chore(ci): update github-actions

Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>

.github/workflows/api-container-build-push.yml

@@ -215,7 +215,7 @@ jobs:
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 # main
 
       - name: Cleanup intermediate architecture tags
         if: always()

.github/workflows/api-tests.yml

@@ -48,7 +48,7 @@ jobs:
 
     services:
       postgres:
-        image: postgres:17@sha256:2cd82735a36356842d5eb1ef80db3ae8f1154172f0f653db48fde079b2a0b7f7
+        image: postgres:17@sha256:2203e6282d9e7de7c24d7da234e2a744fb325df366a3fd8ed940e8abbee39527
         env:
           POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
           POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
@@ -63,7 +63,7 @@ jobs:
           --health-timeout 5s
           --health-retries 5
       valkey:
-        image: valkey/valkey:7-alpine3.19
+        image: valkey/valkey:7-alpine3.19@sha256:4054fe7fc607b9326ac7c4691ed26e9670d2ff17a9fb28c2577adecf928acbcc
         env:
           VALKEY_HOST: ${{ env.VALKEY_HOST }}
           VALKEY_PORT: ${{ env.VALKEY_PORT }}

.github/workflows/mcp-container-build-push.yml

@@ -206,7 +206,7 @@ jobs:
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 # main
 
       - name: Cleanup intermediate architecture tags
         if: always()

.github/workflows/sdk-container-build-push.yml

@@ -299,7 +299,7 @@ jobs:
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 # main
 
       - name: Cleanup intermediate architecture tags
         if: always()

.github/workflows/test-impact-analysis.yml

@@ -73,7 +73,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.12'
+          python-version: '3.12.13'
 
       - name: Install PyYAML
         run: pip install pyyaml

.github/workflows/ui-container-build-push.yml

@@ -205,7 +205,7 @@ jobs:
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 # main
 
       - name: Cleanup intermediate architecture tags
         if: always()

.github/workflows/ui-e2e-tests-v2.yml

@@ -5,21 +5,7 @@ name: UI - E2E Tests (Optimized)
 # critical paths are changed or if impact analysis fails.
 
 on:
-  push:
-    branches:
-      - master
-      - "v5.*"
-    paths:
-      - '.github/workflows/ui-e2e-tests-v2.yml'
-      - '.github/test-impact.yml'
-      - 'ui/**'
   pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-      - unlabeled
     branches:
       - master
       - "v5.*"
@@ -33,39 +19,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  # Trusted PR authors get the opt-in label automatically. This job does not
-  # check out or execute PR code; it only calls the GitHub API for trusted users.
-  auto-label-trusted-pr:
-    if: |
-      github.event_name == 'pull_request' &&
-      (github.event.action == 'opened' || github.event.action == 'reopened') &&
-      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) &&
-      !contains(github.event.pull_request.labels.*.name, 'run-ui-e2e')
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-    steps:
-      - name: Add UI E2E opt-in label
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              labels: ['run-ui-e2e'],
-            });
-
-  # UI E2E consumes cloud credentials, so PR runs require explicit maintainer opt-in.
-  # On protected branch pushes, run independently of PR labels.
+  # First, analyze which tests need to run
   impact-analysis:
-    if: |
-      github.repository == 'prowler-cloud/prowler' &&
-      (github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-ui-e2e'))
+    if: github.repository == 'prowler-cloud/prowler'
+    permissions:
+      contents: read
     uses: ./.github/workflows/test-impact-analysis.yml
 
   # Run E2E tests based on impact analysis
@@ -73,10 +34,8 @@ jobs:
     needs: impact-analysis
     if: |
       github.repository == 'prowler-cloud/prowler' &&
-      (github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-ui-e2e')) &&
       (needs.impact-analysis.outputs.has-ui-e2e == 'true' || needs.impact-analysis.outputs.run-all == 'true')
     runs-on: ubuntu-latest
-    environment: ui-e2e-cloud
     env:
       AUTH_SECRET: 'fallback-ci-secret-for-testing'
       AUTH_TRUST_HOST: true
@@ -168,8 +127,8 @@ jobs:
 
