a81ade1eab73d8f354251a8d6af4901223cc7f67"

api/pyproject.toml

@@ -65,7 +65,7 @@ freezegun = "1.5.1"
 marshmallow = "==3.26.2"
 mypy = "1.10.1"
 pylint = "3.2.5"
-pytest = "9.0.3"
+pytest = "8.2.2"
 pytest-cov = "5.0.0"
 pytest-django = "4.8.0"
 pytest-env = "1.1.3"
@@ -75,4 +75,3 @@ ruff = "0.5.0"
 safety = "3.7.0"
 tqdm = "4.67.1"
 vulture = "2.14"
-prek = "0.3.9"

api/src/backend/config/guniconf.py

@@ -15,7 +15,7 @@ from config.django.production import LOGGING as DJANGO_LOGGERS, DEBUG  # noqa: E
 from config.custom_logging import BackendLogger  # noqa: E402
 
 BIND_ADDRESS = env("DJANGO_BIND_ADDRESS", default="127.0.0.1")
-PORT = env("DJANGO_PORT", default=8080)
+PORT = env("DJANGO_PORT", default=8000)
 
 # Server settings
 bind = f"{BIND_ADDRESS}:{PORT}"

api/src/backend/tasks/jobs/attack_paths/findings.py

@@ -5,6 +5,7 @@ This module handles:
 - Adding resource labels to Cartography nodes for efficient lookups
 - Loading Prowler findings into the graph
 - Linking findings to resources
+- Cleaning up stale findings
 """
 
 from collections import defaultdict
@@ -23,6 +24,7 @@ from tasks.jobs.attack_paths.config import (
 )
 from tasks.jobs.attack_paths.queries import (
     ADD_RESOURCE_LABEL_TEMPLATE,
+    CLEANUP_FINDINGS_TEMPLATE,
     INSERT_FINDING_TEMPLATE,
     render_cypher_template,
 )
@@ -90,13 +92,14 @@ def analysis(
     """
     Main entry point for Prowler findings analysis.
 
-    Adds resource labels and loads findings.
+    Adds resource labels, loads findings, and cleans up stale data.
     """
     add_resource_label(
         neo4j_session, prowler_api_provider.provider, str(prowler_api_provider.uid)
     )
     findings_data = stream_findings_with_resources(prowler_api_provider, scan_id)
     load_findings(neo4j_session, findings_data, prowler_api_provider, config)
+    cleanup_findings(neo4j_session, prowler_api_provider, config)
 
 
 def add_resource_label(
@@ -180,6 +183,28 @@ def load_findings(
     logger.info(f"Finished loading {total_records} records in {batch_num} batches")
 
 
+def cleanup_findings(
+    neo4j_session: neo4j.Session,
+    prowler_api_provider: Provider,
+    config: CartographyConfig,
+) -> None:
+    """Remove stale findings (classic Cartography behaviour)."""
+    parameters = {
+        "last_updated": config.update_tag,
+        "batch_size": BATCH_SIZE,
+    }
+
+    batch = 1
+    deleted_count = 1
+    while deleted_count > 0:
+        logger.info(f"Cleaning findings batch {batch}")
+
+        result = neo4j_session.run(CLEANUP_FINDINGS_TEMPLATE, parameters)
+
+        deleted_count = result.single().get("deleted_findings_count", 0)
+        batch += 1
+
+
 # Findings Streaming (Generator-based)
 # -------------------------------------
 

api/src/backend/tasks/jobs/attack_paths/indexes.py

@@ -13,13 +13,14 @@ from tasks.jobs.attack_paths.config import (
 logger = get_task_logger(__name__)
 
 
-# Indexes for Prowler Findings and resource lookups
+# Indexes for Prowler findings and resource lookups
 FINDINGS_INDEX_STATEMENTS = [
     # Resource indexes for Prowler Finding lookups
     "CREATE INDEX aws_resource_arn IF NOT EXISTS FOR (n:_AWSResource) ON (n.arn);",
     "CREATE INDEX aws_resource_id IF NOT EXISTS FOR (n:_AWSResource) ON (n.id);",
     # Prowler Finding indexes
     f"CREATE INDEX prowler_finding_id IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.id);",
+    f"CREATE INDEX prowler_finding_lastupdated IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.lastupdated);",
     f"CREATE INDEX prowler_finding_status IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.status);",
     # Internet node index for MERGE lookups
     f"CREATE INDEX internet_id IF NOT EXISTS FOR (n:{INTERNET_NODE_LABEL}) ON (n.id);",

api/src/backend/tasks/jobs/attack_paths/queries.py

@@ -80,6 +80,17 @@ INSERT_FINDING_TEMPLATE = f"""
             rel.lastupdated = $last_updated
 """
 
+CLEANUP_FINDINGS_TEMPLATE = f"""
+    MATCH (finding:{PROWLER_FINDING_LABEL})
+        WHERE finding.lastupdated < $last_updated
+
+    WITH finding LIMIT $batch_size
+
+    DETACH DELETE finding
+
+    RETURN COUNT(finding) AS deleted_findings_count
+"""
+
 # Internet queries (used by internet.py)
 # ---------------------------------------
 

api/src/backend/tasks/tests/test_attack_paths_scan.py

@@ -1298,6 +1298,23 @@ class TestAttackPathsFindingsHelpers:
             assert params["last_updated"] == config.update_tag
             assert "findings_data" in params
 
