chore(changelog): prepare for v5.29.3 (#11506 )

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
fix(gcp): honour org-aggregated sinks in metric-filter checks (#11501 )
2026-06-10 13:32:44 +00:00 · 2026-06-09 08:18:24 +02:00 · 2026-06-08 16:58:05 +02:00 · 2026-06-08 14:00:34 +02:00 · 2026-06-08 12:24:52 +02:00 · 2026-06-05 13:48:21 +02:00
476 changed files with 24535 additions and 3353 deletions
@@ -11,7 +11,14 @@ envs = "wt step copy-ignored"
 [[pre-start]]
 deps = "uv sync"

-# Block 3: reminder - last visible output before `wt switch` returns.
+# Block 3: prepare pnpm via corepack.
+[[pre-start]]
+corepack-enable = "corepack enable"
+
+[[pre-start]]
+corepack-install = "cd ui && corepack install"
+
+# Block 4: reminder - last visible output before `wt switch` returns.
 # Hooks can't mutate the parent shell, so venv activation is manual.
 [[pre-start]]
 reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.29.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.29.3

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -0,0 +1,60 @@
+name: 'Docs: Markdown Lint'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  markdown-lint:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: ui/.nvmrc
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
+          run_install: false
+
+      - name: Run markdownlint
+        # Pin must match .pre-commit-config.yaml so prek and CI behave identically.
+        # pnpm dlx doesn't accept --ignore-scripts as a flag; the env var
+        # disables postinstall scripts on transitives the same way.
+        env:
+          pnpm_config_ignore_scripts: 'true'
+        run: pnpm dlx markdownlint-cli@0.45.0 '**/*.md'
@@ -541,6 +541,54 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-vercel
          files: ./vercel_coverage.xml

+      # Scaleway Provider
+      - name: Check if Scaleway files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-scaleway
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/scaleway/**
+            ./tests/**/scaleway/**
+            ./uv.lock
+
+      - name: Run Scaleway tests
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/scaleway --cov-report=xml:scaleway_coverage.xml tests/providers/scaleway
+
+      - name: Upload Scaleway coverage to Codecov
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-scaleway
+          files: ./scaleway_coverage.xml
+
+      # StackIT Provider
+      - name: Check if StackIT files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-stackit
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/stackit/**
+            ./tests/**/stackit/**
+            ./uv.lock
+
+      - name: Run StackIT tests
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/stackit --cov-report=xml:stackit_coverage.xml tests/providers/stackit
+
+      - name: Upload StackIT coverage to Codecov
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-stackit
+          files: ./stackit_coverage.xml
+
      # Lib
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -172,7 +172,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: '24.13.0'
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -16,7 +16,6 @@ concurrency:

 env:
  UI_WORKING_DIR: ./ui
-  NODE_VERSION: "24.13.0"

 permissions: {}

@@ -93,11 +92,11 @@ jobs:
            ui/vitest.config.ts
            ui/vitest.setup.ts

-      - name: Setup Node.js ${{ env.NODE_VERSION }}
+      - name: Setup Node.js
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: ${{ env.NODE_VERSION }}
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -0,0 +1,10 @@
+{
+  "extends": "markdownlint/style/prettier",
+  "first-line-h1": false,
+  "no-duplicate-heading": {
+    "siblings_only": true
+  },
+  "no-inline-html": false,
+  "line-length": false,
+  "no-bare-urls": false
+}
@@ -0,0 +1,16 @@
+node_modules/
+ui/node_modules/
+.git/
+.venv/
+**/.venv/
+dist/
+build/
+htmlcov/
+.next/
+ui/.next/
+ui/out/
+contrib/
+
+# Auto-generated content (keepachangelog format legitimately repeats section headings).
+# Revisit with the team — see beads task on markdownlint rule triage.
+**/CHANGELOG.md
@@ -133,6 +133,13 @@ repos:
        pass_filenames: false
        priority: 50

+  ## MARKDOWN
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        priority: 30
+
  ## CONTAINERS
  - repo: https://github.com/hadolint/hadolint
    rev: v2.14.0
@@ -11,6 +11,7 @@
 Use these skills for detailed patterns on-demand:

 ### Generic Skills (Any Project)
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
@@ -28,6 +29,7 @@ Use these skills for detailed patterns on-demand:
 | `tdd` | Test-Driven Development workflow | [SKILL.md](skills/tdd/SKILL.md) |

 ### Prowler-Specific Skills
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
@@ -1,4 +1,4 @@
-# Do you want to learn on how to...
+# Do you want to learn on how to

 - [Contribute with your code or fixes to Prowler](https://docs.prowler.com/developer-guide/introduction)
 - [Create a new provider](https://docs.prowler.com/developer-guide/provider)
@@ -32,5 +32,6 @@ Provider-specific developer notes:

 Want some swag as appreciation for your contribution?

-# Prowler Developer Guide
-https://goto.prowler.com/devguide
+## Prowler Developer Guide
+
+<https://goto.prowler.com/devguide>
@@ -1,6 +1,6 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
@@ -22,8 +22,8 @@
  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
-  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img alt="Codecov coverage" src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img alt="Linux Foundation insights health score" src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,7 +36,7 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" alt="Prowler Cloud demo" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
 </p>

 # Description
@@ -122,6 +122,7 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
 | Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
+| StackIT [Contact us](https://prowler.com/contact) | 4 | 1 | 0 | 1 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -146,11 +147,11 @@ Prowler App offers flexible installation methods tailored to various environment

 ### Docker Compose

-**Requirements**
+#### Requirements

-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands**
+#### Commands

 ``` console
 VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
@@ -175,14 +176,14 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 ### From GitHub

-**Requirements**
+#### Requirements

-* `git` installed.
-* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `git` installed.
+- `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+- `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands to run the API**
+#### Commands to run the API

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -199,7 +200,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

-**Commands to run the API Worker**
+#### Commands to run the API Worker

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -212,7 +213,7 @@ cd src/backend
 python -m celery -A config.celery worker -l info -E
 ```

-**Commands to run the API Scheduler**
+#### Commands to run the API Scheduler

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -225,7 +226,7 @@ cd src/backend
 python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
 ```

-**Commands to run the UI**
+#### Commands to run the UI

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -237,7 +238,7 @@ pnpm start

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

-**Pre-commit Hooks Setup**
+#### Pre-commit Hooks Setup

 Some pre-commit hooks require tools installed on your system:

@@ -257,14 +258,14 @@ prowler -v

 ### Containers

-**Available Versions of Prowler CLI**
+#### Available Versions of Prowler CLI

 The following versions of Prowler CLI are available, depending on your requirements:

 - `latest`: Synchronizes with the `master` branch. Note that this version is not stable.
 - `v4-latest`: Synchronizes with the `v4` branch. Note that this version is not stable.
 - `v3-latest`: Synchronizes with the `v3` branch. Note that this version is not stable.
- `<x.y.z>` (release): Stable releases corresponding to specific versions. You can find the complete list of releases [here](https://github.com/prowler-cloud/prowler/releases).
+- `<x.y.z>` (release): Stable releases corresponding to specific versions. See the [complete list of Prowler releases](https://github.com/prowler-cloud/prowler/releases).
 - `stable`: Always points to the latest release.
 - `v4-stable`: Always points to the latest release for v4.
 - `v3-stable`: Always points to the latest release for v3.
@@ -293,7 +294,7 @@ python prowler-cli.py -v

 # 🛡️ GitHub Action

-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
+The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.

 ```yaml
 name: Prowler IaC Scan
@@ -338,7 +339,7 @@ Full configuration, per-provider authentication, and SARIF examples: [Prowler Gi

 ## Prowler CLI

-**Running Prowler**
+### Running Prowler

 Prowler can be executed across various environments, offering flexibility to meet your needs. It can be run from:

@@ -22,7 +22,7 @@ inputs:
    required: false
    default: json-ocsf
  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
+    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli
    required: false
    default: "false"
  flags:
@@ -299,7 +299,7 @@ runs:
            echo ""
            echo "**Get started in 3 steps:**"
            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
+            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli))"
            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
            echo ""
            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
@@ -10,7 +10,7 @@
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns

-### Auto-invoke Skills
+## Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -81,7 +81,7 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 ## DECISION TREES

 ### Serializer Selection
-```
+```text
 Read → <Model>Serializer
 Create → <Model>CreateSerializer
 Update → <Model>UpdateSerializer
@@ -89,7 +89,7 @@ Nested read → <Model>IncludeSerializer
 ```

 ### Task vs View
-```
+```text
 < 100ms → View
 > 100ms or external API → Celery task
 Needs retry → Celery task
@@ -105,7 +105,7 @@ Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | Pos

 ## PROJECT STRUCTURE

-```
+```text
 api/src/backend/
 ├── api/                    # Main Django app
 │   ├── v1/                # API version 1 (views, serializers, urls)
@@ -2,11 +2,29 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.30.0] (Prowler UNRELEASED)
+## [1.30.3] (Prowler v5.29.3)
+
+### 🐞 Fixed
+
+- API startup no longer crashes when Neo4j is unreachable, as the Neo4j driver now connects lazily on first use rather than during app initialization [(#11491)](https://github.com/prowler-cloud/prowler/pull/11491)
+
+---
+
+## [1.30.1] (Prowler v5.29.1)
+
+### 🐞 Fixed
+
+- `GET /api/v1/findings` N+1 query loading `resources__tags` when listing findings [(#11420)](https://github.com/prowler-cloud/prowler/pull/11420)
+- Clean up the scan tmp output directory when `scan-report` fails so partial files do not accumulate and fill the worker disk (`No space left on device`) [(#11421)](https://github.com/prowler-cloud/prowler/pull/11421)
+
+---
+
+## [1.30.0] (Prowler v5.29.0)

 ### 🔄 Changed

 - Scan finding ingestion: bulk-resolve `Resource`/`ResourceTag` rows, replace per-mapping `SELECT FOR UPDATE` with deferred `ResourceTagMapping.bulk_create(ignore_conflicts=True)`, wrap each micro-batch in a single `rls_transaction`, and raise `SCAN_DB_BATCH_SIZE` to 1000 [(#11249)](https://github.com/prowler-cloud/prowler/pull/11249)
+- Faster `GET /api/v1/finding-groups/latest` aggregation on tenants where one recent scan holds most findings [(#11380)](https://github.com/prowler-cloud/prowler/pull/11380)

 ---

@@ -2,7 +2,7 @@

 This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.

-# Components
+## Components
 The Prowler API is composed of the following components:

 - The JSON API, which is an API built with Django Rest Framework.
@@ -10,13 +10,13 @@ The Prowler API is composed of the following components:
 - The PostgreSQL database, which is used to store the data.
 - The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.

-## Note about Valkey
+### Note about Valkey

 [Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.

 Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.

-# Modify environment variables
+## Modify environment variables

 Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.

@@ -24,7 +24,7 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t

 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

-## Local deployment
+### Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:
@@ -34,12 +34,12 @@ set -a
 source .env
 ```