       - name: Add AWS credentials for testing
         run: |
-          echo "AWS_ACCESS_KEY_ID=${E2E_AWS_PROVIDER_ACCESS_KEY}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${E2E_AWS_PROVIDER_SECRET_KEY}" >> .env
+          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
+          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
 
       - name: Build API image from current code
         # docker-compose.yml references prowlercloud/prowler-api:latest from the registry,
@@ -334,35 +293,11 @@ jobs:
         run: |
           docker compose down -v || true
 
-  # Skip job - provides clear feedback when UI E2E is not explicitly authorized.
-  skip-e2e-no-label:
-    if: |
-      github.repository == 'prowler-cloud/prowler' &&
-      github.event_name == 'pull_request' &&
-      !contains(github.event.pull_request.labels.*.name, 'run-ui-e2e')
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: audit
-
-      - name: UI E2E skipped - opt-in label missing
-        run: |
-          echo "## UI E2E Tests Skipped" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "UI E2E tests consume cloud credentials and are skipped unless a maintainer adds the run-ui-e2e label." >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Add the label to opt in; remove it to stop secret-consuming UI E2E jobs." >> $GITHUB_STEP_SUMMARY
-
-  # Skip job - provides clear feedback when no E2E tests needed after opt-in.
-  skip-e2e-no-tests:
+  # Skip job - provides clear feedback when no E2E tests needed
+  skip-e2e:
     needs: impact-analysis
     if: |
       github.repository == 'prowler-cloud/prowler' &&
-      (github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run-ui-e2e')) &&
       needs.impact-analysis.outputs.has-ui-e2e != 'true' &&
       needs.impact-analysis.outputs.run-all != 'true'
     runs-on: ubuntu-latest

prowler/CHANGELOG.md

@@ -11,6 +11,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `sagemaker_clarify_exists` check for AWS provider [(#11211)](https://github.com/prowler-cloud/prowler/pull/11211)
 - `cloudsql_instance_high_availability_enabled` check for GCP provider, verifying Cloud SQL primary instances use `REGIONAL` availability for automatic zone failover [(#11024)](https://github.com/prowler-cloud/prowler/pull/11024)
 - `identity_storage_service_level_admins_scoped` check for OCI provider CIS 3.1 control 1.15, ensuring storage service-level administrators exclude delete permissions [(#11523)](https://github.com/prowler-cloud/prowler/pull/11523)
+- `cosmosdb_account_automatic_failover_enabled` check for Azure provider [(#11031)](https://github.com/prowler-cloud/prowler/pull/11031)
 
 ---
 

prowler/compliance/azure/iso27001_2022_azure.json

@@ -1293,7 +1293,8 @@
         "storage_ensure_private_endpoints_in_storage_accounts",
         "storage_secure_transfer_required_is_enabled",
         "vm_ensure_using_managed_disks",
-        "vm_trusted_launch_enabled"
+        "vm_trusted_launch_enabled",
+        "cosmosdb_account_automatic_failover_enabled"
       ]
     },
     {

prowler/compliance/csa_ccm_4.0.json

@@ -1087,7 +1087,8 @@
           "storage_blob_versioning_is_enabled",
           "storage_geo_redundant_enabled",
           "vm_scaleset_associated_with_load_balancer",
-          "vm_scaleset_not_empty"
+          "vm_scaleset_not_empty",
+          "cosmosdb_account_automatic_failover_enabled"
         ],
         "gcp": [
           "compute_instance_automatic_restart_enabled",

