fix(ci): Release edited (#1276)

* chore(inventory): option included in main

* chore(inventory): quick inventory

* chore(inventory): functional version

* chore(inventory): functional version without echo

* Update include/quick_inventory

Co-authored-by: Pepe Fagoaga <pepe@verica.io>

* Update prowler

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>

* Added new line at report line

* Added more information from IAM

Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>

.backportrc.json

@@ -1,14 +0,0 @@
-{
-  "repoOwner": "prowler-cloud",
-  "repoName": "prowler",
-  "targetPRLabels": [
-    "backport"
-  ],
-  "sourcePRLabels": [
-    "was-backported"
-  ],
-  "copySourcePRLabels": false,
-  "copySourcePRReviewers": true,
-  "prTitle": "{{sourcePullRequest.title}}",
-  "commitConflicts": true
-}

.dockerignore

@@ -0,0 +1,17 @@
+# Ignore git files
+.git/
+.github/
+
+# Ignore Dodckerfile
+Dockerfile
+
+# Ignore hidden files
+.pre-commit-config.yaml
+.dockerignore
+.gitignore
+.pytest*
+.DS_Store
+
+# Ignore output directories
+output/
+junit-reports/

.env

@@ -1,168 +0,0 @@
-#### Important Note ####
-# This file is used to store environment variables for the Prowler App.
-# For production, it is recommended to use a secure method to store these variables and change the default secret keys.
-
-#### Prowler UI Configuration ####
-PROWLER_UI_VERSION="stable"
-AUTH_URL=http://localhost:3000
-API_BASE_URL=http://prowler-api:8080/api/v1
-NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
-NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
-AUTH_TRUST_HOST=true
-UI_PORT=3000
-# openssl rand -base64 32
-AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
-# Google Tag Manager ID
-NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""
-
-#### MCP Server ####
-PROWLER_MCP_VERSION=stable
-# For UI and MCP running on docker:
-PROWLER_MCP_SERVER_URL=http://mcp-server:8000/mcp
-# For UI running on host, MCP in docker:
-# PROWLER_MCP_SERVER_URL=http://localhost:8000/mcp
-
-#### Code Review Configuration ####
-# Enable Claude Code standards validation on pre-push hook
-# Set to 'true' to validate changes against AGENTS.md standards via Claude Code
-# Set to 'false' to skip validation
-CODE_REVIEW_ENABLED=true
-
-#### Prowler API Configuration ####
-PROWLER_API_VERSION="stable"
-# PostgreSQL settings
-# If running Django and celery on host, use 'localhost', else use 'postgres-db'
-POSTGRES_HOST=postgres-db
-POSTGRES_PORT=5432
-POSTGRES_ADMIN_USER=prowler_admin
-POSTGRES_ADMIN_PASSWORD=postgres
-POSTGRES_USER=prowler
-POSTGRES_PASSWORD=postgres
-POSTGRES_DB=prowler_db
-# Read replica settings (optional)
-# POSTGRES_REPLICA_HOST=postgres-db
-# POSTGRES_REPLICA_PORT=5432
-# POSTGRES_REPLICA_USER=prowler
-# POSTGRES_REPLICA_PASSWORD=postgres
-# POSTGRES_REPLICA_DB=prowler_db
-# POSTGRES_REPLICA_MAX_ATTEMPTS=3
-# POSTGRES_REPLICA_RETRY_BASE_DELAY=0.5
-
-# Neo4j auth
-NEO4J_HOST=neo4j
-NEO4J_PORT=7687
-NEO4J_USER=neo4j
-NEO4J_PASSWORD=neo4j_password
-# Neo4j settings
-NEO4J_DBMS_MAX__DATABASES=1000
-NEO4J_SERVER_MEMORY_PAGECACHE_SIZE=1G
-NEO4J_SERVER_MEMORY_HEAP_INITIAL__SIZE=1G
-NEO4J_SERVER_MEMORY_HEAP_MAX__SIZE=1G
-NEO4J_POC_EXPORT_FILE_ENABLED=true
-NEO4J_APOC_IMPORT_FILE_ENABLED=true
-NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG=true
-NEO4J_PLUGINS=["apoc"]
-NEO4J_DBMS_SECURITY_PROCEDURES_ALLOWLIST=apoc.*
-NEO4J_DBMS_SECURITY_PROCEDURES_UNRESTRICTED=apoc.*
-NEO4J_DBMS_CONNECTOR_BOLT_LISTEN_ADDRESS=0.0.0.0:7687
-# Neo4j Prowler settings
-ATTACK_PATHS_FINDINGS_BATCH_SIZE=1000
-
-# Celery-Prowler task settings
-TASK_RETRY_DELAY_SECONDS=0.1
-TASK_RETRY_ATTEMPTS=5
-
-# Valkey settings
-# If running Valkey and celery on host, use localhost, else use 'valkey'
-VALKEY_HOST=valkey
-VALKEY_PORT=6379
-VALKEY_DB=0
-
-# API scan settings
-
-# The path to the directory where scan output should be stored
-DJANGO_TMP_OUTPUT_DIRECTORY="/tmp/prowler_api_output"
-
-# The maximum number of findings to process in a single batch
-DJANGO_FINDINGS_BATCH_SIZE=1000
-
-# The AWS access key to be used when uploading scan output to an S3 bucket
-# If left empty, default AWS credentials resolution behavior will be used
-DJANGO_OUTPUT_S3_AWS_ACCESS_KEY_ID=""
-
-# The AWS secret key to be used when uploading scan output to an S3 bucket
-DJANGO_OUTPUT_S3_AWS_SECRET_ACCESS_KEY=""
-
-# An optional AWS session token
-DJANGO_OUTPUT_S3_AWS_SESSION_TOKEN=""
-
-# The AWS region where your S3 bucket is located (e.g., "us-east-1")
-DJANGO_OUTPUT_S3_AWS_DEFAULT_REGION=""
-
-# The name of the S3 bucket where scan output should be stored
-DJANGO_OUTPUT_S3_AWS_OUTPUT_BUCKET=""
-
-# Django settings
-DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1,prowler-api
-DJANGO_BIND_ADDRESS=0.0.0.0
-DJANGO_PORT=8080
-DJANGO_DEBUG=False
-DJANGO_SETTINGS_MODULE=config.django.production
-# Select one of [ndjson|human_readable]
-DJANGO_LOGGING_FORMATTER=human_readable
-# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
-# Applies to both Django and Celery Workers
-DJANGO_LOGGING_LEVEL=INFO
-# Defaults to the maximum available based on CPU cores if not set.
-DJANGO_WORKERS=4
-# Token lifetime is in minutes
-DJANGO_ACCESS_TOKEN_LIFETIME=30
-# Token lifetime is in minutes
-DJANGO_REFRESH_TOKEN_LIFETIME=1440
-DJANGO_CACHE_MAX_AGE=3600
-DJANGO_STALE_WHILE_REVALIDATE=60
-DJANGO_MANAGE_DB_PARTITIONS=True
-# openssl genrsa -out private.pem 2048
-DJANGO_TOKEN_SIGNING_KEY=""
-# openssl rsa -in private.pem -pubout -out public.pem
-DJANGO_TOKEN_VERIFYING_KEY=""
-# openssl rand -base64 32
-DJANGO_SECRETS_ENCRYPTION_KEY="oE/ltOhp/n1TdbHjVmzcjDPLcLA41CVI/4Rk+UB5ESc="
-DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
-DJANGO_SENTRY_DSN=
-DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
-
-# Sentry settings
-SENTRY_ENVIRONMENT=local
-SENTRY_RELEASE=local
-NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
-
-#### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
-
-# Social login credentials
-SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
-SOCIAL_GOOGLE_OAUTH_CLIENT_ID=""
-SOCIAL_GOOGLE_OAUTH_CLIENT_SECRET=""
-
-SOCIAL_GITHUB_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/github"
-SOCIAL_GITHUB_OAUTH_CLIENT_ID=""
-SOCIAL_GITHUB_OAUTH_CLIENT_SECRET=""
-
-# Single Sign-On (SSO)
-SAML_SSO_CALLBACK_URL="${AUTH_URL}/api/auth/callback/saml"
-
-# Lighthouse tracing
-LANGSMITH_TRACING=false
-LANGSMITH_ENDPOINT="https://api.smith.langchain.com"
-LANGSMITH_API_KEY=""
-LANGCHAIN_PROJECT=""
-
-# RSS Feed Configuration
-# Multiple feed sources can be configured as a JSON array (must be valid JSON, no trailing commas)
-# Each source requires: id, name, type (github_releases|blog|custom), url, and enabled flag
-# IMPORTANT: Must be a single line with valid JSON (no newlines, no trailing commas)
-# Example with one source:
-RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true}]'
-# Example with multiple sources (no trailing comma after last item):
-# RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true},{"id":"prowler-blog","name":"Prowler Blog","type":"blog","url":"https://prowler.com/blog/rss","enabled":false}]'

.github/CODEOWNERS

@@ -1,28 +1 @@
-# SDK
-/* @prowler-cloud/sdk
-/prowler/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
-/tests/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
-/dashboard/ @prowler-cloud/sdk
-/docs/ @prowler-cloud/sdk
-/examples/ @prowler-cloud/sdk
-/util/ @prowler-cloud/sdk
-/contrib/ @prowler-cloud/sdk
-/permissions/ @prowler-cloud/sdk
-/codecov.yml @prowler-cloud/sdk @prowler-cloud/api
-
-# API
-/api/ @prowler-cloud/api
-
-# UI
-/ui/ @prowler-cloud/ui
-
-# AI
-/mcp_server/ @prowler-cloud/ai
-
-# Platform
-/.github/ @prowler-cloud/platform
-/Makefile @prowler-cloud/platform
-/kubernetes/ @prowler-cloud/platform
-**/Dockerfile* @prowler-cloud/platform
-**/docker-compose*.yml @prowler-cloud/platform
-**/docker-compose*.yaml @prowler-cloud/platform
+* @prowler-cloud/prowler-team

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,50 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]: "
+labels: bug, status/needs-triage
+assignees: ''
+
+---
+
+<!--
+Please use this template to create your bug report. By providing as much info as possible you help us understand the issue, reproduce it and resolve it for you quicker. Therefore, take a couple of extra minutes to make sure you have provided all info needed.
+
+PROTIP: record your screen and attach it as a gif to showcase the issue.
+
+- How to record and attach gif: https://bit.ly/2Mi8T6K
+-->
+
+**What happened?**  
+A clear and concise description of what the bug is or what is not working as expected
+
+
+**How to reproduce it**  
+Steps to reproduce the behavior:
+1. What command are you running?
+2. Environment you have, like single account, multi-account, organizations, etc.
+3. See error
+
+
+**Expected behavior**  
+A clear and concise description of what you expected to happen.
+
+
+**Screenshots or Logs**  
+If applicable, add screenshots to help explain your problem.
+Also, you can add logs (anonymize them first!). Here a command that may help to share a log
+`bash -x ./prowler -options > debug.log 2>&1` then attach here `debug.log`
+
+
+**From where are you running Prowler?**  
+Please, complete the following information:
+ - Resource: [e.g. EC2 instance, Fargate task, Docker container manually, EKS, Cloud9, CodeBuild, workstation, etc.)  
+ - OS: [e.g. Amazon Linux 2, Mac, Alpine, Windows, etc. ]
+ - AWS-CLI Version [`aws --version`]:
+ - Prowler Version [`./prowler -V`]:
+ - Shell and version:
+ - Others:
+
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,140 +0,0 @@
-name: 🐞 Bug Report
-description: Create a report to help us improve
-labels: ["bug", "status/needs-triage"]
-
-body:
-  - type: checkboxes
-    id: search
-    attributes:
-      label: Issue search
-      options:
-        - label: I have searched the existing issues and this bug has not been reported yet
-          required: true
-  - type: dropdown
-    id: component
-    attributes:
-      label: Which component is affected?
-      multiple: true
-      options:
-        - Prowler CLI/SDK
-        - Prowler API
-        - Prowler UI
-        - Prowler Dashboard
-        - Prowler MCP Server
-        - Documentation
-        - Other
-    validations:
-      required: true
-  - type: dropdown
-    id: provider
-    attributes:
-      label: Cloud Provider (if applicable)
-      multiple: true
-      options:
-        - AWS
-        - Azure
-        - GCP
-        - Kubernetes
-        - GitHub
-        - Microsoft 365
-        - Not applicable
-  - type: textarea
-    id: reproduce
-    attributes:
-      label: Steps to Reproduce
-      description: Steps to reproduce the behavior
-      placeholder: |-
-        1. What command are you running?
-        2. Cloud provider you are launching
-        3. Environment you have, like single account, multi-account, organizations, multi or single subscription, etc.
-        4. See error
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: Expected behavior
-      description: A clear and concise description of what you expected to happen.
-    validations:
-      required: true
-  - type: textarea
-    id: actual
-    attributes:
-      label: Actual Result with Screenshots or Logs
-      description: If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here a command that may help to share a log `prowler <your arguments> --log-level ERROR --log-file $(date +%F)_error.log` then attach here the log file.
-    validations:
-      required: true
-  - type: dropdown
-    id: type
-    attributes:
-      label: How did you install Prowler?
-      options:
-        - Cloning the repository from github.com (git clone)
-        - From pip package (pip install prowler)
-        - From brew (brew install prowler)
-        - Docker (docker pull toniblyx/prowler)
-    validations:
-      required: true
-  - type: textarea
-    id: environment
-    attributes:
-      label: Environment Resource
-      description: From where are you running Prowler?
-      placeholder: |-
-        1. EC2 instance
-        2. Fargate task
-        3. Docker container locally
-        4. EKS
-        5. Cloud9
-        6. CodeBuild
-        7. Workstation
-        8. Other(please specify)
-    validations:
-      required: true
-  - type: textarea
-    id: os
-    attributes:
-      label: OS used
-      description: Which OS are you using?
-      placeholder: |-
-        1. Amazon Linux 2
-        2. MacOS
-        3. Alpine Linux
-        4. Windows
-        5. Other(please specify)
-    validations:
-      required: true
-  - type: input
-    id: prowler-version
-    attributes:
-      label: Prowler version
-      description: Which Prowler version are you using?
-      placeholder: |-
-        prowler --version
-    validations:
-      required: true
-  - type: input
-    id: python-version
-    attributes:
-      label: Python version
-      description: Which Python version are you using?
-      placeholder: |-
-        python --version
-    validations:
-      required: true
-  - type: input
-    id: pip-version
-    attributes:
-      label: Pip version
-      description: Which pip version are you using?
-      placeholder: |-
-        pip --version
-    validations:
-      required: true
-  - type: textarea
-    id: additional
-    attributes:
-      description: Additional context
-      label: Context
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -1,11 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: 📖 Documentation
-    url: https://docs.prowler.com
-    about: Check our comprehensive documentation for guides and tutorials
-  - name: 💬 GitHub Discussions
-    url: https://github.com/prowler-cloud/prowler/discussions
-    about: Ask questions and discuss with the community
-  - name: 🌟 Prowler Community
-    url: https://goto.prowler.com/slack
-    about: Join our community for support and updates

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -1,79 +0,0 @@
-name: 💡 Feature Request
-description: Suggest an idea for this project
-labels: ["feature-request", "status/needs-triage"]
-
-body:
-  - type: checkboxes
-    id: search
-    attributes:
-      label: Feature search
-      options:
-        - label: I have searched the existing issues and this feature has not been requested yet or is already in our [Public Roadmap](https://roadmap.prowler.com/roadmap)
-          required: true
-  - type: dropdown
-    id: component
-    attributes:
-      label: Which component would this feature affect?
-      multiple: true
-      options:
-        - Prowler CLI/SDK
-        - Prowler API
-        - Prowler UI
-        - Prowler Dashboard
-        - Prowler MCP Server
-        - Documentation
-        - New component/Integration
-    validations:
-      required: true
-  - type: dropdown
-    id: provider
-    attributes:
-      label: Related to specific cloud provider?
-      multiple: true
-      options:
-        - AWS
-        - Azure
-        - GCP
-        - Kubernetes
-        - GitHub
-        - Microsoft 365
-        - All providers
-        - Not provider-specific
-  - type: textarea
-    id: Problem
-    attributes:
-      label: New feature motivation
-      description: Is your feature request related to a problem? Please describe
-      placeholder: |-
-        1. A clear and concise description of what the problem is. Ex. I'm always frustrated when
-    validations:
-      required: true
-  - type: textarea
-    id: Solution
-    attributes:
-      label: Solution Proposed
-      description: A clear and concise description of what you want to happen.
-    validations:
-      required: true
-  - type: textarea
-    id: use-case
-    attributes:
-      label: Use case and benefits
-      description: Who would benefit from this feature and how?
-      placeholder: This would help security teams by...
-    validations:
-      required: true
-  - type: textarea
-    id: Alternatives
-    attributes:
-      label: Describe alternatives you've considered
-      description: A clear and concise description of any alternative solutions or features you've considered.
-    validations:
-      required: true
-  - type: textarea
-    id: Context
-    attributes:
-      label: Additional context
-      description: Add any other context or screenshots about the feature request here.
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement, status/needs-triage
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/actions/setup-python-poetry/action.yml

@@ -1,93 +0,0 @@
-name: 'Setup Python with Poetry'
-description: 'Setup Python environment with Poetry and install dependencies'
-author: 'Prowler'
-
-inputs:
-  python-version:
-    description: 'Python version to use'
-    required: true
-  working-directory:
-    description: 'Working directory for Poetry'
-    required: false
-    default: '.'
-  poetry-version:
-    description: 'Poetry version to install'
-    required: false
-    default: '2.1.1'
-  install-dependencies:
-    description: 'Install Python dependencies with Poetry'
-    required: false
-    default: 'true'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Replace @master with current branch in pyproject.toml (prowler repo only)
-      if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-        echo "Using branch: $BRANCH_NAME"
-        sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
-
-    - name: Install poetry
-      shell: bash
-      run: |
-        python -m pip install --upgrade pip
-        pipx install poetry==${{ inputs.poetry-version }}
-
-    - name: Update poetry.lock with latest Prowler commit
-      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
-        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
-          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
-        }' poetry.lock
-        echo "Updated resolved_reference:"
-        grep -A2 -B2 "resolved_reference" poetry.lock
-
-    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
-      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
-        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
-          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
-        }' poetry.lock
-        echo "Updated resolved_reference:"
-        grep -A2 -B2 "resolved_reference" poetry.lock
-
-    - name: Update poetry.lock (prowler repo only)
-      if: github.repository == 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: poetry lock
-
-    - name: Set up Python ${{ inputs.python-version }}
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ inputs.python-version }}
-        cache: 'poetry'
-        cache-dependency-path: ${{ inputs.working-directory }}/poetry.lock
-
-    - name: Install Python dependencies
-      if: inputs.install-dependencies == 'true'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        poetry install --no-root
-        poetry run pip list
-
-    - name: Update Prowler Cloud API Client
-      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        poetry remove prowler-cloud-api-client
-        poetry add ./prowler-cloud-api-client

.github/actions/slack-notification/README.md

@@ -1,198 +0,0 @@
-# Slack Notification Action
-
-A generic and flexible GitHub composite action for sending Slack notifications using JSON template files. Supports both standalone messages and message updates, with automatic status detection.
-
-## Features
-
-- **Template-based**: All messages use JSON template files for consistency
-- **Automatic status detection**: Pass `step-outcome` to auto-calculate success/failure
-- **Message updates**: Supports updating existing messages (using `chat.update`)
-- **Simple API**: Clean and minimal interface
-- **Reusable**: Use across all workflows and scenarios
-- **Maintainable**: Centralized message templates
-
-## Use Cases
-
-1. **Container releases**: Track push start and completion with automatic status
-2. **Deployments**: Track deployment progress with rich Block Kit formatting
-3. **Custom notifications**: Any scenario where you need to notify Slack
-
-## Inputs
-
-| Input | Description | Required | Default |
-|-------|-------------|----------|---------|
-| `slack-bot-token` | Slack bot token for authentication | Yes | - |
-| `payload-file-path` | Path to JSON file with the Slack message payload | Yes | - |
-| `update-ts` | Message timestamp to update (leave empty for new messages) | No | `''` |
-| `step-outcome` | Step outcome for automatic status detection (sets STATUS_EMOJI and STATUS_TEXT env vars) | No | `''` |
-
-## Outputs
-
-| Output | Description |
-|--------|-------------|
-| `ts` | Timestamp of the Slack message (use for updates) |
-
-## Usage Examples
-
-### Example 1: Container Release with Automatic Status Detection
-
-Using JSON template files with automatic status detection:
-
-```yaml
-# Send start notification
-- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-# Do the work
-- name: Build and push container
-  if: github.event_name == 'release'
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Send completion notification with automatic status detection
-- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-    step-outcome: ${{ steps.container-push.outcome }}
-```
-
-**Benefits:**
-- No status calculation needed in workflow
-- Reusable template files
-- Clean and concise
-- Automatic `STATUS_EMOJI` and `STATUS_TEXT` env vars set by action
-- Consistent message format across all workflows
-
-### Example 2: Deployment with Message Update Pattern
-
-```yaml
-# Send initial deployment message
-- name: Notify deployment started
-  id: slack-start
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
-
-# Run deployment
-- name: Deploy
-  id: deploy
-  run: terraform apply -auto-approve
-
-# Determine additional status variables
-- name: Determine deployment status
-  if: always()
-  id: deploy-status
-  run: |
-    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
-      echo "STATUS_COLOR=28a745" >> $GITHUB_ENV
-      echo "STATUS=Completed" >> $GITHUB_ENV
-    else
-      echo "STATUS_COLOR=fc3434" >> $GITHUB_ENV
-      echo "STATUS=Failed" >> $GITHUB_ENV
-    fi
-
-# Update the same message with final status
-- name: Update deployment notification
-  if: always()
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    MESSAGE_TS: ${{ steps.slack-start.outputs.ts }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS: ${{ env.STATUS }}
-    STATUS_COLOR: ${{ env.STATUS_COLOR }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    update-ts: ${{ steps.slack-start.outputs.ts }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
-    step-outcome: ${{ steps.deploy.outcome }}
-```
-
-## Automatic Status Detection
-
-When you provide `step-outcome` input, the action automatically sets these environment variables:
-
-| Outcome | STATUS_EMOJI | STATUS_TEXT |
-|---------|--------------|-------------|
-| success | `[✓]` | `completed successfully!` |
-| failure | `[✗]` | `failed` |
-
-These variables are then available in your payload template files.
-
-## Template File Format
-
-All template files must be valid JSON and support environment variable substitution. Example:
-
-```json
-{
-  "channel": "$SLACK_CHANNEL_ID",
-  "text": "$STATUS_EMOJI $COMPONENT container release $RELEASE_TAG push $STATUS_TEXT <$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID|View run>"
-}
-```
-
-See available templates in [`.github/scripts/slack-messages/`](../../scripts/slack-messages/).
-
-## Requirements
-
-- Slack Bot Token with scopes: `chat:write`, `chat:write.public`
-- Slack Channel ID where messages will be posted
-- JSON template files for your messages
-
-## Benefits
-
-- **Consistency**: All notifications use standardized templates
-- **Automatic status handling**: No need to calculate success/failure in workflows
-- **Clean workflows**: Minimal boilerplate code
-- **Reusable templates**: One template for all components
-- **Easy to maintain**: Change template once, applies everywhere
-- **Version controlled**: All message formats in git
-
-## Related Resources
-
-- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
-- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
-- [Message templates documentation](../../scripts/slack-messages/README.md)

.github/actions/slack-notification/action.yml

@@ -1,74 +0,0 @@
-name: 'Slack Notification'
-description: 'Generic action to send Slack notifications with optional message updates and automatic status detection'
-inputs:
-  slack-bot-token:
-    description: 'Slack bot token for authentication'
-    required: true
-  payload-file-path:
-    description: 'Path to JSON file with the Slack message payload'
-    required: true
-  update-ts:
-    description: 'Message timestamp to update (only for updates, leave empty for new messages)'
-    required: false
-    default: ''
-  step-outcome:
-    description: 'Outcome of a step to determine status (success/failure) - automatically sets STATUS_TEXT and STATUS_COLOR env vars'
-    required: false
-    default: ''
-outputs:
-  ts:
-    description: 'Timestamp of the Slack message'
-    value: ${{ steps.slack-notification.outputs.ts }}
-runs:
-  using: 'composite'
-  steps:
-    - name: Determine status
-      id: status
-      shell: bash
-      run: |
-        if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
-          echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
-        elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
-          echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
-        else
-          # No outcome provided - pending/in progress state
-          echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
-        fi
-
-    - name: Send Slack notification (new message)
-      if: inputs.update-ts == ''
-      id: slack-notification-post
-      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-      env:
-        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
-      with:
-        method: chat.postMessage
-        token: ${{ inputs.slack-bot-token }}
-        payload-file-path: ${{ inputs.payload-file-path }}
-        payload-templated: true
-        errors: true
-
-    - name: Update Slack notification
-      if: inputs.update-ts != ''
-      id: slack-notification-update
-      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-      env:
-        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
-      with:
-        method: chat.update
-        token: ${{ inputs.slack-bot-token }}
-        payload-file-path: ${{ inputs.payload-file-path }}
-        payload-templated: true
-        errors: true
-
-    - name: Set output
-      id: slack-notification
-      shell: bash
-      run: |
-        if [[ "${{ inputs.update-ts }}" == "" ]]; then
-          echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT
-        else
-          echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT
-        fi

.github/actions/trivy-scan/action.yml

@@ -1,164 +0,0 @@
-name: 'Container Security Scan with Trivy'
-description: 'Scans container images for vulnerabilities using Trivy and reports results'
-author: 'Prowler'
-
-inputs:
-  image-name:
-    description: 'Container image name to scan'
-    required: true
-  image-tag:
-    description: 'Container image tag to scan'
-    required: true
-    default: ${{ github.sha }}
-  severity:
-    description: 'Severities to scan for (comma-separated)'
-    required: false
-    default: 'CRITICAL,HIGH,MEDIUM,LOW'
-  fail-on-critical:
-    description: 'Fail the build if critical vulnerabilities are found'
-    required: false
-    default: 'false'
-  upload-sarif:
-    description: 'Upload results to GitHub Security tab'
-    required: false
-    default: 'true'
-  create-pr-comment:
-    description: 'Create a comment on the PR with scan results'
-    required: false
-    default: 'true'
-  artifact-retention-days:
-    description: 'Days to retain the Trivy report artifact'
-    required: false
-    default: '2'
-
-outputs:
-  critical-count:
-    description: 'Number of critical vulnerabilities found'
-    value: ${{ steps.security-check.outputs.critical }}
-  high-count:
-    description: 'Number of high vulnerabilities found'
-    value: ${{ steps.security-check.outputs.high }}
-  total-count:
-    description: 'Total number of vulnerabilities found'
-    value: ${{ steps.security-check.outputs.total }}
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Cache Trivy vulnerability database
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: ~/.cache/trivy
-        key: trivy-db-${{ runner.os }}-${{ github.run_id }}
-        restore-keys: |
-          trivy-db-${{ runner.os }}-
-
-    - name: Run Trivy vulnerability scan (JSON)
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-      with:
-        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-        format: 'json'
-        output: 'trivy-report.json'
-        severity: ${{ inputs.severity }}
-        exit-code: '0'
-        scanners: 'vuln'
-        timeout: '5m'
-
-    - name: Run Trivy vulnerability scan (SARIF)
-      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-      with:
-        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-        severity: 'CRITICAL,HIGH'
-        exit-code: '0'
-        scanners: 'vuln'
-        timeout: '5m'
-
-    - name: Upload Trivy results to GitHub Security tab
-      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
-      with:
-        sarif_file: 'trivy-results.sarif'
-        category: 'trivy-container'
-
-    - name: Upload Trivy report artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-      if: always()
-      with:
-        name: trivy-scan-report-${{ inputs.image-name }}-${{ inputs.image-tag }}
-        path: trivy-report.json
-        retention-days: ${{ inputs.artifact-retention-days }}
-
-    - name: Generate security summary
-      id: security-check
-      shell: bash
-      run: |
-        CRITICAL=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' trivy-report.json)
-        HIGH=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH")] | length' trivy-report.json)
-        TOTAL=$(jq '[.Results[]?.Vulnerabilities[]?] | length' trivy-report.json)
-
-        echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
-        echo "high=$HIGH" >> $GITHUB_OUTPUT
-        echo "total=$TOTAL" >> $GITHUB_OUTPUT
-
-        echo "### 🔒 Container Security Scan" >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Image:** \`${{ inputs.image-name }}:${{ inputs.image-tag }}\`" >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
-        echo "- 🔴 Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY
-        echo "- 🟠 High: $HIGH" >> $GITHUB_STEP_SUMMARY
-        echo "- **Total**: $TOTAL" >> $GITHUB_STEP_SUMMARY
-
-    - name: Comment scan results on PR
-      if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-      env:
-        IMAGE_NAME: ${{ inputs.image-name }}
-        GITHUB_SHA: ${{ inputs.image-tag }}
-        SEVERITY: ${{ inputs.severity }}
-      with:
-        script: |
-          const comment = require('./.github/scripts/trivy-pr-comment.js');
-
-          // Unique identifier to find our comment
-          const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
-          const body = marker + '\n' + comment;
-
-          // Find existing comment
-          const { data: comments } = await github.rest.issues.listComments({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            issue_number: context.issue.number,
-          });
-
-          const existingComment = comments.find(c => c.body?.includes(marker));
-
-          if (existingComment) {
-            // Update existing comment
-            await github.rest.issues.updateComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              comment_id: existingComment.id,
-              body: body
-            });
-            console.log('✅ Updated existing Trivy scan comment');
-          } else {
-            // Create new comment
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body: body
-            });
-            console.log('✅ Created new Trivy scan comment');
-          }
-
-    - name: Check for critical vulnerabilities
-      if: inputs.fail-on-critical == 'true' && steps.security-check.outputs.critical != '0'
-      shell: bash
-      run: |
-        echo "::error::Found ${{ steps.security-check.outputs.critical }} critical vulnerabilities"
-        echo "::warning::Please update packages or use a different base image"
-        exit 1

.github/codeql/api-codeql-config.yml

@@ -1,12 +0,0 @@
-name: 'API: CodeQL Config'
-paths:
-  - 'api/'
-
-paths-ignore:
-  - 'api/tests/**'
-  - 'api/**/__pycache__/**'
-  - 'api/**/migrations/**'
-  - 'api/**/*.md'
-
-queries:
-  - uses: security-and-quality

.github/codeql/sdk-codeql-config.yml

@@ -1,18 +0,0 @@
-name: 'SDK: CodeQL Config'
-paths:
-  - 'prowler/'
-
-paths-ignore:
-  - 'api/'
-  - 'ui/'
-  - 'dashboard/'
-  - 'mcp_server/'
-  - 'tests/**'
-  - 'util/**'
-  - 'contrib/**'
-  - 'examples/**'
-  - 'prowler/**/__pycache__/**'
-  - 'prowler/**/*.md'
-
-queries:
-  - uses: security-and-quality

.github/codeql/ui-codeql-config.yml

@@ -1,17 +0,0 @@
-name: 'UI: CodeQL Config'
-paths:
-  - 'ui/'
-
-paths-ignore:
-  - 'ui/node_modules/**'
-  - 'ui/.next/**'
-  - 'ui/out/**'
-  - 'ui/tests/**'
-  - 'ui/**/*.test.ts'
-  - 'ui/**/*.test.tsx'
-  - 'ui/**/*.spec.ts'
-  - 'ui/**/*.spec.tsx'
-  - 'ui/**/*.md'
-
-queries:
-  - uses: security-and-quality

.github/dependabot.yml

@@ -1,120 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  # v5
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pip"
-
-  # Dependabot Updates are temporary disabled - 2025/03/19
-  # - package-ecosystem: "pip"
-  #   directory: "/api"
-  #   schedule:
-  #     interval: "daily"
-  #   open-pull-requests-limit: 10
-  #   target-branch: master
-  #   labels:
-  #     - "dependencies"
-  #     - "pip"
-  #     - "component/api"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "github_actions"
-
-  # Dependabot Updates are temporary disabled - 2025/03/19
-  # - package-ecosystem: "npm"
-  #   directory: "/ui"
-  #   schedule:
-  #     interval: "daily"
-  #   open-pull-requests-limit: 10
-  #   target-branch: master
-  #   labels:
-  #     - "dependencies"
-  #     - "npm"
-  #     - "component/ui"
-
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "docker"
-
-  # Dependabot Updates are temporary disabled - 2025/04/15
-  # v4.6
-  # - package-ecosystem: "pip"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "weekly"
-  #   open-pull-requests-limit: 10
-  #   target-branch: v4.6
-  #   labels:
-  #     - "dependencies"
-  #     - "pip"
-  #     - "v4"
-
-  # - package-ecosystem: "github-actions"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "weekly"
-  #   open-pull-requests-limit: 10
-  #   target-branch: v4.6
-  #   labels:
-  #     - "dependencies"
-  #     - "github_actions"
-  #     - "v4"
-
-  # - package-ecosystem: "docker"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "weekly"
-  #   open-pull-requests-limit: 10
-  #   target-branch: v4.6
-  #   labels:
-  #     - "dependencies"
-  #     - "docker"
-  #     - "v4"
-
-  # Dependabot Updates are temporary disabled - 2025/03/19
-  # v3
-  # - package-ecosystem: "pip"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "monthly"
-  #   open-pull-requests-limit: 10
-  #   target-branch: v3
-  #   labels:
-  #     - "dependencies"
-  #     - "pip"
-  #     - "v3"
-
-  # - package-ecosystem: "github-actions"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "monthly"
-  #   open-pull-requests-limit: 10
-  #   target-branch: v3
-  #   labels:
-  #     - "dependencies"
-  #     - "github_actions"
-  #     - "v3"

.github/labeler.yml

@@ -1,159 +0,0 @@
-documentation:
-  - changed-files:
-      - any-glob-to-any-file: "docs/**"
-
-provider/aws:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/aws/**"
-      - any-glob-to-any-file: "tests/providers/aws/**"
-
-provider/azure:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/azure/**"
-      - any-glob-to-any-file: "tests/providers/azure/**"
-
-provider/gcp:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/gcp/**"
-      - any-glob-to-any-file: "tests/providers/gcp/**"
-
-provider/kubernetes:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
-      - any-glob-to-any-file: "tests/providers/kubernetes/**"
-
-provider/m365:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/m365/**"
-      - any-glob-to-any-file: "tests/providers/m365/**"
-
-provider/github:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/github/**"
-      - any-glob-to-any-file: "tests/providers/github/**"
-
-provider/iac:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/iac/**"
-      - any-glob-to-any-file: "tests/providers/iac/**"
-
-provider/mongodbatlas:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/mongodbatlas/**"
-      - any-glob-to-any-file: "tests/providers/mongodbatlas/**"
-
-provider/oci:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/oraclecloud/**"
-      - any-glob-to-any-file: "tests/providers/oraclecloud/**"
-
-provider/alibabacloud:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/alibabacloud/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/**"
-
-provider/cloudflare:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/cloudflare/**"
-      - any-glob-to-any-file: "tests/providers/cloudflare/**"
-
-provider/openstack:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/openstack/**"
-      - any-glob-to-any-file: "tests/providers/openstack/**"
-
-github_actions:
-  - changed-files:
-      - any-glob-to-any-file: ".github/workflows/*"
-
-cli:
-  - changed-files:
-      - any-glob-to-any-file: "cli/**"
-
-mutelist:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/aws/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/azure/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/gcp/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/kubernetes/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/m365/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/mongodbatlas/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/oraclecloud/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/alibabacloud/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/cloudflare/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/openstack/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/aws/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/azure/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/m365/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/mongodbatlas/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/oraclecloud/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/cloudflare/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/openstack/lib/mutelist/**"
-
-integration/s3:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/aws/lib/s3/**"
-      - any-glob-to-any-file: "tests/providers/aws/lib/s3/**"
-
-integration/slack:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/outputs/slack/**"
-      - any-glob-to-any-file: "tests/lib/outputs/slack/**"
-
-integration/security-hub:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/aws/lib/security_hub/**"
-      - any-glob-to-any-file: "tests/providers/aws/lib/security_hub/**"
-      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
-      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
-
-output/html:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/outputs/html/**"
-      - any-glob-to-any-file: "tests/lib/outputs/html/**"
-
-output/asff:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/outputs/asff/**"
-      - any-glob-to-any-file: "tests/lib/outputs/asff/**"
-
-output/ocsf:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/outputs/ocsf/**"
-      - any-glob-to-any-file: "tests/lib/outputs/ocsf/**"
-
-output/csv:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/lib/outputs/csv/**"
-      - any-glob-to-any-file: "tests/lib/outputs/csv/**"
-
-component/api:
-  - changed-files:
-      - any-glob-to-any-file: "api/**"
-
-component/ui:
-  - changed-files:
-      - any-glob-to-any-file: "ui/**"
-
-component/mcp-server:
-  - changed-files:
-      - any-glob-to-any-file: "mcp_server/**"
-
-compliance:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/compliance/**"
-      - any-glob-to-any-file: "prowler/lib/outputs/compliance/**"
-      - any-glob-to-any-file: "tests/lib/outputs/compliance/**"
-
-review-django-migrations:
-  - changed-files:
-      - any-glob-to-any-file: "api/src/backend/api/migrations/**"
-
-metadata-review:
-  - changed-files:
-      - any-glob-to-any-file: "**/*.metadata.json"

.github/pull_request_template.md

@@ -1,55 +1,12 @@
-### Context
+### Context 
 
 Please include relevant motivation and context for this PR.
 