-# 🚀 Production deployment
-## Docker deployment
+## 🚀 Production deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -50,13 +50,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile prod build
 ```

-### Run the production service
+#### Run the production service

 This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -68,7 +68,7 @@ You can access the server in `http://localhost:8080`.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the Production Server Logs
+#### View the Production Server Logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -133,13 +133,13 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.

-# 🧪 Development guide
+## 🧪 Development guide

-## Local deployment
+### Local deployment

 To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -150,7 +150,7 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Start the PostgreSQL Database and Valkey
+#### Start the PostgreSQL Database and Valkey

 The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.

@@ -161,7 +161,7 @@ The PostgreSQL database (version 16.3) and Valkey (version 7) are required for t
 docker compose up postgres valkey -d
 ```

-### Install the Python dependencies
+#### Install the Python dependencies

 > You must have uv installed

@@ -169,7 +169,7 @@ docker compose up postgres valkey -d
 uv sync
 ```

-### Apply migrations
+#### Apply migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -178,7 +178,7 @@ cd src/backend
 python manage.py migrate --database admin
 ```

-### Run the Django development server
+#### Run the Django development server

 ```console
 cd src/backend
@@ -188,7 +188,7 @@ python manage.py runserver
 You can access the server in `http://localhost:8000`.
 All changes in the code will be automatically reloaded in the server.

-### Run the Celery worker
+#### Run the Celery worker

 ```console
 python -m celery -A config.celery worker -l info -E
@@ -196,11 +196,11 @@ python -m celery -A config.celery worker -l info -E

 The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.

-## Docker deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -211,13 +211,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile dev build
 ```

-### Run the development service
+#### Run the development service

 This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -230,7 +230,7 @@ All changes in the code will be automatically reloaded in the server.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the development server logs
+#### View the development server logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -238,7 +238,7 @@ To view the logs for any component (e.g., Django, Celery worker), you can use th
 docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 ```

-## Applying migrations
+### Applying migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -247,7 +247,7 @@ cd src/backend
 uv run python manage.py migrate --database admin
 ```

-## Apply fixtures
+### Apply fixtures

 Fixtures are used to populate the database with initial development data.

@@ -258,7 +258,7 @@ uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`

-## Run tests
+### Run tests

 Note that the tests will fail if you use the same `.env` file as the development environment.

@@ -269,7 +269,7 @@ cd src/backend
 uv run pytest
 ```

-# Custom commands
+## Custom commands

 Django provides a way to create custom commands that can be run from the command line.

@@ -281,7 +281,7 @@ To run a custom command, you need to be in the `prowler/api/src/backend` directo
 uv run python manage.py <command_name>
 ```

-## Generate dummy data
+### Generate dummy data

 ```console
 python manage.py findings --tenant
@@ -298,7 +298,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 >
 > The last step is required to access the findings details, since the UI needs that to print all the information.

-### Example
+#### Example

 ```console
 ~/backend $ uv run python manage.py findings --tenant
@@ -43,7 +43,7 @@ dependencies = [
  "defusedxml==0.7.1",
  "gunicorn==23.0.0",
  "lxml==6.1.0",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.29",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (==1.3.0)",
  "sentry-sdk[django] (==2.56.0)",
@@ -68,7 +68,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.30.0"
+version = "1.30.3"

 [tool.uv]
 # Transitive pins matching master to avoid silent drift; bump deliberately.
@@ -1,12 +1,14 @@
 import logging
 import os
 import sys
+
 from pathlib import Path

+from django.apps import AppConfig
+from django.conf import settings
+
 from config.custom_logging import BackendLogger
 from config.env import env
-from django.apps import AppConfig
-from django.conf import settings

 logger = logging.getLogger(BackendLogger.API)

@@ -30,7 +32,6 @@ class ApiConfig(AppConfig):
    def ready(self):
        from api import schema_extensions  # noqa: F401
        from api import signals  # noqa: F401
-        from api.attack_paths import database as graph_database

        # Generate required cryptographic keys if not present, but only if:
        #   `"manage.py" not in sys.argv[0]`: If an external server (e.g., Gunicorn) is running the app
@@ -41,37 +42,8 @@ class ApiConfig(AppConfig):
        ):
            self._ensure_crypto_keys()

-        # Commands that don't need Neo4j
-        SKIP_NEO4J_DJANGO_COMMANDS = [
-            "makemigrations",
-            "migrate",
-            "pgpartition",
-            "check",
-            "help",
-            "showmigrations",
-            "check_and_fix_socialaccount_sites_migration",
-        ]
-
-        # Skip eager Neo4j init for tests, some Django commands, and Celery (prefork pool: driver must stay lazy, no post_fork hook)
-        if getattr(settings, "TESTING", False) or (
-            len(sys.argv) > 1
-            and (
-                (
-                    "manage.py" in sys.argv[0]
-                    and sys.argv[1] in SKIP_NEO4J_DJANGO_COMMANDS
-                )
-                or "celery" in sys.argv[0]
-            )
-        ):
-            logger.info(
-                "Skipping eager Neo4j init: tests, some Django commands, or Celery prefork pool (driver stays lazy)"
-            )
-
-        else:
-            graph_database.init_driver()
-
-        # Neo4j driver is initialized at API startup (see api.attack_paths.database)
-        # It remains lazy for Celery workers and selected Django commands
+        # Neo4j driver is created lazily on first use (see api.attack_paths.database).
+        # App init never contacts Neo4j, so a Neo4j outage cannot block API startup.

    def _ensure_crypto_keys(self):
        """
@@ -1,22 +1,24 @@
 import atexit
 import logging
 import threading
+
 from contextlib import contextmanager
 from typing import Any, Iterator
 from uuid import UUID

 import neo4j
 import neo4j.exceptions
+
 from config.env import env
 from django.conf import settings
+
+from api.attack_paths.retryable_session import RetryableSession
 from tasks.jobs.attack_paths.config import (
    BATCH_SIZE,
    PROVIDER_RESOURCE_LABEL,
    get_provider_label,
 )

-from api.attack_paths.retryable_session import RetryableSession
-
 # Without this Celery goes crazy with Neo4j logging
 logging.getLogger("neo4j").setLevel(logging.ERROR)
 logging.getLogger("neo4j").propagate = False
@@ -28,6 +30,9 @@ READ_QUERY_TIMEOUT_SECONDS = env.int(
    "ATTACK_PATHS_READ_QUERY_TIMEOUT_SECONDS", default=30
 )
 MAX_CUSTOM_QUERY_NODES = env.int("ATTACK_PATHS_MAX_CUSTOM_QUERY_NODES", default=250)
+# Shorter than CONN_ACQUISITION_TIMEOUT — the driver requires acquisition to be
+# the longer of the two (it may include opening a new connection).
+CONNECTION_TIMEOUT = env.int("NEO4J_CONNECTION_TIMEOUT", default=5)
 CONN_ACQUISITION_TIMEOUT = env.int("NEO4J_CONN_ACQUISITION_TIMEOUT", default=15)
 READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
@@ -58,15 +63,24 @@ def init_driver() -> neo4j.Driver:
            uri = get_uri()
            config = settings.DATABASES["neo4j"]

-            _driver = neo4j.GraphDatabase.driver(
+            driver = neo4j.GraphDatabase.driver(
                uri,
                auth=(config["USER"], config["PASSWORD"]),
                keep_alive=True,
                max_connection_lifetime=7200,
+                connection_timeout=CONNECTION_TIMEOUT,
                connection_acquisition_timeout=CONN_ACQUISITION_TIMEOUT,
                max_connection_pool_size=50,
            )
-            _driver.verify_connectivity()
+            # Publish the singleton only after connectivity is verified so a
+            # failed probe does not leave an unverified driver behind. Close the
+            # driver on failure so a repeatedly-probed outage cannot leak pools.
+            try:
+                driver.verify_connectivity()
+            except Exception:
+                driver.close()
+                raise
+            _driver = driver

            # Register cleanup handler (only runs once since we're inside the _driver is None block)
            atexit.register(close_driver)
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.30.0
+  version: 1.30.3
  description: |-
    Prowler API specification.

@@ -182,23 +182,19 @@ def _make_app():
    return ApiConfig("api", api)


-def test_ready_initializes_driver_for_api_process(monkeypatch):
+@pytest.mark.parametrize(
+    "argv",
+    [
+        ["gunicorn"],
+        ["celery", "-A", "api"],
+        ["manage.py", "migrate"],
+    ],
+    ids=["api", "celery", "manage_py"],
+)
+def test_ready_never_eagerly_initializes_neo4j_driver(monkeypatch, argv):
+    """ready() must never contact Neo4j; the driver is created lazily on first use."""
    config = _make_app()
-    _set_argv(monkeypatch, ["gunicorn"])
-    _set_testing(monkeypatch, False)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_called_once()
-
-
-def test_ready_skips_driver_for_celery(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["celery", "-A", "api"])
+    _set_argv(monkeypatch, argv)
    _set_testing(monkeypatch, False)

    with (
@@ -208,31 +204,3 @@ def test_ready_skips_driver_for_celery(monkeypatch):
        config.ready()

    init_driver.assert_not_called()
-
-
-def test_ready_skips_driver_for_manage_py_skip_command(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["manage.py", "migrate"])
-    _set_testing(monkeypatch, False)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_not_called()
-
-
-def test_ready_skips_driver_when_testing(monkeypatch):
-    config = _make_app()
-    _set_argv(monkeypatch, ["gunicorn"])
-    _set_testing(monkeypatch, True)
-
-    with (
-        patch.object(ApiConfig, "_ensure_crypto_keys", return_value=None),
-        patch("api.attack_paths.database.init_driver") as init_driver,
-    ):
-        config.ready()
-
-    init_driver.assert_not_called()
@@ -1,15 +1,16 @@
 """
 Tests for Neo4j database lazy initialization.