prowler/lib/banner.py

@@ -58,16 +58,17 @@ def print_prowler_cloud_banner(provider: str = None):
     bar = f"{banner_color}│{Style.RESET_ALL}"
     print(
         f"""
-{bar} {Style.BRIGHT}You're getting a snapshot. Prowler Cloud gives you the full picture.{Style.RESET_ALL}
+{bar} {Style.BRIGHT}You're getting a snapshot 📸. Prowler Cloud gives you the full picture:{Style.RESET_ALL}
 {bar}
-{bar} {check} {Style.BRIGHT}Attack Path Visualization{Style.RESET_ALL} - see how attackers chain risks to reach your crown jewels
-{bar} {check} {Style.BRIGHT}Lighthouse AI + MCP{Style.RESET_ALL} - autonomous triage, prioritization and remediation
-{bar} {check} {Style.BRIGHT}Organizations{Style.RESET_ALL} - all your AWS accounts under one organization
-{bar} {check} {Style.BRIGHT}Continuous scanning{Style.RESET_ALL} - scheduled scans with history, trends and alerts
-{bar} {check} {Style.BRIGHT}Integrations{Style.RESET_ALL} - Jira, Slack, AWS Security Hub, Amazon S3, SSO and RBAC
-{bar} {check} {Style.BRIGHT}Reports{Style.RESET_ALL} - download ready-to-share PDF reports
-{bar} {check} {Style.BRIGHT}Live compliance{Style.RESET_ALL} - dashboards for 50+ frameworks, always up to date
+{bar} {check} {Style.BRIGHT}Continuous Security Monitoring{Style.RESET_ALL} - scheduled scans with history, trends and alerts.
+{bar} {check} {Style.BRIGHT}Lighthouse AI + MCP{Style.RESET_ALL} - autonomous triage, custom dashboards, prioritization with prevention and remediation.
+{bar} {check} {Style.BRIGHT}Alerts{Style.RESET_ALL} - get notified when anything you want is happening.
+{bar} {check} {Style.BRIGHT}Live Compliance{Style.RESET_ALL} - dashboards for 50+ frameworks, always up to date.
+{bar} {check} {Style.BRIGHT}Remediation{Style.RESET_ALL} - complete guided remediation including Autonomous remediation with Lighthouse AI.
+{bar} {check} {Style.BRIGHT}Attack Path Visualization{Style.RESET_ALL} - see how attackers chain risks to reach your crown jewels.
+{bar} {check} {Style.BRIGHT}Bulk Provisioning{Style.RESET_ALL} - add your entire AWS Organization in seconds.
+{bar} {check} {Style.BRIGHT}Integrations{Style.RESET_ALL} - Anything with our MCP + Jira, Slack, AWS Security Hub, Amazon S3, SSO and RBAC.
 {bar}
-{bar} {Fore.BLUE}Start free at cloud.prowler.com{Style.RESET_ALL}
+{bar} {Fore.BLUE}Start free at 👉 cloud.prowler.com{Style.RESET_ALL}
 """
     )

prowler/providers/aws/aws_regions_by_service.json

@@ -2582,6 +2582,7 @@
         "aws": [
           "af-south-1",
           "ap-east-1",
+          "ap-east-2",
           "ap-northeast-1",
           "ap-northeast-2",
           "ap-northeast-3",
@@ -2591,6 +2592,9 @@
           "ap-southeast-2",
           "ap-southeast-3",
           "ap-southeast-4",
+          "ap-southeast-5",
+          "ap-southeast-6",
+          "ap-southeast-7",
           "ca-central-1",
           "ca-west-1",
           "eu-central-1",
@@ -2604,6 +2608,7 @@
           "il-central-1",
           "me-central-1",
           "me-south-1",
+          "mx-central-1",
           "sa-east-1",
           "us-east-1",
           "us-east-2",
@@ -7344,6 +7349,7 @@
     "lightsail": {
       "regions": {
         "aws": [
+          "ap-east-1",
           "ap-northeast-1",
           "ap-northeast-2",
           "ap-south-1",
@@ -7354,9 +7360,11 @@
           "ca-central-1",
           "eu-central-1",
           "eu-north-1",
+          "eu-south-2",
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "sa-east-1",
           "us-east-1",
           "us-east-2",
           "us-west-2"
@@ -8269,7 +8277,9 @@
           "cn-north-1",
           "cn-northwest-1"
         ],
-        "aws-eusc": [],
+        "aws-eusc": [
+          "eusc-de-east-1"
+        ],
         "aws-us-gov": [
           "us-gov-east-1",
           "us-gov-west-1"
@@ -9220,6 +9230,7 @@
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "sa-east-1",
           "us-east-1",
           "us-east-2",
           "us-west-2"
@@ -9986,6 +9997,8 @@
           "ap-south-1",
           "ap-southeast-1",
           "ap-southeast-2",
+          "ap-southeast-5",
+          "ap-southeast-7",
           "ca-central-1",
           "eu-central-1",
           "eu-south-2",

prowler/providers/azure/services/cosmosdb/cosmosdb_account_automatic_failover_enabled/cosmosdb_account_automatic_failover_enabled.metadata.json