-If fixes an issue please add it with `Fix #XXXX`
 
 ### Description
 
 Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.
 
-### Steps to review
-
-Please add a detailed description of how to review this PR.
-
-### Checklist
-
-<details>
-
-<summary><b>Community Checklist</b></summary>
-
-- [ ] This feature/issue is listed in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
-- [ ] Is it assigned to me, if not, request it via the issue/feature in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)
-
-</details>
-
-
-- [ ] Review if the code is being covered by tests.
-- [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
-- [ ] Review if backport is needed.
-- [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.
-
-#### SDK/CLI
-- Are there new checks included in this PR? Yes / No
-    - If so, do we need to update permissions for the provider? Please review this carefully.
-
-#### UI
-- [ ] All issue/task requirements work as expected on the UI
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.
-
-#### API
-- [ ] All issue/task requirements work as expected on the API
-- [ ] Endpoint response output (if applicable)
-- [ ] EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
-- [ ] Performance test results (if applicable)
-- [ ] Any other relevant evidence of the implementation (if applicable)
-- [ ] Verify if API specs need to be regenerated.
-- [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.
 
 ### License
 

.github/scripts/slack-messages/README.md

@@ -1,462 +0,0 @@
-# Slack Message Templates
-
-This directory contains reusable message templates for Slack notifications sent from GitHub Actions workflows.
-
-## Usage
-
-These JSON templates are used with the `slackapi/slack-github-action` using the Slack API method (`chat.postMessage` and `chat.update`). All templates support rich Block Kit formatting and message updates.
-
-### Available Templates
-
-**Container Releases**
-- `container-release-started.json`: Simple one-line notification when container push starts
-- `container-release-completed.json`: Simple one-line notification when container release completes
-
-**Deployments**
-- `deployment-started.json`: Deployment start notification with Block Kit formatting
-- `deployment-completed.json`: Deployment completion notification (updates the start message)
-
-All templates use the Slack API method and require a Slack Bot Token.
-
-## Setup Requirements
-
-1. Create a Slack App (or use existing)
-2. Add Bot Token Scopes: `chat:write`, `chat:write.public`
-3. Install the app to your workspace
-4. Get the Bot Token from OAuth & Permissions page
-5. Add secrets:
-   - `SLACK_BOT_TOKEN`: Your bot token
-   - `SLACK_CHANNEL_ID`: The channel ID where messages will be posted
-
-Reference: [Sending data using a Slack API method](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
-
-## Environment Variables
-
-### Required Secrets (GitHub Secrets)
-- `SLACK_BOT_TOKEN`: Passed as `token` parameter to the action (not as env variable)
-- `SLACK_CHANNEL_ID`: Used in payload as env variable
-
-### Container Release Variables (configured as env)
-- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
-- `RELEASE_TAG` / `PROWLER_VERSION`: The release tag or version being deployed
-- `GITHUB_SERVER_URL`: Provided by GitHub context
-- `GITHUB_REPOSITORY`: Provided by GitHub context
-- `GITHUB_RUN_ID`: Provided by GitHub context
-- `STATUS_EMOJI`: Status symbol (calculated: `[✓]` for success, `[✗]` for failure)
-- `STATUS_TEXT`: Status text (calculated: "completed successfully!" or "failed")
-
-### Deployment Variables (configured as env)
-- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
-- `ENVIRONMENT`: Environment name (e.g., "DEVELOPMENT", "PRODUCTION")
-- `COMMIT_HASH`: Commit hash being deployed
-- `VERSION_DEPLOYED`: Version being deployed
-- `GITHUB_ACTOR`: User who triggered the workflow
-- `GITHUB_WORKFLOW`: Workflow name
-- `GITHUB_SERVER_URL`: Provided by GitHub context
-- `GITHUB_REPOSITORY`: Provided by GitHub context
-- `GITHUB_RUN_ID`: Provided by GitHub context
-
-All other variables (MESSAGE_TS, STATUS, STATUS_COLOR, STATUS_EMOJI, etc.) are calculated internally within the workflow and should NOT be configured as environment variables.
-
-## Example Workflow Usage
-
-### Using the Generic Slack Notification Action (Recommended)
-
-**Recommended approach**: Use the generic reusable action `.github/actions/slack-notification` which provides maximum flexibility:
-
-#### Example 1: Container Release (Start + Completion)
-
-```yaml
-# Send start notification
-- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "API container release ${{ env.RELEASE_TAG }} push started... <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
-      }
-
-# Build and push container
-- name: Build and push container
-  if: github.event_name == 'release'
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Calculate status
-- name: Determine push status
-  if: github.event_name == 'release' && always()
-  id: push-status
-  run: |
-    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
-      echo "emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "text=completed successfully!" >> $GITHUB_OUTPUT
-    else
-      echo "emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "text=failed" >> $GITHUB_OUTPUT
-    fi
-
-# Send completion notification
-- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "${{ steps.push-status.outputs.emoji }} API container release ${{ env.RELEASE_TAG }} push ${{ steps.push-status.outputs.text }} <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
-      }
-```
-
-#### Example 2: Simple One-Time Message
-
-```yaml
-- name: Send notification
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "Deployment completed successfully!"
-      }
-```
-
-#### Example 3: Deployment with Message Update Pattern
-
-```yaml
-# Send initial deployment message
-- name: Notify deployment started
-  id: slack-start
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "API deployment to PRODUCTION started",
-        "attachments": [
-          {
-            "color": "dbab09",
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": "API | Deployment to PRODUCTION"
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Status:*\nIn Progress"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-
-# Run deployment
-- name: Deploy
-  id: deploy
-  run: terraform apply -auto-approve
-
-# Calculate status
-- name: Determine status
-  if: always()
-  id: status
-  run: |
-    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
-      echo "color=28a745" >> $GITHUB_OUTPUT
-      echo "emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "status=Completed" >> $GITHUB_OUTPUT
-    else
-      echo "color=fc3434" >> $GITHUB_OUTPUT
-      echo "emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "status=Failed" >> $GITHUB_OUTPUT
-    fi
-
-# Update the same message with final status
-- name: Update deployment notification
-  if: always()
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    update-ts: ${{ steps.slack-start.outputs.ts }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "ts": "${{ steps.slack-start.outputs.ts }}",
-        "text": "${{ steps.status.outputs.emoji }} API deployment to PRODUCTION ${{ steps.status.outputs.status }}",
-        "attachments": [
-          {
-            "color": "${{ steps.status.outputs.color }}",
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": "API | Deployment to PRODUCTION"
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Status:*\n${{ steps.status.outputs.emoji }} ${{ steps.status.outputs.status }}"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-```
-
-**Benefits of using the generic action:**
-- Maximum flexibility: Build any payload you need directly in the workflow
-- No template files needed: Everything inline
-- Supports all scenarios: one-time messages, start/update patterns, rich Block Kit
-- Easy to customize per use case
-- Generic: Works for containers, deployments, or any notification type
-
-For more details, see [Slack Notification Action](../../actions/slack-notification/README.md).
-
-### Using Message Templates (Alternative Approach)
-
-Simple one-line notifications for container releases:
-
-```yaml
-# Step 1: Notify when push starts
-- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-# Step 2: Build and push container
-- name: Build and push container
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Step 3: Determine push status
-- name: Determine push status
-  if: github.event_name == 'release' && always()
-  id: push-status
-  run: |
-    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
-      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "status-text=completed successfully!" >> $GITHUB_OUTPUT
-    else
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "status-text=failed" >> $GITHUB_OUTPUT
-    fi
-
-# Step 4: Notify when push completes (success or failure)
-- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS_EMOJI: ${{ steps.push-status.outputs.status-emoji }}
-    STATUS_TEXT: ${{ steps.push-status.outputs.status-text }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-```
-
-### Deployment with Update Pattern
-
-For deployments that start with one message and update it with the final status:
-
-```yaml
-# Step 1: Send deployment start notification
-- name: Notify Deployment Start
-  id: slack-notification-start
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
-
-# Step 2: Run your deployment steps
-- name: Terraform Plan
-  id: terraform-plan
-  run: terraform plan
-
-- name: Terraform Apply
-  id: terraform-apply
-  run: terraform apply -auto-approve
-
-# Step 3: Determine status (calculated internally, not configured)
-- name: Determine Status
-  if: always()
-  id: determine-status
-  run: |
-    if [[ "${{ steps.terraform-apply.outcome }}" == "success" ]]; then
-      echo "status=Completed" >> $GITHUB_OUTPUT
-      echo "status-color=28a745" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
-    elif [[ "${{ steps.terraform-plan.outcome }}" == "failure" || "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
-      echo "status=Failed" >> $GITHUB_OUTPUT
-      echo "status-color=fc3434" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      if [[ "${{ steps.terraform-plan.outcome }}" == "failure" ]]; then
-        echo "plan-emoji=[✗]" >> $GITHUB_OUTPUT
-      else
-        echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
-      fi
-      if [[ "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
-        echo "apply-emoji=[✗]" >> $GITHUB_OUTPUT
-      else
-        echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
-      fi
-    else
-      echo "status=Failed" >> $GITHUB_OUTPUT
-      echo "status-color=fc3434" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "plan-emoji=[?]" >> $GITHUB_OUTPUT
-      echo "apply-emoji=[?]" >> $GITHUB_OUTPUT
-    fi
-
-# Step 4: Update the same Slack message (using calculated values)
-- name: Notify Deployment Result
-  if: always()
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    MESSAGE_TS: ${{ steps.slack-notification-start.outputs.ts }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS: ${{ steps.determine-status.outputs.status }}
-    STATUS_COLOR: ${{ steps.determine-status.outputs.status-color }}
-    STATUS_EMOJI: ${{ steps.determine-status.outputs.status-emoji }}
-    PLAN_EMOJI: ${{ steps.determine-status.outputs.plan-emoji }}
-    APPLY_EMOJI: ${{ steps.determine-status.outputs.apply-emoji }}
-    TERRAFORM_PLAN_OUTCOME: ${{ steps.terraform-plan.outcome }}
-    TERRAFORM_APPLY_OUTCOME: ${{ steps.terraform-apply.outcome }}
-  with:
-    method: chat.update
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
-```
-
-**Note**: Variables like `STATUS`, `STATUS_COLOR`, `STATUS_EMOJI`, `PLAN_EMOJI`, `APPLY_EMOJI` are calculated by the `determine-status` step based on the outcomes of previous steps. They should NOT be manually configured.
-
-## Key Features
-
-### Benefits of Using Slack API Method
-
-- **Rich Block Kit Formatting**: Full support for Slack's Block Kit including headers, sections, fields, colors, and attachments
-- **Message Updates**: Update the same message instead of posting multiple messages (using `chat.update` with `ts`)
-- **Consistent Experience**: Same look and feel as Prowler Cloud notifications
-- **Flexible**: Easy to customize message appearance by editing JSON templates
-
-### Differences from Webhook Method
-
-| Feature | webhook-trigger | Slack API (chat.postMessage) |
-|---------|-----------------|------------------------------|
-| Setup | Workflow Builder webhook | Slack Bot Token + Channel ID |
-| Formatting | Plain text/simple | Full Block Kit support |
-| Message Update | No | Yes (with chat.update) |
-| Authentication | Webhook URL | Bot Token |
-| Scopes Required | None | chat:write, chat:write.public |
-
-## Message Appearance
-
-### Container Release (Simple One-Line)
-
-**Start message:**
-```
-API container release 4.5.0 push started... View run
-```
-
-**Completion message (success):**
-```
-[✓] API container release 4.5.0 push completed successfully! View run
-```
-
-**Completion message (failure):**
-```
-[✗] API container release 4.5.0 push failed View run
-```
-
-All messages are simple one-liners with a clickable "View run" link. The completion message adapts to show success `[✓]` or failure `[✗]` based on the outcome of the container push.
-
-### Deployment Start
-- Header: Component and environment
-- Yellow bar (color: `dbab09`)
-- Status: In Progress
-- Details: Commit, version, actor, workflow
-- Link: Direct link to deployment run
-
-### Deployment Completion
-- Header: Component and environment
-- Green bar for success (color: `28a745`) / Red bar for failure (color: `fc3434`)
-- Status: [✓] Completed or [✗] Failed
-- Details: All deployment info plus terraform outcomes
-- Link: Direct link to deployment run
-
-## Adding New Templates
-
-1. Create a new JSON file with Block Kit structure
-2. Use environment variable placeholders (e.g., `$VAR_NAME`)
-3. Include `channel` and `text` fields (required)
-4. Add `blocks` or `attachments` for rich formatting
-5. For update templates, include `ts` field as `$MESSAGE_TS`
-6. Document the template in this README
-7. Reference it in your workflow using `payload-file-path`
-
-## Reference
-
-- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
-- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)

.github/scripts/slack-messages/container-release-completed.json

@@ -1,18 +0,0 @@
-{
-  "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "ts": "${{ env.MESSAGE_TS }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\n${{ env.STATUS_TEXT }}\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push ${{ env.STATUS_TEXT }}\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
-}

.github/scripts/slack-messages/container-release-started.json

@@ -1,17 +0,0 @@
-{
-  "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\nStarted\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push started...\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
-}

.github/scripts/test-impact.py

@@ -1,257 +0,0 @@
-#!/usr/bin/env python3
-"""
-Test Impact Analysis Script
-
-Analyzes changed files and determines which tests need to run.
-Outputs GitHub Actions compatible outputs.
-
-Usage:
-    python test-impact.py <changed_files...>
-    python test-impact.py --from-stdin  # Read files from stdin (one per line)
-
-Outputs (for GitHub Actions):
-    - run-all: "true" if critical paths changed
-    - sdk-tests: Space-separated list of SDK test paths
-    - api-tests: Space-separated list of API test paths
-    - ui-e2e: Space-separated list of UI E2E test paths
-    - modules: Comma-separated list of affected module names
-"""
-
-import fnmatch
-import os
-import sys
-from pathlib import Path
-
-import yaml
-
-
-def load_config() -> dict:
-    """Load test-impact.yml configuration."""
-    config_path = Path(__file__).parent.parent / "test-impact.yml"
-    with open(config_path) as f:
-        return yaml.safe_load(f)
-
-
-def matches_pattern(file_path: str, pattern: str) -> bool:
-    """Check if file path matches a glob pattern."""
-    # Normalize paths
-    file_path = file_path.strip("/")
-    pattern = pattern.strip("/")
-
-    # Handle ** patterns
-    if "**" in pattern:
-        # Convert glob pattern to work with fnmatch
-        # e.g., "prowler/lib/**" matches "prowler/lib/check/foo.py"
-        base = pattern.replace("/**", "")
-        if file_path.startswith(base):
-            return True
-        # Also try standard fnmatch
-        return fnmatch.fnmatch(file_path, pattern)
-
-    return fnmatch.fnmatch(file_path, pattern)
-
-
-def filter_ignored_files(
-    changed_files: list[str], ignored_paths: list[str]
-) -> list[str]:
-    """Filter out files that match ignored patterns."""
-    filtered = []
-    for file_path in changed_files:
-        is_ignored = False
-        for pattern in ignored_paths:
-            if matches_pattern(file_path, pattern):
-                print(f"  [IGNORED] {file_path} matches {pattern}", file=sys.stderr)
-                is_ignored = True
-                break
-        if not is_ignored:
-            filtered.append(file_path)
-    return filtered
-
-
-def check_critical_paths(changed_files: list[str], critical_paths: list[str]) -> bool:
-    """Check if any changed file matches critical paths."""
-    for file_path in changed_files:
-        for pattern in critical_paths:
-            if matches_pattern(file_path, pattern):
-                print(f"  [CRITICAL] {file_path} matches {pattern}", file=sys.stderr)
-                return True
-    return False
-
-
-def find_affected_modules(
-    changed_files: list[str], modules: list[dict]
-) -> dict[str, dict]:
-    """Find which modules are affected by changed files."""
-    affected = {}
-
-    for file_path in changed_files:
-        for module in modules:
-            module_name = module["name"]
-            match_patterns = module.get("match", [])
-
-            for pattern in match_patterns:
-                if matches_pattern(file_path, pattern):
-                    if module_name not in affected:
-                        affected[module_name] = {
-                            "tests": set(),
-                            "e2e": set(),
-                            "matched_files": [],
-                        }
-                    affected[module_name]["matched_files"].append(file_path)
-
-                    # Add test patterns
-                    for test_pattern in module.get("tests", []):
-                        affected[module_name]["tests"].add(test_pattern)
-
-                    # Add E2E patterns
-                    for e2e_pattern in module.get("e2e", []):
-                        affected[module_name]["e2e"].add(e2e_pattern)
-
-                    break  # File matched this module, move to next file
-
-    return affected
-
-
-def categorize_tests(
-    affected_modules: dict[str, dict],
-) -> tuple[set[str], set[str], set[str]]:
-    """Categorize tests into SDK, API, and UI E2E."""
-    sdk_tests = set()
-    api_tests = set()
-    ui_e2e = set()
-
-    for module_name, data in affected_modules.items():
-        for test_path in data["tests"]:
-            if test_path.startswith("tests/"):
-                sdk_tests.add(test_path)
-            elif test_path.startswith("api/"):
-                api_tests.add(test_path)
-
-        for e2e_path in data["e2e"]:
-            ui_e2e.add(e2e_path)
-
-    return sdk_tests, api_tests, ui_e2e
-
-
-def set_github_output(name: str, value: str):
-    """Set GitHub Actions output."""
-    github_output = os.environ.get("GITHUB_OUTPUT")
-    if github_output:
-        with open(github_output, "a") as f:
-            # Handle multiline values
-            if "\n" in value:
-                import uuid
-
-                delimiter = uuid.uuid4().hex
-                f.write(f"{name}<<{delimiter}\n{value}\n{delimiter}\n")
-            else:
-                f.write(f"{name}={value}\n")
-    # Print for debugging (without deprecated format)
-    print(f"  {name}={value}", file=sys.stderr)
-
-
-def main():
-    # Parse arguments
-    if "--from-stdin" in sys.argv:
-        changed_files = [line.strip() for line in sys.stdin if line.strip()]
-    else:
-        changed_files = [f for f in sys.argv[1:] if f and not f.startswith("-")]
-
-    if not changed_files:
-        print("No changed files provided", file=sys.stderr)
-        set_github_output("run-all", "false")
-        set_github_output("sdk-tests", "")
-        set_github_output("api-tests", "")
-        set_github_output("ui-e2e", "")
-        set_github_output("modules", "")
-        set_github_output("has-tests", "false")
-        return
-
-    print(f"Analyzing {len(changed_files)} changed files...", file=sys.stderr)
-    for f in changed_files[:10]:  # Show first 10
-        print(f"  - {f}", file=sys.stderr)
-    if len(changed_files) > 10:
-        print(f"  ... and {len(changed_files) - 10} more", file=sys.stderr)
-
-    # Load configuration
-    config = load_config()
-
-    # Filter out ignored files (docs, configs, etc.)
-    ignored_paths = config.get("ignored", {}).get("paths", [])
-    changed_files = filter_ignored_files(changed_files, ignored_paths)
-
-    if not changed_files:
-        print("\nAll changed files are ignored (docs, configs, etc.)", file=sys.stderr)
-        print("No tests needed.", file=sys.stderr)
-        set_github_output("run-all", "false")
-        set_github_output("sdk-tests", "")
-        set_github_output("api-tests", "")
-        set_github_output("ui-e2e", "")
-        set_github_output("modules", "none-ignored")
-        set_github_output("has-tests", "false")
-        return
-
-    print(
-        f"\n{len(changed_files)} files remain after filtering ignored paths",
-        file=sys.stderr,
-    )
-
-    # Check critical paths
-    critical_paths = config.get("critical", {}).get("paths", [])
-    if check_critical_paths(changed_files, critical_paths):
-        print("\nCritical path changed - running ALL tests", file=sys.stderr)
-        set_github_output("run-all", "true")
-        set_github_output("sdk-tests", "tests/")
-        set_github_output("api-tests", "api/src/backend/")
-        set_github_output("ui-e2e", "ui/tests/")
-        set_github_output("modules", "all")
-        set_github_output("has-tests", "true")
-        return
-
-    # Find affected modules
-    modules = config.get("modules", [])
-    affected = find_affected_modules(changed_files, modules)
-
-    if not affected:
-        print("\nNo test-mapped modules affected", file=sys.stderr)
-        set_github_output("run-all", "false")
-        set_github_output("sdk-tests", "")
-        set_github_output("api-tests", "")
-        set_github_output("ui-e2e", "")
-        set_github_output("modules", "")
-        set_github_output("has-tests", "false")
-        return
-
-    # Report affected modules
-    print(f"\nAffected modules: {len(affected)}", file=sys.stderr)
-    for module_name, data in affected.items():
-        print(f"  [{module_name}]", file=sys.stderr)
-        for f in data["matched_files"][:3]:
-            print(f"    - {f}", file=sys.stderr)
-        if len(data["matched_files"]) > 3:
-            print(
-                f"    ... and {len(data['matched_files']) - 3} more files",
-                file=sys.stderr,
-            )
-
-    # Categorize tests
-    sdk_tests, api_tests, ui_e2e = categorize_tests(affected)
-
-    # Output results
-    print("\nTest paths to run:", file=sys.stderr)
-    print(f"  SDK: {sdk_tests or 'none'}", file=sys.stderr)
-    print(f"  API: {api_tests or 'none'}", file=sys.stderr)
-    print(f"  E2E: {ui_e2e or 'none'}", file=sys.stderr)
-
-    set_github_output("run-all", "false")
-    set_github_output("sdk-tests", " ".join(sorted(sdk_tests)))
-    set_github_output("api-tests", " ".join(sorted(api_tests)))
-    set_github_output("ui-e2e", " ".join(sorted(ui_e2e)))
-    set_github_output("modules", ",".join(sorted(affected.keys())))
-    set_github_output(
-        "has-tests", "true" if (sdk_tests or api_tests or ui_e2e) else "false"
-    )
-
-
-if __name__ == "__main__":
-    main()

.github/scripts/trivy-pr-comment.js

@@ -1,102 +0,0 @@
-const fs = require('fs');
-
-// Configuration from environment variables
-const REPORT_FILE = process.env.TRIVY_REPORT_FILE || 'trivy-report.json';
-const IMAGE_NAME = process.env.IMAGE_NAME || 'container-image';
-const GITHUB_SHA = process.env.GITHUB_SHA || 'unknown';
-const GITHUB_REPOSITORY = process.env.GITHUB_REPOSITORY || '';
-const GITHUB_RUN_ID = process.env.GITHUB_RUN_ID || '';
-const SEVERITY = process.env.SEVERITY || 'CRITICAL,HIGH,MEDIUM,LOW';
-
-// Parse severities to scan
-const scannedSeverities = SEVERITY.split(',').map(s => s.trim());
-
-// Read and parse the Trivy report
-const report = JSON.parse(fs.readFileSync(REPORT_FILE, 'utf-8'));
-
-let vulnCount = 0;
-let vulnsByType = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
-let affectedPackages = new Set();
-
-if (report.Results && Array.isArray(report.Results)) {
-    for (const result of report.Results) {
-        if (result.Vulnerabilities && Array.isArray(result.Vulnerabilities)) {
-            for (const vuln of result.Vulnerabilities) {
-                vulnCount++;
-                if (vulnsByType[vuln.Severity] !== undefined) {
-                    vulnsByType[vuln.Severity]++;
-                }
-                if (vuln.PkgName) {
-                    affectedPackages.add(vuln.PkgName);
-                }
-            }
-        }
-    }
-}
-
-const shortSha = GITHUB_SHA.substring(0, 7);
-const timestamp = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
-
-// Severity icons and labels
-const severityConfig = {
-    CRITICAL: { icon: '🔴', label: 'Critical' },
-    HIGH: { icon: '🟠', label: 'High' },
-    MEDIUM: { icon: '🟡', label: 'Medium' },
-    LOW: { icon: '🔵', label: 'Low' }
-};
-
-let comment = '## 🔒 Container Security Scan\n\n';
-comment += `**Image:** \`${IMAGE_NAME}:${shortSha}\`\n`;
-comment += `**Last scan:** ${timestamp}\n\n`;
-
-if (vulnCount === 0) {
-    comment += '### ✅ No Vulnerabilities Detected\n\n';
-    comment += 'The container image passed all security checks. No known CVEs were found.\n';
-} else {
-    comment += '### 📊 Vulnerability Summary\n\n';
-    comment += '| Severity | Count |\n';
-    comment += '|----------|-------|\n';
-
-    // Only show severities that were scanned
-    for (const severity of scannedSeverities) {
-        const config = severityConfig[severity];
-        const count = vulnsByType[severity] || 0;
-        const isBold = (severity === 'CRITICAL' || severity === 'HIGH') && count > 0;
-        const countDisplay = isBold ? `**${count}**` : count;
-        comment += `| ${config.icon} ${config.label} | ${countDisplay} |\n`;
-    }
-
-    comment += `| **Total** | **${vulnCount}** |\n\n`;
-
-    if (affectedPackages.size > 0) {
-        comment += `**${affectedPackages.size}** package(s) affected\n\n`;
-    }
-
-    if (vulnsByType.CRITICAL > 0) {
-        comment += '### ⚠️ Action Required\n\n';
-        comment += '**Critical severity vulnerabilities detected.** These should be addressed before merging:\n';
-        comment += '- Review the detailed scan results\n';
-        comment += '- Update affected packages to patched versions\n';
-        comment += '- Consider using a different base image if updates are unavailable\n\n';
-    } else if (vulnsByType.HIGH > 0) {
-        comment += '### ⚠️ Attention Needed\n\n';
-        comment += '**High severity vulnerabilities found.** Please review and plan remediation:\n';
-        comment += '- Assess the risk and exploitability\n';
-        comment += '- Prioritize updates in the next maintenance cycle\n\n';
-    } else {
-        comment += '### ℹ️ Review Recommended\n\n';
-        comment += 'Medium/Low severity vulnerabilities found. Consider addressing during regular maintenance.\n\n';
-    }
-}
-
-comment += '---\n';
-comment += '📋 **Resources:**\n';
-
-if (GITHUB_REPOSITORY && GITHUB_RUN_ID) {
-    comment += `- [Download full report](https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) (see artifacts)\n`;
-}
-
-comment += '- [View in Security tab](https://github.com/' + (GITHUB_REPOSITORY || 'repository') + '/security/code-scanning)\n';
-comment += '- Scanned with [Trivy](https://github.com/aquasecurity/trivy)\n';
-
-module.exports = comment;