-The Neo4j driver connects on first use by default. API processes may
-eagerly initialize the driver during app startup, while Celery workers
-remain lazy. These tests validate the database module behavior itself.
+The Neo4j driver is created on first use for every process type; app startup
+never contacts Neo4j. These tests validate the database module behavior itself.
 """

 import threading
+
 from unittest.mock import MagicMock, patch

 import neo4j
+import neo4j.exceptions
 import pytest

 import api.attack_paths.database as db_module
@@ -59,6 +60,32 @@ class TestLazyInitialization:
        assert result is mock_driver
        assert db_module._driver is mock_driver

+    @patch("api.attack_paths.database.settings")
+    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
+    def test_init_driver_leaves_driver_none_when_verify_fails(
+        self, mock_driver_factory, mock_settings
+    ):
+        """A failed verify_connectivity() must not publish or leak the driver."""
+        mock_driver = MagicMock()
+        mock_driver.verify_connectivity.side_effect = (
+            neo4j.exceptions.ServiceUnavailable("down")
+        )
+        mock_driver_factory.return_value = mock_driver
+        mock_settings.DATABASES = {
+            "neo4j": {
+                "HOST": "localhost",
+                "PORT": 7687,
+                "USER": "neo4j",
+                "PASSWORD": "password",
+            }
+        }
+
+        with pytest.raises(neo4j.exceptions.ServiceUnavailable):
+            db_module.init_driver()
+
+        assert db_module._driver is None
+        mock_driver.close.assert_called_once()
+
    @patch("api.attack_paths.database.settings")
    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
    def test_init_driver_returns_cached_driver_on_subsequent_calls(
@@ -116,21 +143,23 @@ class TestConnectionAcquisitionTimeout:
    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        original_driver = db_module._driver
-        original_timeout = db_module.CONN_ACQUISITION_TIMEOUT
+        original_acq_timeout = db_module.CONN_ACQUISITION_TIMEOUT
+        original_conn_timeout = db_module.CONNECTION_TIMEOUT

        db_module._driver = None

        yield

        db_module._driver = original_driver
-        db_module.CONN_ACQUISITION_TIMEOUT = original_timeout
+        db_module.CONN_ACQUISITION_TIMEOUT = original_acq_timeout
+        db_module.CONNECTION_TIMEOUT = original_conn_timeout

    @patch("api.attack_paths.database.settings")
    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
    def test_driver_receives_configured_timeout(
        self, mock_driver_factory, mock_settings
    ):
-        """init_driver() should pass CONN_ACQUISITION_TIMEOUT to the neo4j driver."""
+        """init_driver() should pass the configured timeouts to the neo4j driver."""
        mock_driver_factory.return_value = MagicMock()
        mock_settings.DATABASES = {
            "neo4j": {
@@ -141,11 +170,13 @@ class TestConnectionAcquisitionTimeout:
            }
        }
        db_module.CONN_ACQUISITION_TIMEOUT = 42
+        db_module.CONNECTION_TIMEOUT = 7

        db_module.init_driver()

        _, kwargs = mock_driver_factory.call_args
        assert kwargs["connection_acquisition_timeout"] == 42
+        assert kwargs["connection_timeout"] == 7


 class TestAtexitRegistration:
@@ -24,9 +24,11 @@ from conftest import (
    today_after_n_days,
 )
 from django.conf import settings
+from django.db import connection
 from django.db.models import Count
 from django.http import JsonResponse
 from django.test import RequestFactory
+from django.test.utils import CaptureQueriesContext
 from django.urls import reverse
 from django_celery_results.models import TaskResult
 from rest_framework import status
@@ -64,6 +66,7 @@ from api.models import (
    ProviderSecret,
    Resource,
    ResourceFindingMapping,
+    ResourceTag,
    Role,
    RoleProviderGroupRelationship,
    SAMLConfiguration,
@@ -3856,16 +3859,20 @@ class TestScanViewSet:
        scan.output_location = "dummy"
        scan.save()

-        dummy_task = Task.objects.create(tenant_id=scan.tenant_id)
-        dummy_task.id = "dummy-task-id"
-        dummy_task_data = {"id": dummy_task.id, "state": StateChoices.EXECUTING}
+        task_result = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan-report",
+            task_kwargs={"scan_id": str(scan.id)},
+        )
+        task = Task.objects.create(
+            tenant_id=scan.tenant_id,
+            task_runner_task=task_result,
+        )
+        dummy_task_data = {"id": str(task.id), "state": StateChoices.EXECUTING}

-        with (
-            patch("api.v1.views.Task.objects.get", return_value=dummy_task),
-            patch(
-                "api.v1.views.TaskSerializer",
-                return_value=type("DummySerializer", (), {"data": dummy_task_data}),
-            ),
+        with patch(
+            "api.v1.views.TaskSerializer",
+            return_value=type("DummySerializer", (), {"data": dummy_task_data}),
        ):
            url = reverse("scan-report", kwargs={"pk": scan.id})
            response = authenticated_client.get(url)
@@ -4186,6 +4193,88 @@ class TestScanViewSet:
        assert resp.status_code == status.HTTP_302_FOUND
        assert resp["Location"] == presigned_url

+    def test_compliance_s3_returns_latest_match(
+        self, authenticated_client, scans_fixture, monkeypatch
+    ):
+        """When several files match, the most recently modified one is served."""
+        scan = scans_fixture[0]
+        bucket = "bucket"
+        scan.output_location = f"s3://{bucket}/path/scan.zip"
+        scan.state = StateChoices.COMPLETED
+        scan.save()
+
+        monkeypatch.setattr(
+            "api.v1.views.env",
+            type("env", (), {"str": lambda self, *args, **kwargs: "test-bucket"})(),
+        )
+
+        old_key = "path/compliance/prowler-output-aws-20240101000000_cis_1.4_aws.csv"
+        latest_key = "path/compliance/prowler-output-aws-20240202000000_cis_1.4_aws.csv"
+
+        class FakeS3Client:
+            def list_objects_v2(self, Bucket, Prefix):
+                return {
+                    "Contents": [
+                        {
+                            "Key": old_key,
+                            "LastModified": datetime(2024, 1, 1, tzinfo=timezone.utc),
+                        },
+                        {
+                            "Key": latest_key,
+                            "LastModified": datetime(2024, 2, 2, tzinfo=timezone.utc),
+                        },
+                    ]
+                }
+
+            def generate_presigned_url(self, ClientMethod, Params, ExpiresIn):
+                assert Params["Key"] == latest_key
+                return "https://test-bucket.s3.amazonaws.com/latest"
+
+        monkeypatch.setattr("api.v1.views.get_s3_client", lambda: FakeS3Client())
+
+        url = reverse("scan-compliance", kwargs={"pk": scan.id, "name": "cis_1.4_aws"})
+        resp = authenticated_client.get(url)
+        assert resp.status_code == status.HTTP_302_FOUND
+        assert resp["Location"].endswith("/latest")
+
+    def test_compliance_local_returns_latest_match(
+        self, authenticated_client, scans_fixture, monkeypatch
+    ):
+        """The local branch serves the most recently modified matching file."""
+        scan = scans_fixture[0]
+        scan.state = StateChoices.COMPLETED
+
+        with tempfile.TemporaryDirectory() as tmp:
+            comp_dir = Path(tmp) / "reports" / "compliance"
+            comp_dir.mkdir(parents=True, exist_ok=True)
+
+            old_file = comp_dir / "prowler-output-aws-20240101000000_cis_1.4_aws.csv"
+            old_file.write_bytes(b"old")
+            latest_file = comp_dir / "prowler-output-aws-20240202000000_cis_1.4_aws.csv"
+            latest_file.write_bytes(b"latest")
+            # Make `latest_file` newer regardless of creation order.
+            os.utime(old_file, (1_700_000_000, 1_700_000_000))
+            os.utime(latest_file, (1_700_000_100, 1_700_000_100))
+
+            scan.output_location = str(Path(tmp) / "reports" / "scan.zip")
+            scan.save()
+
+            monkeypatch.setattr(
+                glob,
+                "glob",
+                lambda p: [str(old_file), str(latest_file)],
+            )
+
+            url = reverse(
+                "scan-compliance", kwargs={"pk": scan.id, "name": "cis_1.4_aws"}
+            )
+            resp = authenticated_client.get(url)
+            assert resp.status_code == status.HTTP_200_OK
+            assert resp.content == b"latest"
+            assert resp["Content-Disposition"].endswith(
+                f'filename="{latest_file.name}"'
+            )
+
    def test_compliance_s3_not_found(
        self, authenticated_client, scans_fixture, monkeypatch
    ):
@@ -4294,18 +4383,24 @@ class TestScanViewSet:
            assert cd.startswith('attachment; filename="')
            assert cd.endswith(f'filename="{fname.name}"')

-    @patch("api.v1.views.Task.objects.get")
    @patch("api.v1.views.TaskSerializer")
    def test__get_task_status_returns_none_if_task_not_executing(
-        self, mock_task_serializer, mock_task_get, authenticated_client, scans_fixture
+        self, mock_task_serializer, authenticated_client, scans_fixture
    ):
        scan = scans_fixture[0]
        scan.state = StateChoices.COMPLETED
        scan.output_location = "dummy"
        scan.save()

-        task = Task.objects.create(tenant_id=scan.tenant_id)
-        mock_task_get.return_value = task
+        task_result = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan-report",
+            task_kwargs={"scan_id": str(scan.id)},
+        )
+        task = Task.objects.create(
+            tenant_id=scan.tenant_id,
+            task_runner_task=task_result,
+        )
        mock_task_serializer.return_value.data = {
            "id": str(task.id),
            "state": StateChoices.COMPLETED,
@@ -4326,6 +4421,7 @@ class TestScanViewSet:
        scan.save()

        task_result = TaskResult.objects.create(
+            task_id=str(uuid4()),
            task_name="scan-report",
            task_kwargs={"scan_id": str(scan.id)},
        )
@@ -4346,6 +4442,51 @@ class TestScanViewSet:
        assert response.status_code == status.HTTP_202_ACCEPTED
        assert response.data["id"] == str(task.id)

+    @patch("api.v1.views.TaskSerializer")
+    def test__get_task_status_returns_latest_task(
+        self, mock_task_serializer, authenticated_client, scans_fixture
+    ):
+        """With several scan-report tasks for the scan, the most recent is used."""
+        scan = scans_fixture[0]
+        scan.state = StateChoices.COMPLETED
+        scan.output_location = "dummy"
+        scan.save()
+
+        old_task = Task.objects.create(
+            tenant_id=scan.tenant_id,
+            task_runner_task=TaskResult.objects.create(
+                task_id=str(uuid4()),
+                task_name="scan-report",
+                task_kwargs={"scan_id": str(scan.id)},
+            ),
+        )
+        new_task = Task.objects.create(
+            tenant_id=scan.tenant_id,
+            task_runner_task=TaskResult.objects.create(
+                task_id=str(uuid4()),
+                task_name="scan-report",
+                task_kwargs={"scan_id": str(scan.id)},
+            ),
+        )
+        # `inserted_at` is `auto_now_add`, and within the test transaction the DB
+        # `now()` is constant, so force distinct timestamps to make order_by stable.
+        base = datetime(2024, 1, 1, tzinfo=timezone.utc)
+        Task.objects.filter(pk=old_task.pk).update(inserted_at=base)
+        Task.objects.filter(pk=new_task.pk).update(
+            inserted_at=base + timedelta(hours=1)
+        )
+
+        mock_task_serializer.side_effect = lambda instance, *a, **k: SimpleNamespace(
+            data={"id": str(instance.id), "state": StateChoices.EXECUTING}
+        )
+
+        url = reverse("scan-report", kwargs={"pk": scan.id})
+        response = authenticated_client.get(url)
+
+        assert response.status_code == status.HTTP_202_ACCEPTED
+        assert str(new_task.id) in response["Content-Location"]
+        assert str(old_task.id) not in response["Content-Location"]
+
    @patch("api.v1.views.get_s3_client")
    @patch("api.v1.views.sentry_sdk.capture_exception")
    def test_compliance_list_objects_client_error(
@@ -6916,6 +7057,80 @@ class TestFindingViewSet:
            == findings_fixture[0].status
        )