+    def test_cleanup_findings_runs_batches(self, providers_fixture):
+        provider = providers_fixture[0]
+        config = SimpleNamespace(update_tag=1024)
+        mock_session = MagicMock()
+
+        first_batch = MagicMock()
+        first_batch.single.return_value = {"deleted_findings_count": 3}
+        second_batch = MagicMock()
+        second_batch.single.return_value = {"deleted_findings_count": 0}
+        mock_session.run.side_effect = [first_batch, second_batch]
+
+        findings_module.cleanup_findings(mock_session, provider, config)
+
+        assert mock_session.run.call_count == 2
+        params = mock_session.run.call_args.args[1]
+        assert params["last_updated"] == config.update_tag
+
     def test_stream_findings_with_resources_returns_latest_scan_data(
         self,
         tenants_fixture,

contrib/k8s/helm/prowler-app/templates/worker/deployment.yaml

@@ -34,10 +34,6 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.worker.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: worker
           {{- with .Values.worker.securityContext }}

contrib/k8s/helm/prowler-app/templates/worker_beat/deployment.yaml

@@ -32,10 +32,6 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.worker_beat.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: worker-beat
           {{- with .Values.worker_beat.securityContext }}

docker-compose-dev.yml

@@ -1,11 +1,4 @@
 services:
-  api-dev-init:
-    image: busybox:1.37.0
-    volumes:
-      - ./_data/api:/data
-    command: ["sh", "-c", "chown -R 1000:1000 /data"]
-    restart: "no"
-
   api-dev:
     hostname: "prowler-api"
     image: prowler-api-dev
@@ -28,20 +21,12 @@ services:
       - ./_data/api:/home/prowler/.config/prowler-api
       - outputs:/tmp/prowler_api_output
     depends_on:
-      api-dev-init:
-        condition: service_completed_successfully
       postgres:
         condition: service_healthy
       valkey:
         condition: service_healthy
       neo4j:
         condition: service_healthy
-    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 12
-      start_period: 60s
     entrypoint:
       - "/home/prowler/docker-entrypoint.sh"
       - "dev"
@@ -154,7 +139,11 @@ services:
       - ./api/docker-entrypoint.sh:/home/prowler/docker-entrypoint.sh
       - outputs:/tmp/prowler_api_output
     depends_on:
-      api-dev:
+      valkey:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+      neo4j:
         condition: service_healthy
     ulimits:
       nofile:
@@ -176,7 +165,11 @@ services:
       - path: ./.env
         required: false
     depends_on:
-      api-dev:
+      valkey:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+      neo4j:
         condition: service_healthy
     ulimits:
       nofile:

docker-compose.yml

@@ -5,13 +5,6 @@
 #   docker compose -f docker-compose-dev.yml up
 #
 services:
-  api-init:
-    image: busybox:1.37.0
-    volumes:
-      - ./_data/api:/data
-    command: ["sh", "-c", "chown -R 1000:1000 /data"]
-    restart: "no"
-
   api:
     hostname: "prowler-api"
     image: prowlercloud/prowler-api:${PROWLER_API_VERSION:-stable}
@@ -24,20 +17,12 @@ services:
       - ./_data/api:/home/prowler/.config/prowler-api
       - output:/tmp/prowler_api_output
     depends_on:
-      api-init:
-        condition: service_completed_successfully
       postgres:
         condition: service_healthy
       valkey:
         condition: service_healthy
       neo4j:
         condition: service_healthy
-    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 12
-      start_period: 60s
     entrypoint:
       - "/home/prowler/docker-entrypoint.sh"
       - "prod"
@@ -129,7 +114,9 @@ services:
     volumes:
       - "output:/tmp/prowler_api_output"
     depends_on:
-      api:
+      valkey:
+        condition: service_healthy
+      postgres:
         condition: service_healthy
     ulimits:
       nofile:
@@ -145,7 +132,9 @@ services:
       - path: ./.env
         required: false
     depends_on:
-      api:
+      valkey:
+        condition: service_healthy
+      postgres:
         condition: service_healthy
     ulimits:
       nofile:

docs/developer-guide/introduction.mdx

@@ -118,22 +118,18 @@ In case you have any doubts, consult the [Poetry environment activation guide](h
 
 ### Pre-Commit Hooks
 
-This repository uses Git pre-commit hooks managed by the [prek](https://prek.j178.dev/) tool, it is installed with `poetry install --with dev`. Next, run the following command in the root of this repository:
+This repository uses Git pre-commit hooks managed by the [pre-commit](https://pre-commit.com/) tool, it is installed with `poetry install --with dev`. Next, run the following command in the root of this repository:
 
 ```shell
-prek install
+pre-commit install
 ```
 
 Successful installation should produce the following output:
 
 ```shell
-prek installed at `.git/hooks/pre-commit`
+pre-commit installed at .git/hooks/pre-commit
 ```
 
-<Warning>
-If pre-commit hooks were previously installed, run `prek install --overwrite` to replace the existing hook. Otherwise, both tools will run on each commit.
-</Warning>
-
 ### Code Quality and Security Checks
 
 Before merging pull requests, several automated checks and utilities ensure code security and updated dependencies:

docs/developer-guide/lighthouse-architecture.mdx

@@ -15,7 +15,8 @@ This document describes the internal architecture of Prowler Lighthouse AI, enab
 
 Lighthouse AI operates as a Langchain-based agent that connects Large Language Models (LLMs) with Prowler security data through the Model Context Protocol (MCP).
 
