docs(ui): add changelog entry for drawer mobile scroll fix (#11199 )

fix(ui): contain finding drawer horizontal scroll to the tab bar on mobile
On narrow screens the five section tabs (Finding Overview, Remediation, Findings for this resource, Scans, Events) did not fit, and because they had no dedicated scroll container the overflow leaked up to the resource card (whose overflow-y-auto implicitly resolves overflow-x to auto), scrolling the entire drawer body horizontally. - TabsList is now its own horizontal scroll container: triggers keep their intrinsic size (shrink-0) and stay on one line (whitespace-nowrap) so a partially-visible tab plus a thin scrollbar make it obvious more tabs are reachable by scrolling. - The resource card is pinned to overflow-x-hidden + min-w-0 so no child can force the drawer body to scroll sideways. - minimal-scrollbar now sets a 6px height so the horizontal scrollbar is actually visible on WebKit (it previously only set width).
2026-06-10 13:32:44 +00:00 · 2026-05-18 13:59:45 +01:00 · 2026-05-18 13:57:26 +01:00
803 changed files with 6455 additions and 43750 deletions
@@ -1,17 +0,0 @@
-{
-  "name": "prowler-plugins",
-  "description": "Prowler Cloud Security for Claude Code",
-  "owner": {
-    "name": "Prowler",
-    "email": "support@prowler.com"
-  },
-  "plugins": [
-    {
-      "name": "prowler",
-      "source": "./claude_plugins/prowler",
-      "description": "Prowler for Claude Code — cloud security and compliance skills powered by the Prowler MCP server. Bundles compliance triage and remediation; more skills coming.",
-      "category": "security",
-      "homepage": "https://prowler.com"
-    }
-  ]
-}
@@ -11,14 +11,7 @@ envs = "wt step copy-ignored"
 [[pre-start]]
 deps = "uv sync"

-# Block 3: prepare pnpm via corepack.
-[[pre-start]]
-corepack-enable = "corepack enable"
-
-[[pre-start]]
-corepack-install = "cd ui && corepack install"
-
-# Block 4: reminder - last visible output before `wt switch` returns.
+# Block 3: reminder - last visible output before `wt switch` returns.
 # Hooks can't mutate the parent shell, so venv activation is manual.
 [[pre-start]]
 reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.29.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.27.0

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -6,17 +6,17 @@
 version: 2
 updates:
  # v5
-  # - package-ecosystem: "pip"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "monthly"
-  #   open-pull-requests-limit: 25
-  #   target-branch: master
-  #   labels:
-  #     - "dependencies"
-  #     - "pip"
-  #   cooldown:
-  #     default-days: 7
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 25
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pip"
+    cooldown:
+      default-days: 7

  # Dependabot Updates are temporary disabled - 2025/03/19
  # - package-ecosystem: "pip"
@@ -66,17 +66,17 @@ updates:
    cooldown:
      default-days: 7

-  # - package-ecosystem: "pre-commit"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "monthly"
-  #   open-pull-requests-limit: 25
-  #   target-branch: master
-  #   labels:
-  #     - "dependencies"
-  #     - "pre-commit"
-  #   cooldown:
-  #     default-days: 7
+  - package-ecosystem: "pre-commit"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 25
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pre-commit"
+    cooldown:
+      default-days: 7

  # Dependabot Updates are temporary disabled - 2025/04/15
  # v4.6
@@ -1,140 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:best-practices",
-    ":enablePreCommit",
-    ":semanticCommits",
-    ":enableVulnerabilityAlertsWithLabel(security)",
-    "docker:enableMajor",
-    "helpers:pinGitHubActionDigestsToSemver",
-    "helpers:disableTypesNodeMajor",
-    "security:openssf-scorecard",
-    "customManagers:githubActionsVersions",
-    "customManagers:dockerfileVersions"
-  ],
-  "timezone": "Europe/Madrid",
-  "baseBranchPatterns": [
-    "master"
-  ],
-  "labels": [
-    "dependencies"
-  ],
-  "dependencyDashboardTitle": "Dependency Dashboard",
-  "prConcurrentLimit": 20,
-  "prHourlyLimit": 10,
-  "vulnerabilityAlerts": {
-    "prHourlyLimit": 0,
-    "prConcurrentLimit": 0
-  },
-  "configMigration": true,
-  "minimumReleaseAge": "7 days",
-  "rangeStrategy": "pin",
-  "packageRules": [
-    {
-      "description": "Patches: 1st of every month, Madrid overnight window (22:00-06:00)",
-      "matchUpdateTypes": [
-        "patch"
-      ],
-      "schedule": [
-        "* 22-23,0-5 1 * *"
-      ],
-      "enabled": false
-    },
-    {
-      "description": "Minors: 8th of every 3 months, Madrid overnight window (22:00-06:00)",
-      "matchUpdateTypes": [
-        "minor"
-      ],
-      "schedule": [
-        "* 22-23,0-5 8 */3 *"
-      ],
-      "enabled": false
-    },
-    {
-      "description": "Majors: 15th of every 3 months, Madrid overnight window",
-      "matchUpdateTypes": [
-        "major"
-      ],
-      "schedule": [
-        "* 22-23,0-5 15 */3 *"
-      ],
-      "enabled": false
-    },
-    {
-      "description": "GitHub Actions - single grouped PR, no changelog, scope=ci",
-      "matchManagers": [
-        "github-actions"
-      ],
-      "groupName": "github-actions",
-      "semanticCommitScope": "ci",
-      "addLabels": [
-        "no-changelog"
-      ]
-    },
-    {
-      "description": "Docker images - single grouped PR, no changelog, scope=docker",
-      "matchManagers": [
-        "dockerfile",
-        "docker-compose"
-      ],
-      "groupName": "docker",
-      "semanticCommitScope": "docker",
-      "addLabels": [
-        "no-changelog"
-      ]
-    },
-    {
-      "description": "Pre-commit hooks - single grouped PR, scope=pre-commit",
-      "matchManagers": [
-        "pre-commit"
-      ],
-      "groupName": "pre-commit hooks",
-      "semanticCommitScope": "pre-commit",
-      "addLabels": [
-        "no-changelog"
-      ]
-    },
-    {
-      "description": "UI - scope=ui",
-      "matchFileNames": [
-        "ui/**"
-      ],
-      "semanticCommitScope": "ui"
-    },
-    {
-      "description": "API - scope=api",
-      "matchFileNames": [
-        "api/**"
-      ],
-      "semanticCommitScope": "api"
-    },
-    {
-      "description": "MCP server - scope=mcp",
-      "matchFileNames": [
-        "mcp_server/**"
-      ],
-      "semanticCommitScope": "mcp"
-    },
-    {
-      "description": "Python SDK (root) - scope=sdk",
-      "matchFileNames": [
-        "pyproject.toml",
-        "poetry.lock",
-        "util/prowler-bulk-provisioning/**"
-      ],
-      "semanticCommitScope": "sdk"
-    },
-    {
-      "description": "UI devDependencies - no changelog",
-      "matchFileNames": [
-        "ui/**"
-      ],
-      "matchDepTypes": [
-        "devDependencies"
-      ],
-      "addLabels": [
-        "no-changelog"
-      ]
-    }
-  ]
-}
@@ -0,0 +1,291 @@
+name: 'API: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get current API version
+        id: get_api_version
+        run: |
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "Current API version: $CURRENT_API_VERSION"
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 -> API 1.18.0
+          # For next master (Prowler 5.18.0) -> API 1.19.0
+          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "Current API version: $CURRENT_API_VERSION"
+          echo "Next API minor version (for master): $NEXT_API_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
+          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # Extract current API patch to increment it
+          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            API_PATCH=${BASH_REMATCH[3]}
+
+            # API version follows Prowler minor + 1
+            # Keep same API minor (based on Prowler minor), increment patch
+            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
+
+            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
+            echo "Current API version: $CURRENT_API_VERSION"
+            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
+            echo "Target branch: $VERSION_BRANCH"
+          else
+            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
+            exit 1
+          fi
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -53,7 +53,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -61,12 +61,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -46,7 +46,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block

@@ -65,7 +65,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -108,7 +108,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -122,7 +122,6 @@ jobs:
            github.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            pypi.org:443
            registry-1.docker.io:443
            release-assets.githubusercontent.com:443
@@ -133,18 +132,14 @@ jobs:
        with:
          persist-credentials: false

-      - name: Refresh prowler SDK pin to current branch tip
+      - name: Pin prowler SDK to latest master commit
+        if: github.event_name == 'push'
        run: |
-          # api/pyproject.toml has `@master` on master and `@v5.X` on release
-          # branches (set by prepare-release.yml). uv lock --upgrade-package
-          # re-resolves whichever ref is present against the current branch tip
-          # and writes the SHA into api/uv.lock. The Dockerfile runs
-          # `uv sync --locked`, which is what actually drives the install.
-          pip install --no-cache-dir "uv==0.11.14"
-          (cd api && uv lock --upgrade-package prowler)
+          LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
+          sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -155,7 +150,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -175,7 +170,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -184,9 +179,8 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -236,7 +230,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -283,7 +277,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: api/Dockerfile

@@ -72,7 +72,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -83,7 +83,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            debian.map.fastlydns.net:80
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
@@ -104,7 +103,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: api/**
          files_ignore: |
@@ -119,7 +118,7 @@ jobs:

      - name: Build container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -50,7 +50,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -59,7 +59,6 @@ jobs:
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
-            raw.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            api.osv.dev:443
            api.deps.dev:443
@@ -73,7 +72,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@@ -78,7 +78,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -102,7 +102,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -1,409 +0,0 @@
-name: 'Release: Bump Versions'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: release-bump-versions-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: audit
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-master:
-    name: Bump versions on master (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: audit
-
-      - name: Checkout master
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: master
-          persist-credentials: false
-
-      - name: Compute next versions for master
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          # SDK / UI / docs mirror the Prowler version directly.
-          NEXT_SDK_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-
-          # API is an independent stream: 1.<prowler_minor + 1>.X
-          # After Prowler 5.M.0 release, master moves on to next API minor: 1.(M+2).0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          # Read current versions to drive sed replacements.
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
-
-          echo "NEXT_SDK_VERSION=${NEXT_SDK_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version: $PROWLER_VERSION"
-          echo "Next SDK/UI version (master): $NEXT_SDK_VERSION"
-          echo "Next API version (master):   $NEXT_API_VERSION  (current: $CURRENT_API_VERSION)"
-          echo "Docs target version:         $PROWLER_VERSION   (current: $CURRENT_DOCS_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Decide whether to bump docs on master
-        id: docs_decision
-        run: |
-          # Skip docs bump if master is already at or ahead of the release version
-          # (re-run, or patch shipped against an older minor line).
-          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
-          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            echo "Skipping docs bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
-          else
-            echo "skip=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_SDK_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_SDK_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Regenerate lockfiles after version bump
-        run: |
-          set -e
-          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
-          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
-          # the container builds. Refresh both with the uv version the images
-          # pin (plain `uv lock`, no --upgrade: only the version line changes).
-          pip install --no-cache-dir "uv==0.11.14"
-          uv lock
-          (cd api && uv lock)
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_SDK_VERSION}|" .env
-
-      - name: Bump docs versions (prowler-app.mdx)
-        if: steps.docs_decision.outputs.skip == 'false'
-        run: |
-          set -e
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next versions to master
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_SDK_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on master after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_SDK_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_SDK_VERSION }} |
-            | Docs | `docs/getting-started/installation/prowler-app.mdx` (`PROWLER_UI_VERSION`, `PROWLER_API_VERSION`) | v${{ env.PROWLER_VERSION }} (skipped if already at or ahead) |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-minor-version-branch:
-    name: Bump versions on version branch (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: audit
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Compute first patch versions for version branch
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI first patch mirrors Prowler version directly.
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-
-          # API on this branch stays on the 1.<MINOR+1>.X stream, starting at .1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "First SDK/UI patch:           $FIRST_PATCH_VERSION"
-          echo "First API patch:              $FIRST_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Regenerate lockfiles after version bump
-        run: |
-          set -e
-          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
-          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
-          # the container builds. Refresh both with the uv version the images
-          # pin (plain `uv lock`, no --upgrade: only the version line changes).
-          pip install --no-cache-dir "uv==0.11.14"
-          uv lock
-          (cd api && uv lock)
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for first patch versions to version branch
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.FIRST_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.FIRST_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.FIRST_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version-branch:
-    name: Bump versions on version branch (patch release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Compute next patch versions
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI patch mirrors Prowler version directly.
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          # API on this branch stays on 1.<MINOR+1>.X; bump its patch component.
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "Next SDK/UI patch:            $NEXT_PATCH_VERSION"
-          echo "Next API patch:               $NEXT_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Regenerate lockfiles after version bump
-        run: |
-          set -e
-          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
-          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
-          # the container builds. Refresh both with the uv version the images
-          # pin (plain `uv lock`, no --upgrade: only the version line changes).
-          pip install --no-cache-dir "uv==0.11.14"
-          uv lock
-          (cd api && uv lock)
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next patch versions to version branch
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -51,6 +51,6 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        with:
          token: ${{ github.token }}
@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -0,0 +1,97 @@
+name: 'Docs: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
+
+permissions: {}
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Validate release version
+        run: |
+          if [[ ! $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+          if (( ${BASH_REMATCH[1]} != 5 )); then
+            echo "::error::Releasing another Prowler major version, aborting..."
+            exit 1
+          fi
+
+      - name: Checkout master branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ env.BASE_BRANCH }}
+          persist-credentials: false
+
+      - name: Read current docs version on master
+        id: docs_version
+        run: |
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "Current docs version on master: $CURRENT_DOCS_VERSION"
+          echo "Target release version: $PROWLER_VERSION"
+
+          # Skip if master is already at or ahead of the release version
+          # (re-run, or patch shipped against an older minor line)
+          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
+          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            echo "Skipping bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Bump versions in documentation
+        if: steps.docs_version.outputs.skip == 'false'
+        run: |
+          set -e
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to master
+        if: steps.docs_version.outputs.skip == 'false'
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.BASE_BRANCH }}
+          commit-message: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-bump-to-v${{ env.PROWLER_VERSION }}
+          title: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # We can't block as Trufflehog needs to verify secrets against vendors
          egress-policy: audit
@@ -44,6 +44,6 @@ jobs:

      - name: Scan diff for secrets with TruffleHog
        # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags.
-        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
+        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
        with:
          extra_args: --results=verified,unknown
@@ -33,7 +33,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -22,7 +22,7 @@ jobs:
      issues: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
      title: ${{ steps.compute-text.outputs.title }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Check workflow file timestamps
@@ -135,12 +135,12 @@ jobs:
      secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Checkout repository
@@ -870,12 +870,12 @@ jobs:
      total_count: ${{ steps.missing_tool.outputs.total_count }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -982,12 +982,12 @@ jobs:
      success: ${{ steps.parse_results.outputs.success }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent artifacts
@@ -1091,12 +1091,12 @@ jobs:
      activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Add eyes reaction for immediate feedback
@@ -1164,12 +1164,12 @@ jobs:
      process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
+        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -27,12 +27,12 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Apply labels to PR
-        uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          sync-labels: true

@@ -46,7 +46,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -1,60 +0,0 @@
-name: 'Docs: Markdown Lint'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  markdown-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            registry.npmjs.org:443
-            release-assets.githubusercontent.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version-file: ui/.nvmrc
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-        with:
-          package_json_file: ui/package.json
-          run_install: false
-
-      - name: Run markdownlint
-        # Pin must match .pre-commit-config.yaml so prek and CI behave identically.
-        # pnpm dlx doesn't accept --ignore-scripts as a flag; the env var
-        # disables postinstall scripts on transitives the same way.
-        env:
-          pnpm_config_ignore_scripts: 'true'
-        run: pnpm dlx markdownlint-cli@0.45.0 '**/*.md'
@@ -45,7 +45,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block

@@ -64,7 +64,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -106,7 +106,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -114,7 +114,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -126,7 +125,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -137,7 +136,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -165,19 +164,18 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -227,7 +225,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -274,7 +272,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: mcp_server/Dockerfile

@@ -71,7 +71,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -79,7 +79,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -99,7 +98,7 @@ jobs:

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: mcp_server/**
          files_ignore: |
@@ -112,7 +111,7 @@ jobs:

      - name: Build MCP container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -88,8 +88,7 @@ jobs:

      # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release
      # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in
-      # sync with mcp_server/CHANGELOG.md (separate from the release bump-version.yml), but this
-      # publish workflow still runs on every release.
+      # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release.
      # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any
      # workflow_dispatch re-runs) without failing with HTTP 400 (version exists).
      - name: Check if prowler-mcp version already exists on PyPI
@@ -113,7 +112,7 @@ jobs:

      - name: Publish prowler-mcp package to PyPI
        if: steps.pypi-check.outputs.skip != 'true'
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
          print-hash: true
@@ -1,75 +0,0 @@
-name: 'MCP: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'mcp_server/pyproject.toml'
-      - 'mcp_server/uv.lock'
-      - '.github/workflows/mcp-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'mcp_server/pyproject.toml'
-      - 'mcp_server/uv.lock'
-      - '.github/workflows/mcp-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  mcp-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Check for MCP dependency changes
-        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
-        with:
-          files: |
-            mcp_server/pyproject.toml
-            mcp_server/uv.lock
-            .github/workflows/mcp-security.yml
-            .github/actions/osv-scanner/**
-            .github/scripts/osv-scan.sh
-
-      - name: Dependency vulnerability scan with osv-scanner
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: mcp_server/uv.lock
@@ -48,7 +48,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -61,7 +61,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Build ${{ matrix.component }} container (linux/arm64)
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
@@ -83,7 +83,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -52,7 +52,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            prowler/providers/**/services/**/*.metadata.json
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: '**'

@@ -26,7 +26,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
      pull-requests: write
    steps:
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

@@ -53,7 +53,7 @@ jobs:

    - name: Parse version and determine branch
      run: |
-        # Validate version format (reusing pattern from bump-version.yml)
+        # Validate version format (reusing pattern from sdk-bump-version.yml)
        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
          MAJOR_VERSION=${BASH_REMATCH[1]}
          MINOR_VERSION=${BASH_REMATCH[2]}
@@ -299,6 +299,17 @@ jobs:
        fi
        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"

+    - name: Verify API version in api/src/backend/api/v1/views.py
+      if: ${{ env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
+
    - name: Verify API version in api/src/backend/api/specs/v1.yaml
      if: ${{ env.HAS_API_CHANGES == 'true' }}
      run: |
@@ -338,7 +349,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -1,57 +0,0 @@
-name: 'CI: Renovate Config Validate'
-
-on:
-  pull_request:
-    branches:
-      - 'master'
-    paths:
-      - '.github/renovate.json'
-      - '.pre-commit-config.yaml'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-permissions: {}
-
-env:
-  # renovate: datasource=pypi depName=prek
-  PREK_VERSION: '0.4.0'
-
-jobs:
-  validate:
-    name: Validate Renovate config
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            objects.githubusercontent.com:443
-            codeload.github.com:443
-            release-assets.githubusercontent.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            registry.npmjs.org:443
-            nodejs.org:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
-
-      - name: Install prek
-        run: uv tool install "prek==${PREK_VERSION}"
-
-      - name: Validate Renovate config
-        run: prek run renovate-config-validator --files .github/renovate.json
@@ -0,0 +1,247 @@
+name: 'SDK: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -32,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -48,7 +48,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ./**
          files_ignore: |
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -60,7 +60,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -98,7 +98,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -141,7 +141,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -149,7 +149,6 @@ jobs:
            public.ecr.aws:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            auth.docker.io:443
            debian.map.fastlydns.net:80
            github.com:443
@@ -168,13 +167,13 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -188,7 +187,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -209,7 +208,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -217,20 +216,19 @@ jobs:
            auth.docker.io:443
            public.ecr.aws:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            api.ecr-public.us-east-1.amazonaws.com:443


      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -267,7 +265,7 @@ jobs:
      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
      - name: Login to DockerHub (toniblyx)
        if: needs.setup.outputs.latest_tag == 'latest'
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
@@ -292,7 +290,7 @@ jobs:
      # Re-login as prowlercloud for cleanup of intermediate tags
      - name: Login to DockerHub (prowlercloud)
        if: always()
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -320,7 +318,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -41,7 +41,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -55,7 +55,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: Dockerfile

@@ -77,7 +77,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -85,7 +85,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
@@ -109,7 +108,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ./**
          files_ignore: |
@@ -138,7 +137,7 @@ jobs:

      - name: Build SDK container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: false
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -66,7 +66,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -85,7 +85,7 @@ jobs:
        run: uv build

      - name: Publish Prowler package to PyPI
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          print-hash: true

@@ -102,7 +102,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -129,6 +129,6 @@ jobs:
        run: uv build

      - name: Publish prowler-cloud package to PyPI
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          print-hash: true
@@ -27,7 +27,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -58,7 +58,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -55,7 +55,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -47,7 +47,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -69,7 +69,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files:
            ./**
@@ -32,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -46,7 +46,6 @@ jobs:
            schema.ocsf.io:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            o26192.ingest.us.sentry.io:443
            management.azure.com:443
@@ -70,7 +69,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ./**
          files_ignore: |
@@ -103,7 +102,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/aws/**
@@ -233,7 +232,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/azure/**
@@ -257,7 +256,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/gcp/**
@@ -281,7 +280,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -305,7 +304,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/github/**
@@ -329,7 +328,7 @@ jobs:
      - name: Check if Okta files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-okta
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/okta/**
@@ -353,7 +352,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/nhn/**
@@ -377,7 +376,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/m365/**
@@ -401,7 +400,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/iac/**
@@ -425,7 +424,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -449,7 +448,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -473,7 +472,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/openstack/**
@@ -497,7 +496,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -521,7 +520,7 @@ jobs:
      - name: Check if Vercel files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-vercel
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/**/vercel/**
@@ -541,59 +540,11 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-vercel
          files: ./vercel_coverage.xml

-      # Scaleway Provider
-      - name: Check if Scaleway files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-scaleway
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
-        with:
-          files: |
-            ./prowler/**/scaleway/**
-            ./tests/**/scaleway/**
-            ./uv.lock
-
-      - name: Run Scaleway tests
-        if: steps.changed-scaleway.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/scaleway --cov-report=xml:scaleway_coverage.xml tests/providers/scaleway
-
-      - name: Upload Scaleway coverage to Codecov
-        if: steps.changed-scaleway.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-scaleway
-          files: ./scaleway_coverage.xml
-
-      # StackIT Provider
-      - name: Check if StackIT files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-stackit
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
-        with:
-          files: |
-            ./prowler/**/stackit/**
-            ./tests/**/stackit/**
-            ./uv.lock
-
-      - name: Run StackIT tests
-        if: steps.changed-stackit.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/stackit --cov-report=xml:stackit_coverage.xml tests/providers/stackit
-
-      - name: Upload StackIT coverage to Codecov
-        if: steps.changed-stackit.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-stackit
-          files: ./stackit_coverage.xml
-
      # Lib
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/lib/**
@@ -617,7 +568,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ./prowler/config/**
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -68,7 +68,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5

      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -0,0 +1,253 @@
+name: 'UI: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for master
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -47,7 +47,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -62,12 +62,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -48,7 +48,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -110,13 +110,12 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            auth.docker.io:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
@@ -130,7 +129,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -141,7 +140,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -164,7 +163,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -173,10 +172,9 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -226,7 +224,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -273,7 +271,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ui/Dockerfile

@@ -72,7 +72,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -80,7 +80,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
            fonts.googleapis.com:443
@@ -100,7 +99,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ui/**
          files_ignore: |
@@ -114,7 +113,7 @@ jobs:

