chore: resolve merge conflict in CHANGELOG.md

Fix E225 (missing whitespace around =) in provider.py and W292
(missing trailing newline) in check file. Update metadata CheckTitle
to describe PASS state and Recommendation URL to point to Prowler Hub.

.config/wt.toml

@@ -1,23 +0,0 @@
-# Prowler worktree automation for worktrunk (wt CLI).
-# Runs automatically on `wt switch --create`.
-
-# Block 1: setup + copy gitignored env files (.envrc, ui/.env.local)
-# from the primary worktree — patterns selected via .worktreeinclude.
-[[pre-start]]
-skills = "./skills/setup.sh --claude"
-python = "poetry env use python3.12"
-envs = "wt step copy-ignored"
-
-# Block 2: install Python deps (requires `poetry env use` from block 1).
-[[pre-start]]
-deps = "poetry install --with dev"
-
-# Block 3: reminder — last visible output before `wt switch` returns.
-# Hooks can't mutate the parent shell, so venv activation is manual.
-[[pre-start]]
-reminder = "echo '>> Reminder: activate the venv in this shell with: eval $(poetry env activate)'"
-
-# Background: pnpm install runs while you start working.
-# Tail logs via `wt config state logs`.
-[post-start]
-ui = "cd ui && pnpm install"

.env

@@ -78,9 +78,6 @@ TASK_RETRY_ATTEMPTS=5
 
 # Valkey settings
 # If running Valkey and celery on host, use localhost, else use 'valkey'
-VALKEY_SCHEME=redis
-VALKEY_USERNAME=
-VALKEY_PASSWORD=
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
 VALKEY_DB=0
@@ -145,7 +142,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
 
 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.26.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
 
 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"

.github/CODEOWNERS

@@ -1,15 +1,14 @@
 # SDK
-/* @prowler-cloud/detection-remediation
-/prowler/ @prowler-cloud/detection-remediation
-/prowler/compliance/ @prowler-cloud/compliance
-/tests/ @prowler-cloud/detection-remediation
-/dashboard/ @prowler-cloud/detection-remediation
-/docs/ @prowler-cloud/detection-remediation
-/examples/ @prowler-cloud/detection-remediation
-/util/ @prowler-cloud/detection-remediation
-/contrib/ @prowler-cloud/detection-remediation
-/permissions/ @prowler-cloud/detection-remediation
-/codecov.yml @prowler-cloud/detection-remediation @prowler-cloud/api
+/* @prowler-cloud/sdk
+/prowler/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/tests/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/dashboard/ @prowler-cloud/sdk
+/docs/ @prowler-cloud/sdk
+/examples/ @prowler-cloud/sdk
+/util/ @prowler-cloud/sdk
+/contrib/ @prowler-cloud/sdk
+/permissions/ @prowler-cloud/sdk
+/codecov.yml @prowler-cloud/sdk @prowler-cloud/api
 
 # API
 /api/ @prowler-cloud/api
@@ -18,7 +17,7 @@
 /ui/ @prowler-cloud/ui
 
 # AI
-/mcp_server/ @prowler-cloud/detection-remediation
+/mcp_server/ @prowler-cloud/ai
 
 # Platform
 /.github/ @prowler-cloud/platform

.github/actions/setup-python-poetry/action.yml

@@ -13,19 +13,11 @@ inputs:
   poetry-version:
     description: 'Poetry version to install'
     required: false
-    default: '2.3.4'
+    default: '2.1.1'
   install-dependencies:
     description: 'Install Python dependencies with Poetry'
     required: false
     default: 'true'
-  update-lock:
-    description: 'Run `poetry lock` during setup. Only enable when a prior step mutates pyproject.toml (e.g. API `@master` VCS rewrite). Default: false.'
-    required: false
-    default: 'false'
-  enable-cache:
-    description: 'Whether to enable Poetry dependency caching via actions/setup-python'
-    required: false
-    default: 'true'
 
 runs:
   using: 'composite'
@@ -34,18 +26,10 @@ runs:
       if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
-      env:
-        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
       run: |
         BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-        UPSTREAM="prowler-cloud/prowler"
-        if [ "$HEAD_REPO" != "$UPSTREAM" ]; then
-          echo "Fork PR detected (${HEAD_REPO}), rewriting VCS URL to fork"
-          sed -i "s|git+https://github.com/prowler-cloud/prowler\([^@]*\)@master|git+https://github.com/${HEAD_REPO}\1@$BRANCH_NAME|g" pyproject.toml
-        else
-          echo "Same-repo PR, using branch: $BRANCH_NAME"
-          sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
-        fi
+        echo "Using branch: $BRANCH_NAME"
+        sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
 
     - name: Install poetry
       shell: bash
@@ -68,8 +52,21 @@ runs:
         echo "Updated resolved_reference:"
         grep -A2 -B2 "resolved_reference" poetry.lock
 
+    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
+      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
+        echo "Latest commit hash: $LATEST_COMMIT"
+        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+        }' poetry.lock
+        echo "Updated resolved_reference:"
+        grep -A2 -B2 "resolved_reference" poetry.lock
+
     - name: Update poetry.lock (prowler repo only)
-      if: github.repository == 'prowler-cloud/prowler' && inputs.update-lock == 'true'
+      if: github.repository == 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: poetry lock
@@ -78,10 +75,8 @@ runs:
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ inputs.python-version }}
-        # Disable cache when callers skip dependency install: Poetry 2.3.4 creates
-        # the venv in a path setup-python can't hash, breaking the post-step save-cache.
-        cache: ${{ inputs.enable-cache == 'true' && 'poetry' || '' }}
-        cache-dependency-path: ${{ inputs.enable-cache == 'true' && format('{0}/poetry.lock', inputs.working-directory) || '' }}
+        cache: 'poetry'
+        cache-dependency-path: ${{ inputs.working-directory }}/poetry.lock
 
     - name: Install Python dependencies
       if: inputs.install-dependencies == 'true'

.github/actions/trivy-scan/action.yml

@@ -117,10 +117,7 @@ runs:
         INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}
 
     - name: Comment scan results on PR
-      if: >-
-        inputs.create-pr-comment == 'true'
-        && github.event_name == 'pull_request'
-        && github.event.pull_request.head.repo.full_name == github.repository
+      if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       env:
         IMAGE_NAME: ${{ inputs.image-name }}

.github/dependabot.yml

@@ -66,18 +66,6 @@ updates:
     cooldown:
       default-days: 7
 
-  - package-ecosystem: "pre-commit"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pre-commit"
-    cooldown:
-      default-days: 7
-
   # Dependabot Updates are temporary disabled - 2025/04/15
   # v4.6
   # - package-ecosystem: "pip"

.github/labeler.yml

@@ -67,11 +67,6 @@ provider/googleworkspace:
       - any-glob-to-any-file: "prowler/providers/googleworkspace/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/**"
 
-provider/vercel:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/vercel/**"
-      - any-glob-to-any-file: "tests/providers/vercel/**"
-
 github_actions:
   - changed-files:
       - any-glob-to-any-file: ".github/workflows/*"
@@ -107,8 +102,6 @@ mutelist:
       - any-glob-to-any-file: "tests/providers/openstack/lib/mutelist/**"
       - any-glob-to-any-file: "prowler/providers/googleworkspace/lib/mutelist/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/vercel/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/vercel/lib/mutelist/**"
 
 integration/s3:
   - changed-files:

.github/scripts/test-e2e-path-resolution.sh

@@ -1,350 +0,0 @@
-#!/usr/bin/env bash
-#
-# Test script for E2E test path resolution logic from ui-e2e-tests-v2.yml.
-# Validates that the shell logic correctly transforms E2E_TEST_PATHS into
-# Playwright-compatible paths.
-#
-# Usage: .github/scripts/test-e2e-path-resolution.sh
-
-set -euo pipefail
-
-# -- Colors ------------------------------------------------------------------
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# -- Counters ----------------------------------------------------------------
-TOTAL=0
-PASSED=0
-FAILED=0
-
-# -- Temp directory setup & cleanup ------------------------------------------
-TMPDIR_ROOT="$(mktemp -d)"
-trap 'rm -rf "$TMPDIR_ROOT"' EXIT
-
-# ---------------------------------------------------------------------------
-# create_test_tree DIR [SUBDIRS_WITH_TESTS...]
-#
-# Creates a fake ui/tests/ tree inside DIR.
-# All standard subdirs are created (empty).
-# For each name in SUBDIRS_WITH_TESTS, a fake .spec.ts file is placed inside.
-# ---------------------------------------------------------------------------
-create_test_tree() {
-  local base="$1"; shift
-  local all_subdirs=(
-    auth home invitations profile providers scans
-    setups sign-in-base sign-up attack-paths findings
-    compliance browse manage-groups roles users overview
-    integrations
-  )
-
-  for d in "${all_subdirs[@]}"; do
-    mkdir -p "${base}/tests/${d}"
-  done
-
-  # Populate requested subdirs with a fake test file
-  for d in "$@"; do
-    mkdir -p "${base}/tests/${d}"
-    touch "${base}/tests/${d}/example.spec.ts"
-  done
-}
-
-# ---------------------------------------------------------------------------
-# resolve_paths E2E_TEST_PATHS WORKING_DIR
-#
-# Extracted EXACT logic from .github/workflows/ui-e2e-tests-v2.yml lines 212-250.
-# Outputs space-separated TEST_PATHS, or "SKIP" if no tests found.
-# Must be run with WORKING_DIR as the cwd equivalent (we cd into it).
-# ---------------------------------------------------------------------------
-resolve_paths() {
-  local E2E_TEST_PATHS="$1"
-  local WORKING_DIR="$2"
-
-  (
-    cd "$WORKING_DIR"
-
-    # --- Line 212-214: strip ui/ prefix, strip **, deduplicate ---------------
-    TEST_PATHS="${E2E_TEST_PATHS}"
-    TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
-
-    # --- Line 216: drop setup helpers ----------------------------------------
-    TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/' || true)
-
-    # --- Lines 219-230: safety net for bare tests/ --------------------------
-    if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-      SPECIFIC_DIRS=""
-      for dir in tests/*/; do
-        [[ "$dir" == "tests/setups/" ]] && continue
-        SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-      done
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/' || true)
-      TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-    fi
-
-    # --- Lines 231-234: bail if empty ----------------------------------------
-    if [[ -z "$TEST_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Lines 236-245: filter dirs with no test files -----------------------
-    VALID_PATHS=""
-    while IFS= read -r p; do
-      [[ -z "$p" ]] && continue
-      if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-        VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-      fi
-    done <<< "$TEST_PATHS"
-    VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$')
-
-    # --- Lines 246-249: bail if all empty ------------------------------------
-    if [[ -z "$VALID_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Line 250: final output (space-separated) ---------------------------
-    echo "$VALID_PATHS" | tr '\n' ' ' | sed 's/ $//'
-  )
-}
-
-# ---------------------------------------------------------------------------
-# run_test NAME INPUT EXPECTED_TYPE [EXPECTED_VALUE]
-#
-# EXPECTED_TYPE is one of:
-#   "contains <path>"  — output must contain this path
-#   "equals <value>"   — output must exactly equal this value
-#   "skip"             — expect SKIP (no runnable tests)
-#   "not_contains <p>" — output must NOT contain this path
-#
-# Multiple expectations can be specified by calling assert_* after run_test.
-# For convenience, run_test supports a single assertion inline.
-# ---------------------------------------------------------------------------
-CURRENT_RESULT=""
-CURRENT_TEST_NAME=""
-
-run_test() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  # Create a fresh temp tree per test
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  # Default populated dirs: scans, providers, auth, home, profile, sign-up, sign-in-base
-  create_test_tree "$test_dir" scans providers auth home profile sign-up sign-in-base
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-# Like run_test but lets caller specify which subdirs have test files.
-run_test_custom_tree() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-  shift 4
-  local populated_dirs=("$@")
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  create_test_tree "$test_dir" "${populated_dirs[@]}"
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-_check() {
-  local expect_type="$1"
-  local expect_value="$2"
-
-  case "$expect_type" in
-    skip)
-      if [[ "$CURRENT_RESULT" == "SKIP" ]]; then
-        _pass
-      else
-        _fail "expected SKIP, got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    contains)
-      if [[ "$CURRENT_RESULT" == *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    not_contains)
-      if [[ "$CURRENT_RESULT" != *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected NOT to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    equals)
-      if [[ "$CURRENT_RESULT" == "$expect_value" ]]; then
-        _pass
-      else
-        _fail "expected exactly '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    *)
-      _fail "unknown expect_type: $expect_type"
-      ;;
-  esac
-}
-
-_pass() {
-  PASSED=$((PASSED + 1))
-  printf '%b  PASS%b %s\n' "$GREEN" "$RESET" "$CURRENT_TEST_NAME"
-}
-
-_fail() {
-  FAILED=$((FAILED + 1))
-  printf '%b  FAIL%b %s\n' "$RED" "$RESET" "$CURRENT_TEST_NAME"
-  printf "        %s\n" "$1"
-}
-
-# ===========================================================================
-# TEST CASES
-# ===========================================================================
-
-echo ""
-printf '%bE2E Path Resolution Tests%b\n' "$BOLD" "$RESET"
-echo "=========================================="
-
-# 1. Normal single module
-run_test \
-  "1. Normal single module" \
-  "ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 2. Multiple modules
-run_test \
-  "2. Multiple modules — scans present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "2. Multiple modules — providers present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/providers/"
-
-# 3. Broad pattern (many modules)
-run_test \
-  "3. Broad pattern — no bare tests/" \
-  "ui/tests/auth/** ui/tests/scans/** ui/tests/providers/** ui/tests/home/** ui/tests/profile/**" \
-  "not_contains" "tests/ "
-
-# 4. Empty directory
-run_test \
-  "4. Empty directory — skipped" \
-  "ui/tests/attack-paths/**" \
-  "skip"
-
-# 5. Mix of populated and empty dirs
-run_test \
-  "5. Mix populated+empty — scans present" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "5. Mix populated+empty — attack-paths absent" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "not_contains" "tests/attack-paths/"
-
-# 6. All empty directories
-run_test \
-  "6. All empty directories" \
-  "ui/tests/attack-paths/** ui/tests/findings/**" \
-  "skip"
-
-# 7. Setup paths filtered
-run_test \
-  "7. Setup paths filtered out" \
-  "ui/tests/setups/**" \
-  "skip"
-
-# 8. Bare tests/ from broad pattern — safety net expands
-run_test \
-  "8. Bare tests/ expands — scans present" \
-  "ui/tests/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "8. Bare tests/ expands — setups excluded" \
-  "ui/tests/**" \
-  "not_contains" "tests/setups/"
-
-# 9. Bare tests/ with all empty subdirs (only setups has files)
-run_test_custom_tree \
-  "9. Bare tests/ — only setups has files" \
-  "ui/tests/**" \
-  "skip" "" \
-  setups
-
-# 10. Duplicate paths
-run_test \
-  "10. Duplicate paths — deduplicated" \
-  "ui/tests/scans/** ui/tests/scans/**" \
-  "equals" "tests/scans/"
-
-# 11. Empty input
-TOTAL=$((TOTAL + 1))
-CURRENT_TEST_NAME="11. Empty input"
-test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-mkdir -p "$test_dir"
-create_test_tree "$test_dir" scans providers
-CURRENT_RESULT=$(resolve_paths "" "$test_dir")
-_check "skip" ""
-
-# 12. Trailing/leading whitespace
-run_test \
-  "12. Whitespace handling" \
-  "  ui/tests/scans/**  " \
-  "contains" "tests/scans/"
-
-# 13. Path without ui/ prefix
-run_test \
-  "13. Path without ui/ prefix" \
-  "tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 14. Setup mixed with valid paths — only valid pass through
-run_test \
-  "14. Setups + valid — setups filtered" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "14. Setups + valid — setups absent" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "not_contains" "tests/setups/"
-
-# ===========================================================================
-# SUMMARY
-# ===========================================================================
-
-echo ""
-echo "=========================================="
-if [[ "$FAILED" -eq 0 ]]; then
-  printf '%b%bAll tests passed: %d/%d%b\n' "$GREEN" "$BOLD" "$PASSED" "$TOTAL" "$RESET"
-else
-  printf '%b%b%d/%d passed, %d FAILED%b\n' "$RED" "$BOLD" "$PASSED" "$TOTAL" "$FAILED" "$RESET"
-fi
-echo ""
-
-exit "$FAILED"

.github/test-impact.yml

@@ -177,14 +177,6 @@ modules:
       - tests/providers/llm/**
     e2e: []
 
-  - name: sdk-vercel
-    match:
-      - prowler/providers/vercel/**
-      - prowler/compliance/vercel/**
-    tests:
-      - tests/providers/vercel/**
-    e2e: []
-
   # ============================================
   # SDK - Lib modules
   # ============================================
@@ -232,24 +224,8 @@ modules:
     tests:
       - api/src/backend/api/tests/test_views.py
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # API view changes can break UI
+      - ui/tests/**
 
   - name: api-serializers
     match:
@@ -258,24 +234,8 @@ modules:
     tests:
       - api/src/backend/api/tests/**
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Serializer changes affect API responses → UI
+      - ui/tests/**
 
   - name: api-filters
     match:
@@ -447,24 +407,8 @@ modules:
       - ui/components/ui/**
     tests: []
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Shared components can affect any E2E
+      - ui/tests/**
 
   - name: ui-attack-paths
     match:

.github/workflows/api-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -29,13 +27,8 @@ jobs:
       patch_version: ${{ steps.detect.outputs.patch_version }}
       current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -86,13 +79,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -130,7 +118,7 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -149,7 +137,7 @@ jobs:
             By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
 
       - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
           persist-credentials: false
@@ -189,7 +177,7 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -216,13 +204,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -272,7 +255,7 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}

.github/workflows/api-code-quality.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-code-quality:
     runs-on: ubuntu-latest
@@ -34,25 +32,15 @@ jobs:
         working-directory: ./api
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            api.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             api/**
@@ -69,7 +57,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Poetry check
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-codeql.yml

@@ -24,8 +24,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   api-analyze:
     name: CodeQL Security Analysis
@@ -43,30 +41,18 @@ jobs:
           - 'python'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/api-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/api-container-build-push.yml

@@ -18,6 +18,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -33,8 +36,6 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -42,14 +43,7 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -61,16 +55,9 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -107,50 +94,24 @@ jobs:
       packages: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            _http._tcp.deb.debian.org:443
-            aka.ms:443
-            auth.docker.io:443
-            cdn.powershellgallery.com:443
-            dc.services.visualstudio.com:443
-            debian.map.fastlydns.net:80
-            files.pythonhosted.org:443
-            github.com:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            production.cloudflare.docker.com:443
-            pypi.org:443
-            registry-1.docker.io:443
-            release-assets.githubusercontent.com:443
-            www.powershellgallery.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
-      - name: Pin prowler SDK to latest master commit
-        if: github.event_name == 'push'
-        run: |
-          LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
-          sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
-
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push API container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -165,26 +126,17 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            release-assets.githubusercontent.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -209,7 +161,7 @@ jobs:
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main
 
       - name: Cleanup intermediate architecture tags
         if: always()
@@ -226,16 +178,9 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -276,13 +221,6 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
       - name: Trigger API deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/api-container-checks.yml

@@ -18,8 +18,6 @@ env:
   API_WORKING_DIR: ./api
   IMAGE_NAME: prowler-api
 
-permissions: {}
-
 jobs:
   api-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -29,22 +27,15 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: api/Dockerfile
 
@@ -74,39 +65,15 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            debian.map.fastlydns.net:80
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
-            _http._tcp.deb.debian.org:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            get.trivy.dev:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: api/**
           files_ignore: |
@@ -117,11 +84,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.API_WORKING_DIR }}
           push: false

.github/workflows/api-security.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-security-scans:
     runs-on: ubuntu-latest
@@ -34,33 +32,19 @@ jobs:
         working-directory: ./api
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            pypi.org:443
-            files.pythonhosted.org:443
-            github.com:443
-            auth.safetycli.com:443
-            pyup.io:443
-            data.safetycli.com:443
-            api.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             api/**
             .github/workflows/api-security.yml
-            .safety-policy.yml
           files_ignore: |
             api/docs/**
             api/README.md
@@ -73,7 +57,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Bandit
         if: steps.check-changes.outputs.any_changed == 'true'
@@ -81,8 +64,8 @@ jobs:
 
       - name: Safety
         if: steps.check-changes.outputs.any_changed == 'true'
-        # Accepted CVEs, severity threshold, and ignore expirations live in ../.safety-policy.yml
-        run: poetry run safety check --policy-file ../.safety-policy.yml
+        run: poetry run safety check --ignore 79023,79027
+        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
 
       - name: Vulture
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-tests.yml

@@ -22,16 +22,11 @@ env:
   POSTGRES_USER: prowler_user
   POSTGRES_PASSWORD: prowler
   POSTGRES_DB: postgres-db
-  VALKEY_SCHEME: redis
-  VALKEY_USERNAME: ""
-  VALKEY_PASSWORD: ""
   VALKEY_HOST: localhost
   VALKEY_PORT: 6379
   VALKEY_DB: 0
   API_WORKING_DIR: ./api
 
-permissions: {}
-
 jobs:
   api-tests:
     runs-on: ubuntu-latest
@@ -77,31 +72,15 @@ jobs:
           --health-retries 5
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            cli.codecov.io:443
-            keybase.io:443
-            ingest.codecov.io:443
-            storage.googleapis.com:443
-            o26192.ingest.us.sentry.io:443
-            api.github.com:443
-
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             api/**
@@ -118,7 +97,6 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
-          update-lock: 'true'
 
       - name: Run tests with pytest
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/backport.yml

@@ -17,8 +17,6 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_IGNORE: was-backported
 
-permissions: {}
-
 jobs:
   backport:
     if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
@@ -29,14 +27,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-
       - name: Check labels
         id: label_check
         uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
@@ -49,7 +39,7 @@ jobs:
 
       - name: Backport PR
         if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@9460b7102fea25466026ce806c9ebf873ac48721 # v11.0.0
+        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
         with:
           github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}

.github/workflows/ci-zizmor.yml

@@ -21,8 +21,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   zizmor:
     if: github.repository == 'prowler-cloud/prowler'
@@ -35,22 +33,12 @@ jobs:
       actions: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            api.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
         with:
           token: ${{ github.token }}

.github/workflows/comment-label-update.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-permissions: {}
-
 jobs:
   update-labels:
     if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
@@ -21,11 +19,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Remove 'status/awaiting-response' label
         env:
           GH_TOKEN: ${{ github.token }}

.github/workflows/conventional-commit.yml

@@ -16,8 +16,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   conventional-commit-check:
     runs-on: ubuntu-latest
@@ -27,11 +25,6 @@ jobs:
       pull-requests: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Check PR title format
         uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
         with:

.github/workflows/create-backport-label.yml

@@ -13,8 +13,6 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_COLOR: B60205
 
-permissions: {}
-
 jobs:
   create-label:
     runs-on: ubuntu-latest
@@ -24,11 +22,6 @@ jobs:
       issues: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Create backport label for minor releases
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docs-bump-version.yml

@@ -12,77 +12,247 @@ concurrency:
 env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
-  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
-
-permissions: {}
 
 jobs:
-  bump-version:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Get current documentation version
+        id: get_docs_version
+        run: |
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
+          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          egress-policy: audit
-
-      - name: Validate release version
-        run: |
-          if [[ ! $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-          if (( ${BASH_REMATCH[1]} != 5 )); then
-            echo "::error::Releasing another Prowler major version, aborting..."
-            exit 1
-          fi
-
-      - name: Checkout master branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ env.BASE_BRANCH }}
           persist-credentials: false
 
-      - name: Read current docs version on master
-        id: docs_version
+      - name: Calculate next minor version
         run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
           echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "Current docs version on master: $CURRENT_DOCS_VERSION"
-          echo "Target release version: $PROWLER_VERSION"
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
 
-          # Skip if master is already at or ahead of the release version
-          # (re-run, or patch shipped against an older minor line)
-          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
-          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            echo "Skipping bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
-          else
-            echo "skip=false" >> "${GITHUB_OUTPUT}"
-          fi
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+          echo "Current release version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
 
-      - name: Bump versions in documentation
-        if: steps.docs_version.outputs.skip == 'false'
+      - name: Bump versions in documentation for master
         run: |
           set -e
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
           echo "Files modified:"
           git --no-pager diff
 
       - name: Create PR for documentation update to master
-        if: steps.docs_version.outputs.skip == 'false'
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.BASE_BRANCH }}
-          commit-message: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-bump-to-v${{ env.PROWLER_VERSION }}
-          title: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          base: master
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+            - All `*.mdx` files with `<VersionBadge>` components
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+
+      - name: Bump versions in documentation for version branch
+        run: |
+          set -e
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to version branch
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+          echo "Current release version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+
+      - name: Bump versions in documentation for patch version
+        run: |
+          set -e
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to version branch
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description