.github/test-impact.yml

@@ -1,399 +0,0 @@
-# Test Impact Analysis Configuration
-# Defines which tests to run based on changed files
-#
-# Usage: Changes to paths in 'critical' always run all tests.
-#        Changes to paths in 'modules' run only the mapped tests.
-#        Changes to paths in 'ignored' don't trigger any tests.
-
-# Ignored paths - changes here don't trigger any tests
-# Documentation, configs, and other non-code files
-ignored:
-  paths:
-    # Documentation
-    - docs/**
-    - "*.md"
-    - "**/*.md"
-    - mkdocs.yml
-    
-    # Config files that don't affect runtime
-    - .gitignore
-    - .gitattributes
-    - .editorconfig
-    - .pre-commit-config.yaml
-    - .backportrc.json
-    - CODEOWNERS
-    - LICENSE
-    
-    # IDE/Editor configs
-    - .vscode/**
-    - .idea/**
-    
-    # Examples and contrib (not production code)
-    - examples/**
-    - contrib/**
-    
-    # Skills (AI agent configs, not runtime)
-    - skills/**
-    
-    # Permissions docs
-    - permissions/**
-
-# Critical paths - changes here run ALL tests
-# These are foundational/shared code that can affect anything
-critical:
-  paths:
-    # SDK Core
-    - prowler/lib/**
-    - prowler/config/**
-    - prowler/exceptions/**
-    - prowler/providers/common/**
-    
-    # API Core
-    - api/src/backend/api/models.py
-    - api/src/backend/config/**
-    - api/src/backend/conftest.py
-    
-    # UI Core
-    - ui/lib/**
-    - ui/types/**
-    - ui/config/**
-    - ui/middleware.ts
-    
-    # CI/CD changes
-    - .github/workflows/**
-    - .github/test-impact.yml
-
-# Module mappings - path patterns to test patterns
-modules:
-  # ============================================
-  # SDK - Providers (each provider is isolated)
-  # ============================================
-  - name: sdk-aws
-    match:
-      - prowler/providers/aws/**
-      - prowler/compliance/aws/**
-    tests:
-      - tests/providers/aws/**
-    e2e: []
-
-  - name: sdk-azure
-    match:
-      - prowler/providers/azure/**
-      - prowler/compliance/azure/**
-    tests:
-      - tests/providers/azure/**
-    e2e: []
-
-  - name: sdk-gcp
-    match:
-      - prowler/providers/gcp/**
-      - prowler/compliance/gcp/**
-    tests:
-      - tests/providers/gcp/**
-    e2e: []
-
-  - name: sdk-kubernetes
-    match:
-      - prowler/providers/kubernetes/**
-      - prowler/compliance/kubernetes/**
-    tests:
-      - tests/providers/kubernetes/**
-    e2e: []
-
-  - name: sdk-github
-    match:
-      - prowler/providers/github/**
-      - prowler/compliance/github/**
-    tests:
-      - tests/providers/github/**
-    e2e: []
-
-  - name: sdk-m365
-    match:
-      - prowler/providers/m365/**
-      - prowler/compliance/m365/**
-    tests:
-      - tests/providers/m365/**
-    e2e: []
-
-  - name: sdk-alibabacloud
-    match:
-      - prowler/providers/alibabacloud/**
-      - prowler/compliance/alibabacloud/**
-    tests:
-      - tests/providers/alibabacloud/**
-    e2e: []
-
-  - name: sdk-cloudflare
-    match:
-      - prowler/providers/cloudflare/**
-      - prowler/compliance/cloudflare/**
-    tests:
-      - tests/providers/cloudflare/**
-    e2e: []
-
-  - name: sdk-oraclecloud
-    match:
-      - prowler/providers/oraclecloud/**
-      - prowler/compliance/oraclecloud/**
-    tests:
-      - tests/providers/oraclecloud/**
-    e2e: []
-
-  - name: sdk-mongodbatlas
-    match:
-      - prowler/providers/mongodbatlas/**
-      - prowler/compliance/mongodbatlas/**
-    tests:
-      - tests/providers/mongodbatlas/**
-    e2e: []
-
-  - name: sdk-nhn
-    match:
-      - prowler/providers/nhn/**
-      - prowler/compliance/nhn/**
-    tests:
-      - tests/providers/nhn/**
-    e2e: []
-
-  - name: sdk-iac
-    match:
-      - prowler/providers/iac/**
-      - prowler/compliance/iac/**
-    tests:
-      - tests/providers/iac/**
-    e2e: []
-
-  - name: sdk-llm
-    match:
-      - prowler/providers/llm/**
-      - prowler/compliance/llm/**
-    tests:
-      - tests/providers/llm/**
-    e2e: []
-
-  # ============================================
-  # SDK - Lib modules
-  # ============================================
-  - name: sdk-lib-check
-    match:
-      - prowler/lib/check/**
-    tests:
-      - tests/lib/check/**
-    e2e: []
-
-  - name: sdk-lib-outputs
-    match:
-      - prowler/lib/outputs/**
-    tests:
-      - tests/lib/outputs/**
-    e2e: []
-
-  - name: sdk-lib-scan
-    match:
-      - prowler/lib/scan/**
-    tests:
-      - tests/lib/scan/**
-    e2e: []
-
-  - name: sdk-lib-cli
-    match:
-      - prowler/lib/cli/**
-    tests:
-      - tests/lib/cli/**
-    e2e: []
-
-  - name: sdk-lib-mutelist
-    match:
-      - prowler/lib/mutelist/**
-    tests:
-      - tests/lib/mutelist/**
-    e2e: []
-
-  # ============================================
-  # API - Views, Serializers, Tasks
-  # ============================================
-  - name: api-views
-    match:
-      - api/src/backend/api/v1/views.py
-    tests:
-      - api/src/backend/api/tests/test_views.py
-    e2e:
-      # API view changes can break UI
-      - ui/tests/**
-
-  - name: api-serializers
-    match:
-      - api/src/backend/api/v1/serializers.py
-      - api/src/backend/api/v1/serializer_utils/**
-    tests:
-      - api/src/backend/api/tests/**
-    e2e:
-      # Serializer changes affect API responses → UI
-      - ui/tests/**
-
-  - name: api-filters
-    match:
-      - api/src/backend/api/filters.py
-    tests:
-      - api/src/backend/api/tests/**
-    e2e: []
-
-  - name: api-rbac
-    match:
-      - api/src/backend/api/rbac/**
-    tests:
-      - api/src/backend/api/tests/**
-    e2e:
-      - ui/tests/roles/**
-
-  - name: api-tasks
-    match:
-      - api/src/backend/tasks/**
-    tests:
-      - api/src/backend/tasks/tests/**
-    e2e: []
-
-  - name: api-attack-paths
-    match:
-      - api/src/backend/api/attack_paths/**
-    tests:
-      - api/src/backend/api/tests/test_attack_paths.py
-    e2e: []
-
-  # ============================================
-  # UI - Components and Features
-  # ============================================
-  - name: ui-providers
-    match:
-      - ui/components/providers/**
-      - ui/actions/providers/**
-      - ui/app/**/providers/**
-    tests: []
-    e2e:
-      - ui/tests/providers/**
-
-  - name: ui-findings
-    match:
-      - ui/components/findings/**
-      - ui/actions/findings/**
-      - ui/app/**/findings/**
-    tests: []
-    e2e:
-      - ui/tests/findings/**
-
-  - name: ui-scans
-    match:
-      - ui/components/scans/**
-      - ui/actions/scans/**
-      - ui/app/**/scans/**
-    tests: []
-    e2e:
-      - ui/tests/scans/**
-
-  - name: ui-compliance
-    match:
-      - ui/components/compliance/**
-      - ui/actions/compliances/**
-      - ui/app/**/compliance/**
-    tests: []
-    e2e:
-      - ui/tests/compliance/**
-
-  - name: ui-auth
-    match:
-      - ui/components/auth/**
-      - ui/actions/auth/**
-      - ui/app/(auth)/**
-    tests: []
-    e2e:
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-
-  - name: ui-invitations
-    match:
-      - ui/components/invitations/**
-      - ui/actions/invitations/**
-      - ui/app/**/invitations/**
-    tests: []
-    e2e:
-      - ui/tests/invitations/**
-
-  - name: ui-roles
-    match:
-      - ui/components/roles/**
-      - ui/actions/roles/**
-      - ui/app/**/roles/**
-    tests: []
-    e2e:
-      - ui/tests/roles/**
-
-  - name: ui-users
-    match:
-      - ui/components/users/**
-      - ui/actions/users/**
-      - ui/app/**/users/**
-    tests: []
-    e2e:
-      - ui/tests/users/**
-
-  - name: ui-integrations
-    match:
-      - ui/components/integrations/**
-      - ui/actions/integrations/**
-      - ui/app/**/integrations/**
-    tests: []
-    e2e:
-      - ui/tests/integrations/**
-
-  - name: ui-resources
-    match:
-      - ui/components/resources/**
-      - ui/actions/resources/**
-      - ui/app/**/resources/**
-    tests: []
-    e2e:
-      - ui/tests/resources/**
-
-  - name: ui-profile
-    match:
-      - ui/app/**/profile/**
-    tests: []
-    e2e:
-      - ui/tests/profile/**
-
-  - name: ui-lighthouse
-    match:
-      - ui/components/lighthouse/**
-      - ui/actions/lighthouse/**
-      - ui/app/**/lighthouse/**
-      - ui/lib/lighthouse/**
-    tests: []
-    e2e:
-      - ui/tests/lighthouse/**
-
-  - name: ui-overview
-    match:
-      - ui/components/overview/**
-      - ui/actions/overview/**
-    tests: []
-    e2e:
-      - ui/tests/home/**
-
-  - name: ui-shadcn
-    match:
-      - ui/components/shadcn/**
-      - ui/components/ui/**
-    tests: []
-    e2e:
-      # Shared components can affect any E2E
-      - ui/tests/**
-
-  - name: ui-attack-paths
-    match:
-      - ui/components/attack-paths/**
-      - ui/actions/attack-paths/**
-      - ui/app/**/attack-paths/**
-    tests: []
-    e2e:
-      - ui/tests/attack-paths/**

.github/workflows/api-bump-version.yml

@@ -1,254 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/api-code-quality.yml

@@ -1,72 +0,0 @@
-name: 'API: Code Quality'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-code-quality:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-code-quality.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-            api/AGENTS.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Poetry check
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry check --lock
-
-      - name: Ruff lint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run ruff check . --exclude contrib
-
-      - name: Ruff format
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run ruff format --check . --exclude contrib
-
-      - name: Pylint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/

.github/workflows/api-codeql.yml

@@ -1,56 +0,0 @@
-name: 'API: CodeQL'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-codeql.yml'
-      - '.github/codeql/api-codeql-config.yml'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-codeql.yml'
-      - '.github/codeql/api-codeql-config.yml'
-  schedule:
-    - cron: '00 12 * * *'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  api-analyze:
-    name: CodeQL Security Analysis
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - 'python'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql/api-codeql-config.yml
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          category: '/language:${{ matrix.language }}'

.github/workflows/api-container-build-push.yml

@@ -1,215 +0,0 @@
-name: 'API: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'master'
-    paths:
-      - 'api/**'
-      - 'prowler/**'
-      - '.github/workflows/api-container-build-push.yml'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-  STABLE_TAG: stable
-  WORKING_DIRECTORY: ./api
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    steps:
-      - name: Calculate short SHA
-        id: set-short-sha
-        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: API
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push API container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: API
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger API deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: api-prowler-deployment
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'

.github/workflows/api-container-checks.yml

@@ -1,102 +0,0 @@
-name: 'API: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-  IMAGE_NAME: prowler-api
-
-jobs:
-  api-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: api/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: api/Dockerfile
-          ignore: DL3013
-
-  api-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: api/**
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-            api/AGENTS.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.API_WORKING_DIR }}
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'

.github/workflows/api-security.yml

@@ -1,69 +0,0 @@
-name: 'API: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-security-scans:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-security.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-            api/AGENTS.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Bandit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
-
-      - name: Safety
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check --ignore 79023,79027
-        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-
-      - name: Vulture
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .

.github/workflows/api-tests.yml

@@ -1,108 +0,0 @@
-name: 'API: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  POSTGRES_HOST: localhost
-  POSTGRES_PORT: 5432
-  POSTGRES_ADMIN_USER: prowler
-  POSTGRES_ADMIN_PASSWORD: S3cret
-  POSTGRES_USER: prowler_user
-  POSTGRES_PASSWORD: prowler
-  POSTGRES_DB: postgres-db
-  VALKEY_HOST: localhost
-  VALKEY_PORT: 6379
-  VALKEY_DB: 0
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-tests:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
-          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
-          POSTGRES_USER: ${{ env.POSTGRES_USER }}
-          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
-          POSTGRES_DB: ${{ env.POSTGRES_DB }}
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-      valkey:
-        image: valkey/valkey:7-alpine3.19
-        env:
-          VALKEY_HOST: ${{ env.VALKEY_HOST }}
-          VALKEY_PORT: ${{ env.VALKEY_PORT }}
-          VALKEY_DB: ${{ env.VALKEY_DB }}
-        ports:
-          - 6379:6379
-        options: >-
-          --health-cmd "valkey-cli ping"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-tests.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-            api/AGENTS.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Run tests with pytest
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
-
-      - name: Upload coverage reports to Codecov
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: api

.github/workflows/backport.yml

@@ -1,52 +0,0 @@
-name: 'Tools: Backport'
-
-on:
-  pull_request_target:
-    branches:
-      - 'master'
-    types:
-      - 'labeled'
-      - 'closed'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: false
-
-env:
-  BACKPORT_LABEL_PREFIX: backport-to-
-  BACKPORT_LABEL_IGNORE: was-backported
-
-jobs:
-  backport:
-    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Check labels
-        id: label_check
-        uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
-        with:
-          allow_failure: true
-          prefix_mode: true
-          any_of: ${{ env.BACKPORT_LABEL_PREFIX }}
-          none_of: ${{ env.BACKPORT_LABEL_IGNORE }}
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Backport PR
-        if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
-        with:
-          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}
-
-      - name: Display backport info log
-        if: success() && steps.label_check.outputs.label_check == 'success'
-        run: cat ~/.backport/backport.info.log
-
-      - name: Display backport debug log
-        if: failure() && steps.label_check.outputs.label_check == 'success'
-        run: cat ~/.backport/backport.debug.log

.github/workflows/build-lint-push-containers.yml

@@ -0,0 +1,198 @@
+name: build-lint-push-containers
+
+on:
+  push:
+    branches:
+      - 'master'
+    paths-ignore:
+      - '.github/**'
+      - 'README.md'
+      
+  release:
+    types: [published, edited]
+
+env:
+  AWS_REGION_STG: eu-west-1
+  AWS_REGION_PRO: us-east-1
+  IMAGE_NAME: prowler
+  LATEST_TAG: latest
+  TEMPORARY_TAG: temporary
+  DOCKERFILE_PATH: ./Dockerfile
+
+jobs:
+  # Lint Dockerfile using Hadolint
+  # dockerfile-linter:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     -
+  #       name: Checkout
+  #       uses: actions/checkout@v3
+  #     -
+  #       name: Install Hadolint
+  #       run: |
+  #         VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+  #           grep '"tag_name":' | \
+  #           sed -E 's/.*"v([^"]+)".*/\1/' \
+  #           ) && curl -L -o /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 \
+  #           && chmod +x /tmp/hadolint
+  #     -
+  #       name: Run Hadolint
+  #       run: |
+  #         /tmp/hadolint util/Dockerfile
+
+  # Build Prowler OSS container
+  container-build:
+    # needs: dockerfile-linter
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build
+        uses: docker/build-push-action@v2
+        with:
+          # Without pushing to registries
+          push: false
+          tags: ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar
+      -
+        name: Share image between jobs
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar
+          path: /tmp/${{ env.IMAGE_NAME }}.tar
+
+  # Lint Prowler OSS container using Dockle
+  # container-linter:
+  #   needs: container-build
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     -
+  #       name: Get container image from shared
+  #       uses: actions/download-artifact@v2
+  #       with:
+  #         name: ${{ env.IMAGE_NAME }}.tar
+  #         path: /tmp
+  #     -
+  #       name: Load Docker image
+  #       run: |
+  #         docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
+  #         docker image ls -a
+  #     -
+  #       name: Install Dockle
+  #       run: |
+  #         VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
+  #           grep '"tag_name":' | \
+  #           sed -E 's/.*"v([^"]+)".*/\1/' \
+  #           ) && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
+  #           && sudo dpkg -i dockle.deb && rm dockle.deb
+  #     -
+  #       name: Run Dockle
+  #       run: dockle ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
+
+  # Push Prowler OSS container to registries
+  container-push:
+    # needs: container-linter
+    needs: container-build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read    # This is required for actions/checkout
+    steps:
+      -
+        name: Get container image from shared
+        uses: actions/download-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar
+          path: /tmp
+      -
+        name: Load Docker image
+        run: |
+          docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
+          docker image ls -a
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Login to Public ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION_PRO }}
+      -
+        name: Configure AWS Credentials -- STG
+        if: github.event_name == 'push'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION_STG }}
+          role-to-assume: ${{ secrets.STG_IAM_ROLE_ARN }}
+          role-session-name: build-lint-containers-stg
+      -
+        name: Login to ECR -- STG
+        if: github.event_name == 'push'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ secrets.STG_ECR }}
+      -
+        name: Configure AWS Credentials -- PRO
+        if: github.event_name == 'release'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION_PRO }}
+          role-to-assume: ${{ secrets.PRO_IAM_ROLE_ARN }}
+          role-session-name: build-lint-containers-pro
+      -
+        name: Login to ECR -- PRO
+        if: github.event_name == 'release'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ secrets.PRO_ECR }}
+      -
+        # Push to master branch - push "latest" tag
+        name: Tag (latest)
+        if: github.event_name == 'push'
+        run: |
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.STG_ECR }}/${{ secrets.STG_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+      -
+        # Push to master branch - push "latest" tag
+        name: Push (latest)
+        if: github.event_name == 'push'
+        run: |
+          docker push ${{ secrets.STG_ECR }}/${{ secrets.STG_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
+          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+      -
+        # Push the new release
+        name: Tag (release)
+        if: github.event_name == 'release'
+        run: |
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PRO_ECR }}/${{ secrets.PRO_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+      -
+        # Push the new release
+        name: Push (release)
+        if: github.event_name == 'release'
+        run: |
+          docker push ${{ secrets.PRO_ECR }}/${{ secrets.PRO_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
+          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+      -
+        name: Delete artifacts
+        if: always()
+        uses: geekyeggo/delete-artifact@v1
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar

.github/workflows/comment-label-update.yml

@@ -1,39 +0,0 @@
-name: 'Tools: Comment Label Update'
-
-on:
-  issue_comment:
-    types:
-      - 'created'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-jobs:
-  update-labels:
-    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-      pull-requests: write
-
-    steps:
-      - name: Remove 'status/awaiting-response' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Removing 'status/awaiting-response' label from #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels/status%2Fawaiting-response \
-            -X DELETE
-
-      - name: Add 'status/waiting-for-revision' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Adding 'status/waiting-for-revision' label to #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels \
-            -X POST \
-            -f labels[]='status/waiting-for-revision'

.github/workflows/conventional-commit.yml

@@ -1,31 +0,0 @@
-name: 'Tools: Conventional Commit'
-
-on:
-  pull_request:
-    branches:
-      - 'master'
-      - 'v3'
-      - 'v4.*'
-      - 'v5.*'
-    types:
-      - 'opened'
-      - 'edited'
-      - 'synchronize'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  conventional-commit-check:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: read
-
-    steps:
-      - name: Check PR title format
-        uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
-        with:
-          pr-title-regex: '^(feat|fix|docs|style|refactor|perf|test|chore|build|ci|revert)(\([^)]+\))?!?: .+'

.github/workflows/create-backport-label.yml

@@ -1,70 +0,0 @@
-name: 'Tools: Backport Label'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  BACKPORT_LABEL_PREFIX: backport-to-
-  BACKPORT_LABEL_COLOR: B60205
-
-jobs:
-  create-label:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      issues: write
-
-    steps:
-      - name: Create backport label for minor releases
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          RELEASE_TAG="${{ github.event.release.tag_name }}"
-
-          if [ -z "$RELEASE_TAG" ]; then
-            echo "Error: No release tag provided"
-            exit 1
-          fi
-
-          echo "Processing release tag: $RELEASE_TAG"
-
-          # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0)
-          VERSION_ONLY="${RELEASE_TAG#v}"
-
-          # Check if it's a minor version (X.Y.0)
-          if [[ "$VERSION_ONLY" =~ ^([0-9]+)\.([0-9]+)\.0$ ]]; then
-            echo "Release $RELEASE_TAG (version $VERSION_ONLY) is a minor version. Proceeding to create backport label."
-
-            # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0)
-            MAJOR="${BASH_REMATCH[1]}"
-            MINOR="${BASH_REMATCH[2]}"
-            TWO_DIGIT_VERSION="${MAJOR}.${MINOR}"
-
-            LABEL_NAME="${BACKPORT_LABEL_PREFIX}v${TWO_DIGIT_VERSION}"
-            LABEL_DESC="Backport PR to the v${TWO_DIGIT_VERSION} branch"
-            LABEL_COLOR="$BACKPORT_LABEL_COLOR"
-
-            echo "Label name: $LABEL_NAME"
-            echo "Label description: $LABEL_DESC"
-
-            # Check if label already exists
-            if gh label list --repo ${{ github.repository }} --limit 1000 | grep -q "^${LABEL_NAME}[[:space:]]"; then
-              echo "Label '$LABEL_NAME' already exists."
-            else
-              echo "Label '$LABEL_NAME' does not exist. Creating it..."
-              gh label create "$LABEL_NAME" \
-                --description "$LABEL_DESC" \
-                --color "$LABEL_COLOR" \
-                --repo ${{ github.repository }}
-              echo "Label '$LABEL_NAME' created successfully."
-            fi
-          else
-            echo "Release $RELEASE_TAG (version $VERSION_ONLY) is not a minor version. Skipping backport label creation."
-          fi

.github/workflows/docs-bump-version.yml

@@ -1,247 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in documentation for master
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/find-secrets.yml

@@ -1,33 +1,18 @@
-name: 'Tools: TruffleHog'
+name: find-secrets
 
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+on: pull_request
 
 jobs:
-  scan-secrets:
+  trufflehog:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-
-      - name: Scan for secrets with TruffleHog
-        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3.4.4
         with:
-          extra_args: '--results=verified,unknown'
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD

.github/workflows/labeler.yml

@@ -1,92 +0,0 @@
-name: 'Tools: PR Labeler'
-
-on:
-  pull_request_target:
-    branches:
-      - 'master'
-      - 'v5.*'
-    types:
-      - 'opened'
-      - 'reopened'
-      - 'synchronize'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  labeler:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - name: Apply labels to PR
-        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
-        with:
-          sync-labels: true
-
-  label-community:
-    name: Add 'community' label if the PR is from a community contributor
-    needs: labeler
-    if: github.repository == 'prowler-cloud/prowler' && github.event.action == 'opened'
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Check if author is org member
-        id: check_membership
-        env:
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-        run: |
-          # Hardcoded list of prowler-cloud organization members
-          # This list includes members who have set their organization membership as private
-          ORG_MEMBERS=(
-            "AdriiiPRodri"
-            "Alan-TheGentleman"
-            "alejandrobailo"
-            "amitsharm"
-            "andoniaf"
-            "cesararroba"
-            "Chan9390"
-            "danibarranqueroo"
-            "HugoPBrito"
-            "jfagoagas"
-            "josemazo"
-            "lydiavilchez"
-            "mmuller88"
-            "MrCloudSec"
-            "pedrooot"
-            "prowler-bot"
-            "puchy22"
-            "rakan-pro"
-            "RosaRivasProwler"
-            "StylusFrost"
-            "toniblyx"
-            "vicferpoy"
-          )
-
-          echo "Checking if $AUTHOR is a member of prowler-cloud organization"
-
-          # Check if author is in the org members list
-          if printf '%s\n' "${ORG_MEMBERS[@]}" | grep -q "^${AUTHOR}$"; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is an organization member"
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is not an organization member"
-          fi
-
-      - name: Add community label
-        if: steps.check_membership.outputs.is_member == 'false'
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          echo "Adding 'community' label to PR #$PR_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/${{ github.event.number }}/labels \
-            -X POST \
-            -f labels[]='community'

.github/workflows/mcp-container-build-push.yml

@@ -1,221 +0,0 @@
-name: 'MCP: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'master'
-    paths:
-      - 'mcp_server/**'
-      - '.github/workflows/mcp-container-build-push.yml'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-  STABLE_TAG: stable
-  WORKING_DIRECTORY: ./mcp_server
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    steps:
-      - name: Calculate short SHA
-        id: set-short-sha
-        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: MCP
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push MCP container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          labels: |
-            org.opencontainers.image.title=Prowler MCP Server
-            org.opencontainers.image.description=Model Context Protocol server for Prowler
-            org.opencontainers.image.vendor=ProwlerPro, Inc.
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
-            ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: MCP
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger MCP deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: mcp-prowler-deployment
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'

.github/workflows/mcp-container-checks.yml

@@ -1,99 +0,0 @@
-name: 'MCP: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  MCP_WORKING_DIR: ./mcp_server
-  IMAGE_NAME: prowler-mcp
-
-jobs:
-  mcp-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: mcp_server/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: mcp_server/Dockerfile
-
-  mcp-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for MCP changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: mcp_server/**
-          files_ignore: |
-            mcp_server/README.md
-            mcp_server/CHANGELOG.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build MCP container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.MCP_WORKING_DIR }}
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'

.github/workflows/mcp-pypi-release.yml

@@ -1,81 +0,0 @@
-name: "MCP: PyPI Release"
-
-on:
-  release:
-    types:
-      - "published"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: "3.12"
-  WORKING_DIRECTORY: ./mcp_server
-
-jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
-    steps:
-      - name: Parse and validate version
-        id: parse-version
-        run: |
-          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version (only Prowler 3, 4, 5 supported)
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler MCP for tag ${PROWLER_VERSION}"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
-              exit 1
-              ;;
-          esac
-
-  publish-prowler-mcp:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-mcp
-      url: https://pypi.org/project/prowler-mcp/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Build prowler-mcp package
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-        run: uv build
-
-      - name: Publish prowler-mcp package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
-          print-hash: true

.github/workflows/pr-check-changelog.yml

@@ -1,121 +0,0 @@
-name: 'Tools: Check Changelog'
-
-on:
-  pull_request:
-    types:
-      - 'opened'
-      - 'synchronize'
-      - 'reopened'
-      - 'labeled'
-      - 'unlabeled'
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  check-changelog:
-    if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    env:
-      MONITORED_FOLDERS: 'api ui prowler mcp_server'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          fetch-depth: 0
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            ui/**
-            prowler/**
-            mcp_server/**
-            poetry.lock
-            pyproject.toml
-
-      - name: Check for folder changes and changelog presence
-        id: check-folders
-        run: |
-          missing_changelogs=""
-
-          if [[ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]]; then
-            # Check monitored folders
-            for folder in $MONITORED_FOLDERS; do
-              # Get files changed in this folder
-              changed_in_folder=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^${folder}/" || true)
-
-              if [ -n "$changed_in_folder" ]; then
-                echo "Detected changes in ${folder}/"
-
-                # Check if CHANGELOG.md was updated
-                if ! echo "$changed_in_folder" | grep -q "^${folder}/CHANGELOG.md$"; then
-                  echo "No changelog update found for ${folder}/"
-                  missing_changelogs="${missing_changelogs}- \`${folder}\`"$'\n'
-                fi
-              fi
-            done
-
-            # Check root-level dependency files (poetry.lock, pyproject.toml)
-            # These are associated with the prowler folder changelog
-            root_deps_changed=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
-            if [ -n "$root_deps_changed" ]; then
-              echo "Detected changes in root dependency files: $root_deps_changed"
-              # Check if prowler/CHANGELOG.md was already updated (might have been caught above)
-              prowler_changelog_updated=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true)
-              if [ -z "$prowler_changelog_updated" ]; then
-                # Only add if prowler wasn't already flagged
-                if ! echo "$missing_changelogs" | grep -q "prowler"; then
-                  echo "No changelog update found for root dependency changes"
-                  missing_changelogs="${missing_changelogs}- \`prowler\` (root dependency files changed)"$'\n'
-                fi
-              fi
-            fi
-          fi
-
-          {
-            echo "missing_changelogs<<EOF"
-            echo -e "${missing_changelogs}"
-            echo "EOF"
-          } >> $GITHUB_OUTPUT
-
-      - name: Find existing changelog comment
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        id: find-comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: 'github-actions[bot]'
-          body-includes: '<!-- changelog-check -->'
-
-      - name: Update PR comment with changelog status
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          edit-mode: replace
-          body: |
-            <!-- changelog-check -->
-            ${{ steps.check-folders.outputs.missing_changelogs != '' && format('⚠️ **Changes detected in the following folders without a corresponding update to the `CHANGELOG.md`:**
-
-            {0}
-
-            Please add an entry to the corresponding `CHANGELOG.md` file to maintain a clear history of changes.', steps.check-folders.outputs.missing_changelogs) || '✅ All necessary `CHANGELOG.md` files have been updated.' }}
-
-      - name: Fail if changelog is missing
-        if: steps.check-folders.outputs.missing_changelogs != ''
-        run: |
-          echo "::error::Missing changelog updates in some folders"
-          exit 1

.github/workflows/pr-conflict-checker.yml

@@ -1,123 +0,0 @@
-name: 'Tools: PR Conflict Checker'
-
-on:
-  pull_request_target:
-    types:
-      - 'opened'
-      - 'synchronize'
-      - 'reopened'
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  check-conflicts:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-
-    steps:
-      - name: Checkout PR head
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: '**'
-
-      - name: Check for conflict markers
-        id: conflict-check
-        run: |
-          echo "Checking for conflict markers in changed files..."
-
-          CONFLICT_FILES=""
-          HAS_CONFLICTS=false
-
-          # Check each changed file for conflict markers
-          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
-            if [ -f "$file" ]; then
-              echo "Checking file: $file"
-
-              # Look for conflict markers (more precise regex)
-              if grep -qE '^(<<<<<<<|=======|>>>>>>>)' "$file" 2>/dev/null; then
-                echo "Conflict markers found in: $file"
-                CONFLICT_FILES="${CONFLICT_FILES}- \`${file}\`"$'\n'
-                HAS_CONFLICTS=true
-              fi
-            fi
-          done
-
-          if [ "$HAS_CONFLICTS" = true ]; then
-            echo "has_conflicts=true" >> $GITHUB_OUTPUT
-            {
-              echo "conflict_files<<EOF"
-              echo "$CONFLICT_FILES"
-              echo "EOF"
-            } >> $GITHUB_OUTPUT
-            echo "Conflict markers detected"
-          else
-            echo "has_conflicts=false" >> $GITHUB_OUTPUT
-            echo "No conflict markers found in changed files"
-          fi
-
-      - name: Manage conflict label
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          HAS_CONFLICTS: ${{ steps.conflict-check.outputs.has_conflicts }}
-        run: |
-          LABEL_NAME="has-conflicts"
-
-          # Add or remove label based on conflict status
-          if [ "$HAS_CONFLICTS" = "true" ]; then
-            echo "Adding conflict label to PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo ${{ github.repository }} || true
-          else
-            echo "Removing conflict label from PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo ${{ github.repository }} || true
-          fi
-
-      - name: Find existing comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
-        id: find-comment
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: 'github-actions[bot]'
-          body-includes: '<!-- conflict-checker-comment -->'
-
-      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-        with:
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          issue-number: ${{ github.event.pull_request.number }}
-          edit-mode: replace
-          body: |
-            <!-- conflict-checker-comment -->
-            ${{ steps.conflict-check.outputs.has_conflicts == 'true' && '⚠️ **Conflict Markers Detected**' || '✅ **Conflict Markers Resolved**' }}
-
-            ${{ steps.conflict-check.outputs.has_conflicts == 'true' && format('This pull request contains unresolved conflict markers in the following files:
-
-            {0}
-
-            Please resolve these conflicts by:
-            1. Locating the conflict markers: `<<<<<<<`, `=======`, and `>>>>>>>`
-            2. Manually editing the files to resolve the conflicts
-            3. Removing all conflict markers
-            4. Committing and pushing the changes', steps.conflict-check.outputs.conflict_files) || 'All conflict markers have been successfully resolved in this pull request.' }}
-
-      - name: Fail workflow if conflicts detected
-        if: steps.conflict-check.outputs.has_conflicts == 'true'
-        run: |
-          echo "::error::Workflow failed due to conflict markers detected in the PR"
-          exit 1

.github/workflows/pr-merged.yml

@@ -1,49 +0,0 @@
-name: 'Tools: PR Merged'
-
-on:
-  pull_request_target:
-    branches:
-      - 'master'
-    types:
-      - 'closed'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: false
-
-jobs:
-  trigger-cloud-pull-request:
-    if: |
-      github.event.pull_request.merged == true &&
-      github.repository == 'prowler-cloud/prowler' &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-sync')
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-    steps:
-      - name: Calculate short commit SHA
-        id: vars
-        run: |
-          SHORT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
-          echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV
-
-      - name: Trigger Cloud repository pull request
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: prowler-pull-request-merged
-          client-payload: |
-            {
-              "PROWLER_COMMIT_SHA": "${{ github.event.pull_request.merge_commit_sha }}",
-              "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
-              "PROWLER_PR_NUMBER": "${{ github.event.pull_request.number }}",
-              "PROWLER_PR_TITLE": ${{ toJson(github.event.pull_request.title) }},
-              "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},
-              "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
-              "PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }},
-              "PROWLER_PR_MERGED_BY": "${{ github.event.pull_request.merged_by.login }}",
-              "PROWLER_PR_BASE_BRANCH": "${{ github.event.pull_request.base.ref }}",
-              "PROWLER_PR_HEAD_BRANCH": "${{ github.event.pull_request.head.ref }}"
-            }