      - name: Build UI container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -85,7 +85,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -172,7 +172,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version-file: 'ui/.nvmrc'
+          node-version: '24.13.0'

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -184,7 +184,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -204,7 +204,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -295,7 +295,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -59,7 +59,7 @@ jobs:

      - name: Check for UI dependency changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ui/package.json
@@ -16,6 +16,7 @@ concurrency:

 env:
  UI_WORKING_DIR: ./ui
+  NODE_VERSION: "24.13.0"

 permissions: {}

@@ -31,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -53,7 +54,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ui/**
@@ -66,7 +67,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ui/**/*.ts
@@ -82,7 +83,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            ui/lib/**
@@ -92,11 +93,11 @@ jobs:
            ui/vitest.config.ts
            ui/vitest.setup.ts

-      - name: Setup Node.js
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version-file: 'ui/.nvmrc'
+          node-version: ${{ env.NODE_VERSION }}

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -112,7 +113,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -161,7 +162,7 @@ jobs:
      - name: Cache Playwright browsers
        if: steps.check-changes.outputs.any_changed == 'true'
        id: playwright-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-chromium-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -1,19 +1,22 @@
 rules:
  secrets-outside-env:
    ignore:
+      - api-bump-version.yml
      - api-container-build-push.yml
      - api-tests.yml
      - backport.yml
-      - bump-version.yml
+      - docs-bump-version.yml
      - issue-triage.lock.yml
      - mcp-container-build-push.yml
      - nightly-arm64-container-builds.yml
      - pr-merged.yml
      - prepare-release.yml
+      - sdk-bump-version.yml
      - sdk-container-build-push.yml
      - sdk-refresh-aws-services-regions.yml
      - sdk-refresh-oci-regions.yml
      - sdk-tests.yml
+      - ui-bump-version.yml
      - ui-container-build-push.yml
      - ui-e2e-tests-v2.yml
  superfluous-actions:
@@ -60,6 +60,7 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
+.mcp.json

 # AI Coding Assistants - Cursor
 .cursorignore
@@ -1,10 +0,0 @@
-{
-  "extends": "markdownlint/style/prettier",
-  "first-line-h1": false,
-  "no-duplicate-heading": {
-    "siblings_only": true
-  },
-  "no-inline-html": false,
-  "line-length": false,
-  "no-bare-urls": false
-}
@@ -1,16 +0,0 @@
-node_modules/
-ui/node_modules/
-.git/
-.venv/
-**/.venv/
-dist/
-build/
-htmlcov/
-.next/
-ui/.next/
-ui/out/
-contrib/
-
-# Auto-generated content (keepachangelog format legitimately repeats section headings).
-# Revisit with the team — see beads task on markdownlint rule triage.
-**/CHANGELOG.md
@@ -49,14 +49,6 @@ repos:
        files: ^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$
        priority: 30

-  ## RENOVATE
-  - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 43.150.0
-    hooks:
-      - id: renovate-config-validator
-        files: ^\.github/renovate\.json$
-        priority: 10
-
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
@@ -133,13 +125,6 @@ repos:
        pass_filenames: false
        priority: 50

-  ## MARKDOWN
-  - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.45.0
-    hooks:
-      - id: markdownlint
-        priority: 30
-
  ## CONTAINERS
  - repo: https://github.com/hadolint/hadolint
    rev: v2.14.0
@@ -1,3 +1,2 @@
 .envrc
 ui/.env.local
-openspec/
@@ -11,140 +11,134 @@
 Use these skills for detailed patterns on-demand:

 ### Generic Skills (Any Project)
-
-| Skill        | Description                                     | URL                                    |
-| ------------ | ----------------------------------------------- | -------------------------------------- |
-| `typescript` | Const types, flat interfaces, utility types     | [SKILL.md](skills/typescript/SKILL.md) |
-| `react-19`   | No useMemo/useCallback, React Compiler          | [SKILL.md](skills/react-19/SKILL.md)   |
-| `nextjs-16`  | App Router, Server Actions, proxy.ts, streaming | [SKILL.md](skills/nextjs-16/SKILL.md)  |
-| `tailwind-4` | cn() utility, no var() in className             | [SKILL.md](skills/tailwind-4/SKILL.md) |
-| `playwright` | Page Object Model, MCP workflow, selectors      | [SKILL.md](skills/playwright/SKILL.md) |
-| `pytest`     | Fixtures, mocking, markers, parametrize         | [SKILL.md](skills/pytest/SKILL.md)     |
-| `django-drf` | ViewSets, Serializers, Filters                  | [SKILL.md](skills/django-drf/SKILL.md) |
-| `jsonapi`    | Strict JSON:API v1.1 spec compliance            | [SKILL.md](skills/jsonapi/SKILL.md)    |
-| `zod-4`      | New API (z.email(), z.uuid())                   | [SKILL.md](skills/zod-4/SKILL.md)      |
-| `zustand-5`  | Persist, selectors, slices                      | [SKILL.md](skills/zustand-5/SKILL.md)  |
-| `ai-sdk-5`   | UIMessage, streaming, LangChain                 | [SKILL.md](skills/ai-sdk-5/SKILL.md)   |
-| `vitest`     | Unit testing, React Testing Library             | [SKILL.md](skills/vitest/SKILL.md)     |
-| `tdd`        | Test-Driven Development workflow                | [SKILL.md](skills/tdd/SKILL.md)        |
+| Skill | Description | URL |
+|-------|-------------|-----|
+| `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
+| `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
+| `nextjs-16` | App Router, Server Actions, proxy.ts, streaming | [SKILL.md](skills/nextjs-16/SKILL.md) |
+| `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
+| `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
+| `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
+| `django-drf` | ViewSets, Serializers, Filters | [SKILL.md](skills/django-drf/SKILL.md) |
+| `jsonapi` | Strict JSON:API v1.1 spec compliance | [SKILL.md](skills/jsonapi/SKILL.md) |
+| `zod-4` | New API (z.email(), z.uuid()) | [SKILL.md](skills/zod-4/SKILL.md) |
+| `zustand-5` | Persist, selectors, slices | [SKILL.md](skills/zustand-5/SKILL.md) |
+| `ai-sdk-5` | UIMessage, streaming, LangChain | [SKILL.md](skills/ai-sdk-5/SKILL.md) |
+| `vitest` | Unit testing, React Testing Library | [SKILL.md](skills/vitest/SKILL.md) |
+| `tdd` | Test-Driven Development workflow | [SKILL.md](skills/tdd/SKILL.md) |

 ### Prowler-Specific Skills
-
-| Skill                        | Description                                            | URL                                                    |
-| ---------------------------- | ------------------------------------------------------ | ------------------------------------------------------ |
-| `prowler`                    | Project overview, component navigation                 | [SKILL.md](skills/prowler/SKILL.md)                    |
-| `prowler-api`                | Django + RLS + JSON:API patterns                       | [SKILL.md](skills/prowler-api/SKILL.md)                |
-| `prowler-ui`                 | Next.js + shadcn conventions                           | [SKILL.md](skills/prowler-ui/SKILL.md)                 |
-| `prowler-ui-motion`          | shadcn/Radix visible microinteraction conventions      | [SKILL.md](skills/prowler-ui-motion/SKILL.md)          |
-| `prowler-ui-skeletons`       | shadcn skeleton loading and content reveal conventions | [SKILL.md](skills/prowler-ui-skeletons/SKILL.md)       |
-| `prowler-sdk-check`          | Create new security checks                             | [SKILL.md](skills/prowler-sdk-check/SKILL.md)          |
-| `prowler-mcp`                | MCP server tools and models                            | [SKILL.md](skills/prowler-mcp/SKILL.md)                |
-| `prowler-test-sdk`           | SDK testing (pytest + moto)                            | [SKILL.md](skills/prowler-test-sdk/SKILL.md)           |
-| `prowler-test-api`           | API testing (pytest-django + RLS)                      | [SKILL.md](skills/prowler-test-api/SKILL.md)           |
-| `prowler-test-ui`            | E2E testing (Playwright)                               | [SKILL.md](skills/prowler-test-ui/SKILL.md)            |
-| `prowler-compliance`         | Compliance framework structure                         | [SKILL.md](skills/prowler-compliance/SKILL.md)         |
-| `prowler-compliance-review`  | Review compliance framework PRs                        | [SKILL.md](skills/prowler-compliance-review/SKILL.md)  |
-| `prowler-provider`           | Add new cloud providers                                | [SKILL.md](skills/prowler-provider/SKILL.md)           |
-| `prowler-changelog`          | Changelog entries (keepachangelog.com)                 | [SKILL.md](skills/prowler-changelog/SKILL.md)          |
-| `prowler-ci`                 | CI checks and PR gates (GitHub Actions)                | [SKILL.md](skills/prowler-ci/SKILL.md)                 |
-| `prowler-commit`             | Professional commits (conventional-commits)            | [SKILL.md](skills/prowler-commit/SKILL.md)             |
-| `prowler-pr`                 | Pull request conventions                               | [SKILL.md](skills/prowler-pr/SKILL.md)                 |
-| `prowler-docs`               | Documentation style guide                              | [SKILL.md](skills/prowler-docs/SKILL.md)               |
-| `django-migration-psql`      | Django migration best practices for PostgreSQL         | [SKILL.md](skills/django-migration-psql/SKILL.md)      |
-| `postgresql-indexing`        | PostgreSQL indexing, EXPLAIN, monitoring, maintenance  | [SKILL.md](skills/postgresql-indexing/SKILL.md)        |
-| `prowler-attack-paths-query` | Create Attack Paths openCypher queries                 | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
-| `gh-aw`                      | GitHub Agentic Workflows (gh-aw)                       | [SKILL.md](skills/gh-aw/SKILL.md)                      |
-| `skill-creator`              | Create new AI agent skills                             | [SKILL.md](skills/skill-creator/SKILL.md)              |
+| Skill | Description | URL |
+|-------|-------------|-----|
+| `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
+| `prowler-api` | Django + RLS + JSON:API patterns | [SKILL.md](skills/prowler-api/SKILL.md) |
+| `prowler-ui` | Next.js + shadcn conventions | [SKILL.md](skills/prowler-ui/SKILL.md) |
+| `prowler-sdk-check` | Create new security checks | [SKILL.md](skills/prowler-sdk-check/SKILL.md) |
+| `prowler-mcp` | MCP server tools and models | [SKILL.md](skills/prowler-mcp/SKILL.md) |
+| `prowler-test-sdk` | SDK testing (pytest + moto) | [SKILL.md](skills/prowler-test-sdk/SKILL.md) |
+| `prowler-test-api` | API testing (pytest-django + RLS) | [SKILL.md](skills/prowler-test-api/SKILL.md) |
+| `prowler-test-ui` | E2E testing (Playwright) | [SKILL.md](skills/prowler-test-ui/SKILL.md) |
+| `prowler-compliance` | Compliance framework structure | [SKILL.md](skills/prowler-compliance/SKILL.md) |
+| `prowler-compliance-review` | Review compliance framework PRs | [SKILL.md](skills/prowler-compliance-review/SKILL.md) |
+| `prowler-provider` | Add new cloud providers | [SKILL.md](skills/prowler-provider/SKILL.md) |
+| `prowler-changelog` | Changelog entries (keepachangelog.com) | [SKILL.md](skills/prowler-changelog/SKILL.md) |
+| `prowler-ci` | CI checks and PR gates (GitHub Actions) | [SKILL.md](skills/prowler-ci/SKILL.md) |
+| `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
+| `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
+| `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
+| `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
+| `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
+| `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
+| `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
+| `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |

 ### Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

-| Action                                                                                                                | Skill                        |
-| --------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
-| Add changelog entry for a PR or feature                                                                               | `prowler-changelog`          |
-| Adding DRF pagination or permissions                                                                                  | `django-drf`                 |
-| Adding a compliance output formatter (per-provider class + table dispatcher)                                          | `prowler-compliance`         |
-| Adding indexes or constraints to database tables                                                                      | `django-migration-psql`      |
-| Adding new providers                                                                                                  | `prowler-provider`           |
-| Adding privilege escalation detection queries                                                                         | `prowler-attack-paths-query` |
-| Adding services to existing providers                                                                                 | `prowler-provider`           |
-| After creating/modifying a skill                                                                                      | `skill-sync`                 |
-| App Router / Server Actions                                                                                           | `nextjs-16`                  |
-| Auditing check-to-requirement mappings as a cloud auditor                                                             | `prowler-compliance`         |
-| Building AI chat features                                                                                             | `ai-sdk-5`                   |
-| Committing changes                                                                                                    | `prowler-commit`             |
-| Configuring MCP servers in agentic workflows                                                                          | `gh-aw`                      |
-| Create PR that requires changelog entry                                                                               | `prowler-changelog`          |
-| Create a PR with gh pr create                                                                                         | `prowler-pr`                 |
-| Creating API endpoints                                                                                                | `jsonapi`                    |
-| Creating Attack Paths queries                                                                                         | `prowler-attack-paths-query` |
-| Creating GitHub Agentic Workflows                                                                                     | `gh-aw`                      |
-| Creating ViewSets, serializers, or filters in api/                                                                    | `django-drf`                 |
-| Creating Zod schemas                                                                                                  | `zod-4`                      |
-| Creating a git commit                                                                                                 | `prowler-commit`             |
-| Creating new checks                                                                                                   | `prowler-sdk-check`          |
-| Creating new skills                                                                                                   | `skill-creator`              |
-| Creating or reviewing Django migrations                                                                               | `django-migration-psql`      |
-| Creating/modifying Prowler UI components                                                                              | `prowler-ui`                 |
-| Creating/modifying UI motion, transitions, or microinteractions                                                       | `prowler-ui-motion`          |
-| Creating/modifying skeletons, loading states, or Suspense fallbacks                                                   | `prowler-ui-skeletons`       |
-| Creating/modifying models, views, serializers                                                                         | `prowler-api`                |
-| Creating/updating compliance frameworks                                                                               | `prowler-compliance`         |
-| Debug why a GitHub Actions job is failing                                                                             | `prowler-ci`                 |
-| Debugging gh-aw compilation errors                                                                                    | `gh-aw`                      |
-| Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist)                                 | `prowler-pr`                 |
-| Fixing bug                                                                                                            | `tdd`                        |
-| Fixing compliance JSON bugs (duplicate IDs, empty Section, stale refs)                                                | `prowler-compliance`         |
-| General Prowler development questions                                                                                 | `prowler`                    |
-| Implementing JSON:API endpoints                                                                                       | `django-drf`                 |
-| Implementing feature                                                                                                  | `tdd`                        |
-| Importing Copilot Custom Agents into workflows                                                                        | `gh-aw`                      |
-| Inspect PR CI checks and gates (.github/workflows/\*)                                                                 | `prowler-ci`                 |
-| Inspect PR CI workflows (.github/workflows/\*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr`                 |
-| Mapping checks to compliance controls                                                                                 | `prowler-compliance`         |
-| Mocking AWS with moto in tests                                                                                        | `prowler-test-sdk`           |
-| Modifying API responses                                                                                               | `jsonapi`                    |
-| Modifying component                                                                                                   | `tdd`                        |
-| Modifying gh-aw workflow frontmatter or safe-outputs                                                                  | `gh-aw`                      |
-| Refactoring code                                                                                                      | `tdd`                        |
-| Regenerate AGENTS.md Auto-invoke tables (sync.sh)                                                                     | `skill-sync`                 |
-| Review PR requirements: template, title conventions, changelog gate                                                   | `prowler-pr`                 |
-| Review changelog format and conventions                                                                               | `prowler-changelog`          |
-| Reviewing JSON:API compliance                                                                                         | `jsonapi`                    |
-| Reviewing compliance framework PRs                                                                                    | `prowler-compliance-review`  |
-| Running makemigrations or pgmakemigrations                                                                            | `django-migration-psql`      |
-| Syncing compliance framework with upstream catalog                                                                    | `prowler-compliance`         |
-| Testing RLS tenant isolation                                                                                          | `prowler-test-api`           |
-| Testing hooks or utilities                                                                                            | `vitest`                     |
-| Troubleshoot why a skill is missing from AGENTS.md auto-invoke                                                        | `skill-sync`                 |
-| Understand CODEOWNERS/labeler-based automation                                                                        | `prowler-ci`                 |
-| Understand PR title conventional-commit validation                                                                    | `prowler-ci`                 |
-| Understand changelog gate and no-changelog label behavior                                                             | `prowler-ci`                 |
-| Understand review ownership with CODEOWNERS                                                                           | `prowler-pr`                 |
-| Update CHANGELOG.md in any component                                                                                  | `prowler-changelog`          |
-| Updating README.md provider statistics table                                                                          | `prowler-readme-table`       |
-| Updating checks, services, compliance, or categories count in README.md                                               | `prowler-readme-table`       |
-| Updating existing Attack Paths queries                                                                                | `prowler-attack-paths-query` |
-| Updating existing checks and metadata                                                                                 | `prowler-sdk-check`          |
-| Using Zustand stores                                                                                                  | `zustand-5`                  |
-| Working on MCP server tools                                                                                           | `prowler-mcp`                |
-| Working on Prowler UI structure (actions/adapters/types/hooks)                                                        | `prowler-ui`                 |
-| Working on task                                                                                                       | `tdd`                        |
-| Working with Prowler UI test helpers/pages                                                                            | `prowler-test-ui`            |
-| Working with Tailwind classes                                                                                         | `tailwind-4`                 |
-| Writing Playwright E2E tests                                                                                          | `playwright`                 |
-| Writing Prowler API tests                                                                                             | `prowler-test-api`           |
-| Writing Prowler SDK tests                                                                                             | `prowler-test-sdk`           |
-| Writing Prowler UI E2E tests                                                                                          | `prowler-test-ui`            |
-| Writing Python tests with pytest                                                                                      | `pytest`                     |
-| Writing React component tests                                                                                         | `vitest`                     |
-| Writing React components                                                                                              | `react-19`                   |
-| Writing TypeScript types/interfaces                                                                                   | `typescript`                 |
-| Writing Vitest tests                                                                                                  | `vitest`                     |
-| Writing data backfill or data migration                                                                               | `django-migration-psql`      |
-| Writing documentation                                                                                                 | `prowler-docs`               |
-| Writing unit tests for UI                                                                                             | `vitest`                     |
+| Action | Skill |
+|--------|-------|
+| Add changelog entry for a PR or feature | `prowler-changelog` |
+| Adding DRF pagination or permissions | `django-drf` |
+| Adding a compliance output formatter (per-provider class + table dispatcher) | `prowler-compliance` |
+| Adding indexes or constraints to database tables | `django-migration-psql` |
+| Adding new providers | `prowler-provider` |
+| Adding privilege escalation detection queries | `prowler-attack-paths-query` |
+| Adding services to existing providers | `prowler-provider` |
+| After creating/modifying a skill | `skill-sync` |
+| App Router / Server Actions | `nextjs-16` |
+| Auditing check-to-requirement mappings as a cloud auditor | `prowler-compliance` |
+| Building AI chat features | `ai-sdk-5` |
+| Committing changes | `prowler-commit` |
+| Configuring MCP servers in agentic workflows | `gh-aw` |
+| Create PR that requires changelog entry | `prowler-changelog` |
+| Create a PR with gh pr create | `prowler-pr` |
+| Creating API endpoints | `jsonapi` |
+| Creating Attack Paths queries | `prowler-attack-paths-query` |
+| Creating GitHub Agentic Workflows | `gh-aw` |
+| Creating ViewSets, serializers, or filters in api/ | `django-drf` |
+| Creating Zod schemas | `zod-4` |
+| Creating a git commit | `prowler-commit` |
+| Creating new checks | `prowler-sdk-check` |
+| Creating new skills | `skill-creator` |
+| Creating or reviewing Django migrations | `django-migration-psql` |
+| Creating/modifying Prowler UI components | `prowler-ui` |
+| Creating/modifying models, views, serializers | `prowler-api` |
+| Creating/updating compliance frameworks | `prowler-compliance` |
+| Debug why a GitHub Actions job is failing | `prowler-ci` |
+| Debugging gh-aw compilation errors | `gh-aw` |
+| Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist) | `prowler-pr` |
+| Fixing bug | `tdd` |
+| Fixing compliance JSON bugs (duplicate IDs, empty Section, stale refs) | `prowler-compliance` |
+| General Prowler development questions | `prowler` |
+| Implementing JSON:API endpoints | `django-drf` |
+| Implementing feature | `tdd` |
+| Importing Copilot Custom Agents into workflows | `gh-aw` |
+| Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
+| Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
+| Mapping checks to compliance controls | `prowler-compliance` |
+| Mocking AWS with moto in tests | `prowler-test-sdk` |
+| Modifying API responses | `jsonapi` |
+| Modifying component | `tdd` |
+| Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
+| Refactoring code | `tdd` |
+| Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
+| Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
+| Review changelog format and conventions | `prowler-changelog` |
+| Reviewing JSON:API compliance | `jsonapi` |
+| Reviewing compliance framework PRs | `prowler-compliance-review` |
+| Running makemigrations or pgmakemigrations | `django-migration-psql` |
+| Syncing compliance framework with upstream catalog | `prowler-compliance` |
+| Testing RLS tenant isolation | `prowler-test-api` |
+| Testing hooks or utilities | `vitest` |
+| Troubleshoot why a skill is missing from AGENTS.md auto-invoke | `skill-sync` |
+| Understand CODEOWNERS/labeler-based automation | `prowler-ci` |
+| Understand PR title conventional-commit validation | `prowler-ci` |
+| Understand changelog gate and no-changelog label behavior | `prowler-ci` |
+| Understand review ownership with CODEOWNERS | `prowler-pr` |
+| Update CHANGELOG.md in any component | `prowler-changelog` |
+| Updating README.md provider statistics table | `prowler-readme-table` |
+| Updating checks, services, compliance, or categories count in README.md | `prowler-readme-table` |
+| Updating existing Attack Paths queries | `prowler-attack-paths-query` |
+| Updating existing checks and metadata | `prowler-sdk-check` |
+| Using Zustand stores | `zustand-5` |
+| Working on MCP server tools | `prowler-mcp` |
+| Working on Prowler UI structure (actions/adapters/types/hooks) | `prowler-ui` |
+| Working on task | `tdd` |
+| Working with Prowler UI test helpers/pages | `prowler-test-ui` |
+| Working with Tailwind classes | `tailwind-4` |
+| Writing Playwright E2E tests | `playwright` |
+| Writing Prowler API tests | `prowler-test-api` |
+| Writing Prowler SDK tests | `prowler-test-sdk` |
+| Writing Prowler UI E2E tests | `prowler-test-ui` |
+| Writing Python tests with pytest | `pytest` |
+| Writing React component tests | `vitest` |
+| Writing React components | `react-19` |
+| Writing TypeScript types/interfaces | `typescript` |
+| Writing Vitest tests | `vitest` |
+| Writing data backfill or data migration | `django-migration-psql` |
+| Writing documentation | `prowler-docs` |
+| Writing unit tests for UI | `vitest` |

 ---

@@ -152,13 +146,13 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:

 Prowler is an open-source cloud security assessment tool supporting AWS, Azure, GCP, Kubernetes, GitHub, M365, and more.