.github/workflows/find-secrets.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   scan-secrets:
     runs-on: ubuntu-latest
@@ -24,18 +22,8 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          # We can't block as Trufflehog needs to verify secrets against vendors
-          egress-policy: audit
-          # allowed-endpoints: >
-          #   github.com:443
-          #   ghcr.io:443
-          #   pkg-containers.githubusercontent.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
           persist-credentials: false

.github/workflows/helm-chart-checks.yml

@@ -1,55 +0,0 @@
-name: 'Helm: Chart Checks'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-permissions: {}
-
-jobs:
-  helm-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Lint Helm chart
-        run: helm lint ${{ env.CHART_PATH }}
-
-      - name: Validate Helm chart template rendering
-        run: helm template prowler ${{ env.CHART_PATH }}

.github/workflows/helm-chart-release.yml

@@ -1,61 +0,0 @@
-name: 'Helm: Chart Release'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-permissions: {}
-
-jobs:
-  release-helm-chart:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-
-      - name: Set appVersion from release tag
-        run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
-          echo "Setting appVersion to ${RELEASE_TAG}"
-          sed -i "s/^appVersion:.*/appVersion: \"${RELEASE_TAG}\"/" ${{ env.CHART_PATH }}/Chart.yaml
-        env:
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-
-      - name: Login to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${GITHUB_ACTOR} --password-stdin
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Package Helm chart
-        run: helm package ${{ env.CHART_PATH }} --destination .helm-packages
-
-      - name: Push chart to GHCR
-        run: |
-          PACKAGE=$(ls .helm-packages/*.tgz)
-          helm push "$PACKAGE" oci://ghcr.io/${{ github.repository_owner }}/charts

.github/workflows/issue-lock-on-close.yml

@@ -1,53 +0,0 @@
-name: 'Tools: Lock Issue on Close'
-
-on:
-  issues:
-    types:
-      - closed
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-permissions: {}
-
-jobs:
-  lock:
-    if: |
-      github.repository == 'prowler-cloud/prowler' &&
-      github.event.issue.locked == false
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
-      - name: Comment and lock issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        with:
-          script: |
-            const { owner, repo } = context.repo;
-            const issue_number = context.payload.issue.number;
-
-            try {
-              await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body: 'This issue is now locked as it has been closed. If you are still hitting a related problem, please open a new issue and link back to this one for context. Thanks!'
-              });
-            } catch (error) {
-              core.warning(`Failed to post lock comment on issue #${issue_number}: ${error.message}`);
-            }
-
-            const lockParams = { owner, repo, issue_number };
-            if (context.payload.issue.state_reason === 'completed') {
-              lockParams.lock_reason = 'resolved';
-            }
-            await github.rest.issues.lock(lockParams);

.github/workflows/issue-triage.lock.yml

@@ -65,11 +65,6 @@ jobs:
       text: ${{ steps.compute-text.outputs.text }}
       title: ${{ steps.compute-text.outputs.title }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -134,11 +129,6 @@ jobs:
       output_types: ${{ steps.collect_output.outputs.output_types }}
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -772,7 +762,7 @@ jobs:
           SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Safe Outputs
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: safe-output
           path: ${{ env.GH_AW_SAFE_OUTPUTS }}
@@ -793,13 +783,13 @@ jobs:
             await main();
       - name: Upload sanitized agent output
         if: always() && env.GH_AW_AGENT_OUTPUT
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent-output
           path: ${{ env.GH_AW_AGENT_OUTPUT }}
           if-no-files-found: warn
       - name: Upload engine output files
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent_outputs
           path: |
@@ -839,7 +829,7 @@ jobs:
       - name: Upload agent artifacts
         if: always()
         continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: agent-artifacts
           path: |
@@ -869,18 +859,13 @@ jobs:
       tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -981,24 +966,19 @@ jobs:
     outputs:
       success: ${{ steps.parse_results.outputs.success }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent artifacts
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-artifacts
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/threat-detection/
@@ -1071,7 +1051,7 @@ jobs:
             await main();
       - name: Upload threat detection log
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: threat-detection.log
           path: /tmp/gh-aw/threat-detection/detection.log
@@ -1090,11 +1070,6 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -1163,18 +1138,13 @@ jobs:
       process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
       process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/

.github/workflows/labeler.yml

@@ -15,8 +15,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   labeler:
     runs-on: ubuntu-latest
@@ -26,11 +24,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Apply labels to PR
         uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
@@ -45,11 +38,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Check if author is org member
         id: check_membership
         env:
@@ -62,7 +50,7 @@ jobs:
             "Alan-TheGentleman"
             "alejandrobailo"
             "amitsharm"
-            # "andoniaf"
+            "andoniaf"
             "cesararroba"
             "danibarranqueroo"
             "HugoPBrito"
@@ -77,8 +65,7 @@ jobs:
             "RosaRivasProwler"
             "StylusFrost"
             "toniblyx"
-            "davidm4r"
-            "pfe-nazaries"
+            "vicferpoy"
           )
 
           echo "Checking if $AUTHOR is a member of prowler-cloud organization"

.github/workflows/mcp-container-build-push.yml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -32,8 +35,6 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -41,14 +42,7 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -60,16 +54,9 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -105,38 +92,24 @@ jobs:
       contents: read
       packages: write
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            files.pythonhosted.org:443
-            pypi.org:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push MCP container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -159,27 +132,17 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -221,16 +184,9 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -271,13 +227,6 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
       - name: Trigger MCP deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/mcp-container-checks.yml

@@ -18,8 +18,6 @@ env:
   MCP_WORKING_DIR: ./mcp_server
   IMAGE_NAME: prowler-mcp
 
-permissions: {}
-
 jobs:
   mcp-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -29,22 +27,15 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: mcp_server/Dockerfile
 
@@ -73,35 +64,15 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            ghcr.io:443
-            pkg-containers.githubusercontent.com:443
-            files.pythonhosted.org:443
-            pypi.org:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            get.trivy.dev:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for MCP changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: mcp_server/**
           files_ignore: |
@@ -110,11 +81,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build MCP container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.MCP_WORKING_DIR }}
           push: false

.github/workflows/mcp-pypi-release.yml

@@ -14,8 +14,6 @@ env:
   PYTHON_VERSION: "3.12"
   WORKING_DIRECTORY: ./mcp_server
 
-permissions: {}
-
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'
@@ -28,11 +26,6 @@ jobs:
       major_version: ${{ steps.parse-version.outputs.major }}
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Parse and validate version
         id: parse-version
         run: |
@@ -66,23 +59,18 @@ jobs:
       url: https://pypi.org/project/prowler-mcp/
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
         with:
           enable-cache: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 

.github/workflows/pr-check-changelog.yml

@@ -16,8 +16,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-changelog:
     if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false
@@ -30,16 +28,8 @@ jobs:
       MONITORED_FOLDERS: 'api ui prowler mcp_server'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
           # zizmor: ignore[artipacked]
@@ -47,7 +37,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             api/**

.github/workflows/pr-check-compliance-mapping.yml

@@ -1,188 +0,0 @@
-name: 'Tools: Check Compliance Mapping'
-
-on:
-  pull_request:
-    types:
-      - 'opened'
-      - 'synchronize'
-      - 'reopened'
-      - 'labeled'
-      - 'unlabeled'
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  check-compliance-mapping:
-    if: >-
-      github.event.pull_request.state == 'open' &&
-      contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false &&
-      (
-        (github.event.action != 'labeled' && github.event.action != 'unlabeled')
-        || github.event.label.name == 'no-compliance-check'
-      )
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            prowler/providers/**/services/**/*.metadata.json
-            prowler/compliance/**/*.json
-
-      - name: Check if new checks are mapped in compliance
-        id: compliance-check
-        run: |
-          ADDED_METADATA="${STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES}"
-          ALL_CHANGED="${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}"
-
-          # Filter only new metadata files (new checks)
-          new_checks=""
-          for f in $ADDED_METADATA; do
-            case "$f" in *.metadata.json) new_checks="$new_checks $f" ;; esac
-          done
-
-          if [ -z "$(echo "$new_checks" | tr -d ' ')" ]; then
-            echo "No new checks detected."
-            echo "has_new_checks=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Collect compliance files changed in this PR
-          changed_compliance=""
-          for f in $ALL_CHANGED; do
-            case "$f" in prowler/compliance/*.json) changed_compliance="$changed_compliance $f" ;; esac
-          done
-
-          UNMAPPED=""
-          MAPPED=""
-
-          for metadata_file in $new_checks; do
-            check_dir=$(dirname "$metadata_file")
-            check_id=$(basename "$check_dir")
-            provider=$(echo "$metadata_file" | cut -d'/' -f3)
-
-            # Read CheckID from the metadata JSON for accuracy
-            if [ -f "$metadata_file" ]; then
-              json_check_id=$(python3 -c "import json; print(json.load(open('$metadata_file')).get('CheckID', ''))" 2>/dev/null || echo "")
-              if [ -n "$json_check_id" ]; then
-                check_id="$json_check_id"
-              fi
-            fi
-
-            # Search for the check ID in compliance files changed in this PR
-            found_in=""
-            for comp_file in $changed_compliance; do
-              if grep -q "\"${check_id}\"" "$comp_file" 2>/dev/null; then
-                found_in="${found_in}$(basename "$comp_file" .json), "
-              fi
-            done
-
-            if [ -n "$found_in" ]; then
-              found_in=$(echo "$found_in" | sed 's/, $//')
-              MAPPED="${MAPPED}- \`${check_id}\` (\`${provider}\`): ${found_in}"$'\n'
-            else
-              UNMAPPED="${UNMAPPED}- \`${check_id}\` (\`${provider}\`)"$'\n'
-            fi
-          done
-
-          echo "has_new_checks=true" >> "$GITHUB_OUTPUT"
-
-          if [ -n "$UNMAPPED" ]; then
-            echo "has_unmapped=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "has_unmapped=false" >> "$GITHUB_OUTPUT"
-          fi
-
-          {
-            echo "unmapped<<EOF"
-            echo -e "${UNMAPPED}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-          {
-            echo "mapped<<EOF"
-            echo -e "${MAPPED}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
-
-      - name: Manage compliance review label
-        if: steps.compliance-check.outputs.has_new_checks == 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          HAS_UNMAPPED: ${{ steps.compliance-check.outputs.has_unmapped }}
-        run: |
-          LABEL_NAME="needs-compliance-review"
-
-          if [ "$HAS_UNMAPPED" = "true" ]; then
-            echo "Adding compliance review label to PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
-          else
-            echo "Removing compliance review label from PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
-          fi
-
-      - name: Find existing compliance comment
-        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
-        id: find-comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: 'github-actions[bot]'
-          body-includes: '<!-- compliance-mapping-check -->'
-
-      - name: Create or update compliance comment
-        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          edit-mode: replace
-          body: |
-            <!-- compliance-mapping-check -->
-            ## Compliance Mapping Review
-
-            This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.
-
-            ${{ steps.compliance-check.outputs.unmapped != '' && format('### New checks not mapped to any compliance framework in this PR
-
-            {0}
-
-            > Please review whether these checks should be added to compliance framework requirements in `prowler/compliance/<provider>/`. Each compliance JSON has a `Checks` array inside each requirement — add the check ID there if it satisfies that requirement.', steps.compliance-check.outputs.unmapped) || '' }}
-
-            ${{ steps.compliance-check.outputs.mapped != '' && format('### New checks already mapped in this PR
-
-            {0}', steps.compliance-check.outputs.mapped) || '' }}
-
-            Use the `no-compliance-check` label to skip this check.

.github/workflows/pr-conflict-checker.yml

@@ -15,8 +15,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-conflicts:
     runs-on: ubuntu-latest
@@ -27,13 +25,8 @@ jobs:
       issues: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout PR head
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -41,7 +34,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: '**'
 

.github/workflows/pr-merged.yml

@@ -12,8 +12,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: false
 
-permissions: {}
-
 jobs:
   trigger-cloud-pull-request:
     if: |
@@ -25,13 +23,6 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
       - name: Calculate short commit SHA
         id: vars
         run: |

.github/workflows/prepare-release.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   PROWLER_VERSION: ${{ inputs.prowler_version }}
 
-permissions: {}
-
 jobs:
   prepare-release:
     if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
@@ -28,24 +26,22 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-      with:
-        egress-policy: audit
-
     - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         fetch-depth: 0
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
         persist-credentials: false
 
-    - name: Setup Python with Poetry
-      uses: ./.github/actions/setup-python-poetry
+    - name: Set up Python
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: '3.12'
-        install-dependencies: 'false'
-        enable-cache: 'false'
+
+    - name: Install Poetry
+      run: |
+        python3 -m pip install --user poetry==2.1.1
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
 
     - name: Configure Git
       run: |
@@ -349,7 +345,7 @@ jobs:
 
     - name: Create PR for API dependency update
       if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
       with:
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
         commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -379,7 +375,7 @@ jobs:
           no-changelog
 
     - name: Create draft release
-      uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
       with:
         tag_name: ${{ env.PROWLER_VERSION }}
         name: Prowler ${{ env.PROWLER_VERSION }}

.github/workflows/sdk-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -28,11 +26,6 @@ jobs:
       minor_version: ${{ steps.detect.outputs.minor_version }}
       patch_version: ${{ steps.detect.outputs.patch_version }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Detect release type and parse version
         id: detect
         run: |
@@ -73,13 +66,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -108,14 +96,14 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: master
-          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description
@@ -127,7 +115,7 @@ jobs:
             By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
 
       - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
           persist-credentials: false
@@ -160,14 +148,14 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description
@@ -187,13 +175,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -228,14 +211,14 @@ jobs:
           git --no-pager diff
 
       - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description

.github/workflows/sdk-check-duplicate-test-names.yml

@@ -10,8 +10,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   check-duplicate-test-names:
     if: github.repository == 'prowler-cloud/prowler'
@@ -21,15 +19,8 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/sdk-code-quality.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-code-quality:
     if: github.repository == 'prowler-cloud/prowler'
@@ -26,29 +24,21 @@ jobs:
     strategy:
       matrix:
         python-version:
+          - '3.9'
           - '3.10'
           - '3.11'
           - '3.12'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: ./**
           files_ignore: |
@@ -71,11 +61,22 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
 
       - name: Check Poetry lock file
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-codeql.yml

@@ -30,8 +30,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-analyze:
     if: github.repository == 'prowler-cloud/prowler'
@@ -50,28 +48,18 @@ jobs:
           - 'python'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/sdk-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/sdk-container-build-push.yml

@@ -23,6 +23,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -42,13 +45,10 @@ env:
   # Container registries
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
-  TONIBLYX_DOCKERHUB_REPOSITORY: toniblyx
 
   # AWS configuration (for ECR)
   AWS_REGION: us-east-1
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -59,32 +59,21 @@ jobs:
       prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
       latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
       stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
-          enable-cache: 'false'
 
-      - name: Inject poetry-bumpversion plugin
-        run: pipx inject poetry poetry-bumpversion
+      - name: Install Poetry
+        run: |
+          pipx install poetry==2.1.1
+          pipx inject poetry poetry-bumpversion
 
       - name: Get Prowler version and set tags
         id: get-prowler-version
@@ -126,16 +115,9 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -172,40 +154,19 @@ jobs:
       packages: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.ecr-public.us-east-1.amazonaws.com:443
-            public.ecr.aws:443
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            auth.docker.io:443
-            debian.map.fastlydns.net:80
-            github.com:443
-            release-assets.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
-            _http._tcp.deb.debian.org:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -214,12 +175,12 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push SDK container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ${{ env.DOCKERFILE_PATH }}
@@ -235,32 +196,16 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            registry-1.docker.io:443
-            auth.docker.io:443
-            public.ecr.aws:443
-            production.cloudflare.docker.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            api.ecr-public.us-east-1.amazonaws.com:443
-
-
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -268,11 +213,15 @@ jobs:
         env:
           AWS_REGION: ${{ env.AWS_REGION }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
@@ -283,10 +232,12 @@ jobs:
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
         env:
@@ -294,39 +245,6 @@ jobs:
           NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }}
           NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
 
-      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
-      - name: Login to DockerHub (toniblyx)
-        if: needs.setup.outputs.latest_tag == 'latest'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
-          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
-
-      - name: Push manifests to toniblyx for push event
-        if: needs.setup.outputs.latest_tag == 'latest' && github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest
-
-      - name: Push manifests to toniblyx for release event
-        if: needs.setup.outputs.latest_tag == 'latest' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable
-        env:
-          NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }}
-
-      # Re-login as prowlercloud for cleanup of intermediate tags
-      - name: Login to DockerHub (prowlercloud)
-        if: always()
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Install regctl
         if: always()
         uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
@@ -346,16 +264,9 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -396,11 +307,6 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Calculate short SHA
         id: short-sha
         run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

.github/workflows/sdk-container-checks.yml

@@ -17,8 +17,6 @@ concurrency:
 env:
   IMAGE_NAME: prowler
 
-permissions: {}
-
 jobs:
   sdk-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -28,22 +26,15 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: Dockerfile
 
@@ -73,39 +64,15 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            debian.map.fastlydns.net:80
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            www.powershellgallery.com:443
-            aka.ms:443
-            cdn.powershellgallery.com:443
-            _http._tcp.deb.debian.org:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            get.trivy.dev:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: ./**
           files_ignore: |
@@ -130,11 +97,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build SDK container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           push: false

.github/workflows/sdk-pypi-release.yml

@@ -13,8 +13,6 @@ env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
   PYTHON_VERSION: '3.12'
 
-permissions: {}
-
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'
@@ -27,11 +25,6 @@ jobs:
       major_version: ${{ steps.parse-version.outputs.major }}
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Parse and validate version
         id: parse-version
         run: |
@@ -65,22 +58,18 @@ jobs:
       url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
-          enable-cache: 'false'
 
       - name: Build Prowler package
         run: poetry build
@@ -102,22 +91,18 @@ jobs:
       url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'
-          enable-cache: 'false'
 
       - name: Install toml package
         run: pip install toml

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -13,8 +13,6 @@ env:
   PYTHON_VERSION: '3.12'
   AWS_REGION: 'us-east-1'
 
-permissions: {}
-
 jobs:
   refresh-aws-regions:
     if: github.repository == 'prowler-cloud/prowler'
@@ -26,19 +24,14 @@ jobs:
       contents: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: 'master'
           persist-credentials: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip'
@@ -47,7 +40,7 @@ jobs:
         run: pip install boto3
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -58,7 +51,7 @@ jobs:
 
       - name: Create pull request
         id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'

.github/workflows/sdk-refresh-oci-regions.yml

@@ -12,8 +12,6 @@ concurrency:
 env:
   PYTHON_VERSION: '3.12'
 
-permissions: {}
-
 jobs:
   refresh-oci-regions:
     if: github.repository == 'prowler-cloud/prowler'
@@ -24,19 +22,14 @@ jobs:
       contents: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: 'master'
           persist-credentials: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip'
@@ -55,7 +48,7 @@ jobs:
 
       - name: Create pull request
         id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -79,13 +72,12 @@ jobs:
             This PR updates the `OCI_COMMERCIAL_REGIONS` dictionary in `prowler/providers/oraclecloud/config.py` with the latest regions fetched from the OCI Identity API (`list_regions()`).
 
             - Government regions (`OCI_GOVERNMENT_REGIONS`) are preserved unchanged
-            - DOD regions (`OCI_US_DOD_REGIONS`) are preserved unchanged
             - Region display names are mapped from Oracle's official documentation
 
             ### Checklist
 
             - [x] This is an automated update from OCI official sources
-            - [x] Government regions (us-langley-1, us-luke-1) and DOD regions (us-gov-ashburn-1, us-gov-phoenix-1, us-gov-chicago-1) are preserved
+            - [x] Government regions (us-langley-1, us-luke-1) preserved
             - [x] No manual review of region data required
 
             ### License

.github/workflows/sdk-security.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-security-scans:
     if: github.repository == 'prowler-cloud/prowler'
@@ -25,28 +23,15 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            pypi.org:443
-            files.pythonhosted.org:443
-            github.com:443
-            auth.safetycli.com:443
-            pyup.io:443
-            data.safetycli.com:443
-            api.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files:
             ./**
@@ -71,11 +56,20 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python 3.12
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: '3.12'
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
 
       - name: Security scan with Bandit
         if: steps.check-changes.outputs.any_changed == 'true'
@@ -83,8 +77,7 @@ jobs:
 
       - name: Security scan with Safety
         if: steps.check-changes.outputs.any_changed == 'true'
-        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
-        run: poetry run safety check -r pyproject.toml --policy-file .safety-policy.yml
+        run: poetry run safety check -r pyproject.toml
 
       - name: Dead code detection with Vulture
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-tests.yml

@@ -14,8 +14,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   sdk-tests:
     if: github.repository == 'prowler-cloud/prowler'
@@ -26,50 +24,21 @@ jobs:
     strategy:
       matrix:
         python-version:
+          - '3.9'
           - '3.10'
           - '3.11'
           - '3.12'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            api.github.com:443
-            release-assets.githubusercontent.com:443
-            *.amazonaws.com:443
-            *.googleapis.com:443
-            schema.ocsf.io:443
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
-            o26192.ingest.us.sentry.io:443
-            management.azure.com:443
-            login.microsoftonline.com:443
-            keybase.io:443
-            ingest.codecov.io:443
-            graph.microsoft.com:443
-            dc.services.visualstudio.com:443
-            cloud.mongodb.com:443
-            cli.codecov.io:443
-            auth.docker.io:443
-            api.vercel.com:443
-            api.atlassian.com:443
-            aka.ms:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: ./**
           files_ignore: |
@@ -92,17 +61,26 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Setup Python with Poetry
+      - name: Install Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
 
       # AWS Provider
       - name: Check if AWS files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-aws
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/aws/**
@@ -144,7 +122,7 @@ jobs:
               "wafv2": ["cognito", "elbv2"],
           }
 
-          changed_raw = os.environ.get("STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES", "")
+          changed_raw = """${STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES}"""
           # all_changed_files is space-separated, not newline-separated
           # Strip leading "./" if present for consistent path handling
           changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
@@ -232,7 +210,7 @@ jobs:
       - name: Check if Azure files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-azure
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/azure/**
@@ -256,7 +234,7 @@ jobs:
       - name: Check if GCP files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-gcp
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/gcp/**
@@ -280,7 +258,7 @@ jobs:
       - name: Check if Kubernetes files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-kubernetes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/kubernetes/**
@@ -304,7 +282,7 @@ jobs:
       - name: Check if GitHub files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-github
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/github/**
@@ -328,7 +306,7 @@ jobs:
       - name: Check if NHN files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-nhn
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/nhn/**
@@ -352,7 +330,7 @@ jobs:
       - name: Check if M365 files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-m365
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/m365/**
@@ -376,7 +354,7 @@ jobs:
       - name: Check if IaC files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-iac
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/iac/**
@@ -400,7 +378,7 @@ jobs:
       - name: Check if MongoDB Atlas files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-mongodbatlas
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/mongodbatlas/**
@@ -424,7 +402,7 @@ jobs:
       - name: Check if OCI files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-oraclecloud
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/oraclecloud/**
@@ -448,7 +426,7 @@ jobs:
       - name: Check if OpenStack files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-openstack
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/openstack/**
@@ -472,7 +450,7 @@ jobs:
       - name: Check if Google Workspace files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-googleworkspace
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/**/googleworkspace/**
@@ -492,35 +470,11 @@ jobs:
           flags: prowler-py${{ matrix.python-version }}-googleworkspace
           files: ./googleworkspace_coverage.xml
 
-      # Vercel Provider
-      - name: Check if Vercel files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-vercel
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ./prowler/**/vercel/**
-            ./tests/**/vercel/**
-            ./poetry.lock
-
-      - name: Run Vercel tests
-        if: steps.changed-vercel.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel
-
-      - name: Upload Vercel coverage to Codecov
-        if: steps.changed-vercel.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-vercel
-          files: ./vercel_coverage.xml
-
       # Lib
       - name: Check if Lib files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-lib
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/lib/**
@@ -544,7 +498,7 @@ jobs:
       - name: Check if Config files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-config
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ./prowler/config/**

.github/workflows/test-impact-analysis.yml

@@ -31,8 +31,6 @@ on:
         description: "Whether there are UI E2E tests to run"
         value: ${{ jobs.analyze.outputs.has-ui-e2e }}
 
-permissions: {}
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
@@ -47,31 +45,20 @@ jobs:
       has-sdk-tests: ${{ steps.set-flags.outputs.has-sdk-tests }}
       has-api-tests: ${{ steps.set-flags.outputs.has-api-tests }}
       has-ui-e2e: ${{ steps.set-flags.outputs.has-ui-e2e }}
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
 
       - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.12'
 

.github/workflows/ui-bump-version.yml

@@ -13,8 +13,6 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
-permissions: {}
-
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -28,11 +26,6 @@ jobs:
       minor_version: ${{ steps.detect.outputs.minor_version }}
       patch_version: ${{ steps.detect.outputs.patch_version }}
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Detect release type and parse version
         id: detect
         run: |
@@ -73,13 +66,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -101,13 +89,13 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
 
       - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -129,7 +117,7 @@ jobs:
             By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
 
       - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
           persist-credentials: false
@@ -155,13 +143,13 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
 
       - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -191,13 +179,8 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -225,13 +208,13 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
 
       - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}

.github/workflows/ui-codeql.yml

@@ -26,8 +26,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   ui-analyze:
     if: github.repository == 'prowler-cloud/prowler'
@@ -46,28 +44,18 @@ jobs:
           - 'javascript-typescript'
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            release-assets.githubusercontent.com:443
-            uploads.github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/ui-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/ui-container-build-push.yml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -35,8 +38,6 @@ env:
   # Build args
   NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
 
-permissions: {}
-
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -44,14 +45,7 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -63,16 +57,9 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -109,38 +96,24 @@ jobs:
       packages: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            registry-1.docker.io:443
-            production.cloudflare.docker.com:443
-            auth.docker.io:443
-            registry.npmjs.org:443
-            dl-cdn.alpinelinux.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build and push UI container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           build-args: |
@@ -158,27 +131,17 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            release-assets.githubusercontent.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-
       - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -220,16 +183,9 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -270,13 +226,6 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-
       - name: Trigger UI deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/ui-container-checks.yml

@@ -18,8 +18,6 @@ env:
   UI_WORKING_DIR: ./ui
   IMAGE_NAME: prowler-ui
 
-permissions: {}
-
 jobs:
   ui-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -29,22 +27,15 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: ui/Dockerfile
 
@@ -74,35 +65,15 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry-1.docker.io:443
-            auth.docker.io:443
-            production.cloudflare.docker.com:443
-            registry.npmjs.org:443
-            dl-cdn.alpinelinux.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            api.github.com:443
-            mirror.gcr.io:443
-            check.trivy.dev:443
-            get.trivy.dev:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: ui/**
           files_ignore: |
@@ -112,11 +83,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Build UI container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.UI_WORKING_DIR }}
           target: prod

.github/workflows/ui-e2e-tests-v2.yml

@@ -15,14 +15,13 @@ on:
       - 'ui/**'
       - 'api/**'  # API changes can affect UI E2E
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   # First, analyze which tests need to run
   impact-analysis:
     if: github.repository == 'prowler-cloud/prowler'
-    permissions:
-      contents: read
     uses: ./.github/workflows/test-impact-analysis.yml
 
   # Run E2E tests based on impact analysis
@@ -76,17 +75,10 @@ jobs:
       # Pass E2E paths from impact analysis
       E2E_TEST_PATHS: ${{ needs.impact-analysis.outputs.ui-e2e }}
       RUN_ALL_TESTS: ${{ needs.impact-analysis.outputs.run-all }}
-    permissions:
-      contents: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -160,21 +152,21 @@ jobs:
           '
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: '24.13.0'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
         with:
-          package_json_file: ui/package.json
+          version: 10
           run_install: false
 
       - name: Get pnpm store directory
         run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm and Next.js cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ${{ env.STORE_PATH }}
@@ -194,7 +186,7 @@ jobs:
         run: pnpm run build
 
       - name: Cache Playwright browsers
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
@@ -222,46 +214,17 @@ jobs:
             TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
             # Drop auth setup helpers (not runnable test suites)
             TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-            # Safety net: if bare "tests/" appears (from broad patterns like ui/tests/**),
-            # expand to specific subdirs to avoid Playwright discovering setup files
-            if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-              echo "Expanding bare 'tests/' to specific subdirs (excluding setups)..."
-              SPECIFIC_DIRS=""
-              for dir in tests/*/; do
-                [[ "$dir" == "tests/setups/" ]] && continue
-                SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-              done
-              # Replace "tests/" with specific dirs, keep other paths
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/')
-              TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-            fi
             if [[ -z "$TEST_PATHS" ]]; then
               echo "No runnable E2E test paths after filtering setups"
               exit 0
             fi
-            # Filter out directories that don't contain any test files
-            VALID_PATHS=""
-            while IFS= read -r p; do
-              [[ -z "$p" ]] && continue
-              if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-                VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-              else
-                echo "Skipping empty test directory: $p"
-              fi
-            done <<< "$TEST_PATHS"
-            VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$' || true)
-            if [[ -z "$VALID_PATHS" ]]; then
-              echo "No test files found in any resolved paths — skipping E2E"
-              exit 0
-            fi
-            TEST_PATHS=$(echo "$VALID_PATHS" | tr '\n' ' ')
+            TEST_PATHS=$(echo "$TEST_PATHS" | tr '\n' ' ')
             echo "Resolved test paths: $TEST_PATHS"
             pnpm exec playwright test $TEST_PATHS
           fi
 
       - name: Upload test reports
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: failure()
         with:
           name: playwright-report
@@ -281,14 +244,7 @@ jobs:
       needs.impact-analysis.outputs.has-ui-e2e != 'true' &&
       needs.impact-analysis.outputs.run-all != 'true'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
       - name: No E2E tests needed
         run: |
           echo "## E2E Tests Skipped" >> $GITHUB_STEP_SUMMARY

.github/workflows/ui-tests.yml

@@ -18,8 +18,6 @@ env:
   UI_WORKING_DIR: ./ui
   NODE_VERSION: '24.13.0'
 
-permissions: {}
-
 jobs:
   ui-tests:
     runs-on: ubuntu-latest
@@ -31,27 +29,15 @@ jobs:
         working-directory: ./ui
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            registry.npmjs.org:443
-            fonts.googleapis.com:443
-            fonts.gstatic.com:443
-            api.github.com:443
-            release-assets.githubusercontent.com:443
-
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ui/**
@@ -64,7 +50,7 @@ jobs:
       - name: Get changed source files for targeted tests
         id: changed-source
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ui/**/*.ts
@@ -80,7 +66,7 @@ jobs:
       - name: Check for critical path changes (run all tests)
         id: critical-changes
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
           files: |
             ui/lib/**
@@ -92,15 +78,15 @@ jobs:
 
       - name: Setup Node.js ${{ env.NODE_VERSION }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Setup pnpm
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
         with:
-          package_json_file: ui/package.json
+          version: 10
           run_install: false
 
       - name: Get pnpm store directory
@@ -110,7 +96,7 @@ jobs:
 
       - name: Setup pnpm and Next.js cache
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ${{ env.STORE_PATH }}

.github/zizmor.yml

@@ -1,25 +0,0 @@
-rules:
-  secrets-outside-env:
-    ignore:
-      - api-bump-version.yml
-      - api-container-build-push.yml
-      - api-tests.yml
-      - backport.yml
-      - docs-bump-version.yml
-      - issue-triage.lock.yml
-      - mcp-container-build-push.yml
-      - pr-merged.yml
-      - prepare-release.yml
-      - sdk-bump-version.yml
-      - sdk-container-build-push.yml
-      - sdk-refresh-aws-services-regions.yml
-      - sdk-refresh-oci-regions.yml
-      - sdk-tests.yml
-      - ui-bump-version.yml
-      - ui-container-build-push.yml
-      - ui-e2e-tests-v2.yml
-  superfluous-actions:
-    ignore:
-      - pr-check-changelog.yml
-      - pr-conflict-checker.yml
-      - prepare-release.yml

.gitignore

@@ -60,7 +60,6 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
-.mcp.json
 
 # AI Coding Assistants - Cursor
 .cursorignore
@@ -84,7 +83,6 @@ continue.json
 .continuerc.json
 
 # AI Coding Assistants - OpenCode
-.opencode/
 opencode.json
 
 # AI Coding Assistants - GitHub Copilot
@@ -151,8 +149,6 @@ node_modules
 
 # Persistent data
 _data/
-/openspec/
-/.gitmodules
 
 # AI Instructions (generated by skills/setup.sh from AGENTS.md)
 CLAUDE.md
@@ -167,6 +163,3 @@ GEMINI.md
 .codex/skills
 .github/skills
 .gemini/skills
-
-# Claude Code
-.claude/*

.pre-commit-config.yaml

@@ -1,212 +1,140 @@
-# Priority tiers (lower = runs first, same priority = concurrent):
-#   P0  — fast file fixers
-#   P10 — validators and guards
-#   P20 — auto-formatters
-#   P30 — linters
-#   P40 — security scanners
-#   P50 — dependency validation
-
-default_install_hook_types: [pre-commit, pre-push]
-
 repos:
-  ## GENERAL (prek built-in — no external repo needed)
-  - repo: builtin
+  ## GENERAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
-        priority: 10
       - id: check-yaml
-        args: ["--allow-multiple-documents"]
-        exclude: (prowler/config/llm_config.yaml|contrib/)
-        priority: 10
+        args: ["--unsafe"]
+        exclude: prowler/config/llm_config.yaml
       - id: check-json
-        priority: 10
       - id: end-of-file-fixer
-        priority: 0
       - id: trailing-whitespace
-        priority: 0
       - id: no-commit-to-branch
-        priority: 10
       - id: pretty-format-json
         args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
-        priority: 10
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.16.0
+    rev: v2.13.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
         files: pyproject.toml
-        priority: 20
-
-  ## GITHUB ACTIONS
-  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.24.1
-    hooks:
-      - id: zizmor
-        files: ^\.github/
-        priority: 30
 
   ## BASH
   - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.11.0
+    rev: v0.10.0
     hooks:
       - id: shellcheck
         exclude: contrib
-        priority: 30
 
-  ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
+  ## PYTHON
   - repo: https://github.com/myint/autoflake
-    rev: v2.3.3
+    rev: v2.3.1
     hooks:
       - id: autoflake
-        name: "SDK - autoflake"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        exclude: ^skills/
         args:
           [
             "--in-place",
             "--remove-all-unused-imports",
             "--remove-unused-variable",
           ]
-        priority: 20
 
   - repo: https://github.com/pycqa/isort
-    rev: 8.0.1
+    rev: 5.13.2
     hooks:
       - id: isort
-        name: "SDK - isort"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        exclude: ^skills/
         args: ["--profile", "black"]
-        priority: 20
 
   - repo: https://github.com/psf/black
-    rev: 26.3.1
+    rev: 24.4.2
     hooks:
       - id: black
-        name: "SDK - black"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
-        priority: 20
+        exclude: ^skills/
 
   - repo: https://github.com/pycqa/flake8
-    rev: 7.3.0
+    rev: 7.0.0
     hooks:
       - id: flake8
-        name: "SDK - flake8"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        exclude: (contrib|^skills/)
         args: ["--ignore=E266,W503,E203,E501,W605"]
-        priority: 30
 
-  ## PYTHON — API + MCP Server (ruff)
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.12
-    hooks:
-      - id: ruff
-        name: "API + MCP - ruff check"
-        files: { glob: ["{api,mcp_server}/**/*.py"] }
-        args: ["--fix"]
-        priority: 30
-      - id: ruff-format
-        name: "API + MCP - ruff format"
-        files: { glob: ["{api,mcp_server}/**/*.py"] }
-        priority: 20
-
-  ## PYTHON — Poetry
   - repo: https://github.com/python-poetry/poetry
-    rev: 2.3.4
+    rev: 2.1.1
     hooks:
       - id: poetry-check
         name: API - poetry-check
         args: ["--directory=./api"]
-        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
-        priority: 50
 
       - id: poetry-lock
         name: API - poetry-lock
         args: ["--directory=./api"]
-        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
-        priority: 50
 
       - id: poetry-check
         name: SDK - poetry-check
         args: ["--directory=./"]
-        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
-        priority: 50
 
       - id: poetry-lock
         name: SDK - poetry-lock
         args: ["--directory=./"]
-        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
-        priority: 50
 
-  ## CONTAINERS
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.14.0
+    rev: v2.13.0-beta
     hooks:
       - id: hadolint
         args: ["--ignore=DL3013"]
-        priority: 30
 
-  ## LOCAL HOOKS
   - repo: local
     hooks:
       - id: pylint
-        name: "SDK - pylint"
-        entry: pylint --disable=W,C,R,E -j 0 -rn -sn
+        name: pylint
+        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
         language: system
-        types: [python]
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
-        priority: 30
+        files: '.*\.py'
 
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --since-commit HEAD --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
         # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
-        pass_filenames: false
         stages: ["pre-commit", "pre-push"]
-        priority: 40
 
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bandit -q -lll
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
         language: system
-        types: [python]
         files: '.*\.py'
-        exclude:
-          { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
-        priority: 40
 
       - id: safety
         name: safety
         description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
-        entry: safety check --policy-file .safety-policy.yml
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027'
         language: system
-        pass_filenames: false
-        files:
-          {
-            glob:
-              [
-                "**/pyproject.toml",
-                "**/poetry.lock",
-                "**/requirements*.txt",
-                ".safety-policy.yml",
-              ],
-          }
-        priority: 40
 
       - id: vulture
         name: vulture
         description: "Vulture finds unused code in Python programs."
-        entry: vulture --min-confidence 100
+        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
         language: system
-        types: [python]
         files: '.*\.py'
-        priority: 40
+
+      - id: ui-checks
+        name: UI - Husky Pre-commit
+        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
+        entry: bash -c 'cd ui && .husky/pre-commit'
+        language: system
+        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
+        pass_filenames: false
+        verbose: true

.readthedocs.yaml

@@ -13,7 +13,7 @@ build:
     post_create_environment:
       # Install poetry
       # https://python-poetry.org/docs/#installing-manually
-      - python -m pip install poetry==2.3.4
+      - python -m pip install poetry
     post_install:
       # Install dependencies with 'docs' dependency group
       # https://python-poetry.org/docs/managing-dependencies/#dependency-groups

.safety-policy.yml

@@ -1,58 +0,0 @@
-# Safety policy for `safety check` (Safety CLI 3.x, v2 schema).
-# Applied in: .pre-commit-config.yaml, .github/workflows/api-security.yml,
-# .github/workflows/sdk-security.yml via `--policy-file`.
-#
-# Validate: poetry run safety validate policy_file --path .safety-policy.yml
-
-security:
-  # Scan unpinned requirements too. Prowler pins via poetry.lock, so this is
-  # defensive against accidental unpinned entries.
-  ignore-unpinned-requirements: False
-
-  # CVSS severity filter. 7 = report only HIGH (7.0–8.9) and CRITICAL (9.0–10.0).
-  # Reference: 9=CRITICAL only, 7=CRITICAL+HIGH, 4=CRITICAL+HIGH+MEDIUM.
-  ignore-cvss-severity-below: 7
-
-  # Unknown severity is unrated, not safe. Keep False so unrated CVEs still fail
-  # the build and get a human eye. Flip to True only if noise is unmanageable.
-  ignore-cvss-unknown-severity: False
-
-  # Fail the build when a non-ignored vulnerability is found.
-  continue-on-vulnerability-error: False
-
-  # Explicit accepted vulnerabilities. Each entry MUST have a reason and an
-  # expiry. Expired entries fail the scan, forcing re-audit.
-  ignore-vulnerabilities:
-    77744:
-      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
-      expires: '2026-10-22'
-    77745:
-      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
-      expires: '2026-10-22'
-    79023:
-      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
-      expires: '2026-10-22'
-    79027:
-      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
-      expires: '2026-10-22'
-    86217:
-      reason: "alibabacloud-tea-openapi==0.4.3 blocks upgrade to cryptography >=46.0.0."
-      expires: '2026-10-22'
-    71600:
-      reason: "CVE-2024-1135 false positive. Fixed in gunicorn 22.0.0; project uses 23.0.0."
-      expires: '2026-10-22'
-    70612:
-      reason: "TBD - audit required. Reason not documented in prior --ignore list."
-      expires: '2026-07-22'
-    66963:
-      reason: "TBD - audit required. Reason not documented in prior --ignore list."
-      expires: '2026-07-22'
-    74429:
-      reason: "TBD - audit required. Reason not documented in prior --ignore list."
-      expires: '2026-07-22'
-    76352:
-      reason: "TBD - audit required. Reason not documented in prior --ignore list."
-      expires: '2026-07-22'
-    76353:
-      reason: "TBD - audit required. Reason not documented in prior --ignore list."
-      expires: '2026-07-22'

.worktreeinclude

@@ -1,2 +0,0 @@
-.envrc
-ui/.env.local

AGENTS.md

@@ -46,8 +46,6 @@ Use these skills for detailed patterns on-demand:
 | `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
 | `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
 | `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
-| `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
 | `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
 | `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
 | `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
@@ -87,15 +85,15 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Fixing bug | `tdd` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
-| Implementing feature | `tdd` |
 | Importing Copilot Custom Agents into workflows | `gh-aw` |
+| Implementing feature | `tdd` |
 | Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
 | Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
 | Mapping checks to compliance controls | `prowler-compliance` |
 | Mocking AWS with moto in tests | `prowler-test-sdk` |
 | Modifying API responses | `jsonapi` |
-| Modifying component | `tdd` |
 | Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
+| Modifying component | `tdd` |
 | Refactoring code | `tdd` |
 | Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
 | Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
@@ -140,7 +138,7 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 
 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.10+, Poetry 2.3+ |
+| SDK | `prowler/` | Python 3.9+, Poetry |
 | API | `api/` | Django 5.1, DRF, Celery |
 | UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
@@ -153,12 +151,12 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 ```bash
 # Setup
 poetry install --with dev
-poetry run prek install
+poetry run pre-commit install
 
 # Code quality
 poetry run make lint
 poetry run make format
-poetry run prek run --all-files
+poetry run pre-commit run --all-files
 ```
 
 ---

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.11-slim-bookworm@sha256:519591d6871b7bc437060736b9f7456b8731f1499a57e22e6c285135ae657bf7 AS build
+FROM python:3.12.11-slim-bookworm AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
@@ -9,9 +9,6 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
-ARG ZIZMOR_VERSION=1.24.1
-ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
@@ -51,22 +48,6 @@ RUN ARCH=$(uname -m) && \
     mkdir -p /tmp/.cache/trivy && \
     chmod 777 /tmp/.cache/trivy
 
-# Install zizmor for GitHub Actions workflow scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
-    else \
-        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
-    mkdir -p /tmp/zizmor-extract && \
-    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
-    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
-    chmod +x /usr/local/bin/zizmor && \
-    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -87,7 +68,7 @@ ENV HOME='/home/prowler'
 ENV PATH="${HOME}/.local/bin:${PATH}"
 #hadolint ignore=DL3013
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry==2.3.4
+    pip install --no-cache-dir poetry
 
 RUN poetry install --compile && \
     rm -rf ~/.cache/pip

README.md

@@ -3,7 +3,7 @@
   <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
-  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
+  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
 <b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
@@ -41,7 +41,7 @@
 
 # Description
 
-**Prowler** is the world’s most widely used _Open-Source Cloud Security Platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY Cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
 
 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:
 
@@ -104,22 +104,19 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 595 | 84 | 43 | 17 | Official | UI, API, CLI |
-| Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
-| GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
-| Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
-| GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
-| M365 | 101 | 10 | 4 | 10 | Official | UI, API, CLI |
-| OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 61 | 9 | 4 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
+| AWS | 572 | 83 | 41 | 17 | Official | UI, API, CLI |
+| Azure | 165 | 20 | 18 | 13 | Official | UI, API, CLI |
+| GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
+| GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
+| M365 | 75 | 7 | 4 | 4 | Official | UI, API, CLI |
+| OCI | 51 | 13 | 3 | 12 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
+| Cloudflare | 29 | 2 | 0 | 5 | Official | CLI, API |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 3 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 25 | 4 | 2 | 4 | Official | CLI |
-| OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 5 | Official | CLI |
+| OpenStack | 1 | 1 | 0 | 2 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]
@@ -240,17 +237,9 @@ pnpm start
 
 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
 
-**Pre-commit Hooks Setup**
-
-Some pre-commit hooks require tools installed on your system:
-
-1. **Install [TruffleHog](https://github.com/trufflesecurity/trufflehog#install)** (secret scanning) — see the [official installation options](https://github.com/trufflesecurity/trufflehog#install).
-
-2. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
-
 ## Prowler CLI
 ### Pip package
-Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >=3.10, <3.13:
+Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >3.9.1, <3.13:
 
 ```console
 pip install prowler
@@ -282,7 +271,7 @@ The container images are available here:
 
 ### From GitHub
 
-Python >=3.10, <3.13 is required with pip and Poetry:
+Python >3.9.1, <3.13 is required with pip and Poetry:
 
 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -300,36 +289,6 @@ python prowler-cli.py -v
 > If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
 > For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.
 
-# 🛡️ GitHub Action
-
-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
-
-```yaml
-name: Prowler IaC Scan
-on:
-  pull_request:
-
-permissions:
-  contents: read
-  security-events: write
-  actions: read
-
-jobs:
-  prowler:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: prowler-cloud/prowler@5.25
-        with:
-          provider: iac
-          output-formats: sarif json-ocsf
-          upload-sarif: true
-          flags: --severity critical high
-```
-
-Full configuration, per-provider authentication, and SARIF examples: [Prowler GitHub Action tutorial](docs/user-guide/tutorials/prowler-app-github-action.mdx). Marketplace listing: [Prowler Security Scan](https://github.com/marketplace/actions/prowler-security-scan).
-
 # ✏️ High level architecture
 
 ## Prowler App
@@ -340,10 +299,7 @@ Full configuration, per-provider authentication, and SARIF examples: [Prowler Gi
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
 - **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.
 