.github/workflows/prepare-release.yml

@@ -1,390 +0,0 @@
-name: 'Tools: Prepare Release'
-
-run-name: 'Prepare Release for Prowler ${{ inputs.prowler_version }}'
-
-on:
-  workflow_dispatch:
-    inputs:
-      prowler_version:
-        description: 'Prowler version to release (e.g., 5.9.0)'
-        required: true
-        type: string
-
-concurrency:
-  group: ${{ github.workflow }}-${{ inputs.prowler_version }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ inputs.prowler_version }}
-
-jobs:
-  prepare-release:
-    if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-
-    - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-      with:
-        python-version: '3.12'
-
-    - name: Install Poetry
-      run: |
-        python3 -m pip install --user poetry==2.1.1
-        echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-    - name: Configure Git
-      run: |
-        git config --global user.name 'prowler-bot'
-        git config --global user.email '179230569+prowler-bot@users.noreply.github.com'
-
-    - name: Parse version and determine branch
-      run: |
-        # Validate version format (reusing pattern from sdk-bump-version.yml)
-        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-          MAJOR_VERSION=${BASH_REMATCH[1]}
-          MINOR_VERSION=${BASH_REMATCH[2]}
-          PATCH_VERSION=${BASH_REMATCH[3]}
-
-          # Export version components to environment
-          echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
-          echo "MINOR_VERSION=${MINOR_VERSION}" >> "${GITHUB_ENV}"
-          echo "PATCH_VERSION=${PATCH_VERSION}" >> "${GITHUB_ENV}"
-
-          # Determine branch name (format: v5.9)
-          BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
-          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"
-
-          echo "Prowler version: $PROWLER_VERSION"
-          echo "Branch name: $BRANCH_NAME"
-          echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
-        else
-          echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
-          exit 1
-        fi
-
-    - name: Checkout release branch
-      run: |
-        echo "Checking out branch $BRANCH_NAME for release $PROWLER_VERSION..."
-        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists locally, checking out..."
-          git checkout "$BRANCH_NAME"
-        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists remotely, checking out..."
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-        else
-          echo "ERROR: Branch $BRANCH_NAME does not exist. For minor releases (X.Y.0), create it manually first. For patch releases (X.Y.Z), the branch should already exist."
-          exit 1
-        fi
-
-    - name: Read changelog versions from release branch
-      run: |
-        # Function to extract the version for a specific Prowler release from changelog
-        # This looks for entries with "(Prowler X.Y.Z)" to find the released version
-        extract_version_for_release() {
-          local changelog_file="$1"
-          local prowler_version="$2"
-          if [ -f "$changelog_file" ]; then
-            # Extract version that matches this Prowler release
-            # Format: ## [version] (Prowler X.Y.Z) or ## [vversion] (Prowler vX.Y.Z)
-            local version=$(grep '^## \[' "$changelog_file" | grep "(Prowler v\?${prowler_version})" | head -1 | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
-            echo "$version"
-          else
-            echo ""
-          fi
-        }
-
-        # Read versions from changelogs for this specific Prowler release
-        SDK_VERSION=$(extract_version_for_release "prowler/CHANGELOG.md" "$PROWLER_VERSION")
-        API_VERSION=$(extract_version_for_release "api/CHANGELOG.md" "$PROWLER_VERSION")
-        UI_VERSION=$(extract_version_for_release "ui/CHANGELOG.md" "$PROWLER_VERSION")
-        MCP_VERSION=$(extract_version_for_release "mcp_server/CHANGELOG.md" "$PROWLER_VERSION")
-
-        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
-        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
-        echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
-        echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
-
-        if [ -n "$SDK_VERSION" ]; then
-          echo "✓ SDK version for Prowler $PROWLER_VERSION: $SDK_VERSION"
-        else
-          echo "ℹ No SDK version found for Prowler $PROWLER_VERSION in prowler/CHANGELOG.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "✓ API version for Prowler $PROWLER_VERSION: $API_VERSION"
-        else
-          echo "ℹ No API version found for Prowler $PROWLER_VERSION in api/CHANGELOG.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
-          echo "✓ UI version for Prowler $PROWLER_VERSION: $UI_VERSION"
-        else
-          echo "ℹ No UI version found for Prowler $PROWLER_VERSION in ui/CHANGELOG.md"
-        fi
-
-        if [ -n "$MCP_VERSION" ]; then
-          echo "✓ MCP version for Prowler $PROWLER_VERSION: $MCP_VERSION"
-        else
-          echo "ℹ No MCP version found for Prowler $PROWLER_VERSION in mcp_server/CHANGELOG.md"
-        fi
-
-    - name: Extract and combine changelog entries
-      run: |
-        set -e
-
-        # Function to extract changelog for a specific version
-        extract_changelog() {
-          local file="$1"
-          local version="$2"
-          local output_file="$3"
-
-          if [ ! -f "$file" ]; then
-            echo "Warning: $file not found, skipping..."
-            touch "$output_file"
-            return
-          fi
-
-          # Extract changelog section for this version
-          awk -v version="$version" '
-            /^## \[v?'"$version"'\]/ { found=1; next }
-            found && /^## \[v?[0-9]+\.[0-9]+\.[0-9]+\]/ { found=0 }
-            found && !/^## \[v?'"$version"'\]/ { print }
-          ' "$file" > "$output_file"
-
-          # Remove --- separators
-          sed -i '/^---$/d' "$output_file"
-        }
-
-        # Determine if components have changes for this specific release
-        if [ -n "$SDK_VERSION" ]; then
-          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="true"
-          echo "✓ SDK changes detected - version: $SDK_VERSION"
-          extract_changelog "prowler/CHANGELOG.md" "$SDK_VERSION" "prowler_changelog.md"
-        else
-          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="false"
-          echo "ℹ No SDK changes for this release"
-          touch "prowler_changelog.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
-          HAS_API_CHANGES="true"
-          echo "✓ API changes detected - version: $API_VERSION"
-          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
-        else
-          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
-          HAS_API_CHANGES="false"
-          echo "ℹ No API changes for this release"
-          touch "api_changelog.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
-          echo "HAS_UI_CHANGES=true" >> $GITHUB_ENV
-          HAS_UI_CHANGES="true"
-          echo "✓ UI changes detected - version: $UI_VERSION"
-          extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
-        else
-          echo "HAS_UI_CHANGES=false" >> $GITHUB_ENV
-          HAS_UI_CHANGES="false"
-          echo "ℹ No UI changes for this release"
-          touch "ui_changelog.md"
-        fi
-
-        if [ -n "$MCP_VERSION" ]; then
-          echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="true"
-          echo "✓ MCP changes detected - version: $MCP_VERSION"
-          extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
-        else
-          echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="false"
-          echo "ℹ No MCP changes for this release"
-          touch "mcp_changelog.md"
-        fi
-
-        # Combine changelogs in order: UI, API, SDK, MCP
-        > combined_changelog.md
-
-        if [ "$HAS_UI_CHANGES" = "true" ] && [ -s "ui_changelog.md" ]; then
-          echo "## UI" >> combined_changelog.md
-          echo "" >> combined_changelog.md
-          cat ui_changelog.md >> combined_changelog.md
-          echo "" >> combined_changelog.md
-        fi
-
-        if [ "$HAS_API_CHANGES" = "true" ] && [ -s "api_changelog.md" ]; then
-          echo "## API" >> combined_changelog.md
-          echo "" >> combined_changelog.md
-          cat api_changelog.md >> combined_changelog.md
-          echo "" >> combined_changelog.md
-        fi
-
-        if [ "$HAS_SDK_CHANGES" = "true" ] && [ -s "prowler_changelog.md" ]; then
-          echo "## SDK" >> combined_changelog.md
-          echo "" >> combined_changelog.md
-          cat prowler_changelog.md >> combined_changelog.md
-          echo "" >> combined_changelog.md
-        fi
-
-        if [ "$HAS_MCP_CHANGES" = "true" ] && [ -s "mcp_changelog.md" ]; then
-          echo "## MCP" >> combined_changelog.md
-          echo "" >> combined_changelog.md
-          cat mcp_changelog.md >> combined_changelog.md
-          echo "" >> combined_changelog.md
-        fi
-
-        # Add fallback message if no changelogs were added
-        if [ ! -s combined_changelog.md ]; then
-          echo "No component changes detected for this release." >> combined_changelog.md
-        fi
-
-        echo "Combined changelog preview:"
-        cat combined_changelog.md
-
-    - name: Verify SDK version in pyproject.toml
-      run: |
-        CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
-        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
-          echo "ERROR: Version mismatch in pyproject.toml (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
-          exit 1
-        fi
-        echo "✓ pyproject.toml version: $CURRENT_VERSION"
-
-    - name: Verify SDK version in prowler/config/config.py
-      run: |
-        CURRENT_VERSION=$(grep '^prowler_version = ' prowler/config/config.py | sed -E 's/prowler_version = "([^"]+)"/\1/' | tr -d '[:space:]')
-        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
-          echo "ERROR: Version mismatch in prowler/config/config.py (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
-          exit 1
-        fi
-        echo "✓ prowler/config/config.py version: $CURRENT_VERSION"
-
-    - name: Verify API version in api/pyproject.toml
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_API_VERSION=$(grep '^version = ' api/pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in api/pyproject.toml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
-          exit 1
-        fi
-        echo "✓ api/pyproject.toml version: $CURRENT_API_VERSION"
-
-    - name: Verify API prowler dependency in api/pyproject.toml
-      if: ${{ env.PATCH_VERSION != '0' && env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
-        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
-        if [ "$CURRENT_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
-          echo "ERROR: Prowler dependency mismatch in api/pyproject.toml (expected: '$BRANCH_NAME_TRIMMED', found: '$CURRENT_PROWLER_REF')"
-          exit 1
-        fi
-        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"
-
-    - name: Verify API version in api/src/backend/api/v1/views.py
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
-          exit 1
-        fi
-        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
-
-    - name: Verify API version in api/src/backend/api/specs/v1.yaml
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_API_VERSION=$(grep '^  version: ' api/src/backend/api/specs/v1.yaml | sed -E 's/  version: ([0-9]+\.[0-9]+\.[0-9]+)/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in api/src/backend/api/specs/v1.yaml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
-          exit 1
-        fi
-        echo "✓ api/src/backend/api/specs/v1.yaml version: $CURRENT_API_VERSION"
-
-    - name: Update API prowler dependency for minor release
-      if: ${{ env.PATCH_VERSION == '0' }}
-      run: |
-        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
-        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
-
-        # Minor release: update the dependency to use the release branch
-        echo "Updating prowler dependency from '$CURRENT_PROWLER_REF' to '$BRANCH_NAME_TRIMMED'"
-        sed -i "s|prowler @ git+https://github.com/prowler-cloud/prowler.git@[^\"]*\"|prowler @ git+https://github.com/prowler-cloud/prowler.git@$BRANCH_NAME_TRIMMED\"|" api/pyproject.toml
-
-        # Verify the change was made
-        UPDATED_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
-        if [ "$UPDATED_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
-          echo "ERROR: Failed to update prowler dependency in api/pyproject.toml"
-          exit 1
-        fi
-
-        # Update poetry lock file
-        echo "Updating poetry.lock file..."
-        cd api
-        poetry lock
-        cd ..
-
-        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"
-
-    - name: Create PR for API dependency update
-      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-      with:
-        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
-        branch: update-api-dependency-${{ env.BRANCH_NAME }}-${{ github.run_number }}
-        base: ${{ env.BRANCH_NAME }}
-        add-paths: |
-          api/pyproject.toml
-          api/poetry.lock
-        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
-        body: |
-          ### Description
-
-          Updates the API prowler dependency for release ${{ env.PROWLER_VERSION }}.
-
-          **Changes:**
-          - Updates `api/pyproject.toml` prowler dependency from `@master` to `@${{ env.BRANCH_NAME }}`
-          - Updates `api/poetry.lock` file with resolved dependencies
-
-          This PR should be merged into the `${{ env.BRANCH_NAME }}` release branch.
-
-          ### License
-
-          By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-        author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-        labels: |
-          component/api
-          no-changelog
-
-    - name: Create draft release
-      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-      with:
-        tag_name: ${{ env.PROWLER_VERSION }}
-        name: Prowler ${{ env.PROWLER_VERSION }}
-        body_path: combined_changelog.md
-        draft: true
-        target_commitish: ${{ env.BRANCH_NAME }}
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Clean up temporary files
-      if: always()
-      run: |
-        rm -f prowler_changelog.md api_changelog.md ui_changelog.md mcp_changelog.md combined_changelog.md

.github/workflows/refresh_aws_services_regions.yml

@@ -0,0 +1,50 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Refresh regions of AWS services
+
+on:
+  schedule:
+    - cron: "0 9 * * *" #runs at 09:00 UTC everyday
+
+env:
+  GITHUB_BRANCH: "prowler-3.0-dev"
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ env.GITHUB_BRANCH }}
+
+      - name: setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9 #install the python needed
+
+      # Runs a single command using the runners shell
+      - name: Run a one-line script
+        run: python3 util/update_aws_services_regions.py
+
+      # Create pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services."
+          branch: "aws-services-regions-updated"
+          labels: "status/waiting-for-revision, severity/low"
+          title: "feat(regions_update): Changes in regions for AWS services."
+          body: |
+            ### Description
+
+            This PR updates the regions for AWS services.
+            
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/sdk-bump-version.yml

@@ -1,215 +0,0 @@
-name: 'SDK: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/sdk-check-duplicate-test-names.yml

@@ -1,91 +0,0 @@
-name: 'SDK: Check Duplicate Test Names'
-
-on:
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  check-duplicate-test-names:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for duplicate test names across providers
-        run: |
-          python3 << 'EOF'
-          import sys
-          from collections import defaultdict
-          from pathlib import Path
-
-          def find_duplicate_test_names():
-              """Find test files with the same name across different providers."""
-              tests_dir = Path("tests/providers")
-
-              if not tests_dir.exists():
-                  print("tests/providers directory not found")
-                  sys.exit(0)
-
-              # Dictionary: filename -> list of (provider, full_path)
-              test_files = defaultdict(list)
-
-              # Find all *_test.py files
-              for test_file in tests_dir.rglob("*_test.py"):
-                  relative_path = test_file.relative_to(tests_dir)
-                  provider = relative_path.parts[0]
-                  filename = test_file.name
-                  test_files[filename].append((provider, str(test_file)))
-
-              # Find duplicates (files appearing in multiple providers)
-              duplicates = {
-                  filename: locations
-                  for filename, locations in test_files.items()
-                  if len(set(loc[0] for loc in locations)) > 1
-              }
-
-              if not duplicates:
-                  print("No duplicate test file names found across providers.")
-                  print("All test names are unique within the repository.")
-                  sys.exit(0)
-
-              # Report duplicates
-              print("::error::Duplicate test file names found across providers!")
-              print()
-              print("=" * 70)
-              print("DUPLICATE TEST NAMES DETECTED")
-              print("=" * 70)
-              print()
-              print("The following test files have the same name in multiple providers.")
-              print("Please rename YOUR new test file by adding the provider prefix.")
-              print()
-              print("Example: 'kms_service_test.py' -> 'oraclecloud_kms_service_test.py'")
-              print()
-
-              for filename, locations in sorted(duplicates.items()):
-                  print(f"### {filename}")
-                  print(f"  Found in {len(locations)} providers:")
-                  for provider, path in sorted(locations):
-                      print(f"    - {provider}: {path}")
-                  print()
-                  print(f"  Suggested fix: Rename your new file to '<provider>_{filename}'")
-                  print()
-
-              print("=" * 70)
-              print()
-              print("See: tests/providers/TESTING.md for naming conventions.")
-              sys.exit(1)
-
-          if __name__ == "__main__":
-              find_duplicate_test_names()
-          EOF

.github/workflows/sdk-code-quality.yml

@@ -1,92 +0,0 @@
-name: 'SDK: Code Quality'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-code-quality:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.9'
-          - '3.10'
-          - '3.11'
-          - '3.12'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-            **/AGENTS.md
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: |
-          poetry install --no-root
-          poetry run pip list
-
-      - name: Check Poetry lock file
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry check --lock
-
-      - name: Lint with flake8
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api,skills
-
-      - name: Check format with black
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run black --exclude "api|ui|skills" --check .
-
-      - name: Lint with pylint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/

.github/workflows/sdk-codeql.yml

@@ -1,63 +0,0 @@
-name: 'SDK: CodeQL'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - '.github/workflows/sdk-codeql.yml'
-      - '.github/codeql/sdk-codeql-config.yml'
-      - '!prowler/CHANGELOG.md'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - '.github/workflows/sdk-codeql.yml'
-      - '.github/codeql/sdk-codeql-config.yml'
-      - '!prowler/CHANGELOG.md'
-  schedule:
-    - cron: '00 12 * * *'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-analyze:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: CodeQL Security Analysis
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - 'python'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql/sdk-codeql-config.yml
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          category: '/language:${{ matrix.language }}'

.github/workflows/sdk-container-build-push.yml

@@ -1,311 +0,0 @@
-name: 'SDK: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'v3'      # For v3-latest
-      - 'v4.6'    # For v4-latest
-      - 'master'  # For latest
-    paths-ignore:
-      - '.github/**'
-      - '!.github/workflows/sdk-container-build-push.yml'
-      - 'README.md'
-      - 'docs/**'
-      - 'ui/**'
-      - 'api/**'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Container configuration
-  IMAGE_NAME: prowler
-  DOCKERFILE_PATH: ./Dockerfile
-
-  # Python configuration
-  PYTHON_VERSION: '3.12'
-
-  # Tags (dynamically set based on version)
-  LATEST_TAG: latest
-  STABLE_TAG: stable
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
-
-  # AWS configuration (for ECR)
-  AWS_REGION: us-east-1
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
-      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
-      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
-      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install Poetry
-        run: |
-          pipx install poetry==2.1.1
-          pipx inject poetry poetry-bumpversion
-
-      - name: Get Prowler version and set tags
-        id: get-prowler-version
-        run: |
-          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
-          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
-          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
-
-          # Set version-specific tags
-          case ${PROWLER_VERSION_MAJOR} in
-            3)
-              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
-              ;;
-            4)
-              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
-              ;;
-            5)
-              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v5 detected - tags: latest, stable"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
-              exit 1
-              ;;
-          esac
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 45
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push SDK container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          file: ${{ env.DOCKERFILE_PATH }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  dispatch-v3-deployment:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Calculate short SHA
-        id: short-sha
-        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-      - name: Dispatch v3 deployment (latest)
-        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
-
-      - name: Dispatch v3 deployment (release)
-        if: github.event_name == 'release'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'

.github/workflows/sdk-container-checks.yml

@@ -1,115 +0,0 @@
-name: 'SDK: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  IMAGE_NAME: prowler
-
-jobs:
-  sdk-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: Dockerfile
-          ignore: DL3013
-
-  sdk-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-            **/AGENTS.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build SDK container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'

.github/workflows/sdk-pypi-release.yml

@@ -1,119 +0,0 @@
-name: 'SDK: PyPI Release'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: '3.12'
-
-jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
-    steps:
-      - name: Parse and validate version
-        id: parse-version
-        run: |
-          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler v${MAJOR_VERSION} with tag ${PROWLER_VERSION}"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
-              exit 1
-              ;;
-          esac
-
-  publish-prowler:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler
-      url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'poetry'
-
-      - name: Build Prowler package
-        run: poetry build
-
-      - name: Publish Prowler package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          print-hash: true
-
-  publish-prowler-cloud:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-cloud
-      url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'poetry'
-
-      - name: Install toml package
-        run: pip install toml
-
-      - name: Replicate PyPI package for prowler-cloud
-        run: |
-          rm -rf ./dist ./build prowler.egg-info
-          python util/replicate_pypi_package.py
-
-      - name: Build prowler-cloud package
-        run: poetry build
-
-      - name: Publish prowler-cloud package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          print-hash: true

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -1,90 +0,0 @@
-name: 'SDK: Refresh AWS Regions'
-
-on:
-  schedule:
-    - cron: '0 9 * * 1' # Every Monday at 09:00 UTC
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
-env:
-  PYTHON_VERSION: '3.12'
-  AWS_REGION: 'us-east-1'
-
-jobs:
-  refresh-aws-regions:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      id-token: write
-      pull-requests: write
-      contents: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: 'master'
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'pip'
-
-      - name: Install dependencies
-        run: pip install boto3
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
-        with:
-          aws-region: ${{ env.AWS_REGION }}
-          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
-          role-session-name: prowler-refresh-aws-regions
-
-      - name: Update AWS services regions
-        run: python util/update_aws_services_regions.py
-
-      - name: Create pull request
-        id: create-pr
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
-          committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
-          commit-message: 'feat(aws): update regions for AWS services'
-          branch: 'aws-regions-update-${{ github.run_number }}'
-          title: 'feat(aws): Update regions for AWS services'
-          labels: |
-            status/waiting-for-revision
-            severity/low
-            provider/aws
-            no-changelog
-          body: |
-            ### Description
-
-            Automated update of AWS service regions from the official AWS IP ranges.
-
-            **Trigger:** ${{ github.event_name == 'schedule' && 'Scheduled (weekly)' || github.event_name == 'workflow_dispatch' && 'Manual' || 'Workflow update' }}
-            **Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-
-            ### Checklist
-
-            - [x] This is an automated update from AWS official sources
-            - [x] No manual review of region data required
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: PR creation result
-        run: |
-          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
-            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
-            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
-          else
-            echo "✓ No changes detected - AWS regions are up to date"
-          fi

.github/workflows/sdk-security.yml

@@ -1,81 +0,0 @@
-name: 'SDK: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: 
-            ./**
-            .github/workflows/sdk-security.yml
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-            **/AGENTS.md
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python 3.12
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: '3.12'
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
-
-      - name: Security scan with Bandit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
-
-      - name: Security scan with Safety
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check -r pyproject.toml
-
-      - name: Dead code detection with Vulture
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .

.github/workflows/sdk-tests.yml

@@ -1,487 +0,0 @@
-name: 'SDK: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-tests:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 120
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.9'
-          - '3.10'
-          - '3.11'
-          - '3.12'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            skills/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-            **/AGENTS.md
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
-
-      # AWS Provider
-      - name: Check if AWS files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-aws
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/aws/**
-            ./tests/**/aws/**
-            ./poetry.lock
-
-      - name: Resolve AWS services under test
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        id: aws-services
-        shell: bash
-        run: |
-          python3 <<'PY'
-          import os
-          from pathlib import Path
-
-          dependents = {
-              "acm": ["elb"],
-              "autoscaling": ["dynamodb"],
-              "awslambda": ["ec2", "inspector2"],
-              "backup": ["dynamodb", "ec2", "rds"],
-              "cloudfront": ["shield"],
-              "cloudtrail": ["awslambda", "cloudwatch"],
-              "cloudwatch": ["bedrock"],
-              "ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "rds", "redshift", "route53", "shield", "ssm"],
-              "ecr": ["inspector2"],
-              "elb": ["shield"],
-              "elbv2": ["shield"],
-              "globalaccelerator": ["shield"],
-              "iam": ["bedrock", "cloudtrail", "cloudwatch", "codebuild"],
-              "kafka": ["firehose"],
-              "kinesis": ["firehose"],
-              "kms": ["kafka"],
-              "organizations": ["iam", "servicecatalog"],
-              "route53": ["shield"],
-              "s3": ["bedrock", "cloudfront", "cloudtrail", "macie"],
-              "ssm": ["ec2"],
-              "vpc": ["awslambda", "ec2", "efs", "elasticache", "neptune", "networkfirewall", "rds", "redshift", "workspaces"],
-              "waf": ["elbv2"],
-              "wafv2": ["cognito", "elbv2"],
-          }
-
-          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
-          # all_changed_files is space-separated, not newline-separated
-          # Strip leading "./" if present for consistent path handling
-          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
-
-          services = set()
-          run_all = False
-
-          for path in changed_files:
-              path_str = path.as_posix()
-              parts = path.parts
-              if path_str.startswith("prowler/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("tests/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("prowler/providers/aws/") or path_str.startswith("tests/providers/aws/"):
-                  run_all = True
-
-          # Expand with direct dependent services (one level only)
-          # We only test services that directly depend on the changed services,
-          # not transitive dependencies (services that depend on dependents)
-          original_services = set(services)
-          for svc in original_services:
-              for dep in dependents.get(svc, []):
-                  services.add(dep)
-
-          if run_all or not services:
-              run_all = True
-              services = set()
-
-          service_paths = " ".join(sorted(f"tests/providers/aws/services/{svc}" for svc in services))
-
-          output_lines = [
-              f"run_all={'true' if run_all else 'false'}",
-              f"services={' '.join(sorted(services))}",
-              f"service_paths={service_paths}",
-          ]
-
-          with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
-              for line in output_lines:
-                  gh_out.write(line + "\n")
-
-          print(f"AWS changed files (filtered): {changed_raw or 'none'}")
-          print(f"Run all AWS tests: {run_all}")
-          if services:
-              print(f"AWS service test paths: {service_paths}")
-          else:
-              print("AWS service test paths: none detected")
-          PY
-
-      - name: Run AWS tests
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        run: |
-          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
-          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"
-
-          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
-            echo "No AWS service paths detected; skipping AWS tests."
-          else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
-          fi
-
-      - name: Upload AWS coverage to Codecov
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-aws
-          files: ./aws_coverage.xml
-
-      # Azure Provider
-      - name: Check if Azure files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-azure
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/azure/**
-            ./tests/**/azure/**
-            ./poetry.lock
-
-      - name: Run Azure tests
-        if: steps.changed-azure.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
-
-      - name: Upload Azure coverage to Codecov
-        if: steps.changed-azure.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-azure
-          files: ./azure_coverage.xml
-
-      # GCP Provider
-      - name: Check if GCP files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-gcp
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/gcp/**
-            ./tests/**/gcp/**
-            ./poetry.lock
-
-      - name: Run GCP tests
-        if: steps.changed-gcp.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
-
-      - name: Upload GCP coverage to Codecov
-        if: steps.changed-gcp.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-gcp
-          files: ./gcp_coverage.xml
-
-      # Kubernetes Provider
-      - name: Check if Kubernetes files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-kubernetes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/kubernetes/**
-            ./tests/**/kubernetes/**
-            ./poetry.lock
-
-      - name: Run Kubernetes tests
-        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
-
-      - name: Upload Kubernetes coverage to Codecov
-        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-kubernetes
-          files: ./kubernetes_coverage.xml
-
-      # GitHub Provider
-      - name: Check if GitHub files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-github
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/github/**
-            ./tests/**/github/**
-            ./poetry.lock
-
-      - name: Run GitHub tests
-        if: steps.changed-github.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
-
-      - name: Upload GitHub coverage to Codecov
-        if: steps.changed-github.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-github
-          files: ./github_coverage.xml
-
-      # NHN Provider
-      - name: Check if NHN files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-nhn
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/nhn/**
-            ./tests/**/nhn/**
-            ./poetry.lock
-
-      - name: Run NHN tests
-        if: steps.changed-nhn.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
-
-      - name: Upload NHN coverage to Codecov
-        if: steps.changed-nhn.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-nhn
-          files: ./nhn_coverage.xml
-
-      # M365 Provider
-      - name: Check if M365 files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-m365
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/m365/**
-            ./tests/**/m365/**
-            ./poetry.lock
-
-      - name: Run M365 tests
-        if: steps.changed-m365.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
-
-      - name: Upload M365 coverage to Codecov
-        if: steps.changed-m365.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-m365
-          files: ./m365_coverage.xml
-
-      # IaC Provider
-      - name: Check if IaC files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-iac
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/iac/**
-            ./tests/**/iac/**
-            ./poetry.lock
-
-      - name: Run IaC tests
-        if: steps.changed-iac.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
-
-      - name: Upload IaC coverage to Codecov
-        if: steps.changed-iac.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-iac
-          files: ./iac_coverage.xml
-
-      # MongoDB Atlas Provider
-      - name: Check if MongoDB Atlas files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/mongodbatlas/**
-            ./tests/**/mongodbatlas/**
-            ./poetry.lock
-
-      - name: Run MongoDB Atlas tests
-        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas
-
-      - name: Upload MongoDB Atlas coverage to Codecov
-        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-mongodbatlas
-          files: ./mongodbatlas_coverage.xml
-
-      # OCI Provider
-      - name: Check if OCI files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-oraclecloud
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/oraclecloud/**
-            ./tests/**/oraclecloud/**
-            ./poetry.lock
-
-      - name: Run OCI tests
-        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud
-
-      - name: Upload OCI coverage to Codecov
-        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-oraclecloud
-          files: ./oraclecloud_coverage.xml
-
-      # OpenStack Provider
-      - name: Check if OpenStack files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-openstack
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/openstack/**
-            ./tests/**/openstack/**
-            ./poetry.lock
-
-      - name: Run OpenStack tests
-        if: steps.changed-openstack.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/openstack --cov-report=xml:openstack_coverage.xml tests/providers/openstack
-
-      - name: Upload OpenStack coverage to Codecov
-        if: steps.changed-openstack.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-openstack
-          files: ./openstack_coverage.xml
-
-      # Lib
-      - name: Check if Lib files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-lib
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/lib/**
-            ./tests/lib/**
-            ./poetry.lock
-
-      - name: Run Lib tests
-        if: steps.changed-lib.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
-
-      - name: Upload Lib coverage to Codecov
-        if: steps.changed-lib.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-lib
-          files: ./lib_coverage.xml
-
-      # Config
-      - name: Check if Config files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-config
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/config/**
-            ./tests/config/**
-            ./poetry.lock
-
-      - name: Run Config tests
-        if: steps.changed-config.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
-
-      - name: Upload Config coverage to Codecov
-        if: steps.changed-config.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-config
-          files: ./config_coverage.xml

.github/workflows/test-impact-analysis.yml

@@ -1,112 +0,0 @@
-name: Test Impact Analysis
-
-on:
-  workflow_call:
-    outputs:
-      run-all:
-        description: "Whether to run all tests (critical path changed)"
-        value: ${{ jobs.analyze.outputs.run-all }}
-      sdk-tests:
-        description: "SDK test paths to run"
-        value: ${{ jobs.analyze.outputs.sdk-tests }}
-      api-tests:
-        description: "API test paths to run"
-        value: ${{ jobs.analyze.outputs.api-tests }}
-      ui-e2e:
-        description: "UI E2E test paths to run"
-        value: ${{ jobs.analyze.outputs.ui-e2e }}
-      modules:
-        description: "Comma-separated list of affected modules"
-        value: ${{ jobs.analyze.outputs.modules }}
-      has-tests:
-        description: "Whether there are any tests to run"
-        value: ${{ jobs.analyze.outputs.has-tests }}
-      has-sdk-tests:
-        description: "Whether there are SDK tests to run"
-        value: ${{ jobs.analyze.outputs.has-sdk-tests }}
-      has-api-tests:
-        description: "Whether there are API tests to run"
-        value: ${{ jobs.analyze.outputs.has-api-tests }}
-      has-ui-e2e:
-        description: "Whether there are UI E2E tests to run"
-        value: ${{ jobs.analyze.outputs.has-ui-e2e }}
-
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      run-all: ${{ steps.impact.outputs.run-all }}
-      sdk-tests: ${{ steps.impact.outputs.sdk-tests }}
-      api-tests: ${{ steps.impact.outputs.api-tests }}
-      ui-e2e: ${{ steps.impact.outputs.ui-e2e }}
-      modules: ${{ steps.impact.outputs.modules }}
-      has-tests: ${{ steps.impact.outputs.has-tests }}
-      has-sdk-tests: ${{ steps.set-flags.outputs.has-sdk-tests }}
-      has-api-tests: ${{ steps.set-flags.outputs.has-api-tests }}
-      has-ui-e2e: ${{ steps.set-flags.outputs.has-ui-e2e }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-
-      - name: Setup Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
-        with:
-          python-version: '3.12'
-
-      - name: Install PyYAML
-        run: pip install pyyaml
-
-      - name: Analyze test impact
-        id: impact
-        run: |
-          echo "Changed files:"
-          echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n'
-          echo ""
-          python .github/scripts/test-impact.py ${{ steps.changed-files.outputs.all_changed_files }}
-
-      - name: Set convenience flags
-        id: set-flags
-        run: |
-          if [[ -n "${{ steps.impact.outputs.sdk-tests }}" ]]; then
-            echo "has-sdk-tests=true" >> $GITHUB_OUTPUT
-          else
-            echo "has-sdk-tests=false" >> $GITHUB_OUTPUT
-          fi
-          
-          if [[ -n "${{ steps.impact.outputs.api-tests }}" ]]; then
-            echo "has-api-tests=true" >> $GITHUB_OUTPUT
-          else
-            echo "has-api-tests=false" >> $GITHUB_OUTPUT
-          fi
-          
-          if [[ -n "${{ steps.impact.outputs.ui-e2e }}" ]]; then
-            echo "has-ui-e2e=true" >> $GITHUB_OUTPUT
-          else
-            echo "has-ui-e2e=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Summary
-        run: |
-          echo "## Test Impact Analysis" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          
-          if [[ "${{ steps.impact.outputs.run-all }}" == "true" ]]; then
-            echo "🚨 **Critical path changed - running ALL tests**" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "### Affected Modules" >> $GITHUB_STEP_SUMMARY
-            echo "\`${{ steps.impact.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            
-            echo "### Tests to Run" >> $GITHUB_STEP_SUMMARY
-            echo "| Category | Paths |" >> $GITHUB_STEP_SUMMARY
-            echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-            echo "| SDK Tests | \`${{ steps.impact.outputs.sdk-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| API Tests | \`${{ steps.impact.outputs.api-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| UI E2E | \`${{ steps.impact.outputs.ui-e2e || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
-          fi

.github/workflows/ui-bump-version.yml

@@ -1,221 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/ui-codeql.yml

@@ -1,59 +0,0 @@
-name: 'UI: CodeQL'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-codeql.yml'
-      - '.github/codeql/ui-codeql-config.yml'
-      - '!ui/CHANGELOG.md'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-codeql.yml'
-      - '.github/codeql/ui-codeql-config.yml'
-      - '!ui/CHANGELOG.md'
-  schedule:
-    - cron: '00 12 * * *'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  ui-analyze:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: CodeQL Security Analysis
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - 'javascript-typescript'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql/ui-codeql-config.yml
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          category: '/language:${{ matrix.language }}'

.github/workflows/ui-container-build-push.yml

@@ -1,220 +0,0 @@
-name: 'UI: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'master'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-container-build-push.yml'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-  STABLE_TAG: stable
-  WORKING_DIRECTORY: ./ui
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
-
-  # Build args
-  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    steps:
-      - name: Calculate short SHA
-        id: set-short-sha
-        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: UI
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push UI container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ (github.event_name == 'release' || github.event_name == 'workflow_dispatch') && format('v{0}', env.RELEASE_TAG) || needs.setup.outputs.short-sha }}
-            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: UI
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger UI deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: ui-prowler-deployment
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'

.github/workflows/ui-container-checks.yml

@@ -1,104 +0,0 @@
-name: 'UI: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  UI_WORKING_DIR: ./ui
-  IMAGE_NAME: prowler-ui
-
-jobs:
-  ui-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ui/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: ui/Dockerfile
-          ignore: DL3018
-
-  ui-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for UI changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ui/**
-          files_ignore: |
-            ui/CHANGELOG.md
-            ui/README.md
-            ui/AGENTS.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build UI container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.UI_WORKING_DIR }}
-          target: prod
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-          build-args: |
-            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
-
-      - name: Scan UI container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'