-![Prowler Lighthouse Architecture](/images/lighthouse-architecture.png)
+<img className="block dark:hidden" src="/images/lighthouse-architecture-light.png" alt="Prowler Lighthouse Architecture" />
+<img className="hidden dark:block" src="/images/lighthouse-architecture-dark.png" alt="Prowler Lighthouse Architecture" />
 
 ### Three-Tier Architecture
 

docs/docs.json

@@ -12,24 +12,6 @@
     "dark": "/images/prowler-logo-white.png",
     "light": "/images/prowler-logo-black.png"
   },
-  "contextual": {
-    "options": [
-      "copy",
-      "view",
-      {
-        "title": "Request a feature",
-        "description": "Open a feature request on GitHub",
-        "icon": "plus",
-        "href": "https://github.com/prowler-cloud/prowler/issues/new?template=feature-request.yml"
-      },
-      {
-        "title": "Report an issue",
-        "description": "Open a bug report on GitHub",
-        "icon": "bug",
-        "href": "https://github.com/prowler-cloud/prowler/issues/new?template=bug_report.yml"
-      }
-    ]
-  },
   "navigation": {
     "tabs": [
       {
@@ -151,7 +133,6 @@
                 ]
               },
               "user-guide/tutorials/prowler-app-attack-paths",
-              "user-guide/tutorials/prowler-app-finding-groups",
               "user-guide/tutorials/prowler-cloud-public-ips",
               {
                 "group": "Tutorials",

docs/getting-started/products/prowler-lighthouse-ai.mdx

@@ -59,10 +59,6 @@ Prowler Lighthouse AI is powerful, but there are limitations:
 - **NextJS session dependence**: If your Prowler application session expires or logs out, Lighthouse AI will error out. Refresh and log back in to continue.
 - **Response quality**: The response quality depends on the selected LLM provider and model. Choose models with strong tool-calling capabilities for best results. We recommend `gpt-5` model from OpenAI.
 
-## Architecture
-
-![Prowler Lighthouse Architecture](/images/lighthouse-architecture.png)
-
 ## Extending Lighthouse AI
 
 Lighthouse AI retrieves data through Prowler MCP. To add new capabilities, extend the Prowler MCP Server with additional tools and Lighthouse AI discovers them automatically.

docs/getting-started/products/prowler-mcp.mdx

@@ -46,7 +46,8 @@ Search and retrieve official Prowler documentation:
 
 The following diagram illustrates the Prowler MCP Server architecture and its integration points:
 
-![Prowler MCP Server Schema](/images/prowler_mcp_schema.png)
+<img className="block dark:hidden" src="/images/prowler_mcp_schema_light.png" alt="Prowler MCP Server Schema" />
+<img className="hidden dark:block" src="/images/prowler_mcp_schema_dark.png" alt="Prowler MCP Server Schema" />
 
 The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components:
 - Prowler Cloud/App for security operations

docs/images/lighthouse-architecture.mmd

@@ -1,37 +0,0 @@
-flowchart TB
-    browser([Browser])
-
-    subgraph NEXTJS["Next.js Server"]
-        route["API Route<br/>(auth + context assembly)"]
-        agent["LangChain Agent"]
-
-        subgraph TOOLS["Agent Tools"]
-            metatools["Meta-tools<br/>describe_tool / execute_tool / load_skill"]
-        end
-
-        mcpclient["MCP Client<br/>(HTTP transport)"]
-    end
-
-    llm["LLM Provider<br/>(OpenAI / Bedrock / OpenAI-compatible)"]
-
-    subgraph MCP["Prowler MCP Server"]
-        app_tools["prowler_app_* tools<br/>(auth required)"]
-        hub_tools["prowler_hub_* tools<br/>(no auth)"]
-        docs_tools["prowler_docs_* tools<br/>(no auth)"]
-    end
-
-    api["Prowler API"]
-    hub["hub.prowler.com"]
-    docs["docs.prowler.com<br/>(Mintlify)"]
-
-    browser <-->|SSE stream| route
-    route --> agent
-    agent <-->|LLM API| llm
-    agent --> metatools
-    metatools --> mcpclient
-    mcpclient -->|MCP HTTP · Bearer token<br/>for prowler_app_* only| app_tools
-    mcpclient -->|MCP HTTP| hub_tools
-    mcpclient -->|MCP HTTP| docs_tools
-    app_tools -->|REST| api
-    hub_tools -->|REST| hub
-    docs_tools -->|REST| docs

docs/images/products/prowler-app-architecture.mmd

@@ -23,8 +23,6 @@ flowchart TB
     user --> ui
     user --> cli
     ui -->|REST| api
-    ui -->|MCP HTTP| mcp
-    mcp -->|REST| api
     api --> pg
     api --> valkey
     beat -->|enqueue jobs| valkey
@@ -33,5 +31,7 @@ flowchart TB
     worker -->|Attack Paths| neo4j
     worker -->|invokes| sdk
     cli --> sdk
+    api -. AI tools .-> mcp
+    mcp -. context .-> api
 
     sdk --> providers

docs/images/prowler_mcp_schema.mmd

@@ -1,29 +0,0 @@
-flowchart LR
-    subgraph HOSTS["MCP Hosts"]
-        chat["Chat Interfaces<br/>(Claude Desktop, LobeChat)"]
-        ide["IDEs and Code Editors<br/>(Claude Code, Cursor)"]
-        apps["Other AI Applications<br/>(5ire, custom agents)"]
-    end
-
-    subgraph MCP["Prowler MCP Server"]
-        app_tools["prowler_app_* tools<br/>(JWT or API key auth)<br/>Findings · Providers · Scans<br/>Resources · Muting · Compliance<br/>Attack Paths"]
-        hub_tools["prowler_hub_* tools<br/>(no auth)<br/>Checks Catalog · Check Code<br/>Fixers · Compliance Frameworks"]
-        docs_tools["prowler_docs_* tools<br/>(no auth)<br/>Search · Document Retrieval"]
-    end
-
-    api["Prowler API<br/>(REST)"]
-    hub["hub.prowler.com<br/>(REST)"]
-    docs["docs.prowler.com<br/>(Mintlify)"]
-
-    chat -->|STDIO or HTTP| app_tools
-    chat -->|STDIO or HTTP| hub_tools
-    chat -->|STDIO or HTTP| docs_tools
-    ide -->|STDIO or HTTP| app_tools
-    ide -->|STDIO or HTTP| hub_tools
-    ide -->|STDIO or HTTP| docs_tools
-    apps -->|STDIO or HTTP| app_tools
-    apps -->|STDIO or HTTP| hub_tools
-    apps -->|STDIO or HTTP| docs_tools
-    app_tools -->|REST| api
-    hub_tools -->|REST| hub
-    docs_tools -->|REST| docs