+    def test_findings_list_resource_tags_no_n_plus_one(
+        self, authenticated_client, findings_fixture
+    ):
+        """Listing findings must load every resource's tags in a constant
+        number of queries, no matter how many findings/resources are returned.
+
+        This guards ``FindingViewSet._optimize_tags_loading`` against
+        regressions that would reintroduce one extra query per resource (the
+        N+1 the prefetch was added to remove).
+        """
+        scan = findings_fixture[0].scan
+        tenant_id = findings_fixture[0].tenant_id
+        provider = scan.provider
+
+        def _create_finding_with_tagged_resource(index):
+            resource = Resource.objects.create(
+                tenant_id=tenant_id,
+                provider=provider,
+                uid=f"arn:aws:ec2:us-east-1:123456789012:instance/n-plus-one-{index}",
+                name=f"N+1 Instance {index}",
+                region="us-east-1",
+                service="ec2",
+                type="prowler-test",
+            )
+            resource.upsert_or_delete_tags(
+                [
+                    ResourceTag.objects.create(
+                        tenant_id=tenant_id,
+                        key=f"key-{index}",
+                        value=f"value-{index}",
+                    )
+                ]
+            )
+            finding = Finding.objects.create(
+                tenant_id=tenant_id,
+                uid=f"n_plus_one_finding_{index}",
+                scan=scan,
+                status=Status.FAIL,
+                status_extended="n+1 status",
+                impact=Severity.medium,
+                severity=Severity.medium,
+                check_id="test_check_id",
+                check_metadata={"CheckId": "test_check_id", "servicename": "ec2"},
+                first_seen_at="2024-01-02T00:00:00Z",
+            )
+            finding.add_resources([resource])
+            return finding
+
+        params = {"filter[inserted_at]": TODAY, "include": "resources"}
+
+        # Baseline: the two findings provided by the fixture.
+        with CaptureQueriesContext(connection) as baseline:
+            response = authenticated_client.get(reverse("finding-list"), params)
+        assert response.status_code == status.HTTP_200_OK
+
+        # Add more findings, each with its own resource carrying tags.
+        extra_findings = 5
+        for index in range(extra_findings):
+            _create_finding_with_tagged_resource(index)
+
+        with CaptureQueriesContext(connection) as scaled:
+            response = authenticated_client.get(reverse("finding-list"), params)
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == len(findings_fixture) + extra_findings
+
+        # The query count must not grow with the number of findings/resources.
+        assert len(scaled.captured_queries) == len(baseline.captured_queries), (
+            "Resource tags are not being prefetched: "
+            f"{len(baseline.captured_queries)} queries for {len(findings_fixture)} "
+            f"findings vs {len(scaled.captured_queries)} for "
+            f"{len(findings_fixture) + extra_findings}. Likely an N+1 regression "
+            "in FindingViewSet._optimize_tags_loading."
+        )
+
    @pytest.mark.parametrize(
        "include_values, expected_resources",
        [
@@ -2059,12 +2059,17 @@ class ScanViewSet(BaseRLSViewSet):
        if scan_instance.state == StateChoices.EXECUTING and scan_instance.task:
            task = scan_instance.task
        else:
-            try:
-                task = Task.objects.get(
+            # A scan can have several `scan-report` tasks (e.g. re-runs); take the
+            # most recent one. `.first()` also avoids `MultipleObjectsReturned`.
+            task = (
+                Task.objects.filter(
                    task_runner_task__task_name="scan-report",
                    task_runner_task__task_kwargs__contains=str(scan_instance.id),
                )
-            except Task.DoesNotExist:
+                .order_by("-inserted_at")
+                .first()
+            )
+            if task is None:
                return None

        self.response_serializer_class = TaskSerializer
@@ -2139,27 +2144,32 @@ class ScanViewSet(BaseRLSViewSet):
                        status=status.HTTP_502_BAD_GATEWAY,
                    )
                contents = resp.get("Contents", [])
-                keys = []
+                matches = []
                for obj in contents:
                    key = obj["Key"]
                    key_basename = os.path.basename(key)
                    if any(ch in suffix for ch in ("*", "?", "[")):
                        if fnmatch.fnmatch(key_basename, suffix):
-                            keys.append(key)
+                            matches.append(obj)
                    elif key_basename == suffix:
-                        keys.append(key)
+                        matches.append(obj)
                    elif key.endswith(suffix):
                        # Backward compatibility if suffix already includes directories
-                        keys.append(key)
-                if not keys:
+                        matches.append(obj)
+                if not matches:
                    return Response(
                        {
                            "detail": f"No compliance file found for name '{os.path.splitext(suffix)[0]}'."
                        },
                        status=status.HTTP_404_NOT_FOUND,
                    )
-                # path_pattern here is prefix, but in compliance we build correct suffix check before
-                key = keys[0]
+                # Return the most recently modified match (latest report) when
+                # several files share the prefix/suffix. `list_objects_v2` always
+                # returns `LastModified`; the fallback keeps ordering deterministic
+                # if it is ever absent.
+                key = max(matches, key=lambda o: (o.get("LastModified", ""), o["Key"]))[
+                    "Key"
+                ]
            else:
                # path_pattern is exact key; HEAD before presigning to preserve the 404 contract.
                key = path_pattern
@@ -2209,7 +2219,9 @@ class ScanViewSet(BaseRLSViewSet):
                    },
                    status=status.HTTP_404_NOT_FOUND,
                )
-            filepath = files[0]
+            # Return the most recently modified match (latest report) when the
+            # pattern resolves to several files.
+            filepath = max(files, key=os.path.getmtime)
            with open(filepath, "rb") as f:
                content = f.read()
            filename = os.path.basename(filepath)
@@ -3749,6 +3761,16 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
            return queryset
        return super().filter_queryset(queryset)

+    def _optimize_tags_loading(self, queryset):
+        """Prefetch resource tags to avoid N+1 queries when serializing findings"""
+        return queryset.prefetch_related(
+            Prefetch(
+                "resources__tags",
+                queryset=ResourceTag.objects.filter(tenant_id=self.request.tenant_id),
+                to_attr="prefetched_tags",
+            )
+        )
+
    def list(self, request, *args, **kwargs):
        filtered_queryset = self.filter_queryset(self.get_queryset())
        return self.paginate_by_pk(
@@ -7484,14 +7506,17 @@ class FindingGroupViewSet(BaseRLSViewSet):

    def _get_latest_findings_per_provider(self, filtered_queryset):
        """Keep only findings from each provider's most recent completed scan."""
-        latest_scan_ids = (
+        # Materialize to a literal IN list. Left as a subquery, Postgres can't
+        # estimate the match count and picks a serial nested loop on
+        # resource_finding_mappings when one scan dominates findings
+        latest_scan_ids = list(
            Scan.objects.filter(
                tenant_id=self.request.tenant_id,
                state=StateChoices.COMPLETED,
            )
            .order_by("provider_id", "-completed_at", "-inserted_at")
            .distinct("provider_id")
-            .values("id")
+            .values_list("id", flat=True)
        )
        return filtered_queryset.filter(scan_id__in=latest_scan_ids)

@@ -467,8 +467,31 @@ def delete_tenant_task(tenant_id: str):
    return delete_tenant(pk=tenant_id)


+def _scan_tmp_output_directory(tenant_id: str, scan_id: str) -> Path:
+    """Root tmp output directory for a scan ({tmp}/{tenant_id}/{scan_id})."""
+    return Path(DJANGO_TMP_OUTPUT_DIRECTORY) / str(tenant_id) / str(scan_id)
+
+
+class ScanReportRLSTask(RLSTask):
+    """
+    RLS task that removes the scan's tmp output directory when the task fails.
+
+    Covers failures both inside and outside the task body (e.g. ENOSPC mid-write,
+    or setup errors) so partial artifacts do not accumulate on the worker disk.
+    """
+
+    def on_failure(self, exc, task_id, args, kwargs, _einfo):  # noqa: ARG002
+        del args  # Required by Celery's Task.on_failure signature; not used.
+        tenant_id = kwargs.get("tenant_id")
+        scan_id = kwargs.get("scan_id")
+
+        if tenant_id and scan_id:
+            logger.error(f"Scan report task {task_id} failed: {exc}")
+            rmtree(_scan_tmp_output_directory(tenant_id, scan_id), ignore_errors=True)
+
+
@shared_task(
-    base=RLSTask,
+    base=ScanReportRLSTask,
    name="scan-report",
    queue="scan-reports",
 )
@@ -518,6 +541,9 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
    out_dir, comp_dir = _generate_output_directory(
        DJANGO_TMP_OUTPUT_DIRECTORY, provider_uid, tenant_id, scan_id
    )
+    # Removed on success here and on failure by ScanReportRLSTask.on_failure,
+    # so partial artifacts do not accumulate and fill the disk (ENOSPC).
+    scan_tmp_dir = _scan_tmp_output_directory(tenant_id, scan_id)

    def get_writer(writer_map, name, factory, is_last):
        """
@@ -666,7 +692,7 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
        # TODO: We need to create a new periodic task to delete the output files
        # This task shouldn't be responsible for deleting the output files
        try:
-            rmtree(Path(compressed).parent, ignore_errors=True)
+            rmtree(scan_tmp_dir, ignore_errors=True)
        except Exception as e:
            logger.error(f"Error deleting output files: {e}")
        final_location, did_upload = upload_uri, True
@@ -15,8 +15,10 @@ from tasks.jobs.lighthouse_providers import (
 from tasks.tasks import (
    DJANGO_TMP_OUTPUT_DIRECTORY,
    STALE_TMP_OUTPUT_MAX_AGE_HOURS,
+    ScanReportRLSTask,
    _cleanup_orphan_scheduled_scans,
    _perform_scan_complete_tasks,
+    _scan_tmp_output_directory,
    check_integrations_task,
    check_lighthouse_provider_connection_task,
    generate_outputs_task,
@@ -771,6 +773,38 @@ class TestGenerateOutputs:
            mock_s3_task.assert_called_once()