.github/workflows/ui-e2e-tests-v2.yml

@@ -1,238 +0,0 @@
-name: UI - E2E Tests (Optimized)
-
-# This is an optimized version that runs only relevant E2E tests
-# based on changed files. Falls back to running all tests if
-# critical paths are changed or if impact analysis fails.
-
-on:
-  pull_request:
-    branches:
-      - master
-      - "v5.*"
-    paths:
-      - '.github/workflows/ui-e2e-tests-v2.yml'
-      - '.github/test-impact.yml'
-      - 'ui/**'
-      - 'api/**'  # API changes can affect UI E2E
-
-jobs:
-  # First, analyze which tests need to run
-  impact-analysis:
-    if: github.repository == 'prowler-cloud/prowler'
-    uses: ./.github/workflows/test-impact-analysis.yml
-
-  # Run E2E tests based on impact analysis
-  e2e-tests:
-    needs: impact-analysis
-    if: |
-      github.repository == 'prowler-cloud/prowler' && 
-      (needs.impact-analysis.outputs.has-ui-e2e == 'true' || needs.impact-analysis.outputs.run-all == 'true')
-    runs-on: ubuntu-latest
-    env:
-      AUTH_SECRET: 'fallback-ci-secret-for-testing'
-      AUTH_TRUST_HOST: true
-      NEXTAUTH_URL: 'http://localhost:3000'
-      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
-      E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
-      E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
-      E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
-      E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
-      E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
-      E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
-      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
-      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
-      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
-      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
-      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
-      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
-      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
-      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
-      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-      # Pass E2E paths from impact analysis
-      E2E_TEST_PATHS: ${{ needs.impact-analysis.outputs.ui-e2e }}
-      RUN_ALL_TESTS: ${{ needs.impact-analysis.outputs.run-all }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Show test scope
-        run: |
-          echo "## E2E Test Scope" >> $GITHUB_STEP_SUMMARY
-          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
-            echo "Running **ALL** E2E tests (critical path changed)" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Running tests matching: \`${{ env.E2E_TEST_PATHS }}\`" >> $GITHUB_STEP_SUMMARY
-          fi
-          echo ""
-          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
-
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
-        with:
-          cluster_name: kind
-
-      - name: Modify kubeconfig
-        run: |
-          kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-          kubectl config view
-
-      - name: Add network kind to docker compose
-        run: |
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
-
-      - name: Fix API data directory permissions
-        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-
-      - name: Add AWS credentials for testing
-        run: |
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
-
-      - name: Start API services
-        run: |
-          export PROWLER_API_VERSION=latest
-          docker compose up -d api worker worker-beat
-
-      - name: Wait for API to be ready
-        run: |
-          echo "Waiting for prowler-api..."
-          timeout=150
-          elapsed=0
-          while [ $elapsed -lt $timeout ]; do
-            if curl -s ${NEXT_PUBLIC_API_BASE_URL}/docs >/dev/null 2>&1; then
-              echo "Prowler API is ready!"
-              exit 0
-            fi
-            echo "Waiting... (${elapsed}s elapsed)"
-            sleep 5
-            elapsed=$((elapsed + 5))
-          done
-          echo "Timeout waiting for prowler-api"
-          exit 1
-
-      - name: Load database fixtures
-        run: |
-          docker compose exec -T api sh -c '
-            for fixture in api/fixtures/dev/*.json; do
-              if [ -f "$fixture" ]; then
-                echo "Loading $fixture"
-                poetry run python manage.py loaddata "$fixture" --database admin
-              fi
-            done
-          '
-
-      - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version: '24.13.0'
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Get pnpm store directory
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: |
-            ${{ env.STORE_PATH }}
-            ./ui/node_modules
-            ./ui/.next/cache
-          key: ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-${{ hashFiles('ui/**/*.ts', 'ui/**/*.tsx', 'ui/**/*.js', 'ui/**/*.jsx') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-
-            ${{ runner.os }}-pnpm-nextjs-
-
-      - name: Install UI dependencies
-        working-directory: ./ui
-        run: pnpm install --frozen-lockfile --prefer-offline
-
-      - name: Build UI application
-        working-directory: ./ui
-        run: pnpm run build
-
-      - name: Cache Playwright browsers
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        id: playwright-cache
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
-      - name: Install Playwright browsers
-        working-directory: ./ui
-        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm run test:e2e:install
-
-      - name: Run E2E tests
-        working-directory: ./ui
-        run: |
-          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
-            echo "Running ALL E2E tests..."
-            pnpm run test:e2e
-          else
-            echo "Running targeted E2E tests: ${{ env.E2E_TEST_PATHS }}"
-            # Convert glob patterns to playwright test paths
-            # e.g., "ui/tests/providers/**" -> "tests/providers"
-            TEST_PATHS="${{ env.E2E_TEST_PATHS }}"
-            # Remove ui/ prefix and convert ** to empty (playwright handles recursion)
-            TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u | tr '\n' ' ')
-            echo "Resolved test paths: $TEST_PATHS"
-            pnpm exec playwright test $TEST_PATHS
-          fi
-
-      - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: failure()
-        with:
-          name: playwright-report
-          path: ui/playwright-report/
-          retention-days: 30
-
-      - name: Cleanup services
-        if: always()
-        run: |
-          docker compose down -v || true
-
-  # Skip job - provides clear feedback when no E2E tests needed
-  skip-e2e:
-    needs: impact-analysis
-    if: |
-      github.repository == 'prowler-cloud/prowler' && 
-      needs.impact-analysis.outputs.has-ui-e2e != 'true' && 
-      needs.impact-analysis.outputs.run-all != 'true'
-    runs-on: ubuntu-latest
-    steps:
-      - name: No E2E tests needed
-        run: |
-          echo "## E2E Tests Skipped" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "No UI E2E tests needed for this change." >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "To run all tests, modify a file in a critical path (e.g., \`ui/lib/**\`)." >> $GITHUB_STEP_SUMMARY

.github/workflows/ui-e2e-tests.yml

@@ -1,172 +0,0 @@
-name: UI - E2E Tests
-
-on:
-  pull_request:
-    branches:
-      - master
-      - "v5.*"
-    paths:
-      - '.github/workflows/ui-e2e-tests.yml'
-      - 'ui/**'
-
-jobs:
-
-  e2e-tests:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    env:
-      AUTH_SECRET: 'fallback-ci-secret-for-testing'
-      AUTH_TRUST_HOST: true
-      NEXTAUTH_URL: 'http://localhost:3000'
-      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
-      E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
-      E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
-      E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
-      E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
-      E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
-      E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
-      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
-      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
-      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
-      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
-      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
-      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
-      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
-      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
-      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
-        with:
-          cluster_name: kind
-      - name: Modify kubeconfig
-        run: |
-            # Modify the kubeconfig to use the kind cluster server to https://kind-control-plane:6443
-            # from worker service into docker-compose.yml
-            kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-            kubectl config view
-      - name: Add network kind to docker compose
-        run: |
-          # Add the network kind to the docker compose to interconnect to kind cluster
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          # Add network kind to worker service and default network too
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
-      - name: Fix API data directory permissions
-        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-      - name: Add AWS credentials for testing AWS SDK Default Adding Provider
-        run: |
-          echo "Adding AWS credentials for testing AWS SDK Default Adding Provider..."
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
-      - name: Start API services
-        run: |
-          # Override docker-compose image tag to use latest instead of stable
-          # This overrides any PROWLER_API_VERSION set in .env file
-          export PROWLER_API_VERSION=latest
-          echo "Using PROWLER_API_VERSION=${PROWLER_API_VERSION}"
-          docker compose up -d api worker worker-beat
-      - name: Wait for API to be ready
-        run: |
-          echo "Waiting for prowler-api..."
-          timeout=150  # 5 minutes max
-          elapsed=0
-          while [ $elapsed -lt $timeout ]; do
-            if curl -s ${NEXT_PUBLIC_API_BASE_URL}/docs >/dev/null 2>&1; then
-              echo "Prowler API is ready!"
-              exit 0
-            fi
-            echo "Waiting for prowler-api... (${elapsed}s elapsed)"
-            sleep 5
-            elapsed=$((elapsed + 5))
-          done
-          echo "Timeout waiting for prowler-api to start"
-          exit 1
-      - name: Load database fixtures for E2E tests
-        run: |
-          docker compose exec -T api sh -c '
-            echo "Loading all fixtures from api/fixtures/dev/..."
-            for fixture in api/fixtures/dev/*.json; do
-              if [ -f "$fixture" ]; then
-                echo "Loading $fixture"
-                poetry run python manage.py loaddata "$fixture" --database admin
-              fi
-            done
-            echo "All database fixtures loaded successfully!"
-          '
-      - name: Setup Node.js environment
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version: '24.13.0'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-      - name: Get pnpm store directory
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: |
-            ${{ env.STORE_PATH }}
-            ./ui/node_modules
-            ./ui/.next/cache
-          key: ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-${{ hashFiles('ui/**/*.ts', 'ui/**/*.tsx', 'ui/**/*.js', 'ui/**/*.jsx') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-
-            ${{ runner.os }}-pnpm-nextjs-
-      - name: Install UI dependencies
-        working-directory: ./ui
-        run: pnpm install --frozen-lockfile --prefer-offline
-      - name: Build UI application
-        working-directory: ./ui
-        run: pnpm run build
-      - name: Cache Playwright browsers
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        id: playwright-cache
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-      - name: Install Playwright browsers
-        working-directory: ./ui
-        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm run test:e2e:install
-      - name: Run E2E tests
-        working-directory: ./ui
-        run: pnpm run test:e2e
-      - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: failure()
-        with:
-          name: playwright-report
-          path: ui/playwright-report/
-          retention-days: 30
-      - name: Cleanup services
-        if: always()
-        run: |
-          echo "Shutting down services..."
-          docker compose down -v || true
-          echo "Cleanup completed"

.github/workflows/ui-tests.yml

@@ -1,88 +0,0 @@
-name: 'UI: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  UI_WORKING_DIR: ./ui
-  NODE_VERSION: '24.13.0'
-
-jobs:
-  ui-tests:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: ./ui
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for UI changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ui/**
-            .github/workflows/ui-tests.yml
-          files_ignore: |
-            ui/CHANGELOG.md
-            ui/README.md
-            ui/AGENTS.md
-
-      - name: Setup Node.js ${{ env.NODE_VERSION }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Setup pnpm
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Get pnpm store directory
-        if: steps.check-changes.outputs.any_changed == 'true'
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm and Next.js cache
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: |
-            ${{ env.STORE_PATH }}
-            ${{ env.UI_WORKING_DIR }}/node_modules
-            ${{ env.UI_WORKING_DIR }}/.next/cache
-          key: ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-${{ hashFiles('ui/**/*.ts', 'ui/**/*.tsx', 'ui/**/*.js', 'ui/**/*.jsx') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-nextjs-${{ hashFiles('ui/pnpm-lock.yaml') }}-
-            ${{ runner.os }}-pnpm-nextjs-
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm install --frozen-lockfile --prefer-offline
-
-      - name: Run healthcheck
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run healthcheck
-
-      - name: Build application
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run build

.gitignore

@@ -5,15 +5,6 @@
 [._]ss[a-gi-z]
 [._]sw[a-p]
 
-# Python code
-__pycache__
-venv/
-build/
-/dist/
-*.egg-info/
-*/__pycache__/*.pyc
-.idea/
-
 # Session
 Session.vim
 Sessionx.vim
@@ -31,7 +22,7 @@ tags
 *.DS_Store
 
 # Prowler output
-/output
+output/
 
 # Prowler found secrets
 secrets-*/
@@ -39,127 +30,11 @@ secrets-*/
 # JUnit Reports
 junit-reports/
 
-# Test and coverage artifacts
-*_coverage.xml
-pytest_*.xml
-.coverage
-htmlcov/
-
-# VSCode files and settings
+# VSCode files
 .vscode/
-*.code-workspace
-.vscode-test/
 
-# VSCode extension settings and workspaces
-.history/
-.ionide/
+terraform-kickstarter/.terraform.lock.hcl
 
-# MCP Server Settings (various locations)
-**/cline_mcp_settings.json
-**/mcp_settings.json
-**/mcp-config.json
-**/mcpServers.json
-.mcp/
+terraform-kickstarter/.terraform/providers/registry.terraform.io/hashicorp/aws/3.56.0/darwin_amd64/terraform-provider-aws_v3.56.0_x5
 
-# AI Coding Assistants - Cursor
-.cursorignore
-.cursor/
-.cursorrules
-
-# AI Coding Assistants - RooCode
-.roo/
-.rooignore
-.roomodes
-
-# AI Coding Assistants - Cline (formerly Claude Dev)
-.cline/
-.clineignore
-.clinerules
-
-# AI Coding Assistants - Continue
-.continue/
-continue.json
-.continuerc
-.continuerc.json
-
-# AI Coding Assistants - OpenCode
-opencode.json
-
-# AI Coding Assistants - GitHub Copilot
-.copilot/
-.github/copilot/
-
-# AI Coding Assistants - Amazon Q Developer (formerly CodeWhisperer)
-.aws/
-.codewhisperer/
-.amazonq/
-.aws-toolkit/
-
-# AI Coding Assistants - Tabnine
-.tabnine/
-tabnine_config.json
-
-# AI Coding Assistants - Kiro
-.kiro/
-.kiroignore
-kiro.config.json
-
-# AI Coding Assistants - Aider
-.aider/
-.aider.chat.history.md
-.aider.input.history
-.aider.tags.cache.v3/
-
-# AI Coding Assistants - Windsurf
-.windsurf/
-.windsurfignore
-
-# AI Coding Assistants - Replit Agent
-.replit
-.replitignore
-
-# AI Coding Assistants - Supermaven
-.supermaven/
-
-# AI Coding Assistants - Sourcegraph Cody
-.cody/
-
-# AI Coding Assistants - General
-.ai/
-.aiconfig
-ai-config.json
-
-# Terraform
-.terraform*
-*.tfstate
-*.tfstate.*
-
-# .env
-ui/.env*
-api/.env*
-mcp_server/.env*
-
-# Coverage
-.coverage*
-.coverage
-coverage*
-
-# Node
-node_modules
-
-# Persistent data
-_data/
-
-# AI Instructions (generated by skills/setup.sh from AGENTS.md)
-CLAUDE.md
-GEMINI.md
-.github/copilot-instructions.md
-
-# Compliance report
-*.pdf
-
-# AI Skills symlinks (generated by skills/setup.sh)
-.claude/skills
-.codex/skills
-.github/skills
-.gemini/skills
+terraform-kickstarter/terraform.tfstate

.pre-commit-config.yaml

@@ -1,141 +1,29 @@
 repos:
-  ## GENERAL
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v3.3.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
-        args: ["--unsafe"]
-        exclude: prowler/config/llm_config.yaml
+        args: ['--unsafe']
       - id: check-json
       - id: end-of-file-fixer
       - id: trailing-whitespace
+        exclude: 'README.md'
       - id: no-commit-to-branch
       - id: pretty-format-json
-        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+        args: ['--autofix']
 
-  ## TOML
-  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.13.0
-    hooks:
-      - id: pretty-format-toml
-        args: [--autofix]
-        files: pyproject.toml
-
-  ## BASH
   - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.10.0
+    rev: v0.8.0
     hooks:
-      - id: shellcheck
-        exclude: contrib
-
-  ## PYTHON
-  - repo: https://github.com/myint/autoflake
-    rev: v2.3.1
-    hooks:
-      - id: autoflake
-        exclude: ^skills/
-        args:
-          [
-            "--in-place",
-            "--remove-all-unused-imports",
-            "--remove-unused-variable",
-          ]
-
-  - repo: https://github.com/pycqa/isort
-    rev: 5.13.2
-    hooks:
-      - id: isort
-        exclude: ^skills/
-        args: ["--profile", "black"]
-
-  - repo: https://github.com/psf/black
-    rev: 24.4.2
-    hooks:
-      - id: black
-        exclude: ^skills/
-
-  - repo: https://github.com/pycqa/flake8
-    rev: 7.0.0
-    hooks:
-      - id: flake8
-        exclude: (contrib|^skills/)
-        args: ["--ignore=E266,W503,E203,E501,W605"]
-
-  - repo: https://github.com/python-poetry/poetry
-    rev: 2.1.1
-    hooks:
-      - id: poetry-check
-        name: API - poetry-check
-        args: ["--directory=./api"]
-        pass_filenames: false
-
-      - id: poetry-lock
-        name: API - poetry-lock
-        args: ["--directory=./api"]
-        pass_filenames: false
-
-      - id: poetry-check
-        name: SDK - poetry-check
-        args: ["--directory=./"]
-        pass_filenames: false
-
-      - id: poetry-lock
-        name: SDK - poetry-lock
-        args: ["--directory=./"]
-        pass_filenames: false
-
+    -   id: shellcheck
 
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.13.0-beta
+    rev: v2.10.0
     hooks:
       - id: hadolint
-        args: ["--ignore=DL3013"]
-
-  - repo: local
-    hooks:
-      - id: pylint
-        name: pylint
-        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
+        name: Lint Dockerfiles
+        description: Runs hadolint to lint Dockerfiles
         language: system
-        files: '.*\.py'
-
-      - id: trufflehog
-        name: TruffleHog
-        description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
-        # For running trufflehog in docker, use the following entry instead:
-        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
-        language: system
-        stages: ["pre-commit", "pre-push"]
-
-      - id: bandit
-        name: bandit
-        description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
-        language: system
-        files: '.*\.py'
-
-      - id: safety
-        name: safety
-        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
-        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027'
-        language: system
-
-      - id: vulture
-        name: vulture
-        description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
-        language: system
-        files: '.*\.py'
-
-      - id: ui-checks
-        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
-        entry: bash -c 'cd ui && .husky/pre-commit'
-        language: system
-        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
-        pass_filenames: false
-        verbose: true
+        types: ["dockerfile"]
+        entry: hadolint

.readthedocs.yaml

@@ -1,25 +0,0 @@
-# .readthedocs.yaml
-# Read the Docs configuration file
-# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
-
-# Required
-version: 2
-
-build:
-  os: "ubuntu-22.04"
-  tools:
-    python: "3.11"
-  jobs:
-    post_create_environment:
-      # Install poetry
-      # https://python-poetry.org/docs/#installing-manually
-      - python -m pip install poetry
-    post_install:
-      # Install dependencies with 'docs' dependency group
-      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
-      # VIRTUAL_ENV needs to be set manually for now.
-      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
-      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs
-
-mkdocs:
-  configuration: mkdocs.yml

AGENTS.md

@@ -1,150 +0,0 @@
-# Repository Guidelines
-
-## How to Use This Guide
-
-- Start here for cross-project norms. Prowler is a monorepo with several components.
-- Each component has an `AGENTS.md` file with specific guidelines (e.g., `api/AGENTS.md`, `ui/AGENTS.md`).
-- Component docs override this file when guidance conflicts.
-
-## Available Skills
-
-Use these skills for detailed patterns on-demand:
-
-### Generic Skills (Any Project)
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
-| `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
-| `nextjs-15` | App Router, Server Actions, streaming | [SKILL.md](skills/nextjs-15/SKILL.md) |
-| `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
-| `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
-| `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
-| `django-drf` | ViewSets, Serializers, Filters | [SKILL.md](skills/django-drf/SKILL.md) |
-| `jsonapi` | Strict JSON:API v1.1 spec compliance | [SKILL.md](skills/jsonapi/SKILL.md) |
-| `zod-4` | New API (z.email(), z.uuid()) | [SKILL.md](skills/zod-4/SKILL.md) |
-| `zustand-5` | Persist, selectors, slices | [SKILL.md](skills/zustand-5/SKILL.md) |
-| `ai-sdk-5` | UIMessage, streaming, LangChain | [SKILL.md](skills/ai-sdk-5/SKILL.md) |
-
-### Prowler-Specific Skills
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
-| `prowler-api` | Django + RLS + JSON:API patterns | [SKILL.md](skills/prowler-api/SKILL.md) |
-| `prowler-ui` | Next.js + shadcn conventions | [SKILL.md](skills/prowler-ui/SKILL.md) |
-| `prowler-sdk-check` | Create new security checks | [SKILL.md](skills/prowler-sdk-check/SKILL.md) |
-| `prowler-mcp` | MCP server tools and models | [SKILL.md](skills/prowler-mcp/SKILL.md) |
-| `prowler-test-sdk` | SDK testing (pytest + moto) | [SKILL.md](skills/prowler-test-sdk/SKILL.md) |
-| `prowler-test-api` | API testing (pytest-django + RLS) | [SKILL.md](skills/prowler-test-api/SKILL.md) |
-| `prowler-test-ui` | E2E testing (Playwright) | [SKILL.md](skills/prowler-test-ui/SKILL.md) |
-| `prowler-compliance` | Compliance framework structure | [SKILL.md](skills/prowler-compliance/SKILL.md) |
-| `prowler-compliance-review` | Review compliance framework PRs | [SKILL.md](skills/prowler-compliance-review/SKILL.md) |
-| `prowler-provider` | Add new cloud providers | [SKILL.md](skills/prowler-provider/SKILL.md) |
-| `prowler-changelog` | Changelog entries (keepachangelog.com) | [SKILL.md](skills/prowler-changelog/SKILL.md) |
-| `prowler-ci` | CI checks and PR gates (GitHub Actions) | [SKILL.md](skills/prowler-ci/SKILL.md) |
-| `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
-| `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
-| `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
-
-### Auto-invoke Skills
-
-When performing these actions, ALWAYS invoke the corresponding skill FIRST:
-
-| Action | Skill |
-|--------|-------|
-| Add changelog entry for a PR or feature | `prowler-changelog` |
-| Adding DRF pagination or permissions | `django-drf` |
-| Adding new providers | `prowler-provider` |
-| Adding services to existing providers | `prowler-provider` |
-| After creating/modifying a skill | `skill-sync` |
-| App Router / Server Actions | `nextjs-15` |
-| Building AI chat features | `ai-sdk-5` |
-| Committing changes | `prowler-commit` |
-| Create PR that requires changelog entry | `prowler-changelog` |
-| Create a PR with gh pr create | `prowler-pr` |
-| Creating API endpoints | `jsonapi` |
-| Creating ViewSets, serializers, or filters in api/ | `django-drf` |
-| Creating Zod schemas | `zod-4` |
-| Creating a git commit | `prowler-commit` |
-| Creating new checks | `prowler-sdk-check` |
-| Creating new skills | `skill-creator` |
-| Creating/modifying Prowler UI components | `prowler-ui` |
-| Creating/modifying models, views, serializers | `prowler-api` |
-| Creating/updating compliance frameworks | `prowler-compliance` |
-| Debug why a GitHub Actions job is failing | `prowler-ci` |
-| Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist) | `prowler-pr` |
-| General Prowler development questions | `prowler` |
-| Implementing JSON:API endpoints | `django-drf` |
-| Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
-| Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
-| Mapping checks to compliance controls | `prowler-compliance` |
-| Mocking AWS with moto in tests | `prowler-test-sdk` |
-| Modifying API responses | `jsonapi` |
-| Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
-| Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
-| Review changelog format and conventions | `prowler-changelog` |
-| Reviewing JSON:API compliance | `jsonapi` |
-| Reviewing compliance framework PRs | `prowler-compliance-review` |
-| Testing RLS tenant isolation | `prowler-test-api` |
-| Troubleshoot why a skill is missing from AGENTS.md auto-invoke | `skill-sync` |
-| Understand CODEOWNERS/labeler-based automation | `prowler-ci` |
-| Understand PR title conventional-commit validation | `prowler-ci` |
-| Understand changelog gate and no-changelog label behavior | `prowler-ci` |
-| Understand review ownership with CODEOWNERS | `prowler-pr` |
-| Update CHANGELOG.md in any component | `prowler-changelog` |
-| Updating existing checks and metadata | `prowler-sdk-check` |
-| Using Zustand stores | `zustand-5` |
-| Working on MCP server tools | `prowler-mcp` |
-| Working on Prowler UI structure (actions/adapters/types/hooks) | `prowler-ui` |
-| Working with Prowler UI test helpers/pages | `prowler-test-ui` |
-| Working with Tailwind classes | `tailwind-4` |
-| Writing Playwright E2E tests | `playwright` |
-| Writing Prowler API tests | `prowler-test-api` |
-| Writing Prowler SDK tests | `prowler-test-sdk` |
-| Writing Prowler UI E2E tests | `prowler-test-ui` |
-| Writing Python tests with pytest | `pytest` |
-| Writing React components | `react-19` |
-| Writing TypeScript types/interfaces | `typescript` |
-| Writing documentation | `prowler-docs` |
-
----
-
-## Project Overview
-
-Prowler is an open-source cloud security assessment tool supporting AWS, Azure, GCP, Kubernetes, GitHub, M365, and more.
-
-| Component | Location | Tech Stack |
-|-----------|----------|------------|
-| SDK | `prowler/` | Python 3.9+, Poetry |
-| API | `api/` | Django 5.1, DRF, Celery |
-| UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
-| MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
-| Dashboard | `dashboard/` | Dash, Plotly |
-
----
-
-## Python Development
-
-```bash
-# Setup
-poetry install --with dev
-poetry run pre-commit install
-
-# Code quality
-poetry run make lint
-poetry run make format
-poetry run pre-commit run --all-files
-```
-
----
-
-## Commit & Pull Request Guidelines
-
-Follow conventional-commit style: `<type>[scope]: <description>`
-
-**Types:** `feat`, `fix`, `docs`, `chore`, `perf`, `refactor`, `style`, `test`
-
-Before creating a PR:
-1. Complete checklist in `.github/pull_request_template.md`
-2. Run all relevant tests and linters
-3. Link screenshots for UI changes

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
+reported by contacting the project team at community@prowler.cloud. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -1,13 +0,0 @@
-# Do you want to learn on how to...
-
-- Contribute with your code or fixes to Prowler
-- Create a new check for a provider
-- Create a new security compliance framework
-- Add a custom output format
-- Add a new integration
-- Contribute with documentation
-
-Want some swag as appreciation for your contribution?
-
-# Prowler Developer Guide
-https://goto.prowler.com/devguide

Dockerfile

@@ -1,84 +1,64 @@
-FROM python:3.12.11-slim-bookworm AS build
+# Build command
+# docker build --platform=linux/amd64  --no-cache -t prowler:latest -f util/Dockerfile .
+
+# hadolint ignore=DL3007
+FROM public.ecr.aws/amazonlinux/amazonlinux:latest
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
-LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 
-ARG POWERSHELL_VERSION=7.5.0
-ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
+ARG USERNAME=prowler
+ARG USERID=34000
 
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}
+# Prepare image as root
+USER 0
+# System dependencies
+# hadolint ignore=DL3006,DL3013,DL3033
+RUN yum upgrade -y  && \
+  yum install -y python3 bash curl jq coreutils py3-pip which unzip shadow-utils && \
+  yum clean all && \
+  rm -rf /var/cache/yum
 
-# hadolint ignore=DL3008
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
-    build-essential pkg-config libzstd-dev zlib1g-dev \
-    && rm -rf /var/lib/apt/lists/*
+RUN amazon-linux-extras install -y epel postgresql14 && \
+    yum clean all && \
+    rm -rf /var/cache/yum
 
-# Install PowerShell
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        wget --progress=dot:giga https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-x64.tar.gz -O /tmp/powershell.tar.gz ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        wget --progress=dot:giga https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz -O /tmp/powershell.tar.gz ; \
-    else \
-        echo "Unsupported architecture: $ARCH" && exit 1 ; \
-    fi && \
-    mkdir -p /opt/microsoft/powershell/7 && \
-    tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 && \
-    chmod +x /opt/microsoft/powershell/7/pwsh && \
-    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
-    rm /tmp/powershell.tar.gz
+# Create non-root user
+RUN  useradd -l -s /bin/bash -U -u ${USERID} ${USERNAME}
 
-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
+USER ${USERNAME}
 
-# Add prowler user
-RUN addgroup --gid 1000 prowler && \
-    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
+# Python dependencies
+# hadolint ignore=DL3006,DL3013,DL3042
+RUN pip3 install --upgrade pip && \
+  pip3 install --no-cache-dir boto3 detect-secrets==1.0.3 && \
+  pip3 cache purge
+# Set Python PATH
+ENV PATH="/home/${USERNAME}/.local/bin:${PATH}"
 
-USER prowler
+USER 0
 
-WORKDIR /home/prowler
+# Install AWS CLI
+RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && \
+  unzip -q awscliv2.zip && \
+  aws/install && \
+  rm -rf aws awscliv2.zip
 
-# Copy necessary files
-COPY prowler/  /home/prowler/prowler/
-COPY dashboard/ /home/prowler/dashboard/
-COPY pyproject.toml /home/prowler
-COPY README.md /home/prowler/
-COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py
+# Keep Python2 for yum
+RUN sed -i '1 s/python/python2.7/' /usr/bin/yum
 
-# Install Python dependencies
-ENV HOME='/home/prowler'
-ENV PATH="${HOME}/.local/bin:${PATH}"
-#hadolint ignore=DL3013
-RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry
+# Set Python3
+RUN rm /usr/bin/python && \
+    ln -s /usr/bin/python3 /usr/bin/python
 
-RUN poetry install --compile && \
-    rm -rf ~/.cache/pip
+# Set working directory
+WORKDIR /prowler
 
-# Install PowerShell modules
-RUN poetry run python prowler/providers/m365/lib/powershell/m365_powershell.py
+# Copy all files
+COPY . ./
 
-# Remove deprecated dash dependencies
-RUN pip uninstall dash-html-components -y && \
-    pip uninstall dash-core-components -y
+# Set files ownership
+RUN chown -R prowler .
 