-| Component  | Location      | Tech Stack                       |
-| ---------- | ------------- | -------------------------------- |
-| SDK        | `prowler/`    | Python 3.10+, uv                 |
-| API        | `api/`        | Django 5.1, DRF, Celery          |
-| UI         | `ui/`         | Next.js 16, React 19, Tailwind 4 |
-| MCP Server | `mcp_server/` | FastMCP, Python 3.12+            |
-| Dashboard  | `dashboard/`  | Dash, Plotly                     |
+| Component | Location | Tech Stack |
+|-----------|----------|------------|
+| SDK | `prowler/` | Python 3.10+, uv |
+| API | `api/` | Django 5.1, DRF, Celery |
+| UI | `ui/` | Next.js 16, React 19, Tailwind 4 |
+| MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
+| Dashboard | `dashboard/` | Dash, Plotly |

 ---

@@ -184,7 +178,6 @@ Follow conventional-commit style: `<type>[scope]: <description>`
 **Types:** `feat`, `fix`, `docs`, `chore`, `perf`, `refactor`, `style`, `test`

 Before creating a PR:
-
 1. Complete checklist in `.github/pull_request_template.md`
 2. Run all relevant tests and linters
 3. Link screenshots for UI changes
@@ -1,4 +1,4 @@
-# Do you want to learn on how to
+# Do you want to learn on how to...

 - [Contribute with your code or fixes to Prowler](https://docs.prowler.com/developer-guide/introduction)
 - [Create a new provider](https://docs.prowler.com/developer-guide/provider)
@@ -32,6 +32,5 @@ Provider-specific developer notes:

 Want some swag as appreciation for your contribution?

-## Prowler Developer Guide
-
-<https://goto.prowler.com/devguide>
+# Prowler Developer Guide
+https://goto.prowler.com/devguide
@@ -76,11 +76,11 @@ USER prowler
 WORKDIR /home/prowler

 # Copy necessary files
-COPY --chown=prowler:prowler prowler/  /home/prowler/prowler/
-COPY --chown=prowler:prowler dashboard/ /home/prowler/dashboard/
-COPY --chown=prowler:prowler pyproject.toml uv.lock /home/prowler/
-COPY --chown=prowler:prowler README.md /home/prowler/
-COPY --chown=prowler:prowler prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py
+COPY prowler/  /home/prowler/prowler/
+COPY dashboard/ /home/prowler/dashboard/
+COPY pyproject.toml uv.lock /home/prowler/
+COPY README.md /home/prowler/
+COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py

 # Install Python dependencies
 ENV HOME='/home/prowler'
@@ -89,7 +89,7 @@ ENV PATH="${HOME}/.local/bin:${PATH}"
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14

-RUN uv sync --locked --compile-bytecode && \
+RUN uv sync --compile-bytecode && \
    rm -rf ~/.cache/uv

 # Install PowerShell modules
@@ -100,4 +100,4 @@ RUN pip uninstall dash-html-components -y && \
    pip uninstall dash-core-components -y

 USER prowler
-ENTRYPOINT ["/home/prowler/.venv/bin/prowler"]
+ENTRYPOINT [".venv/bin/prowler"]
@@ -1,6 +1,6 @@
 <p align="center">
-  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
-  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
@@ -22,8 +22,8 @@
  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
-  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img alt="Codecov coverage" src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img alt="Linux Foundation insights health score" src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,7 +36,7 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" alt="Prowler Cloud demo" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
 </p>

 # Description
@@ -104,25 +104,23 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 600 | 84 | 44 | 18 | Official | UI, API, CLI |
+| AWS | 595 | 84 | 43 | 17 | Official | UI, API, CLI |
 | Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
 | GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
 | GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
-| M365 | 102 | 10 | 4 | 10 | Official | UI, API, CLI |
+| M365 | 101 | 10 | 4 | 10 | Official | UI, API, CLI |
 | OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 9 | 4 | 9 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 4 | 9 | Official | UI, API, CLI |
 | Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 39 | 5 | 2 | 5 | Official | UI, API, CLI |
+| Google Workspace | 25 | 4 | 2 | 4 | Official | UI, API, CLI |
 | OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
+| Vercel | 26 | 6 | 0 | 5 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
-| Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
-| StackIT [Contact us](https://prowler.com/contact) | 4 | 1 | 0 | 1 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -147,11 +145,11 @@ Prowler App offers flexible installation methods tailored to various environment

 ### Docker Compose

-#### Requirements
+**Requirements**

- `Docker Compose` installed: https://docs.docker.com/compose/install/.
+* `Docker Compose` installed: https://docs.docker.com/compose/install/.

-#### Commands
+**Commands**

 ``` console
 VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
@@ -176,14 +174,14 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 ### From GitHub

-#### Requirements
+**Requirements**

- `git` installed.
- `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
- `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
- `Docker Compose` installed: https://docs.docker.com/compose/install/.
+* `git` installed.
+* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+* `Docker Compose` installed: https://docs.docker.com/compose/install/.

-#### Commands to run the API
+**Commands to run the API**

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -200,7 +198,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

-#### Commands to run the API Worker
+**Commands to run the API Worker**

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -213,7 +211,7 @@ cd src/backend
 python -m celery -A config.celery worker -l info -E
 ```

-#### Commands to run the API Scheduler
+**Commands to run the API Scheduler**

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -226,7 +224,7 @@ cd src/backend
 python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
 ```

-#### Commands to run the UI
+**Commands to run the UI**

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -238,7 +236,7 @@ pnpm start

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

-#### Pre-commit Hooks Setup
+**Pre-commit Hooks Setup**

 Some pre-commit hooks require tools installed on your system:

@@ -258,14 +256,14 @@ prowler -v

 ### Containers

-#### Available Versions of Prowler CLI
+**Available Versions of Prowler CLI**

 The following versions of Prowler CLI are available, depending on your requirements:

 - `latest`: Synchronizes with the `master` branch. Note that this version is not stable.
 - `v4-latest`: Synchronizes with the `v4` branch. Note that this version is not stable.
 - `v3-latest`: Synchronizes with the `v3` branch. Note that this version is not stable.
- `<x.y.z>` (release): Stable releases corresponding to specific versions. See the [complete list of Prowler releases](https://github.com/prowler-cloud/prowler/releases).
+- `<x.y.z>` (release): Stable releases corresponding to specific versions. You can find the complete list of releases [here](https://github.com/prowler-cloud/prowler/releases).
 - `stable`: Always points to the latest release.
 - `v4-stable`: Always points to the latest release for v4.
 - `v3-stable`: Always points to the latest release for v3.
@@ -294,7 +292,7 @@ python prowler-cli.py -v

 # 🛡️ GitHub Action

-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
+The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.

 ```yaml
 name: Prowler IaC Scan
@@ -339,7 +337,7 @@ Full configuration, per-provider authentication, and SARIF examples: [Prowler Gi

 ## Prowler CLI

-### Running Prowler
+**Running Prowler**

 Prowler can be executed across various environments, offering flexibility to meet your needs. It can be run from:

@@ -22,7 +22,7 @@ inputs:
    required: false
    default: json-ocsf
  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli
+    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
    required: false
    default: "false"
  flags:
@@ -299,7 +299,7 @@ runs:
            echo ""
            echo "**Get started in 3 steps:**"
            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli))"
+            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
            echo ""
            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
@@ -10,7 +10,7 @@
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns

-## Auto-invoke Skills
+### Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -81,7 +81,7 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 ## DECISION TREES

 ### Serializer Selection
-```text
+```
 Read → <Model>Serializer
 Create → <Model>CreateSerializer
 Update → <Model>UpdateSerializer
@@ -89,7 +89,7 @@ Nested read → <Model>IncludeSerializer
 ```

 ### Task vs View
-```text
+```
 < 100ms → View
 > 100ms or external API → Celery task
 Needs retry → Celery task
@@ -105,7 +105,7 @@ Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | Pos

 ## PROJECT STRUCTURE

-```text
+```
 api/src/backend/
 ├── api/                    # Main Django app
 │   ├── v1/                # API version 1 (views, serializers, urls)
@@ -2,48 +2,29 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.30.0] (Prowler UNRELEASED)
-
-### 🔄 Changed
-
- Scan finding ingestion: bulk-resolve `Resource`/`ResourceTag` rows, replace per-mapping `SELECT FOR UPDATE` with deferred `ResourceTagMapping.bulk_create(ignore_conflicts=True)`, wrap each micro-batch in a single `rls_transaction`, and raise `SCAN_DB_BATCH_SIZE` to 1000 [(#11249)](https://github.com/prowler-cloud/prowler/pull/11249)
-
---
-
-## [1.29.1] (Prowler v5.28.1)
-
-### 🐞 Fixed
-
- `finding-groups` slow response with finding-level filters such as `region`; check title and description are now read from the daily summaries, which drops sorting by `check_title` [(#11326)](https://github.com/prowler-cloud/prowler/pull/11326)
-
---
-
-## [1.29.0] (Prowler v5.28.0)
-
-### 🚀 Added
-
- `okta` provider support [(#11184)](https://github.com/prowler-cloud/prowler/pull/11184)
- `resource.metadata` attribute included in `/api/v1/findings?include=resources` [(#11187)](https://github.com/prowler-cloud/prowler/pull/11187)
-
---
-
-## [1.28.0] (Prowler v5.27.0)
+## [1.28.0] (Prowler UNRELEASED)

 ### 🚀 Added

 - GIN index on `findings(categories, resource_services, resource_regions, resource_types)` to speed up `/api/v1/finding-groups` array filters [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- `GET /health/live` and `GET /health/ready` Kubernetes-style probe endpoints following the IETF Health Check Response Format (`application/health+json`). Readiness verifies PostgreSQL, Valkey and Neo4j connectivity and returns 503 with per-dependency detail when any is unreachable [(#11200)](https://github.com/prowler-cloud/prowler/pull/11200)

 ### 🔄 Changed

- Replace `poetry` with `uv` as package manager [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
+- Replace `poetry` with `uv` (`0.11.14`) as the API package manager; migrate `pyproject.toml` to `[dependency-groups]` and regenerate as `uv.lock` [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
 - Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
 - PDF compliance reports cap detail tables at 100 failed findings per check (configurable via `DJANGO_PDF_MAX_FINDINGS_PER_CHECK`) to bound worker memory on large scans [(#11160)](https://github.com/prowler-cloud/prowler/pull/11160)

 ### 🐞 Fixed

- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
- Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)
+- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` and, in one-shot scan-worker deployments, from burning a fresh container per redelivery [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
+
+---
+
+## [1.27.2] (Prowler UNRELEASED)
+
+### 🐞 Fixed
+
+- Attack Paths: BEDROCK-001 and BEDROCK-002 now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)

 ---

@@ -89,7 +89,7 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output

-COPY --chown=prowler:prowler pyproject.toml uv.lock ./
+COPY pyproject.toml uv.lock ./

 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14
@@ -97,13 +97,13 @@ RUN pip install --no-cache-dir --upgrade pip && \
 ENV PATH="/home/prowler/.local/bin:$PATH"

 # Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --locked --no-install-project && \
+RUN uv sync --no-install-project && \
    rm -rf ~/.cache/uv

 RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py

-COPY --chown=prowler:prowler src/backend/ ./backend/
-COPY --chown=prowler:prowler docker-entrypoint.sh ./docker-entrypoint.sh
+COPY src/backend/ ./backend/
+COPY docker-entrypoint.sh ./docker-entrypoint.sh

 WORKDIR /home/prowler/backend

@@ -2,7 +2,7 @@

 This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.

-## Components
+# Components
 The Prowler API is composed of the following components:

 - The JSON API, which is an API built with Django Rest Framework.
@@ -10,13 +10,13 @@ The Prowler API is composed of the following components:
 - The PostgreSQL database, which is used to store the data.
 - The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.

-### Note about Valkey
+## Note about Valkey

 [Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.

 Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.

-## Modify environment variables
+# Modify environment variables

 Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.

@@ -24,7 +24,7 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t

 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

-### Local deployment
+## Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:
@@ -34,12 +34,12 @@ set -a
 source .env
 ```

-## 🚀 Production deployment
-### Docker deployment
+# 🚀 Production deployment
+## Docker deployment

 This method requires `docker` and `docker compose`.

-#### Clone the repository
+### Clone the repository

 ```console
 # HTTPS
@@ -50,13 +50,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-#### Build the base image
+### Build the base image

 ```console
 docker compose --profile prod build
 ```

-#### Run the production service
+### Run the production service

 This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -68,7 +68,7 @@ You can access the server in `http://localhost:8080`.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-#### View the Production Server Logs
+### View the Production Server Logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -133,13 +133,13 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.

-## 🧪 Development guide
+# 🧪 Development guide

-### Local deployment
+## Local deployment

 To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.

-#### Clone the repository
+### Clone the repository

 ```console
 # HTTPS
@@ -150,7 +150,7 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-#### Start the PostgreSQL Database and Valkey
+### Start the PostgreSQL Database and Valkey

 The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.

@@ -161,7 +161,7 @@ The PostgreSQL database (version 16.3) and Valkey (version 7) are required for t
 docker compose up postgres valkey -d
 ```

-#### Install the Python dependencies
+### Install the Python dependencies

 > You must have uv installed

@@ -169,7 +169,7 @@ docker compose up postgres valkey -d
 uv sync
 ```

-#### Apply migrations
+### Apply migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -178,7 +178,7 @@ cd src/backend
 python manage.py migrate --database admin
 ```

-#### Run the Django development server
+### Run the Django development server

 ```console
 cd src/backend
@@ -188,7 +188,7 @@ python manage.py runserver
 You can access the server in `http://localhost:8000`.
 All changes in the code will be automatically reloaded in the server.

-#### Run the Celery worker
+### Run the Celery worker

 ```console
 python -m celery -A config.celery worker -l info -E
@@ -196,11 +196,11 @@ python -m celery -A config.celery worker -l info -E

 The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.

-### Docker deployment
+## Docker deployment

 This method requires `docker` and `docker compose`.

-#### Clone the repository
+### Clone the repository

 ```console
 # HTTPS
@@ -211,13 +211,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-#### Build the base image
+### Build the base image

 ```console
 docker compose --profile dev build
 ```

-#### Run the development service
+### Run the development service

 This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -230,7 +230,7 @@ All changes in the code will be automatically reloaded in the server.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-#### View the development server logs
+### View the development server logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -238,7 +238,7 @@ To view the logs for any component (e.g., Django, Celery worker), you can use th
 docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 ```

-### Applying migrations
+## Applying migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -247,7 +247,7 @@ cd src/backend
 uv run python manage.py migrate --database admin
 ```

-### Apply fixtures
+## Apply fixtures

 Fixtures are used to populate the database with initial development data.

@@ -258,7 +258,7 @@ uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`

-### Run tests
+## Run tests

 Note that the tests will fail if you use the same `.env` file as the development environment.

@@ -269,7 +269,7 @@ cd src/backend
 uv run pytest
 ```

-## Custom commands
+# Custom commands

 Django provides a way to create custom commands that can be run from the command line.

@@ -281,7 +281,7 @@ To run a custom command, you need to be in the `prowler/api/src/backend` directo
 uv run python manage.py <command_name>
 ```

-### Generate dummy data
+## Generate dummy data

 ```console
 python manage.py findings --tenant
@@ -298,7 +298,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 >
 > The last step is required to access the findings details, since the UI needs that to print all the information.