@@ -0,0 +1,38 @@
+{
+  "Provider": "azure",
+  "CheckID": "cosmosdb_account_automatic_failover_enabled",
+  "CheckTitle": "Cosmos DB account has automatic failover enabled",
+  "CheckType": [],
+  "ServiceName": "cosmosdb",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "microsoft.documentdb/databaseaccounts",
+  "ResourceGroup": "database",
+  "Description": "**Azure Cosmos DB accounts** are evaluated for **automatic failover** configuration. When enabled, Cosmos DB automatically promotes a secondary region to primary during a regional outage, ensuring continuous availability without manual intervention.",
+  "Risk": "Without **automatic failover**, a regional outage requires **manual failover** which delays recovery and risks data unavailability. Applications dependent on the primary region experience downtime until an operator intervenes.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+    "https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability",
+    "https://learn.microsoft.com/en-us/azure/cosmos-db/distribute-data-globally"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "az cosmosdb update --name <COSMOS_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP> --enable-automatic-failover true",
+      "NativeIaC": "```bicep\n// Bicep: Enable automatic failover on a Cosmos DB account\nresource account 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  kind: 'GlobalDocumentDB'\n  properties: {\n    databaseAccountOfferType: 'Standard'\n    locations: [\n      { locationName: '<primary_region>', failoverPriority: 0 }\n      { locationName: '<secondary_region>', failoverPriority: 1 }\n    ]\n    enableAutomaticFailover: true // Critical: Promotes a secondary region during a primary region outage\n  }\n}\n```",
+      "Other": "1. Sign in to the Azure portal and open your Cosmos DB account\n2. In the left menu, select Replicate data globally\n3. Click Automatic Failover\n4. Toggle Enable Automatic Failover to On\n5. Set failover priorities for each region\n6. Click Save",
+      "Terraform": "```hcl\n# Terraform: Enable automatic failover on a Cosmos DB account\nresource \"azurerm_cosmosdb_account\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = \"<example_resource_name>\"\n  location            = \"<primary_region>\"\n  offer_type          = \"Standard\"\n  kind                = \"GlobalDocumentDB\"\n\n  geo_location {\n    location          = \"<primary_region>\"\n    failover_priority = 0\n  }\n\n  geo_location {\n    location          = \"<secondary_region>\"\n    failover_priority = 1\n  }\n\n  enable_automatic_failover = true # Critical: Promotes a secondary region during a primary region outage\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable **automatic failover** on Cosmos DB accounts with **multi-region** deployments so a secondary region is promoted automatically when the primary region becomes unavailable. Configure **failover priorities** to reflect your recovery strategy, validate **RTO/RPO** expectations with periodic failover drills, and combine with **multi-region writes** where active-active is required.",
+      "Url": "https://hub.prowler.com/check/cosmosdb_account_automatic_failover_enabled"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/azure/services/cosmosdb/cosmosdb_account_automatic_failover_enabled/cosmosdb_account_automatic_failover_enabled.py

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.cosmosdb.cosmosdb_client import cosmosdb_client
+
+
+class cosmosdb_account_automatic_failover_enabled(Check):
+    """Ensure that Cosmos DB accounts have automatic failover enabled."""
+
+    def execute(self) -> Check_Report_Azure:
+        """Execute the Cosmos DB automatic failover check.
+
+        Iterates over every Cosmos DB account fetched by the service and reports
+        PASS when `enableAutomaticFailover` is True, FAIL otherwise.
+
+        Returns:
+            A list of Check_Report_Azure with one report per Cosmos DB account.
+        """
+        findings = []
+        for subscription, accounts in cosmosdb_client.accounts.items():
+            for account in accounts:
+                report = Check_Report_Azure(metadata=self.metadata(), resource=account)
+                report.subscription = subscription
+                report.status = "FAIL"
+                report.status_extended = f"CosmosDB account {account.name} from subscription {subscription} does not have automatic failover enabled."
+                if account.enable_automatic_failover:
+                    report.status = "PASS"
+                    report.status_extended = f"CosmosDB account {account.name} from subscription {subscription} has automatic failover enabled."
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/cosmosdb/cosmosdb_service.py