+class TestScanReportRLSTaskOnFailure:
+    def test_on_failure_removes_scan_tmp_directory(self):
+        task = ScanReportRLSTask()
+
+        with patch("tasks.tasks.rmtree") as mock_rmtree:
+            task.on_failure(
+                exc=OSError("No space left on device"),
+                task_id="task-abc",
+                args=(),
+                kwargs={"tenant_id": "t-1", "scan_id": "s-1"},
+                _einfo=None,
+            )
+
+        mock_rmtree.assert_called_once_with(
+            _scan_tmp_output_directory("t-1", "s-1"), ignore_errors=True
+        )
+
+    def test_on_failure_skips_when_missing_kwargs(self):
+        task = ScanReportRLSTask()
+
+        with patch("tasks.tasks.rmtree") as mock_rmtree:
+            task.on_failure(
+                exc=OSError("No space left on device"),
+                task_id="task-abc",
+                args=(),
+                kwargs={},
+                _einfo=None,
+            )
+
+        mock_rmtree.assert_not_called()
+
+
 class TestScanCompleteTasks:
    @patch("tasks.tasks.aggregate_attack_surface_task.apply_async")
    @patch("tasks.tasks.chain")
@@ -4410,8 +4410,8 @@ wheels = [

 [[package]]
 name = "prowler"
-version = "5.27.0"
-source = { git = "https://github.com/prowler-cloud/prowler.git?rev=master#0abbb7fc590eaf7de6ed354dd5a217bca261d2b0" }
+version = "5.29.0"
+source = { git = "https://github.com/prowler-cloud/prowler.git?rev=v5.29#a769e3761532d9332cb64078ef09ebf7ffb15292" }
 dependencies = [
    { name = "alibabacloud-actiontrail20200706" },
    { name = "alibabacloud-credentials" },
@@ -4484,9 +4484,13 @@ dependencies = [
    { name = "pygithub" },
    { name = "python-dateutil" },
    { name = "pytz" },
+    { name = "scaleway" },
    { name = "schema" },
    { name = "shodan" },
    { name = "slack-sdk" },
+    { name = "stackit-core" },
+    { name = "stackit-iaas" },
+    { name = "stackit-resourcemanager" },
    { name = "tabulate" },
    { name = "tzlocal" },
    { name = "uuid6" },
@@ -4494,7 +4498,7 @@ dependencies = [

 [[package]]
 name = "prowler-api"
-version = "1.30.0"
+version = "1.30.3"
 source = { virtual = "." }
 dependencies = [
    { name = "cartography" },
@@ -4590,7 +4594,7 @@ requires-dist = [
    { name = "matplotlib", specifier = "==3.10.8" },
    { name = "neo4j", specifier = "==6.1.0" },
    { name = "openai", specifier = "==1.109.1" },
-    { name = "prowler", git = "https://github.com/prowler-cloud/prowler.git?rev=master" },
+    { name = "prowler", git = "https://github.com/prowler-cloud/prowler.git?rev=v5.29" },
    { name = "psycopg2-binary", specifier = "==2.9.9" },
    { name = "pytest-celery", extras = ["redis"], specifier = "==1.3.0" },
    { name = "reportlab", specifier = "==4.4.10" },
@@ -5526,6 +5530,52 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/49/4b/359f28a903c13438ef59ebeee215fb25da53066db67b305c125f1c6d2a25/sqlparse-0.5.5-py3-none-any.whl", hash = "sha256:12a08b3bf3eec877c519589833aed092e2444e68240a3577e8e26148acc7b1ba", size = 46138, upload-time = "2025-12-19T07:17:46.573Z" },
 ]

+[[package]]
+name = "stackit-core"
+version = "0.2.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "cryptography" },
+    { name = "pydantic" },
+    { name = "pyjwt" },
+    { name = "requests" },
+    { name = "urllib3" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/24/90/20f9ec7387eec4067cfd3d29055d0e2b5e1e0322c601a7f48125fd8ea35f/stackit_core-0.2.0.tar.gz", hash = "sha256:b8af91877cdb060d6969a303d8cf20bc0b33b345afd91f679c44a987381e2d47", size = 8987, upload-time = "2025-06-12T08:24:45.251Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/ab/b4/7b53187ce68956870d864ccb9ccfb68066c9df9de1c9568fd2feb03c4504/stackit_core-0.2.0-py3-none-any.whl", hash = "sha256:04632fc6742790d08ddfcb7f2313e04d1254827397a80250f838a2f81b92645b", size = 10240, upload-time = "2025-06-12T08:24:44.214Z" },
+]
+
+[[package]]
+name = "stackit-iaas"
+version = "1.4.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "pydantic" },
+    { name = "python-dateutil" },
+    { name = "requests" },
+    { name = "stackit-core" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/52/07/24e65278300d5c3cb19cb1660bff924c80812cf8aad3e715f826bae5aa80/stackit_iaas-1.4.0.tar.gz", hash = "sha256:93523b23442350c7ebefd9129485c4c2a539f694a9c36a0f8edfaba9862057ea", size = 116236, upload-time = "2026-05-13T09:43:15.996Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/08/51/2201164d7bfacf47539888c735f10f6320c188252384957aa1b23121a210/stackit_iaas-1.4.0-py3-none-any.whl", hash = "sha256:3f4a32321b57ac238f73e5d660c6428186b92cc0425c1f0783ba801e377149d9", size = 316588, upload-time = "2026-05-13T09:43:14.943Z" },
+]
+
+[[package]]
+name = "stackit-resourcemanager"
+version = "0.8.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "pydantic" },
+    { name = "python-dateutil" },
+    { name = "requests" },
+    { name = "stackit-core" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/23/2d/f458f18e48ed2b1c83df52cff7dbdfd5dd904fb2980ffd9385876e47bbd9/stackit_resourcemanager-0.8.0.tar.gz", hash = "sha256:f44542beab4130857f5a7f465cf02defeef657bdf63c1beeb3102f0ba3c003fe", size = 33943, upload-time = "2026-05-13T09:43:08.667Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/c7/9c/38a74d0f7a89b4320f6d2366fb660638bda8860daa08748b12c713d84381/stackit_resourcemanager-0.8.0-py3-none-any.whl", hash = "sha256:dd04bb8353d041a137c4dcba190beabded7acfaff1bc98b218fce20a99389ebc", size = 81288, upload-time = "2026-05-13T09:43:07.81Z" },
+]
+
 [[package]]
 name = "statsd"
 version = "4.0.1"
@@ -134,7 +134,7 @@ Example 1 is vague and even potentially ambiguous. Verbs state your purpose and

 Explicit use of second-person pronouns (you) and possessives (your) should be minimized whenever possible. Those constructions are best reserved for cases when instructions are directly given in an imperative form:

-**Example of Improvement Through Avoiding Second Person Pronouns**
+### Example of Improvement Through Avoiding Second Person Pronouns

 **Original:**
 Prowler App can be installed in different ways, depending on your environment:
@@ -236,7 +236,7 @@ The use of bullet points is highly recommended when:
 * Information can be logically divided into multiple categories, each sharing characteristics, features, or other relevant classifications.
 * Items are significant enough as standalone concepts to deserve their own bullet point.

-**Example of Improvement Through Bullet Points**
+#### Example of Improvement Through Bullet Points