-#### Example
+### Example

 ```console
 ~/backend $ uv run python manage.py findings --tenant
@@ -68,7 +68,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.30.0"
+version = "1.28.0"

 [tool.uv]
 # Transitive pins matching master to avoid silent drift; bump deliberately.
@@ -1,254 +0,0 @@
-"""Liveness and readiness endpoints following the IETF Health Check Response
-Format (draft-inadarei-api-health-check-06).
-
-Liveness reports only process status. Readiness verifies that PostgreSQL,
-Valkey and Neo4j are reachable and returns per-dependency detail when any
-of them is unreachable.
-"""
-
-from __future__ import annotations
-
-import logging
-import threading
-import time
-from contextlib import suppress
-from datetime import datetime, timezone
-from typing import Any
-
-import redis
-from config.version import API_VERSION, RELEASE_ID
-from django.conf import settings
-from django.db import connections
-from drf_spectacular.utils import extend_schema
-from rest_framework import status
-from rest_framework.renderers import JSONRenderer
-from rest_framework.response import Response
-from rest_framework.throttling import ScopedRateThrottle
-from rest_framework.views import APIView
-
-logger = logging.getLogger(__name__)
-
-SERVICE_ID = "prowler-api"
-SERVICE_DESCRIPTION = "Prowler API"
-
-# Status vocabulary from the IETF draft (section 3.1).
-STATUS_PASS = "pass"
-STATUS_FAIL = "fail"
-STATUS_WARN = "warn"
-
-# Short socket timeout so a stuck Valkey cannot stall the probe.
-# Neo4j inherits its driver-level ``connection_acquisition_timeout``.
-VALKEY_PROBE_TIMEOUT_SECONDS = 2
-
-# Brief cache window so high-frequency probes (ALB target groups, scrapers)
-# do not stampede the actual dependency checks.
-CACHE_CONTROL_HEADER = "max-age=3, must-revalidate"
-
-# In-process readiness cache. Caps real dependency hits to roughly
-# (gunicorn workers / TTL) per second regardless of incoming RPS or the
-# source-IP distribution. Kept in sync with the Cache-Control max-age.
-# Access is guarded by a lock so concurrent readers do not race on the
-# read-decide-write cycle of the double-checked locking pattern below.
-READINESS_CACHE_TTL_SECONDS = 3.0
-_readiness_cache: tuple[float, dict[str, Any], int] | None = None
-_readiness_cache_lock = threading.Lock()
-
-
-class HealthJSONRenderer(JSONRenderer):
-    """Emits responses with the ``application/health+json`` content type."""
-
-    media_type = "application/health+json"
-    format = "health"
-
-
-def _now_iso() -> str:
-    return (
-        datetime.now(timezone.utc)
-        .isoformat(timespec="milliseconds")
-        .replace("+00:00", "Z")
-    )
-
-
-def _measure(name: str, check_fn) -> tuple[dict[str, Any], float]:
-    """Time ``check_fn`` and return ``(result, elapsed_ms)``.
-
-    ``check_fn`` returns ``None`` on success or raises on failure. The full
-    exception is logged for operator diagnostics under ``name``; the
-    response payload intentionally omits the error detail to avoid leaking
-    infrastructure information (DNS names, ports, credentials, certificate
-    chains) to anonymous clients.
-    """
-    started = time.perf_counter()
-    try:
-        check_fn()
-    except Exception:
-        elapsed_ms = (time.perf_counter() - started) * 1000
-        logger.warning("Health probe '%s' failed", name, exc_info=True)
-        return ({"status": STATUS_FAIL}, elapsed_ms)
-    elapsed_ms = (time.perf_counter() - started) * 1000
-    return ({"status": STATUS_PASS}, elapsed_ms)
-
-
-def _probe_postgres() -> None:
-    with connections["default"].cursor() as cursor:
-        cursor.execute("SELECT 1")
-        cursor.fetchone()
-
-
-def _probe_valkey() -> None:
-    client = redis.Redis.from_url(
-        settings.CELERY_BROKER_URL,
-        socket_connect_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-        socket_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-    )
-    try:
-        if not client.ping():
-            raise RuntimeError("PING did not return PONG")
-    finally:
-        # Best-effort cleanup: a failure releasing the socket (e.g. broken
-        # connection, half-closed by the server) must not mask the probe
-        # result. Narrowed to the exception types redis-py and the stdlib
-        # socket layer can raise on close.
-        with suppress(redis.RedisError, OSError):
-            client.close()
-
-
-def _probe_neo4j() -> None:
-    # Lazy import: avoids pulling attack_paths into the boot import graph.
-    from api.attack_paths.database import get_driver
-
-    get_driver().verify_connectivity()
-
-
-def _build_check_entry(
-    component_id: str,
-    component_type: str,
-    result: dict[str, Any],
-    elapsed_ms: float,
-) -> dict[str, Any]:
-    entry: dict[str, Any] = {
-        "componentId": component_id,
-        "componentType": component_type,
-        "observedValue": round(elapsed_ms, 2),
-        "observedUnit": "ms",
-        "status": result["status"],
-        "time": _now_iso(),
-    }
-    if "output" in result:
-        entry["output"] = result["output"]
-    return entry
-
-
-def _aggregate_status(check_entries: list[dict[str, Any]]) -> str:
-    statuses = {entry["status"] for entry in check_entries}
-    if STATUS_FAIL in statuses:
-        return STATUS_FAIL
-    if STATUS_WARN in statuses:
-        return STATUS_WARN
-    return STATUS_PASS
-
-
-def _base_payload(overall_status: str) -> dict[str, Any]:
-    return {
-        "status": overall_status,
-        "version": API_VERSION,
-        "releaseId": RELEASE_ID,
-        "serviceId": SERVICE_ID,
-        "description": SERVICE_DESCRIPTION,
-    }
-
-
-def _readiness_payload() -> tuple[dict[str, Any], int]:
-    global _readiness_cache
-
-    # Lock-free fast path: a stale snapshot still satisfies the freshness
-    # check correctly because we re-check after acquiring the lock below.
-    snapshot = _readiness_cache
-    if (
-        snapshot is not None
-        and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-    ):
-        return snapshot[1], snapshot[2]
-
-    with _readiness_cache_lock:
-        # Double-checked locking: another thread may have refreshed while
-        # we were waiting on the lock.
-        snapshot = _readiness_cache
-        if (
-            snapshot is not None
-            and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-        ):
-            return snapshot[1], snapshot[2]
-
-        postgres_result, postgres_ms = _measure("postgres", _probe_postgres)
-        valkey_result, valkey_ms = _measure("valkey", _probe_valkey)
-        neo4j_result, neo4j_ms = _measure("neo4j", _probe_neo4j)
-
-        entries = [
-            _build_check_entry("postgres", "datastore", postgres_result, postgres_ms),
-            _build_check_entry("valkey", "datastore", valkey_result, valkey_ms),
-            _build_check_entry("neo4j", "datastore", neo4j_result, neo4j_ms),
-        ]
-        overall = _aggregate_status(entries)
-
-        payload = _base_payload(overall)
-        payload["checks"] = {
-            "postgres:responseTime": [entries[0]],
-            "valkey:responseTime": [entries[1]],
-            "neo4j:responseTime": [entries[2]],
-        }
-
-        http_status = (
-            status.HTTP_503_SERVICE_UNAVAILABLE
-            if overall == STATUS_FAIL
-            else status.HTTP_200_OK
-        )
-        _readiness_cache = (time.monotonic(), payload, http_status)
-        return payload, http_status
-
-
-def _health_response(payload: dict[str, Any], http_status: int) -> Response:
-    response = Response(payload, status=http_status)
-    response["Cache-Control"] = CACHE_CONTROL_HEADER
-    return response
-
-
-@extend_schema(exclude=True)
-class LivenessView(APIView):
-    """Liveness probe. Always 200 when the process can serve requests.
-
-    Dependencies are intentionally not consulted: a failing liveness probe
-    triggers a container restart, which must not happen for transient
-    dependency outages. Throttled per-IP so the endpoint cannot be used as
-    a cheap availability oracle for the process.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-live"
-
-    def get(self, _request, *_args, **_kwargs):
-        return _health_response(_base_payload(STATUS_PASS), status.HTTP_200_OK)
-
-
-@extend_schema(exclude=True)
-class ReadinessView(APIView):
-    """Readiness probe.
-
-    Returns 200 when PostgreSQL, Valkey and Neo4j all respond, or 503 with
-    per-dependency detail when any of them is unreachable. Per-IP throttle
-    plus the short in-process result cache cap the real dependency hits
-    regardless of inbound traffic shape.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-ready"
-
-    def get(self, _request, *_args, **_kwargs):
-        payload, http_status = _readiness_payload()
-        return _health_response(payload, http_status)
@@ -1,41 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0092_findings_arrays_gin_index_parent"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                    ("vercel", "Vercel"),
-                    ("okta", "Okta"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'okta';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
@@ -296,7 +296,6 @@ class Provider(RowLevelSecurityProtectedModel):
        IMAGE = "image", _("Image")
        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
        VERCEL = "vercel", _("Vercel")
-        OKTA = "okta", _("Okta")

    @staticmethod
    def validate_aws_uid(value):
@@ -355,26 +354,6 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

-    @staticmethod
-    def validate_okta_uid(value):
-        if not re.match(
-            r"^[a-z0-9][a-z0-9-]*\.("
-            r"okta\.com|oktapreview\.com|okta-emea\.com|"
-            r"okta-gov\.com|okta\.mil|okta-miltest\.com|trex-govcloud\.com"
-            r")$",
-            value,
-        ):
-            raise ModelValidationError(
-                detail=(
-                    "Okta provider ID must be a valid Okta-managed org domain "
-                    "(e.g., acme.okta.com, also .oktapreview.com / .okta-emea.com "
-                    "/ .okta-gov.com / .okta.mil / .okta-miltest.com / "
-                    ".trex-govcloud.com), without scheme or path."
-                ),
-                code="okta-uid",
-                pointer="/data/attributes/uid",
-            )
-
    @staticmethod
    def validate_kubernetes_uid(value):
        if not re.match(
@@ -501,12 +480,6 @@ class Provider(RowLevelSecurityProtectedModel):

    def clean(self):
        super().clean()
-        if self.provider == self.ProviderChoices.OKTA and self.uid:
-            # Mirror the SDK, which lowercases the org domain before connecting.
-            # Without this the API would reject Acme.okta.com even though the
-            # SDK would accept it, and stored uids could disagree with the
-            # authenticated org domain.
-            self.uid = self.uid.strip().lower()
        getattr(self, f"validate_{self.provider}_uid")(self.uid)

    def save(self, *args, **kwargs):
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.30.0
+  version: 1.28.0
  description: |-
    Prowler API specification.

@@ -373,7 +373,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -390,7 +389,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -414,7 +412,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -433,7 +430,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -1457,7 +1453,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -1474,7 +1469,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -1497,7 +1491,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -1516,7 +1509,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -2005,7 +1997,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2022,7 +2013,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2045,7 +2035,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2064,7 +2053,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -2596,7 +2584,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2613,7 +2600,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2636,7 +2622,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2655,7 +2640,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3150,7 +3134,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3167,7 +3150,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3191,7 +3173,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3210,7 +3191,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3760,7 +3740,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3777,7 +3756,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3801,7 +3779,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3820,7 +3797,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4278,7 +4254,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4295,7 +4270,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4319,7 +4293,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4338,7 +4311,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4794,7 +4766,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4811,7 +4782,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4835,7 +4805,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4854,7 +4823,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -5298,7 +5266,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -5315,7 +5282,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -5339,7 +5305,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -5358,7 +5323,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7192,7 +7156,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7209,7 +7172,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7233,7 +7195,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7252,7 +7213,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7375,7 +7335,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7392,7 +7351,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7416,7 +7374,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7435,7 +7392,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7547,7 +7503,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7564,7 +7519,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7587,7 +7541,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7606,7 +7559,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7750,7 +7702,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7767,7 +7718,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7791,7 +7741,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7810,7 +7759,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7967,7 +7915,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7984,7 +7931,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8008,7 +7954,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8027,7 +7972,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8178,7 +8122,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8195,7 +8138,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8218,7 +8160,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8237,7 +8178,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -8430,7 +8370,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8447,7 +8386,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8471,7 +8409,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8490,7 +8427,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8612,7 +8548,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8629,7 +8564,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8653,7 +8587,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8672,7 +8605,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8818,7 +8750,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8835,7 +8766,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8859,7 +8789,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8878,7 +8807,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9665,7 +9593,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9682,7 +9609,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider__in]
        schema:
@@ -9706,7 +9632,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9725,7 +9650,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9749,7 +9673,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9766,7 +9689,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -9790,7 +9712,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9809,7 +9730,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -10480,7 +10400,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -10497,7 +10416,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -10521,7 +10439,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -10540,7 +10457,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11035,7 +10951,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11052,7 +10967,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11076,7 +10990,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11095,7 +11008,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11403,7 +11315,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11420,7 +11331,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11444,7 +11354,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11463,7 +11372,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11777,7 +11685,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11794,7 +11701,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11818,7 +11724,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11837,7 +11742,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -12676,7 +12580,6 @@ paths:
          - openstack
          - oraclecloud
          - vercel
-          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -12693,7 +12596,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -12717,7 +12619,6 @@ paths:
            - openstack
            - oraclecloud
            - vercel
-            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -12736,7 +12637,6 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
-          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -20215,23 +20115,6 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
-                  - type: object
-                    title: Okta OAuth Credentials
-                    properties:
-                      okta_client_id:
-                        type: string
-                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
-                      okta_private_key:
-                        type: string
-                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
-                      okta_scopes:
-                        type: array
-                        items:
-                          type: string
-                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
-                    required:
-                      - okta_client_id
-                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -21244,7 +21127,6 @@ components:
              - image
              - googleworkspace
              - vercel
-              - okta
              type: string
              description: |-
                * `aws` - AWS
@@ -21262,7 +21144,6 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
-                * `okta` - Okta
              x-spec-enum-id: 91f917e0c3ab97e8
            uid:
              type: string
@@ -21384,7 +21265,6 @@ components:
              - image
              - googleworkspace
              - vercel
-              - okta
              type: string
              x-spec-enum-id: 91f917e0c3ab97e8
              description: |-
@@ -21405,7 +21285,6 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
-                * `okta` - Okta
            uid:
              type: string
              title: Unique identifier for the provider, set by the provider
@@ -21458,7 +21337,6 @@ components:
                  - image
                  - googleworkspace
                  - vercel
-                  - okta
                  type: string
                  x-spec-enum-id: 91f917e0c3ab97e8
                  description: |-
@@ -21479,7 +21357,6 @@ components:
                    * `image` - Image
                    * `googleworkspace` - Google Workspace
                    * `vercel` - Vercel
-                    * `okta` - Okta
                uid:
                  type: string
                  minLength: 3
@@ -22329,23 +22206,6 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
-              - type: object
-                title: Okta OAuth Credentials
-                properties:
-                  okta_client_id:
-                    type: string
-                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
-                  okta_private_key:
-                    type: string
-                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
-                  okta_scopes:
-                    type: array
-                    items:
-                      type: string
-                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
-                required:
-                  - okta_client_id
-                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -22771,23 +22631,6 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
-                  - type: object
-                    title: Okta OAuth Credentials
-                    properties:
-                      okta_client_id:
-                        type: string
-                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
-                      okta_private_key:
-                        type: string
-                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
-                      okta_scopes:
-                        type: array
-                        items:
-                          type: string
-                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
-                    required:
-                      - okta_client_id
-                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -23223,23 +23066,6 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
-              - type: object
-                title: Okta OAuth Credentials
-                properties:
-                  okta_client_id:
-                    type: string
-                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
-                  okta_private_key:
-                    type: string
-                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
-                  okta_scopes:
-                    type: array
-                    items:
-                      type: string
-                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
-                required:
-                  - okta_client_id
-                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -1,445 +0,0 @@
-"""Tests for the health endpoints.
-
-Cover the IETF response envelope, status code mapping (200 / 503), the
-``application/health+json`` media type and per-probe failure modes.
-"""
-
-from unittest.mock import patch
-
-import pytest
-from config import version as config_version
-from django.core.cache import cache
-from django.urls import reverse
-from rest_framework import status
-from rest_framework.test import APIClient
-
-from api import health
-
-
-HEALTH_MEDIA_TYPE = "application/health+json"
-
-
-@pytest.fixture(autouse=True)
-def _reset_health_state():
-    """Per-test isolation: clear throttle counters and the readiness cache.
-
-    DRF's ScopedRateThrottle persists state in Django's cache; without
-    clearing it the throttle budget would be shared across tests and trip
-    midway through the suite.
-    """
-    cache.clear()
-    health._readiness_cache = None
-    yield
-    cache.clear()
-    health._readiness_cache = None
-
-
-@pytest.fixture
-def api_client():
-    return APIClient()
-
-
-def _assert_health_envelope(body):
-    """Every health response must carry the RFC top-level descriptors."""
-    assert body["version"] == config_version.API_VERSION
-    assert body["releaseId"] == config_version.RELEASE_ID
-    assert body["serviceId"] == health.SERVICE_ID
-    assert body["description"] == health.SERVICE_DESCRIPTION
-
-
-class TestLivenessEndpoint:
-    def test_returns_200_with_pass_status(self, api_client):
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-        body = response.json()
-        assert body["status"] == "pass"
-        _assert_health_envelope(body)
-
-    def test_does_not_require_authentication(self, api_client):
-        api_client.credentials()
-
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-    def test_does_not_run_dependency_checks(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as mock_pg,
-            patch("api.health._probe_valkey") as mock_vk,
-            patch("api.health._probe_neo4j") as mock_neo,
-        ):
-            response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        mock_pg.assert_not_called()
-        mock_vk.assert_not_called()
-        mock_neo.assert_not_called()
-
-
-class TestReadinessEndpoint:
-    @staticmethod
-    def _patch_probes():
-        return (
-            patch("api.health._probe_postgres", return_value=None),
-            patch("api.health._probe_valkey", return_value=None),
-            patch("api.health._probe_neo4j", return_value=None),
-        )
-
-    def test_returns_200_and_pass_when_all_dependencies_healthy(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-
-        body = response.json()
-        _assert_health_envelope(body)
-        assert body["status"] == "pass"
-
-        # Per RFC, `checks` values are arrays of one or more measurement
-        # objects. We use a single measurement per dependency.
-        assert set(body["checks"].keys()) == {
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        }
-        for key in body["checks"]:
-            entries = body["checks"][key]
-            assert isinstance(entries, list) and len(entries) == 1
-            entry = entries[0]
-            assert entry["status"] == "pass"
-            assert entry["componentType"] == "datastore"
-            assert entry["observedUnit"] == "ms"
-            assert isinstance(entry["observedValue"], (int, float))
-            assert entry["observedValue"] >= 0
-            assert "time" in entry
-            # `output` must not leak when the check passed.
-            assert "output" not in entry
-
-    def test_returns_503_and_fail_when_postgres_is_down(self, api_client):
-        with (
-            patch(
-                "api.health._probe_postgres",
-                side_effect=RuntimeError("connection refused"),
-            ),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        pg_entry = body["checks"]["postgres:responseTime"][0]
-        assert pg_entry["status"] == "fail"
-        # Exception detail is never echoed in the response, only logged.
-        assert "output" not in pg_entry
-        assert body["checks"]["valkey:responseTime"][0]["status"] == "pass"
-        assert body["checks"]["neo4j:responseTime"][0]["status"] == "pass"
-
-    def test_returns_503_and_fail_when_valkey_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey", side_effect=ConnectionError("timeout")),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        vk_entry = body["checks"]["valkey:responseTime"][0]
-        assert vk_entry["status"] == "fail"
-        assert "output" not in vk_entry
-
-    def test_returns_503_and_fail_when_neo4j_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch(
-                "api.health._probe_neo4j",
-                side_effect=RuntimeError("ServiceUnavailable"),
-            ),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        neo_entry = body["checks"]["neo4j:responseTime"][0]
-        assert neo_entry["status"] == "fail"
-        assert "output" not in neo_entry
-
-    def test_reports_all_failures_simultaneously(self, api_client):
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("pg down")),
-            patch("api.health._probe_valkey", side_effect=RuntimeError("vk down")),
-            patch("api.health._probe_neo4j", side_effect=RuntimeError("neo down")),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        for key in (
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        ):
-            entry = body["checks"][key][0]
-            assert entry["status"] == "fail"
-            # No dependency-specific error string leaks into the payload.
-            assert "output" not in entry
-
-    def test_does_not_leak_exception_detail_on_failure(self, api_client):
-        # Sanity check: an exception message resembling infra detail
-        # (host, port, credentials) must not surface in the response under
-        # any field.
-        sensitive = (
-            "connection to server at "
-            '"postgres-rw.prod.svc.cluster.local" (10.0.0.5), port 5432 '
-            'failed: FATAL: password authentication failed for user "prowler_user"'
-        )
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError(sensitive)),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        body = response.json()
-        assert "output" not in body["checks"]["postgres:responseTime"][0]
-        payload_text = response.content.decode()
-        for token in (
-            "postgres-rw",
-            "10.0.0.5",
-            "5432",
-            "prowler_user",
-            "password authentication failed",
-        ):
-            assert token not in payload_text
-
-    def test_does_not_require_authentication(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.credentials()
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-
-class TestReadinessCache:
-    """In-process cache caps the rate at which real probes hit the deps."""
-
-    def test_result_is_cached_for_ttl_seconds(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey") as vk,
-            patch("api.health._probe_neo4j") as neo,
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_200_OK
-        assert r2.status_code == status.HTTP_200_OK
-        # Second request must not trigger fresh dep checks within the TTL.
-        assert pg.call_count == 1
-        assert vk.call_count == 1
-        assert neo.call_count == 1
-        # The cached payload is returned verbatim (same timestamps too).
-        assert r1.json() == r2.json()
-
-    def test_re_probes_after_cache_ttl_expires(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.get(reverse("health-ready"))
-            assert pg.call_count == 1
-
-            # Rewind the cached timestamp past the TTL so the next request
-            # is forced to recompute.
-            cached_ts, payload, http_status_code = health._readiness_cache
-            health._readiness_cache = (
-                cached_ts - health.READINESS_CACHE_TTL_SECONDS - 0.1,
-                payload,