docs/user-guide/tutorials/prowler-app-finding-groups.mdx

@@ -1,119 +0,0 @@
----
-title: 'Finding Groups'
-description: 'Organize and triage security findings by check to reduce noise and prioritize remediation effectively.'
----
-
-import { VersionBadge } from "/snippets/version-badge.mdx"
-
-<VersionBadge version="5.23.0" />
-
-Finding Groups transforms security findings triage by grouping them by check instead of displaying a flat list. This dramatically reduces noise and enables faster, more effective prioritization.
-
-## Triage Challenges with Flat Finding Lists
-
-A real cloud environment produces thousands of findings per scan. A flat list makes it impossible to triage effectively:
-
-- **Signal buried in noise**: the same misconfiguration repeated across 200 resources shows up as 200 rows, burying the signal in repetitive data
-- **Prioritization guesswork**: without grouping, understanding which issues affect the most resources requires manual counting and correlation
-- **Tedious muting**: muting a false positive globally requires manually acting on each individual finding across the list
-- **Lost context**: when investigating a single resource, related findings are scattered across the same flat list, making it hard to see the full picture
-
-## How Finding Groups Addresses These Challenges
-
-Finding Groups addresses these challenges by intelligently grouping findings by check.
-
-### Grouped View at a Glance
-
-Each row represents a single check title with key information immediately visible:
-
-- **Severity** indicator for quick risk assessment
-- **Impacted providers** showing which cloud platforms are affected
-- **X of Y impacted resources** counter displaying how many resources fail this check
-
-For example, `Vercel project has the Web Application Firewall enabled` across every affected project collapses to a single row — not one per project. Sort or filter by severity, provider, or status at the group level to triage top-down instead of drowning in per-resource rows.
-
-![Finding Groups list view](/images/finding-groups-list.png)
-
-### Expanding Groups for Details
-
-Expand any group inline to see the failing resources with detailed information:
-
-| Column | Description |
-|--------|-------------|
-| **UID** | Unique identifier for the resource |
-| **Service** | The cloud service the resource belongs to |
-| **Region** | Geographic region where the resource is deployed |
-| **Severity** | Risk level of the finding |
-| **Provider** | Cloud provider (AWS, Azure, GCP, Kubernetes, etc.) |
-| **Last Seen** | When the finding was last detected |
-| **Failing For** | Duration the resource has been in a failing state |
-
-![Finding Groups expanded view](/images/finding-groups-expanded.png)
-
-### Resource Detail Drawer
-
-Select any resource to open the detail drawer with full finding context:
-
-- **Risk**: the security risk associated with this finding
-- **Description**: detailed explanation of what was detected
-- **Status Extended**: additional status information and context
-- **Remediation**: step-by-step guidance to resolve the issue
-- **View in Prowler Hub**: direct link to explore the check in Prowler Hub
-- **Analyze This Finding With Lighthouse AI**: one-click AI-powered analysis for deeper insights
-
-![Finding Groups resource detail drawer](/images/finding-groups-drawer.png)
-
-### Bulk Actions
-
-Bulk-mute an entire group instead of chasing duplicates across the list. This is especially useful for:
-
-- Known false positives that appear across many resources
-- Findings in development or test environments
-- Accepted risks that have been documented and approved
-
-<Warning>
-Muting findings does not resolve underlying security issues. Review each finding carefully before muting to ensure it represents an acceptable risk or has been properly addressed.
-</Warning>
-
-## Other Findings for This Resource
-
-Inside the resource detail drawer, the **Other Findings For This Resource** tab lists every finding that hits the same resource — passing, failing, and muted — alongside the one currently being reviewed.
-
-![Other Findings For This Resource tab](/images/finding-groups-other-findings.png)
-
-### Why This Matters
-
-When reviewing "WAF not enabled" on a Vercel project, the tab immediately shows:
-
-- Skew protection status
-- Rate limiting configuration
-- IP blocking settings
-- Custom firewall rules
-- Password protection findings
-
-All for that same project, without navigating back to the main list and filtering by resource UID.
-
-### Complete Context Within the Drawer
-
-Pair the Other Findings tab with:
-
-- **Scans tab**: scan history for this resource
-- **Events tab**: changes and events over time
-
-This provides full context without leaving the drawer.
-
-## Best Practices
-
-1. **Start with high severity groups**: focus on critical and high severity groups first for maximum impact.
-2. **Use filters strategically**: filter by provider or status at the group level to narrow the triage scope.
-3. **Leverage bulk mute**: when a finding represents a confirmed false positive, mute the entire group at once.
-4. **Check related findings**: review the Other Findings tab to understand the full security posture of a resource.
-5. **Track failure duration**: use the "Failing For" column to prioritize long-standing issues that may indicate systemic problems.
-
-## Getting Started
-
-1. Navigate to the **Findings** section in Prowler Cloud/App.
-2. Toggle to the **Grouped View** to see findings organized by check.
-3. Select any group row to expand and see affected resources.
-4. Select a resource to open the detail drawer with full context.
-5. Use the **Other Findings For This Resource** tab to see all findings for that resource.

docs/user-guide/tutorials/prowler-app-lighthouse.mdx

@@ -25,7 +25,8 @@ Behind the scenes, Lighthouse AI works as follows:
 Lighthouse AI supports multiple LLM providers including OpenAI, Amazon Bedrock, and OpenAI-compatible services. For configuration details, see [Using Multiple LLM Providers with Lighthouse](/user-guide/tutorials/prowler-app-lighthouse-multi-llm).
 </Note>
 