-![Prowler App Architecture](docs/images/products/prowler-app-architecture.png)
-
-<!-- Diagram source: docs/images/products/prowler-app-architecture.mmd — edit there, re-render at https://mermaid.live, and replace the PNG. -->
-
+![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)
 
 ## Prowler CLI
 

action.yml

@@ -1,307 +0,0 @@
-name: Prowler Security Scan
-description: Run Prowler cloud security scanner using the official Docker image
-branding:
-  icon: cloud
-  color: green
-
-inputs:
-  provider:
-    description: Cloud provider to scan (e.g. aws, azure, gcp, github, kubernetes, iac). See https://docs.prowler.com for supported providers.
-    required: true
-  image-tag:
-    description: >
-      Docker image tag for prowlercloud/prowler.
-      Default is "stable" (latest release). Available tags:
-      "stable" (latest release), "latest" (master branch, not stable),
-      "<x.y.z>" (pinned release version).
-      See all tags at https://hub.docker.com/r/prowlercloud/prowler/tags
-    required: false
-    default: stable
-  output-formats:
-    description: Output format(s) for scan results (e.g. "json-ocsf", "sarif json-ocsf")
-    required: false
-    default: json-ocsf
-  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
-    required: false
-    default: "false"
-  flags:
-    description: 'Additional CLI flags passed to the Prowler scan (e.g. "--severity critical high --compliance cis_aws"). Values containing spaces can be quoted, e.g. "--resource-tag ''Environment=My Server''".'
-    required: false
-    default: ""
-  extra-env:
-    description: >
-      Space-, newline-, or comma-separated list of host environment variable NAMES to forward to the Prowler container
-      (e.g. "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN" for AWS,
-      "GITHUB_PERSONAL_ACCESS_TOKEN" for GitHub, "CLOUDFLARE_API_TOKEN" for Cloudflare).
-      List names only; set the values via `env:` at the workflow or job level (typically from `secrets.*`).
-      See the README for per-provider examples.
-    required: false
-    default: ""
-  upload-sarif:
-    description: 'Upload SARIF results to GitHub Code Scanning (requires "sarif" in output-formats and both `security-events: write` and `actions: read` permissions)'
-    required: false
-    default: "false"
-  sarif-file:
-    description: Path to the SARIF file to upload (auto-detected from output/ if not set)
-    required: false
-    default: ""
-  sarif-category:
-    description: Category for the SARIF upload (used to distinguish multiple analyses)
-    required: false
-    default: prowler
-  fail-on-findings:
-    description: Fail the workflow step when Prowler detects findings (exit code 3). By default the action tolerates findings and succeeds.
-    required: false
-    default: "false"
-
-runs:
-  using: composite
-  steps:
-    - name: Validate inputs
-      shell: bash
-      env:
-        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
-        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
-      run: |
-        # Validate image tag format (alphanumeric, dots, hyphens, underscores only)
-        if [[ ! "$INPUT_IMAGE_TAG" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid image-tag '${INPUT_IMAGE_TAG}'. Must contain only alphanumeric characters, dots, hyphens, and underscores."
-          exit 1
-        fi
-
-        # Warn if upload-sarif is enabled but sarif not in output-formats
-        if [ "$INPUT_UPLOAD_SARIF" = "true" ]; then
-          if [[ ! "$INPUT_OUTPUT_FORMATS" =~ (^|[[:space:]])sarif($|[[:space:]]) ]]; then
-            echo "::warning::upload-sarif is enabled but 'sarif' is not included in output-formats ('${INPUT_OUTPUT_FORMATS}'). SARIF upload will fail unless you add 'sarif' to output-formats."
-          fi
-        fi
-
-    - name: Run Prowler scan
-      shell: bash
-      env:
-        INPUT_PROVIDER: ${{ inputs.provider }}
-        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
-        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
-        INPUT_FLAGS: ${{ inputs.flags }}
-        INPUT_EXTRA_ENV: ${{ inputs.extra-env }}
-        INPUT_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
-      run: |
-        set -e
-
-        # Parse space-separated inputs with shlex so values with spaces can be quoted
-        # (e.g. `--resource-tag 'Environment=My Server'`).
-        mapfile -t OUTPUT_FORMATS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_OUTPUT_FORMATS", ""))]')
-        mapfile -t EXTRA_FLAGS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_FLAGS", ""))]')
-        mapfile -t EXTRA_ENV_NAMES < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_EXTRA_ENV", "").replace(",", " "))]')
-
-        env_args=()
-        for var in "${EXTRA_ENV_NAMES[@]}"; do
-          [ -z "$var" ] && continue
-          if [[ ! "$var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
-            echo "::error::Invalid env var name '${var}' in extra-env. Names must match ^[A-Za-z_][A-Za-z0-9_]*$."
-            exit 1
-          fi
-          env_args+=("-e" "$var")
-        done
-
-        push_args=()
-        if [ "$INPUT_PUSH_TO_CLOUD" = "true" ]; then
-          push_args=("--push-to-cloud")
-          env_args+=("-e" "PROWLER_CLOUD_API_KEY")
-        fi
-
-        mkdir -p "$GITHUB_WORKSPACE/output"
-        chmod 777 "$GITHUB_WORKSPACE/output"
-
-        set +e
-        docker run --rm \
-          "${env_args[@]}" \
-          -v "$GITHUB_WORKSPACE:/home/prowler/workspace" \
-          -v "$GITHUB_WORKSPACE/output:/home/prowler/workspace/output" \
-          -w /home/prowler/workspace \
-          "prowlercloud/prowler:${INPUT_IMAGE_TAG}" \
-          "$INPUT_PROVIDER" \
-          --output-formats "${OUTPUT_FORMATS[@]}" \
-          "${push_args[@]}" \
-          "${EXTRA_FLAGS[@]}"
-        exit_code=$?
-        set -e
-
-        # Exit code 3 = findings detected
-        if [ "$exit_code" -eq 3 ] && [ "$INPUT_FAIL_ON_FINDINGS" != "true" ]; then
-          echo "::notice::Prowler detected findings (exit code 3). Set fail-on-findings to 'true' to fail the workflow on findings."
-          exit 0
-        fi
-        exit $exit_code
-
-    - name: Upload scan results
-      if: always()
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: prowler-${{ inputs.provider }}
-        path: output/
-        retention-days: 30
-        if-no-files-found: warn
-
-    - name: Find SARIF file
-      if: always() && inputs.upload-sarif == 'true'
-      id: find-sarif
-      shell: bash
-      env:
-        INPUT_SARIF_FILE: ${{ inputs.sarif-file }}
-      run: |
-        if [ -n "$INPUT_SARIF_FILE" ]; then
-          echo "sarif_path=$INPUT_SARIF_FILE" >> "$GITHUB_OUTPUT"
-        else
-          sarif_file=$(find output/ -name '*.sarif' -type f | head -1)
-          if [ -z "$sarif_file" ]; then
-            echo "::warning::No .sarif file found in output/. Ensure 'sarif' is included in output-formats."
-            echo "sarif_path=" >> "$GITHUB_OUTPUT"
-          else
-            echo "sarif_path=$sarif_file" >> "$GITHUB_OUTPUT"
-          fi
-        fi
-
-    - name: Upload SARIF to GitHub Code Scanning
-      if: always() && inputs.upload-sarif == 'true' && steps.find-sarif.outputs.sarif_path != ''
-      uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
-      with:
-        sarif_file: ${{ steps.find-sarif.outputs.sarif_path }}
-        category: ${{ inputs.sarif-category }}
-
-    - name: Write scan summary
-      if: always()
-      shell: bash
-      env:
-        INPUT_PROVIDER: ${{ inputs.provider }}
-        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
-        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        REPO_URL: ${{ github.server_url }}/${{ github.repository }}
-        BRANCH: ${{ github.head_ref || github.ref_name }}
-        GH_TOKEN: ${{ github.token }}
-      run: |
-        set +e
-
-        # Build a link to the scan step in the workflow logs. Requires `actions: read`
-        # on the caller's GITHUB_TOKEN; silently skips the link if unavailable.
-        scan_step_url=""
-        if [ -n "${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then
-          job_info=$(gh api \
-            "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT:-1}/jobs" \
-            --jq ".jobs[] | select(.runner_name == \"${RUNNER_NAME:-}\")" 2>/dev/null)
-          if [ -n "$job_info" ]; then
-            job_id=$(jq -r '.id // empty' <<<"$job_info")
-            step_number=$(jq -r '[.steps[]? | select((.name // "") | test("Run Prowler scan"; "i")) | .number] | first // empty' <<<"$job_info")
-            if [ -z "$step_number" ]; then
-              step_number=$(jq -r '[.steps[]? | select(.status == "in_progress") | .number] | first // empty' <<<"$job_info")
-            fi
-            if [ -n "$job_id" ] && [ -n "$step_number" ]; then
-              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}#step:${step_number}:1"
-            elif [ -n "$job_id" ]; then
-              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}"
-            fi
-          fi
-        fi
-
-        # Map provider code to a properly-cased display name.
-        case "$INPUT_PROVIDER" in
-          alibabacloud)    provider_name="Alibaba Cloud" ;;
-          aws)             provider_name="AWS" ;;
-          azure)           provider_name="Azure" ;;
-          cloudflare)      provider_name="Cloudflare" ;;
-          gcp)             provider_name="GCP" ;;
-          github)          provider_name="GitHub" ;;
-          googleworkspace) provider_name="Google Workspace" ;;
-          iac)             provider_name="IaC" ;;
-          image)           provider_name="Container Image" ;;
-          kubernetes)      provider_name="Kubernetes" ;;
-          llm)             provider_name="LLM" ;;
-          m365)            provider_name="Microsoft 365" ;;
-          mongodbatlas)    provider_name="MongoDB Atlas" ;;
-          nhn)             provider_name="NHN" ;;
-          openstack)       provider_name="OpenStack" ;;
-          oraclecloud)     provider_name="Oracle Cloud" ;;
-          vercel)          provider_name="Vercel" ;;
-          *)               provider_name="${INPUT_PROVIDER^}" ;;
-        esac
-
-        ocsf_file=$(find output/ -name '*.ocsf.json' -type f 2>/dev/null | head -1)
-
-        {
-          echo "## Prowler ${provider_name} Scan Summary"
-          echo ""
-
-          counts=""
-          if [ -n "$ocsf_file" ] && [ -s "$ocsf_file" ]; then
-            counts=$(jq -r '[
-                length,
-                ([.[] | select(.status_code == "FAIL")] | length),
-                ([.[] | select(.status_code == "PASS")] | length),
-                ([.[] | select(.status_code == "MUTED")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Critical")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "High")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Medium")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Low")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Informational")] | length)
-              ] | @tsv' "$ocsf_file" 2>/dev/null)
-          fi
-
-          if [ -n "$counts" ]; then
-            read -r total fail pass muted critical high medium low info <<<"$counts"
-
-            line="**${fail:-0} failing** · ${pass:-0} passing"
-            [ "${muted:-0}" -gt 0 ] && line="${line} · ${muted} muted"
-            echo "${line} — ${total:-0} checks total"
-            echo ""
-            echo "| Severity | Failing |"
-            echo "|----------|---------|"
-            echo "| ‼️ Critical | ${critical:-0} |"
-            echo "| 🔴 High | ${high:-0} |"
-            echo "| 🟠 Medium | ${medium:-0} |"
-            echo "| 🔵 Low | ${low:-0} |"
-            echo "| ⚪ Informational | ${info:-0} |"
-            echo ""
-          else
-            echo "_No findings report was produced. Check the scan logs above._"
-            echo ""
-          fi
-
-          if [ -n "$scan_step_url" ]; then
-            echo "**Scan logs:** [view in workflow run](${scan_step_url})"
-            echo ""
-          fi
-
-          echo "**Get the full report:** [\`prowler-${INPUT_PROVIDER}\` artifact](${RUN_URL}#artifacts)"
-
-          if [ "$INPUT_UPLOAD_SARIF" = "true" ] && [ -n "$BRANCH" ]; then
-            encoded_branch=$(jq -nr --arg b "$BRANCH" '$b|@uri')
-            echo ""
-            echo "**See results in GitHub Code Security:** [open alerts on \`${BRANCH}\`](${REPO_URL}/security/code-scanning?query=is%3Aopen+branch%3A${encoded_branch})"
-          fi
-
-          if [ "$INPUT_PUSH_TO_CLOUD" != "true" ]; then
-            echo ""
-            echo "---"
-            echo ""
-            echo "### Scale ${provider_name} security with Prowler Cloud ☁️"
-            echo ""
-            echo "Send this scan's findings to **[Prowler Cloud](https://cloud.prowler.com)** and get:"
-            echo ""
-            echo "- **Unified findings** across every cloud, SaaS provider (M365, Google Workspace, GitHub, MongoDB Atlas), IaC repo, Kubernetes cluster, and container image"
-            echo "- **Posture over time** with alerts, and notifications"
-            echo "- **Prowler Lighthouse AI**: agentic assistant that triages findings, explains root cause and helps with remediation"
-            echo "- **50+ Compliance frameworks** mapped automatically"
-            echo "- **Enterprise-ready platform**: SOC 2 Type 2, SSO/SAML, AWS Security Hub, S3 and Jira integrations"
-            echo ""
-            echo "**Get started in 3 steps:**"
-            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
-            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
-            echo ""
-            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
-          fi
-        } >> "$GITHUB_STEP_SUMMARY"

api/AGENTS.md

@@ -4,8 +4,6 @@
 > - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
 > - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
 > - [`prowler-attack-paths-query`](../skills/prowler-attack-paths-query/SKILL.md) - Attack Paths openCypher queries
-> - [`django-migration-psql`](../skills/django-migration-psql/SKILL.md) - Migration best practices for PostgreSQL
-> - [`postgresql-indexing`](../skills/postgresql-indexing/SKILL.md) - PostgreSQL indexing, EXPLAIN, monitoring, maintenance
 > - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
@@ -18,20 +16,14 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
-| Analyzing query performance with EXPLAIN | `postgresql-indexing` |
 | Committing changes | `prowler-commit` |
 | Create PR that requires changelog entry | `prowler-changelog` |
 | Creating API endpoints | `jsonapi` |
 | Creating Attack Paths queries | `prowler-attack-paths-query` |
 | Creating ViewSets, serializers, or filters in api/ | `django-drf` |
 | Creating a git commit | `prowler-commit` |
-| Creating or modifying PostgreSQL indexes | `postgresql-indexing` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying models, views, serializers | `prowler-api` |
-| Debugging slow queries or missing indexes | `postgresql-indexing` |
-| Dropping or reindexing PostgreSQL indexes | `postgresql-indexing` |
 | Fixing bug | `tdd` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -40,14 +32,12 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Refactoring code | `tdd` |
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Update CHANGELOG.md in any component | `prowler-changelog` |
 | Updating existing Attack Paths queries | `prowler-attack-paths-query` |
 | Working on task | `tdd` |
 | Writing Prowler API tests | `prowler-test-api` |
 | Writing Python tests with pytest | `pytest` |
-| Writing data backfill or data migration | `django-migration-psql` |
 
 ---
 

api/CHANGELOG.md

@@ -2,225 +2,6 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.27.0] (Prowler UNRELEASED)
-
-### 🚀 Added
-
-- New `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
-
----
-
-## [1.26.1] (Prowler v5.25.1)
-
-### 🐞 Fixed
-
-- Attack Paths: AWS scans no longer fail when enabled regions cannot be retrieved, and scans stuck in `scheduled` state are now cleaned up after the stale threshold [(#10917)](https://github.com/prowler-cloud/prowler/pull/10917)
-- Scan report and compliance downloads now redirect to a presigned S3 URL instead of streaming through the API worker, preventing gunicorn timeouts on large files [(#10927)](https://github.com/prowler-cloud/prowler/pull/10927)
-
----
-
-## [1.26.0] (Prowler v5.25.0)
-
-### 🚀 Added
-
-- CIS Benchmark PDF report generation for scans, exposing the latest CIS version per provider via `GET /scans/{id}/cis/{name}/` [(#10650)](https://github.com/prowler-cloud/prowler/pull/10650)
-- `/overviews/resource-groups` (resource inventory), `/overviews/categories` and `/overviews/attack-surfaces` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task now also dispatches `aggregate_scan_resource_group_summaries_task`, `aggregate_scan_category_summaries_task` and `aggregate_attack_surface_task` per latest scan of every `(provider, day)` pair, rebuilding `ScanGroupSummary`, `ScanCategorySummary` and `AttackSurfaceOverview` alongside the tables already covered in #10827 [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
-- Install zizmor v1.24.1 in API Docker image for GitHub Actions workflow scanning [(#10607)](https://github.com/prowler-cloud/prowler/pull/10607)
-
-### 🔄 Changed
-
-- Allows tenant owners to expel users from their organizations [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
-- `aggregate_findings`, `aggregate_attack_surface`, `aggregate_scan_resource_group_summaries` and `aggregate_scan_category_summaries` now upsert via `bulk_create(update_conflicts=True, ...)` instead of the prior `ignore_conflicts=True` / plain INSERT / `already backfilled` short-circuit. Re-runs triggered by the post-mute reaggregation pipeline no longer trip the `unique_*_per_scan` constraints nor silently drop updates, and are race-safe under concurrent writers (e.g. scan completion overlapping with a fresh mute rule) [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
-- Rename the scan-category and scan-resource-group summary aggregators from `backfill_*` to `aggregate_*` [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
-
-### 🐞 Fixed
-
-- `generate_outputs_task` crashing with `KeyError` for compliance frameworks listed by `get_compliance_frameworks` but not loadable by `Compliance.get_bulk` [(#10903)](https://github.com/prowler-cloud/prowler/pull/10903)
-
----
-
-## [1.25.4] (Prowler v5.24.4)
-
-### 🚀 Added
-
-- `DJANGO_SENTRY_TRACES_SAMPLE_RATE` env var (default `0.02`) enables Sentry performance tracing for the API [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
-
-### 🔄 Changed
-
-- Attack Paths: Neo4j driver `connection_acquisition_timeout` is now configurable via `NEO4J_CONN_ACQUISITION_TIMEOUT` (default lowered from 120 s to 15 s) [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
-
-### 🐞 Fixed
-
-- `/tmp/prowler_api_output` saturation in compliance report workers: the final `rmtree` in `generate_compliance_reports` now only waits on frameworks actually generated for the provider (so unsupported frameworks no longer leave a placeholder `results` entry that blocks cleanup), output directories are created lazily per enabled framework, and both `generate_compliance_reports` and `generate_outputs_task` run an opportunistic stale cleanup at task start with a 48h age threshold, a per-host `fcntl` throttle, a 50-deletions-per-run cap, and guards that protect EXECUTING scans and scans whose `output_location` still points to a local path (metadata lookups routed through the admin DB so RLS does not hide those rows) [(#10874)](https://github.com/prowler-cloud/prowler/pull/10874)
-
----
-
-## [1.25.3] (Prowler v5.24.3)
-
-### 🚀 Added
-
-- `/overviews/findings`, `/overviews/findings-severity` and `/overviews/services` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task was extended to re-run the same per-scan pipeline that scan completion runs (`ScanSummary`, `DailySeveritySummary`, `FindingGroupDailySummary`) on the latest scan of every `(provider, day)` pair, keeping the pre-aggregated tables in sync with `Finding.muted` updates [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
-
-### 🐞 Fixed
-
-- Finding groups aggregated `status` now treats muted findings as resolved: a group is `FAIL` only while at least one non-muted FAIL remains, otherwise it is `PASS` (including fully-muted groups). The `filter[status]` filter and the `sort=status` ordering share the same semantics, keeping `status` consistent with `fail_count` and the orthogonal `muted` flag [(#10825)](https://github.com/prowler-cloud/prowler/pull/10825)
-- `aggregate_findings` is now idempotent: it deletes the scan's existing `ScanSummary` rows before `bulk_create`, so re-runs (such as the post-mute reaggregation pipeline) no longer violate the `unique_scan_summary` constraint and no longer abort the downstream `DailySeveritySummary` / `FindingGroupDailySummary` recomputation for the affected scan [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
-- Attack Paths: Findings on AWS were silently dropped during the Neo4j merge for resources whose Cartography node is keyed by a short identifier (e.g. EC2 instances) rather than the full ARN [(#10839)](https://github.com/prowler-cloud/prowler/pull/10839)
-
----
-
-## [1.25.2] (Prowler v5.24.2)
-
-### 🔄 Changed
-
-- Finding groups `/resources` endpoints now materialize the filtered finding IDs into a Python list before filtering `ResourceFindingMapping`, so PostgreSQL switches from a Merge Semi Join that read hundreds of thousands of RFM index entries to a Nested Loop Index Scan over `finding_id`. The `has_mappings.exists()` pre-check is removed, and a request-scoped cache deduplicates the finding-id round-trip across the helpers that build different RFM querysets [(#10816)](https://github.com/prowler-cloud/prowler/pull/10816)
-
-### 🐞 Fixed
-
-- `/finding-groups/latest/<check_id>/resources` now selects the latest completed scan per provider by `-completed_at` (then `-inserted_at`) instead of `-inserted_at`, matching the `/finding-groups/latest` summary path and the daily-summary upsert so overlapping scans no longer produce diverging `delta`/`new_count` between the two endpoints [(#10802)](https://github.com/prowler-cloud/prowler/pull/10802)
-
-
-## [1.25.1] (Prowler v5.24.1)
-
-### 🔄 Changed
-
-- Attack Paths: Restore `SYNC_BATCH_SIZE` and `FINDINGS_BATCH_SIZE` defaults to 1000, upgrade Cartography to 0.135.0, enable Celery queue priority for cleanup task, rewrite Finding insertion, remove AWS graph cleanup and add timing logs [(#10729)](https://github.com/prowler-cloud/prowler/pull/10729)
-
-### 🐞 Fixed
-
-- Finding group resources endpoints now include findings without associated resources (orphaned IaC findings) as simulated resource rows, and return one row per finding when multiple findings share a resource [(#10708)](https://github.com/prowler-cloud/prowler/pull/10708)
-- Attack Paths: Missing `tenant_id` filter while getting related findings after scan completes [(#10722)](https://github.com/prowler-cloud/prowler/pull/10722)
-- Finding group counters `pass_count`, `fail_count` and `manual_count` now exclude muted findings [(#10753)](https://github.com/prowler-cloud/prowler/pull/10753)
-- Silent data loss in `ResourceFindingMapping` bulk insert that left findings orphaned when `INSERT ... ON CONFLICT DO NOTHING` dropped rows without raising; added explicit `unique_fields` [(#10724)](https://github.com/prowler-cloud/prowler/pull/10724)
-- `DELETE /tenants/{tenant_pk}/memberships/{id}` now deletes the expelled user's account when the removed membership was their last one, and blacklists every outstanding refresh token for that user so their existing sessions can no longer mint new access tokens [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
-
----
-
-## [1.25.0] (Prowler v5.24.0)
-
-### 🔄 Changed
-
-- Bump Poetry to `2.3.4` in Dockerfile and pre-commit hooks. Regenerate `api/poetry.lock` [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681)
-- Attack Paths: Remove dead `cleanup_findings` no-op and its supporting `prowler_finding_lastupdated` index [(#10684)](https://github.com/prowler-cloud/prowler/pull/10684)
-
-### 🐞 Fixed
-
-- Worker-beat race condition on cold start: replaced `sleep 15` with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to `8080` [(#10603)](https://github.com/prowler-cloud/prowler/pull/10603)
-- API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation [(#10646)](https://github.com/prowler-cloud/prowler/pull/10646)
-
-### 🔐 Security
-
-- `pytest` from 8.2.2 to 9.0.3 to fix CVE-2025-71176 [(#10678)](https://github.com/prowler-cloud/prowler/pull/10678)
-
----
-
-## [1.24.0] (Prowler v5.23.0)
-
-### 🚀 Added
-
-- RBAC role lookup filtered by `tenant_id` to prevent cross-tenant privilege leak [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
-- `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
-- `Vercel` provider support [(#10190)](https://github.com/prowler-cloud/prowler/pull/10190)
-- Finding groups list and latest endpoints support `sort=delta`, ordering by `new_count` then `changed_count` so groups with the most new findings rank highest [(#10606)](https://github.com/prowler-cloud/prowler/pull/10606)
-- Finding group resources endpoints (`/finding-groups/{check_id}/resources` and `/finding-groups/latest/{check_id}/resources`) now expose `finding_id` per row, pointing to the most recent matching Finding for each resource. UUIDv7 ordering guarantees `Max(finding__id)` resolves to the latest snapshot [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
-- Handle CIS and CISA SCuBA compliance framework from google workspace [(#10629)](https://github.com/prowler-cloud/prowler/pull/10629)
-- Sort support for all finding group counter fields: `pass_muted_count`, `fail_muted_count`, `manual_muted_count`, and all `new_*`/`changed_*` status-mute breakdown counters [(#10655)](https://github.com/prowler-cloud/prowler/pull/10655)
-
-### 🔄 Changed
-
-- Finding groups list/latest/resources now expose `status` ∈ `{FAIL, PASS, MANUAL}` and `muted: bool` as orthogonal fields. The aggregated `status` reflects the underlying check outcome regardless of mute state, and `muted=true` signals that every finding in the group/resource is muted. New `manual_count` is exposed alongside `pass_count`/`fail_count`, plus `pass_muted_count`/`fail_muted_count`/`manual_muted_count` siblings so clients can isolate the muted half of each status. The `new_*`/`changed_*` deltas are now broken down by status and mute state via 12 new counters (`new_fail_count`, `new_fail_muted_count`, `new_pass_count`, `new_pass_muted_count`, `new_manual_count`, `new_manual_muted_count` and the matching `changed_*` set). New `filter[muted]=true|false` and `sort=status` (FAIL > PASS > MANUAL) / `sort=muted` are supported. `filter[status]=MUTED` is no longer accepted [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
-- Attack Paths: Periodic cleanup of stale scans with dead-worker detection via Celery inspect, marking orphaned `EXECUTING` scans as `FAILED` and recovering `graph_data_ready` [(#10387)](https://github.com/prowler-cloud/prowler/pull/10387)
-- Attack Paths: Replace `_provider_id` property with `_Provider_{uuid}` label for provider isolation, add regex-based label injection for custom queries [(#10402)](https://github.com/prowler-cloud/prowler/pull/10402)
-
-### 🐞 Fixed
-
-- `reaggregate_all_finding_group_summaries_task` now refreshes finding group daily summaries for every `(provider, day)` combination instead of only the latest scan per provider, matching the unbounded scope of `mute_historical_findings_task`. Mute rule operations no longer leave older daily summaries drifting from the underlying muted findings [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
-- Finding groups list/latest now apply computed status/severity filters and finding-level prefilters (delta, region, service, category, resource group, scan, resource type), plus `check_title` support for sort/filter consistency [(#10428)](https://github.com/prowler-cloud/prowler/pull/10428)
-- Populate compliance data inside `check_metadata` for findings, which was always returned as `null` [(#10449)](https://github.com/prowler-cloud/prowler/pull/10449)
-- 403 error for admin users listing tenants due to roles query not using the admin database connection [(#10460)](https://github.com/prowler-cloud/prowler/pull/10460)
-- Filter transient Neo4j defunct connection logs in Sentry `before_send` to suppress false-positive alerts handled by `RetryableSession` retries [(#10452)](https://github.com/prowler-cloud/prowler/pull/10452)
-- `MANAGE_ACCOUNT` permission no longer required for listing and creating tenants [(#10468)](https://github.com/prowler-cloud/prowler/pull/10468)
-- Finding groups muted filter, counters, metadata extraction and mute reaggregation [(#10477)](https://github.com/prowler-cloud/prowler/pull/10477)
-- Finding groups `check_title__icontains` resolution, `name__icontains` resource filter and `resource_group` field in `/resources` response [(#10486)](https://github.com/prowler-cloud/prowler/pull/10486)
-- Membership `post_delete` signal using raw FK ids to avoid `DoesNotExist` during cascade deletions [(#10497)](https://github.com/prowler-cloud/prowler/pull/10497)
-- Finding group resources endpoints returning false 404 when filters match no results, and `sort` parameter being ignored [(#10510)](https://github.com/prowler-cloud/prowler/pull/10510)
-- Jira integration failing with `JiraInvalidIssueTypeError` on non-English Jira instances due to hardcoded `"Task"` issue type; now dynamically fetches available issue types per project [(#10534)](https://github.com/prowler-cloud/prowler/pull/10534)
-- Finding group `first_seen_at` now reflects when a new finding appeared in the scan instead of the oldest carry-forward date across all unchanged findings [(#10595)](https://github.com/prowler-cloud/prowler/pull/10595)
-- Attack Paths: Remove `clear_cache` call from read-only query endpoints; cache clearing belongs to the scan/ingestion flow, not API queries [(#10586)](https://github.com/prowler-cloud/prowler/pull/10586)
-
-### 🔐 Security
-
-- Pin all unpinned dependencies to exact versions to prevent supply chain attacks and ensure reproducible builds [(#10469)](https://github.com/prowler-cloud/prowler/pull/10469)
-- `authlib` bumped from 1.6.6 to 1.6.9 to fix CVE-2026-28802 (JWT `alg: none` validation bypass) [(#10579)](https://github.com/prowler-cloud/prowler/pull/10579)
-- `aiohttp` bumped from 3.13.3 to 3.13.5 to fix CVE-2026-34520 (the C parser accepted null bytes and control characters in response headers) [(#10538)](https://github.com/prowler-cloud/prowler/pull/10538)
-
----
-
-## [1.23.0] (Prowler v5.22.0)
-
-### 🚀 Added
-
-- Finding groups support `check_title` substring filtering [(#10377)](https://github.com/prowler-cloud/prowler/pull/10377)
-
-### 🐞 Fixed
-
-- Finding groups latest endpoint now aggregates the latest snapshot per provider before check-level totals, keeping impacted resources aligned across providers [(#10419)](https://github.com/prowler-cloud/prowler/pull/10419)
-- Mute rule creation now triggers finding-group summary re-aggregation after historical muting, keeping stats in sync after mute operations [(#10419)](https://github.com/prowler-cloud/prowler/pull/10419)
-- Attack Paths: Deduplicate nodes before ProwlerFinding lookup in Attack Paths Cypher queries, reducing execution time [(#10424)](https://github.com/prowler-cloud/prowler/pull/10424)
-
-### 🔐 Security
-
-- Replace stdlib XML parser with `defusedxml` in SAML metadata parsing to prevent XML bomb (billion laughs) DoS attacks [(#10165)](https://github.com/prowler-cloud/prowler/pull/10165)
-- Bump `flask` to 3.1.3 (CVE-2026-27205) and `werkzeug` to 3.1.6 (CVE-2026-27199) [(#10430)](https://github.com/prowler-cloud/prowler/pull/10430)
-
----
-
-## [1.22.1] (Prowler v5.21.1)
-
-### 🐞 Fixed
-
-- Threat score aggregation query to eliminate unnecessary JOINs and `COUNT(DISTINCT)` overhead [(#10394)](https://github.com/prowler-cloud/prowler/pull/10394)
-
----
-
-## [1.22.0] (Prowler v5.21.0)
-
-### 🚀 Added
-
-- `CORS_ALLOWED_ORIGINS` configurable via environment variable [(#10355)](https://github.com/prowler-cloud/prowler/pull/10355)
-- Attack Paths: Tenant and provider related labels to the nodes so they can be easily filtered on custom queries [(#10308)](https://github.com/prowler-cloud/prowler/pull/10308)
-
-### 🔄 Changed
-
-- Attack Paths: Complete migration to private graph labels and properties, removing deprecated dual-write support [(#10268)](https://github.com/prowler-cloud/prowler/pull/10268)
-- Attack Paths: Reduce sync and findings memory usage with smaller batches, cursor iteration, and sequential sessions [(#10359)](https://github.com/prowler-cloud/prowler/pull/10359)
-
-### 🐞 Fixed
-
-- Attack Paths: Recover `graph_data_ready` flag when scan fails during graph swap, preventing query endpoints from staying blocked until the next successful scan [(#10354)](https://github.com/prowler-cloud/prowler/pull/10354)
-
-### 🔐 Security
-
-- Use `psycopg2.sql` to safely compose DDL in `PostgresEnumMigration`, preventing SQL injection via f-string interpolation [(#10166)](https://github.com/prowler-cloud/prowler/pull/10166)
-- Replace stdlib XML parser with `defusedxml` in SAML metadata parsing to prevent XML bomb (billion laughs) DoS attacks [(#10165)](https://github.com/prowler-cloud/prowler/pull/10165)
-
----
-
-## [1.21.0] (Prowler v5.20.0)
-
-### 🔄 Changed
-
-- Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
-- `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)
-
-### 🐞 Fixed
-
-- Attack Paths: Security hardening for custom query endpoint (Cypher blocklist, input validation, rate limiting, Helm lockdown) [(#10238)](https://github.com/prowler-cloud/prowler/pull/10238)
-- Attack Paths: Missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
-- Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)
-
----
-
 ## [1.20.0] (Prowler v5.19.0)
 