-                http_status_code,
-            )
-            api_client.get(reverse("health-ready"))
-
-        assert pg.call_count == 2
-
-    def test_cache_persists_a_failing_result(self, api_client):
-        # A failing readiness result is cached too; this is intentional so
-        # an attacker spamming the endpoint during an outage cannot amplify
-        # the dependency load.
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("down")) as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert r2.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert pg.call_count == 1
-
-
-class TestRateLimiting:
-    """The endpoints are unauthenticated and exposed; per-IP throttle caps
-    naive single-source floods."""
-
-    def test_live_blocks_after_budget_exhausted(self, api_client):
-        # Shrink the budget to 3 req per window so the test stays fast and
-        # deterministic. parse_rate runs once per throttle instance and
-        # each request gets a fresh instance, so this patch propagates.
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with patch.object(ScopedRateThrottle, "parse_rate", return_value=(3, 60)):
-            statuses = [
-                api_client.get(reverse("health-live")).status_code for _ in range(4)
-            ]
-
-        assert statuses[:3] == [status.HTTP_200_OK] * 3
-        assert statuses[3] == status.HTTP_429_TOO_MANY_REQUESTS
-
-    def test_ready_blocks_after_budget_exhausted(self, api_client):
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-            patch.object(ScopedRateThrottle, "parse_rate", return_value=(2, 60)),
-        ):
-            statuses = [
-                api_client.get(reverse("health-ready")).status_code for _ in range(3)
-            ]
-
-        assert statuses[:2] == [status.HTTP_200_OK] * 2
-        assert statuses[2] == status.HTTP_429_TOO_MANY_REQUESTS
-
-
-class TestProbeImplementations:
-    """Smoke tests for each probe primitive."""
-
-    @pytest.mark.django_db
-    def test_postgres_probe_succeeds_against_real_db(self):
-        assert health._probe_postgres() is None
-
-    def test_postgres_probe_propagates_db_errors(self):
-        class _BoomCursor:
-            def __enter__(self):
-                return self
-
-            def __exit__(self, *_):
-                return False
-
-            def execute(self, *_args, **_kwargs):
-                raise RuntimeError("boom")
-
-            def fetchone(self):  # pragma: no cover - never reached
-                return None
-
-        with patch("api.health.connections") as mock_connections:
-            mock_connections.__getitem__.return_value.cursor.return_value = (
-                _BoomCursor()
-            )
-            with pytest.raises(RuntimeError, match="boom"):
-                health._probe_postgres()
-
-    def test_valkey_probe_succeeds_when_ping_returns_true(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = True
-            assert health._probe_valkey() is None
-
-    def test_valkey_probe_raises_when_ping_returns_false(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = False
-            with pytest.raises(RuntimeError, match="PING"):
-                health._probe_valkey()
-
-    def test_valkey_probe_propagates_connection_errors(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.side_effect = ConnectionError("nope")
-            with pytest.raises(ConnectionError, match="nope"):
-                health._probe_valkey()
-
-    def test_valkey_probe_suppresses_redis_error_on_close(self):
-        # A redis-py-level failure releasing the socket must not mask a
-        # successful PING (best-effort cleanup contract).
-        import redis as redis_pkg
-
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = redis_pkg.RedisError("connection reset")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_suppresses_oserror_on_close(self):
-        # Socket-layer failures (OSError family) on close are also part of
-        # the swallowed scope.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = OSError("EBADF")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_lets_unexpected_close_errors_propagate(self):
-        # The suppress() is deliberately narrow: anything outside
-        # (redis.RedisError, OSError) must surface so it is not silently
-        # hidden.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = RuntimeError("bug")
-
-            with pytest.raises(RuntimeError, match="bug"):
-                health._probe_valkey()
-
-    def test_neo4j_probe_calls_verify_connectivity(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.return_value = None
-            assert health._probe_neo4j() is None
-            mock_get_driver.return_value.verify_connectivity.assert_called_once_with()
-
-    def test_neo4j_probe_propagates_driver_errors(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.side_effect = RuntimeError(
-                "unreachable"
-            )
-            with pytest.raises(RuntimeError, match="unreachable"):
-                health._probe_neo4j()
-
-
-class TestStatusAggregation:
-    def test_pass_when_all_checks_pass(self):
-        entries = [{"status": "pass"}, {"status": "pass"}]
-        assert health._aggregate_status(entries) == "pass"
-
-    def test_warn_when_any_check_warns_and_none_fail(self):
-        entries = [{"status": "pass"}, {"status": "warn"}]
-        assert health._aggregate_status(entries) == "warn"
-
-    def test_fail_when_any_check_fails(self):
-        entries = [{"status": "pass"}, {"status": "warn"}, {"status": "fail"}]
-        assert health._aggregate_status(entries) == "fail"
@@ -31,7 +31,6 @@ from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
-from prowler.providers.okta.okta_provider import OktaProvider
 from prowler.providers.openstack.openstack_provider import OpenstackProvider
 from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
 from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -131,7 +130,6 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
            (Provider.ProviderChoices.IMAGE.value, ImageProvider),
            (Provider.ProviderChoices.VERCEL.value, VercelProvider),
-            (Provider.ProviderChoices.OKTA.value, OktaProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -240,31 +238,6 @@ class TestProwlerProviderConnectionTest:
            raise_on_exception=False,
        )

-    @patch("api.utils.return_prowler_provider")
-    def test_prowler_provider_connection_test_okta_provider(
-        self, mock_return_prowler_provider
-    ):
-        """Test connection test for Okta provider passes org domain and provider_id."""
-        provider = MagicMock()
-        provider.uid = "acme.okta.com"
-        provider.provider = Provider.ProviderChoices.OKTA.value
-        provider.secret.secret = {
-            "okta_client_id": "0oa123456789abcdef",
-            "okta_private_key": "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
-            "okta_scopes": ["okta.policies.read"],
-        }
-        mock_return_prowler_provider.return_value = MagicMock()
-
-        prowler_provider_connection_test(provider)
-        mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
-            okta_client_id="0oa123456789abcdef",
-            okta_private_key="-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
-            okta_scopes=["okta.policies.read"],
-            okta_org_domain="acme.okta.com",
-            provider_id="acme.okta.com",
-            raise_on_exception=False,
-        )
-
    @patch("api.utils.return_prowler_provider")
    def test_prowler_provider_connection_test_image_provider_no_creds(
        self, mock_return_prowler_provider
@@ -335,10 +308,6 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.VERCEL.value,
                {"team_id": "provider_uid"},
            ),
-            (
-                Provider.ProviderChoices.OKTA.value,
-                {"okta_org_domain": "provider_uid"},
-            ),
        ],
    )
    def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -1,40 +0,0 @@
-"""Drift checks for the API version constants.
-
-Guarantee that ``config.version`` always reflects the canonical
-``[project].version`` declared in ``api/pyproject.toml``.
-"""
-
-import tomllib
-from pathlib import Path
-
-import pytest
-from config import version as config_version
-
-
-@pytest.fixture(scope="module")
-def pyproject_data():
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        if data.get("project", {}).get("name") == "prowler-api":
-            return data
-    raise AssertionError("api/pyproject.toml not reachable from the test runner")
-
-
-def test_release_id_matches_pyproject(pyproject_data):
-    assert config_version.RELEASE_ID == pyproject_data["project"]["version"]
-
-
-def test_api_version_is_major_of_release_id():
-    assert config_version.API_VERSION == config_version.RELEASE_ID.split(".", 1)[0]
-    assert config_version.API_VERSION.isdigit()
-
-
-def test_api_version_matches_v1_url_prefix():
-    # The public contract version surfaced in the health payload must match
-    # the URL namespace the API is published under.
-    assert config_version.API_VERSION == "1"
@@ -1625,21 +1625,6 @@ class TestProviderViewSet:
                    "uid": "C12",
                    "alias": "Google Workspace Minimum Length",
                },
-                {
-                    "provider": "okta",
-                    "uid": "acme.okta.com",
-                    "alias": "Okta Org",
-                },
-                {
-                    "provider": "okta",
-                    "uid": "agency.okta-gov.com",
-                    "alias": "Okta Gov Org",
-                },
-                {
-                    "provider": "okta",
-                    "uid": "agency.okta.mil",
-                    "alias": "Okta Mil Org",
-                },
            ]
        ),
    )
@@ -2158,24 +2143,6 @@ class TestProviderViewSet:
                    "googleworkspace-uid",
                    "uid",
                ),
-                (
-                    {
-                        "provider": "okta",
-                        "uid": "https://acme.okta.com",
-                        "alias": "test",
-                    },
-                    "okta-uid",
-                    "uid",
-                ),
-                (
-                    {
-                        "provider": "okta",
-                        "uid": "acme.example.com",
-                        "alias": "test",
-                    },
-                    "okta-uid",
-                    "uid",
-                ),
            ]
        ),
    )
@@ -2196,25 +2163,6 @@ class TestProviderViewSet:
            == f"/data/attributes/{error_pointer}"
        )

-    @pytest.mark.parametrize(
-        "input_uid,stored_uid",
-        [
-            ("Acme.okta.com", "acme.okta.com"),
-            ("  ACME.OKTA.COM  ", "acme.okta.com"),
-            ("Agency.Okta-Gov.com", "agency.okta-gov.com"),
-        ],
-    )
-    def test_providers_create_okta_uid_normalized(
-        self, authenticated_client, input_uid, stored_uid
-    ):
-        response = authenticated_client.post(
-            reverse("provider-list"),
-            data={"provider": "okta", "uid": input_uid, "alias": "Okta"},
-            format="json",
-        )
-        assert response.status_code == status.HTTP_201_CREATED
-        assert Provider.objects.get().uid == stored_uid
-
    def test_providers_partial_update(self, authenticated_client, providers_fixture):
        provider1, *_ = providers_fixture
        new_alias = "This is the new name"
@@ -2372,17 +2320,17 @@ class TestProviderViewSet:
                ),
                ("alias", "aws_testing_1", 1),
                ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 14),
+                ("inserted_at", TODAY, 13),
                (
                    "inserted_at.gte",
                    "2024-01-01",
-                    14,
+                    13,
                ),
                ("inserted_at.lte", "2024-01-01", 0),
                (
                    "updated_at.gte",
                    "2024-01-01",
-                    14,
+                    13,
                ),
                ("updated_at.lte", "2024-01-01", 0),
            ]
@@ -3015,19 +2963,6 @@ class TestProviderSecretViewSet:
                    "api_token": "fake-vercel-api-token-for-testing",
                },
            ),
-            # Okta with inline private key credentials
-            (
-                Provider.ProviderChoices.OKTA.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "okta_client_id": "0oa123456789abcdef",
-                    "okta_private_key": "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
-                    "okta_scopes": [
-                        "okta.policies.read",
-                        "okta.groups.read",
-                    ],
-                },
-            ),
        ],
    )
    def test_provider_secrets_create_valid(
@@ -3140,46 +3075,6 @@ class TestProviderSecretViewSet:
            == f"/data/attributes/{error_pointer}"
        )

-    def test_provider_secrets_invalid_create_okta_missing_private_key(
-        self,
-        providers_fixture,
-        authenticated_client,
-    ):
-        okta_provider = next(
-            provider
-            for provider in providers_fixture
-            if provider.provider == Provider.ProviderChoices.OKTA.value
-        )
-        data = {
-            "data": {
-                "type": "provider-secrets",
-                "attributes": {
-                    "name": "Okta Secret",
-                    "secret_type": ProviderSecret.TypeChoices.STATIC,
-                    "secret": {
-                        "okta_client_id": "0oa123456789abcdef",
-                    },
-                },
-                "relationships": {
-                    "provider": {
-                        "data": {"type": "providers", "id": str(okta_provider.id)}
-                    }
-                },
-            }
-        }
-
-        response = authenticated_client.post(
-            reverse("providersecret-list"),
-            data=json.dumps(data),
-            content_type="application/vnd.api+json",
-        )
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        assert response.json()["errors"][0]["code"] == "required"
-        assert response.json()["errors"][0]["source"]["pointer"] == (
-            "/data/attributes/secret/okta_private_key"
-        )
-
    def test_provider_secrets_partial_update(
        self, authenticated_client, provider_secret_fixture
    ):
@@ -7158,32 +7053,6 @@ class TestFindingViewSet:
            "id"
        ] == str(finding_1.resources.first().id)

-    def test_findings_retrieve_include_resource_metadata(
-        self, authenticated_client, findings_fixture
-    ):
-        finding_1, *_ = findings_fixture
-        resource = finding_1.resources.first()
-        resource.metadata = '{"VulnerabilityID": "CVE-2026-0001"}'
-        resource.details = "Python 3.12 base image"
-        resource.save()
-
-        response = authenticated_client.get(
-            reverse("finding-detail", kwargs={"pk": finding_1.id}),
-            {"include": "resources"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-
-        included_resource = next(
-            item
-            for item in response.json()["included"]
-            if item["type"] == "resources" and item["id"] == str(resource.id)
-        )
-        assert (
-            included_resource["attributes"]["metadata"]
-            == '{"VulnerabilityID": "CVE-2026-0001"}'
-        )
-        assert included_resource["attributes"]["details"] == "Python 3.12 base image"
-
    def test_findings_invalid_retrieve(self, authenticated_client):
        response = authenticated_client.get(
            reverse("finding-detail", kwargs={"pk": "random_id"}),
@@ -15921,12 +15790,6 @@ class TestFindingGroupViewSet:
        assert attrs["fail_count"] == 0
        assert attrs["resources_total"] == 1
        assert attrs["resources_fail"] == 0
-        # check_title / check_description are resolved post-pagination from the
-        # summary table, not from the finding's check_metadata.
-        assert attrs["check_title"] == "Ensure EC2 instances do not have public IPs"
-        assert (
-            attrs["check_description"] == "EC2 instances should use private IPs only."
-        )

    def test_finding_groups_status_pass_when_no_fail(
        self, authenticated_client, finding_groups_fixture
@@ -17168,12 +17031,6 @@ class TestFindingGroupViewSet:
        assert attrs["fail_count"] == 0
        assert attrs["resources_total"] == 1
        assert attrs["resources_fail"] == 0
-        # check_title / check_description are resolved post-pagination from the
-        # summary table, not from the finding's check_metadata.
-        assert attrs["check_title"] == "Ensure EC2 instances do not have public IPs"
-        assert (
-            attrs["check_description"] == "EC2 instances should use private IPs only."
-        )

    def test_finding_groups_latest_status_in_filter(
        self, authenticated_client, finding_groups_fixture
@@ -17431,20 +17288,18 @@ class TestFindingGroupViewSet:
        check_ids = [item["id"] for item in data]
        assert check_ids == sorted(check_ids)

-    def test_finding_groups_latest_sort_by_check_title_not_supported(
+    def test_finding_groups_latest_sort_by_check_title(
        self, authenticated_client, finding_groups_fixture
    ):
-        """check_title is not a sortable field for finding groups.
-
-        Titles live in the TOASTed check_metadata blob and are resolved after
-        pagination from the summary table, so they cannot drive DB-level
-        ordering. Requesting that sort is rejected.
-        """
+        """Test /latest supports sorting by check_title."""
        response = authenticated_client.get(
            reverse("finding-group-latest"),
            {"sort": "check_title"},
        )
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]
+        check_titles = [item["attributes"]["check_title"] for item in data]
+        assert check_titles == sorted(check_titles)

    @pytest.mark.parametrize(
        "endpoint_name", ["finding-group-list", "finding-group-latest"]
@@ -37,7 +37,6 @@ if TYPE_CHECKING:
    from prowler.providers.mongodbatlas.mongodbatlas_provider import (
        MongodbatlasProvider,
    )
-    from prowler.providers.okta.okta_provider import OktaProvider
    from prowler.providers.openstack.openstack_provider import OpenstackProvider
    from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
    from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -94,7 +93,6 @@ def return_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
-    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -183,10 +181,6 @@ def return_prowler_provider(
            from prowler.providers.vercel.vercel_provider import VercelProvider

            prowler_provider = VercelProvider
-        case Provider.ProviderChoices.OKTA.value:
-            from prowler.providers.okta.okta_provider import OktaProvider
-
-            prowler_provider = OktaProvider
        case _:
            raise ValueError(f"Provider type {provider.provider} not supported")
    return prowler_provider
@@ -252,11 +246,6 @@ def get_prowler_provider_kwargs(
            **prowler_provider_kwargs,
            "team_id": provider.uid,
        }
-    elif provider.provider == Provider.ProviderChoices.OKTA.value:
-        prowler_provider_kwargs = {
-            **prowler_provider_kwargs,
-            "okta_org_domain": provider.uid,
-        }
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
        # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
@@ -301,7 +290,6 @@ def initialize_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
-    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -363,14 +351,6 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
            "raise_on_exception": False,
        }
        return prowler_provider.test_connection(**vercel_kwargs)
-    elif provider.provider == Provider.ProviderChoices.OKTA.value:
-        okta_kwargs = {
-            **prowler_provider_kwargs,
-            "okta_org_domain": provider.uid,
-            "provider_id": provider.uid,
-            "raise_on_exception": False,
-        }
-        return prowler_provider.test_connection(**okta_kwargs)
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        image_kwargs = {
            "image": provider.uid,
@@ -404,26 +404,6 @@ from rest_framework_json_api import serializers
                },
                "required": ["clouds_yaml_content", "clouds_yaml_cloud"],
            },
-            {
-                "type": "object",
-                "title": "Okta OAuth Credentials",
-                "properties": {
-                    "okta_client_id": {
-                        "type": "string",
-                        "description": "Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.",
-                    },
-                    "okta_private_key": {
-                        "type": "string",
-                        "description": "PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.",
-                    },
-                    "okta_scopes": {
-                        "type": "array",
-                        "items": {"type": "string"},
-                        "description": "OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.",
-                    },
-                },
-                "required": ["okta_client_id", "okta_private_key"],
-            },
            {
                "type": "object",
                "title": "Vercel API Token",
@@ -1397,7 +1397,6 @@ class ResourceIncludeSerializer(RLSSerializer):
            "service",
            "type_",
            "tags",
-            "metadata",
            "details",
            "partition",
        ]
@@ -1405,7 +1404,6 @@ class ResourceIncludeSerializer(RLSSerializer):
            "id": {"read_only": True},
            "inserted_at": {"read_only": True},
            "updated_at": {"read_only": True},
-            "metadata": {"read_only": True},
            "details": {"read_only": True},
            "partition": {"read_only": True},
        }
@@ -1545,8 +1543,6 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = GCPProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GOOGLEWORKSPACE.value:
                serializer = GoogleWorkspaceProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.OKTA.value:
-                serializer = OktaProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GITHUB.value:
                serializer = GithubProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.IAC.value:
@@ -1692,15 +1688,6 @@ class GoogleWorkspaceProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


-class OktaProviderSecret(serializers.Serializer):
-    okta_client_id = serializers.CharField()
-    okta_private_key = serializers.CharField()
-    okta_scopes = serializers.ListField(child=serializers.CharField(), required=False)
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class MongoDBAtlasProviderSecret(serializers.Serializer):
    atlas_public_key = serializers.CharField()
    atlas_private_key = serializers.CharField()
@@ -21,7 +21,6 @@ from celery import chain, states
 from celery.result import AsyncResult
 from config.custom_logging import BackendLogger
 from config.env import env
-from config.version import RELEASE_ID
 from config.settings.social_login import (
    GITHUB_OAUTH_CALLBACK_URL,
    GOOGLE_OAUTH_CALLBACK_URL,
@@ -425,7 +424,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = RELEASE_ID
+        spectacular_settings.VERSION = "1.28.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -7369,15 +7368,6 @@ class FindingGroupViewSet(BaseRLSViewSet):
            output_field=IntegerField(),
        )

-        # `check_title` / `check_description` are intentionally NOT resolved
-        # here. They live in the large JSONB `check_metadata` blob (TOASTed),
-        # so reading them per finding row is very expensive, and pulling them
-        # in via a correlated subquery makes Django add the subquery to GROUP
-        # BY, which re-evaluates it once per input row. They are identical for
-        # every finding of a `check_id`, so `_post_process_aggregation` fills
-        # them from the summary table's plain columns in a single batched
-        # lookup scoped to the paginated page.
-
        # `pass_count`, `fail_count` and `manual_count` only count non-muted
        # findings. Muted findings are tracked separately via the
        # `*_muted_count` fields.
@@ -7448,6 +7438,15 @@ class FindingGroupViewSet(BaseRLSViewSet):
                agg_failing_since=Min(
                    "first_seen_at", filter=Q(status="FAIL", muted=False)
                ),
+                check_title=Coalesce(
+                    Max(KeyTextTransform("checktitle", "check_metadata")),
+                    Max(KeyTextTransform("CheckTitle", "check_metadata")),
+                    Max(KeyTextTransform("Checktitle", "check_metadata")),
+                ),
+                check_description=Coalesce(
+                    Max(KeyTextTransform("description", "check_metadata")),
+                    Max(KeyTextTransform("Description", "check_metadata")),
+                ),
            )
            .annotate(
                # Group is muted only if it has zero non-muted findings.
@@ -7484,17 +7483,14 @@ class FindingGroupViewSet(BaseRLSViewSet):

    def _get_latest_findings_per_provider(self, filtered_queryset):
        """Keep only findings from each provider's most recent completed scan."""
-        # Materialize to a literal IN list. Left as a subquery, Postgres can't
-        # estimate the match count and picks a serial nested loop on
-        # resource_finding_mappings when one scan dominates findings
-        latest_scan_ids = list(
+        latest_scan_ids = (
            Scan.objects.filter(
                tenant_id=self.request.tenant_id,
                state=StateChoices.COMPLETED,
            )
            .order_by("provider_id", "-completed_at", "-inserted_at")
            .distinct("provider_id")
-            .values_list("id", flat=True)
+            .values("id")
        )
        return filtered_queryset.filter(scan_id__in=latest_scan_ids)

@@ -7506,38 +7502,9 @@ class FindingGroupViewSet(BaseRLSViewSet):
        - Computes aggregated status (FAIL > PASS > MANUAL); the orthogonal
          ``muted`` boolean is already on the row from the SQL aggregation
        - Converts provider string to list
-        - Fills check_title / check_description for the findings path
        """
-        rows = list(aggregated_data)
-
-        # The findings-aggregation path omits check_title / check_description
-        # (they sit in TOASTed JSONB; see _aggregate_findings). Fill them from
-        # the summary table's plain columns in one query scoped to this page.
-        # The summary-aggregation path already carries them, so skip it there.
-        if rows and "check_title" not in rows[0]:
-            check_ids = [row["check_id"] for row in rows]
-            role = get_role(self.request.user, self.request.tenant_id)
-            summaries = FindingGroupDailySummary.objects.filter(
-                tenant_id=self.request.tenant_id,
-                check_id__in=check_ids,
-            )
-            # Scope to the user's providers, mirroring get_queryset(), so titles
-            # are read only from providers the user can see.
-            if not role.unlimited_visibility:
-                summaries = summaries.filter(provider__in=get_providers(role))
-            metadata_by_check = {
-                item["check_id"]: item
-                for item in summaries.order_by("check_id", "-inserted_at")
-                .distinct("check_id")
-                .values("check_id", "check_title", "check_description")
-            }
-            for row in rows:
-                metadata = metadata_by_check.get(row["check_id"], {})
-                row["check_title"] = metadata.get("check_title")
-                row["check_description"] = metadata.get("check_description")
-
        results = []
-        for row in rows:
+        for row in aggregated_data:
            # Convert severity order back to string
            severity_order = row.get("severity_order", 1)
            row["severity"] = SEVERITY_ORDER_REVERSE.get(
@@ -7583,6 +7550,7 @@ class FindingGroupViewSet(BaseRLSViewSet):

    _FINDING_GROUP_SORT_MAP = {
        "check_id": "check_id",
+        "check_title": "check_title",
        "severity": "severity_order",
        "status": "status_order",
        "muted": "muted",
@@ -118,8 +118,6 @@ REST_FRAMEWORK = {
        "attack-paths-custom-query": env(
            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
        ),
-        "health-live": env("DJANGO_THROTTLE_HEALTH_LIVE", default="120/min"),
-        "health-ready": env("DJANGO_THROTTLE_HEALTH_READY", default="60/min"),
    },
 }

@@ -1,9 +1,5 @@
 from django.urls import include, path

-from api.health import LivenessView, ReadinessView
-
 urlpatterns = [
    path("api/v1/", include("api.v1.urls")),
-    path("health/live", LivenessView.as_view(), name="health-live"),
-    path("health/ready", ReadinessView.as_view(), name="health-ready"),
 ]
@@ -1,41 +0,0 @@
-"""Single source of truth for the API version.
-
-The semantic version is read once from ``api/pyproject.toml`` at module
-import; consumers (health payload, OpenAPI schema) read the resulting
-constants. Fails fast at boot if the file cannot be located, so a
-packaging mistake surfaces immediately rather than serving stale data.
-"""
-
-from __future__ import annotations
-
-import tomllib
-from pathlib import Path
-
-_PROJECT_NAME = "prowler-api"
-
-
-def _discover_release_id() -> str:
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        project = data.get("project") or {}
-        if project.get("name") != _PROJECT_NAME:
-            continue
-        version = project.get("version")
-        if not isinstance(version, str) or not version:
-            raise RuntimeError(
-                f"{candidate} declares an empty or invalid [project].version"
-            )
-        return version
-    raise RuntimeError(
-        f"Could not locate the {_PROJECT_NAME} pyproject.toml from {here}"
-    )
-
-
-RELEASE_ID: str = _discover_release_id()
-# Public contract major (e.g. "1"); matches the /api/v1/ namespace.
-API_VERSION: str = RELEASE_ID.split(".", 1)[0]
@@ -571,12 +571,6 @@ def providers_fixture(tenants_fixture):
        alias="vercel_testing",
        tenant_id=tenant.id,
    )
-    provider14 = Provider.objects.create(
-        provider="okta",
-        uid="acme.okta.com",