-![Prowler Lighthouse Architecture](/images/lighthouse-architecture.png)
+<img className="block dark:hidden" src="/images/lighthouse-architecture-light.png" alt="Prowler Lighthouse Architecture" />
+<img className="hidden dark:block" src="/images/lighthouse-architecture-dark.png" alt="Prowler Lighthouse Architecture" />
 
 
 <Note>

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -1671,6 +1671,18 @@ files = [
 [package.dependencies]
 pycparser = {version = "*", markers = "implementation_name != \"PyPy\""}
 
+[[package]]
+name = "cfgv"
+version = "3.4.0"
+description = "Validate configuration and produce human readable error messages."
+optional = false
+python-versions = ">=3.8"
+groups = ["dev"]
+files = [
+    {file = "cfgv-3.4.0-py2.py3-none-any.whl", hash = "sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9"},
+    {file = "cfgv-3.4.0.tar.gz", hash = "sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560"},
+]
+
 [[package]]
 name = "cfn-lint"
 version = "1.38.0"
@@ -2169,6 +2181,18 @@ files = [
 graph = ["objgraph (>=1.7.2)"]
 profile = ["gprof2dot (>=2022.7.29)"]
 
+[[package]]
+name = "distlib"
+version = "0.4.0"
+description = "Distribution utilities"
+optional = false
+python-versions = "*"
+groups = ["dev"]
+files = [
+    {file = "distlib-0.4.0-py2.py3-none-any.whl", hash = "sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16"},
+    {file = "distlib-0.4.0.tar.gz", hash = "sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d"},
+]
+
 [[package]]
 name = "distro"
 version = "1.9.0"
@@ -2825,6 +2849,21 @@ files = [
     {file = "iamdata-0.1.202507281.tar.gz", hash = "sha256:4050870068ca2fb044d03c46229bc8dbafb4f99db2f50c77297aafd437154ddd"},
 ]
 
+[[package]]
+name = "identify"
+version = "2.6.12"
+description = "File identification library for Python"
+optional = false
+python-versions = ">=3.9"
+groups = ["dev"]
+files = [
+    {file = "identify-2.6.12-py2.py3-none-any.whl", hash = "sha256:ad9672d5a72e0d2ff7c5c8809b62dfa60458626352fb0eb7b55e69bdc45334a2"},
+    {file = "identify-2.6.12.tar.gz", hash = "sha256:d8de45749f1efb108badef65ee8386f0f7bb19a7f26185f74de6367bffbaf0e6"},
+]
+
+[package.extras]
+license = ["ukkonen"]
+
 [[package]]
 name = "idna"
 version = "3.10"
@@ -3962,6 +4001,18 @@ plot = ["matplotlib"]
 tgrep = ["pyparsing"]
 twitter = ["twython"]
 
+[[package]]
+name = "nodeenv"
+version = "1.9.1"
+description = "Node.js virtual environment builder"
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
+groups = ["dev"]
+files = [
+    {file = "nodeenv-1.9.1-py2.py3-none-any.whl", hash = "sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9"},
+    {file = "nodeenv-1.9.1.tar.gz", hash = "sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f"},
+]
+
 [[package]]
 name = "numpy"
 version = "2.0.2"
@@ -4393,32 +4444,24 @@ files = [
 ]
 
 [[package]]
-name = "prek"
-version = "0.3.9"
-description = "A Git hook manager written in Rust, designed as a drop-in alternative to pre-commit."
+name = "pre-commit"
+version = "4.2.0"
+description = "A framework for managing and maintaining multi-language pre-commit hooks."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "prek-0.3.9-py3-none-linux_armv6l.whl", hash = "sha256:3ed793d51bfaa27bddb64d525d7acb77a7c8644f549412d82252e3eb0b88aad8"},
-    {file = "prek-0.3.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:399c58400c0bd0b82a93a3c09dc1bfd88d8d0cfb242d414d2ed247187b06ead1"},
-    {file = "prek-0.3.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:e2ea1ffb124e92f081b8e2ca5b5a623a733efb3be0c5b1f4b7ffe2ee17d1f20c"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:aaf639f95b7301639298311d8d44aad0d0b4864e9736083ad3c71ce9765d37ab"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ff104863b187fa443ea8451ca55d51e2c6e94f99f00d88784b5c3c4c623f1ebe"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:039ecaf87c63a3e67cca645ebd5bc5eb6aafa6c9d929e9a27b2921e7849d7ef9"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3bde2a3d045705095983c7f78ba04f72a7565fe1c2b4e85f5628502a254754ff"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:28a0960a21543563e2c8e19aaad176cc8423a87aac3c914d0f313030d7a9244a"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:0dfb5d5171d7523271909246ee306b4dc3d5b63752e7dd7c7e8a8908fc9490d1"},
-    {file = "prek-0.3.9-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:82b791bd36c1430c84d3ae7220a85152babc7eaf00f70adcb961bd594e756ba3"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:6eac6d2f736b041118f053a1487abed468a70dd85a8688eaf87bb42d3dcecf20"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_i686.whl", hash = "sha256:5517e46e761367a3759b3168eabc120840ffbca9dfbc53187167298a98f87dc4"},
-    {file = "prek-0.3.9-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:92024778cf78683ca32687bb249ab6a7d5c33887b5ee1d1a9f6d0c14228f4cf3"},
-    {file = "prek-0.3.9-py3-none-win32.whl", hash = "sha256:7f89c55e5f480f5d073769e319924ad69d4bf9f98c5cb46a83082e26e634c958"},
-    {file = "prek-0.3.9-py3-none-win_amd64.whl", hash = "sha256:7722f3372eaa83b147e70a43cb7b9fe2128c13d0c78d8a1cdbf2a8ec2ee071eb"},
-    {file = "prek-0.3.9-py3-none-win_arm64.whl", hash = "sha256:0bced6278d6cc8a4b46048979e36bc9da034611dc8facd77ab123177b833a929"},
-    {file = "prek-0.3.9.tar.gz", hash = "sha256:f82b92d81f42f1f90a47f5fbbf492373e25ef1f790080215b2722dd6da66510e"},
+    {file = "pre_commit-4.2.0-py2.py3-none-any.whl", hash = "sha256:a009ca7205f1eb497d10b845e52c838a98b6cdd2102a6c8e4540e94ee75c58bd"},
+    {file = "pre_commit-4.2.0.tar.gz", hash = "sha256:601283b9757afd87d40c4c4a9b2b5de9637a8ea02eaff7adc2d0fb4e04841146"},
 ]
 