 **Original:**
 It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMS, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme), and your custom security frameworks.
@@ -0,0 +1,730 @@
+---
+title: 'StackIT Provider'
+---
+
+This page details the [StackIT Cloud](https://www.stackit.de/) provider implementation in Prowler.
+
+By default, Prowler audits a single StackIT project per scan. To configure it, provide the project ID and either a service account key file path or inline service account key JSON.
+
+## StackIT Provider Classes Architecture
+
+The StackIT provider implementation follows the general [Provider structure](/developer-guide/provider). This section focuses on the StackIT-specific implementation, highlighting how the generic provider concepts are realized for StackIT in Prowler. For a full overview of the provider pattern, base classes, and extension guidelines, see [Provider documentation](/developer-guide/provider).
+
+### `StackitProvider` (Main Class)
+
+- **Location:** [`prowler/providers/stackit/stackit_provider.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/stackit_provider.py)
+- **Base Class:** Inherits from `Provider` (see [base class details](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/common/provider.py)).
+- **Purpose:** Central orchestrator for StackIT-specific logic, API authentication, credential validation, and configuration.
+- **Key StackIT Responsibilities:**
+    - Initializes StackIT SDK authentication via a service account key file or inline service account key JSON. The SDK mints and refreshes access tokens internally.
+    - Validates the service account credentials and project ID (UUID format validation).
+    - Loads and manages configuration, mutelist, and fixer settings.
+    - Provides properties and methods for downstream StackIT service classes to access credentials, identity, and configuration data.
+
+### Data Models
+
+- **Location:** [`prowler/providers/stackit/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/models.py)
+- **Purpose:** Define structured data for StackIT identity and output configuration.
+- **Key StackIT Models:**
+    - `StackITIdentityInfo`: Holds StackIT identity metadata, including project ID and project name (fetched automatically from Resource Manager API).
+    - `StackITOutputOptions`: Customizes default output filenames so StackIT reports include the audited project ID.
+    - IaaS resource models such as `SecurityGroup` and `SecurityGroupRule` are defined in the IaaS service module.
+
+### StackIT Services
+
+- **Location:** [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
+- **Purpose:** Implement StackIT service clients and resource collection logic following the generic [service pattern](/developer-guide/services#service-base-class).
+- **Current Implementation:** The `IaaSService` collects security groups, rules, and network interface usage across supported StackIT regions.
+
+### Exception Handling
+
+- **Location:** [`prowler/providers/stackit/exceptions/exceptions.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/exceptions/exceptions.py)
+- **Purpose:** Custom exception classes for StackIT-specific error handling, such as credential validation, API connection, and configuration errors.
+- **Key Exception Classes:**
+    - `StackITBaseException`: Base exception for all StackIT provider errors.
+    - `StackITCredentialsError`: Raised when credentials are invalid or missing.
+    - `StackITInvalidProjectIdError`: Raised when project ID is invalid or not in UUID format.
+    - `StackITAPIError`: Raised when StackIT API calls fail.
+
+## Authentication
+
+### Service Account Creation and Key Generation
+
+StackIT uses service account keys for API authentication. Service account keys are RSA key-pair based and provide secure, short-lived access tokens.
+
+### Creating a Service Account Key
+
+#### Method 1: Via StackIT Portal
+
+1. **Navigate to Service Accounts**
+   - Go to the [StackIT Portal](https://portal.stackit.cloud/)
+   - Select your project
+   - Click on **Service Accounts** in the left sidebar
+
+2. **Create or Select Service Account**
+   - If you don't have a service account, click **Create Service Account**
+   - Provide a name and description
+   - Assign necessary permissions:
+     - For IaaS security checks: `iaas.viewer` or `project.owner`
+     - For comprehensive audits: `project.owner`
+
+3. **Generate Service Account Key**
+   - Select your service account
+   - Navigate to **Service Account Keys**
+   - Click **Create key**
+   - Choose one of the following options:
+     - **STACKIT-generated key pair** (Recommended): Let STACKIT automatically generate an RSA key-pair
+     - **User-provided key pair**: Upload your own RSA 2048 public key
+
+4. **Download and Save the Key**
+   - Download the generated service account key file (JSON format)
+   - **Important**: Save the key securely - it contains your private key and will only be available once
+   - Store the key file in a secure location (e.g., `~/.stackit/sa_key.json`)
+
+#### Method 2: Via StackIT CLI
+
+```bash
+# Install STACKIT CLI (if not already installed)
+# Follow instructions at: https://github.com/stackitcloud/stackit-cli
+
+# Create service account key (STACKIT-generated)
+stackit service-account key create --email my-service-account@example.com
+
+# Or create with your own RSA 2048 public key
+# First, generate your RSA key pair:
+openssl genrsa -out private-key.pem 2048
+openssl rsa -in private-key.pem -pubout -out public-key.pem
+
+# Then create the key with your public key:
+stackit service-account key create \
+  --email my-service-account@example.com \
+  --public-key "$(cat public-key.pem)"
+```
+
+### Finding Your Project ID
+
+Your StackIT project ID is a UUID that can be found:
+
+1. In the StackIT Portal URL when viewing your project: `https://portal.stackit.cloud/projects/{PROJECT_ID}/...`
+2. In the project settings page
+3. Using the StackIT CLI: `stackit project list`
+
+### Passing the Service Account Key to Prowler
+
+Prowler accepts the service account credentials in two equivalent forms; both go through the same StackIT SDK flow and refresh access tokens internally.
+
+#### Option 1: Key File Path (key persisted on disk)
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+Or as CLI flags:
+
+```bash
+prowler stackit \
+  --stackit-service-account-key-path ~/.stackit/sa-key.json \
+  --stackit-project-id 12345678-1234-1234-1234-123456789abc
+```
+
+#### Option 2: Inline Key Content (CI/CD, secret managers)
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY="$(vault kv get -field=key stackit/sa)"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+Prefer the environment variable over the matching `--stackit-service-account-key` CLI flag; passing the secret on the command line leaks it through process listings and shell history.
+
+### Credential Lookup Order
+
+Prowler resolves credentials in this order:
+
+1. **Command-line arguments**:
+   - `--stackit-service-account-key`
+   - `--stackit-service-account-key-path`
+   - `--stackit-project-id`
+2. **Environment variables**:
+   - `STACKIT_SERVICE_ACCOUNT_KEY`
+   - `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
+   - `STACKIT_PROJECT_ID`
+
+When both the inline key and the key file path are set, the inline content takes precedence.
+
+## Configuration
+
+### Command-Line Arguments
+
+StackIT-specific command-line arguments:
+
+| Argument | Description | Required | Default |
+|----------|-------------|----------|---------|
+| `--stackit-service-account-key-path` | Path to a StackIT service account key JSON file | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY_PATH` |
+| `--stackit-service-account-key` | Inline JSON content of a StackIT service account key (preferred env var: `STACKIT_SERVICE_ACCOUNT_KEY`) | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY` |
+| `--stackit-project-id` | StackIT project ID (UUID format) | Yes* | `$STACKIT_PROJECT_ID` |
+| `--stackit-region` | StackIT region(s) to scan | No | All available regions |
+
+\* Required unless provided via environment variables.
+
+### Input Validation
+
+The StackIT provider performs comprehensive input validation:
+
+- **Service Account Credentials**:
+  - At least one of `service_account_key_path` (file path) or `service_account_key` (inline JSON) must be supplied; both empty raises `StackITNonExistentTokenError`
+  - When both are provided the inline content takes precedence
+  - The key file path is logged as-is; the inline content is redacted in the credentials box
+
+- **Project ID**:
+  - Must not be empty
+  - Must be a valid UUID format (e.g., `12345678-1234-1234-1234-123456789abc`)
+  - Validated using Python's UUID constructor
+
+Invalid credentials will result in clear error messages before any API calls are made.
+
+## Available Services
+
+### IaaS (Infrastructure as a Service)
+
+- **Service Class:** `IaaSService`
+- **Location:** [`prowler/providers/stackit/services/iaas/iaas_service.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/services/iaas/iaas_service.py)
+- **SDK:** Uses the [stackit-iaas](https://pypi.org/project/stackit-iaas/) Python SDK
+- **Purpose:** Manages IaaS resources including security groups, servers, and network interfaces.
+
+**Supported Resources:**
+- Security Groups and Rules
+- Servers (Virtual Machines)
+- Network Interfaces (NICs)
+
+**Key Features:**
+- Automatic discovery of all security groups in the project
+- Security rule parsing with support for unrestricted access detection
+- Network interface analysis to determine whether security groups are in use
+- By default, reports only security groups attached to at least one NIC; `--scan-unused-services` includes unused security groups too
+
+## Available Checks
+
+The StackIT provider currently implements 4 security checks focused on network security:
+
+### 1. iaas_security_group_ssh_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted SSH access (port 22) from the internet.
+- **Risk:** Unrestricted SSH access increases the attack surface and risk of brute-force attacks.
+- **Detection Logic:**
+  - Checks for ingress rules allowing TCP port 22
+  - Flags rules with `ip_range=None` or `ip_range="0.0.0.0/0"` or `ip_range="::/0"`
+  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
+
+### 2. iaas_security_group_rdp_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted RDP access (port 3389) from the internet.
+- **Risk:** Unrestricted RDP access enables potential unauthorized remote desktop access.
+- **Detection Logic:**
+  - Checks for ingress rules allowing TCP port 3389
+  - Flags unrestricted IP ranges (None, 0.0.0.0/0, ::/0)
+  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
+
+### 3. iaas_security_group_database_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted access to common database ports.
+- **Monitored Ports:**
+  - MySQL: 3306
+  - PostgreSQL: 5432
+  - MongoDB: 27017
+  - Redis: 6379
+  - SQL Server: 1433
+  - CouchDB: 5984
+- **Risk:** Unrestricted database access can lead to data breaches and unauthorized data access.
+
+### 4. iaas_security_group_all_traffic_unrestricted
+
+- **Severity:** Critical
+- **Description:** Detects security groups that allow all traffic from the internet.
+- **Detection Logic:**
+  - Checks for rules with `port_range=None` (all ports)
+  - Checks for rules with port range covering 0-65535 or 1-65535
+  - Flags unrestricted IP ranges
+  - Critical security misconfiguration requiring immediate remediation
+
+### Important Implementation Notes
+
+**Self-Referencing Security Group Rules:**
+
+Security group rules with `remoteSecurityGroupId` set are automatically filtered out from unrestricted access checks. These rules only allow traffic from instances within the same security group (self-referencing), not from the internet, and are therefore not flagged as security risks.
+
+**Rule Display Names:**
+
+All findings include user-friendly rule descriptions when available. If a security group rule has a description field set (the name shown in the StackIT UI), it will be displayed in the finding message along with the rule ID:
+- With description: `'Allow SSH from office' (sgr-abc123)`
+- Without description: `'sgr-abc123'`
+
+**Network Interface (NIC) Usage Filtering:**
+
+The IaaS service lists project NICs and records the security group IDs attached to them. Checks use that signal to decide whether a security group is in use:
+
+1. **Default behavior:** Report security groups attached to at least one NIC.
+2. **`--scan-unused-services`:** Report every security group, including unused ones.
+3. **FAIL logic:** Internet exposure is driven by security group rules that allow unrestricted source ranges, not by the presence of a public IP on the NIC.
+
+**Unrestricted IP Ranges:**
+
+The StackIT API represents "unrestricted" in two ways:
+- **`ip_range=null`**: No IP restriction specified (implicit unrestricted)
+- **`ip_range="0.0.0.0/0"` or `"::/0"`**: Explicitly configured to allow all IPs
+
+Both are flagged as unrestricted. A `null` value is **more permissive** than an explicit range and applies to all protocols/ports if other fields are also `null`.
+
+## Requirements
+
+### Python Version
+
+- **Minimum:** Python 3.10+
+- **Reason:** The StackIT SDK requires Python 3.10 or higher
+
+### Dependencies
+
+The StackIT provider requires the following Python packages (automatically installed with Prowler):
+
+- **stackit-core** (v0.2.0): Core SDK for StackIT API authentication and configuration
+- **stackit-iaas** (v1.4.0): IaaS service SDK for managing compute resources
+- **stackit-resourcemanager** (v0.8.0): Resource Manager SDK for fetching project metadata (e.g., project names)
+
+These dependencies are defined in `pyproject.toml` and installed automatically with:
+
+```bash
+poetry install
+```
+
+**Note:** The `stackit-resourcemanager` package enables automatic retrieval of project names for display in reports. If this package is not available, Prowler will still function normally but project names will be empty in the output.
+
+## Region Support
+
+### Supported Regions
+
+- **Available Regions:** `eu01` (Germany South) and `eu02` (Austria West)
+- **Default:** All scans use both `eu01` and `eu02` regions by default.
+
+### Multi-Region Scanning
+
+Prowler supports scanning multiple StackIT regions in a single execution. By default, it will scan all regions defined in the `stackit_regions_by_service.json` configuration file.
+
+### CLI Argument
+
+You can specify which regions to scan using the `--stackit-region` argument:
+
+```bash
+# Scan only eu01
+prowler stackit --stackit-region eu01
+
+# Scan both eu01 and eu02
+prowler stackit --stackit-region eu01 eu02
+```
+
+### Implementation Details
+
+- **Regional Clients:** Prowler generates a separate API client for each audited region.
+- **Service Iteration:** Each service (e.g., IaaS) iterates through the regional clients to fetch and audit resources.
+- **Identity Tracking:** The `audited_regions` are stored in the identity model for reporting.
+
+### Future Enhancements
+
+As StackIT adds more regions, they can be easily added to Prowler by updating the `prowler/providers/stackit/stackit_regions_by_service.json` file without requiring code changes.
+
+## Command Examples
+
+### Scan Specific Regions
+
+Scan only the `eu01` region:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --stackit-region eu01
+```
+
+Scan multiple regions:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --stackit-region eu01 eu02
+```
+
+### Scan Specific Checks
+
+Run only SSH unrestricted check:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --checks iaas_security_group_ssh_unrestricted
+```
+
+### Scan All Security Group Checks
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --services iaas
+```
+
+### Output Formats
+
+Generate JSON output:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --output-formats json
+```
+
+Generate HTML report:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --output-formats html
+```
+
+## Known Limitations
+
+### Current Limitations
+
+1. **Single Project Scope**: Only one project can be scanned at a time
+2. **Service Coverage**: Only the IaaS service is currently implemented
+3. **Check Coverage**: Limited to security group network security checks (4 checks total)
+4. **No Compliance Frameworks**: Compliance framework mappings are not yet implemented
+
+### Planned Enhancements
+
+- Multi-project scanning capability
+- Additional IaaS checks (volume encryption, server public IP exposure, backup status)
+- Compliance framework mappings (CIS, custom StackIT best practices)
+- StackIT CLI remediation examples in metadata
+
+## Troubleshooting
+
+### Authentication Errors
+
+**Error:** `StackIT service account key was rejected`
+
+**Solutions:**
+1. Re-issue the service account key in the StackIT Portal
+2. Verify the service account key file or inline JSON content is complete
+3. Check that the service account has the necessary permissions (`iaas.viewer` or `project.owner`)
+4. Ensure the service account key is provided through `STACKIT_SERVICE_ACCOUNT_KEY_PATH`, `STACKIT_SERVICE_ACCOUNT_KEY`, or the matching CLI arguments
+
+**Error:** `StackIT credentials not found or are invalid`
+
+**Solutions:**
+1. Ensure the project ID and one service account credential source are provided
+2. Check that credentials are set via environment variables or command-line arguments
+3. Verify there are no extra spaces or newlines in the credentials
+
+**Error:** `Invalid StackIT project ID format`
+
+**Solutions:**
+1. Verify the project ID is a valid UUID format: `12345678-1234-1234-1234-123456789abc`
+2. Copy the project ID directly from the StackIT Portal
+3. Ensure there are no extra spaces or quotes around the UUID
+
+### API Connection Errors
+
+**Error:** `Failed to connect to StackIT API`
+
+**Solutions:**
+1. Check your internet connection
+2. Verify the StackIT API endpoint is accessible from your network
+3. Check if there are any firewall rules blocking HTTPS connections
+4. Review the full error message for specific API error codes
+
+**Error:** `HTTP 403 Forbidden`
+
+**Solutions:**
+1. Verify the service account has the correct permissions
+2. Ensure the project ID is correct and you have access to it
+3. Check that the service account is enabled (not disabled or expired)
+4. Verify the service account key has not been revoked
+
+**Error:** `HTTP 404 Not Found`
+
+**Solutions:**
+1. Verify the project ID exists and is correct
+2. Check that the IaaS service is enabled in your project
+3. Ensure you're using the correct region (eu01)
+
+### Empty Results
+
+**Issue:** No security groups or findings reported
+
+**Solutions:**
+1. Verify that security groups exist in your project
+2. Check that the IaaS service is properly configured
+3. Ensure the service account has `iaas.viewer` permission
+4. Check Prowler logs for any API errors (use `--log-level DEBUG`)
+
+### Debug Mode
+
+Enable debug logging for detailed troubleshooting:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --log-level DEBUG
+```
+
+This will show:
+- API authentication details (with inline service account keys redacted)
+- Resource discovery progress
+- Security rule parsing details
+- Any API errors or warnings
+
+## Specific Patterns in StackIT Services
+
+The generic service pattern is described in [service page](/developer-guide/services#service-structure-and-initialisation). You can find all the currently implemented services in the following locations:
+
+- Directly in the code, in location [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
+- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
+
+The best reference to understand how to implement a new service is following the [service implementation documentation](/developer-guide/services#adding-a-new-service) and taking other StackIT services as reference.
+
+### StackIT Service Common Patterns
+
+- Services communicate with StackIT using the StackIT Python SDK, you can find the documentation [here](https://github.com/stackitcloud/stackit-sdk-python).
+- Service constructors receive a `StackitProvider` instance and use it to access credentials, identity, and configuration.
+- The provider builds StackIT SDK `Configuration` objects from the service account key path or inline key content.
+- Resource containers **must** be initialized in the constructor, typically as lists or dictionaries.
+- Do not manipulate `os.environ` for credentials inside services. Use the provider session and SDK configuration helpers.
+- All StackIT resources are represented as Pydantic `BaseModel` classes, providing type safety and structured access to resource attributes.
+- StackIT SDK calls are wrapped in try/except blocks, with specific handling for API errors, always logging errors.
+- **Centralized Error Handling**: Use `provider.handle_api_error(exception)` for consistent authentication error detection across all services.
+- **SDK Warning Suppression**: StackIT SDK prints deprecation warnings to stderr - use the `suppress_stderr()` context manager during SDK initialization and API calls.
+- **Unrestricted Access Detection**: In StackIT API, `None` values mean "allow all" (more permissive than explicit 0.0.0.0/0).
+  - `protocol=None` → All protocols allowed
+  - `ip_range=None` → All source IPs allowed (unrestricted!)
+  - `port_range=None` → All ports allowed
+  - `remote_security_group_id` set → Only allows traffic from the same security group (not unrestricted!)
+
+### IaaS Service Specific Patterns
+
+**Security Group Discovery:**
+```python
+# List all security groups
+security_groups = client.list_security_groups(
+    project_id=self.project_id,
+    region=region,
+)
+
+# List network interfaces to determine security group usage
+nics = client.list_project_nics(
+    project_id=self.project_id,
+    region=region,
+)
+
+# Checks report in-use security groups by default. Use --scan-unused-services
+# to include security groups that are not attached to any NIC.
+```
+
+**Centralized Authentication Error Handling:**
+```python
+def _handle_api_call(self, api_function, *args, **kwargs):
+    """Wrapper for API calls with centralized error handling."""
+    try:
+        with suppress_stderr():  # Suppress SDK warnings
+            return api_function(*args, **kwargs)
+    except Exception as e:
+        # Use centralized error handler from provider
+        self.provider.handle_api_error(e)  # Detects 401 and raises StackITInvalidTokenError
+```
+
+**Unrestricted Access Detection:**
+```python
+def is_unrestricted(rule):
+    """Check if a rule allows unrestricted access."""
+    # Filter out self-referencing rules
+    if rule.remote_security_group_id is not None:
+        return False
+    # Check for unrestricted IP ranges
+    return rule.ip_range is None or rule.ip_range in ["0.0.0.0/0", "::/0"]
+
+def is_tcp(rule):
+    """Check if a rule applies to TCP protocol."""
+    # None means all protocols (including TCP)
+    return rule.protocol is None or rule.protocol.lower() in ["tcp", "all"]
+
+def includes_port(rule, port):
+    """Check if a rule includes a specific port."""
+    # None means all ports
+    if rule.port_range is None:
+        return True
+    return rule.port_range.min <= port <= rule.port_range.max
+```
+
+## Specific Patterns in StackIT Checks
+
+The StackIT checks pattern is described in [checks page](/developer-guide/checks). You can find all the currently implemented checks:
+
+- Directly in the code, within each service folder, each check has its own folder named after the name of the check. (e.g. [`prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted))
+- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
+
+The best reference to understand how to implement a new check is following the [check creation documentation](/developer-guide/checks#creating-a-check) and taking other similar StackIT checks as reference.
+
+### Check Report Class
+
+The `CheckReportStackIT` class models a single finding for a StackIT resource in a check report. It is defined in [`prowler/lib/check/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py) and inherits from the generic `Check_Report` base class.
+
+#### Purpose
+
+`CheckReportStackIT` extends the base report structure with StackIT-specific fields, enabling detailed tracking of the resource, project, and location associated with each finding.
+
+#### Constructor and Attribute Population
+
+When you instantiate `CheckReportStackIT`, you must provide the check metadata and a resource object. The class will attempt to automatically populate its StackIT-specific attributes from the resource, using the following logic:
+
+- **`resource_id`**:
+    - Uses `resource.id` if present.
+    - Otherwise, uses `resource.resource_id` if present.
+    - Defaults to an empty string if none are available.
+
+- **`resource_name`**:
+    - Uses `resource.name` if present.
+    - Defaults to an empty string if not available.
+
+- **`project_id`**:
+    - Uses `resource.project_id` if present.
+    - Defaults to an empty string if not available (should be set in check logic).
+
+- **`location`**:
+    - Uses `resource.region` if present.
+    - Otherwise, uses `resource.location` if present.
+    - Defaults to an empty string if not available.
+
+If the resource object does not contain the required attributes, you must set them manually in the check logic.
+
+Other attributes are inherited from the `Check_Report` class, from which you **always** have to set the `status` and `status_extended` attributes in the check logic.
+
+#### Example Usage
+
+```python
+from prowler.lib.check.models import CheckReportStackIT
+
+report = CheckReportStackIT(
+    metadata=self.metadata(),
+    resource=security_group
+)
+report.status = "FAIL"
+report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
+report.resource_id = security_group.id
+report.resource_name = security_group.name
+report.project_id = security_group.project_id
+report.location = security_group.region
+```
+
+### Common Check Pattern
+
+```python
+from prowler.lib.check.models import Check, CheckReportStackIT
+from prowler.providers.stackit.services.iaas.iaas_client import iaas_client
+
+class iaas_security_group_ssh_unrestricted(Check):
+    """Check if IaaS security groups allow unrestricted SSH access."""
+
+    def execute(self):
+        findings = []
+
+        for security_group in iaas_client.security_groups:
+            if not (iaas_client.scan_unused_services or security_group.in_use):
+                continue
+
+            report = CheckReportStackIT(
+                metadata=self.metadata(),
+                resource=security_group
+            )
+            report.status = "PASS"
+            report.status_extended = f"Security group {security_group.name} does not allow unrestricted SSH access."
+
+            # Check each rule
+            for rule in security_group.rules:
+                if (rule.is_ingress() and
+                    rule.is_tcp() and
+                    rule.includes_port(22) and
+                    rule.is_unrestricted()):
+                    report.status = "FAIL"
+                    report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
+                    break
+
+            findings.append(report)
+
+        return findings
+```
+
+## Resources
+
+### Official StackIT Documentation
+
+- **StackIT Portal**: [https://portal.stackit.cloud/](https://portal.stackit.cloud/)
+- **StackIT Documentation**: [https://docs.stackit.cloud/](https://docs.stackit.cloud/)
+- **StackIT API Documentation**: [https://docs.api.eu01.stackit.cloud/](https://docs.api.eu01.stackit.cloud/)
+
+### Python SDK
+
+- **StackIT Python SDK (GitHub)**: [https://github.com/stackitcloud/stackit-sdk-python](https://github.com/stackitcloud/stackit-sdk-python)
+- **stackit-core (PyPI)**: [https://pypi.org/project/stackit-core/](https://pypi.org/project/stackit-core/)
+- **stackit-iaas (PyPI)**: [https://pypi.org/project/stackit-iaas/](https://pypi.org/project/stackit-iaas/)
+- **IaaS Models**: [https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models](https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models)
+
+### Prowler Resources
+
+- **Provider Implementation**: [`prowler/providers/stackit/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/)
+- **IaaS Service**: [`prowler/providers/stackit/services/iaas/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/)
+- **Prowler Hub**: [https://hub.prowler.com/](https://hub.prowler.com/)
+- **GitHub Issues**: [https://github.com/prowler-cloud/prowler/issues](https://github.com/prowler-cloud/prowler/issues)
+
+## Contributing
+
+If you'd like to contribute to the StackIT provider:
+
+1. **Add New Checks**: Follow the [check creation guide](/developer-guide/checks#creating-a-check) and use existing StackIT checks as templates
+2. **Enhance Services**: Implement additional IaaS resource discovery or add new services
+3. **Improve Documentation**: Add metadata enhancements, CLI remediation examples, or Terraform code samples
+4. **Report Issues**: Submit bug reports or feature requests on [GitHub](https://github.com/prowler-cloud/prowler/issues)
+
+### Quick Start for Contributors
+
+1. **Install dependencies**: `poetry install` (includes stackit-core and stackit-iaas)
+2. **Set credentials**: Export `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PROJECT_ID`
+3. **Run checks**: `prowler stackit`
+4. **View code**: Start in `prowler/providers/stackit/`
+5. **Add checks**: Create new check directories under `services/iaas/`
+6. **Run tests**: `poetry run pytest tests/providers/stackit/ -v`
+
+### Code Quality Standards
+
+The StackIT provider should follow the same quality expectations as the rest of the Prowler SDK:
+
+- Keep service and check logic covered by unit tests.
+- Redact inline service account keys from generated output.
+- Keep documentation aligned with the implemented services and checks.
+- Follow existing provider, service, and check patterns before adding StackIT-specific abstractions.
@@ -124,8 +124,8 @@
              "user-guide/tutorials/prowler-app-rbac",
              "user-guide/tutorials/prowler-app-multi-tenant",
              "user-guide/tutorials/prowler-app-api-keys",
-              "user-guide/tutorials/prowler-app-import-findings",
-              "user-guide/tutorials/prowler-app-alerts",
+              "user-guide/tutorials/prowler-import-findings",
+              "user-guide/tutorials/prowler-alerts",
              {
                "group": "Mutelist",
                "expanded": true,
@@ -339,6 +339,13 @@
                  "user-guide/providers/scaleway/authentication"
                ]
              },
+              {
+                "group": "StackIT",
+                "pages": [
+                  "user-guide/providers/stackit/getting-started-stackit",
+                  "user-guide/providers/stackit/authentication"
+                ]
+              },
              {
                "group": "Vercel",
                "pages": [
@@ -401,7 +408,8 @@
              "developer-guide/kubernetes-details",
              "developer-guide/m365-details",
              "developer-guide/github-details",
-              "developer-guide/llm-details"
+              "developer-guide/llm-details",
+              "developer-guide/stackit-details"
            ]
          },
          {
@@ -576,6 +584,14 @@
    {
      "source": "/contact",
      "destination": "/support"
+    },
+    {
+      "source": "/user-guide/tutorials/prowler-app-import-findings",
+      "destination": "/user-guide/tutorials/prowler-import-findings"
+    },
+    {
+      "source": "/user-guide/tutorials/prowler-app-alerts",
+      "destination": "/user-guide/tutorials/prowler-alerts"
    }
  ]
 }
@@ -40,12 +40,6 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
    pip install prowler
    prowler -v
    ```
-
-    To upgrade Prowler to the latest version:
-
-    ``` bash
-    pip install --upgrade prowler
-    ```
  </Tab>
  <Tab title="Docker">
    _Requirements_:
@@ -170,6 +164,68 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
  </Tab>
 </Tabs>