-        alias="okta_testing",
-        tenant_id=tenant.id,
-    )

    return (
        provider1,
@@ -592,7 +586,6 @@ def providers_fixture(tenants_fixture):
        provider11,
        provider12,
        provider13,
-        provider14,
    )


@@ -42,6 +42,7 @@ from api.db_utils import (
    SET_CONFIG_QUERY,
    psycopg_connection,
    rls_transaction,
+    update_objects_in_batches,
 )
 from api.exceptions import ProviderConnectionError
 from api.models import (
@@ -58,7 +59,6 @@ from api.models import (
    ResourceFindingMapping,
    ResourceScanSummary,
    ResourceTag,
-    ResourceTagMapping,
    Scan,
    ScanCategorySummary,
    ScanGroupSummary,
@@ -97,16 +97,8 @@ COMPLIANCE_REQUIREMENT_COPY_COLUMNS = (
 )
 # Controls how many findings we process per micro-batch before flushing to DB writes
 FINDINGS_MICRO_BATCH_SIZE = env.int("DJANGO_FINDINGS_MICRO_BATCH_SIZE", default=3000)
-# Controls how many rows each ORM bulk_create/bulk_update call sends to Postgres.
-SCAN_DB_BATCH_SIZE = env.int("DJANGO_SCAN_DB_BATCH_SIZE", default=1000)
-# Throttle scan progress persistence: minimum progress delta (fraction 0-1)
-# between two persisted progress updates.
-PROGRESS_THROTTLE_DELTA = env.float("DJANGO_SCAN_PROGRESS_THROTTLE_DELTA", default=0.01)
-# Throttle scan progress persistence: maximum seconds without persisting progress
-# regardless of delta (so slow checks still show progress in the UI).
-PROGRESS_THROTTLE_SECONDS = env.float(
-    "DJANGO_SCAN_PROGRESS_THROTTLE_SECONDS", default=10.0
-)
+# Controls how many rows each ORM bulk_create/bulk_update call sends to Postgres
+SCAN_DB_BATCH_SIZE = env.int("DJANGO_SCAN_DB_BATCH_SIZE", default=500)

 ATTACK_SURFACE_PROVIDER_COMPATIBILITY = {
    "internet-exposed": None,  # Compatible with all providers
@@ -536,26 +528,16 @@ def _process_finding_micro_batch(
    """
    # Accumulate objects for bulk operations
    findings_to_create = []
+    mappings_to_create = []
    dirty_resources = {}
-    resources_with_new_tag_mappings: set[str] = set()
    resource_denormalized_data = []  # (finding_instance, resource_instance) pairs
-    tag_mappings_to_create: list[ResourceTagMapping] = []
    skipped_findings_count = 0  # Track findings skipped due to UID length

-    # Separate findings into those persistable (uid <= 300) and over-limit.
-    # Resources/tags ARE still resolved for over-limit findings to preserve the
-    # original behavior (resources are persisted even when their finding is dropped).
-    non_null_findings = [f for f in findings_batch if f is not None]
-    persistable_findings = [f for f in non_null_findings if len(f.uid) <= 300]
-    skipped_findings_count = len(non_null_findings) - len(persistable_findings)
-    none_count = len(findings_batch) - len(non_null_findings)
-    if none_count:
-        logger.error(
-            f"{none_count} None finding(s) detected on scan {scan_instance.id}."
-        )
-
-    # Prefetch last statuses for all persistable findings in this batch (read replica)
-    finding_uids = [f.uid for f in persistable_findings]
+    # Prefetch last statuses for all findings in this batch
+    # TEMPORARY WORKAROUND: Filter out UIDs > 300 chars to avoid query errors
+    finding_uids = [
+        f.uid for f in findings_batch if f is not None and len(f.uid) <= 300
+    ]
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
        last_statuses = {
            item["uid"]: (item["status"], item["first_seen_at"])
@@ -566,411 +548,281 @@ def _process_finding_micro_batch(
            .order_by("uid", "-inserted_at")
            .distinct("uid")
        }
+        # Update cache
        for uid, data in last_statuses.items():
            if uid not in last_status_cache:
                last_status_cache[uid] = data

-    # All DB writes for this micro-batch run inside ONE rls_transaction,
-    # with deadlock-retry at micro-batch granularity instead of per-finding.
-    for attempt in range(CELERY_DEADLOCK_ATTEMPTS):
-        try:
-            with rls_transaction(tenant_id):
-                # 1) Pre-resolve Resources in bulk
-                # Collect all uids referenced by this batch that are not in cache yet.
-                # NOTE: we intentionally include empty-string uids here. The SDK
-                # explicitly emits findings with `resource_uid=""` for some flows
-                # (IaC scans, some Azure/GCP/K8s checks). The original
-                # `get_or_create` behavior was to create/share a Resource with
-                # uid="" for these findings rather than dropping them. Preserve
-                # that behavior; do NOT filter by truthiness.
-                batch_resource_uids: set[str] = set()
-                for f in non_null_findings:
-                    if f.resource_uid not in resource_cache:
-                        batch_resource_uids.add(f.resource_uid)
+    # Process each finding in the batch
+    for finding in findings_batch:
+        if finding is None:
+            logger.error(f"None finding detected on scan {scan_instance.id}.")
+            continue

-                if batch_resource_uids:
-                    existing_resources = {
-                        r.uid: r
-                        for r in Resource.objects.filter(
-                            tenant_id=tenant_id,
-                            provider_id=provider_instance.id,
-                            uid__in=batch_resource_uids,
-                        )
-                    }
-                    missing_uids = batch_resource_uids - existing_resources.keys()
-                    if missing_uids:
-                        # Build defaults from the first finding referencing each uid.
-                        first_finding_per_uid: dict[str, ProwlerFinding] = {}
-                        for f in non_null_findings:
-                            if f.resource_uid in missing_uids:
-                                first_finding_per_uid.setdefault(f.resource_uid, f)
-                        resources_to_create = []
-                        for uid in missing_uids:
-                            f = first_finding_per_uid[uid]
-                            check_metadata = f.get_metadata()
-                            group = check_metadata.get("resourcegroup") or None
-                            resources_to_create.append(
-                                Resource(
-                                    tenant_id=tenant_id,
-                                    provider=provider_instance,
-                                    uid=uid,
-                                    region=f.region,
-                                    service=f.service_name,
-                                    type=f.resource_type,
-                                    name=f.resource_name,
-                                    groups=[group] if group else None,
-                                )
-                            )
-                        Resource.objects.bulk_create(
-                            resources_to_create,
-                            batch_size=SCAN_DB_BATCH_SIZE,
-                            ignore_conflicts=True,
-                            unique_fields=["tenant_id", "provider_id", "uid"],
-                        )
-                        # Re-fetch to obtain instances we just created AND any
-                        # created concurrently by another scan against the same provider.
-                        existing_resources.update(
-                            {
-                                r.uid: r
-                                for r in Resource.objects.filter(
-                                    tenant_id=tenant_id,
-                                    provider_id=provider_instance.id,
-                                    uid__in=missing_uids,
-                                )
-                            }
-                        )
-                    for uid, r in existing_resources.items():
-                        resource_cache[uid] = r
-                        resource_failed_findings_cache.setdefault(uid, 0)
-
-                # 2) Pre-resolve ResourceTags in bulk
-                batch_tag_kv: set[tuple[str, str]] = set()
-                for f in non_null_findings:
-                    for k, v in f.resource_tags.items():
-                        if (k, v) not in tag_cache:
-                            batch_tag_kv.add((k, v))
-
-                if batch_tag_kv:
-                    keys_to_query = {k for k, _ in batch_tag_kv}
-                    existing_tags = {
-                        (t.key, t.value): t
-                        for t in ResourceTag.objects.filter(
-                            tenant_id=tenant_id, key__in=keys_to_query
-                        )
-                        if (t.key, t.value) in batch_tag_kv
-                    }
-                    missing_kv = batch_tag_kv - existing_tags.keys()
-                    if missing_kv:
-                        ResourceTag.objects.bulk_create(
-                            [
-                                ResourceTag(tenant_id=tenant_id, key=k, value=v)
-                                for k, v in missing_kv
-                            ],
-                            batch_size=SCAN_DB_BATCH_SIZE,
-                            ignore_conflicts=True,
-                            unique_fields=["tenant_id", "key", "value"],
-                        )
-                        existing_tags.update(
-                            {
-                                (t.key, t.value): t
-                                for t in ResourceTag.objects.filter(
-                                    tenant_id=tenant_id,
-                                    key__in={k for k, _ in missing_kv},
-                                )
-                                if (t.key, t.value) in missing_kv
-                            }
-                        )
-                    tag_cache.update(existing_tags)
-
-                # 3) Per-finding in-memory processing
-                for finding in non_null_findings:
+        # Process resource with deadlock retry
+        for attempt in range(CELERY_DEADLOCK_ATTEMPTS):
+            try:
+                with rls_transaction(tenant_id):
                    resource_uid = finding.resource_uid
-                    resource_instance = resource_cache.get(resource_uid)
-                    if resource_instance is None:
-                        # Should be unreachable after the pre-resolve step. Defensive log.
-                        logger.error(
-                            f"Resource {resource_uid} missing from cache after pre-resolve "
-                            f"on scan {scan_instance.id}; skipping finding."
-                        )
-                        continue
-
-                    # Detect resource field changes (defer save until end-of-batch bulk_update).
-                    check_metadata = finding.get_metadata()
-                    group = check_metadata.get("resourcegroup") or None
-                    updated = False
-                    if finding.region and resource_instance.region != finding.region:
-                        resource_instance.region = finding.region
-                        updated = True
-                    if resource_instance.service != finding.service_name:
-                        resource_instance.service = finding.service_name
-                        updated = True
-                    if resource_instance.type != finding.resource_type:
-                        resource_instance.type = finding.resource_type
-                        updated = True
-                    if resource_instance.metadata != finding.resource_metadata:
-                        resource_instance.metadata = json.dumps(
-                            finding.resource_metadata, cls=CustomEncoder
-                        )
-                        updated = True
-                    if resource_instance.details != finding.resource_details:
-                        resource_instance.details = finding.resource_details
-                        updated = True
-                    if resource_instance.partition != finding.partition:
-                        resource_instance.partition = finding.partition
-                        updated = True
-                    if group and (
-                        not resource_instance.groups
-                        or group not in resource_instance.groups
-                    ):
-                        resource_instance.groups = (resource_instance.groups or []) + [
-                            group
-                        ]
-                        updated = True
-
-                    if updated:
-                        dirty_resources[resource_uid] = resource_instance
-
-                    # Accumulate ResourceTagMapping rows; bulk_create at end of block.
-                    for k, v in finding.resource_tags.items():
-                        tag_instance = tag_cache.get((k, v))
-                        if tag_instance is None:
-                            # Should not happen after pre-resolve; skip defensively.
-                            continue
-                        tag_mappings_to_create.append(
-                            ResourceTagMapping(
-                                tenant_id=tenant_id,
-                                resource=resource_instance,
-                                tag=tag_instance,
-                            )
-                        )
-
-                    unique_resources.add(
-                        (resource_instance.uid, resource_instance.region)
-                    )
-
-                    # TEMPORARY WORKAROUND: Skip findings with UID > 300 chars
-                    # TODO: Remove this after implementing text field migration for finding.uid
-                    if len(finding.uid) > 300:
-                        logger.warning(
-                            f"Skipping finding with UID exceeding 300 characters. "
-                            f"Length: {len(finding.uid)}, "
-                            f"Check: {finding.check_id}, "
-                            f"Resource: {finding.resource_name}, "
-                            f"UID: {finding.uid}"
-                        )
-                        continue
-
-                    finding_uid = finding.uid
-                    last_status, last_first_seen_at = last_status_cache.get(
-                        finding_uid, (None, None)
-                    )
-
-                    status = FindingStatus[finding.status]
-                    delta = _create_finding_delta(last_status, status)
-
-                    if not last_first_seen_at:
-                        last_first_seen_at = datetime.now(tz=timezone.utc)
-
-                    # Determine if finding should be muted and why
-                    # Priority: mutelist processor (highest) > manual mute rules
-                    is_muted = False
-                    muted_reason = None
-                    if finding.muted:
-                        is_muted = True
-                        muted_reason = "Muted by mutelist"
-                    elif finding_uid in mute_rules_cache:
-                        is_muted = True
-                        muted_reason = mute_rules_cache[finding_uid]
-
-                    if status == FindingStatus.FAIL and not is_muted:
-                        resource_failed_findings_cache[resource_uid] += 1
-
-                    check_metadata["compliance"] = finding.compliance
-                    finding_instance = Finding(
-                        tenant_id=tenant_id,
-                        uid=finding_uid,
-                        delta=delta,
-                        check_metadata=check_metadata,
-                        status=status,
-                        status_extended=finding.status_extended,
-                        severity=finding.severity,
-                        impact=finding.severity,
-                        raw_result=finding.raw,
-                        check_id=finding.check_id,
-                        scan=scan_instance,
-                        first_seen_at=last_first_seen_at,
-                        muted=is_muted,
-                        muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
-                        muted_reason=muted_reason,
-                        compliance=finding.compliance,
-                        categories=check_metadata.get("categories", []) or [],
-                        resource_groups=check_metadata.get("resourcegroup") or None,
-                        # Denormalized resource arrays populated directly on insert
-                        # (was previously a separate bulk_update; saves a CASE WHEN
-                        # over thousands of rows per micro-batch).
-                        resource_regions=[resource_instance.region]
-                        if resource_instance.region
-                        else [],
-                        resource_services=[resource_instance.service]
-                        if resource_instance.service
-                        else [],
-                        resource_types=[resource_instance.type]
-                        if resource_instance.type
-                        else [],
-                    )
-                    findings_to_create.append(finding_instance)
-                    resource_denormalized_data.append(
-                        (finding_instance, resource_instance)
-                    )
-
-                    scan_resource_cache.add(
-                        (
-                            str(resource_instance.id),
-                            resource_instance.service,
-                            resource_instance.region,
-                            resource_instance.type,
-                        )
-                    )
-
-                    aggregate_category_counts(
-                        categories=check_metadata.get("categories", []) or [],
-                        severity=finding.severity.value,
-                        status=status.value,
-                        delta=delta.value if delta else None,
-                        muted=is_muted,
-                        cache=scan_categories_cache,
-                    )
-
-                    aggregate_resource_group_counts(
-                        resource_group=check_metadata.get("resourcegroup") or None,
-                        severity=finding.severity.value,
-                        status=status.value,
-                        delta=delta.value if delta else None,
-                        muted=is_muted,
-                        resource_uid=resource_instance.uid if resource_instance else "",
-                        cache=scan_resource_groups_cache,
-                        group_resources_cache=group_resources_cache,
-                    )
-
-                # 4) Bulk create ResourceTagMappings
-                # Replaces the original per-resource `upsert_or_delete_tags`
-                # (which did one `update_or_create` + SELECT FOR UPDATE per mapping).
-                if tag_mappings_to_create:
-                    # Pre-SELECT existing pairs: `bulk_create(ignore_conflicts=True)`
-                    # does not populate `pk`, so we cannot tell new vs existing from
-                    # the result; we need that to bump `updated_at` only on resources
-                    # that actually gain a mapping.
-                    candidate_resource_ids = {
-                        m.resource_id for m in tag_mappings_to_create
-                    }
-                    candidate_tag_ids = {m.tag_id for m in tag_mappings_to_create}
-                    existing_pairs = set(
-                        ResourceTagMapping.objects.filter(
+                    if resource_uid not in resource_cache:
+                        check_metadata = finding.get_metadata()
+                        group = check_metadata.get("resourcegroup") or None
+                        resource_instance, _ = Resource.objects.get_or_create(
                            tenant_id=tenant_id,
-                            resource_id__in=candidate_resource_ids,
-                            tag_id__in=candidate_tag_ids,
-                        ).values_list("resource_id", "tag_id")
-                    )
-                    resource_uid_by_id = {
-                        str(r.id): uid for uid, r in resource_cache.items()
-                    }
-                    for m in tag_mappings_to_create:
-                        if (m.resource_id, m.tag_id) not in existing_pairs:
-                            uid = resource_uid_by_id.get(str(m.resource_id))
-                            if uid is not None:
-                                resources_with_new_tag_mappings.add(uid)
-
-                    ResourceTagMapping.objects.bulk_create(
-                        tag_mappings_to_create,
-                        batch_size=SCAN_DB_BATCH_SIZE,
-                        ignore_conflicts=True,
-                        unique_fields=["tenant_id", "resource_id", "tag_id"],
-                    )
-
-                # 5) Bulk create Findings
-                if findings_to_create:
-                    Finding.objects.bulk_create(
-                        findings_to_create, batch_size=SCAN_DB_BATCH_SIZE
-                    )
-
-                # 6) Bulk create ResourceFindingMapping rows
-                mappings_to_create = [
-                    ResourceFindingMapping(
-                        tenant_id=tenant_id,
-                        resource=resource_instance,
-                        finding=finding_instance,
-                    )
-                    for finding_instance, resource_instance in resource_denormalized_data
-                ]
-                if mappings_to_create:
-                    created_mappings = ResourceFindingMapping.objects.bulk_create(
-                        mappings_to_create,
-                        batch_size=SCAN_DB_BATCH_SIZE,
-                        ignore_conflicts=True,
-                        unique_fields=["tenant_id", "resource_id", "finding_id"],
-                    )
-                    inserted = sum(1 for m in created_mappings if m.pk)
-                    if inserted != len(mappings_to_create):
-                        logger.error(
-                            f"scan {scan_instance.id}: expected "
-                            f"{len(mappings_to_create)} ResourceFindingMapping rows, "
-                            f"inserted {inserted}. Rolling back micro-batch."
+                            provider=provider_instance,
+                            uid=resource_uid,
+                            defaults={
+                                "region": finding.region,
+                                "service": finding.service_name,
+                                "type": finding.resource_type,
+                                "name": finding.resource_name,
+                                "groups": [group] if group else None,
+                            },
                        )
+                        resource_cache[resource_uid] = resource_instance
+                        resource_failed_findings_cache[resource_uid] = 0
+                    else:
+                        resource_instance = resource_cache[resource_uid]
+                break
+            except (OperationalError, IntegrityError) as db_err:
+                if attempt < CELERY_DEADLOCK_ATTEMPTS - 1:
+                    logger.warning(
+                        f"{'Deadlock error' if isinstance(db_err, OperationalError) else 'Integrity error'} "
+                        f"detected when processing resource {resource_uid} on scan {scan_instance.id}. Retrying..."
+                    )
+                    time.sleep(0.1 * (2**attempt))
+                    continue
+                else:
+                    raise db_err

-                # 7) Bulk update Resources
-                # Union of:
-                #  - resources whose fields changed (dirty_resources)
-                #  - resources that got new tag mappings (need updated_at bump,
-                #    preserving the original `self.save(update_fields=["updated_at"])`
-                #    behavior of `upsert_or_delete_tags`)
-                all_resource_uids_to_touch = (
-                    set(dirty_resources.keys()) | resources_with_new_tag_mappings
+        # Track resource field changes (defer save)
+        updated = False
+        check_metadata = finding.get_metadata()
+        group = check_metadata.get("resourcegroup") or None
+        if finding.region and resource_instance.region != finding.region:
+            resource_instance.region = finding.region
+            updated = True
+        if resource_instance.service != finding.service_name:
+            resource_instance.service = finding.service_name
+            updated = True
+        if resource_instance.type != finding.resource_type:
+            resource_instance.type = finding.resource_type
+            updated = True
+        if resource_instance.metadata != finding.resource_metadata:
+            resource_instance.metadata = json.dumps(
+                finding.resource_metadata, cls=CustomEncoder
+            )
+            updated = True
+        if resource_instance.details != finding.resource_details:
+            resource_instance.details = finding.resource_details
+            updated = True
+        if resource_instance.partition != finding.partition:
+            resource_instance.partition = finding.partition
+            updated = True
+        if group and (
+            not resource_instance.groups or group not in resource_instance.groups
+        ):
+            resource_instance.groups = (resource_instance.groups or []) + [group]
+            updated = True
+
+        if updated:
+            dirty_resources[resource_uid] = resource_instance
+
+        # Process tags
+        tags = []
+        with rls_transaction(tenant_id):
+            for key, value in finding.resource_tags.items():
+                tag_key = (key, value)
+                if tag_key not in tag_cache:
+                    tag_instance, _ = ResourceTag.objects.get_or_create(
+                        tenant_id=tenant_id, key=key, value=value
+                    )
+                    tag_cache[tag_key] = tag_instance
+                else:
+                    tag_instance = tag_cache[tag_key]
+                tags.append(tag_instance)
+            resource_instance.upsert_or_delete_tags(tags=tags)
+
+        unique_resources.add((resource_instance.uid, resource_instance.region))
+
+        # Prepare finding data
+        finding_uid = finding.uid
+
+        # TEMPORARY WORKAROUND: Skip findings with UID > 300 chars
+        # TODO: Remove this after implementing text field migration for finding.uid
+        if len(finding_uid) > 300:
+            skipped_findings_count += 1
+            logger.warning(
+                f"Skipping finding with UID exceeding 300 characters. "
+                f"Length: {len(finding_uid)}, "
+                f"Check: {finding.check_id}, "
+                f"Resource: {finding.resource_name}, "
+                f"UID: {finding_uid}"
+            )
+            continue
+
+        last_status, last_first_seen_at = last_status_cache.get(
+            finding_uid, (None, None)
+        )
+
+        status = FindingStatus[finding.status]
+        delta = _create_finding_delta(last_status, status)
+
+        if not last_first_seen_at:
+            last_first_seen_at = datetime.now(tz=timezone.utc)
+
+        # Determine if finding should be muted and why
+        # Priority: mutelist processor (highest) > manual mute rules
+        is_muted = False
+        muted_reason = None
+
+        # Check mutelist processor first (highest priority)
+        if finding.muted:
+            is_muted = True
+            muted_reason = "Muted by mutelist"
+        # If not muted by mutelist, check manual mute rules
+        elif finding_uid in mute_rules_cache:
+            is_muted = True
+            muted_reason = mute_rules_cache[finding_uid]
+
+        # Increment failed_findings_count cache if needed
+        if status == FindingStatus.FAIL and not is_muted:
+            resource_failed_findings_cache[resource_uid] += 1
+
+        # Create finding object (don't save yet)
+        check_metadata = finding.get_metadata()
+        check_metadata["compliance"] = finding.compliance
+        finding_instance = Finding(
+            tenant_id=tenant_id,
+            uid=finding_uid,
+            delta=delta,
+            check_metadata=check_metadata,
+            status=status,
+            status_extended=finding.status_extended,
+            severity=finding.severity,
+            impact=finding.severity,
+            raw_result=finding.raw,
+            check_id=finding.check_id,
+            scan=scan_instance,
+            first_seen_at=last_first_seen_at,
+            muted=is_muted,
+            muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
+            muted_reason=muted_reason,
+            compliance=finding.compliance,
+            categories=check_metadata.get("categories", []) or [],
+            resource_groups=check_metadata.get("resourcegroup") or None,
+        )
+        findings_to_create.append(finding_instance)
+        resource_denormalized_data.append((finding_instance, resource_instance))
+
+        # Track for scan summary
+        scan_resource_cache.add(
+            (
+                str(resource_instance.id),
+                resource_instance.service,
+                resource_instance.region,
+                resource_instance.type,
+            )
+        )
+
+        # Track categories with counts for ScanCategorySummary by (category, severity)
+        aggregate_category_counts(
+            categories=check_metadata.get("categories", []) or [],
+            severity=finding.severity.value,
+            status=status.value,
+            delta=delta.value if delta else None,
+            muted=is_muted,
+            cache=scan_categories_cache,
+        )
+
+        # Track resource groups with counts for ScanGroupSummary
+        aggregate_resource_group_counts(
+            resource_group=check_metadata.get("resourcegroup") or None,
+            severity=finding.severity.value,
+            status=status.value,
+            delta=delta.value if delta else None,
+            muted=is_muted,
+            resource_uid=resource_instance.uid if resource_instance else "",
+            cache=scan_resource_groups_cache,
+            group_resources_cache=group_resources_cache,
+        )
+
+    # Bulk operations within single transaction
+    with rls_transaction(tenant_id):
+        # Bulk create findings
+        if findings_to_create:
+            Finding.objects.bulk_create(
+                findings_to_create, batch_size=SCAN_DB_BATCH_SIZE
+            )
+