+[package.dependencies]
+cfgv = ">=2.0.0"
+identify = ">=1.0.0"
+nodeenv = ">=0.11.1"
+pyyaml = ">=5.1"
+virtualenv = ">=20.10.0"
+
 [[package]]
 name = "propcache"
 version = "0.3.2"
@@ -6240,6 +6283,27 @@ files = [
     {file = "uuid6-2024.7.10.tar.gz", hash = "sha256:2d29d7f63f593caaeea0e0d0dd0ad8129c9c663b29e19bdf882e864bedf18fb0"},
 ]
 
+[[package]]
+name = "virtualenv"
+version = "20.32.0"
+description = "Virtual Python Environment builder"
+optional = false
+python-versions = ">=3.8"
+groups = ["dev"]
+files = [
+    {file = "virtualenv-20.32.0-py3-none-any.whl", hash = "sha256:2c310aecb62e5aa1b06103ed7c2977b81e042695de2697d01017ff0f1034af56"},
+    {file = "virtualenv-20.32.0.tar.gz", hash = "sha256:886bf75cadfdc964674e6e33eb74d787dff31ca314ceace03ca5810620f4ecf0"},
+]
+
+[package.dependencies]
+distlib = ">=0.3.7,<1"
+filelock = ">=3.12.2,<4"
+platformdirs = ">=3.9.1,<5"
+
+[package.extras]
+docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"]
+test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8) ; platform_python_implementation == \"PyPy\" or platform_python_implementation == \"GraalVM\" or platform_python_implementation == \"CPython\" and sys_platform == \"win32\" and python_version >= \"3.13\"", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10) ; platform_python_implementation == \"CPython\""]
+
 [[package]]
 name = "vulture"
 version = "2.14"
@@ -6681,4 +6745,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<3.13"
-content-hash = "786921163bb46716defae1d9de1df001af2abf17edd3061165638707bcd28ce4"
+content-hash = "4050d3a95f5bc5448576ca0361fd899b35aa04de28d379cdfd3c2b0db67848ad"

prowler/AGENTS.md

@@ -81,7 +81,7 @@ class {check_name}(Check):
 
 ## TECH STACK
 
-Python 3.10+ | Poetry 2.3+ | pytest | moto (AWS mocking) | Pre-commit hooks (black, flake8, pylint, bandit)
+Python 3.10+ | Poetry 2+ | pytest | moto (AWS mocking) | Pre-commit hooks (black, flake8, pylint, bandit)
 
 ---
 

prowler/CHANGELOG.md

@@ -6,25 +6,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
-- `entra_conditional_access_policy_directory_sync_account_excluded` check for M365 provider [(#10620)](https://github.com/prowler-cloud/prowler/pull/10620)
 - `intune_device_compliance_policy_unassigned_devices_not_compliant_by_default` check for M365 provider [(#10599)](https://github.com/prowler-cloud/prowler/pull/10599)
 - `entra_conditional_access_policy_all_apps_all_users` check for M365 provider [(#10619)](https://github.com/prowler-cloud/prowler/pull/10619)
 - `bedrock_full_access_policy_attached` check for AWS provider [(#10577)](https://github.com/prowler-cloud/prowler/pull/10577)
 - `iam_role_access_not_stale_to_bedrock` and `iam_user_access_not_stale_to_bedrock` checks for AWS provider [(#10536)](https://github.com/prowler-cloud/prowler/pull/10536)
+- 9 Gmail checks for Google Workspace provider (`gmail_mail_delegation_disabled`, `gmail_shortener_scanning_enabled`, `gmail_external_image_scanning_enabled`, `gmail_untrusted_link_warnings_enabled`, `gmail_pop_imap_access_disabled`, `gmail_auto_forwarding_disabled`, `gmail_per_user_outbound_gateway_disabled`, `gmail_enhanced_pre_delivery_scanning_enabled`, `gmail_comprehensive_mail_storage_enabled`) using the Cloud Identity Policy API [(#10683)](https://github.com/prowler-cloud/prowler/pull/10683)
 - `iam_policy_no_wildcard_marketplace_subscribe` and `iam_inline_policy_no_wildcard_marketplace_subscribe` checks for AWS provider [(#10525)](https://github.com/prowler-cloud/prowler/pull/10525)
 - `bedrock_vpc_endpoints_configured` check for AWS provider [(#10591)](https://github.com/prowler-cloud/prowler/pull/10591)
 - `exchange_organization_delicensing_resiliency_enabled` check for m365 provider [(#10608)](https://github.com/prowler-cloud/prowler/pull/10608)
-- `entra_conditional_access_policy_mfa_enforced_for_guest_users` check for M365 provider [(#10616)](https://github.com/prowler-cloud/prowler/pull/10616)
-- `entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced` check for m365 provider [(#10618)](https://github.com/prowler-cloud/prowler/pull/10618)
-- `entra_conditional_access_policy_block_unknown_device_platforms` check for m365 provider [(#10615)](https://github.com/prowler-cloud/prowler/pull/10615)
-
-### 🔄 Changed
-
-- Bump Poetry to `2.3.4` and consolidate SDK workflows onto the `setup-python-poetry` composite action with opt-in lockfile regeneration [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681)
-- Normalize Conditional Access platform values in Entra models and simplify platform-based checks [(#10635)](https://github.com/prowler-cloud/prowler/pull/10635)
-
-### 🐞 Fixed
-- Vercel firewall config handling for team-scoped projects and current API response shapes [(#10695)](https://github.com/prowler-cloud/prowler/pull/10695)
 