 ### 🚀 Added
@@ -230,7 +11,6 @@ All notable changes to the **Prowler API** are documented in this file.
 - PDF report for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
 - `image` provider support for container image scanning [(#10128)](https://github.com/prowler-cloud/prowler/pull/10128)
 - Attack Paths: Custom query and Cartography schema endpoints (temporarily blocked) [(#10149)](https://github.com/prowler-cloud/prowler/pull/10149)
-- `googleworkspace` provider support [(#10247)](https://github.com/prowler-cloud/prowler/pull/10247)
 
 ### 🔄 Changed
 
@@ -249,7 +29,6 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ### 🐞 Fixed
 
-- PDF compliance reports consistency with UI: exclude resourceless findings and fix ENS MANUAL status handling [(#10270)](https://github.com/prowler-cloud/prowler/pull/10270)
 - Attack Paths: Orphaned temporary Neo4j databases are now cleaned up on scan failure and provider deletion [(#10101)](https://github.com/prowler-cloud/prowler/pull/10101)
 - Attack Paths: scan no longer raises `DatabaseError` when provider is deleted mid-scan [(#10116)](https://github.com/prowler-cloud/prowler/pull/10116)
 - Tenant compliance summaries recalculated after provider deletion [(#10172)](https://github.com/prowler-cloud/prowler/pull/10172)

api/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.10-slim-bookworm@sha256:fd95fa221297a88e1cf49c55ec1828edd7c5a428187e67b5d1805692d11588db AS build
+FROM python:3.12.10-slim-bookworm AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/api"
 
@@ -8,9 +8,6 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
-ARG ZIZMOR_VERSION=1.24.1
-ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget \
@@ -25,9 +22,15 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libtool \
     libxslt1-dev \
     python3-dev \
-    git \
     && rm -rf /var/lib/apt/lists/*
 
+# Cartography depends on `dockerfile` which has no pre-built arm64 wheel and requires Go to compile
+# hadolint ignore=DL3008
+RUN if [ "$(uname -m)" = "aarch64" ]; then \
+        apt-get update && apt-get install -y --no-install-recommends golang-go \
+        && rm -rf /var/lib/apt/lists/* ; \
+    fi
+
 # Install PowerShell
 RUN ARCH=$(uname -m) && \
     if [ "$ARCH" = "x86_64" ]; then \
@@ -61,22 +64,6 @@ RUN ARCH=$(uname -m) && \
     mkdir -p /tmp/.cache/trivy && \
     chmod 777 /tmp/.cache/trivy
 
-# Install zizmor for GitHub Actions workflow scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
-    else \
-        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
-    mkdir -p /tmp/zizmor-extract && \
-    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
-    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
-    chmod +x /usr/local/bin/zizmor && \
-    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -91,7 +78,7 @@ RUN mkdir -p /tmp/prowler_api_output
 COPY pyproject.toml ./
 
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry==2.3.4
+    pip install --no-cache-dir poetry
 
 ENV PATH="/home/prowler/.local/bin:$PATH"
 

api/docker-entrypoint.sh

@@ -30,32 +30,14 @@ start_prod_server() {
   poetry run gunicorn -c config/guniconf.py config.wsgi:application
 }
 
-resolve_worker_hostname() {
-  TASK_ID=""
-
-  if [ -n "$ECS_CONTAINER_METADATA_URI_V4" ]; then
-    TASK_ID=$(wget -qO- --timeout=2 "${ECS_CONTAINER_METADATA_URI_V4}/task" | \
-      python3 -c "import sys,json; print(json.load(sys.stdin)['TaskARN'].split('/')[-1])" 2>/dev/null)
-  fi
-
-  if [ -z "$TASK_ID" ]; then
-    TASK_ID=$(python3 -c "import uuid; print(uuid.uuid4().hex)")
-  fi
-
-  echo "${TASK_ID}@$(hostname)"
-}
-
 start_worker() {
   echo "Starting the worker..."
-  poetry run python -m celery -A config.celery worker \
-    -n "$(resolve_worker_hostname)" \
-    -l "${DJANGO_LOGGING_LEVEL:-info}" \
-    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
-    -E --max-tasks-per-child 1
+  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans -E --max-tasks-per-child 1
 }
 
 start_worker_beat() {
   echo "Starting the worker-beat..."
+  sleep 15
   poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }
 

api/pyproject.toml

@@ -5,44 +5,43 @@ requires = ["poetry-core"]
 [project]
 authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
-  "celery (==5.6.2)",
+  "celery (>=5.4.0,<6.0.0)",
   "dj-rest-auth[with_social,jwt] (==7.0.1)",
   "django (==5.1.15)",
-  "django-allauth[saml] (==65.15.0)",
-  "django-celery-beat (==2.9.0)",
-  "django-celery-results (==2.6.0)",
+  "django-allauth[saml] (>=65.13.0,<66.0.0)",
+  "django-celery-beat (>=2.7.0,<3.0.0)",
+  "django-celery-results (>=2.5.1,<3.0.0)",
   "django-cors-headers==4.4.0",
   "django-environ==0.11.2",
   "django-filter==24.3",
   "django-guid==3.5.0",
-  "django-postgres-extra (==2.0.9)",
+  "django-postgres-extra (>=2.0.8,<3.0.0)",
   "djangorestframework==3.15.2",
   "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt (==5.5.1)",
-  "drf-nested-routers (==0.95.0)",
+  "djangorestframework-simplejwt (>=5.3.1,<6.0.0)",
+  "drf-nested-routers (>=0.94.1,<1.0.0)",
   "drf-spectacular==0.27.2",
   "drf-spectacular-jsonapi==0.5.1",
-  "defusedxml==0.7.1",
   "gunicorn==23.0.0",
   "lxml==5.3.2",
   "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
   "psycopg2-binary==2.9.9",
-  "pytest-celery[redis] (==1.3.0)",
-  "sentry-sdk[django] (==2.56.0)",
+  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
+  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
   "uuid6==2024.7.10",
-  "openai (==1.109.1)",
+  "openai (>=1.82.0,<2.0.0)",
   "xmlsec==1.3.14",
   "h2 (==4.3.0)",
-  "markdown (==3.10.2)",
+  "markdown (>=3.9,<4.0)",
   "drf-simple-apikey (==2.2.1)",
-  "matplotlib (==3.10.8)",
-  "reportlab (==4.4.10)",
-  "neo4j (==6.1.0)",
-  "cartography (==0.135.0)",
-  "gevent (==25.9.1)",
-  "werkzeug (==3.1.7)",
-  "sqlparse (==0.5.5)",
-  "fonttools (==4.62.1)"
+  "matplotlib (>=3.10.6,<4.0.0)",
+  "reportlab (>=4.4.4,<5.0.0)",
+  "neo4j (>=6.0.0,<7.0.0)",
+  "cartography (==0.129.0)",
+  "gevent (>=25.9.1,<26.0.0)",
+  "werkzeug (>=3.1.4)",
+  "sqlparse (>=0.5.4)",
+  "fonttools (>=4.60.2)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -50,7 +49,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.27.0"
+version = "1.20.0"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -62,9 +61,10 @@ django-silk = "5.3.2"
 docker = "7.1.0"
 filelock = "3.20.3"
 freezegun = "1.5.1"
+marshmallow = ">=3.15.0,<4.0.0"
 mypy = "1.10.1"
 pylint = "3.2.5"
-pytest = "9.0.3"
+pytest = "8.2.2"
 pytest-cov = "5.0.0"
 pytest-django = "4.8.0"
 pytest-env = "1.1.3"
@@ -74,4 +74,3 @@ ruff = "0.5.0"
 safety = "3.7.0"
 tqdm = "4.67.1"
 vulture = "2.14"
-prek = "0.3.9"

api/src/backend/api/apps.py

@@ -52,7 +52,7 @@ class ApiConfig(AppConfig):
             "check_and_fix_socialaccount_sites_migration",
         ]
 
-        # Skip eager Neo4j init for tests, some Django commands, and Celery (prefork pool: driver must stay lazy, no post_fork hook)
+        # Skip Neo4j initialization during tests, some Django commands, and Celery
         if getattr(settings, "TESTING", False) or (
             len(sys.argv) > 1
             and (
@@ -64,7 +64,7 @@ class ApiConfig(AppConfig):
             )
         ):
             logger.info(
-                "Skipping eager Neo4j init: tests, some Django commands, or Celery prefork pool (driver stays lazy)"
+                "Skipping Neo4j initialization because tests, some Django commands or Celery"
             )
 
         else:

api/src/backend/api/attack_paths/cypher_sanitizer.py

@@ -1,170 +0,0 @@
-"""
-Cypher sanitizer for custom (user-supplied) Attack Paths queries.
-
-Two responsibilities:
-
-1. **Validation** - reject queries containing SSRF or dangerous procedure
-   patterns (defense-in-depth; the primary control is ``neo4j.READ_ACCESS``).
-
-2. **Provider-scoped label injection** - inject a dynamic
-   ``_Provider_{uuid}`` label into every node pattern so the database can
-   use its native label index for provider isolation.
-
-Label-injection pipeline:
-
-1. **Protect** string literals and line comments (placeholder replacement).
-2. **Split** by top-level clause keywords to track clause context.
-3. **Pass A** - inject into *labeled* node patterns in ALL segments.
-4. **Pass B** - inject into *bare* node patterns in MATCH segments only.
-5. **Restore** protected regions.
-"""
-
-import re
-
-from rest_framework.exceptions import ValidationError
-
-from tasks.jobs.attack_paths.config import get_provider_label
-
-
-# Step 1 - String / comment protection
-# Single combined regex: strings first, then line comments.
-# The regex engine finds the leftmost match, so a string like 'https://prowler.com'
-# is consumed as a string before the // inside it can match as a comment.
-_PROTECTED_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|//[^\n]*")
-
-# Step 2 - Clause splitting
-# OPTIONAL MATCH must come before MATCH to avoid partial matching.
-_CLAUSE_RE = re.compile(
-    r"\b(OPTIONAL\s+MATCH|MATCH|WHERE|RETURN|WITH|ORDER\s+BY"
-    r"|SKIP|LIMIT|UNION|UNWIND|CALL)\b",
-    re.IGNORECASE,
-)
-
-# Pass A - Labeled node patterns (all segments)
-# Matches node patterns that have at least one :Label.
-# (?<!\w)\(  - open paren NOT preceded by a word char (excludes function calls).
-# Group 1:  optional variable + one or more :Label
-# Group 2:  optional {properties} + closing paren
-_LABELED_NODE_RE = re.compile(
-    r"(?<!\w)\("
-    r"("
-    r"\s*(?:[a-zA-Z_]\w*)?"
-    r"(?:\s*:\s*(?:`[^`]*`|[a-zA-Z_]\w*))+"
-    r")"
-    r"("
-    r"\s*(?:\{[^}]*\})?"
-    r"\s*\)"
-    r")"
-)
-
-# Pass B - Bare node patterns (MATCH segments only)
-# Matches (identifier) or (identifier {properties}) without any :Label.
-# Only applied in MATCH/OPTIONAL MATCH segments.
-_BARE_NODE_RE = re.compile(
-    r"(?<!\w)\(" r"(\s*[a-zA-Z_]\w*)" r"(\s*(?:\{[^}]*\})?)" r"\s*\)"
-)
-
-_MATCH_CLAUSES = frozenset({"MATCH", "OPTIONAL MATCH"})
-
-
-def _inject_labeled(segment: str, label: str) -> str:
-    """Inject provider label into all node patterns that have existing labels."""
-    return _LABELED_NODE_RE.sub(rf"(\1:{label}\2", segment)
-
-
-def _inject_bare(segment: str, label: str) -> str:
-    """Inject provider label into bare `(identifier)` node patterns."""
-
-    def _replace(match):
-        var = match.group(1)
-        props = match.group(2).strip()
-        if props:
-            return f"({var}:{label} {props})"
-        return f"({var}:{label})"
-
-    return _BARE_NODE_RE.sub(_replace, segment)
-
-
-def inject_provider_label(cypher: str, provider_id: str) -> str:
-    """Rewrite a Cypher query to scope every node pattern to a provider.
-
-    Args:
-        cypher: The original Cypher query string.
-        provider_id: The provider UUID (will be converted to a label via
-            `get_provider_label`).
-
-    Returns:
-        The rewritten Cypher with `:_Provider_{uuid}` appended to every
-        node pattern.
-    """
-    label = get_provider_label(provider_id)
-
-    # Step 1: Protect strings and comments (single pass, leftmost-first)
-    protected: list[str] = []
-
-    def _save(match):
-        protected.append(match.group(0))
-        return f"\x00P{len(protected) - 1}\x00"
-
-    work = _PROTECTED_RE.sub(_save, cypher)
-
-    # Step 2: Split by clause keywords
-    parts = _CLAUSE_RE.split(work)
-
-    # Steps 3-4: Apply injection passes per segment
-    result: list[str] = []
-    current_clause: str | None = None
-
-    for i, part in enumerate(parts):
-        if i % 2 == 1:
-            # Keyword token - normalize for clause tracking
-            current_clause = re.sub(r"\s+", " ", part.strip()).upper()
-            result.append(part)
-        else:
-            # Content segment - apply injection based on clause context
-            part = _inject_labeled(part, label)
-            if current_clause in _MATCH_CLAUSES:
-                part = _inject_bare(part, label)
-            result.append(part)
-
-    work = "".join(result)
-
-    # Step 5: Restore protected regions
-    for i, original in enumerate(protected):
-        work = work.replace(f"\x00P{i}\x00", original)
-
-    return work
-
-
-# ---------------------------------------------------------------------------
-# Validation
-# ---------------------------------------------------------------------------
-
-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals and comments are stripped before matching to avoid
-    false positives.
-    """
-    stripped = _PROTECTED_RE.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})

api/src/backend/api/attack_paths/database.py

@@ -1,21 +1,24 @@
 import atexit
 import logging
 import threading
+
+from typing import Any
+
 from contextlib import contextmanager
-from typing import Any, Iterator
+from typing import Iterator
 from uuid import UUID
 
 import neo4j
 import neo4j.exceptions
-from config.env import env
+
 from django.conf import settings
-from tasks.jobs.attack_paths.config import (
-    BATCH_SIZE,
-    PROVIDER_RESOURCE_LABEL,
-    get_provider_label,
-)
 
 from api.attack_paths.retryable_session import RetryableSession
+from config.env import env
+from tasks.jobs.attack_paths.config import (
+    BATCH_SIZE,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
+)
 
 # Without this Celery goes crazy with Neo4j logging
 logging.getLogger("neo4j").setLevel(logging.ERROR)
@@ -28,12 +31,10 @@ READ_QUERY_TIMEOUT_SECONDS = env.int(
     "ATTACK_PATHS_READ_QUERY_TIMEOUT_SECONDS", default=30
 )
 MAX_CUSTOM_QUERY_NODES = env.int("ATTACK_PATHS_MAX_CUSTOM_QUERY_NODES", default=250)
-CONN_ACQUISITION_TIMEOUT = env.int("NEO4J_CONN_ACQUISITION_TIMEOUT", default=15)
 READ_EXCEPTION_CODES = [
     "Neo.ClientError.Statement.AccessMode",
     "Neo.ClientError.Procedure.ProcedureNotFound",
 ]
-CLIENT_STATEMENT_EXCEPTION_PREFIX = "Neo.ClientError.Statement."
 
 # Module-level process-wide driver singleton
 _driver: neo4j.Driver | None = None
@@ -63,7 +64,7 @@ def init_driver() -> neo4j.Driver:
                 auth=(config["USER"], config["PASSWORD"]),
                 keep_alive=True,
                 max_connection_lifetime=7200,
-                connection_acquisition_timeout=CONN_ACQUISITION_TIMEOUT,
+                connection_acquisition_timeout=120,
                 max_connection_pool_size=50,
             )
             _driver.verify_connectivity()
@@ -107,7 +108,6 @@ def get_session(
     except neo4j.exceptions.Neo4jError as exc:
         if (
             default_access_mode == neo4j.READ_ACCESS
-            and exc.code
             and exc.code in READ_EXCEPTION_CODES
         ):
             message = "Read query not allowed"
@@ -115,10 +115,6 @@ def get_session(
             raise WriteQueryNotAllowedException(message=message, code=code)
 
         message = exc.message if exc.message is not None else str(exc)
-
-        if exc.code and exc.code.startswith(CLIENT_STATEMENT_EXCEPTION_PREFIX):
-            raise ClientStatementException(message=message, code=exc.code)
-
         raise GraphDatabaseQueryException(message=message, code=exc.code)
 
     finally:
@@ -164,8 +160,11 @@ def drop_subgraph(database: str, provider_id: str) -> int:
     Uses batched deletion to avoid memory issues with large graphs.
     Silently returns 0 if the database doesn't exist.
     """
-    provider_label = get_provider_label(provider_id)
     deleted_nodes = 0
+    parameters = {
+        "provider_id": provider_id,
+        "batch_size": BATCH_SIZE,
+    }
 
     try:
         with get_session(database) as session:
@@ -173,12 +172,12 @@ def drop_subgraph(database: str, provider_id: str) -> int:
             while deleted_count > 0:
                 result = session.run(
                     f"""
-                    MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
+                    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
                     WITH n LIMIT $batch_size
                     DETACH DELETE n
                     RETURN COUNT(n) AS deleted_nodes_count
                     """,
-                    {"batch_size": BATCH_SIZE},
+                    parameters,
                 )
                 deleted_count = result.single().get("deleted_nodes_count", 0)
                 deleted_nodes += deleted_count
@@ -191,26 +190,6 @@ def drop_subgraph(database: str, provider_id: str) -> int:
     return deleted_nodes
 
 
-def has_provider_data(database: str, provider_id: str) -> bool:
-    """
-    Check if any ProviderResource node exists for this provider.
-
-    Returns `False` if the database doesn't exist.
-    """
-    provider_label = get_provider_label(provider_id)
-    query = f"MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`) RETURN 1 LIMIT 1"
-
-    try:
-        with get_session(database, default_access_mode=neo4j.READ_ACCESS) as session:
-            result = session.run(query)
-            return result.single() is not None
-
-    except GraphDatabaseQueryException as exc:
-        if exc.code == "Neo.ClientError.Database.DatabaseNotFound":
-            return False
-        raise
-
-
 def clear_cache(database: str) -> None:
     query = "CALL db.clearQueryCaches()"
 
@@ -248,7 +227,3 @@ class GraphDatabaseQueryException(Exception):
 
 class WriteQueryNotAllowedException(GraphDatabaseQueryException):
     pass
-
-
-class ClientStatementException(GraphDatabaseQueryException):
-    pass

api/src/backend/api/attack_paths/queries/schema.py

@@ -1,18 +1,13 @@
-from tasks.jobs.attack_paths.config import PROVIDER_RESOURCE_LABEL, get_provider_label
-
-
-def get_cartography_schema_query(provider_id: str) -> str:
-    """Build the Cartography schema metadata query scoped to a provider label."""
-    provider_label = get_provider_label(provider_id)
-    return f"""
-        MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
-        WHERE n._module_name STARTS WITH 'cartography:'
-          AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
-          AND n._module_version IS NOT NULL
-        RETURN n._module_name AS module_name, n._module_version AS module_version
-        LIMIT 1
-    """
+from tasks.jobs.attack_paths.config import DEPRECATED_PROVIDER_RESOURCE_LABEL
 
+CARTOGRAPHY_SCHEMA_METADATA = f"""
+    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
+    WHERE n._module_name STARTS WITH 'cartography:'
+      AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
+      AND n._module_version IS NOT NULL
+    RETURN n._module_name AS module_name, n._module_version AS module_version
+    LIMIT 1
+"""
 