-USER prowler
-ENTRYPOINT ["poetry", "run", "prowler"]
+USER ${USERNAME}
+
+ENTRYPOINT ["./prowler"]

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright @ 2024 Toni de la Fuente
+Copyright 2018 Netflix, Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

LIST_OF_CHECKS_AND_GROUPS.md

@@ -0,0 +1,5 @@
+```
+./prowler -l # to see all available checks and their groups.
+./prowler -L # to see all available groups only.
+./prowler -l -g groupname # to see checks in a particular group
+```

Makefile

@@ -1,59 +0,0 @@
-.DEFAULT_GOAL:=help
-
-##@ Testing
-test:   ## Test with pytest
-	rm -rf .coverage && \
-	pytest -n auto -vvv -s --cov=./prowler --cov-report=xml tests
-
-coverage: ## Show Test Coverage
-	coverage run --skip-covered -m pytest -v && \
-	coverage report -m && \
-	rm -rf .coverage && \
-	coverage report -m
-
-coverage-html: ## Show Test Coverage
-	rm -rf ./htmlcov && \
-	coverage html && \
-	open htmlcov/index.html
-
-##@ Linting
-format: ## Format Code
-	@echo "Running black..."
-	black .
-
-lint: ## Lint Code
-	@echo "Running flake8..."
-	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
-	@echo "Running black... "
-	black --check .
-	@echo "Running pylint..."
-	pylint --disable=W,C,R,E -j 0 prowler util
-
-##@ PyPI
-pypi-clean: ## Delete the distribution files
-	rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
-
-pypi-build: ## Build package
-	$(MAKE) pypi-clean && \
-	poetry build
-
-pypi-upload: ## Upload package
-	python3 -m twine upload --repository pypi dist/*
-
-
-##@ Help
-help:     ## Show this help.
-	@echo "Prowler Makefile"
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
-
-##@ Build no cache
-build-no-cache-dev:
-	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat mcp-server
-
-##@ Development Environment
-run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP, and workers
-	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat mcp-server
-
-##@ Development Environment
-build-and-run-api-dev: build-no-cache-dev run-api-dev
-

Pipfile

@@ -0,0 +1,13 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+boto3 = ">=1.9.188"
+detect-secrets = "==1.0.3"
+
+[requires]
+python_version = "3.7"

SECURITY.md

@@ -1,65 +0,0 @@
-# Security
-
-## Reporting Vulnerabilities
-
-At Prowler, we consider the security of our open source software and systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
-
-If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users, our clients and our systems.
-
-When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
-
-- Social engineering support or attacks requiring social engineering.
-- Clickjacking on pages with no sensitive actions.
-- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
-- Attacks requiring Man-In-The-Middle (MITM) or physical access to a user's device.
-- Previously known vulnerable libraries without a working Proof of Concept (PoC).
-- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
-- Missing best practices in SSL/TLS configuration.
-- Any activity that could lead to the disruption of service (DoS).
-- Rate limiting or brute force issues on non-authentication endpoints.
-- Missing best practices in Content Security Policy (CSP).
-- Missing HttpOnly or Secure flags on cookies.
-- Configuration of or missing security headers.
-- Missing email best practices, such as invalid, incomplete, or missing SPF/DKIM/DMARC records.
-- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind).
-- Software version disclosure, banner identification issues, or descriptive error messages.
-- Tabnabbing.
-- Issues that require unlikely user interaction.
-- Improper logout functionality and improper session timeout.
-- CORS misconfiguration without an exploitation scenario.
-- Broken link hijacking.
-- Automated scanning results (e.g., sqlmap, Burp active scanner) that have not been manually verified.
-- Content spoofing and text injection issues without a clear attack vector.
-- Email spoofing without exploiting security flaws.
-- Dead links or broken links.
-- User enumeration.
-
-Testing guidelines:
-- Do not run automated scanners on other customer projects. Running automated scanners can run up costs for our users. Aggressively configured scanners might inadvertently disrupt services, exploit vulnerabilities, lead to system instability or breaches and violate Terms of Service from our upstream providers. Our own security systems won't be able to distinguish hostile reconnaissance from whitehat research. If you wish to run an automated scanner, notify us at support@prowler.com and only run it on your own Prowler app project. Do NOT attack Prowler in usage of other customers.
-- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
-
-Reporting guidelines:
-- File a report through our Support Desk at https://support.prowler.com
-- If it is about a lack of a security functionality, please file a feature request instead at https://github.com/prowler-cloud/prowler/issues
-- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
-- If you have further questions and want direct interaction with the Prowler team, please contact us at via our Community Slack at goto.prowler.com/slack.
-
-Disclosure guidelines:
-- In order to protect our users and customers, do not reveal the problem to others until we have researched, addressed and informed our affected customers.
-- If you want to publicly share your research about Prowler at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 30 days prior to the publication date. Please note that the following should not be included:
-    - Data regarding any Prowler user or customer projects.
-    - Prowler customers' data.
-    - Information about Prowler employees, contractors or partners.
-
-What we promise:
-- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
-- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
-- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
-- We will keep you informed of the progress towards resolving the problem.
-- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
-
-We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
-
----
-
-For more information about our security policies, please refer to our [Security](https://docs.prowler.com/security) section in our documentation.

allowlist_example.txt

@@ -0,0 +1,29 @@
+# Each line is a (checkid:item) tuple
+
+# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
+check26:myignoredbucket
+
+# Note that by default, this searches for the string appearing *anywhere* in the resource name.
+# For example:
+#   extra718:ci-logs  # Will block bucket "ci-logs" AND ALSO bucket "ci-logs-replica"
+#   extra718:logs     # Will block EVERY BUCKET containing the string "logs"
+
+# line starting with # are ignored as comments
+# add a line per resource as here:
+#<checkid1>:<resource to ignore 1>
+#<checkid1>:<resource to ignore 2>
+# checkid2
+#<checkid2>:<resource to ignore 1>
+
+# REGEXES
+# This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
+# therefore:
+# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
+
+# EXAMPLE: CONTROL TOWER
+# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
+# below ensures that warnings instead of errors are reported for the affected resources.
+#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+

api/.env.example

@@ -1,60 +0,0 @@
-# Django settings
-DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
-DJANGO_BIND_ADDRESS=0.0.0.0
-DJANGO_PORT=8000
-DJANGO_DEBUG=False
-# Select one of [production|devel]
-DJANGO_SETTINGS_MODULE=config.django.[production|devel]
-# Select one of [ndjson|human_readable]
-DJANGO_LOGGING_FORMATTER=[ndjson|human_readable]
-# Select one of [DEBUG|INFO|WARNING|ERROR|CRITICAL]
-# Applies to both Django and Celery Workers
-DJANGO_LOGGING_LEVEL=INFO
-DJANGO_WORKERS=4 # Defaults to the maximum available based on CPU cores if not set.
-DJANGO_TOKEN_SIGNING_KEY=""
-DJANGO_TOKEN_VERIFYING_KEY=""
-# Token lifetime is in minutes
-DJANGO_ACCESS_TOKEN_LIFETIME=30
-DJANGO_REFRESH_TOKEN_LIFETIME=1440
-DJANGO_CACHE_MAX_AGE=3600
-DJANGO_STALE_WHILE_REVALIDATE=60
-DJANGO_SECRETS_ENCRYPTION_KEY=""
-# Throttle, two options: Empty means no throttle; or if desired use one in DRF format: https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
-DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
-# Decide whether to allow Django manage database table partitions
-DJANGO_MANAGE_DB_PARTITIONS=[True|False]
-DJANGO_CELERY_DEADLOCK_ATTEMPTS=5
-DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
-DJANGO_SENTRY_DSN=
-
-# PostgreSQL settings
-# If running django and celery on host, use 'localhost', else use 'postgres-db'
-POSTGRES_HOST=[localhost|postgres-db]
-POSTGRES_PORT=5432
-POSTGRES_ADMIN_USER=prowler
-POSTGRES_ADMIN_PASSWORD=S3cret
-POSTGRES_USER=prowler_user
-POSTGRES_PASSWORD=S3cret
-POSTGRES_DB=prowler_db
-
-# Valkey settings
-# If running django and celery on host, use localhost, else use 'valkey'
-VALKEY_HOST=[localhost|valkey]
-VALKEY_PORT=6379
-VALKEY_DB=0
-
-# Sentry settings
-SENTRY_ENVIRONMENT=local
-SENTRY_RELEASE=local
-
-# Social login credentials
-DJANGO_GOOGLE_OAUTH_CLIENT_ID=""
-DJANGO_GOOGLE_OAUTH_CLIENT_SECRET=""
-DJANGO_GOOGLE_OAUTH_CALLBACK_URL=""
-
-DJANGO_GITHUB_OAUTH_CLIENT_ID=""
-DJANGO_GITHUB_OAUTH_CLIENT_SECRET=""
-DJANGO_GITHUB_OAUTH_CALLBACK_URL=""
-
-# Deletion Task Batch Size
-DJANGO_DELETION_BATCH_SIZE=5000

api/AGENTS.md

@@ -1,163 +0,0 @@
-# Prowler API - AI Agent Ruleset
-
-> **Skills Reference**: For detailed patterns, use these skills:
-> - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
-> - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
-> - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
-> - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
-> - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
-
-### Auto-invoke Skills
-
-When performing these actions, ALWAYS invoke the corresponding skill FIRST:
-
-| Action | Skill |
-|--------|-------|
-| Add changelog entry for a PR or feature | `prowler-changelog` |
-| Adding DRF pagination or permissions | `django-drf` |
-| Committing changes | `prowler-commit` |
-| Create PR that requires changelog entry | `prowler-changelog` |
-| Creating API endpoints | `jsonapi` |
-| Creating ViewSets, serializers, or filters in api/ | `django-drf` |
-| Creating a git commit | `prowler-commit` |
-| Creating/modifying models, views, serializers | `prowler-api` |
-| Implementing JSON:API endpoints | `django-drf` |
-| Modifying API responses | `jsonapi` |
-| Review changelog format and conventions | `prowler-changelog` |
-| Reviewing JSON:API compliance | `jsonapi` |
-| Testing RLS tenant isolation | `prowler-test-api` |
-| Update CHANGELOG.md in any component | `prowler-changelog` |
-| Writing Prowler API tests | `prowler-test-api` |
-| Writing Python tests with pytest | `pytest` |
-
----
-
-## CRITICAL RULES - NON-NEGOTIABLE
-
-### Models
-- ALWAYS: UUIDv4 PKs, `inserted_at`/`updated_at` timestamps, `JSONAPIMeta` class
-- ALWAYS: Inherit from `RowLevelSecurityProtectedModel` for tenant-scoped data
-- NEVER: Auto-increment integer PKs, models without tenant isolation
-
-### Serializers
-- ALWAYS: Separate serializers for Create/Update operations
-- ALWAYS: Inherit from `RLSSerializer` for tenant-scoped models
-- NEVER: Write logic in serializers (use services/utils)
-
-### Views
-- ALWAYS: Inherit from `BaseRLSViewSet` for tenant-scoped resources
-- ALWAYS: Define `filterset_class`, use `@extend_schema` for OpenAPI
-- NEVER: Raw SQL queries, business logic in views
-
-### Row-Level Security (RLS)
-- ALWAYS: Use `rls_transaction(tenant_id)` context manager
-- NEVER: Query across tenants, trust client-provided tenant_id
-
-### Celery Tasks
-- ALWAYS: `@shared_task` with `name`, `queue`, `RLSTask` base class
-- NEVER: Long-running ops in views, request context in tasks
-
----
-
-## DECISION TREES
-
-### Serializer Selection
-```
-Read → <Model>Serializer
-Create → <Model>CreateSerializer
-Update → <Model>UpdateSerializer
-Nested read → <Model>IncludeSerializer
-```
-
-### Task vs View
-```
-< 100ms → View
-> 100ms or external API → Celery task
-Needs retry → Celery task
-```
-
----
-
-## TECH STACK
-
-Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | PostgreSQL 16 | pytest 8.x
-
----
-
-## PROJECT STRUCTURE
-
-```
-api/src/backend/
-├── api/                    # Main Django app
-│   ├── v1/                # API version 1 (views, serializers, urls)
-│   ├── models.py          # Django models
-│   ├── filters.py         # FilterSet classes
-│   ├── base_views.py      # Base ViewSet classes
-│   ├── rls.py             # Row-Level Security
-│   └── tests/             # Unit tests
-├── config/                # Django configuration
-└── tasks/                 # Celery tasks
-```
-
----
-
-## COMMANDS
-
-```bash
-# Development
-poetry run python src/backend/manage.py runserver
-poetry run celery -A config.celery worker -l INFO
-
-# Database
-poetry run python src/backend/manage.py makemigrations
-poetry run python src/backend/manage.py migrate
-
-# Testing & Linting
-poetry run pytest -x --tb=short
-poetry run make lint
-```
-
----
-
-## QA CHECKLIST
-
-- [ ] `poetry run pytest` passes
-- [ ] `poetry run make lint` passes
-- [ ] Migrations created if models changed
-- [ ] New endpoints have `@extend_schema` decorators
-- [ ] RLS properly applied for tenant data
-- [ ] Tests cover success and error cases
-
----
-
-## NAMING CONVENTIONS
-
-| Entity | Pattern | Example |
-|--------|---------|---------|
-| Serializer (read) | `<Model>Serializer` | `ProviderSerializer` |
-| Serializer (create) | `<Model>CreateSerializer` | `ProviderCreateSerializer` |
-| Serializer (update) | `<Model>UpdateSerializer` | `ProviderUpdateSerializer` |
-| Filter | `<Model>Filter` | `ProviderFilter` |
-| ViewSet | `<Model>ViewSet` | `ProviderViewSet` |
-| Task | `<action>_<entity>_task` | `sync_provider_resources_task` |
-
----
-
-## API CONVENTIONS (JSON:API)
-
-```json
-{
-  "data": {
-    "type": "providers",
-    "id": "uuid",
-    "attributes": { "name": "value" },
-    "relationships": { "tenant": { "data": { "type": "tenants", "id": "uuid" } } }
-  }
-}
-```
-
-- Content-Type: `application/vnd.api+json`
-- Pagination: `?page[number]=1&page[size]=20`
-- Filtering: `?filter[field]=value`, `?filter[field__in]=val1,val2`
-- Sorting: `?sort=field`, `?sort=-field`
-- Including: `?include=provider,findings`

api/CHANGELOG.md

@@ -1,510 +0,0 @@
-# Prowler API Changelog
-
-All notable changes to the **Prowler API** are documented in this file.
-
-## [1.19.0] (Prowler UNRELEASED)
-
-### 🚀 Added
-
-- Cloudflare provider support [(#9907)](https://github.com/prowler-cloud/prowler/pull/9907)
-- Attack Paths: Bedrock Code Interpreter and AttachRolePolicy privilege escalation queries [(#9885)](https://github.com/prowler-cloud/prowler/pull/9885)
-- `provider_id` and `provider_id__in` filters for resources endpoints (`GET /resources` and `GET /resources/metadata/latest`) [(#9864)](https://github.com/prowler-cloud/prowler/pull/9864)
-- Added memory optimizations for large compliance report generation [(#9444)](https://github.com/prowler-cloud/prowler/pull/9444)
-- `GET /api/v1/resources/{id}/events` endpoint to retrieve AWS resource modification history from CloudTrail [(#9101)](https://github.com/prowler-cloud/prowler/pull/9101)
-- Partial index on findings to speed up new failed findings queries [(#9904)](https://github.com/prowler-cloud/prowler/pull/9904)
-
-### 🔄 Changed
-
-- Lazy-load providers and compliance data to reduce API/worker startup memory and time [(#9857)](https://github.com/prowler-cloud/prowler/pull/9857)
-- Remove unused indexes [(#9904)](https://github.com/prowler-cloud/prowler/pull/9904)
-
----
-
-## [1.18.2] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
-- Attack Paths: `aws-security-groups-open-internet-facing` query returning no results due to incorrect relationship matching [(#9892)](https://github.com/prowler-cloud/prowler/pull/9892)
-
----
-
-## [1.18.1] (Prowler v5.17.1)
-
-### 🐞 Fixed
-
-- Improve API startup process by `manage.py` argument detection [(#9856)](https://github.com/prowler-cloud/prowler/pull/9856)
-- Deleting providers don't try to delete a `None` Neo4j database when an Attack Paths scan is scheduled [(#9858)](https://github.com/prowler-cloud/prowler/pull/9858)
-- Use replica database for reading Findings to add them to the Attack Paths graph [(#9861)](https://github.com/prowler-cloud/prowler/pull/9861)
-- Attack paths findings loading query to use streaming generator for O(batch_size) memory instead of O(total_findings) [(#9862)](https://github.com/prowler-cloud/prowler/pull/9862)
-- Lazy load Neo4j driver [(#9868)](https://github.com/prowler-cloud/prowler/pull/9868)
-- Use `Findings.all_objects` to avoid the `ActiveProviderPartitionedManager` [(#9869)](https://github.com/prowler-cloud/prowler/pull/9869)
-- Lazy load Neo4j driver for workers only [(#9872)](https://github.com/prowler-cloud/prowler/pull/9872)
-- Improve Cypher query for inserting Findings into Attack Paths scan graphs [(#9874)](https://github.com/prowler-cloud/prowler/pull/9874)
-- Clear Neo4j database cache after Attack Paths scan and each API query [(#9877)](https://github.com/prowler-cloud/prowler/pull/9877)
-- Deduplicated scheduled scans for long-running providers [(#9829)](https://github.com/prowler-cloud/prowler/pull/9829)
-
----
-
-## [1.18.0] (Prowler v5.17.0)
-
-### 🚀 Added
-
-- `/api/v1/overviews/compliance-watchlist` endpoint to retrieve the compliance watchlist [(#9596)](https://github.com/prowler-cloud/prowler/pull/9596)
-- AlibabaCloud provider support [(#9485)](https://github.com/prowler-cloud/prowler/pull/9485)
-- `/api/v1/overviews/resource-groups` endpoint to retrieve an overview of resource groups based on finding severities [(#9694)](https://github.com/prowler-cloud/prowler/pull/9694)
-- `group` filter for `GET /findings` and `GET /findings/metadata/latest` endpoints [(#9694)](https://github.com/prowler-cloud/prowler/pull/9694)
-- `provider_id` and `provider_id__in` filter aliases for findings endpoints to enable consistent frontend parameter naming [(#9701)](https://github.com/prowler-cloud/prowler/pull/9701)
-- Attack Paths: `/api/v1/attack-paths-scans` for AWS providers backed by Neo4j [(#9805)](https://github.com/prowler-cloud/prowler/pull/9805)
-
-### 🔐 Security
-
-- Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
-- `safety` to `3.7.0` and `filelock` to `3.20.3` due to [Safety vulnerability 82754 (CVE-2025-68146)](https://data.safetycli.com/v/82754/97c/) [(#9816)](https://github.com/prowler-cloud/prowler/pull/9816)
-- `pyasn1` to v0.6.2 to address [CVE-2026-23490](https://nvd.nist.gov/vuln/detail/CVE-2026-23490) [(#9818)](https://github.com/prowler-cloud/prowler/pull/9818)
-- `django-allauth[saml]` to v65.13.0 to address [CVE-2025-65431](https://nvd.nist.gov/vuln/detail/CVE-2025-65431) [(#9575)](https://github.com/prowler-cloud/prowler/pull/9575)
-
----
-
-## [1.17.1] (Prowler v5.16.1)
-
-### 🔄 Changed
-
-- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)
-
-### 🐞 Fixed
-
-- Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
-
----
-
-## [1.17.0] (Prowler v5.16.0)
-
-### 🚀 Added
-
-- New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- Account id, alias and provider name to PDF reporting table [(#9574)](https://github.com/prowler-cloud/prowler/pull/9574)
-
-### 🔄 Changed
-
-- Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- OpenAI provider to only load chat-compatible models with tool calling support [(#9523)](https://github.com/prowler-cloud/prowler/pull/9523)
-- Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)
-
-### 🐞 Fixed
-
-- Made `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
-- Reduced unnecessary UPDATE resources operations by only saving when tag mappings change, lowering write load during scans [(#9569)](https://github.com/prowler-cloud/prowler/pull/9569)
-
----
-
-## [1.16.1] (Prowler v5.15.1)
-
-### 🐞 Fixed
-
-- Race condition in scheduled scan creation by adding countdown to task [(#9516)](https://github.com/prowler-cloud/prowler/pull/9516)
-
-## [1.16.0] (Prowler v5.15.0)
-
-### 🚀 Added
-
-- New endpoint to retrieve an overview of the attack surfaces [(#9309)](https://github.com/prowler-cloud/prowler/pull/9309)
-- New endpoint `GET /api/v1/overviews/findings_severity/timeseries` to retrieve daily aggregated findings by severity level [(#9363)](https://github.com/prowler-cloud/prowler/pull/9363)
-- Lighthouse AI support for Amazon Bedrock API key [(#9343)](https://github.com/prowler-cloud/prowler/pull/9343)
-- Exception handler for provider deletions during scans [(#9414)](https://github.com/prowler-cloud/prowler/pull/9414)
-- Support to use admin credentials through the read replica database [(#9440)](https://github.com/prowler-cloud/prowler/pull/9440)
-
-### 🔄 Changed
-
-- Error messages from Lighthouse celery tasks [(#9165)](https://github.com/prowler-cloud/prowler/pull/9165)
-- Restore the compliance overview endpoint's mandatory filters [(#9338)](https://github.com/prowler-cloud/prowler/pull/9338)
-
----
-
-## [1.15.2] (Prowler v5.14.2)
-
-### 🐞 Fixed
-
-- Unique constraint violation during compliance overviews task [(#9436)](https://github.com/prowler-cloud/prowler/pull/9436)
-- Division by zero error in ENS PDF report when all requirements are manual [(#9443)](https://github.com/prowler-cloud/prowler/pull/9443)
-
----
-
-## [1.15.1] (Prowler v5.14.1)
-
-### 🐞 Fixed
-
-- Fix typo in PDF reporting [(#9345)](https://github.com/prowler-cloud/prowler/pull/9345)
-- Fix IaC provider initialization failure when mutelist processor is configured [(#9331)](https://github.com/prowler-cloud/prowler/pull/9331)
-- Match logic for ThreatScore when counting findings [(#9348)](https://github.com/prowler-cloud/prowler/pull/9348)
-
----
-
-## [1.15.0] (Prowler v5.14.0)
-
-### 🚀 Added
-
-- IaC (Infrastructure as Code) provider support for remote repositories [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
-- Extend `GET /api/v1/providers` with provider-type filters and optional pagination disable to support the new Overview filters [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
-- New endpoint to retrieve the number of providers grouped by provider type [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
-- Support for configuring multiple LLM providers [(#8772)](https://github.com/prowler-cloud/prowler/pull/8772)
-- Support C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
-- Support for Oracle Cloud Infrastructure (OCI) provider [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
-- Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
-- Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
-- Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
-- Support PDF reporting for ENS compliance framework [(#9158)](https://github.com/prowler-cloud/prowler/pull/9158)
-- Support PDF reporting for NIS2 compliance framework [(#9170)](https://github.com/prowler-cloud/prowler/pull/9170)
-- Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
-- Added `metadata`, `details`, and `partition` attributes to `/resources` endpoint & `details`, and `partition` to `/findings` endpoint [(#9098)](https://github.com/prowler-cloud/prowler/pull/9098)
-- Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
-- Support Prowler ThreatScore for the K8S provider [(#9235)](https://github.com/prowler-cloud/prowler/pull/9235)
-- Enhanced compliance overview endpoint with provider filtering and latest scan aggregation [(#9244)](https://github.com/prowler-cloud/prowler/pull/9244)
-- New endpoint `GET /api/v1/overview/regions` to retrieve aggregated findings data by region [(#9273)](https://github.com/prowler-cloud/prowler/pull/9273)
-
-### 🔄 Changed
-
-- Optimized database write queries for scan related tasks [(#9190)](https://github.com/prowler-cloud/prowler/pull/9190)
-- Date filters are now optional for `GET /api/v1/overviews/services` endpoint; returns latest scan data by default [(#9248)](https://github.com/prowler-cloud/prowler/pull/9248)
-
-### 🐞 Fixed
-
-- Scans no longer fail when findings have UIDs exceeding 300 characters; such findings are now skipped with detailed logging [(#9246)](https://github.com/prowler-cloud/prowler/pull/9246)
-- Updated unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers [(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
-- Removed compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
-- Refresh output report timestamps for each scan [(#9272)](https://github.com/prowler-cloud/prowler/pull/9272)
-- Severity overview endpoint now ignores muted findings as expected [(#9283)](https://github.com/prowler-cloud/prowler/pull/9283)
-- Fixed discrepancy between ThreatScore PDF report values and database calculations [(#9296)](https://github.com/prowler-cloud/prowler/pull/9296)
-
-### 🔐 Security
-
-- Django updated to the latest 5.1 security release, 5.1.14, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/113) and [denial-of-service vulnerability](https://github.com/prowler-cloud/prowler/security/dependabot/114) [(#9176)](https://github.com/prowler-cloud/prowler/pull/9176)
-
----
-
-## [1.14.1] (Prowler v5.13.1)
-
-### 🐞 Fixed
-
-- `/api/v1/overviews/providers` collapses data by provider type so the UI receives a single aggregated record per cloud family even when multiple accounts exist [(#9053)](https://github.com/prowler-cloud/prowler/pull/9053)
-- Added retry logic to database transactions to handle Aurora read replica connection failures during scale-down events [(#9064)](https://github.com/prowler-cloud/prowler/pull/9064)
-- Security Hub integrations stop failing when they read relationships via the replica by allowing replica relations and saving updates through the primary [(#9080)](https://github.com/prowler-cloud/prowler/pull/9080)
-
----
-
-## [1.14.0] (Prowler v5.13.0)
-
-### 🚀 Added
-
-- Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)
-- `compliance_name` for each compliance [(#7920)](https://github.com/prowler-cloud/prowler/pull/7920)
-- Support C5 compliance framework for the AWS provider [(#8830)](https://github.com/prowler-cloud/prowler/pull/8830)
-- Support for M365 Certificate authentication [(#8538)](https://github.com/prowler-cloud/prowler/pull/8538)
-- API Key support [(#8805)](https://github.com/prowler-cloud/prowler/pull/8805)
-- SAML role mapping protection for single-admin tenants to prevent accidental lockout [(#8882)](https://github.com/prowler-cloud/prowler/pull/8882)
-- Support for `passed_findings` and `total_findings` fields in compliance requirement overview for accurate Prowler ThreatScore calculation [(#8582)](https://github.com/prowler-cloud/prowler/pull/8582)
-- PDF reporting for Prowler ThreatScore [(#8867)](https://github.com/prowler-cloud/prowler/pull/8867)
-- Database read replica support [(#8869)](https://github.com/prowler-cloud/prowler/pull/8869)
-- Support Common Cloud Controls for AWS, Azure and GCP [(#8000)](https://github.com/prowler-cloud/prowler/pull/8000)
-- Add `provider_id__in` filter support to findings and findings severity overview endpoints [(#8951)](https://github.com/prowler-cloud/prowler/pull/8951)
-
-### 🔄 Changed
-
-- Now the MANAGE_ACCOUNT permission is required to modify or read user permissions instead of MANAGE_USERS [(#8281)](https://github.com/prowler-cloud/prowler/pull/8281)
-- Now at least one user with MANAGE_ACCOUNT permission is required in the tenant [(#8729)](https://github.com/prowler-cloud/prowler/pull/8729)
-
-### 🔐 Security
-
-- Django updated to the latest 5.1 security release, 5.1.13, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/104) and [directory traversals](https://github.com/prowler-cloud/prowler/security/dependabot/103) [(#8842)](https://github.com/prowler-cloud/prowler/pull/8842)
-
----
-
-## [1.13.2] (Prowler v5.12.3)
-
-### 🐞 Fixed
-
-- 500 error when deleting user [(#8731)](https://github.com/prowler-cloud/prowler/pull/8731)
-
----
-
-## [1.13.1] (Prowler v5.12.2)
-
-### 🔄 Changed
-
-- Renamed compliance overview task queue to `compliance` [(#8755)](https://github.com/prowler-cloud/prowler/pull/8755)
-
-### 🔐 Security
-
-- Django updated to the latest 5.1 security release, 5.1.12, due to [problems](https://www.djangoproject.com/weblog/2025/sep/03/security-releases/) with potential SQL injection in FilteredRelation column aliases [(#8693)](https://github.com/prowler-cloud/prowler/pull/8693)
-
----
-
-## [1.13.0] (Prowler v5.12.0)
-
-### 🚀 Added
-
-- Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
-- `GET /overviews/findings_severity` now supports `filter[status]` and `filter[status__in]` to aggregate by specific statuses (`FAIL`, `PASS`)[(#8186)](https://github.com/prowler-cloud/prowler/pull/8186)
-- Throttling options for `/api/v1/tokens` using the `DJANGO_THROTTLE_TOKEN_OBTAIN` environment variable [(#8647)](https://github.com/prowler-cloud/prowler/pull/8647)
-
----
-
-## [1.12.0] (Prowler v5.11.0)
-
-### 🚀 Added
-
-- Lighthouse support for OpenAI GPT-5 [(#8527)](https://github.com/prowler-cloud/prowler/pull/8527)
-- Integration with Amazon Security Hub, enabling sending findings to Security Hub [(#8365)](https://github.com/prowler-cloud/prowler/pull/8365)
-- Generate ASFF output for AWS providers with SecurityHub integration enabled [(#8569)](https://github.com/prowler-cloud/prowler/pull/8569)
-
-### 🐞 Fixed
-
-- GitHub provider always scans user instead of organization when using provider UID [(#8587)](https://github.com/prowler-cloud/prowler/pull/8587)
-
----
-
-## [1.11.0] (Prowler v5.10.0)
-
-### 🚀 Added
-
-- Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)
-- Integration with Amazon S3, enabling storage and retrieval of scan data via S3 buckets [(#8056)](https://github.com/prowler-cloud/prowler/pull/8056)
-
-### 🐞 Fixed
-
-- Avoid sending errors to Sentry in M365 provider when user authentication fails [(#8420)](https://github.com/prowler-cloud/prowler/pull/8420)
-
----
-
-## [1.10.2] (Prowler v5.9.2)
-
-### 🔄 Changed
-
-- Optimized queries for resources views [(#8336)](https://github.com/prowler-cloud/prowler/pull/8336)
-
----
-
-## [v1.10.1] (Prowler v5.9.1)
-
-### 🐞 Fixed
-
-- Calculate failed findings during scans to prevent heavy database queries [(#8322)](https://github.com/prowler-cloud/prowler/pull/8322)
-
----
-
-## [v1.10.0] (Prowler v5.9.0)
-
-### 🚀 Added
-
-- SSO with SAML support [(#8175)](https://github.com/prowler-cloud/prowler/pull/8175)
-- `GET /resources/metadata`, `GET /resources/metadata/latest` and `GET /resources/latest` to expose resource metadata and latest scan results [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
-
-### 🔄 Changed
-
-- `/processors` endpoints to post-process findings. Currently, only the Mutelist processor is supported to allow to mute findings.
-- Optimized the underlying queries for resources endpoints [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
-- Optimized include parameters for resources view [(#8229)](https://github.com/prowler-cloud/prowler/pull/8229)
-- Optimized overview background tasks [(#8300)](https://github.com/prowler-cloud/prowler/pull/8300)
-
-### 🐞 Fixed
-
-- Search filter for findings and resources [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
-- RBAC is now applied to `GET /overviews/providers` [(#8277)](https://github.com/prowler-cloud/prowler/pull/8277)
-
-### 🔄 Changed
-
-- `POST /schedules/daily` returns a `409 CONFLICT` if already created [(#8258)](https://github.com/prowler-cloud/prowler/pull/8258)
-
-### 🔐 Security
-
-- Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers [(#8225)](https://github.com/prowler-cloud/prowler/pull/8225)
-
----
-
-## [v1.9.1] (Prowler v5.8.1)
-
-### 🚀 Added
-
-- Custom exception for provider connection errors during scans [(#8234)](https://github.com/prowler-cloud/prowler/pull/8234)
-
-### 🔄 Changed
-
-- Summary and overview tasks now use a dedicated queue and no longer propagate errors to compliance tasks [(#8214)](https://github.com/prowler-cloud/prowler/pull/8214)
-
-### 🐞 Fixed
-
-- Scan with no resources will not trigger legacy code for findings metadata [(#8183)](https://github.com/prowler-cloud/prowler/pull/8183)
-- Invitation email comparison case-insensitive [(#8206)](https://github.com/prowler-cloud/prowler/pull/8206)
-
-### ❌ Removed
-
-- Validation of the provider's secret type during updates [(#8197)](https://github.com/prowler-cloud/prowler/pull/8197)
-
----
-
-## [v1.9.0] (Prowler v5.8.0)
-
-### 🚀 Added
-
-- Support GCP Service Account key [(#7824)](https://github.com/prowler-cloud/prowler/pull/7824)
-- `GET /compliance-overviews` endpoints to retrieve compliance metadata and specific requirements statuses [(#7877)](https://github.com/prowler-cloud/prowler/pull/7877)
-- Lighthouse configuration support [(#7848)](https://github.com/prowler-cloud/prowler/pull/7848)
-
-### 🔄 Changed
-
-- Reworked `GET /compliance-overviews` to return proper requirement metrics [(#7877)](https://github.com/prowler-cloud/prowler/pull/7877)
-- Optional `user` and `password` for M365 provider [(#7992)](https://github.com/prowler-cloud/prowler/pull/7992)
-
-### 🐞 Fixed
-
-- Scheduled scans are no longer deleted when their daily schedule run is disabled [(#8082)](https://github.com/prowler-cloud/prowler/pull/8082)
-
----
-
-## [v1.8.5] (Prowler v5.7.5)
-
-### 🐞 Fixed
-
-- Normalize provider UID to ensure safe and unique export directory paths [(#8007)](https://github.com/prowler-cloud/prowler/pull/8007).
-- Blank resource types in `/metadata` endpoints [(#8027)](https://github.com/prowler-cloud/prowler/pull/8027)
-
----
-
-## [v1.8.4] (Prowler v5.7.4)
-
-### ❌ Removed
-
-- Reverted RLS transaction handling and DB custom backend [(#7994)](https://github.com/prowler-cloud/prowler/pull/7994)
-
----
-
-## [v1.8.3] (Prowler v5.7.3)
-
-### 🚀 Added
-
-- Database backend to handle already closed connections [(#7935)](https://github.com/prowler-cloud/prowler/pull/7935)
-
-### 🔄 Changed
-
-- Renamed field encrypted_password to password for M365 provider [(#7784)](https://github.com/prowler-cloud/prowler/pull/7784)
-
-### 🐞 Fixed
-
-- Transaction persistence with RLS operations [(#7916)](https://github.com/prowler-cloud/prowler/pull/7916)
-- Reverted the change `get_with_retry` to use the original `get` method for retrieving tasks [(#7932)](https://github.com/prowler-cloud/prowler/pull/7932)
-
----
-
-## [v1.8.2] (Prowler v5.7.2)
-
-### 🐞 Fixed
-
-- Task lookup to use task_kwargs instead of task_args for scan report resolution [(#7830)](https://github.com/prowler-cloud/prowler/pull/7830)
-- Kubernetes UID validation to allow valid context names [(#7871)](https://github.com/prowler-cloud/prowler/pull/7871)
-- Connection status verification before launching a scan [(#7831)](https://github.com/prowler-cloud/prowler/pull/7831)
-- Race condition when creating background tasks [(#7876)](https://github.com/prowler-cloud/prowler/pull/7876)
-- Error when modifying or retrieving tenants due to missing user UUID in transaction context [(#7890)](https://github.com/prowler-cloud/prowler/pull/7890)
-
----
-
-## [v1.8.1] (Prowler v5.7.1)
-
-### 🐞 Fixed
-
-- Added database index to improve performance on finding lookup [(#7800)](https://github.com/prowler-cloud/prowler/pull/7800)
-
----
-
-## [v1.8.0] (Prowler v5.7.0)
-
-### 🚀 Added
-
-- Huge improvements to `/findings/metadata` and resource related filters for findings [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
-- Improvements to `/overviews` endpoints [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
-- Queue to perform backfill background tasks [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
-- New endpoints to retrieve latest findings and metadata [(#7743)](https://github.com/prowler-cloud/prowler/pull/7743)
-- Export support for Prowler ThreatScore in M365 [(7783)](https://github.com/prowler-cloud/prowler/pull/7783)
-
----
-
-## [v1.7.0] (Prowler v5.6.0)
-
-### 🚀 Added
-
-- M365 as a new provider [(#7563)](https://github.com/prowler-cloud/prowler/pull/7563)
-- `compliance/` folder and ZIP‐export functionality for all compliance reports [(#7653)](https://github.com/prowler-cloud/prowler/pull/7653)
-- API endpoint to fetch and download any specific compliance file by name [(#7653)](https://github.com/prowler-cloud/prowler/pull/7653)
-
----
-
-## [v1.6.0] (Prowler v5.5.0)
-
-### 🚀 Added
-
-- Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167)
-- HTTP Security Headers [(#7289)](https://github.com/prowler-cloud/prowler/pull/7289)
-- New endpoint to get the compliance overviews metadata [(#7333)](https://github.com/prowler-cloud/prowler/pull/7333)
-- Support for muted findings [(#7378)](https://github.com/prowler-cloud/prowler/pull/7378)
-- Missing fields to API findings and resources [(#7318)](https://github.com/prowler-cloud/prowler/pull/7318)
-
----
-
-## [v1.5.4] (Prowler v5.4.4)
-
-### 🐞 Fixed
-
-- Bug with periodic tasks when trying to delete a provider [(#7466)](https://github.com/prowler-cloud/prowler/pull/7466)
-
----
-
-## [v1.5.3] (Prowler v5.4.3)
-
-### 🐞 Fixed
-
-- Duplicated scheduled scans handling [(#7401)](https://github.com/prowler-cloud/prowler/pull/7401)
-- Environment variable to configure the deletion task batch size [(#7423)](https://github.com/prowler-cloud/prowler/pull/7423)
-
----
-
-## [v1.5.2] (Prowler v5.4.2)
-
-### 🔄 Changed
-
-- Refactored deletion logic and implemented retry mechanism for deletion tasks [(#7349)](https://github.com/prowler-cloud/prowler/pull/7349)
-
----
-
-## [v1.5.1] (Prowler v5.4.1)
-
-### 🐞 Fixed
-
-- Handle response in case local files are missing [(#7183)](https://github.com/prowler-cloud/prowler/pull/7183)
-- Race condition when deleting export files after the S3 upload [(#7172)](https://github.com/prowler-cloud/prowler/pull/7172)
-- Handle exception when a provider has no secret in test connection [(#7283)](https://github.com/prowler-cloud/prowler/pull/7283)
-
----
-
-## [v1.5.0] (Prowler v5.4.0)
-
-### 🚀 Added
-
-- Social login integration with Google and GitHub [(#6906)](https://github.com/prowler-cloud/prowler/pull/6906)
-- API scan report system, now all scans launched from the API will generate a compressed file with the report in OCSF, CSV and HTML formats [(#6878)](https://github.com/prowler-cloud/prowler/pull/6878)
-- Configurable Sentry integration [(#6874)](https://github.com/prowler-cloud/prowler/pull/6874)
-
-### 🔄 Changed
-
-- Optimized `GET /findings` endpoint to improve response time and size [(#7019)](https://github.com/prowler-cloud/prowler/pull/7019)
-
----
-
-## [v1.4.0] (Prowler v5.3.0)
-
-### 🔄 Changed
-
-- Daily scheduled scan instances are now created beforehand with `SCHEDULED` state [(#6700)](https://github.com/prowler-cloud/prowler/pull/6700)
-- Findings endpoints now require at least one date filter [(#6800)](https://github.com/prowler-cloud/prowler/pull/6800)
-- Findings metadata endpoint received a performance improvement [(#6863)](https://github.com/prowler-cloud/prowler/pull/6863)
-- Increased the allowed length of the provider UID for Kubernetes providers [(#6869)](https://github.com/prowler-cloud/prowler/pull/6869)
-
----