 ---
 

prowler/compliance/googleworkspace/cis_1.3_googleworkspace.json

@@ -525,7 +525,9 @@
     {
       "Id": "3.1.3.1.1",
       "Description": "Ensure users cannot delegate access to their mailbox",
-      "Checks": [],
+      "Checks": [
+        "gmail_mail_delegation_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -714,7 +716,9 @@
     {
       "Id": "3.1.3.4.2.1",
       "Description": "Ensure link identification behind shortened URLs is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_shortener_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -735,7 +739,9 @@
     {
       "Id": "3.1.3.4.2.2",
       "Description": "Ensure scan linked images for malicious content is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_external_image_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -756,7 +762,9 @@
     {
       "Id": "3.1.3.4.2.3",
       "Description": "Ensure warning prompt is shown for any click on links to untrusted domains",
-      "Checks": [],
+      "Checks": [
+        "gmail_untrusted_link_warnings_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -882,7 +890,9 @@
     {
       "Id": "3.1.3.5.1",
       "Description": "Ensure POP and IMAP access is disabled for all users",
-      "Checks": [],
+      "Checks": [
+        "gmail_pop_imap_access_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -903,7 +913,9 @@
     {
       "Id": "3.1.3.5.2",
       "Description": "Ensure automatic forwarding options are disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_auto_forwarding_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -924,7 +936,9 @@
     {
       "Id": "3.1.3.5.3",
       "Description": "Ensure per-user outbound gateways is disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_per_user_outbound_gateway_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -966,7 +980,9 @@
     {
       "Id": "3.1.3.6.1",
       "Description": "Ensure enhanced pre-delivery message scanning is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_enhanced_pre_delivery_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1008,7 +1024,9 @@
     {
       "Id": "3.1.3.7.1",
       "Description": "Ensure comprehensive mail storage is enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_comprehensive_mail_storage_enabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",

prowler/compliance/googleworkspace/cisa_scuba_0.6_googleworkspace.json

@@ -556,7 +556,9 @@
     {
       "Id": "GWS.GMAIL.1.1",
       "Description": "Mail Delegation SHOULD be disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_mail_delegation_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -725,7 +727,9 @@
     {
       "Id": "GWS.GMAIL.6.1",
       "Description": "Identify links behind shortened URLs SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_shortener_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -738,7 +742,9 @@
     {
       "Id": "GWS.GMAIL.6.2",
       "Description": "Scan linked images SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_external_image_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -751,7 +757,9 @@
     {
       "Id": "GWS.GMAIL.6.3",
       "Description": "Show warning prompt for any click on links to untrusted domains SHALL be enabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_untrusted_link_warnings_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -907,7 +915,9 @@
     {
       "Id": "GWS.GMAIL.9.1",
       "Description": "POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients",
-      "Checks": [],
+      "Checks": [
+        "gmail_pop_imap_access_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -933,7 +943,9 @@
     {
       "Id": "GWS.GMAIL.11.1",
       "Description": "Automatic forwarding SHOULD be disabled, especially to external domains",
-      "Checks": [],
+      "Checks": [
+        "gmail_auto_forwarding_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -946,7 +958,9 @@
     {
       "Id": "GWS.GMAIL.12.1",
       "Description": "Using a per-user outbound gateway that is a mail server other than the Google Workspace (GWS) mail servers SHALL be disabled",
-      "Checks": [],
+      "Checks": [
+        "gmail_per_user_outbound_gateway_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -985,7 +999,9 @@
     {
       "Id": "GWS.GMAIL.15.1",
       "Description": "Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing",
-      "Checks": [],
+      "Checks": [
+        "gmail_enhanced_pre_delivery_scanning_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",
@@ -1037,7 +1053,9 @@
     {
       "Id": "GWS.GMAIL.17.1",
       "Description": "Comprehensive mail storage SHOULD be enabled to allow information traceability across applications",
-      "Checks": [],
+      "Checks": [
+        "gmail_comprehensive_mail_storage_enabled"
+      ],
       "Attributes": [
         {
           "Section": "Gmail",