 GITHUB_SCHEMA_URL = (
     "https://github.com/cartography-cncf/cartography/blob/"

api/src/backend/api/attack_paths/views_helpers.py

@@ -3,26 +3,16 @@ import logging
 from typing import Any, Iterable
 
 import neo4j
-
 from rest_framework.exceptions import APIException, PermissionDenied, ValidationError
 
 from api.attack_paths import database as graph_database, AttackPathsQueryDefinition
-from api.attack_paths.cypher_sanitizer import (
-    inject_provider_label,
-    validate_custom_query,
-)
 from api.attack_paths.queries.schema import (
+    CARTOGRAPHY_SCHEMA_METADATA,
     GITHUB_SCHEMA_URL,
     RAW_SCHEMA_URL,
-    get_cartography_schema_query,
 )
 from config.custom_logging import BackendLogger
-from tasks.jobs.attack_paths.config import (
-    INTERNAL_LABELS,
-    INTERNAL_PROPERTIES,
-    get_provider_label,
-    is_dynamic_isolation_label,
-)
+from tasks.jobs.attack_paths.config import INTERNAL_LABELS, INTERNAL_PROPERTIES
 
 logger = logging.getLogger(BackendLogger.API)
 
@@ -76,6 +66,7 @@ def prepare_parameters(
 
     clean_parameters = {
         "provider_uid": str(provider_uid),
+        "provider_id": str(provider_id),
     }
 
     for definition_parameter in definition.parameters:
@@ -144,16 +135,6 @@ def execute_custom_query(
     cypher: str,
     provider_id: str,
 ) -> dict[str, Any]:
-    # Defense-in-depth for custom queries:
-    # 1. neo4j.READ_ACCESS — prevents mutations at the driver level
-    # 2. inject_provider_label() — regex-based label injection scopes node patterns
-    # 3. _serialize_graph() — post-query filter drops nodes without the provider label
-    #
-    # Layer 2 is best-effort (regex can't fully parse Cypher);
-    # layer 3 is the safety net that guarantees provider isolation.
-    validate_custom_query(cypher)
-    cypher = inject_provider_label(cypher, provider_id)
-
     try:
         graph = graph_database.execute_read_query(
             database=database_name,
@@ -162,9 +143,6 @@ def execute_custom_query(
         serialized = _serialize_graph(graph, provider_id)
         return _truncate_graph(serialized)
 
-    except graph_database.ClientStatementException as exc:
-        raise ValidationError({"query": exc.message})
-
     except graph_database.WriteQueryNotAllowedException:
         raise PermissionDenied(
             "Attack Paths query execution failed: read-only queries are enforced"
@@ -187,7 +165,10 @@ def get_cartography_schema(
         with graph_database.get_session(
             database_name, default_access_mode=neo4j.READ_ACCESS
         ) as session:
-            result = session.run(get_cartography_schema_query(provider_id))
+            result = session.run(
+                CARTOGRAPHY_SCHEMA_METADATA,
+                {"provider_id": provider_id},
+            )
             record = result.single()
     except graph_database.GraphDatabaseQueryException as exc:
         logger.error(f"Cartography schema query failed: {exc}")
@@ -231,12 +212,10 @@ def _truncate_graph(graph: dict[str, Any]) -> dict[str, Any]:
 
 
 def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
-    provider_label = get_provider_label(provider_id)
-
     nodes = []
     kept_node_ids = set()
     for node in graph.nodes:
-        if provider_label not in node.labels:
+        if node._properties.get("provider_id") != provider_id:
             continue
 
         kept_node_ids.add(node.element_id)
@@ -248,14 +227,11 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
             },
         )
 
-    filtered_count = len(graph.nodes) - len(nodes)
-    if filtered_count > 0:
-        logger.debug(
-            f"Filtered {filtered_count} nodes without provider label {provider_label}"
-        )
-
     relationships = []
     for relationship in graph.relationships:
+        if relationship._properties.get("provider_id") != provider_id:
+            continue
+
         if (
             relationship.start_node.element_id not in kept_node_ids
             or relationship.end_node.element_id not in kept_node_ids
@@ -281,11 +257,7 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
 
 
 def _filter_labels(labels: Iterable[str]) -> list[str]:
-    return [
-        label
-        for label in labels
-        if label not in INTERNAL_LABELS and not is_dynamic_isolation_label(label)
-    ]
+    return [label for label in labels if label not in INTERNAL_LABELS]
 
 
 def _serialize_properties(properties: dict[str, Any]) -> dict[str, Any]:

api/src/backend/api/base_views.py

@@ -1,10 +1,10 @@
 from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
 from rest_framework import permissions
 from rest_framework.exceptions import NotAuthenticated
 from rest_framework.filters import SearchFilter
 from rest_framework.permissions import SAFE_METHODS
-from rest_framework.response import Response
 from rest_framework_json_api import filters
 from rest_framework_json_api.views import ModelViewSet
 
@@ -12,7 +12,7 @@ from api.authentication import CombinedJWTOrAPIKeyAuthentication
 from api.db_router import MainRouter, reset_read_db_alias, set_read_db_alias
 from api.db_utils import POSTGRES_USER_VAR, rls_transaction
 from api.filters import CustomDjangoFilterBackend
-from api.models import Role, UserRoleRelationship
+from api.models import Role, Tenant
 from api.rbac.permissions import HasPermissions
 
 
@@ -113,22 +113,27 @@ class BaseTenantViewset(BaseViewSet):
             if request is not None:
                 request.db_alias = self.db_alias
 
-            if request.method == "POST":
-                with transaction.atomic(using=MainRouter.admin_db):
-                    tenant = super().dispatch(request, *args, **kwargs)
-                    if isinstance(tenant, Response) and tenant.status_code == 201:
-                        self._create_admin_role(tenant.data["id"])
-                    return tenant
-            else:
-                with transaction.atomic(using=self.db_alias):
-                    return super().dispatch(request, *args, **kwargs)
+            with transaction.atomic(using=self.db_alias):
+                tenant = super().dispatch(request, *args, **kwargs)
+
+            try:
+                # If the request is a POST, create the admin role
+                if request.method == "POST":
+                    isinstance(tenant, dict) and self._create_admin_role(
+                        tenant.data["id"]
+                    )
+            except Exception as e:
+                self._handle_creation_error(e, tenant)
+                raise
+
+            return tenant
         finally:
             if alias_token is not None:
                 reset_read_db_alias(alias_token)
             self.db_alias = MainRouter.default_db
 
     def _create_admin_role(self, tenant_id):
-        admin_role = Role.objects.using(MainRouter.admin_db).create(
+        Role.objects.using(MainRouter.admin_db).create(
             name="admin",
             tenant_id=tenant_id,
             manage_users=True,
@@ -139,11 +144,15 @@ class BaseTenantViewset(BaseViewSet):
             manage_scans=True,
             unlimited_visibility=True,
         )
-        UserRoleRelationship.objects.using(MainRouter.admin_db).create(
-            user=self.request.user,
-            role=admin_role,
-            tenant_id=tenant_id,
-        )
+
+    def _handle_creation_error(self, error, tenant):
+        if tenant.data.get("id"):
+            try:
+                Tenant.objects.using(MainRouter.admin_db).filter(
+                    id=tenant.data["id"]
+                ).delete()
+            except ObjectDoesNotExist:
+                pass  # Tenant might not exist, handle gracefully
 
     def initial(self, request, *args, **kwargs):
         if request.auth is None:

api/src/backend/api/compliance.py

@@ -1,6 +1,7 @@
 from collections.abc import Iterable, Mapping
 
 from api.models import Provider
+from prowler.config.config import get_available_compliance_frameworks
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.models import CheckMetadata
 
@@ -94,12 +95,12 @@ PROWLER_CHECKS = LazyChecksMapping()
 
 
 def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[str]:
-    """List compliance frameworks the API can load for `provider_type`.
+    """
+    Retrieve and cache the list of available compliance frameworks for a specific cloud provider.
 
-    The list is sourced from `Compliance.get_bulk` so that the names
-    returned here are guaranteed to be loadable by the bulk loader. This
-    prevents downstream key mismatches (e.g. CSV report generation iterating
-    framework names and looking them up in the bulk dict).
+    This function lazily loads and caches the available compliance frameworks (e.g., CIS, MITRE, ISO)
+    for each provider type (AWS, Azure, GCP, etc.) on first access. Subsequent calls for the same
+    provider will return the cached result.
 
     Args:
         provider_type (Provider.ProviderChoices): The cloud provider type for which to retrieve
@@ -111,8 +112,8 @@ def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[s
     """
     global AVAILABLE_COMPLIANCE_FRAMEWORKS
     if provider_type not in AVAILABLE_COMPLIANCE_FRAMEWORKS:
-        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = list(
-            Compliance.get_bulk(provider_type).keys()
+        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = (
+            get_available_compliance_frameworks(provider_type)
         )
 
     return AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type]

api/src/backend/api/db_utils.py

@@ -18,7 +18,6 @@ from django.db import (
 )
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
-from psycopg2 import sql as psycopg2_sql
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError
 
@@ -281,23 +280,15 @@ class PostgresEnumMigration:
         self.enum_values = enum_values
 
     def create_enum_type(self, apps, schema_editor):  # noqa: F841
+        string_enum_values = ", ".join([f"'{value}'" for value in self.enum_values])
         with schema_editor.connection.cursor() as cursor:
             cursor.execute(
-                psycopg2_sql.SQL("CREATE TYPE {} AS ENUM ({})").format(
-                    psycopg2_sql.Identifier(self.enum_name),
-                    psycopg2_sql.SQL(", ").join(
-                        psycopg2_sql.Literal(v) for v in self.enum_values
-                    ),
-                )
+                f"CREATE TYPE {self.enum_name} AS ENUM ({string_enum_values});"
             )
 
     def drop_enum_type(self, apps, schema_editor):  # noqa: F841
         with schema_editor.connection.cursor() as cursor:
-            cursor.execute(
-                psycopg2_sql.SQL("DROP TYPE {}").format(
-                    psycopg2_sql.Identifier(self.enum_name)
-                )
-            )
+            cursor.execute(f"DROP TYPE {self.enum_name};")
 
 
 class PostgresEnumField(models.Field):

api/src/backend/api/filters.py

@@ -15,7 +15,6 @@ from django_filters.rest_framework import (
 from rest_framework_json_api.django_filters.backends import DjangoFilterBackend
 from rest_framework_json_api.serializers import ValidationError
 
-from api.constants import SEVERITY_ORDER
 from api.db_utils import (
     FindingDeltaEnumField,
     InvitationStateEnumField,
@@ -44,7 +43,6 @@ from api.models import (
     ProviderGroup,
     ProviderSecret,
     Resource,
-    ResourceFindingMapping,
     ResourceTag,
     Role,
     Scan,
@@ -198,13 +196,17 @@ class CommonFindingFilters(FilterSet):
         field_name="resource_services", lookup_expr="icontains"
     )
 
-    resource_uid = CharFilter(method="filter_resource_uid")
-    resource_uid__in = CharInFilter(method="filter_resource_uid_in")
-    resource_uid__icontains = CharFilter(method="filter_resource_uid_icontains")
+    resource_uid = CharFilter(field_name="resources__uid")
+    resource_uid__in = CharInFilter(field_name="resources__uid", lookup_expr="in")
+    resource_uid__icontains = CharFilter(
+        field_name="resources__uid", lookup_expr="icontains"
+    )
 
-    resource_name = CharFilter(method="filter_resource_name")
-    resource_name__in = CharInFilter(method="filter_resource_name_in")
-    resource_name__icontains = CharFilter(method="filter_resource_name_icontains")
+    resource_name = CharFilter(field_name="resources__name")
+    resource_name__in = CharInFilter(field_name="resources__name", lookup_expr="in")
+    resource_name__icontains = CharFilter(
+        field_name="resources__name", lookup_expr="icontains"
+    )
 
     resource_type = CharFilter(method="filter_resource_type")
     resource_type__in = CharInFilter(field_name="resource_types", lookup_expr="overlap")
@@ -262,52 +264,6 @@ class CommonFindingFilters(FilterSet):
             )
         return queryset.filter(overall_query).distinct()
 
-    def filter_check_title_icontains(self, queryset, name, value):
-        # Resolve from the summary table (has check_title column + trigram
-        # GIN index) instead of scanning JSON in the findings table.
-        matching_check_ids = (
-            FindingGroupDailySummary.objects.filter(
-                check_title__icontains=value,
-            )
-            .values_list("check_id", flat=True)
-            .distinct()
-        )
-        return queryset.filter(check_id__in=matching_check_ids)
-
-    # --- Resource subquery filters ---
-    # Resolve resource → RFM → finding_ids first, then filter findings
-    # by id__in.  This avoids a 3-way JOIN driven from the (huge)
-    # findings side and lets PostgreSQL start from the resources
-    # unique-constraint index instead.
-
-    @staticmethod
-    def _finding_ids_for_resources(**lookup):
-        return ResourceFindingMapping.objects.filter(
-            resource__in=Resource.objects.filter(**lookup).values("id")
-        ).values("finding_id")
-
-    def filter_resource_uid(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(uid=value))
-
-    def filter_resource_uid_in(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(uid__in=value))
-
-    def filter_resource_uid_icontains(self, queryset, name, value):
-        return queryset.filter(
-            id__in=self._finding_ids_for_resources(uid__icontains=value)
-        )
-
-    def filter_resource_name(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(name=value))
-
-    def filter_resource_name_in(self, queryset, name, value):
-        return queryset.filter(id__in=self._finding_ids_for_resources(name__in=value))
-
-    def filter_resource_name_icontains(self, queryset, name, value):
-        return queryset.filter(
-            id__in=self._finding_ids_for_resources(name__icontains=value)
-        )
-
 
 class TenantFilter(FilterSet):
     inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
@@ -330,7 +286,6 @@ class MembershipFilter(FilterSet):
         model = Membership
         fields = {
             "tenant": ["exact"],
-            "user": ["exact"],
             "role": ["exact"],
             "date_joined": ["date", "gte", "lte"],
         }
@@ -435,7 +390,6 @@ class ScanFilter(ProviderRelationshipFilterSet):
     class Meta:
         model = Scan
         fields = {
-            "id": ["exact", "in"],
             "provider": ["exact", "in"],
             "name": ["exact", "icontains"],
             "started_at": ["gte", "lte"],
@@ -849,15 +803,11 @@ class FindingGroupFilter(CommonFindingFilters):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_icontains")
-    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
-    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")
 
     class Meta:
         model = Finding
         fields = {
             "check_id": ["exact", "in", "icontains"],
-            "scan": ["exact", "in"],
         }
 
     def filter_queryset(self, queryset):
@@ -945,31 +895,15 @@ class LatestFindingGroupFilter(CommonFindingFilters):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_icontains")
-    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
-    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")
 
     class Meta:
         model = Finding
         fields = {
             "check_id": ["exact", "in", "icontains"],
-            "scan": ["exact", "in"],
         }
 
 
-class _CheckTitleToCheckIdMixin:
-    """Resolve check_title search to check_ids so all provider rows are kept."""
-
-    def filter_check_title_to_check_ids(self, queryset, name, value):
-        matching_check_ids = (
-            queryset.filter(check_title__icontains=value)
-            .values_list("check_id", flat=True)
-            .distinct()
-        )
-        return queryset.filter(check_id__in=matching_check_ids)
-
-
-class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
+class FindingGroupSummaryFilter(FilterSet):
     """
     Filter for FindingGroupDailySummary queries.
 
@@ -992,7 +926,6 @@ class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
 
     # Provider filters
     provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1080,7 +1013,7 @@ class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
         return dt
 
 
-class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
+class LatestFindingGroupSummaryFilter(FilterSet):
     """
     Filter for FindingGroupDailySummary /latest endpoint.
 
@@ -1092,7 +1025,6 @@ class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
 
     # Provider filters
     provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1110,99 +1042,6 @@ class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
         }
 
 
-class FindingGroupAggregatedComputedFilter(FilterSet):
-    """Filter aggregated finding-group rows by computed status/severity/muted."""
-
-    STATUS_CHOICES = (
-        ("FAIL", "Fail"),
-        ("PASS", "Pass"),
-        ("MANUAL", "Manual"),
-    )
-
-    status = ChoiceFilter(method="filter_status", choices=STATUS_CHOICES)
-    status__in = CharInFilter(method="filter_status_in", lookup_expr="in")
-    severity = ChoiceFilter(method="filter_severity", choices=SeverityChoices)
-    severity__in = CharInFilter(method="filter_severity_in", lookup_expr="in")
-    muted = BooleanFilter(field_name="muted")
-    include_muted = BooleanFilter(method="filter_include_muted")
-
-    def filter_status(self, queryset, name, value):
-        return queryset.filter(aggregated_status=value)
-
-    def filter_status_in(self, queryset, name, value):
-        values = value
-        if isinstance(value, str):
-            values = [part.strip() for part in value.split(",") if part.strip()]
-
-        allowed = {choice[0] for choice in self.STATUS_CHOICES}
-        invalid = [
-            status_value for status_value in values if status_value not in allowed
-        ]
-        if invalid:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"invalid status filter: {invalid[0]}",
-                        "status": "400",
-                        "source": {"pointer": "/data"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-
-        if not values:
-            return queryset
-
-        return queryset.filter(aggregated_status__in=values)
-
-    def filter_severity(self, queryset, name, value):
-        severity_order = SEVERITY_ORDER.get(value)
-        if severity_order is None:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"invalid severity filter: {value}",
-                        "status": "400",
-                        "source": {"pointer": "/data"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-        return queryset.filter(severity_order=severity_order)
-
-    def filter_severity_in(self, queryset, name, value):
-        values = value
-        if isinstance(value, str):
-            values = [part.strip() for part in value.split(",") if part.strip()]
-
-        orders = []
-        for severity_value in values:
-            severity_order = SEVERITY_ORDER.get(severity_value)
-            if severity_order is None:
-                raise ValidationError(
-                    [
-                        {
-                            "detail": f"invalid severity filter: {severity_value}",
-                            "status": "400",
-                            "source": {"pointer": "/data"},
-                            "code": "invalid",
-                        }
-                    ]
-                )
-            orders.append(severity_order)
-
-        if not orders:
-            return queryset
-
-        return queryset.filter(severity_order__in=orders)
-
-    def filter_include_muted(self, queryset, name, value):
-        if value is True:
-            return queryset
-        # include_muted=false: exclude fully-muted groups
-        return queryset.exclude(muted=True)
-
-
 class ProviderSecretFilter(FilterSet):
     inserted_at = DateFilter(
         field_name="inserted_at",

api/src/backend/api/migrations/0084_googleworkspace_provider.py

@@ -1,39 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0083_image_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'googleworkspace';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/migrations/0085_finding_group_daily_summary_trgm_indexes.py

@@ -1,31 +0,0 @@
-# Generated by Django 5.1.15 on 2026-03-18
-
-from django.contrib.postgres.indexes import GinIndex, OpClass
-from django.contrib.postgres.operations import AddIndexConcurrently
-from django.db import migrations
-from django.db.models.functions import Upper
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0084_googleworkspace_provider"),
-    ]
-
-    operations = [
-        AddIndexConcurrently(
-            model_name="findinggroupdailysummary",
-            index=GinIndex(
-                OpClass(Upper("check_id"), name="gin_trgm_ops"),
-                name="fgds_check_id_trgm_idx",
-            ),
-        ),
-        AddIndexConcurrently(
-            model_name="findinggroupdailysummary",
-            index=GinIndex(
-                OpClass(Upper("check_title"), name="gin_trgm_ops"),
-                name="fgds_check_title_trgm_idx",
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0086_attack_paths_cleanup_periodic_task.py

@@ -1,49 +0,0 @@
-from django.db import migrations
-
-
-TASK_NAME = "attack-paths-cleanup-stale-scans"
-INTERVAL_HOURS = 1
-
-
-def create_periodic_task(apps, schema_editor):
-    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-
-    schedule, _ = IntervalSchedule.objects.get_or_create(
-        every=INTERVAL_HOURS,
-        period="hours",
-    )
-
-    PeriodicTask.objects.update_or_create(
-        name=TASK_NAME,
-        defaults={
-            "task": TASK_NAME,
-            "interval": schedule,
-            "enabled": True,
-        },
-    )
-
-
-def delete_periodic_task(apps, schema_editor):
-    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-
-    PeriodicTask.objects.filter(name=TASK_NAME).delete()
-
-    # Clean up the schedule if no other task references it
-    IntervalSchedule.objects.filter(
-        every=INTERVAL_HOURS,
-        period="hours",
-        periodictask__isnull=True,
-    ).delete()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0085_finding_group_daily_summary_trgm_indexes"),
-        ("django_celery_beat", "0019_alter_periodictasks_options"),
-    ]
-
-    operations = [
-        migrations.RunPython(create_periodic_task, delete_periodic_task),
-    ]

api/src/backend/api/migrations/0087_vercel_provider.py

@@ -1,40 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0086_attack_paths_cleanup_periodic_task"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                    ("vercel", "Vercel"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'vercel';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/migrations/0088_finding_group_status_muted_fields.py

@@ -1,95 +0,0 @@
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0087_vercel_provider"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="muted",
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_fail_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_pass_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="new_manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_fail_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_fail_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_pass_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_pass_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_manual_count",
-            field=models.IntegerField(default=0),
-        ),
-        migrations.AddField(
-            model_name="findinggroupdailysummary",
-            name="changed_manual_muted_count",
-            field=models.IntegerField(default=0),
-        ),
-    ]

api/src/backend/api/migrations/0089_backfill_finding_group_status_muted.py

@@ -1,31 +0,0 @@
-from django.db import migrations
-from tasks.tasks import backfill_finding_group_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Re-dispatch the finding-group backfill task for every tenant so the new
-    `manual_count` and `muted` columns added in 0088 get populated from the
-    last 10 days of completed scans.
-
-    The aggregator (`aggregate_finding_group_summaries`) recomputes every
-    column on each call, so it back-populates the new fields without touching
-    the existing ones beyond a normal upsert.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_finding_group_summaries_task.delay(tenant_id=str(tenant_id), days=10)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0088_finding_group_status_muted_fields"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]

api/src/backend/api/migrations/0090_attack_paths_cleanup_priority.py

@@ -1,23 +0,0 @@
-from django.db import migrations
-
-TASK_NAME = "attack-paths-cleanup-stale-scans"
-
-
-def set_cleanup_priority(apps, schema_editor):
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=0)
-
-
-def unset_cleanup_priority(apps, schema_editor):
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=None)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0089_backfill_finding_group_status_muted"),
-    ]
-
-    operations = [
-        migrations.RunPython(set_cleanup_priority, unset_cleanup_priority),
-    ]

api/src/backend/api/models.py

@@ -1,15 +1,14 @@
 import json
 import logging
 import re
+import xml.etree.ElementTree as ET
 from datetime import datetime, timedelta, timezone
 from uuid import UUID, uuid4
 
-import defusedxml
 from allauth.socialaccount.models import SocialApp
 from config.custom_logging import BackendLogger
 from config.settings.social_login import SOCIALACCOUNT_PROVIDERS
 from cryptography.fernet import Fernet, InvalidToken
-from defusedxml import ElementTree as ET
 from django.conf import settings
 from django.contrib.auth.models import AbstractBaseUser
 from django.contrib.postgres.fields import ArrayField
@@ -294,8 +293,6 @@ class Provider(RowLevelSecurityProtectedModel):
         CLOUDFLARE = "cloudflare", _("Cloudflare")
         OPENSTACK = "openstack", _("OpenStack")
         IMAGE = "image", _("Image")
-        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
-        VERCEL = "vercel", _("Vercel")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -345,15 +342,6 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
-    @staticmethod
-    def validate_googleworkspace_uid(value):
-        if not re.match(r"^C[0-9a-zA-Z]+$", value):
-            raise ModelValidationError(
-                detail="Google Workspace Customer ID must start with 'C' followed by one or more alphanumeric characters (e.g., C01234abc, C12345678).",
-                code="googleworkspace-uid",
-                pointer="/data/attributes/uid",
-            )
-
     @staticmethod
     def validate_kubernetes_uid(value):
         if not re.match(
@@ -439,15 +427,6 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
-    @staticmethod
-    def validate_vercel_uid(value):
-        if not re.match(r"^team_[a-zA-Z0-9]{16,32}$", value):
-            raise ModelValidationError(
-                detail="Vercel provider ID must be a valid Vercel Team ID (e.g., team_xxxxxxxxxxxxxxxxxxxxxxxx).",
-                code="vercel-uid",
-                pointer="/data/attributes/uid",
-            )
-
     @staticmethod
     def validate_image_uid(value):
         if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9._/:@-]{2,249}$", value):
@@ -595,40 +574,10 @@ class Scan(RowLevelSecurityProtectedModel):
     objects = ActiveProviderManager()
     all_objects = models.Manager()
 