+## Updating Prowler CLI
+
+Upgrade Prowler CLI to the latest release using the same method chosen for installation:
+
+<Tabs>
+  <Tab title="pipx">
+    ```bash
+    pipx upgrade prowler
+    prowler -v
+    ```
+  </Tab>
+  <Tab title="pip">
+    ```bash
+    pip install --upgrade prowler
+    prowler -v
+    ```
+  </Tab>
+  <Tab title="Docker">
+    Pull the desired image tag to fetch the latest version:
+
+    ```bash
+    docker pull toniblyx/prowler:latest
+    ```
+
+    <Note>
+      Replace `latest` with a specific release tag (for example, `stable` or `<x.y.z>`) to pin a version. Refer to the [Container Versions](#container-versions) section for the full list of available tags.
+    </Note>
+  </Tab>
+  <Tab title="GitHub">
+    Pull the latest changes and sync the environment:
+
+    ```bash
+    cd prowler
+    git pull
+    uv sync
+    uv run python prowler-cli.py -v
+    ```
+
+    <Note>
+      To upgrade to a specific release, check out the corresponding tag before syncing: `git checkout <x.y.z>`.
+    </Note>
+  </Tab>
+  <Tab title="Brew">
+    ```bash
+    brew upgrade prowler
+    prowler -v
+    ```
+  </Tab>
+  <Tab title="CloudShell">
+    Both AWS CloudShell and Azure CloudShell install Prowler with `pipx`, so the upgrade command is the same:
+
+    ```bash
+    pipx upgrade prowler
+    prowler -v
+    ```
+  </Tab>
+</Tabs>
+
+<Note>
+  To install a specific version instead of the latest release, pin it explicitly. For example, with `pipx`: `pipx install prowler==<x.y.z>`, or with `pip`: `pip install prowler==<x.y.z>`. The available releases are listed in the [Releases GitHub section](https://github.com/prowler-cloud/prowler/releases).
+</Note>
+
 ## Container Versions