api/Dockerfile

@@ -1,97 +0,0 @@
-FROM python:3.12.10-slim-bookworm AS build
-
-LABEL maintainer="https://github.com/prowler-cloud/api"
-
-ARG POWERSHELL_VERSION=7.5.0
-ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
-
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}
-
-# hadolint ignore=DL3008
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    wget \
-    libicu72 \
-    gcc \
-    g++ \
-    make \
-    libxml2-dev \
-    libxmlsec1-dev \
-    libxmlsec1-openssl \
-    pkg-config \
-    libtool \
-    libxslt1-dev \
-    python3-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install PowerShell
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        wget --progress=dot:giga https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-x64.tar.gz -O /tmp/powershell.tar.gz ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        wget --progress=dot:giga https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz -O /tmp/powershell.tar.gz ; \
-    else \
-        echo "Unsupported architecture: $ARCH" && exit 1 ; \
-    fi && \
-    mkdir -p /opt/microsoft/powershell/7 && \
-    tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 && \
-    chmod +x /opt/microsoft/powershell/7/pwsh && \
-    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
-    rm /tmp/powershell.tar.gz
-
-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
-# Add prowler user
-RUN addgroup --gid 1000 prowler && \
-    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
-
-USER prowler
-
-WORKDIR /home/prowler
-
-# Ensure output directory exists
-RUN mkdir -p /tmp/prowler_api_output
-
-COPY pyproject.toml ./
-
-RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry
-
-ENV PATH="/home/prowler/.local/bin:$PATH"
-
-# Add `--no-root` to avoid installing the current project as a package
-RUN poetry install --no-root && \
-    rm -rf ~/.cache/pip
-
-RUN poetry run python "$(poetry env info --path)/src/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py"
-
-COPY src/backend/ ./backend/
-COPY docker-entrypoint.sh ./docker-entrypoint.sh
-
-WORKDIR /home/prowler/backend
-
-# Development image
-FROM build AS dev
-
-ENTRYPOINT ["../docker-entrypoint.sh", "dev"]
-
-# Production image
-FROM build
-
-ENTRYPOINT ["../docker-entrypoint.sh", "prod"]

api/README.md

@@ -1,339 +0,0 @@
-# Description
-
-This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.
-
-# Components
-The Prowler API is composed of the following components:
-
-- The JSON API, which is an API built with Django Rest Framework.
-- The Celery worker, which is responsible for executing the background tasks that are defined in the JSON API.
-- The PostgreSQL database, which is used to store the data.
-- The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.
-
-## Note about Valkey
-
-[Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.
-
-Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.
-
-# Modify environment variables
-
-Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.
-
-If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, the API will generate them at `~/.config/prowler-api/` with `0600` and `0644` permissions; back up these files to persist identity across redeploys.
-
-**Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.
-
-## Local deployment
-Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.
-
-To do this, you can run:
-
-```console
-poetry shell
-set -a
-source .env
-```
-
-# 🚀 Production deployment
-## Docker deployment
-
-This method requires `docker` and `docker compose`.
-
-### Clone the repository
-
-```console
-# HTTPS
-git clone https://github.com/prowler-cloud/api.git
-
-# SSH
-git clone git@github.com:prowler-cloud/api.git
-
-```
-
-### Build the base image
-
-```console
-docker compose --profile prod build
-```
-
-### Run the production service
-
-This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.
-
-```console
-docker compose --profile prod up -d
-```
-
-You can access the server in `http://localhost:8080`.
-
-> **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.
-
-### View the Production Server Logs
-
-To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:
-
-```console
-docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
-
-## Local deployment
-
-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.
-
-### Clone the repository
-
-```console
-# HTTPS
-git clone https://github.com/prowler-cloud/api.git
-
-# SSH
-git clone git@github.com:prowler-cloud/api.git
-
-```
-### Install all dependencies with Poetry
-
-```console
-poetry install
-poetry shell
-```
-
-## Start the PostgreSQL Database and Valkey
-
-The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.
-
-**Note:** Make sure to use the specified versions, as there are features in our setup that may not be compatible with older versions of PostgreSQL and Valkey.
-
-
-```console
-docker compose up postgres valkey -d
-```
-
-## Deploy Django and the Celery worker
-
-### Run migrations
-
-For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
-
-```console
-cd src/backend
-python manage.py migrate --database admin
-```
-
-### Run the Celery worker
-
-```console
-cd src/backend
-python -m celery -A config.celery worker -l info -E
-```
-
-### Run the Django server with Gunicorn
-
-```console
-cd src/backend
-gunicorn -c config/guniconf.py config.wsgi:application
-```
-
-> By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.
-
-# 🧪 Development guide
-
-## Local deployment
-
-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.
-
-### Clone the repository
-
-```console
-# HTTPS
-git clone https://github.com/prowler-cloud/api.git
-
-# SSH
-git clone git@github.com:prowler-cloud/api.git
-
-```
-
-### Start the PostgreSQL Database and Valkey
-
-The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.
-
-**Note:** Make sure to use the specified versions, as there are features in our setup that may not be compatible with older versions of PostgreSQL and Valkey.
-
-
-```console
-docker compose up postgres valkey -d
-```
-
-### Install the Python dependencies
-
-> You must have Poetry installed
-
-```console
-poetry install
-poetry shell
-```
-
-### Apply migrations
-
-For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
-
-```console
-cd src/backend
-python manage.py migrate --database admin
-```
-
-### Run the Django development server
-
-```console
-cd src/backend
-python manage.py runserver
-```
-
-You can access the server in `http://localhost:8000`.
-All changes in the code will be automatically reloaded in the server.
-
-### Run the Celery worker
-
-```console
-python -m celery -A config.celery worker -l info -E
-```
-
-The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.
-
-## Docker deployment
-
-This method requires `docker` and `docker compose`.
-
-### Clone the repository
-
-```console
-# HTTPS
-git clone https://github.com/prowler-cloud/api.git
-
-# SSH
-git clone git@github.com:prowler-cloud/api.git
-
-```
-
-### Build the base image
-
-```console
-docker compose --profile dev build
-```
-
-### Run the development service
-
-This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.
-
-```console
-docker compose --profile dev up -d
-```
-
-You can access the server in `http://localhost:8080`.
-All changes in the code will be automatically reloaded in the server.
-
-> **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.
-
-### View the development server logs
-
-To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:
-
-```console
-docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
-```
-
-## Applying migrations
-
-For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:
-
-```console
-poetry shell
-cd src/backend
-python manage.py migrate --database admin
-```
-
-## Apply fixtures
-
-Fixtures are used to populate the database with initial development data.
-
-```console
-poetry shell
-cd src/backend
-python manage.py loaddata api/fixtures/0_dev_users.json --database admin
-```
-
-> The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`
-
-## Run tests
-
-Note that the tests will fail if you use the same `.env` file as the development environment.
-
-For best results, run in a new shell with no environment variables set.
-
-```console
-poetry shell
-cd src/backend
-pytest
-```
-
-# Custom commands
-
-Django provides a way to create custom commands that can be run from the command line.
-
-> These commands can be found in: ```prowler/api/src/backend/api/management/commands```
-
-To run a custom command, you need to be in the `prowler/api/src/backend` directory and run:
-
-```console
-poetry shell
-python manage.py <command_name>
-```
-
-## Generate dummy data
-
-```console
-python manage.py findings --tenant
-<TENANT_ID> --findings <NUM_FINDINGS> --re
-sources <NUM_RESOURCES> --batch <TRANSACTION_BATCH_SIZE> --alias <ALIAS>
-```
-
-This command creates, for a given tenant, a provider, scan and a set of findings and resources related altogether.
-
-> Scan progress and state are updated in real time.
-> - 0-33%: Create resources.
-> - 33-66%: Create findings.
-> - 66%: Create resource-finding mapping.
->
-> The last step is required to access the findings details, since the UI needs that to print all the information.
-
-### Example
-
-```console
-~/backend $ poetry run python manage.py findings --tenant
-fffb1893-3fc7-4623-a5d9-fae47da1c528 --findings 25000 --re
-sources 1000 --batch 5000 --alias test-script
-
-Starting data population
-	Tenant: fffb1893-3fc7-4623-a5d9-fae47da1c528
-	Alias: test-script
-	Resources: 1000
-	Findings: 25000
-	Batch size: 5000
-
-
-Creating resources...
-100%|███████████████████████| 1/1 [00:00<00:00,  7.72it/s]
-Resources created successfully.
-
-
-Creating findings...
-100%|███████████████████████| 5/5 [00:05<00:00,  1.09s/it]
-Findings created successfully.
-
-
-Creating resource-finding mappings...
-100%|███████████████████████| 5/5 [00:02<00:00,  1.81it/s]
-Resource-finding mappings created successfully.
-
-
-Successfully populated test data.
-```

api/docker-entrypoint.sh

@@ -1,75 +0,0 @@
-#!/bin/sh
-
-
-apply_migrations() {
-  echo "Applying database migrations..."
-
-  # Fix Inconsistent migration history after adding sites app
-  poetry run python manage.py check_and_fix_socialaccount_sites_migration --database admin
-
-  poetry run python manage.py migrate --database admin
-}
-
-apply_fixtures() {
-  echo "Applying Django fixtures..."
-  for fixture in api/fixtures/dev/*.json; do
-    if [ -f "$fixture" ]; then
-      echo "Loading $fixture"
-      poetry run python manage.py loaddata "$fixture" --database admin
-    fi
-  done
-}
-
-start_dev_server() {
-  echo "Starting the development server..."
-  poetry run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
-}
-
-start_prod_server() {
-  echo "Starting the Gunicorn server..."
-  poetry run gunicorn -c config/guniconf.py config.wsgi:application
-}
-
-start_worker() {
-  echo "Starting the worker..."
-  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans -E --max-tasks-per-child 1
-}
-
-start_worker_beat() {
-  echo "Starting the worker-beat..."
-  sleep 15
-  poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
-}
-
-manage_db_partitions() {
-  if [ "${DJANGO_MANAGE_DB_PARTITIONS}" = "True" ]; then
-    echo "Managing DB partitions..."
-    # For now we skip the deletion of partitions until we define the data retention policy
-    # --yes auto approves the operation without the need of an interactive terminal
-    poetry run python manage.py pgpartition --using admin --skip-delete --yes
-  fi
-}
-
-case "$1" in
-  dev)
-    apply_migrations
-    apply_fixtures
-    manage_db_partitions
-    start_dev_server
-    ;;
-  prod)
-    apply_migrations
-    manage_db_partitions
-    start_prod_server
-    ;;
-  worker)
-    start_worker
-    ;;
-  beat)
-    start_worker_beat
-    ;;
-  *)
-    echo "Usage: $0 {dev|prod|worker|beat}"
-    exit 1
-    ;;
-esac

api/docs/partitions.md

@@ -1,65 +0,0 @@
-# Partitions
-
-## Overview
-
-Partitions are used to split the data in a table into smaller chunks, allowing for more efficient querying and storage.
-
-The Prowler API uses partitions to store findings. The partitions are created based on the UUIDv7 `id` field.
-
-You can use the Prowler API without ever creating additional partitions. This documentation is only relevant if you want to manage partitions to gain additional query performance.
-
-### Required Postgres Configuration
-
-There are 3 configuration options that need to be set in the `postgres.conf` file to get the most performance out of the partitioning:
-
-- `enable_partition_pruning = on` (default is on)
-- `enable_partitionwise_join = on` (default is off)
-- `enable_partitionwise_aggregate = on` (default is off)
-
-For more information on these options, see the [Postgres documentation](https://www.postgresql.org/docs/current/runtime-config-query.html).
-
-## Partitioning Strategy
-
-The partitioning strategy is defined in the `api.partitions` module. The strategy is responsible for creating and deleting partitions based on the provided configuration.
-
-## Managing Partitions
-
-The application will run without any extra work on your part. If you want to add or delete partitions, you can use the following commands:
-
-To manage the partitions, run `python manage.py pgpartition --using admin`
-
-This command will generate a list of partitions to create and delete based on the provided configuration.
-
-By default, the command will prompt you to accept the changes before applying them.
-
-```shell
-Finding:
-   + 2024_nov
-      name: 2024_nov
-      from_values: 0192e505-9000-72c8-a47c-cce719d8fb93
-      to_values: 01937f84-5418-7eb8-b2a6-e3be749e839d
-      size_unit: months
-      size_value: 1
-   + 2024_dec
-      name: 2024_dec
-      from_values: 01937f84-5800-7b55-879c-9cdb46f023f6
-      to_values: 01941f29-7818-7f9f-b4be-20b05bb2f574
-      size_unit: months
-      size_value: 1
-
-0 partitions will be deleted
-2 partitions will be created
-```
-
-If you choose to apply the partitions, tables will be generated with the following format: `<table_name>_<year>_<month>`.
-
-For more info on the partitioning manager, see https://github.com/SectorLabs/django-postgres-extra
-
-### Changing the Partitioning Parameters
-
-There are 4 environment variables that can be used to change the partitioning parameters:
-
-- `DJANGO_MANAGE_DB_PARTITIONS`: Allow Django to manage database partitons. By default is set to `False`.
-- `FINDINGS_TABLE_PARTITION_MONTHS`: Set the months for each partition. Setting the partition monts to 1 will create partitions with a size of 1 natural month.
-- `FINDINGS_TABLE_PARTITION_COUNT`: Set the number of partitions to create
-- `FINDINGS_TABLE_PARTITION_MAX_AGE_MONTHS`: Set the number of months to keep partitions before deleting them. Setting this to `None` will keep partitions indefinitely.

api/pyproject.toml

@@ -1,76 +0,0 @@
-[build-system]
-build-backend = "poetry.core.masonry.api"
-requires = ["poetry-core"]
-
-[project]
-authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
-dependencies = [
-  "celery (>=5.4.0,<6.0.0)",
-  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.15)",
-  "django-allauth[saml] (>=65.13.0,<66.0.0)",
-  "django-celery-beat (>=2.7.0,<3.0.0)",
-  "django-celery-results (>=2.5.1,<3.0.0)",
-  "django-cors-headers==4.4.0",
-  "django-environ==0.11.2",
-  "django-filter==24.3",
-  "django-guid==3.5.0",
-  "django-postgres-extra (>=2.0.8,<3.0.0)",
-  "djangorestframework==3.15.2",
-  "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt (>=5.3.1,<6.0.0)",
-  "drf-nested-routers (>=0.94.1,<1.0.0)",
-  "drf-spectacular==0.27.2",
-  "drf-spectacular-jsonapi==0.5.1",
-  "gunicorn==23.0.0",
-  "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
-  "psycopg2-binary==2.9.9",
-  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
-  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
-  "uuid6==2024.7.10",
-  "openai (>=1.82.0,<2.0.0)",
-  "xmlsec==1.3.14",
-  "h2 (==4.3.0)",
-  "markdown (>=3.9,<4.0)",
-  "drf-simple-apikey (==2.2.1)",
-  "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)",
-  "neo4j (<6.0.0)",
-  "cartography @ git+https://github.com/prowler-cloud/cartography@master",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
-]
-description = "Prowler's API (Django/DRF)"
-license = "Apache-2.0"
-name = "prowler-api"
-package-mode = false
-# Needed for the SDK compatibility
-requires-python = ">=3.11,<3.13"
-version = "1.19.0"
-
-[project.scripts]
-celery = "src.backend.config.settings.celery"
-
-[tool.poetry.group.dev.dependencies]
-bandit = "1.7.9"
-coverage = "7.5.4"
-django-silk = "5.3.2"
-docker = "7.1.0"
-filelock = "3.20.3"
-freezegun = "1.5.1"
-marshmallow = ">=3.15.0,<4.0.0"
-mypy = "1.10.1"
-pylint = "3.2.5"
-pytest = "8.2.2"
-pytest-cov = "5.0.0"
-pytest-django = "4.8.0"
-pytest-env = "1.1.3"
-pytest-randomly = "3.15.0"
-pytest-xdist = "3.6.1"
-ruff = "0.5.0"
-safety = "3.7.0"
-tqdm = "4.67.1"
-vulture = "2.14"

api/src/backend/api/adapters.py

@@ -1,71 +0,0 @@
-from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
-from django.db import transaction
-
-from api.db_router import MainRouter
-from api.db_utils import rls_transaction
-from api.models import Membership, Role, Tenant, User, UserRoleRelationship
-
-
-class ProwlerSocialAccountAdapter(DefaultSocialAccountAdapter):
-    @staticmethod
-    def get_user_by_email(email: str):
-        try:
-            return User.objects.get(email=email)
-        except User.DoesNotExist:
-            return None
-
-    def pre_social_login(self, request, sociallogin):
-        # Link existing accounts with the same email address
-        email = sociallogin.account.extra_data.get("email")
-        if sociallogin.provider.id == "saml":
-            email = sociallogin.user.email
-        if email:
-            existing_user = self.get_user_by_email(email)
-            if existing_user:
-                sociallogin.connect(request, existing_user)
-
-    def save_user(self, request, sociallogin, form=None):
-        """
-        Called after the user data is fully populated from the provider
-        and is about to be saved to the DB for the first time.
-        """
-        with transaction.atomic(using=MainRouter.admin_db):
-            user = super().save_user(request, sociallogin, form)
-            provider = sociallogin.provider.id
-            extra = sociallogin.account.extra_data
-
-            if provider != "saml":
-                # Handle other providers (e.g., GitHub, Google)
-                user.save(using=MainRouter.admin_db)
-                social_account_name = extra.get("name")
-                if social_account_name:
-                    user.name = social_account_name
-                    user.save(using=MainRouter.admin_db)
-
-                tenant = Tenant.objects.using(MainRouter.admin_db).create(
-                    name=f"{user.email.split('@')[0]} default tenant"
-                )
-                with rls_transaction(str(tenant.id)):
-                    Membership.objects.using(MainRouter.admin_db).create(
-                        user=user, tenant=tenant, role=Membership.RoleChoices.OWNER
-                    )
-                    role = Role.objects.using(MainRouter.admin_db).create(
-                        name="admin",
-                        tenant_id=tenant.id,
-                        manage_users=True,
-                        manage_account=True,
-                        manage_billing=True,
-                        manage_providers=True,
-                        manage_integrations=True,
-                        manage_scans=True,
-                        unlimited_visibility=True,
-                    )
-                    UserRoleRelationship.objects.using(MainRouter.admin_db).create(
-                        user=user,
-                        role=role,
-                        tenant_id=tenant.id,
-                    )
-            else:
-                request.session["saml_user_created"] = str(user.id)
-
-        return user

api/src/backend/api/apps.py

@@ -1,201 +0,0 @@
-import logging
-import os
-import sys
-from pathlib import Path
-
-from config.custom_logging import BackendLogger
-from config.env import env
-from django.apps import AppConfig
-from django.conf import settings
-
-logger = logging.getLogger(BackendLogger.API)
-
-SIGNING_KEY_ENV = "DJANGO_TOKEN_SIGNING_KEY"
-VERIFYING_KEY_ENV = "DJANGO_TOKEN_VERIFYING_KEY"
-
-PRIVATE_KEY_FILE = "jwt_private.pem"
-PUBLIC_KEY_FILE = "jwt_public.pem"
-
-KEYS_DIRECTORY = (
-    Path.home() / ".config" / "prowler-api"
-)  # `/home/prowler/.config/prowler-api` inside the container
-
-_keys_initialized = False  # Flag to prevent multiple executions within the same process
-
-
-class ApiConfig(AppConfig):
-    default_auto_field = "django.db.models.BigAutoField"
-    name = "api"
-
-    def ready(self):
-        from api import schema_extensions  # noqa: F401
-        from api import signals  # noqa: F401
-        from api.attack_paths import database as graph_database
-
-        # Generate required cryptographic keys if not present, but only if:
-        #   `"manage.py" not in sys.argv[0]`: If an external server (e.g., Gunicorn) is running the app
-        #   `os.environ.get("RUN_MAIN")`: If it's not a Django command or using `runserver`,
-        #                                 only the main process will do it
-        if (len(sys.argv) >= 1 and "manage.py" not in sys.argv[0]) or os.environ.get(
-            "RUN_MAIN"
-        ):
-            self._ensure_crypto_keys()
-
-        # Commands that don't need Neo4j
-        SKIP_NEO4J_DJANGO_COMMANDS = [
-            "makemigrations",
-            "migrate",
-            "pgpartition",
-            "check",
-            "help",
-            "showmigrations",
-            "check_and_fix_socialaccount_sites_migration",
-        ]
-
-        # Skip Neo4j initialization during tests, some Django commands, and Celery
-        if getattr(settings, "TESTING", False) or (
-            len(sys.argv) > 1
-            and (
-                (
-                    "manage.py" in sys.argv[0]
-                    and sys.argv[1] in SKIP_NEO4J_DJANGO_COMMANDS
-                )
-                or "celery" in sys.argv[0]
-            )
-        ):
-            logger.info(
-                "Skipping Neo4j initialization because tests, some Django commands or Celery"
-            )
-
-        else:
-            graph_database.init_driver()
-
-        # Neo4j driver is initialized at API startup (see api.attack_paths.database)
-        # It remains lazy for Celery workers and selected Django commands
-
-    def _ensure_crypto_keys(self):
-        """
-        Orchestrator method that ensures all required cryptographic keys are present.
-        This method coordinates the generation of:
-          - RSA key pairs for JWT token signing and verification
-        Note: During development, Django spawns multiple processes (migrations, fixtures, etc.)
-        which will each generate their own keys. This is expected behavior and each process
-        will have consistent keys for its lifetime. In production, set the keys as environment
-        variables to avoid regeneration.
-        """
-        global _keys_initialized
-
-        # Skip key generation if running tests
-        if getattr(settings, "TESTING", False):
-            return
-
-        # Skip if already initialized in this process
-        if _keys_initialized:
-            return
-
-        # Check if both JWT keys are set; if not, generate them
-        signing_key = env.str(SIGNING_KEY_ENV, default="").strip()
-        verifying_key = env.str(VERIFYING_KEY_ENV, default="").strip()
-
-        if not signing_key or not verifying_key:
-            logger.info(
-                f"Generating JWT RSA key pair. In production, set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' "
-                "environment variables."
-            )
-            self._ensure_jwt_keys()
-
-        # Mark as initialized to prevent future executions in this process
-        _keys_initialized = True
-
-    def _read_key_file(self, file_name):
-        """
-        Utility method to read the contents of a file.
-        """
-        file_path = KEYS_DIRECTORY / file_name
-        return file_path.read_text().strip() if file_path.is_file() else None
-
-    def _write_key_file(self, file_name, content, private=True):
-        """
-        Utility method to write content to a file.
-        """
-        try:
-            file_path = KEYS_DIRECTORY / file_name
-            file_path.parent.mkdir(parents=True, exist_ok=True)
-            file_path.write_text(content)
-            file_path.chmod(0o600 if private else 0o644)
-
-        except Exception as e:
-            logger.error(
-                f"Error writing key file '{file_name}': {e}. "
-                f"Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
-            )
-            raise e
-
-    def _ensure_jwt_keys(self):
-        """
-        Generate RSA key pairs for JWT token signing and verification
-        if they are not already set in environment variables.
-        """
-        # Read existing keys from files if they exist
-        signing_key = self._read_key_file(PRIVATE_KEY_FILE)
-        verifying_key = self._read_key_file(PUBLIC_KEY_FILE)
-
-        if not signing_key or not verifying_key:
-            # Generate and store the RSA key pair
-            signing_key, verifying_key = self._generate_jwt_keys()
-            self._write_key_file(PRIVATE_KEY_FILE, signing_key, private=True)
-            self._write_key_file(PUBLIC_KEY_FILE, verifying_key, private=False)
-            logger.info("JWT keys generated and stored successfully")
-
-        else:
-            logger.info("JWT keys already generated")
-
-        # Set environment variables and Django settings
-        os.environ[SIGNING_KEY_ENV] = signing_key
-        settings.SIMPLE_JWT["SIGNING_KEY"] = signing_key
-
-        os.environ[VERIFYING_KEY_ENV] = verifying_key
-        settings.SIMPLE_JWT["VERIFYING_KEY"] = verifying_key
-
-    def _generate_jwt_keys(self):
-        """
-        Generate and set RSA key pairs for JWT token operations.
-        """
-        try:
-            from cryptography.hazmat.primitives import serialization
-            from cryptography.hazmat.primitives.asymmetric import rsa
-
-            # Generate RSA key pair
-            private_key = rsa.generate_private_key(  # Future improvement: we could read the next values from env vars
-                public_exponent=65537,
-                key_size=2048,
-            )
-
-            # Serialize private key (for signing)
-            private_pem = private_key.private_bytes(
-                encoding=serialization.Encoding.PEM,
-                format=serialization.PrivateFormat.PKCS8,
-                encryption_algorithm=serialization.NoEncryption(),
-            ).decode("utf-8")
-
-            # Serialize public key (for verification)
-            public_key = private_key.public_key()
-            public_pem = public_key.public_bytes(
-                encoding=serialization.Encoding.PEM,
-                format=serialization.PublicFormat.SubjectPublicKeyInfo,
-            ).decode("utf-8")
-
-            logger.debug("JWT RSA key pair generated successfully.")
-            return private_pem, public_pem
-
-        except ImportError as e:
-            logger.warning(
-                "The 'cryptography' package is required for automatic JWT key generation."
-            )
-            raise e
-
-        except Exception as e:
-            logger.error(
-                f"Error generating JWT keys: {e}. Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
-            )
-            raise e

api/src/backend/api/attack_paths/__init__.py

@@ -1,13 +0,0 @@
-from api.attack_paths.query_definitions import (
-    AttackPathsQueryDefinition,
-    AttackPathsQueryParameterDefinition,
-    get_queries_for_provider,
-    get_query_by_id,
-)
-
-__all__ = [
-    "AttackPathsQueryDefinition",
-    "AttackPathsQueryParameterDefinition",
-    "get_queries_for_provider",
-    "get_query_by_id",
-]

api/src/backend/api/attack_paths/database.py

@@ -1,161 +0,0 @@
-import atexit
-import logging
-import threading
-from contextlib import contextmanager
-from typing import Iterator
-from uuid import UUID
-
-import neo4j
-import neo4j.exceptions
-from django.conf import settings
-
-from api.attack_paths.retryable_session import RetryableSession
-
-# Without this Celery goes crazy with Neo4j logging
-logging.getLogger("neo4j").setLevel(logging.ERROR)
-logging.getLogger("neo4j").propagate = False
-
-SERVICE_UNAVAILABLE_MAX_RETRIES = 3
-
-# Module-level process-wide driver singleton
-_driver: neo4j.Driver | None = None
-_lock = threading.Lock()
-
-# Base Neo4j functions
-
-
-def get_uri() -> str:
-    host = settings.DATABASES["neo4j"]["HOST"]
-    port = settings.DATABASES["neo4j"]["PORT"]
-    return f"bolt://{host}:{port}"
-
-
-def init_driver() -> neo4j.Driver:
-    global _driver
-    if _driver is not None:
-        return _driver
-
-    with _lock:
-        if _driver is None:
-            uri = get_uri()
-            config = settings.DATABASES["neo4j"]
-
-            _driver = neo4j.GraphDatabase.driver(
-                uri,
-                auth=(config["USER"], config["PASSWORD"]),
-                keep_alive=True,
-                max_connection_lifetime=7200,
-                connection_acquisition_timeout=120,
-                max_connection_pool_size=50,
-            )
-            _driver.verify_connectivity()
-
-            # Register cleanup handler (only runs once since we're inside the _driver is None block)
-            atexit.register(close_driver)
-
-    return _driver
-
-
-def get_driver() -> neo4j.Driver:
-    return init_driver()
-
-
-def close_driver() -> None:  # TODO: Use it
-    global _driver
-    with _lock:
-        if _driver is not None:
-            try:
-                _driver.close()
-
-            finally:
-                _driver = None
-
-
-@contextmanager
-def get_session(database: str | None = None) -> Iterator[RetryableSession]:
-    session_wrapper: RetryableSession | None = None
-
-    try:
-        session_wrapper = RetryableSession(
-            session_factory=lambda: get_driver().session(database=database),
-            max_retries=SERVICE_UNAVAILABLE_MAX_RETRIES,
-        )
-        yield session_wrapper
-
-    except neo4j.exceptions.Neo4jError as exc:
-        raise GraphDatabaseQueryException(message=exc.message, code=exc.code)
-
-    finally:
-        if session_wrapper is not None:
-            session_wrapper.close()
-
-
-def create_database(database: str) -> None:
-    query = "CREATE DATABASE $database IF NOT EXISTS"
-    parameters = {"database": database}
-
-    with get_session() as session:
-        session.run(query, parameters)
-
-
-def drop_database(database: str) -> None:
-    query = f"DROP DATABASE `{database}` IF EXISTS DESTROY DATA"
-
-    with get_session() as session:
-        session.run(query)
-
-
-def drop_subgraph(database: str, root_node_label: str, root_node_id: str) -> int:
-    query = """
-        MATCH (a:__ROOT_NODE_LABEL__ {id: $root_node_id})
-        CALL apoc.path.subgraphNodes(a, {})
-        YIELD node
-        DETACH DELETE node
-        RETURN COUNT(node) AS deleted_nodes_count
-    """.replace("__ROOT_NODE_LABEL__", root_node_label)
-    parameters = {"root_node_id": root_node_id}
-
-    with get_session(database) as session:
-        result = session.run(query, parameters)
-
-        try:
-            return result.single()["deleted_nodes_count"]
-
-        except neo4j.exceptions.ResultConsumedError:
-            return 0  # As there are no nodes to delete, the result is empty
-
-
-def clear_cache(database: str) -> None:
-    query = "CALL db.clearQueryCaches()"
-
-    try:
-        with get_session(database) as session:
-            session.run(query)
-
-    except GraphDatabaseQueryException as exc:
-        logging.warning(f"Failed to clear query cache for database `{database}`: {exc}")
-
-
-# Neo4j functions related to Prowler + Cartography
-DATABASE_NAME_TEMPLATE = "db-{attack_paths_scan_id}"
-
-
-def get_database_name(attack_paths_scan_id: UUID) -> str:
-    attack_paths_scan_id_str = str(attack_paths_scan_id).lower()
-    return DATABASE_NAME_TEMPLATE.format(attack_paths_scan_id=attack_paths_scan_id_str)
-
-
-# Exceptions
-
-
-class GraphDatabaseQueryException(Exception):
-    def __init__(self, message: str, code: str | None = None) -> None:
-        super().__init__(message)
-        self.message = message
-        self.code = code
-
-    def __str__(self) -> str:
-        if self.code:
-            return f"{self.code}: {self.message}"
-
-        return self.message