-    _SCOPING_SCANNER_ARG_KEYS_CACHE: tuple[str, ...] | None = None
-
-    @classmethod
-    def get_scoping_scanner_arg_keys(cls) -> tuple[str, ...]:
-        """Return the scanner_args keys that mark a scan as scoped.
-
-        Derived from ``prowler.lib.scan.scan.Scan.__init__`` so the API stays
-        in sync with whatever the SDK actually accepts as filters. Cached at
-        class level — the signature is stable for the process lifetime.
-        """
-        if cls._SCOPING_SCANNER_ARG_KEYS_CACHE is None:
-            import inspect
-
-            from prowler.lib.scan.scan import Scan as ProwlerScan
-
-            params = inspect.signature(ProwlerScan.__init__).parameters
-            cls._SCOPING_SCANNER_ARG_KEYS_CACHE = tuple(
-                name for name in params if name not in ("self", "provider")
-            )
-        return cls._SCOPING_SCANNER_ARG_KEYS_CACHE
-
     class TriggerChoices(models.TextChoices):
         SCHEDULED = "scheduled", _("Scheduled")
         MANUAL = "manual", _("Manual")
 
-    # Trigger values for scans that ran the SDK end-to-end. Imported scans (or
-    # any future trigger) are intentionally NOT in this set — they may carry
-    # only a partial slice of resources, so post-scan logic that depends on a
-    # full-scope sweep (e.g. resetting ephemeral resource findings) must skip
-    # them by default.
-    LIVE_SCAN_TRIGGERS = frozenset(
-        (TriggerChoices.SCHEDULED.value, TriggerChoices.MANUAL.value)
-    )
-
     id = models.UUIDField(primary_key=True, default=uuid7, editable=False)
     name = models.CharField(
         blank=True, null=True, max_length=100, validators=[MinLengthValidator(3)]
@@ -711,24 +660,6 @@ class Scan(RowLevelSecurityProtectedModel):
     class JSONAPIMeta:
         resource_name = "scans"
 
-    def is_full_scope(self) -> bool:
-        """Return True if this scan ran with no scoping filters at all.
-
-        Used to gate post-scan operations (such as resetting the
-        failed_findings_count of resources missing from the scan) that are only
-        safe when the scan covered every check, service, and category. Imported
-        scans are NOT full-scope by definition — they may carry only a partial
-        slice of resources, so they're rejected via ``trigger`` even before the
-        scanner_args check.
-        """
-        if self.trigger not in self.LIVE_SCAN_TRIGGERS:
-            return False
-        scanner_args = self.scanner_args or {}
-        for key in self.get_scoping_scanner_arg_keys():
-            if scanner_args.get(key):
-                return False
-        return True
-
 
 class AttackPathsScan(RowLevelSecurityProtectedModel):
     objects = ActiveProviderManager()
@@ -1796,45 +1727,15 @@ class FindingGroupDailySummary(RowLevelSecurityProtectedModel):
     # Severity stored as integer for MAX aggregation (5=critical, 4=high, etc.)
     severity_order = models.SmallIntegerField(default=1)
 
-    # Finding counts (inclusive of muted findings; use the `muted` flag to
-    # tell whether the group has any actionable findings).
+    # Finding counts
     pass_count = models.IntegerField(default=0)
     fail_count = models.IntegerField(default=0)
-    manual_count = models.IntegerField(default=0)
     muted_count = models.IntegerField(default=0)
 
-    # Status counts restricted to muted findings, so clients can isolate the
-    # muted half of each status (e.g. `pass_count - pass_muted_count` gives the
-    # actionable PASS findings).
-    pass_muted_count = models.IntegerField(default=0)
-    fail_muted_count = models.IntegerField(default=0)
-    manual_muted_count = models.IntegerField(default=0)
-
-    # Whether every finding for this (provider, check, day) is muted.
-    muted = models.BooleanField(default=False)
-
-    # Delta counts (non-muted, kept for convenience and as a "total" view).
+    # Delta counts
     new_count = models.IntegerField(default=0)
     changed_count = models.IntegerField(default=0)
 
-    # Delta breakdown by (status, muted) so clients can answer questions like
-    # "how many new failing findings appeared in this scan?" without scanning
-    # the underlying findings table. Mirrors the existing pass/fail/manual
-    # naming, with `_muted_count` siblings tracking the muted half of each
-    # bucket explicitly.
-    new_fail_count = models.IntegerField(default=0)
-    new_fail_muted_count = models.IntegerField(default=0)
-    new_pass_count = models.IntegerField(default=0)
-    new_pass_muted_count = models.IntegerField(default=0)
-    new_manual_count = models.IntegerField(default=0)
-    new_manual_muted_count = models.IntegerField(default=0)
-    changed_fail_count = models.IntegerField(default=0)
-    changed_fail_muted_count = models.IntegerField(default=0)
-    changed_pass_count = models.IntegerField(default=0)
-    changed_pass_muted_count = models.IntegerField(default=0)
-    changed_manual_count = models.IntegerField(default=0)
-    changed_manual_muted_count = models.IntegerField(default=0)
-
     # Resource counts
     resources_fail = models.IntegerField(default=0)
     resources_total = models.IntegerField(default=0)
@@ -1872,15 +1773,6 @@ class FindingGroupDailySummary(RowLevelSecurityProtectedModel):
                 fields=["tenant_id", "provider", "inserted_at"],
                 name="fgds_tenant_prov_ins_idx",
             ),
-            # Trigram indexes for case-insensitive search
-            GinIndex(
-                OpClass(Upper("check_id"), name="gin_trgm_ops"),
-                name="fgds_check_id_trgm_idx",
-            ),
-            GinIndex(
-                OpClass(Upper("check_title"), name="gin_trgm_ops"),
-                name="fgds_check_title_trgm_idx",
-            ),
         ]
 
     class JSONAPIMeta:
@@ -2156,8 +2048,6 @@ class SAMLConfiguration(RowLevelSecurityProtectedModel):
             root = ET.fromstring(self.metadata_xml)
         except ET.ParseError as e:
             raise ValidationError({"metadata_xml": f"Invalid XML: {e}"})
-        except defusedxml.DefusedXmlException as e:
-            raise ValidationError({"metadata_xml": f"Unsafe XML content rejected: {e}"})
 
         # Entity ID
         entity_id = root.attrib.get("entityID")

api/src/backend/api/rbac/permissions.py

@@ -1,7 +1,7 @@
 from enum import Enum
+from typing import Optional
 
 from django.db.models import QuerySet
-from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import BasePermission
 
 from api.db_router import MainRouter
@@ -29,17 +29,8 @@ class HasPermissions(BasePermission):
         if not required_permissions:
             return True
 
-        tenant_id = getattr(request, "tenant_id", None)
-        if not tenant_id:
-            tenant_id = request.auth.get("tenant_id") if request.auth else None
-        if not tenant_id:
-            return False
-
         user_roles = (
-            User.objects.using(MainRouter.admin_db)
-            .get(id=request.user.id)
-            .roles.using(MainRouter.admin_db)
-            .filter(tenant_id=tenant_id)
+            User.objects.using(MainRouter.admin_db).get(id=request.user.id).roles.all()
         )
         if not user_roles:
             return False
@@ -51,17 +42,14 @@ class HasPermissions(BasePermission):
         return True
 
 
-def get_role(user: User, tenant_id: str) -> Role:
+def get_role(user: User) -> Optional[Role]:
     """
-    Retrieve the role assigned to the given user in the specified tenant.
+    Retrieve the first role assigned to the given user.
 
-    Raises:
-        PermissionDenied: If the user has no role in the given tenant.
+    Returns:
+        The user's first Role instance if the user has any roles, otherwise None.
     """
-    role = user.roles.using(MainRouter.admin_db).filter(tenant_id=tenant_id).first()
-    if role is None:
-        raise PermissionDenied("User has no role in this tenant.")
-    return role
+    return user.roles.first()
 
 
 def get_providers(role: Role) -> QuerySet[Provider]:

api/src/backend/api/signals.py

@@ -61,7 +61,7 @@ def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
     in that tenant should be revoked to prevent further access.
     """
     TenantAPIKey.objects.filter(
-        entity_id=instance.user_id, tenant_id=instance.tenant_id
+        entity=instance.user, tenant_id=instance.tenant.id
     ).update(revoked=True)
 
 

api/src/backend/api/tests/integration/test_authentication.py

@@ -215,21 +215,6 @@ class TestTokenSwitchTenant:
         tenant_id = tenants_fixture[0].id
         user_instance = User.objects.get(email=test_user)
         Membership.objects.create(user=user_instance, tenant_id=tenant_id)
-        # Assign an admin role in the target tenant so the user can access resources
-        target_role = Role.objects.create(
-            name="admin",
-            tenant_id=tenant_id,
-            manage_users=True,
-            manage_account=True,
-            manage_billing=True,
-            manage_providers=True,
-            manage_integrations=True,
-            manage_scans=True,
-            unlimited_visibility=True,
-        )
-        UserRoleRelationship.objects.create(
-            user=user_instance, role=target_role, tenant_id=tenant_id
-        )
 
         # Check that using our new user's credentials we can authenticate and get the providers
         access_token, _ = get_api_tokens(client, test_user, test_password)
@@ -316,7 +301,7 @@ class TestTokenSwitchTenant:
         assert invalid_tenant_response.status_code == 400
         assert invalid_tenant_response.json()["errors"][0]["code"] == "invalid"
         assert invalid_tenant_response.json()["errors"][0]["detail"] == (
-            "Tenant does not exist or user is not a member."
+            "Tenant does not exist or user is not a " "member."
         )
 
 
@@ -927,9 +912,10 @@ class TestAPIKeyLifecycle:
         auth_response = client.get(reverse("provider-list"), headers=api_key_headers)
 
         # Must return 401 Unauthorized, not 500 Internal Server Error
-        assert (
-            auth_response.status_code == 401
-        ), f"Expected 401 but got {auth_response.status_code}: {auth_response.json()}"
+        assert auth_response.status_code == 401, (
+            f"Expected 401 but got {auth_response.status_code}: "
+            f"{auth_response.json()}"
+        )
 
         # Verify error message is present
         response_json = auth_response.json()

api/src/backend/api/tests/test_apps.py

@@ -10,11 +10,11 @@ from django.conf import settings
 import api
 import api.apps as api_apps_module
 from api.apps import (
+    ApiConfig,
     PRIVATE_KEY_FILE,
     PUBLIC_KEY_FILE,
     SIGNING_KEY_ENV,
     VERIFYING_KEY_ENV,
-    ApiConfig,
 )
 
 
@@ -187,10 +187,9 @@ def test_ready_initializes_driver_for_api_process(monkeypatch):
     _set_argv(monkeypatch, ["gunicorn"])
     _set_testing(monkeypatch, False)
 
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
+    with patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None), patch(
+        "api.attack_paths.database.init_driver"
+    ) as init_driver:
         config.ready()
 
     init_driver.assert_called_once()
@@ -201,10 +200,9 @@ def test_ready_skips_driver_for_celery(monkeypatch):
     _set_argv(monkeypatch, ["celery", "-A", "api"])
     _set_testing(monkeypatch, False)
 
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
+    with patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None), patch(
+        "api.attack_paths.database.init_driver"
+    ) as init_driver:
         config.ready()
 
     init_driver.assert_not_called()
@@ -215,10 +213,9 @@ def test_ready_skips_driver_for_manage_py_skip_command(monkeypatch):
     _set_argv(monkeypatch, ["manage.py", "migrate"])
     _set_testing(monkeypatch, False)
 
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
+    with patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None), patch(
+        "api.attack_paths.database.init_driver"
+    ) as init_driver:
         config.ready()
 
     init_driver.assert_not_called()
@@ -229,10 +226,9 @@ def test_ready_skips_driver_when_testing(monkeypatch):
     _set_argv(monkeypatch, ["gunicorn"])
     _set_testing(monkeypatch, True)
 
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
+    with patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None), patch(
+        "api.attack_paths.database.init_driver"
+    ) as init_driver:
         config.ready()
 
     init_driver.assert_not_called()

api/src/backend/api/tests/test_attack_paths.py

@@ -9,10 +9,6 @@ from rest_framework.exceptions import APIException, PermissionDenied, Validation
 
 from api.attack_paths import database as graph_database
 from api.attack_paths import views_helpers
-from tasks.jobs.attack_paths.config import (
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    get_provider_label,
-)
 
 
 def _make_neo4j_error(message, code):
@@ -53,7 +49,7 @@ def test_prepare_parameters_includes_provider_and_casts(
     )
 
     assert result["provider_uid"] == "123456789012"
-    assert "provider_id" not in result
+    assert result["provider_id"] == "test-provider-id"
     assert result["limit"] == 5
 
 
@@ -107,12 +103,12 @@ def test_execute_query_serializes_graph(
     parameters = {"provider_uid": "123"}
 
     provider_id = "test-provider-123"
-    plabel = get_provider_label(provider_id)
     node = attack_paths_graph_stub_classes.Node(
         element_id="node-1",
-        labels=["AWSAccount", plabel],
+        labels=["AWSAccount"],
         properties={
             "name": "account",
+            "provider_id": provider_id,
             "complex": {
                 "items": [
                     attack_paths_graph_stub_classes.NativeValue("value"),
@@ -121,13 +117,15 @@ def test_execute_query_serializes_graph(
             },
         },
     )
-    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
+    node_2 = attack_paths_graph_stub_classes.Node(
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
+    )
     relationship = attack_paths_graph_stub_classes.Relationship(
         element_id="rel-1",
         rel_type="OWNS",
         start_node=node,
         end_node=node_2,
-        properties={"weight": 1},
+        properties={"weight": 1, "provider_id": provider_id},
     )
     graph = SimpleNamespace(nodes=[node, node_2], relationships=[relationship])
 
@@ -211,27 +209,29 @@ def test_execute_query_raises_permission_denied_on_read_only(
             )
 
 
-def test_serialize_graph_filters_by_provider_label(attack_paths_graph_stub_classes):
+def test_serialize_graph_filters_by_provider_id(attack_paths_graph_stub_classes):
     provider_id = "provider-keep"
-    plabel = get_provider_label(provider_id)
-    other_label = get_provider_label("provider-other")
 
-    node_keep = attack_paths_graph_stub_classes.Node("n1", ["AWSAccount", plabel], {})
+    node_keep = attack_paths_graph_stub_classes.Node(
+        "n1", ["AWSAccount"], {"provider_id": provider_id}
+    )
     node_drop = attack_paths_graph_stub_classes.Node(
-        "n2", ["AWSAccount", other_label], {}
+        "n2", ["AWSAccount"], {"provider_id": "provider-other"}
     )
 
     rel_keep = attack_paths_graph_stub_classes.Relationship(
-        "r1", "OWNS", node_keep, node_keep, {}
+        "r1", "OWNS", node_keep, node_keep, {"provider_id": provider_id}
+    )
+    rel_drop_by_provider = attack_paths_graph_stub_classes.Relationship(
+        "r2", "OWNS", node_keep, node_drop, {"provider_id": "provider-other"}
     )
-    # Relationship connecting a kept node to a dropped node — filtered by endpoint check
     rel_drop_orphaned = attack_paths_graph_stub_classes.Relationship(
-        "r2", "OWNS", node_keep, node_drop, {}
+        "r3", "OWNS", node_keep, node_drop, {"provider_id": provider_id}
     )
 
     graph = SimpleNamespace(
         nodes=[node_keep, node_drop],
-        relationships=[rel_keep, rel_drop_orphaned],
+        relationships=[rel_keep, rel_drop_by_provider, rel_drop_orphaned],
     )
 
     result = views_helpers._serialize_graph(graph, provider_id)
@@ -350,7 +350,10 @@ def test_serialize_properties_filters_internal_fields():
         "_module_name": "cartography:aws",
         "_module_version": "0.98.0",
         # Provider isolation
-        PROVIDER_ELEMENT_ID_PROPERTY: "42:abc123",
+        "_provider_id": "42",
+        "_provider_element_id": "42:abc123",
+        "provider_id": "42",
+        "provider_element_id": "42:abc123",
     }
 
     result = views_helpers._serialize_properties(properties)
@@ -358,14 +361,6 @@ def test_serialize_properties_filters_internal_fields():
     assert result == {"name": "prod"}
 
 
-def test_filter_labels_strips_dynamic_isolation_labels():
-    labels = ["AWSRole", "_Tenant_abc123", "_Provider_def456", "_ProviderResource"]
-
-    result = views_helpers._filter_labels(labels)
-
-    assert result == ["AWSRole"]
-
-
 def test_serialize_graph_as_text_node_without_properties():
     graph = {
         "nodes": [{"id": "n1", "labels": ["AWSAccount"], "properties": {}}],
@@ -444,11 +439,14 @@ def test_execute_custom_query_serializes_graph(
     attack_paths_graph_stub_classes,
 ):
     provider_id = "test-provider-123"
-    plabel = get_provider_label(provider_id)
-    node_1 = attack_paths_graph_stub_classes.Node("node-1", ["AWSAccount", plabel], {})
-    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
+    node_1 = attack_paths_graph_stub_classes.Node(
+        "node-1", ["AWSAccount"], {"provider_id": provider_id}
+    )
+    node_2 = attack_paths_graph_stub_classes.Node(
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
+    )
     relationship = attack_paths_graph_stub_classes.Relationship(
-        "rel-1", "OWNS", node_1, node_2, {}
+        "rel-1", "OWNS", node_1, node_2, {"provider_id": provider_id}
     )
 
     graph_result = MagicMock()
@@ -463,11 +461,10 @@ def test_execute_custom_query_serializes_graph(
             "db-tenant-test", "MATCH (n) RETURN n", provider_id
         )
 
-    mock_execute.assert_called_once()
-    call_kwargs = mock_execute.call_args[1]
-    assert call_kwargs["database"] == "db-tenant-test"
-    # The cypher is rewritten with the provider label injection
-    assert plabel in call_kwargs["cypher"]
+    mock_execute.assert_called_once_with(
+        database="db-tenant-test",
+        cypher="MATCH (n) RETURN n",
+    )
     assert len(result["nodes"]) == 2
     assert result["relationships"][0]["label"] == "OWNS"
     assert result["truncated"] is False

api/src/backend/api/tests/test_attack_paths_database.py

@@ -12,8 +12,6 @@ from unittest.mock import MagicMock, patch
 import neo4j
 import pytest
 
-import api.attack_paths.database as db_module
-
 
 class TestLazyInitialization:
     """Test that Neo4j driver is initialized lazily on first use."""
@@ -21,6 +19,8 @@ class TestLazyInitialization:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -31,6 +31,8 @@ class TestLazyInitialization:
 
     def test_driver_not_initialized_at_import(self):
         """Driver should be None after module import (no eager connection)."""
+        import api.attack_paths.database as db_module
+
         assert db_module._driver is None
 
     @patch("api.attack_paths.database.settings")
@@ -39,6 +41,8 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """init_driver() should create connection only when called."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -65,6 +69,8 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """Subsequent calls should return cached driver without reconnecting."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -93,6 +99,8 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """get_driver() should use init_driver() for lazy initialization."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -110,50 +118,14 @@ class TestLazyInitialization:
         mock_driver_factory.assert_called_once()
 
 
-class TestConnectionAcquisitionTimeout:
-    """Test that the connection acquisition timeout is configurable."""
-
-    @pytest.fixture(autouse=True)
-    def reset_module_state(self):
-        original_driver = db_module._driver
-        original_timeout = db_module.CONN_ACQUISITION_TIMEOUT
-
-        db_module._driver = None
-
-        yield
-
-        db_module._driver = original_driver
-        db_module.CONN_ACQUISITION_TIMEOUT = original_timeout
-
-    @patch("api.attack_paths.database.settings")
-    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
-    def test_driver_receives_configured_timeout(
-        self, mock_driver_factory, mock_settings
-    ):
-        """init_driver() should pass CONN_ACQUISITION_TIMEOUT to the neo4j driver."""
-        mock_driver_factory.return_value = MagicMock()
-        mock_settings.DATABASES = {
-            "neo4j": {
-                "HOST": "localhost",
-                "PORT": 7687,
-                "USER": "neo4j",
-                "PASSWORD": "password",
-            }
-        }
-        db_module.CONN_ACQUISITION_TIMEOUT = 42
-
-        db_module.init_driver()
-
-        _, kwargs = mock_driver_factory.call_args
-        assert kwargs["connection_acquisition_timeout"] == 42
-
-
 class TestAtexitRegistration:
     """Test that atexit cleanup handler is registered correctly."""
 
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -169,6 +141,8 @@ class TestAtexitRegistration:
         self, mock_driver_factory, mock_atexit_register, mock_settings
     ):
         """atexit.register should be called on first initialization."""
+        import api.attack_paths.database as db_module
+
         mock_driver_factory.return_value = MagicMock()
         mock_settings.DATABASES = {
             "neo4j": {
@@ -194,6 +168,8 @@ class TestAtexitRegistration:
         The double-checked locking on _driver ensures the atexit registration
         block only executes once (when _driver is first created).
         """
+        import api.attack_paths.database as db_module
+
         mock_driver_factory.return_value = MagicMock()
         mock_settings.DATABASES = {
             "neo4j": {
@@ -218,6 +194,8 @@ class TestCloseDriver:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -228,6 +206,8 @@ class TestCloseDriver:
 
     def test_close_driver_closes_and_clears_driver(self):
         """close_driver() should close the driver and set it to None."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         db_module._driver = mock_driver
 
@@ -238,6 +218,8 @@ class TestCloseDriver:
 
     def test_close_driver_handles_none_driver(self):
         """close_driver() should handle case where driver is None."""
+        import api.attack_paths.database as db_module
+
         db_module._driver = None
 
         # Should not raise
@@ -247,6 +229,8 @@ class TestCloseDriver:
 
     def test_close_driver_clears_driver_even_on_close_error(self):
         """Driver should be cleared even if close() raises an exception."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         mock_driver.close.side_effect = Exception("Connection error")
         db_module._driver = mock_driver
@@ -262,6 +246,8 @@ class TestExecuteReadQuery:
     """Test read query execution helper."""
 
     def test_execute_read_query_calls_read_session_and_returns_result(self):
+        import api.attack_paths.database as db_module
+
         tx = MagicMock()
         expected_graph = MagicMock()
         run_result = MagicMock()
@@ -303,6 +289,8 @@ class TestExecuteReadQuery:
         assert result is expected_graph
 
     def test_execute_read_query_defaults_parameters_to_empty_dict(self):
+        import api.attack_paths.database as db_module
+
         tx = MagicMock()
         run_result = MagicMock()
         run_result.graph.return_value = MagicMock()
@@ -337,6 +325,8 @@ class TestGetSessionReadOnly:
 