prowler/compliance/m365/iso27001_2022_m365.json

@@ -206,11 +206,7 @@
         "admincenter_users_admins_reduced_license_footprint",
         "entra_admin_portals_access_restriction",
         "entra_admin_users_phishing_resistant_mfa_enabled",
-        "entra_conditional_access_policy_mfa_enforced_for_guest_users",
         "entra_conditional_access_policy_block_o365_elevated_insider_risk",
-        "entra_conditional_access_policy_block_unknown_device_platforms",
-        "entra_conditional_access_policy_directory_sync_account_excluded",
-        "entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced",
         "entra_policy_guest_users_access_restrictions",
         "entra_seamless_sso_disabled"
       ]
@@ -249,14 +245,11 @@
         "entra_admin_users_mfa_enabled",
         "entra_admin_users_sign_in_frequency_enabled",
         "entra_break_glass_account_fido2_security_key_registered",
-        "entra_conditional_access_policy_mfa_enforced_for_guest_users",
         "entra_default_app_management_policy_enabled",
         "entra_all_apps_conditional_access_coverage",
         "entra_conditional_access_policy_device_registration_mfa_required",
         "entra_intune_enrollment_sign_in_frequency_every_time",
-        "entra_conditional_access_policy_block_unknown_device_platforms",
         "entra_conditional_access_policy_device_code_flow_blocked",
-        "entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced",
         "entra_legacy_authentication_blocked",
         "entra_managed_device_required_for_authentication",
         "entra_seamless_sso_disabled",
@@ -634,7 +627,6 @@
         "entra_admin_users_phishing_resistant_mfa_enabled",
         "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
-        "entra_conditional_access_policy_block_unknown_device_platforms",
         "entra_conditional_access_policy_device_registration_mfa_required",
         "entra_intune_enrollment_sign_in_frequency_every_time",
         "entra_managed_device_required_for_authentication",
@@ -694,10 +686,7 @@
         "entra_conditional_access_policy_approved_client_app_required_for_mobile",
         "entra_conditional_access_policy_app_enforced_restrictions",
         "entra_conditional_access_policy_block_elevated_insider_risk",
-        "entra_conditional_access_policy_directory_sync_account_excluded",
         "entra_conditional_access_policy_block_o365_elevated_insider_risk",
-        "entra_conditional_access_policy_block_unknown_device_platforms",
-        "entra_conditional_access_policy_mfa_enforced_for_guest_users",
         "entra_policy_guest_users_access_restrictions",
         "sharepoint_external_sharing_restricted"
       ]
@@ -719,14 +708,10 @@
         "entra_admin_users_sign_in_frequency_enabled",
         "entra_all_apps_conditional_access_coverage",
         "entra_conditional_access_policy_device_registration_mfa_required",
-        "entra_conditional_access_policy_mfa_enforced_for_guest_users",
         "entra_intune_enrollment_sign_in_frequency_every_time",
         "entra_break_glass_account_fido2_security_key_registered",
         "entra_conditional_access_policy_approved_client_app_required_for_mobile",
-        "entra_conditional_access_policy_block_unknown_device_platforms",
         "entra_conditional_access_policy_device_code_flow_blocked",
-        "entra_conditional_access_policy_directory_sync_account_excluded",
-        "entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced",
         "entra_identity_protection_sign_in_risk_enabled",
         "entra_managed_device_required_for_authentication",
         "entra_seamless_sso_disabled",

prowler/providers/googleworkspace/services/gmail/gmail_auto_forwarding_disabled/gmail_auto_forwarding_disabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_auto_forwarding_disabled",
+  "CheckTitle": "Automatic forwarding options are disabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Automatic email forwarding allows users to automatically forward all incoming email to an external address. Disabling this feature prevents unauthorized data exfiltration through email forwarding rules.",
+  "Risk": "With auto-forwarding enabled, an attacker who gains control of a user account can create **forwarding rules to exfiltrate** all incoming email to an external address. This can persist undetected and provide the attacker with continuous access to sensitive communications even after the account is recovered.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/2491924",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **End User Access** > **Automatic forwarding**\n4. Uncheck **Allow users to automatically forward incoming email to another address**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable automatic email forwarding to prevent users and attackers from setting up rules that exfiltrate email data to external addresses.",
+      "Url": "https://hub.prowler.com/check/gmail_auto_forwarding_disabled"
+    }
+  },
+  "Categories": [
+    "email-security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "gmail_pop_imap_access_disabled",
+    "gmail_per_user_outbound_gateway_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/gmail/gmail_auto_forwarding_disabled/gmail_auto_forwarding_disabled.py

@@ -0,0 +1,53 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.gmail.gmail_client import gmail_client
+
+
+class gmail_auto_forwarding_disabled(Check):
+    """Check that automatic forwarding options are disabled.
+
+    This check verifies that the domain-level Gmail policy prevents users
+    from automatically forwarding incoming email to external addresses,
+    reducing the risk of data exfiltration.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if gmail_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=gmail_client.provider.identity,
+                resource_name=gmail_client.provider.identity.domain,
+                resource_id=gmail_client.provider.identity.customer_id,
+                customer_id=gmail_client.provider.identity.customer_id,
+                location="global",
+            )
+
+            forwarding_enabled = gmail_client.policies.enable_auto_forwarding
+
+            if forwarding_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Automatic email forwarding is disabled "
+                    f"in domain {gmail_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if forwarding_enabled is None:
+                    report.status_extended = (
+                        f"Automatic email forwarding is not explicitly configured "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Auto-forwarding should be disabled to prevent data exfiltration."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Automatic email forwarding is enabled "
+                        f"in domain {gmail_client.provider.identity.domain}. "
+                        f"Auto-forwarding should be disabled to prevent data exfiltration."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/gmail/gmail_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.googleworkspace.services.gmail.gmail_service import Gmail
+
+gmail_client = Gmail(Provider.get_global_provider())

prowler/providers/googleworkspace/services/gmail/gmail_comprehensive_mail_storage_enabled/gmail_comprehensive_mail_storage_enabled.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "gmail_comprehensive_mail_storage_enabled",
+  "CheckTitle": "Comprehensive mail storage is enabled",
+  "CheckType": [],
+  "ServiceName": "gmail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Comprehensive mail storage ensures that a copy of all sent and received messages in the domain, including messages sent or received by non-Gmail mailboxes, is stored in users' Gmail mailboxes. This makes all messages accessible to Google Vault for retention, eDiscovery, and compliance purposes.",
+  "Risk": "Without comprehensive mail storage, messages sent through other Google services (Calendar, Drive, etc.) may not be stored in Gmail and therefore **not subject to Vault retention policies**. This creates gaps in **compliance coverage**, **eDiscovery**, and **audit trails** that could violate regulatory requirements.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/3547347",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Gmail**\n3. Click **Compliance** > **Comprehensive mail storage**\n4. Check **Ensure that a copy of all sent and received mail is stored in associated users' mailboxes**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable comprehensive mail storage to ensure all email is stored in Gmail mailboxes for Vault retention and eDiscovery compliance.",
+      "Url": "https://hub.prowler.com/check/gmail_comprehensive_mail_storage_enabled"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}