api/src/backend/api/attack_paths/query_definitions.py

@@ -1,690 +0,0 @@
-from dataclasses import dataclass, field
-
-
-# Dataclases for handling API's Attack Path query definitions and their parameters
-@dataclass
-class AttackPathsQueryParameterDefinition:
-    """
-    Metadata describing a parameter that must be provided to an Attack Paths query.
-    """
-
-    name: str
-    label: str
-    data_type: str = "string"
-    cast: type = str
-    description: str | None = None
-    placeholder: str | None = None
-
-
-@dataclass
-class AttackPathsQueryDefinition:
-    """
-    Immutable representation of an Attack Path query.
-    """
-
-    id: str
-    name: str
-    description: str
-    provider: str
-    cypher: str
-    parameters: list[AttackPathsQueryParameterDefinition] = field(default_factory=list)
-
-
-# Accessor functions for API's Attack Paths query definitions
-def get_queries_for_provider(provider: str) -> list[AttackPathsQueryDefinition]:
-    return _QUERY_DEFINITIONS.get(provider, [])
-
-
-def get_query_by_id(query_id: str) -> AttackPathsQueryDefinition | None:
-    return _QUERIES_BY_ID.get(query_id)
-
-
-# API's Attack Paths query definitions
-_QUERY_DEFINITIONS: dict[str, list[AttackPathsQueryDefinition]] = {
-    "aws": [
-        # Custom query for detecting internet-exposed EC2 instances with sensitive S3 access
-        AttackPathsQueryDefinition(
-            id="aws-internet-exposed-ec2-sensitive-s3-access",
-            name="Identify internet-exposed EC2 instances with sensitive S3 access",
-            description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                MATCH path_s3 = (aws:AWSAccount {id: $provider_uid})--(s3:S3Bucket)--(t:AWSTag)
-                WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
-
-                MATCH path_ec2 = (aws)--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)
-                WHERE ec2.exposed_internet = true
-                    AND ipi.toport = 22
-
-                MATCH path_role = (r:AWSRole)--(pol:AWSPolicy)--(stmt:AWSPolicyStatement)
-                WHERE ANY(x IN stmt.resource WHERE x CONTAINS s3.name)
-                    AND ANY(x IN stmt.action WHERE toLower(x) =~ 's3:(listbucket|getobject).*')
-
-                MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, ec2)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path_s3) + nodes(path_ec2) + nodes(path_role) + nodes(path_assume_role) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path_s3, path_ec2, path_role, path_assume_role, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[
-                AttackPathsQueryParameterDefinition(
-                    name="tag_key",
-                    label="Tag key",
-                    description="Tag key to filter the S3 bucket, e.g. DataClassification.",
-                    placeholder="DataClassification",
-                ),
-                AttackPathsQueryParameterDefinition(
-                    name="tag_value",
-                    label="Tag value",
-                    description="Tag value to filter the S3 bucket, e.g. Sensitive.",
-                    placeholder="Sensitive",
-                ),
-            ],
-        ),
-        # Regular Cartography Attack Paths queries
-        AttackPathsQueryDefinition(
-            id="aws-rds-instances",
-            name="Identify provisioned RDS instances",
-            description="List the selected AWS account alongside the RDS instances it owns.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(rds:RDSInstance)
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-rds-unencrypted-storage",
-            name="Identify RDS instances without storage encryption",
-            description="Find RDS instances with storage encryption disabled within the selected account.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(rds:RDSInstance)
-                WHERE rds.storage_encrypted = false
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-s3-anonymous-access-buckets",
-            name="Identify S3 buckets with anonymous access",
-            description="Find S3 buckets that allow anonymous access within the selected account.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(s3:S3Bucket)
-                WHERE s3.anonymous_access = true
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-iam-statements-allow-all-actions",
-            name="Identify IAM statements that allow all actions",
-            description="Find IAM policy statements that allow all actions via '*' within the selected account.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)--(pol:AWSPolicy)--(stmt:AWSPolicyStatement)
-                WHERE stmt.effect = 'Allow'
-                    AND any(x IN stmt.action WHERE x = '*')
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-iam-statements-allow-delete-policy",
-            name="Identify IAM statements that allow iam:DeletePolicy",
-            description="Find IAM policy statements that allow the iam:DeletePolicy action within the selected account.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)--(pol:AWSPolicy)--(stmt:AWSPolicyStatement)
-                WHERE stmt.effect = 'Allow'
-                    AND any(x IN stmt.action WHERE x = "iam:DeletePolicy")
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-iam-statements-allow-create-actions",
-            name="Identify IAM statements that allow create actions",
-            description="Find IAM policy statements that allow actions containing 'create' within the selected account.",
-            provider="aws",
-            cypher="""
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)--(pol:AWSPolicy)--(stmt:AWSPolicyStatement)
-                WHERE stmt.effect = "Allow"
-                    AND any(x IN stmt.action WHERE toLower(x) CONTAINS "create")
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-ec2-instances-internet-exposed",
-            name="Identify internet-exposed EC2 instances",
-            description="Find EC2 instances flagged as exposed to the internet within the selected account.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(ec2:EC2Instance)
-                WHERE ec2.exposed_internet = true
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, ec2)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-security-groups-open-internet-facing",
-            name="Identify internet-facing resources with open security groups",
-            description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
-                MATCH path_ec2 = (aws:AWSAccount {id: $provider_uid})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
-                WHERE ec2.exposed_internet = true
-                    AND ir.range = "0.0.0.0/0"
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, ec2)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path_ec2) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path_ec2, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-classic-elb-internet-exposed",
-            name="Identify internet-exposed Classic Load Balancers",
-            description="Find Classic Load Balancers exposed to the internet along with their listeners.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(elb:LoadBalancer)--(listener:ELBListener)
-                WHERE elb.exposed_internet = true
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, elb)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-elbv2-internet-exposed",
-            name="Identify internet-exposed ELBv2 load balancers",
-            description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                MATCH path = (aws:AWSAccount {id: $provider_uid})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
-                WHERE elbv2.exposed_internet = true
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, elbv2)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-public-ip-resource-lookup",
-            name="Identify resources by public IP address",
-            description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['Internet'], {id: 'Internet', name: 'Internet'})
-                YIELD node AS internet
-
-                CALL () {
-                    MATCH path = (aws:AWSAccount {id: $provider_uid})-[r]-(x:EC2PrivateIp)-[q]-(y)
-                    WHERE x.public_ip = $ip
-                    RETURN path, x
-
-                    UNION MATCH path = (aws:AWSAccount {id: $provider_uid})-[r]-(x:EC2Instance)-[q]-(y)
-                    WHERE x.publicipaddress = $ip
-                    RETURN path, x
-
-                    UNION MATCH path = (aws:AWSAccount {id: $provider_uid})-[r]-(x:NetworkInterface)-[q]-(y)
-                    WHERE x.public_ip = $ip
-                    RETURN path, x
-
-                    UNION MATCH path = (aws:AWSAccount {id: $provider_uid})-[r]-(x:ElasticIPAddress)-[q]-(y)
-                    WHERE x.public_ip = $ip
-                    RETURN path, x
-                }
-
-                WITH path, x, internet
-
-                CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {}, x)
-                YIELD rel AS can_access
-
-                UNWIND nodes(path) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
-            """,
-            parameters=[
-                AttackPathsQueryParameterDefinition(
-                    name="ip",
-                    label="IP address",
-                    description="Public IP address, e.g. 192.0.2.0.",
-                    placeholder="192.0.2.0",
-                ),
-            ],
-        ),
-        # Privilege Escalation Queries (based on pathfinding.cloud research): https://github.com/DataDog/pathfinding.cloud
-        AttackPathsQueryDefinition(
-            id="aws-iam-privesc-passrole-ec2",
-            name="Privilege Escalation: iam:PassRole + ec2:RunInstances",
-            description="Detect principals who can launch EC2 instances with privileged IAM roles attached. This allows gaining the permissions of the passed role by accessing the EC2 instance metadata service. This is a new-passrole escalation path (pathfinding.cloud: ec2-001).",
-            provider="aws",
-            cypher="""
-                // Create a single shared virtual EC2 instance node
-                CALL apoc.create.vNode(['EC2Instance'], {
-                    id: 'potential-ec2-passrole',
-                    name: 'New EC2 Instance',
-                    description: 'Attacker-controlled EC2 with privileged role'
-                })
-                YIELD node AS ec2_node
-
-                // Create a single shared virtual escalation outcome node (styled like a finding)
-                CALL apoc.create.vNode(['PrivilegeEscalation'], {
-                    id: 'effective-administrator-passrole-ec2',
-                    check_title: 'Privilege Escalation',
-                    name: 'Effective Administrator',
-                    status: 'FAIL',
-                    severity: 'critical'
-                })
-                YIELD node AS escalation_outcome
-
-                WITH ec2_node, escalation_outcome
-
-                // Find principals in the account
-                MATCH path_principal = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)
-
-                // Find statements granting iam:PassRole
-                MATCH path_passrole = (principal)--(passrole_policy:AWSPolicy)--(stmt_passrole:AWSPolicyStatement)
-                WHERE stmt_passrole.effect = 'Allow'
-                    AND any(action IN stmt_passrole.action WHERE
-                        toLower(action) = 'iam:passrole'
-                        OR toLower(action) = 'iam:*'
-                        OR action = '*'
-                    )
-
-                // Find statements granting ec2:RunInstances
-                MATCH path_ec2 = (principal)--(ec2_policy:AWSPolicy)--(stmt_ec2:AWSPolicyStatement)
-                WHERE stmt_ec2.effect = 'Allow'
-                    AND any(action IN stmt_ec2.action WHERE
-                        toLower(action) = 'ec2:runinstances'
-                        OR toLower(action) = 'ec2:*'
-                        OR action = '*'
-                    )
-
-                // Find roles that trust EC2 service (can be passed to EC2)
-                MATCH path_target = (aws)--(target_role:AWSRole)
-                WHERE target_role.arn CONTAINS $provider_uid
-                    // Check if principal can pass this role
-                    AND any(resource IN stmt_passrole.resource WHERE
-                        resource = '*'
-                        OR target_role.arn CONTAINS resource
-                        OR resource CONTAINS target_role.name
-                    )
-
-                // Check if target role has elevated permissions (optional, for severity assessment)
-                OPTIONAL MATCH (target_role)--(role_policy:AWSPolicy)--(role_stmt:AWSPolicyStatement)
-                WHERE role_stmt.effect = 'Allow'
-                    AND (
-                        any(action IN role_stmt.action WHERE action = '*')
-                        OR any(action IN role_stmt.action WHERE toLower(action) = 'iam:*')
-                    )
-
-                CALL apoc.create.vRelationship(principal, 'CAN_LAUNCH', {
-                    via: 'ec2:RunInstances + iam:PassRole'
-                }, ec2_node)
-                YIELD rel AS launch_rel
-
-                CALL apoc.create.vRelationship(ec2_node, 'ASSUMES_ROLE', {}, target_role)
-                YIELD rel AS assumes_rel
-
-                CALL apoc.create.vRelationship(target_role, 'GRANTS_ACCESS', {
-                    reference: 'https://pathfinding.cloud/paths/ec2-001'
-                }, escalation_outcome)
-                YIELD rel AS grants_rel
-
-                UNWIND nodes(path_principal) + nodes(path_passrole) + nodes(path_ec2) + nodes(path_target) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path_principal, path_passrole, path_ec2, path_target,
-                       ec2_node, escalation_outcome, launch_rel, assumes_rel, grants_rel,
-                       collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-glue-privesc-passrole-dev-endpoint",
-            name="Privilege Escalation: Glue Dev Endpoint with PassRole",
-            description="Detect principals that can escalate privileges by passing a role to a Glue development endpoint. The attacker creates a dev endpoint with an arbitrary role attached, then accesses those credentials through the endpoint.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['PrivilegeEscalation'], {
-                    id: 'effective-administrator-glue',
-                    check_title: 'Privilege Escalation',
-                    name: 'Effective Administrator (Glue)',
-                    status: 'FAIL',
-                    severity: 'critical'
-                })
-                YIELD node AS escalation_outcome
-
-                WITH escalation_outcome
-
-                // Find principals in the account
-                MATCH path_principal = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)
-
-                // Principal can assume roles (up to 2 hops)
-                OPTIONAL MATCH path_assume = (principal)-[:STS_ASSUMEROLE_ALLOW*0..2]->(acting_as:AWSRole)
-                WITH escalation_outcome, principal, path_principal, path_assume,
-                     CASE WHEN path_assume IS NULL THEN principal ELSE acting_as END AS effective_principal
-
-                // Find iam:PassRole permission
-                MATCH path_passrole = (effective_principal)--(passrole_policy:AWSPolicy)--(passrole_stmt:AWSPolicyStatement)
-                WHERE passrole_stmt.effect = 'Allow'
-                    AND any(action IN passrole_stmt.action WHERE toLower(action) = 'iam:passrole' OR action = '*')
-
-                // Find Glue CreateDevEndpoint permission
-                MATCH (effective_principal)--(glue_policy:AWSPolicy)--(glue_stmt:AWSPolicyStatement)
-                WHERE glue_stmt.effect = 'Allow'
-                    AND any(action IN glue_stmt.action WHERE toLower(action) = 'glue:createdevendpoint' OR action = '*' OR toLower(action) = 'glue:*')
-
-                // Find target role with elevated permissions
-                MATCH (aws)--(target_role:AWSRole)--(target_policy:AWSPolicy)--(target_stmt:AWSPolicyStatement)
-                WHERE target_stmt.effect = 'Allow'
-                    AND (
-                        any(action IN target_stmt.action WHERE action = '*')
-                        OR any(action IN target_stmt.action WHERE toLower(action) = 'iam:*')
-                    )
-
-                // Deduplicate before creating virtual nodes
-                WITH DISTINCT escalation_outcome, aws, principal, effective_principal, target_role
-
-                // Create virtual Glue endpoint node (one per unique principal->target pair)
-                CALL apoc.create.vNode(['GlueDevEndpoint'], {
-                    name: 'New Dev Endpoint',
-                    description: 'Glue endpoint with target role attached',
-                    id: effective_principal.arn + '->' + target_role.arn
-                })
-                YIELD node AS glue_endpoint
-
-                CALL apoc.create.vRelationship(effective_principal, 'CREATES_ENDPOINT', {
-                    permissions: ['iam:PassRole', 'glue:CreateDevEndpoint'],
-                    technique: 'new-passrole'
-                }, glue_endpoint)
-                YIELD rel AS create_rel
-
-                CALL apoc.create.vRelationship(glue_endpoint, 'RUNS_AS', {}, target_role)
-                YIELD rel AS runs_rel
-
-                CALL apoc.create.vRelationship(target_role, 'GRANTS_ACCESS', {
-                    reference: 'https://pathfinding.cloud/paths/glue-001'
-                }, escalation_outcome)
-                YIELD rel AS grants_rel
-
-                // Re-match paths for visualization
-                MATCH path_principal = (aws)--(principal)
-                MATCH path_target = (aws)--(target_role)
-
-                RETURN path_principal, path_target,
-                       glue_endpoint, escalation_outcome, create_rel, runs_rel, grants_rel
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-iam-privesc-attach-role-policy-assume-role",
-            name="Privilege Escalation: iam:AttachRolePolicy + sts:AssumeRole",
-            description="Detect principals who can both attach policies to roles AND assume those roles. This two-step attack allows modifying a role's permissions then assuming it to gain elevated access. This is a principal-access escalation path (pathfinding.cloud: iam-014).",
-            provider="aws",
-            cypher="""
-                // Create a virtual escalation outcome node (styled like a finding)
-                CALL apoc.create.vNode(['PrivilegeEscalation'], {
-                    id: 'effective-administrator',
-                    check_title: 'Privilege Escalation',
-                    name: 'Effective Administrator',
-                    status: 'FAIL',
-                    severity: 'critical'
-                })
-                YIELD node AS admin_outcome
-
-                WITH admin_outcome
-
-                // Find principals in the account
-                MATCH path_principal = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)
-
-                // Find statements granting iam:AttachRolePolicy
-                MATCH path_attach = (principal)--(attach_policy:AWSPolicy)--(stmt_attach:AWSPolicyStatement)
-                WHERE stmt_attach.effect = 'Allow'
-                    AND any(action IN stmt_attach.action WHERE
-                        toLower(action) = 'iam:attachrolepolicy'
-                        OR toLower(action) = 'iam:*'
-                        OR action = '*'
-                    )
-
-                // Find statements granting sts:AssumeRole
-                MATCH path_assume = (principal)--(assume_policy:AWSPolicy)--(stmt_assume:AWSPolicyStatement)
-                WHERE stmt_assume.effect = 'Allow'
-                    AND any(action IN stmt_assume.action WHERE
-                        toLower(action) = 'sts:assumerole'
-                        OR toLower(action) = 'sts:*'
-                        OR action = '*'
-                    )
-
-                // Find target roles that the principal can both modify AND assume
-                MATCH path_target = (aws)--(target_role:AWSRole)
-                WHERE target_role.arn CONTAINS $provider_uid
-                    // Can attach policy to this role
-                    AND any(resource IN stmt_attach.resource WHERE
-                        resource = '*'
-                        OR target_role.arn CONTAINS resource
-                        OR resource CONTAINS target_role.name
-                    )
-                    // Can assume this role
-                    AND any(resource IN stmt_assume.resource WHERE
-                        resource = '*'
-                        OR target_role.arn CONTAINS resource
-                        OR resource CONTAINS target_role.name
-                    )
-
-                // Deduplicate before creating virtual relationships
-                WITH DISTINCT admin_outcome, aws, principal, target_role
-
-                // Create virtual relationships showing the attack path
-                CALL apoc.create.vRelationship(principal, 'CAN_MODIFY', {
-                    via: 'iam:AttachRolePolicy'
-                }, target_role)
-                YIELD rel AS modify_rel
-
-                CALL apoc.create.vRelationship(target_role, 'LEADS_TO', {
-                    technique: 'iam:AttachRolePolicy + sts:AssumeRole',
-                    via: 'sts:AssumeRole',
-                    reference: 'https://pathfinding.cloud/paths/iam-014'
-                }, admin_outcome)
-                YIELD rel AS escalation_rel
-
-                // Re-match paths for visualization
-                MATCH path_principal = (aws)--(principal)
-                MATCH path_target = (aws)--(target_role)
-
-                UNWIND nodes(path_principal) + nodes(path_target) as n
-                OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding)
-                WHERE pf.status = 'FAIL'
-
-                RETURN path_principal, path_target,
-                       admin_outcome, modify_rel, escalation_rel,
-                       collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
-            """,
-            parameters=[],
-        ),
-        AttackPathsQueryDefinition(
-            id="aws-bedrock-privesc-passrole-code-interpreter",
-            name="Privilege Escalation: Bedrock Code Interpreter with PassRole",
-            description="Detect principals that can escalate privileges by passing a role to a Bedrock AgentCore Code Interpreter. The attacker creates a code interpreter with an arbitrary role, then invokes it to execute code with those credentials.",
-            provider="aws",
-            cypher="""
-                CALL apoc.create.vNode(['PrivilegeEscalation'], {
-                    id: 'effective-administrator-bedrock',
-                    check_title: 'Privilege Escalation',
-                    name: 'Effective Administrator (Bedrock)',
-                    status: 'FAIL',
-                    severity: 'critical'
-                })
-                YIELD node AS escalation_outcome
-
-                WITH escalation_outcome
-
-                // Find principals in the account
-                MATCH path_principal = (aws:AWSAccount {id: $provider_uid})--(principal:AWSPrincipal)
-
-                // Principal can assume roles (up to 2 hops)
-                OPTIONAL MATCH path_assume = (principal)-[:STS_ASSUMEROLE_ALLOW*0..2]->(acting_as:AWSRole)
-                WITH escalation_outcome, aws, principal, path_principal, path_assume,
-                     CASE WHEN path_assume IS NULL THEN principal ELSE acting_as END AS effective_principal
-
-                // Find iam:PassRole permission
-                MATCH path_passrole = (effective_principal)--(passrole_policy:AWSPolicy)--(passrole_stmt:AWSPolicyStatement)
-                WHERE passrole_stmt.effect = 'Allow'
-                    AND any(action IN passrole_stmt.action WHERE toLower(action) = 'iam:passrole' OR action = '*')
-
-                // Find Bedrock AgentCore permissions
-                MATCH (effective_principal)--(bedrock_policy:AWSPolicy)--(bedrock_stmt:AWSPolicyStatement)
-                WHERE bedrock_stmt.effect = 'Allow'
-                    AND (
-                        any(action IN bedrock_stmt.action WHERE toLower(action) = 'bedrock-agentcore:createcodeinterpreter' OR action = '*' OR toLower(action) = 'bedrock-agentcore:*')
-                    )
-                    AND (
-                        any(action IN bedrock_stmt.action WHERE toLower(action) = 'bedrock-agentcore:startsession' OR action = '*' OR toLower(action) = 'bedrock-agentcore:*')
-                    )
-                    AND (
-                        any(action IN bedrock_stmt.action WHERE toLower(action) = 'bedrock-agentcore:invoke' OR action = '*' OR toLower(action) = 'bedrock-agentcore:*')
-                    )
-
-                // Find target roles with elevated permissions that could be passed
-                MATCH (aws)--(target_role:AWSRole)--(target_policy:AWSPolicy)--(target_stmt:AWSPolicyStatement)
-                WHERE target_stmt.effect = 'Allow'
-                    AND (
-                        any(action IN target_stmt.action WHERE action = '*')
-                        OR any(action IN target_stmt.action WHERE toLower(action) = 'iam:*')
-                    )
-
-                // Deduplicate per (principal, target_role) pair
-                WITH DISTINCT escalation_outcome, aws, principal, target_role
-
-                // Group by principal, collect target_roles
-                WITH escalation_outcome, aws, principal,
-                     collect(DISTINCT target_role) AS target_roles,
-                     count(DISTINCT target_role) AS target_count
-
-                // Create single virtual Bedrock node per principal
-                CALL apoc.create.vNode(['BedrockCodeInterpreter'], {
-                    name: 'New Code Interpreter',
-                    description: toString(target_count) + ' admin role(s) can be passed',
-                    id: principal.arn,
-                    target_role_count: target_count
-                })
-                YIELD node AS bedrock_agent
-
-                // Connect from principal (not effective_principal) to keep graph connected
-                CALL apoc.create.vRelationship(principal, 'CREATES_INTERPRETER', {
-                    permissions: ['iam:PassRole', 'bedrock-agentcore:CreateCodeInterpreter', 'bedrock-agentcore:StartSession', 'bedrock-agentcore:Invoke'],
-                    technique: 'new-passrole'
-                }, bedrock_agent)
-                YIELD rel AS create_rel
-
-                // UNWIND target_roles to show which roles can be passed
-                UNWIND target_roles AS target_role
-
-                CALL apoc.create.vRelationship(bedrock_agent, 'PASSES_ROLE', {}, target_role)
-                YIELD rel AS pass_rel
-
-                CALL apoc.create.vRelationship(target_role, 'GRANTS_ACCESS', {
-                    reference: 'https://pathfinding.cloud/paths/bedrock-001'
-                }, escalation_outcome)
-                YIELD rel AS grants_rel
-
-                // Re-match path for visualization
-                MATCH path_principal = (aws)--(principal)
-
-                RETURN path_principal,
-                       bedrock_agent, target_role, escalation_outcome, create_rel, pass_rel, grants_rel, target_count
-            """,
-            parameters=[],
-        ),
-    ],
-}
-
-_QUERIES_BY_ID: dict[str, AttackPathsQueryDefinition] = {
-    definition.id: definition
-    for definitions in _QUERY_DEFINITIONS.values()
-    for definition in definitions
-}

api/src/backend/api/attack_paths/retryable_session.py

@@ -1,92 +0,0 @@
-import logging
-
-from collections.abc import Callable
-from typing import Any
-
-import neo4j
-import neo4j.exceptions
-
-logger = logging.getLogger(__name__)
-
-
-class RetryableSession:
-    """
-    Wrapper around `neo4j.Session` that retries `neo4j.exceptions.ServiceUnavailable` errors.
-    """
-
-    def __init__(
-        self,
-        session_factory: Callable[[], neo4j.Session],
-        max_retries: int,
-    ) -> None:
-        self._session_factory = session_factory
-        self._max_retries = max(0, max_retries)
-        self._session = self._session_factory()
-
-    def close(self) -> None:
-        if self._session is not None:
-            self._session.close()
-            self._session = None
-
-    def __enter__(self) -> "RetryableSession":
-        return self
-
-    def __exit__(
-        self, _: Any, __: Any, ___: Any
-    ) -> None:  # Unused args:  exc_type, exc, exc_tb
-        self.close()
-
-    def run(self, *args: Any, **kwargs: Any) -> Any:
-        return self._call_with_retry("run", *args, **kwargs)
-
-    def write_transaction(self, *args: Any, **kwargs: Any) -> Any:
-        return self._call_with_retry("write_transaction", *args, **kwargs)
-
-    def read_transaction(self, *args: Any, **kwargs: Any) -> Any:
-        return self._call_with_retry("read_transaction", *args, **kwargs)
-
-    def execute_write(self, *args: Any, **kwargs: Any) -> Any:
-        return self._call_with_retry("execute_write", *args, **kwargs)
-
-    def execute_read(self, *args: Any, **kwargs: Any) -> Any:
-        return self._call_with_retry("execute_read", *args, **kwargs)
-
-    def __getattr__(self, item: str) -> Any:
-        return getattr(self._session, item)
-
-    def _call_with_retry(self, method_name: str, *args: Any, **kwargs: Any) -> Any:
-        attempt = 0
-        last_exc: Exception | None = None
-
-        while attempt <= self._max_retries:
-            try:
-                method = getattr(self._session, method_name)
-                return method(*args, **kwargs)
-
-            except (
-                BrokenPipeError,
-                ConnectionResetError,
-                neo4j.exceptions.ServiceUnavailable,
-            ) as exc:  # pragma: no cover - depends on infra
-                last_exc = exc
-                attempt += 1
-
-                if attempt > self._max_retries:
-                    raise
-
-                logger.warning(
-                    f"Neo4j session {method_name} failed with {type(exc).__name__} ({attempt}/{self._max_retries} attempts). Retrying..."
-                )
-                self._refresh_session()
-
-        raise last_exc if last_exc else RuntimeError("Unexpected retry loop exit")
-
-    def _refresh_session(self) -> None:
-        if self._session is not None:
-            try:
-                self._session.close()
-            except Exception:
-                # Best-effort close; failures just mean we open a new session below
-                pass
-
-        self._session = self._session_factory()

api/src/backend/api/attack_paths/views_helpers.py

@@ -1,143 +0,0 @@
-import logging
-
-from typing import Any
-
-from rest_framework.exceptions import APIException, ValidationError
-
-from api.attack_paths import database as graph_database, AttackPathsQueryDefinition
-from api.models import AttackPathsScan
-from config.custom_logging import BackendLogger
-
-logger = logging.getLogger(BackendLogger.API)
-
-
-def normalize_run_payload(raw_data):
-    if not isinstance(raw_data, dict):  # Let the serializer handle this
-        return raw_data
-
-    if "data" in raw_data and isinstance(raw_data.get("data"), dict):
-        data_section = raw_data.get("data") or {}
-        attributes = data_section.get("attributes") or {}
-        payload = {
-            "id": attributes.get("id", data_section.get("id")),
-            "parameters": attributes.get("parameters"),
-        }
-
-        # Remove `None` parameters to allow defaults downstream
-        if payload.get("parameters") is None:
-            payload.pop("parameters")
-        return payload
-
-    return raw_data
-
-
-def prepare_query_parameters(
-    definition: AttackPathsQueryDefinition,
-    provided_parameters: dict[str, Any],
-    provider_uid: str,
-) -> dict[str, Any]:
-    parameters = dict(provided_parameters or {})
-    expected_names = {parameter.name for parameter in definition.parameters}
-    provided_names = set(parameters.keys())
-
-    unexpected = provided_names - expected_names
-    if unexpected:
-        raise ValidationError(
-            {"parameters": f"Unknown parameter(s): {', '.join(sorted(unexpected))}"}
-        )
-
-    missing = expected_names - provided_names
-    if missing:
-        raise ValidationError(
-            {
-                "parameters": f"Missing required parameter(s): {', '.join(sorted(missing))}"
-            }
-        )
-
-    clean_parameters = {
-        "provider_uid": str(provider_uid),
-    }
-
-    for definition_parameter in definition.parameters:
-        raw_value = provided_parameters[definition_parameter.name]
-
-        try:
-            casted_value = definition_parameter.cast(raw_value)
-
-        except (ValueError, TypeError) as exc:
-            raise ValidationError(
-                {
-                    "parameters": (
-                        f"Invalid value for parameter `{definition_parameter.name}`: {str(exc)}"
-                    )
-                }
-            )
-
-        clean_parameters[definition_parameter.name] = casted_value
-
-    return clean_parameters
-
-
-def execute_attack_paths_query(
-    attack_paths_scan: AttackPathsScan,
-    definition: AttackPathsQueryDefinition,
-    parameters: dict[str, Any],
-) -> dict[str, Any]:
-    try:
-        with graph_database.get_session(attack_paths_scan.graph_database) as session:
-            result = session.run(definition.cypher, parameters)
-            return _serialize_graph(result.graph())
-
-    except graph_database.GraphDatabaseQueryException as exc:
-        logger.error(f"Query failed for Attack Paths query `{definition.id}`: {exc}")
-        raise APIException(
-            "Attack Paths query execution failed due to a database error"
-        )
-
-
-def _serialize_graph(graph):
-    nodes = []
-    for node in graph.nodes:
-        nodes.append(
-            {
-                "id": node.element_id,
-                "labels": list(node.labels),
-                "properties": _serialize_properties(node._properties),
-            },
-        )
-
-    relationships = []
-    for relationship in graph.relationships:
-        relationships.append(
-            {
-                "id": relationship.element_id,
-                "label": relationship.type,
-                "source": relationship.start_node.element_id,
-                "target": relationship.end_node.element_id,
-                "properties": _serialize_properties(relationship._properties),
-            },
-        )
-
-    return {
-        "nodes": nodes,
-        "relationships": relationships,
-    }
-
-
-def _serialize_properties(properties: dict[str, Any]) -> dict[str, Any]:
-    """Convert Neo4j property values into JSON-serializable primitives."""
-
-    def _serialize_value(value: Any) -> Any:
-        # Neo4j temporal and spatial values expose `to_native` returning Python primitives
-        if hasattr(value, "to_native") and callable(value.to_native):
-            return _serialize_value(value.to_native())
-
-        if isinstance(value, (list, tuple)):
-            return [_serialize_value(item) for item in value]
-
-        if isinstance(value, dict):
-            return {key: _serialize_value(val) for key, val in value.items()}
-
-        return value
-
-    return {key: _serialize_value(val) for key, val in properties.items()}

api/src/backend/api/authentication.py

@@ -1,95 +0,0 @@
-from typing import Optional, Tuple
-from uuid import UUID
-
-from cryptography.fernet import InvalidToken
-from django.utils import timezone
-from drf_simple_apikey.backends import APIKeyAuthentication as BaseAPIKeyAuth
-from drf_simple_apikey.crypto import get_crypto
-from rest_framework.authentication import BaseAuthentication
-from rest_framework.exceptions import AuthenticationFailed
-from rest_framework.request import Request
-from rest_framework_simplejwt.authentication import JWTAuthentication
-
-from api.db_router import MainRouter
-from api.models import TenantAPIKey, TenantAPIKeyManager
-
-
-class TenantAPIKeyAuthentication(BaseAPIKeyAuth):
-    model = TenantAPIKey
-
-    def __init__(self):
-        self.key_crypto = get_crypto()
-
-    def _authenticate_credentials(self, request, key):
-        """
-        Override to use admin connection, bypassing RLS during authentication.
-        Delegates to parent after temporarily routing model queries to admin DB.
-        """
-        # Temporarily point the model's manager to admin database
-        original_objects = self.model.objects
-        self.model.objects = self.model.objects.using(MainRouter.admin_db)
-
-        try:
-            # Call parent method which will now use admin database
-            return super()._authenticate_credentials(request, key)
-        finally:
-            # Restore original manager
-            self.model.objects = original_objects
-
-    def authenticate(self, request: Request):
-        prefixed_key = self.get_key(request)
-
-        # Split prefix from key (format: pk_xxxxxxxx.encrypted_key)
-        try:
-            prefix, key = prefixed_key.split(TenantAPIKeyManager.separator, 1)
-        except ValueError:
-            raise AuthenticationFailed("Invalid API Key.")
-
-        try:
-            entity, _ = self._authenticate_credentials(request, key)
-        except InvalidToken:
-            raise AuthenticationFailed("Invalid API Key.")
-
-        # Get the API key instance to update last_used_at and retrieve tenant info
-        # We need to decrypt again to get the pk (already validated by _authenticate_credentials)
-        payload = self.key_crypto.decrypt(key)
-        api_key_pk = payload["_pk"]
-
-        # Convert string UUID back to UUID object for lookup
-        if isinstance(api_key_pk, str):
-            api_key_pk = UUID(api_key_pk)
-
-        try:
-            api_key_instance = TenantAPIKey.objects.using(MainRouter.admin_db).get(
-                id=api_key_pk, prefix=prefix
-            )
-        except TenantAPIKey.DoesNotExist:
-            raise AuthenticationFailed("Invalid API Key.")
-
-        # Update last_used_at
-        api_key_instance.last_used_at = timezone.now()
-        api_key_instance.save(update_fields=["last_used_at"], using=MainRouter.admin_db)
-
-        return entity, {
-            "tenant_id": str(api_key_instance.tenant_id),
-            "sub": str(api_key_instance.entity.id),
-            "api_key_prefix": prefix,
-        }
-
-
-class CombinedJWTOrAPIKeyAuthentication(BaseAuthentication):
-    jwt_auth = JWTAuthentication()
-    api_key_auth = TenantAPIKeyAuthentication()
-
-    def authenticate(self, request: Request) -> Optional[Tuple[object, dict]]:
-        auth_header = request.headers.get("Authorization", "")
-
-        # Prioritize JWT authentication if both are present
-        if auth_header.startswith("Bearer "):
-            return self.jwt_auth.authenticate(request)
-
-        if auth_header.startswith("Api-Key "):
-            return self.api_key_auth.authenticate(request)
-
-        # Default fallback
-        return self.jwt_auth.authenticate(request)