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
+        import api.attack_paths.database as db_module
+
         original_driver = db_module._driver
         db_module._driver = None
         yield
@@ -351,6 +341,8 @@ class TestGetSessionReadOnly:
     )
     def test_get_session_raises_write_query_not_allowed(self, neo4j_code):
         """Read-mode Neo4j errors should raise `WriteQueryNotAllowedException`."""
+        import api.attack_paths.database as db_module
+
         mock_session = MagicMock()
         neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
             code=neo4j_code,
@@ -370,6 +362,8 @@ class TestGetSessionReadOnly:
 
     def test_get_session_raises_generic_exception_for_other_errors(self):
         """Non-read-mode Neo4j errors should raise GraphDatabaseQueryException."""
+        import api.attack_paths.database as db_module
+
         mock_session = MagicMock()
         neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
             code="Neo.ClientError.Statement.SyntaxError",
@@ -394,6 +388,8 @@ class TestThreadSafety:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -408,6 +404,8 @@ class TestThreadSafety:
         self, mock_driver_factory, mock_settings
     ):
         """Multiple threads calling init_driver() should create only one driver."""
+        import api.attack_paths.database as db_module
+
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -444,70 +442,3 @@ class TestThreadSafety:
         # All threads got the same driver instance
         assert all(r is mock_driver for r in results)
         assert len(results) == 10
-
-
-class TestHasProviderData:
-    """Test has_provider_data helper for checking provider nodes in Neo4j."""
-
-    def test_returns_true_when_nodes_exist(self):
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = MagicMock()  # non-None record
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is True
-
-        mock_session.run.assert_called_once()
-
-    def test_returns_false_when_no_nodes(self):
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = None
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is False
-
-    def test_returns_false_when_database_not_found(self):
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Database does not exist",
-            code="Neo.ClientError.Database.DatabaseNotFound",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert (
-                db_module.has_provider_data("db-tenant-gone", "provider-123") is False
-            )
-
-    def test_raises_on_other_errors(self):
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Connection refused",
-            code="Neo.TransientError.General.UnknownError",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            with pytest.raises(db_module.GraphDatabaseQueryException):
-                db_module.has_provider_data("db-tenant-abc", "provider-123")

api/src/backend/api/tests/test_celery_settings.py

@@ -1,43 +0,0 @@
-import pytest
-from config.settings.celery import _build_celery_broker_url
-
-
-class TestBuildCeleryBrokerUrl:
-    def test_without_credentials(self):
-        broker_url = _build_celery_broker_url("redis", "", "", "valkey", "6379", "0")
-
-        assert broker_url == "redis://valkey:6379/0"
-
-    def test_with_password_only(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "", "secret", "cache.example.com", "6379", "0"
-        )
-
-        assert broker_url == "rediss://:secret@cache.example.com:6379/0"
-
-    def test_with_username_and_password(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "default", "secret", "cache.example.com", "6379", "0"
-        )
-
-        assert broker_url == "rediss://default:secret@cache.example.com:6379/0"
-
-    def test_with_username_only(self):
-        broker_url = _build_celery_broker_url(
-            "redis", "admin", "", "valkey", "6379", "0"
-        )
-
-        assert broker_url == "redis://admin@valkey:6379/0"
-
-    def test_url_encodes_credentials(self):
-        broker_url = _build_celery_broker_url(
-            "rediss", "user@name", "p@ss:word", "cache.example.com", "6379", "0"
-        )
-
-        assert (
-            broker_url == "rediss://user%40name:p%40ss%3Aword@cache.example.com:6379/0"
-        )
-
-    def test_invalid_scheme_raises_error(self):
-        with pytest.raises(ValueError, match="Invalid VALKEY_SCHEME 'http'"):
-            _build_celery_broker_url("http", "", "", "valkey", "6379", "0")

api/src/backend/api/tests/test_compliance.py

@@ -1,18 +1,13 @@
 from unittest.mock import MagicMock, patch
 
-import pytest
-
-from api import compliance as compliance_module
 from api.compliance import (
     generate_compliance_overview_template,
     generate_scan_compliance,
-    get_compliance_frameworks,
     get_prowler_provider_checks,
     get_prowler_provider_compliance,
     load_prowler_checks,
 )
 from api.models import Provider
-from prowler.lib.check.compliance_models import Compliance
 
 
 class TestCompliance:
@@ -255,58 +250,3 @@ class TestCompliance:
         }
 
         assert template == expected_template
-
-
-@pytest.fixture
-def reset_compliance_cache():
-    """Reset the module-level cache so each test starts cold."""
-    previous = dict(compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS)
-    compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
-    try:
-        yield
-    finally:
-        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
-        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.update(previous)
-
-
-class TestGetComplianceFrameworks:
-    def test_returns_keys_from_compliance_get_bulk(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {
-                "cis_1.4_aws": MagicMock(),
-                "mitre_attack_aws": MagicMock(),
-            }
-            result = get_compliance_frameworks(Provider.ProviderChoices.AWS)
-
-        assert sorted(result) == ["cis_1.4_aws", "mitre_attack_aws"]
-        mock_compliance.get_bulk.assert_called_once_with(Provider.ProviderChoices.AWS)
-
-    def test_caches_result_per_provider(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
-            get_compliance_frameworks(Provider.ProviderChoices.AWS)
-            get_compliance_frameworks(Provider.ProviderChoices.AWS)
-
-        # Cached after first call.
-        assert mock_compliance.get_bulk.call_count == 1
-
-    @pytest.mark.parametrize(
-        "provider_type",
-        [choice.value for choice in Provider.ProviderChoices],
-    )
-    def test_listing_is_subset_of_bulk(self, reset_compliance_cache, provider_type):
-        """Regression for CLOUD-API-40S: every name returned by
-        ``get_compliance_frameworks`` must be loadable via ``Compliance.get_bulk``.
-
-        A divergence here is what produced ``KeyError: 'csa_ccm_4.0'`` in
-        ``generate_outputs_task`` after universal/multi-provider compliance
-        JSONs were introduced at the top-level ``prowler/compliance/`` path.
-        """
-        bulk_keys = set(Compliance.get_bulk(provider_type).keys())
-        listed = set(get_compliance_frameworks(provider_type))
-
-        missing = listed - bulk_keys
-        assert not missing, (
-            f"get_compliance_frameworks({provider_type!r}) returned names not "
-            f"loadable by Compliance.get_bulk: {sorted(missing)}"
-        )

api/src/backend/api/tests/test_cypher_sanitizer.py

@@ -1,429 +0,0 @@
-"""Unit tests for the Cypher sanitizer (validation + provider-label injection)."""
-
-from unittest.mock import patch
-
-import pytest
-
-from rest_framework.exceptions import ValidationError
-
-from api.attack_paths.cypher_sanitizer import (
-    inject_provider_label,
-    validate_custom_query,
-)
-
-PROVIDER_ID = "019c41ee-7df3-7dec-a684-d839f95619f8"
-LABEL = "_Provider_019c41ee7df37deca684d839f95619f8"
-
-
-def _inject(cypher: str) -> str:
-    """Shortcut that patches `get_provider_label` to avoid config imports."""
-    with patch(
-        "api.attack_paths.cypher_sanitizer.get_provider_label", return_value=LABEL
-    ):
-        return inject_provider_label(cypher, PROVIDER_ID)
-
-
-# ---------------------------------------------------------------------------
-# Pass A - Labeled node patterns (all clauses)
-# ---------------------------------------------------------------------------
-
-
-class TestLabeledNodes:
-    def test_single_label(self):
-        result = _inject("MATCH (n:AWSRole) RETURN n")
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_label_with_properties(self):
-        result = _inject("MATCH (n:AWSRole {name: 'admin'}) RETURN n")
-        assert f"(n:AWSRole:{LABEL} {{name: 'admin'}})" in result
-
-    def test_multiple_labels(self):
-        result = _inject("MATCH (n:AWSRole:AWSPrincipal) RETURN n")
-        assert f"(n:AWSRole:AWSPrincipal:{LABEL})" in result
-
-    def test_anonymous_labeled(self):
-        result = _inject(
-            "MATCH (:AWSPrincipal {arn: 'ecs-tasks.amazonaws.com'}) RETURN 1"
-        )
-        assert f"(:AWSPrincipal:{LABEL} {{arn: 'ecs-tasks.amazonaws.com'}})" in result
-
-    def test_backtick_label(self):
-        result = _inject("MATCH (n:`My Label`) RETURN n")
-        assert f"(n:`My Label`:{LABEL})" in result
-
-    def test_labeled_in_where_clause(self):
-        """Labeled nodes in WHERE (pattern existence) still get the label."""
-        result = _inject(
-            "MATCH (n:AWSRole) WHERE EXISTS((n)-[:REL]->(:Target)) RETURN n"
-        )
-        assert f"(n:AWSRole:{LABEL})" in result
-        assert f"(:Target:{LABEL})" in result
-
-    def test_labeled_in_return_clause(self):
-        """Labeled nodes in RETURN still get the label (they're always node patterns)."""
-        result = _inject("MATCH (n:AWSRole) RETURN (n:AWSRole)")
-        assert result.count(f":AWSRole:{LABEL}") == 2
-
-    def test_labeled_in_optional_match(self):
-        result = _inject(
-            "OPTIONAL MATCH (pf:ProwlerFinding {status: 'FAIL'}) RETURN pf"
-        )
-        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
-
-
-# ---------------------------------------------------------------------------
-# Pass B - Bare node patterns (MATCH/OPTIONAL MATCH only)
-# ---------------------------------------------------------------------------
-
-
-class TestBareNodes:
-    def test_bare_in_match(self):
-        result = _inject("MATCH (a)-[:HAS_POLICY]->(b) RETURN a, b")
-        assert f"(a:{LABEL})" in result
-        assert f"(b:{LABEL})" in result
-
-    def test_bare_with_properties_in_match(self):
-        result = _inject("MATCH (n {name: 'x'}) RETURN n")
-        assert f"(n:{LABEL} {{name: 'x'}})" in result
-
-    def test_bare_in_optional_match(self):
-        result = _inject("OPTIONAL MATCH (n)-[r]-(m) RETURN n")
-        assert f"(n:{LABEL})" in result
-        assert f"(m:{LABEL})" in result
-
-    def test_bare_not_injected_in_return(self):
-        """Bare (identifier) in RETURN could be expression grouping."""
-        cypher = "MATCH (n:AWSRole) RETURN (n)"
-        result = _inject(cypher)
-        # The labeled (n:AWSRole) gets the label, but the bare (n) in RETURN should not
-        assert f"(n:AWSRole:{LABEL})" in result
-        # Count how many times the label appears - should be 1 (from MATCH only)
-        assert result.count(LABEL) == 1
-
-    def test_bare_not_injected_in_where(self):
-        cypher = "MATCH (n:AWSRole) WHERE (n.x > 1) RETURN n"
-        result = _inject(cypher)
-        # (n.x > 1) is an expression group, not a node pattern - should be untouched
-        assert "(n.x > 1)" in result
-
-    def test_bare_not_injected_in_with(self):
-        cypher = "MATCH (n:AWSRole) WITH (n) RETURN n"
-        result = _inject(cypher)
-        assert result.count(LABEL) == 1
-
-    def test_bare_not_injected_in_unwind(self):
-        cypher = "UNWIND nodes(path) as n OPTIONAL MATCH (n)-[r]-(m) RETURN n"
-        result = _inject(cypher)
-        # (n) and (m) in OPTIONAL MATCH get injected, but nodes(path) in UNWIND does not
-        assert f"(n:{LABEL})" in result
-        assert f"(m:{LABEL})" in result
-
-
-# ---------------------------------------------------------------------------
-# Function call exclusion
-# ---------------------------------------------------------------------------
-
-
-class TestFunctionCallExclusion:
-    @pytest.mark.parametrize(
-        "func_call",
-        [
-            "collect(DISTINCT pf)",
-            "any(x IN stmt.action WHERE toLower(x) = 'iam:*')",
-            "toLower(action)",
-            "nodes(path)",
-            "count(n)",
-            "apoc.create.vNode(labels)",
-            "EXISTS(n.prop)",
-            "size(n.list)",
-        ],
-    )
-    def test_function_calls_not_injected(self, func_call):
-        cypher = f"MATCH (n:AWSRole) WHERE {func_call} RETURN n"
-        result = _inject(cypher)
-        # The function call should remain unchanged
-        assert func_call in result
-        # Only the MATCH labeled node should get the label
-        assert result.count(LABEL) == 1
-
-
-# ---------------------------------------------------------------------------
-# String and comment protection
-# ---------------------------------------------------------------------------
-
-
-class TestProtection:
-    def test_string_with_fake_node_pattern(self):
-        cypher = "MATCH (n:AWSRole) WHERE n.name = '(fake:Label)' RETURN n"
-        result = _inject(cypher)
-        assert "'(fake:Label)'" in result
-        assert result.count(LABEL) == 1
-
-    def test_double_quoted_string(self):
-        cypher = 'MATCH (n:AWSRole) WHERE n.name = "(fake:Label)" RETURN n'
-        result = _inject(cypher)
-        assert '"(fake:Label)"' in result
-        assert result.count(LABEL) == 1
-
-    def test_line_comment_with_node_pattern(self):
-        cypher = "// (n:Fake)\nMATCH (n:AWSRole) RETURN n"
-        result = _inject(cypher)
-        assert "// (n:Fake)" in result
-        assert result.count(LABEL) == 1
-
-    def test_string_containing_double_slash(self):
-        """Strings with // inside should be consumed as strings, not comments."""
-        cypher = "MATCH (n:AWSRole {url: 'https://example.com'}) RETURN n"
-        result = _inject(cypher)
-        assert "'https://example.com'" in result
-        assert f"(n:AWSRole:{LABEL}" in result
-
-    def test_escaped_quotes_in_string(self):
-        cypher = r"MATCH (n:AWSRole) WHERE n.name = 'it\'s a test' RETURN n"
-        result = _inject(cypher)
-        assert result.count(LABEL) == 1
-
-
-# ---------------------------------------------------------------------------
-# Clause splitting
-# ---------------------------------------------------------------------------
-
-
-class TestClauseSplitting:
-    def test_case_insensitive_keywords(self):
-        cypher = "match (n:AWSRole) where n.x = 1 return n"
-        result = _inject(cypher)
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_optional_match_with_extra_whitespace(self):
-        cypher = "OPTIONAL   MATCH (n:AWSRole) RETURN n"
-        result = _inject(cypher)
-        assert f"(n:AWSRole:{LABEL})" in result
-
-    def test_multiple_match_clauses(self):
-        cypher = (
-            "MATCH (a:AWSAccount)--(b:AWSRole) "
-            "MATCH (b)--(c:AWSPolicy) "
-            "RETURN a, b, c"
-        )
-        result = _inject(cypher)
-        assert f"(a:AWSAccount:{LABEL})" in result
-        assert f"(b:AWSRole:{LABEL})" in result
-        assert f"(c:AWSPolicy:{LABEL})" in result
-        # (b) in second MATCH is bare and gets injected
-        assert result.count(LABEL) == 4  # a, b (labeled), b (bare in 2nd MATCH), c
-
-
-# ---------------------------------------------------------------------------
-# Real-world query patterns from aws.py
-# ---------------------------------------------------------------------------
-
-
-class TestRealWorldQueries:
-    def test_basic_resource_query(self):
-        cypher = (
-            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(rds:RDSInstance)\n"
-            "UNWIND nodes(path) as n\n"
-            "OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding {status: 'FAIL'})\n"
-            "RETURN path, collect(DISTINCT pf) as dpf"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL} {{id: $provider_uid}})" in result
-        assert f"(rds:RDSInstance:{LABEL})" in result
-        assert f"(n:{LABEL})" in result
-        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
-        assert "nodes(path)" in result  # function call untouched
-        assert "collect(DISTINCT pf)" in result  # function call untouched
-
-    def test_privilege_escalation_query(self):
-        cypher = (
-            "MATCH path_principal = (aws:AWSAccount {id: $uid})"
-            "--(principal:AWSPrincipal)--(pol:AWSPolicy)\n"
-            "WHERE pol.effect = 'Allow'\n"
-            "MATCH (principal)--(cfn_policy:AWSPolicy)"
-            "--(stmt_cfn:AWSPolicyStatement)\n"
-            "WHERE any(action IN stmt_cfn.action WHERE toLower(action) = 'iam:passrole')\n"
-            "MATCH path_target = (aws)--(target_role:AWSRole)"
-            "-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {arn: 'cloudformation.amazonaws.com'})\n"
-            "RETURN path_principal, path_target"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL} {{id: $uid}})" in result
-        assert f"(principal:AWSPrincipal:{LABEL})" in result
-        assert f"(pol:AWSPolicy:{LABEL})" in result
-        assert f"(principal:{LABEL})" in result  # bare in 2nd MATCH
-        assert f"(cfn_policy:AWSPolicy:{LABEL})" in result
-        assert f"(stmt_cfn:AWSPolicyStatement:{LABEL})" in result
-        assert f"(aws:{LABEL})" in result  # bare in 3rd MATCH
-        assert f"(target_role:AWSRole:{LABEL})" in result
-        assert (
-            f"(:AWSPrincipal:{LABEL} {{arn: 'cloudformation.amazonaws.com'}})" in result
-        )
-        # Function calls in WHERE untouched
-        assert "any(action IN" in result
-        assert "toLower(action)" in result
-
-    def test_custom_bare_query(self):
-        cypher = (
-            "MATCH (a)-[:HAS_POLICY]->(b)\n"
-            "WHERE a.name CONTAINS 'admin'\n"
-            "RETURN a, b"
-        )
-        result = _inject(cypher)
-        assert f"(a:{LABEL})" in result
-        assert f"(b:{LABEL})" in result
-        assert result.count(LABEL) == 2
-
-    def test_internet_via_path_connectivity(self):
-        """Post-refactor pattern: Internet reached via CAN_ACCESS, not standalone."""
-        cypher = (
-            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(ec2:EC2Instance)\n"
-            "WHERE ec2.exposed_internet = true\n"
-            "OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)\n"
-            "RETURN path, internet, can_access"
-        )
-        result = _inject(cypher)
-        assert f"(aws:AWSAccount:{LABEL}" in result
-        assert f"(ec2:EC2Instance:{LABEL})" in result
-        assert f"(internet:Internet:{LABEL})" in result
-        # ec2 in OPTIONAL MATCH is bare, but already labeled via Pass A won't match it
-        # because it has no label. It IS bare, so Pass B injects.
-        assert f"(ec2:{LABEL})" in result
-
-
-# ---------------------------------------------------------------------------
-# Edge cases
-# ---------------------------------------------------------------------------
-
-
-class TestEdgeCases:
-    def test_empty_query(self):
-        assert _inject("") == ""
-
-    def test_no_node_patterns(self):
-        cypher = "RETURN 1 + 2"
-        assert _inject(cypher) == cypher
-
-    def test_anonymous_empty_parens_not_injected(self):
-        """Empty () in MATCH is extremely rare but should not be injected."""
-        cypher = "MATCH ()--(m:AWSRole) RETURN m"
-        result = _inject(cypher)
-        assert "()" in result  # empty parens untouched
-        assert f"(m:AWSRole:{LABEL})" in result
-
-    def test_fully_anonymous_query_bypasses_injection(self):
-        """All-anonymous patterns bypass injection entirely.
-
-        MATCH ()--()--() has no labels and no variables, so neither Pass A
-        (labeled) nor Pass B (bare identifier) can inject the provider label.
-        This is safe because _serialize_graph() (Layer 3) filters every
-        returned node by provider label, dropping cross-provider data before
-        it reaches the user.
-        """
-        cypher = "MATCH ()--()--() RETURN *"
-        result = _inject(cypher)
-        assert result == cypher  # completely unmodified
-        assert LABEL not in result
-
-    def test_relationship_patterns_untouched(self):
-        cypher = "MATCH (a:X)-[r:REL_TYPE {x: 1}]->(b:Y) RETURN a"
-        result = _inject(cypher)
-        assert "[r:REL_TYPE {x: 1}]" in result  # relationship untouched
-        assert f"(a:X:{LABEL})" in result
-        assert f"(b:Y:{LABEL})" in result
-
-    def test_call_subquery(self):
-        cypher = (
-            "CALL {\n"
-            "  MATCH (inner:AWSRole) RETURN inner\n"
-            "}\n"
-            "MATCH (outer:AWSAccount) RETURN outer, inner"
-        )
-        result = _inject(cypher)
-        assert f"(inner:AWSRole:{LABEL})" in result
-        assert f"(outer:AWSAccount:{LABEL})" in result
-
-    def test_multiple_protected_regions(self):
-        cypher = (
-            "MATCH (n:X {a: 'hello'}) " 'WHERE n.b = "world" ' "// comment\n" "RETURN n"
-        )
-        result = _inject(cypher)
-        assert "'hello'" in result
-        assert '"world"' in result
-        assert "// comment" in result
-        assert f"(n:X:{LABEL}" in result
-
-    def test_idempotent_on_already_injected(self):
-        """Running injection twice should add the label twice (not ideal, but predictable)."""
-        first = _inject("MATCH (n:AWSRole) RETURN n")
-        second = _inject(first)
-        # The label appears twice (stacked)
-        assert second.count(LABEL) == 2
-
-
-# ---------------------------------------------------------------------------
-# Validation
-# ---------------------------------------------------------------------------
-
-
-class TestValidation:
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-            "load csv from 'http://evil.com' as row return row",
-            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-            "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-            "CALL apoc.export.csv.all('file.csv', {})",
-            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-            "CALL apoc.config.list() YIELD key, value RETURN key, value",
-            "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-            "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-            "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-            "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-        ],
-        ids=[
-            "LOAD_CSV",
-            "LOAD_CSV_lowercase",
-            "apoc.load.json",
-            "apoc.load.csvParams",
-            "apoc.import.csv",
-            "apoc.export.csv",
-            "apoc.cypher.run",
-            "apoc.systemdb.graph",
-            "apoc.config.list",
-            "apoc.periodic.iterate",
-            "apoc.do.when",
-            "apoc.trigger.add",
-            "apoc.custom.asProcedure",
-        ],
-    )
-    def test_rejects_blocked_patterns(self, cypher):
-        with pytest.raises(ValidationError) as exc:
-            validate_custom_query(cypher)
-
-        assert "blocked operation" in str(exc.value.detail)
-
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-            "MATCH (a)-[r]->(b) RETURN a, r, b",
-            "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-            "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-            "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-            'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-        ],
-        ids=[
-            "simple_match",
-            "traversal",
-            "contains_load_substring",
-            "apoc_virtual_node",
-            "apoc_load_inside_single_quotes",
-            "load_csv_inside_double_quotes",
-        ],
-    )
-    def test_allows_clean_queries(self, cypher):
-        validate_custom_query(cypher)

api/src/backend/api/tests/test_db_utils.py

@@ -6,12 +6,10 @@ import pytest
 from django.conf import settings
 from django.db import DEFAULT_DB_ALIAS, OperationalError
 from freezegun import freeze_time
-from psycopg2 import sql as psycopg2_sql
 from rest_framework_json_api.serializers import ValidationError
 
 from api.db_utils import (
     POSTGRES_TENANT_VAR,
-    PostgresEnumMigration,
     _should_create_index_on_partition,
     batch_delete,
     create_objects_in_batches,
@@ -912,61 +910,3 @@ class TestRlsTransaction:
             cursor.execute("SELECT 1")
             result = cursor.fetchone()
             assert result[0] == 1
-
-
-class TestPostgresEnumMigration:
-    """
-    Verify that PostgresEnumMigration builds DDL statements via psycopg2.sql
-    so that enum type names and values are always properly quoted — preventing
-    SQL injection through f-string interpolation.
-    """
-
-    def _make_mock_schema_editor(self):
-        mock_cursor = MagicMock()
-        mock_conn = MagicMock()
-        mock_conn.cursor.return_value.__enter__ = MagicMock(return_value=mock_cursor)
-        mock_conn.cursor.return_value.__exit__ = MagicMock(return_value=False)
-        mock_schema_editor = MagicMock()
-        mock_schema_editor.connection = mock_conn
-        return mock_schema_editor, mock_cursor
-
-    def test_create_enum_type_generates_correct_sql(self):
-        """create_enum_type builds a proper CREATE TYPE … AS ENUM via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a", "val_b"))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.create_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "create_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: CREATE TYPE <Identifier> AS ENUM (<Literals>)
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("CREATE TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)
-        assert parts[2] == psycopg2_sql.SQL(" AS ENUM (")
-        # The enum values are a Composed of Literal items joined by ", "
-        enum_literals = [p for p in parts[3].seq if isinstance(p, psycopg2_sql.Literal)]
-        assert [lit._wrapped for lit in enum_literals] == ["val_a", "val_b"]
-        assert parts[4] == psycopg2_sql.SQL(")")
-
-    def test_drop_enum_type_generates_correct_sql(self):
-        """drop_enum_type builds a proper DROP TYPE via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a",))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.drop_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "drop_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: DROP TYPE <Identifier>
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("DROP TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)

api/src/backend/api/tests/test_models.py

@@ -243,39 +243,6 @@ class TestSAMLConfigurationModel:
         assert "Invalid XML" in errors["metadata_xml"][0]
         assert "not well-formed" in errors["metadata_xml"][0]
 
-    def test_xml_bomb_rejected(self, tenants_fixture):
-        """
-        Regression test: a 'billion laughs' XML bomb in the SAML metadata field
-        must be rejected and not allowed to exhaust server memory / CPU.
-
-        Before the fix, xml.etree.ElementTree was used directly, which does not
-        protect against entity-expansion attacks.  The fix switches to defusedxml
-        which raises an exception for any XML containing entity definitions.
-        """
-        tenant = tenants_fixture[0]
-        xml_bomb = (
-            "<?xml version='1.0'?>"
-            "<!DOCTYPE bomb ["
-            "  <!ENTITY a 'aaaaaaaaaa'>"
-            "  <!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>"
-            "  <!ENTITY c '&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;'>"
-            "  <!ENTITY d '&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;'>"
-            "]>"
-            "<md:EntityDescriptor entityID='&d;' "
-            "xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'/>"
-        )
-        config = SAMLConfiguration(
-            email_domain="xmlbomb.com",
-            metadata_xml=xml_bomb,
-            tenant=tenant,
-        )
-
-        with pytest.raises(ValidationError) as exc_info:
-            config._parse_metadata()
-
-        errors = exc_info.value.message_dict
-        assert "metadata_xml" in errors
-
     def test_metadata_missing_sso_fails(self, tenants_fixture):
         tenant = tenants_fixture[0]
         xml = """<md:EntityDescriptor entityID="x" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">