+        # Bulk create resource-finding mappings
+        for finding_instance, resource_instance in resource_denormalized_data:
+            mappings_to_create.append(
+                ResourceFindingMapping(
+                    tenant_id=tenant_id,
+                    resource=resource_instance,
+                    finding=finding_instance,
                )
-                if all_resource_uids_to_touch:
-                    now_utc = datetime.now(tz=timezone.utc)
-                    resources_to_bulk_update = []
-                    for uid in all_resource_uids_to_touch:
-                        # Use the instance from dirty_resources if present (has mutated
-                        # fields), otherwise the cached one (for updated_at bump only).
-                        r = dirty_resources.get(uid) or resource_cache.get(uid)
-                        if r is None:
-                            continue
-                        # Manually bump updated_at since bulk_update bypasses auto_now.
-                        r.updated_at = now_utc
-                        resources_to_bulk_update.append(r)
-                    if resources_to_bulk_update:
-                        Resource.objects.bulk_update(
-                            resources_to_bulk_update,
-                            [
-                                "metadata",
-                                "details",
-                                "partition",
-                                "region",
-                                "service",
-                                "type",
-                                "groups",
-                                "updated_at",
-                            ],
-                            batch_size=1000,
-                        )
-            # Successful execution: leave deadlock retry loop.
-            break
-        except (OperationalError, IntegrityError) as db_err:
-            if attempt < CELERY_DEADLOCK_ATTEMPTS - 1:
-                logger.warning(
-                    f"{'Deadlock error' if isinstance(db_err, OperationalError) else 'Integrity error'} "
-                    f"on micro-batch for scan {scan_instance.id}. Retrying (attempt {attempt + 1})..."
+            )
+
+        if mappings_to_create:
+            created_mappings = ResourceFindingMapping.objects.bulk_create(
+                mappings_to_create,
+                batch_size=SCAN_DB_BATCH_SIZE,
+                ignore_conflicts=True,
+                unique_fields=["tenant_id", "resource_id", "finding_id"],
+            )
+            inserted = sum(1 for m in created_mappings if m.pk)
+            if inserted != len(mappings_to_create):
+                logger.error(
+                    f"scan {scan_instance.id}: expected "
+                    f"{len(mappings_to_create)} ResourceFindingMapping rows, "
+                    f"inserted {inserted}. Rolling back micro-batch."
                )
-                time.sleep(0.1 * (2**attempt))
-                # Clear accumulators that we appended to inside the failed transaction
-                # so the retry produces consistent results.
-                findings_to_create.clear()
-                resource_denormalized_data.clear()
-                tag_mappings_to_create.clear()
-                dirty_resources.clear()
-                resources_with_new_tag_mappings.clear()
-                continue
-            raise
+
+        # Update finding denormalized arrays
+        findings_to_update = []
+        for finding_instance, resource_instance in resource_denormalized_data:
+            if not finding_instance.resource_regions:
+                finding_instance.resource_regions = []
+            if not finding_instance.resource_services:
+                finding_instance.resource_services = []
+            if not finding_instance.resource_types:
+                finding_instance.resource_types = []
+
+            if resource_instance.region not in finding_instance.resource_regions:
+                finding_instance.resource_regions.append(resource_instance.region)
+            if resource_instance.service not in finding_instance.resource_services:
+                finding_instance.resource_services.append(resource_instance.service)
+            if resource_instance.type not in finding_instance.resource_types:
+                finding_instance.resource_types.append(resource_instance.type)
+
+            findings_to_update.append(finding_instance)
+
+        if findings_to_update:
+            Finding.objects.bulk_update(
+                findings_to_update,
+                ["resource_regions", "resource_services", "resource_types"],
+                batch_size=SCAN_DB_BATCH_SIZE,
+            )
+
+    # Bulk update dirty resources
+    if dirty_resources:
+        update_objects_in_batches(
+            tenant_id=tenant_id,
+            model=Resource,
+            objects=list(dirty_resources.values()),
+            fields=[
+                "metadata",
+                "details",
+                "partition",
+                "region",
+                "service",
+                "type",
+                "groups",
+            ],
+            batch_size=1000,
+        )

    # Log skipped findings summary
    if skipped_findings_count > 0:
@@ -1021,7 +873,7 @@ def perform_prowler_scan(
        scan_instance = Scan.objects.get(pk=scan_id)
        scan_instance.state = StateChoices.EXECUTING
        scan_instance.started_at = datetime.now(tz=timezone.utc)
-        scan_instance.save(update_fields=["state", "started_at", "updated_at"])
+        scan_instance.save()

    # Find the mutelist processor if it exists
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
@@ -1066,13 +918,7 @@ def perform_prowler_scan(
                provider_instance.connection_last_checked_at = datetime.now(
                    tz=timezone.utc
                )
-                provider_instance.save(
-                    update_fields=[
-                        "connected",
-                        "connection_last_checked_at",
-                        "updated_at",
-                    ]
-                )
+                provider_instance.save()

        # If the provider is not connected, raise an exception outside the transaction.
        # If raised within the transaction, the transaction will be rolled back and the provider will not be marked
@@ -1087,13 +933,6 @@ def perform_prowler_scan(
        last_status_cache = {}
        resource_failed_findings_cache = defaultdict(int)

-        # Throttle scan_instance progress writes to avoid hammering the writer:
-        # only persist when progress moves by at least `PROGRESS_THROTTLE_DELTA`
-        # OR `PROGRESS_THROTTLE_SECONDS` have elapsed. The final progress (1.0)
-        # always persists in the `finally` block below.
-        last_persisted_progress = -1.0
-        last_persisted_progress_at = 0.0
-
        for progress, findings in prowler_scan.scan():
            # Process findings in micro-batches
            findings_list = list(findings)
@@ -1120,20 +959,10 @@ def perform_prowler_scan(
                    group_resources_cache=group_resources_cache,
                )

-            # Throttled progress save (the final save in the `finally` block
-            # below always runs regardless of throttle).
-            now = time.time()
-            progress_delta = progress - last_persisted_progress
-            elapsed = now - last_persisted_progress_at
-            if (
-                progress_delta >= PROGRESS_THROTTLE_DELTA
-                or elapsed >= PROGRESS_THROTTLE_SECONDS
-            ):
-                with rls_transaction(tenant_id):
-                    scan_instance.progress = progress
-                    scan_instance.save(update_fields=["progress", "updated_at"])
-                last_persisted_progress = progress
-                last_persisted_progress_at = now
+            # Update scan progress
+            with rls_transaction(tenant_id):
+                scan_instance.progress = progress
+                scan_instance.save()

        scan_instance.state = StateChoices.COMPLETED

@@ -1147,16 +976,13 @@ def perform_prowler_scan(
                    resources_to_update.append(resource_instance)

            if resources_to_update:
-                # Single rls_transaction wrapping the bulk_update (previously
-                # `update_objects_in_batches` opened one rls_transaction per
-                # chunk; for tenants with many resources this collapsed N
-                # BEGINs/COMMITs into 1).
-                with rls_transaction(tenant_id):
-                    Resource.objects.bulk_update(
-                        resources_to_update,
-                        ["failed_findings_count"],
-                        batch_size=SCAN_DB_BATCH_SIZE,
-                    )
+                update_objects_in_batches(
+                    tenant_id=tenant_id,
+                    model=Resource,
+                    objects=resources_to_update,
+                    fields=["failed_findings_count"],
+                    batch_size=1000,
+                )

    except Exception as e:
        logger.error(f"Error performing scan {scan_id}: {e}")
@@ -1168,16 +994,7 @@ def perform_prowler_scan(
            scan_instance.duration = time.time() - start_time
            scan_instance.completed_at = datetime.now(tz=timezone.utc)
            scan_instance.unique_resource_count = len(unique_resources)
-            scan_instance.save(
-                update_fields=[
-                    "state",
-                    "duration",
-                    "completed_at",
-                    "unique_resource_count",
-                    "progress",
-                    "updated_at",
-                ]
-            )
+            scan_instance.save()

    if exception is not None:
        raise exception
@@ -4494,7 +4494,7 @@ dependencies = [

 [[package]]
 name = "prowler-api"
-version = "1.30.0"
+version = "1.28.0"
 source = { virtual = "." }
 dependencies = [
    { name = "cartography" },
@@ -1,30 +0,0 @@
-{
-  "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
-  "name": "prowler",
-  "version": "0.1.0",
-  "description": "Prowler for Claude Code — cloud security and compliance skills powered by the Prowler MCP server. Bundles compliance triage and remediation; more skills coming.",
-  "author": {
-    "name": "Prowler",
-    "email": "support@prowler.com",
-    "url": "https://prowler.com"
-  },
-  "homepage": "https://docs.prowler.com",
-  "repository": "https://github.com/prowler-cloud/prowler",
-  "license": "Apache-2.0",
-  "keywords": [
-    "prowler",
-    "security",
-    "compliance",
-    "cloud-security",
-    "mcp"
-  ],
-  "userConfig": {
-    "api_key": {
-      "type": "string",
-      "title": "Prowler API key",
-      "description": "API key token used to authenticate with Prowler Cloud / Prowler App via the Prowler MCP server. Create one at https://cloud.prowler.com.",
-      "sensitive": true,
-      "required": true
-    }
-  }
-}
@@ -1,9 +0,0 @@
-{
-  "prowler": {
-    "type": "http",
-    "url": "https://mcp.prowler.com/mcp",
-    "headers": {
-      "Authorization": "Bearer ${user_config.api_key}"
-    }
-  }
-}
@@ -1,80 +0,0 @@
-# Prowler for Claude Code
-
-End-to-end cloud security and compliance from inside [Claude Code](https://www.claude.com/product/claude-code), powered by the [Prowler MCP server](https://docs.prowler.com/projects/prowler-mcp/). The plugin lets Claude walk a Prowler Cloud-connected account through a compliance assessment and remediate findings until the chosen security or industry framework is compliant.
-
-> **Preview**: this plugin is under active development. Report issues at <https://github.com/prowler-cloud/prowler/issues> or join the [Slack community](https://goto.prowler.com/slack).
-
-## Requirements
-
- [Claude Code](https://www.claude.com/product/claude-code) installed and signed in.
- A [Prowler Cloud](https://cloud.prowler.com) account (the free tier is enough to start).
- A Prowler API key — create one at <https://cloud.prowler.com/profile>.
-
-## Installation
-
-Inside a Claude Code session:
-
-```text
-/plugin marketplace add prowler-cloud/prowler
-/plugin install prowler@prowler-plugins
-```
-
-Or, if you already have the repo checked out locally:
-
-```text
-/plugin marketplace add /absolute/path/to/prowler
-/plugin install prowler@prowler-plugins
-```
-
-## Configuration
-
-On first install, Claude Code prompts for your **Prowler API key**. It is stored securely (macOS keychain or `~/.claude/.credentials.json`) and used to authenticate against Prowler Cloud.
-
-To rotate the key, uninstall and reinstall the plugin — Claude Code will prompt again.
-
-## Verify the install
-
-In a Claude Code session:
-
-```text
-/mcp          → "prowler" appears as a connected server
-/plugin       → "prowler" enabled, skill listed as prowler:framework-compliance-triage
-```
-
-If `/mcp` reports the `prowler` server as failed, the most common cause is a rejected API key — re-issue one in Prowler Cloud and reinstall the plugin so it re-prompts.
-
-## Usage
-
-Open a conversation that mentions the framework you want to comply with. Examples:
-
- *"Make my AWS production account compliant with CIS 4.0."*
- *"Make my current Terraform project compliant with the Prowler ThreatScore Compliance Framework based on the latest scan results."*
- *"Help me get to 100% on PCI-DSS for this GCP project."*
-
-You pick a **primary tool** (Terraform, gh / az / aws CLI, web console, or mixed) and a **mode**:
-
- **Claude-assisted** (default). Claude shows each fix — target resource, exact commands, side effects, reversibility — and waits for your go-ahead before applying.
- **Claude autonomous**. Claude presents a single up-front plan grouped by shared fixes, waits for one confirmation, then proceeds. It pauses mid-loop if a fix has wide blast radius or a finding is not applicable.
-
-Claude tracks progress in a markdown report under `.prowler/` at your project root — one file per framework × account. Open it any time to see exactly where the flow is. When all findings are addressed, Claude proposes a fresh Prowler scan to verify everything end-to-end.
-
-## Uninstalling
-
-```text
-/plugin uninstall prowler@prowler-plugins
-/plugin marketplace remove prowler-plugins
-```
-
-The stored API key is removed automatically.
-
-## Troubleshooting
-
-| Symptom | Likely cause | Fix |
-|---|---|---|
-| `/mcp` shows `prowler` as failed | Rejected API key | Generate a new one in Prowler Cloud and reinstall the plugin to re-prompt. |
-| Skill not invoked when expected | The skill description didn't match the prompt | Mention the framework name plus "compliance" or "compliant" in your prompt. |
-| "Framework not supported" | Prowler Hub does not list the framework for that provider | Open an issue or PR at <https://github.com/prowler-cloud/prowler>. |
-
-## License
-
-Apache 2.0 — see [LICENSE](../../LICENSE).
@@ -1,199 +0,0 @@
---
-name: framework-compliance-triage
-description: Make a cloud account compliant with a security or industry framework using Prowler Cloud.
---
-
-# Framework compliance
-
-Iterative, interactive flow that takes a cloud account through setup, reporting, and remediation until it complies with the chosen security or industry framework.
-
-## Checkpoints
-
-This skill uses **checkpoints** to mark moments where you must stop, post a clear question or summary to the user, and wait for the reply before continuing. Each checkpoint is rendered like this:
-
-> **Checkpoint — <name>**
->
-> What to present, and what to wait for.
-
-Treat every checkpoint as a hard stop:
-
- Do not skip a checkpoint because the user previously said "go ahead", "just do it", or similar. Confirmations are scoped to a single checkpoint and do not transfer to later ones.
- Do not bundle two checkpoints into one message. Post one, wait for the reply, then continue.
- Do not infer the user's answer from context or proceed on silence. Ask explicitly and wait.
- If a checkpoint is conditional (e.g. only fires when multiple accounts exist), evaluate the condition first; if it does not apply, continue without prompting.
- If the user's initial message already answers the question a checkpoint asks (e.g. "make my AWS subscription compliant with CIS using Terraform autonomously"), treat the checkpoint as satisfied for the parts they covered, and only ask for what is still missing.
-
-## 1. Initial Prowler Cloud setup
-
-> **Checkpoint — Provider and framework selection**
->
-> If the user has not already specified both the provider and the framework, ask explicitly and wait for the answer. If they have specified them in their opening message, skip this checkpoint.
-
-Confirm both are supported by the Prowler Hub MCP:
-
- Enumerate supported providers with `prowler_hub_list_providers`.
- Enumerate frameworks for the chosen provider with `prowler_hub_list_compliances`, passing the provider `id` as the only element of the `provider` input list.
-
-If the framework is not supported, tell the user, suggest they request it or contribute it themselves, and end the flow. Otherwise continue.
-
-### 1.1 Connect to Prowler Cloud
-
-Verify the Prowler MCP connection by calling `prowler_app_search_providers` — a successful response returns the list of providers. If the call fails, walk the user through troubleshooting: internet connectivity, Prowler Cloud credentials, and permissions on the Prowler Cloud account.
-For getting accurate information about configurations use `prowler_docs_search` to pull relevant instructions from the Prowler documentation.
-
-### 1.2 Verify the provider is configured (or configure it)
-
-Call `prowler_app_search_providers` to check whether the target provider (AWS account, Azure Subscription, GitHub Account...) exists in the user's Prowler Cloud account. Handle the result based on what's found:
-
- **Provider not present.** Guide the user through adding and configuring it. Retrieve the relevant connection, credential, and permission instructions with `prowler_docs_search`.
- **Provider present but misconfigured** (missing credentials, insufficient permissions, etc.). Walk the user through fixing the configuration, pulling the relevant guidance with `prowler_docs_search`.
- **Provider present and configured.** Continue.
-
-> **Checkpoint — Account selection** *(conditional: more than one account of the chosen provider is configured)*
->
-> List the accounts with helpful detail (account name, uid, last scan date) and ask which one to use. Wait for the answer. If only one account exists, skip this checkpoint and use it.
-
-### 1.3 Review compliance report for the provider account
-
-The flow needs at least one completed scan with a compliance report available.
-
-Look for a completed scan first: call `prowler_app_list_scans` with the selected `provider_id` and `state: ["completed"]`, then call `prowler_app_get_compliance_overview` with each `scan_id` to find one whose compliance report is available. If one is found, continue to the next section.
-
-If no completed scan has a report, call `prowler_app_list_scans` again with `state: ["available", "executing"]` to detect a scan in progress.
-
-> **Checkpoint — Scan-in-progress decision** *(conditional: an in-progress scan was detected)*
->
-> Tell the user a scan is already running and ask whether to wait for it to complete or start a fresh one. Wait for the answer.
-
-If no scan is running (or the user chose to start a fresh one), trigger a new scan with `prowler_app_trigger_scan` and the `provider_id`. The link `https://cloud.prowler.com/scans?filter%5Bprovider_uid__in%5D={provider_id}` lets the user monitor progress.
-
-When a scan is in progress (either pre-existing and elected to wait, or just triggered), stop the flow and ask the user to return when it's completed — restart this section to re-check the results.
-
-## 2. Compliance report
-
-Every iteration of the remediation loop reads and writes a single markdown file per provider account and framework, stored at `${CLAUDE_PROJECT_DIR}/.prowler/compliance-<compliance_id>-<provider_uid>.md`. Sanitize `<provider_uid>` to `[a-zA-Z0-9_-]` by replacing anything else with `-`. Create `.prowler/` if missing.
-
-Across iterations, edit only: status tags on failed requirements and their findings, the per-requirement `Fix plan` / `Fix applied` sub-bullets added during sections 3.3–3.4, the **Global remediation approach** block, and the **Activity log** (append-only, newest on top). Requirement descriptions, finding IDs, and the entire **Manual review requirements** section are read-only after first render.
-
-Status taxonomy for failed requirements and their findings:
-
- `[FAIL]` — failing in the latest scan.
- `[IN PROGRESS]` — picked up by section 3.3.
- `[FIXED-UNVERIFIED]` — remediation applied; not yet confirmed.
- `[PASS]` — passing in the latest scan (set when a rescan in section 3.5 confirms the fix).
- `[SKIPPED]` — user explicitly deferred.
-
-### Report template
-
-A fresh report is rendered like this (substituting values from the `prowler_app_get_compliance_framework_state_details` Prowler MCP tool response):
-
-````markdown
-# Compliance report: <compliance_id>
-
-**Provider account**: <display name + uid>
-**Scan ID**: <scan_id>
-**Generated**: <ISO timestamp>
-**Last update**: <ISO timestamp>
-**Status**: <passed>/<total> passing (<pct>%) · <failed> failing · <manual_review> manual review
-
-## Global remediation approach
-<!-- Filled by section 3.1. -->
- **Primary tool**: _Terraform | Azure CLI | AWS CLI | web console | mixed_
- **Mode**: _Claude autonomous | Claude-assisted_
- **Notes**:
-
-## Activity log
- <ISO timestamp> — Report initialized from scan `<scan_id>`.
-
-## Failed requirements
-
-### <code> — [FAIL]
-**Description**: <text>
-**Findings** (<n>):
- [FAIL] `<finding_id>`
-
-## Manual review requirements
- **<code>** — [PENDING]: <description>
-````
-
-### 2.1 Generate or refresh the report
-
-Resolve the report path for the current `compliance_id` and provider account.
-
-If the file does not exist, call `prowler_app_get_compliance_framework_state_details` for the target scan, render the template above, and write the file with one initialization entry in the activity log.
-
-If the file exists, read it and compare its `Scan ID` to the target scan from section 1.3. When the scan matches, reuse the file and summarize remaining `[FAIL]` and `[IN PROGRESS]` items in chat.
-
-> **Checkpoint — Report refresh** *(conditional: the file's `Scan ID` differs from the current target scan)*
->
-> Tell the user the report on disk was generated from a different scan and ask whether to refresh it from the new scan. Wait for the answer.
-
-On confirmation, regenerate the failed-requirements section from the new `prowler_app_get_compliance_framework_state_details` response, carry forward the **Global remediation approach** block and the full activity log, and append an activity-log entry noting the scan change.
-
-Once the file is current, surface the top failing requirements in chat: sort by finding count descending, show the top 5 with their codes and counts, and point to the file path for the full list.
-
-## 3. Remediation loop
-
-### 3.1 Define the global remediation approach
-
-Two modes are available:
-
- **Claude-assisted** (default when the user has not specified): per-requirement confirmation. For each requirement Claude shows the target resource, exact commands, side effects, and reversibility, then waits for explicit go-ahead before applying.
- **Claude autonomous**: no per-requirement gate, but Claude still presents one batch-level fix plan up front (§3.2) and waits for a single confirmation, and pauses if a finding looks not applicable, requires a paid feature, or has wide blast radius (breaks dev workflow, forces collaborator changes, is hard to reverse).
-
-If the user phrases their request as "just do it" or similar, treat that as autonomous **with** the batch-plan confirmation still required — the confirmation is a property of the skill, not the user's verbosity preference.
-
-> **Checkpoint — Global remediation approach**
->
-> Ask the user which tool to use for fixes (Terraform, gh / az / aws CLI, web console, mixed...) and which mode to operate in. Wait for the answer before continuing. This checkpoint is non-negotiable: never assume a default tool, and never assume autonomous mode.
-
-Once answered, write the values into the **Global remediation approach** block of the report file.
-
-> **Checkpoint — Overwriting an existing approach** *(conditional: the block is already populated from a previous session)*
->
-> Show the previous values and the new ones, and ask the user to confirm before overwriting. Wait for the answer.
-
-### 3.2 Present the batch fix plan *(autonomous mode only)*
-
-In **assisted** mode, skip this section — the per-requirement gate in §3.3 confirms each fix as it comes up. Only run §3.2 in **autonomous** mode, where the loop will otherwise apply fixes without further input.
-
-Before touching anything, post a single chat summary covering every `[FAIL]` requirement:
-
- Group findings that share a fix (e.g. ten branch-protection requirements satisfied by one PUT call → present as one group).
- For each group: target resource, exact tool calls, side effects, reversibility.
- Call out findings that look **not applicable** to this target (e.g. an Organization-only check evaluated against a User account, a feature gated by a paid plan, a resource type the user doesn't have) and propose `[SKIPPED]` with the reason.
- Call out findings that require manual user action Claude cannot perform.
-
-> **Checkpoint — Batch fix plan approval** *(conditional: autonomous mode)*
->
-> Post the grouped plan and wait for explicit confirmation. Do not start any fix before the user replies.
-
-Once approved, the loop proceeds through the batch without further prompts unless something deviates from the approved plan.
-
-### 3.3 Pick the first FAIL requirement and inspect its findings
-
-Pick the first `[FAIL]` requirement at the top of the failed-requirements section. Move its status and every finding under it to `[IN PROGRESS]`, and add a `**Fix plan**:` sub-bullet describing what will be done.
-
-Call `prowler_app_get_finding_details` for each `finding_id` to retrieve the failing resource and the Prowler Hub's remediation guidance for that check using the tool `prowler_hub_get_check_details` with the `check_id` from the finding details. Summarize the guidance in chat, and append it to the `**Fix plan**` note for each finding.
-
-If a finding does not apply to the target resource (Organization-only check on a User account, paid-tier feature, missing resource type, etc.), set the requirement status to `[SKIPPED]` with the reason, log it in the activity log, and move on without attempting the fix — even if it was missed during §3.2.
-
-> **Checkpoint — Per-requirement approval** *(conditional: assisted mode)*
->
-> Post the per-requirement plan in chat — resource, command, side effects, reversibility — and wait for confirmation before moving to §3.4. In **autonomous** mode, post the plan for transparency but proceed unless it deviates from the batch plan agreed in §3.2.
-
-### 3.4 Diagnose, fix, verify
-
-Read the remediation guidance returned in §3.3, identify the root cause, and apply the fix using the tool defined in the **Global remediation approach** block. After applying, verify via the same tool that applied the fix or via a provider API call when applicable. If the re-read shows the change did not land, leave the status at `[IN PROGRESS]`, surface the error to the user, and stop the loop for this requirement.
-
-When the change is in place, append a `**Fix applied**: <tool, summary, refs>` sub-bullet to the requirement, move each fixed finding to `[FIXED-UNVERIFIED]`, and add one activity-log entry describing the change. If no programmatic verification was possible (e.g. web console action), note in the activity log that confirmation depends on the rescan in §3.5.
-
-### 3.5 Loop
-
-Move to the next `[FAIL]` requirement and repeat from section 3.3.
-
-> **Checkpoint — Rescan trigger** *(conditional: no `[FAIL]` requirements remain; all are `[FIXED-UNVERIFIED]` or `[SKIPPED]`)*
->
-> Summarize what was applied, list any `[SKIPPED]` items with reasons, and ask whether to trigger a fresh scan with `prowler_app_trigger_scan` to verify the fixes end-to-end. Wait for the answer.
-
-On confirmation, trigger the rescan. When it completes, restart section 2.1 with the carry-forward path — requirements no longer in the new FAIL list move to `[PASS]`, anything still failing reverts to `[FAIL]` with the previous fix attempt visible in the activity log.
@@ -590,16 +590,13 @@ resources: {}
  #   memory: 128Mi

 # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-# /health/live succeeds while the process answers; /health/ready also
-# checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
-# any of them is unreachable.
 livenessProbe:
  httpGet:
-    path: /health/live
+    path: /
    port: http
 readinessProbe:
  httpGet:
-    path: /health/ready
+    path: /
    port: http

 #This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
@@ -270,23 +270,20 @@ api:
  # 3m30s to setup DB
  # startupProbe:
  #   httpGet:
-  #     path: /health/live
+  #     path: /api/v1/docs
  #     port: http

  # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-  # /health/live succeeds while the process answers; /health/ready also
-  # checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
-  # any of them is unreachable.
  livenessProbe:
    failureThreshold: 10
    httpGet:
-      path: /health/live
+      path: /api/v1/docs
      port: http
    periodSeconds: 20
  readinessProbe:
    failureThreshold: 10
    httpGet:
-      path: /health/ready
+      path: /api/v1/docs
      port: http
    periodSeconds: 20

@@ -37,7 +37,7 @@ services:
      neo4j:
        condition: service_healthy
    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -211,7 +211,6 @@ services:
      interval: 10s
      timeout: 5s
      retries: 3
-      start_period: 60s

 volumes:
  outputs:
@@ -33,7 +33,7 @@ services:
      neo4j:
        condition: service_healthy
    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -176,7 +176,6 @@ services:
      interval: 10s
      timeout: 5s
      retries: 3
-      start_period: 60s

 volumes:
  output:
@@ -134,7 +134,7 @@ Example 1 is vague and even potentially ambiguous. Verbs state your purpose and

 Explicit use of second-person pronouns (you) and possessives (your) should be minimized whenever possible. Those constructions are best reserved for cases when instructions are directly given in an imperative form:

-### Example of Improvement Through Avoiding Second Person Pronouns