@@ -1,5 +1,5 @@
 from dataclasses import dataclass
-from typing import List
+from typing import List, Optional
 
 from azure.mgmt.cosmosdb import CosmosDBManagementClient
 
@@ -36,14 +36,29 @@ class CosmosDB(AzureService):
                                     name=private_endpoint_connection.name,
                                     type=private_endpoint_connection.type,
                                 )
-                                for private_endpoint_connection in getattr(
-                                    account, "private_endpoint_connections", []
+                                for private_endpoint_connection in (
+                                    getattr(account, "private_endpoint_connections", [])
+                                    or []
                                 )
                                 if private_endpoint_connection
                             ],
                             disable_local_auth=getattr(
                                 account, "disable_local_auth", False
                             ),
+                            enable_automatic_failover=getattr(
+                                account, "enable_automatic_failover", False
+                            ),
+                            backup_policy_type=getattr(
+                                getattr(account, "backup_policy", None),
+                                "type",
+                                None,
+                            ),
+                            public_network_access=getattr(
+                                account, "public_network_access", None
+                            ),
+                            minimal_tls_version=getattr(
+                                account, "minimal_tls_version", None
+                            ),
                         )
                     )
             except Exception as error:
@@ -71,3 +86,7 @@ class Account:
     location: str
     private_endpoint_connections: List[PrivateEndpointConnection]
     disable_local_auth: bool = False
+    enable_automatic_failover: bool = False
+    backup_policy_type: Optional[str] = None
+    public_network_access: Optional[str] = None
+    minimal_tls_version: Optional[str] = None

tests/providers/azure/services/cosmosdb/cosmosdb_account_automatic_failover_enabled/cosmosdb_account_automatic_failover_enabled_test.py

@@ -0,0 +1,115 @@
+from unittest import mock
+
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
+
+
+class Test_cosmosdb_account_automatic_failover_enabled:
+    def test_no_subscriptions(self):
+        cosmosdb_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled.cosmosdb_client",
+                new=cosmosdb_client,
+            ),
+        ):
+            from prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled import (
+                cosmosdb_account_automatic_failover_enabled,
+            )
+
+            cosmosdb_client.accounts = {}
+
+            check = cosmosdb_account_automatic_failover_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_pass(self):
+        cosmosdb_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled.cosmosdb_client",
+                new=cosmosdb_client,
+            ),
+        ):
+            from prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled import (
+                cosmosdb_account_automatic_failover_enabled,
+            )
+            from prowler.providers.azure.services.cosmosdb.cosmosdb_service import (
+                Account,
+            )
+
+            cosmosdb_client.accounts = {
+                AZURE_SUBSCRIPTION_ID: [
+                    Account(
+                        id="/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/test-account",
+                        name="test-account",
+                        kind="GlobalDocumentDB",
+                        type="Microsoft.DocumentDB/databaseAccounts",
+                        tags={},
+                        is_virtual_network_filter_enabled=False,
+                        location="eastus",
+                        private_endpoint_connections=[],
+                        disable_local_auth=False,
+                        enable_automatic_failover=True,
+                    )
+                ]
+            }
+
+            check = cosmosdb_account_automatic_failover_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+
+    def test_fail(self):
+        cosmosdb_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled.cosmosdb_client",
+                new=cosmosdb_client,
+            ),
+        ):
+            from prowler.providers.azure.services.cosmosdb.cosmosdb_account_automatic_failover_enabled.cosmosdb_account_automatic_failover_enabled import (
+                cosmosdb_account_automatic_failover_enabled,
+            )
+            from prowler.providers.azure.services.cosmosdb.cosmosdb_service import (
+                Account,
+            )
+
+            cosmosdb_client.accounts = {
+                AZURE_SUBSCRIPTION_ID: [
+                    Account(
+                        id="/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/test-account",
+                        name="test-account",
+                        kind="GlobalDocumentDB",
+                        type="Microsoft.DocumentDB/databaseAccounts",
+                        tags={},
+                        is_virtual_network_filter_enabled=False,
+                        location="eastus",
+                        private_endpoint_connections=[],
+                        disable_local_auth=False,
+                        enable_automatic_failover=False,
+                    )
+                ]
+            }
+
+            check = cosmosdb_account_automatic_failover_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"