+**Example of Improvement Through Avoiding Second Person Pronouns**

 **Original:**
 Prowler App can be installed in different ways, depending on your environment:
@@ -236,7 +236,7 @@ The use of bullet points is highly recommended when:
 * Information can be logically divided into multiple categories, each sharing characteristics, features, or other relevant classifications.
 * Items are significant enough as standalone concepts to deserve their own bullet point.

-#### Example of Improvement Through Bullet Points
+**Example of Improvement Through Bullet Points**

 **Original:**
 It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMS, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme), and your custom security frameworks.
@@ -1,730 +0,0 @@
---
-title: 'StackIT Provider'
---
-
-This page details the [StackIT Cloud](https://www.stackit.de/) provider implementation in Prowler.
-
-By default, Prowler audits a single StackIT project per scan. To configure it, provide the project ID and either a service account key file path or inline service account key JSON.
-
-## StackIT Provider Classes Architecture
-
-The StackIT provider implementation follows the general [Provider structure](/developer-guide/provider). This section focuses on the StackIT-specific implementation, highlighting how the generic provider concepts are realized for StackIT in Prowler. For a full overview of the provider pattern, base classes, and extension guidelines, see [Provider documentation](/developer-guide/provider).
-
-### `StackitProvider` (Main Class)
-
- **Location:** [`prowler/providers/stackit/stackit_provider.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/stackit_provider.py)
- **Base Class:** Inherits from `Provider` (see [base class details](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/common/provider.py)).
- **Purpose:** Central orchestrator for StackIT-specific logic, API authentication, credential validation, and configuration.
- **Key StackIT Responsibilities:**
-    - Initializes StackIT SDK authentication via a service account key file or inline service account key JSON. The SDK mints and refreshes access tokens internally.
-    - Validates the service account credentials and project ID (UUID format validation).
-    - Loads and manages configuration, mutelist, and fixer settings.
-    - Provides properties and methods for downstream StackIT service classes to access credentials, identity, and configuration data.
-
-### Data Models
-
- **Location:** [`prowler/providers/stackit/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/models.py)
- **Purpose:** Define structured data for StackIT identity and output configuration.
- **Key StackIT Models:**
-    - `StackITIdentityInfo`: Holds StackIT identity metadata, including project ID and project name (fetched automatically from Resource Manager API).
-    - `StackITOutputOptions`: Customizes default output filenames so StackIT reports include the audited project ID.
-    - IaaS resource models such as `SecurityGroup` and `SecurityGroupRule` are defined in the IaaS service module.
-
-### StackIT Services
-
- **Location:** [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
- **Purpose:** Implement StackIT service clients and resource collection logic following the generic [service pattern](/developer-guide/services#service-base-class).
- **Current Implementation:** The `IaaSService` collects security groups, rules, and network interface usage across supported StackIT regions.
-
-### Exception Handling
-
- **Location:** [`prowler/providers/stackit/exceptions/exceptions.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/exceptions/exceptions.py)
- **Purpose:** Custom exception classes for StackIT-specific error handling, such as credential validation, API connection, and configuration errors.
- **Key Exception Classes:**
-    - `StackITBaseException`: Base exception for all StackIT provider errors.
-    - `StackITCredentialsError`: Raised when credentials are invalid or missing.
-    - `StackITInvalidProjectIdError`: Raised when project ID is invalid or not in UUID format.
-    - `StackITAPIError`: Raised when StackIT API calls fail.
-
-## Authentication
-
-### Service Account Creation and Key Generation
-
-StackIT uses service account keys for API authentication. Service account keys are RSA key-pair based and provide secure, short-lived access tokens.
-
-### Creating a Service Account Key
-
-#### Method 1: Via StackIT Portal
-
-1. **Navigate to Service Accounts**
-   - Go to the [StackIT Portal](https://portal.stackit.cloud/)
-   - Select your project
-   - Click on **Service Accounts** in the left sidebar
-
-2. **Create or Select Service Account**
-   - If you don't have a service account, click **Create Service Account**
-   - Provide a name and description
-   - Assign necessary permissions:
-     - For IaaS security checks: `iaas.viewer` or `project.owner`
-     - For comprehensive audits: `project.owner`
-
-3. **Generate Service Account Key**
-   - Select your service account
-   - Navigate to **Service Account Keys**
-   - Click **Create key**
-   - Choose one of the following options:
-     - **STACKIT-generated key pair** (Recommended): Let STACKIT automatically generate an RSA key-pair
-     - **User-provided key pair**: Upload your own RSA 2048 public key
-
-4. **Download and Save the Key**
-   - Download the generated service account key file (JSON format)
-   - **Important**: Save the key securely - it contains your private key and will only be available once
-   - Store the key file in a secure location (e.g., `~/.stackit/sa_key.json`)
-
-#### Method 2: Via StackIT CLI
-
-```bash
-# Install STACKIT CLI (if not already installed)
-# Follow instructions at: https://github.com/stackitcloud/stackit-cli
-
-# Create service account key (STACKIT-generated)
-stackit service-account key create --email my-service-account@example.com
-
-# Or create with your own RSA 2048 public key
-# First, generate your RSA key pair:
-openssl genrsa -out private-key.pem 2048
-openssl rsa -in private-key.pem -pubout -out public-key.pem
-
-# Then create the key with your public key:
-stackit service-account key create \
-  --email my-service-account@example.com \
-  --public-key "$(cat public-key.pem)"
-```
-
-### Finding Your Project ID
-
-Your StackIT project ID is a UUID that can be found:
-
-1. In the StackIT Portal URL when viewing your project: `https://portal.stackit.cloud/projects/{PROJECT_ID}/...`
-2. In the project settings page
-3. Using the StackIT CLI: `stackit project list`
-
-### Passing the Service Account Key to Prowler
-
-Prowler accepts the service account credentials in two equivalent forms; both go through the same StackIT SDK flow and refresh access tokens internally.
-
-#### Option 1: Key File Path (key persisted on disk)
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
-
-prowler stackit
-```
-
-Or as CLI flags:
-
-```bash
-prowler stackit \
-  --stackit-service-account-key-path ~/.stackit/sa-key.json \
-  --stackit-project-id 12345678-1234-1234-1234-123456789abc
-```
-
-#### Option 2: Inline Key Content (CI/CD, secret managers)
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY="$(vault kv get -field=key stackit/sa)"
-export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
-
-prowler stackit
-```
-
-Prefer the environment variable over the matching `--stackit-service-account-key` CLI flag; passing the secret on the command line leaks it through process listings and shell history.
-
-### Credential Lookup Order
-
-Prowler resolves credentials in this order:
-
-1. **Command-line arguments**:
-   - `--stackit-service-account-key`
-   - `--stackit-service-account-key-path`
-   - `--stackit-project-id`
-2. **Environment variables**:
-   - `STACKIT_SERVICE_ACCOUNT_KEY`
-   - `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
-   - `STACKIT_PROJECT_ID`
-
-When both the inline key and the key file path are set, the inline content takes precedence.
-
-## Configuration
-
-### Command-Line Arguments
-
-StackIT-specific command-line arguments:
-
-| Argument | Description | Required | Default |
-|----------|-------------|----------|---------|
-| `--stackit-service-account-key-path` | Path to a StackIT service account key JSON file | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY_PATH` |
-| `--stackit-service-account-key` | Inline JSON content of a StackIT service account key (preferred env var: `STACKIT_SERVICE_ACCOUNT_KEY`) | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY` |
-| `--stackit-project-id` | StackIT project ID (UUID format) | Yes* | `$STACKIT_PROJECT_ID` |
-| `--stackit-region` | StackIT region(s) to scan | No | All available regions |
-
-\* Required unless provided via environment variables.
-
-### Input Validation
-
-The StackIT provider performs comprehensive input validation:
-
- **Service Account Credentials**:
-  - At least one of `service_account_key_path` (file path) or `service_account_key` (inline JSON) must be supplied; both empty raises `StackITNonExistentTokenError`
-  - When both are provided the inline content takes precedence
-  - The key file path is logged as-is; the inline content is redacted in the credentials box
-
- **Project ID**:
-  - Must not be empty
-  - Must be a valid UUID format (e.g., `12345678-1234-1234-1234-123456789abc`)
-  - Validated using Python's UUID constructor
-
-Invalid credentials will result in clear error messages before any API calls are made.
-
-## Available Services
-
-### IaaS (Infrastructure as a Service)
-
- **Service Class:** `IaaSService`
- **Location:** [`prowler/providers/stackit/services/iaas/iaas_service.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/services/iaas/iaas_service.py)
- **SDK:** Uses the [stackit-iaas](https://pypi.org/project/stackit-iaas/) Python SDK
- **Purpose:** Manages IaaS resources including security groups, servers, and network interfaces.
-
-**Supported Resources:**
- Security Groups and Rules
- Servers (Virtual Machines)
- Network Interfaces (NICs)
-
-**Key Features:**
- Automatic discovery of all security groups in the project
- Security rule parsing with support for unrestricted access detection
- Network interface analysis to determine whether security groups are in use
- By default, reports only security groups attached to at least one NIC; `--scan-unused-services` includes unused security groups too
-
-## Available Checks
-
-The StackIT provider currently implements 4 security checks focused on network security:
-
-### 1. iaas_security_group_ssh_unrestricted
-
- **Severity:** High
- **Description:** Detects security groups that allow unrestricted SSH access (port 22) from the internet.
- **Risk:** Unrestricted SSH access increases the attack surface and risk of brute-force attacks.
- **Detection Logic:**
-  - Checks for ingress rules allowing TCP port 22
-  - Flags rules with `ip_range=None` or `ip_range="0.0.0.0/0"` or `ip_range="::/0"`
-  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
-
-### 2. iaas_security_group_rdp_unrestricted
-
- **Severity:** High
- **Description:** Detects security groups that allow unrestricted RDP access (port 3389) from the internet.
- **Risk:** Unrestricted RDP access enables potential unauthorized remote desktop access.
- **Detection Logic:**
-  - Checks for ingress rules allowing TCP port 3389
-  - Flags unrestricted IP ranges (None, 0.0.0.0/0, ::/0)
-  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
-
-### 3. iaas_security_group_database_unrestricted
-
- **Severity:** High
- **Description:** Detects security groups that allow unrestricted access to common database ports.
- **Monitored Ports:**
-  - MySQL: 3306
-  - PostgreSQL: 5432
-  - MongoDB: 27017
-  - Redis: 6379
-  - SQL Server: 1433
-  - CouchDB: 5984
- **Risk:** Unrestricted database access can lead to data breaches and unauthorized data access.
-
-### 4. iaas_security_group_all_traffic_unrestricted
-
- **Severity:** Critical
- **Description:** Detects security groups that allow all traffic from the internet.
- **Detection Logic:**
-  - Checks for rules with `port_range=None` (all ports)
-  - Checks for rules with port range covering 0-65535 or 1-65535
-  - Flags unrestricted IP ranges
-  - Critical security misconfiguration requiring immediate remediation
-
-### Important Implementation Notes
-
-**Self-Referencing Security Group Rules:**
-
-Security group rules with `remoteSecurityGroupId` set are automatically filtered out from unrestricted access checks. These rules only allow traffic from instances within the same security group (self-referencing), not from the internet, and are therefore not flagged as security risks.
-
-**Rule Display Names:**
-
-All findings include user-friendly rule descriptions when available. If a security group rule has a description field set (the name shown in the StackIT UI), it will be displayed in the finding message along with the rule ID:
- With description: `'Allow SSH from office' (sgr-abc123)`
- Without description: `'sgr-abc123'`
-
-**Network Interface (NIC) Usage Filtering:**
-
-The IaaS service lists project NICs and records the security group IDs attached to them. Checks use that signal to decide whether a security group is in use:
-
-1. **Default behavior:** Report security groups attached to at least one NIC.
-2. **`--scan-unused-services`:** Report every security group, including unused ones.
-3. **FAIL logic:** Internet exposure is driven by security group rules that allow unrestricted source ranges, not by the presence of a public IP on the NIC.
-
-**Unrestricted IP Ranges:**
-
-The StackIT API represents "unrestricted" in two ways:
- **`ip_range=null`**: No IP restriction specified (implicit unrestricted)
- **`ip_range="0.0.0.0/0"` or `"::/0"`**: Explicitly configured to allow all IPs
-
-Both are flagged as unrestricted. A `null` value is **more permissive** than an explicit range and applies to all protocols/ports if other fields are also `null`.
-
-## Requirements
-
-### Python Version
-
- **Minimum:** Python 3.10+
- **Reason:** The StackIT SDK requires Python 3.10 or higher
-
-### Dependencies
-
-The StackIT provider requires the following Python packages (automatically installed with Prowler):
-
- **stackit-core** (v0.2.0): Core SDK for StackIT API authentication and configuration
- **stackit-iaas** (v1.4.0): IaaS service SDK for managing compute resources
- **stackit-resourcemanager** (v0.8.0): Resource Manager SDK for fetching project metadata (e.g., project names)
-
-These dependencies are defined in `pyproject.toml` and installed automatically with:
-
-```bash
-poetry install
-```
-
-**Note:** The `stackit-resourcemanager` package enables automatic retrieval of project names for display in reports. If this package is not available, Prowler will still function normally but project names will be empty in the output.
-
-## Region Support
-
-### Supported Regions
-
- **Available Regions:** `eu01` (Germany South) and `eu02` (Austria West)
- **Default:** All scans use both `eu01` and `eu02` regions by default.
-
-### Multi-Region Scanning
-
-Prowler supports scanning multiple StackIT regions in a single execution. By default, it will scan all regions defined in the `stackit_regions_by_service.json` configuration file.
-
-### CLI Argument
-
-You can specify which regions to scan using the `--stackit-region` argument:
-
-```bash
-# Scan only eu01
-prowler stackit --stackit-region eu01
-
-# Scan both eu01 and eu02
-prowler stackit --stackit-region eu01 eu02
-```
-
-### Implementation Details
-
- **Regional Clients:** Prowler generates a separate API client for each audited region.
- **Service Iteration:** Each service (e.g., IaaS) iterates through the regional clients to fetch and audit resources.
- **Identity Tracking:** The `audited_regions` are stored in the identity model for reporting.
-
-### Future Enhancements
-
-As StackIT adds more regions, they can be easily added to Prowler by updating the `prowler/providers/stackit/stackit_regions_by_service.json` file without requiring code changes.
-
-## Command Examples
-
-### Scan Specific Regions
-
-Scan only the `eu01` region:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --stackit-region eu01
-```
-
-Scan multiple regions:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --stackit-region eu01 eu02
-```
-
-### Scan Specific Checks
-
-Run only SSH unrestricted check:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --checks iaas_security_group_ssh_unrestricted
-```
-
-### Scan All Security Group Checks
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --services iaas
-```
-
-### Output Formats
-
-Generate JSON output:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --output-formats json
-```
-
-Generate HTML report:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --output-formats html
-```
-
-## Known Limitations
-
-### Current Limitations
-
-1. **Single Project Scope**: Only one project can be scanned at a time
-2. **Service Coverage**: Only the IaaS service is currently implemented
-3. **Check Coverage**: Limited to security group network security checks (4 checks total)
-4. **No Compliance Frameworks**: Compliance framework mappings are not yet implemented
-
-### Planned Enhancements
-
- Multi-project scanning capability
- Additional IaaS checks (volume encryption, server public IP exposure, backup status)
- Compliance framework mappings (CIS, custom StackIT best practices)
- StackIT CLI remediation examples in metadata
-
-## Troubleshooting
-
-### Authentication Errors
-
-**Error:** `StackIT service account key was rejected`
-
-**Solutions:**
-1. Re-issue the service account key in the StackIT Portal
-2. Verify the service account key file or inline JSON content is complete
-3. Check that the service account has the necessary permissions (`iaas.viewer` or `project.owner`)
-4. Ensure the service account key is provided through `STACKIT_SERVICE_ACCOUNT_KEY_PATH`, `STACKIT_SERVICE_ACCOUNT_KEY`, or the matching CLI arguments
-
-**Error:** `StackIT credentials not found or are invalid`
-
-**Solutions:**
-1. Ensure the project ID and one service account credential source are provided
-2. Check that credentials are set via environment variables or command-line arguments
-3. Verify there are no extra spaces or newlines in the credentials
-
-**Error:** `Invalid StackIT project ID format`
-
-**Solutions:**
-1. Verify the project ID is a valid UUID format: `12345678-1234-1234-1234-123456789abc`
-2. Copy the project ID directly from the StackIT Portal
-3. Ensure there are no extra spaces or quotes around the UUID
-
-### API Connection Errors
-
-**Error:** `Failed to connect to StackIT API`
-
-**Solutions:**
-1. Check your internet connection
-2. Verify the StackIT API endpoint is accessible from your network
-3. Check if there are any firewall rules blocking HTTPS connections
-4. Review the full error message for specific API error codes
-
-**Error:** `HTTP 403 Forbidden`
-
-**Solutions:**
-1. Verify the service account has the correct permissions
-2. Ensure the project ID is correct and you have access to it
-3. Check that the service account is enabled (not disabled or expired)
-4. Verify the service account key has not been revoked
-
-**Error:** `HTTP 404 Not Found`
-
-**Solutions:**
-1. Verify the project ID exists and is correct
-2. Check that the IaaS service is enabled in your project
-3. Ensure you're using the correct region (eu01)
-
-### Empty Results
-
-**Issue:** No security groups or findings reported
-
-**Solutions:**
-1. Verify that security groups exist in your project
-2. Check that the IaaS service is properly configured
-3. Ensure the service account has `iaas.viewer` permission
-4. Check Prowler logs for any API errors (use `--log-level DEBUG`)
-
-### Debug Mode
-
-Enable debug logging for detailed troubleshooting:
-
-```bash
-export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
-
-prowler stackit \
-  --stackit-project-id "your-project-id" \
-  --log-level DEBUG
-```
-
-This will show:
- API authentication details (with inline service account keys redacted)
- Resource discovery progress
- Security rule parsing details
- Any API errors or warnings
-
-## Specific Patterns in StackIT Services
-
-The generic service pattern is described in [service page](/developer-guide/services#service-structure-and-initialisation). You can find all the currently implemented services in the following locations:
-
- Directly in the code, in location [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
-
-The best reference to understand how to implement a new service is following the [service implementation documentation](/developer-guide/services#adding-a-new-service) and taking other StackIT services as reference.
-
-### StackIT Service Common Patterns
-
- Services communicate with StackIT using the StackIT Python SDK, you can find the documentation [here](https://github.com/stackitcloud/stackit-sdk-python).
- Service constructors receive a `StackitProvider` instance and use it to access credentials, identity, and configuration.
- The provider builds StackIT SDK `Configuration` objects from the service account key path or inline key content.
- Resource containers **must** be initialized in the constructor, typically as lists or dictionaries.
- Do not manipulate `os.environ` for credentials inside services. Use the provider session and SDK configuration helpers.
- All StackIT resources are represented as Pydantic `BaseModel` classes, providing type safety and structured access to resource attributes.
- StackIT SDK calls are wrapped in try/except blocks, with specific handling for API errors, always logging errors.
- **Centralized Error Handling**: Use `provider.handle_api_error(exception)` for consistent authentication error detection across all services.
- **SDK Warning Suppression**: StackIT SDK prints deprecation warnings to stderr - use the `suppress_stderr()` context manager during SDK initialization and API calls.
- **Unrestricted Access Detection**: In StackIT API, `None` values mean "allow all" (more permissive than explicit 0.0.0.0/0).
-  - `protocol=None` → All protocols allowed
-  - `ip_range=None` → All source IPs allowed (unrestricted!)
-  - `port_range=None` → All ports allowed
-  - `remote_security_group_id` set → Only allows traffic from the same security group (not unrestricted!)
-
-### IaaS Service Specific Patterns
-
-**Security Group Discovery:**
-```python
-# List all security groups
-security_groups = client.list_security_groups(
-    project_id=self.project_id,
-    region=region,
-)
-
-# List network interfaces to determine security group usage
-nics = client.list_project_nics(
-    project_id=self.project_id,
-    region=region,
-)
-
-# Checks report in-use security groups by default. Use --scan-unused-services
-# to include security groups that are not attached to any NIC.
-```
-
-**Centralized Authentication Error Handling:**
-```python
-def _handle_api_call(self, api_function, *args, **kwargs):
-    """Wrapper for API calls with centralized error handling."""
-    try:
-        with suppress_stderr():  # Suppress SDK warnings
-            return api_function(*args, **kwargs)
-    except Exception as e:
-        # Use centralized error handler from provider
-        self.provider.handle_api_error(e)  # Detects 401 and raises StackITInvalidTokenError
-```
-
-**Unrestricted Access Detection:**
-```python
-def is_unrestricted(rule):
-    """Check if a rule allows unrestricted access."""
-    # Filter out self-referencing rules
-    if rule.remote_security_group_id is not None:
-        return False
-    # Check for unrestricted IP ranges
-    return rule.ip_range is None or rule.ip_range in ["0.0.0.0/0", "::/0"]
-
-def is_tcp(rule):
-    """Check if a rule applies to TCP protocol."""
-    # None means all protocols (including TCP)
-    return rule.protocol is None or rule.protocol.lower() in ["tcp", "all"]
-
-def includes_port(rule, port):
-    """Check if a rule includes a specific port."""
-    # None means all ports
-    if rule.port_range is None:
-        return True
-    return rule.port_range.min <= port <= rule.port_range.max
-```
-
-## Specific Patterns in StackIT Checks
-
-The StackIT checks pattern is described in [checks page](/developer-guide/checks). You can find all the currently implemented checks:
-
- Directly in the code, within each service folder, each check has its own folder named after the name of the check. (e.g. [`prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted))
- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
-
-The best reference to understand how to implement a new check is following the [check creation documentation](/developer-guide/checks#creating-a-check) and taking other similar StackIT checks as reference.
-
-### Check Report Class
-
-The `CheckReportStackIT` class models a single finding for a StackIT resource in a check report. It is defined in [`prowler/lib/check/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py) and inherits from the generic `Check_Report` base class.
-
-#### Purpose
-
-`CheckReportStackIT` extends the base report structure with StackIT-specific fields, enabling detailed tracking of the resource, project, and location associated with each finding.
-
-#### Constructor and Attribute Population
-
-When you instantiate `CheckReportStackIT`, you must provide the check metadata and a resource object. The class will attempt to automatically populate its StackIT-specific attributes from the resource, using the following logic:
-
- **`resource_id`**:
-    - Uses `resource.id` if present.
-    - Otherwise, uses `resource.resource_id` if present.
-    - Defaults to an empty string if none are available.
-
- **`resource_name`**:
-    - Uses `resource.name` if present.
-    - Defaults to an empty string if not available.
-
- **`project_id`**:
-    - Uses `resource.project_id` if present.
-    - Defaults to an empty string if not available (should be set in check logic).
-
- **`location`**:
-    - Uses `resource.region` if present.
-    - Otherwise, uses `resource.location` if present.
-    - Defaults to an empty string if not available.
-
-If the resource object does not contain the required attributes, you must set them manually in the check logic.
-
-Other attributes are inherited from the `Check_Report` class, from which you **always** have to set the `status` and `status_extended` attributes in the check logic.
-
-#### Example Usage
-
-```python
-from prowler.lib.check.models import CheckReportStackIT
-
-report = CheckReportStackIT(
-    metadata=self.metadata(),
-    resource=security_group
-)
-report.status = "FAIL"
-report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
-report.resource_id = security_group.id
-report.resource_name = security_group.name
-report.project_id = security_group.project_id
-report.location = security_group.region
-```
-
-### Common Check Pattern
-
-```python
-from prowler.lib.check.models import Check, CheckReportStackIT
-from prowler.providers.stackit.services.iaas.iaas_client import iaas_client
-
-class iaas_security_group_ssh_unrestricted(Check):
-    """Check if IaaS security groups allow unrestricted SSH access."""
-
-    def execute(self):
-        findings = []
-
-        for security_group in iaas_client.security_groups:
-            if not (iaas_client.scan_unused_services or security_group.in_use):
-                continue
-
-            report = CheckReportStackIT(
-                metadata=self.metadata(),
-                resource=security_group
-            )
-            report.status = "PASS"
-            report.status_extended = f"Security group {security_group.name} does not allow unrestricted SSH access."
-
-            # Check each rule
-            for rule in security_group.rules:
-                if (rule.is_ingress() and
-                    rule.is_tcp() and
-                    rule.includes_port(22) and
-                    rule.is_unrestricted()):
-                    report.status = "FAIL"
-                    report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
-                    break
-
-            findings.append(report)
-
-        return findings
-```
-
-## Resources
-
-### Official StackIT Documentation
-
- **StackIT Portal**: [https://portal.stackit.cloud/](https://portal.stackit.cloud/)
- **StackIT Documentation**: [https://docs.stackit.cloud/](https://docs.stackit.cloud/)
- **StackIT API Documentation**: [https://docs.api.eu01.stackit.cloud/](https://docs.api.eu01.stackit.cloud/)
-
-### Python SDK
-
- **StackIT Python SDK (GitHub)**: [https://github.com/stackitcloud/stackit-sdk-python](https://github.com/stackitcloud/stackit-sdk-python)
- **stackit-core (PyPI)**: [https://pypi.org/project/stackit-core/](https://pypi.org/project/stackit-core/)
- **stackit-iaas (PyPI)**: [https://pypi.org/project/stackit-iaas/](https://pypi.org/project/stackit-iaas/)
- **IaaS Models**: [https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models](https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models)
-
-### Prowler Resources
-
- **Provider Implementation**: [`prowler/providers/stackit/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/)
- **IaaS Service**: [`prowler/providers/stackit/services/iaas/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/)
- **Prowler Hub**: [https://hub.prowler.com/](https://hub.prowler.com/)
- **GitHub Issues**: [https://github.com/prowler-cloud/prowler/issues](https://github.com/prowler-cloud/prowler/issues)
-
-## Contributing
-
-If you'd like to contribute to the StackIT provider:
-
-1. **Add New Checks**: Follow the [check creation guide](/developer-guide/checks#creating-a-check) and use existing StackIT checks as templates
-2. **Enhance Services**: Implement additional IaaS resource discovery or add new services
-3. **Improve Documentation**: Add metadata enhancements, CLI remediation examples, or Terraform code samples
-4. **Report Issues**: Submit bug reports or feature requests on [GitHub](https://github.com/prowler-cloud/prowler/issues)
-
-### Quick Start for Contributors
-
-1. **Install dependencies**: `poetry install` (includes stackit-core and stackit-iaas)
-2. **Set credentials**: Export `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PROJECT_ID`
-3. **Run checks**: `prowler stackit`
-4. **View code**: Start in `prowler/providers/stackit/`
-5. **Add checks**: Create new check directories under `services/iaas/`
-6. **Run tests**: `poetry run pytest tests/providers/stackit/ -v`
-
-### Code Quality Standards
-
-The StackIT provider should follow the same quality expectations as the rest of the Prowler SDK:
-
- Keep service and check logic covered by unit tests.
- Redact inline service account keys from generated output.
- Keep documentation aligned with the implemented services and checks.
- Follow existing provider, service, and check patterns before adding StackIT-specific abstractions.
--- a/Show More
+++ b/Show More