 The available versions of Prowler CLI are the following:
@@ -141,6 +141,45 @@ Choose one of the following installation methods:

 ---

+## Updating Prowler MCP Server
+
+When running Prowler MCP Server locally ("Option 2: Run Locally"), upgrade to the latest version using the same method chosen for installation. The hosted server (`https://mcp.prowler.com/mcp`) is always kept up to date by Prowler and requires no action.
+
+<Tabs>
+  <Tab title="Docker">
+    Pull the latest image and restart the container:
+
+    ```bash
+    docker pull prowlercloud/prowler-mcp
+    ```
+
+    <Note>
+      Recreate any running container after pulling the new image so the updated version takes effect.
+    </Note>
+  </Tab>
+  <Tab title="From Source">
+    Pull the latest changes and sync the dependencies:
+
+    ```bash
+    cd prowler/mcp_server
+    git pull
+    uv sync
+    uv run prowler-mcp --help
+    ```
+  </Tab>
+  <Tab title="Build Docker Image">
+    Pull the latest source and rebuild the image:
+
+    ```bash
+    cd prowler/mcp_server
+    git pull
+    docker build -t prowler-mcp .
+    ```
+  </Tab>
+</Tabs>
+
+---
+
 ## Command Line Options

 The Prowler MCP Server supports the following command-line arguments:
@@ -36,6 +36,7 @@ Prowler supports a wide range of providers organized by category:
 | [OpenStack](/user-guide/providers/openstack/getting-started-openstack)           | Official   | Projects                 | UI, API, CLI |
 | [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | Tenancies / Compartments | UI, API, CLI |
 | [Scaleway](/user-guide/providers/scaleway/getting-started-scaleway)              | [Contact us](https://prowler.com/contact) | Organizations            | CLI          |
+| [StackIT](/user-guide/providers/stackit/getting-started-stackit)                 | [Contact us](https://prowler.com/contact) | Projects                 | CLI          |

 ### Infrastructure as Code Providers

@@ -6,7 +6,7 @@ title: 'Run Prowler in CI/CD and Send Findings to Prowler Cloud'
 For new projects, use the official [Prowler GitHub Action](/user-guide/tutorials/prowler-app-github-action) — a Docker-based reusable action that runs scans, optionally pushes findings to Prowler Cloud, and uploads SARIF results to GitHub Code Scanning. The GitHub Actions examples below document the legacy pip-based flow.
 </Warning>

-This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that security scans run automatically and findings are sent to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-app-import-findings). Examples cover GitHub Actions and GitLab CI.
+This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that security scans run automatically and findings are sent to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-import-findings). Examples cover GitHub Actions and GitLab CI.

 ## Prerequisites

@@ -19,7 +19,7 @@ This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that

 Prowler CLI provides the `--push-to-cloud` flag, which uploads scan results directly to Prowler Cloud after a scan completes. Combined with the `PROWLER_CLOUD_API_KEY` environment variable, this enables fully automated ingestion without manual file uploads.

-For full details on the flag and API, refer to the [Import Findings](/user-guide/tutorials/prowler-app-import-findings) documentation.
+For full details on the flag and API, refer to the [Import Findings](/user-guide/tutorials/prowler-import-findings) documentation.

 <Note>
 The examples in this guide use AWS as the target provider, but the same approach applies to any provider supported by Prowler (Azure, GCP, Kubernetes, and others). Replace `prowler aws` with the desired provider command (e.g., `prowler gcp`, `prowler azure`) and configure the corresponding credentials in the CI/CD environment.
@@ -195,7 +195,7 @@ By default, Prowler exits with a non-zero code when it finds failing checks. Thi
 * **GitLab CI**: Add `allow_failure: true` to the job

 <Note>
-Ingestion failures (e.g., network issues reaching Prowler Cloud) do not affect the Prowler exit code. The scan completes normally and only a warning is emitted. See [Import Findings troubleshooting](/user-guide/tutorials/prowler-app-import-findings#troubleshooting) for details.
+Ingestion failures (e.g., network issues reaching Prowler Cloud) do not affect the Prowler exit code. The scan completes normally and only a warning is emitted. See [Import Findings troubleshooting](/user-guide/tutorials/prowler-import-findings#troubleshooting) for details.
 </Note>

 ### Caching Prowler Installation
@@ -2,7 +2,7 @@
 title: 'Run Kubernetes In-Cluster and Send Findings to Prowler Cloud'
 ---

-This cookbook walks through deploying Prowler inside a Kubernetes cluster on a recurring schedule and automatically sending findings to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-app-import-findings). By the end, security scan results from the cluster appear in Prowler Cloud without any manual file uploads.
+This cookbook walks through deploying Prowler inside a Kubernetes cluster on a recurring schedule and automatically sending findings to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-import-findings). By the end, security scan results from the cluster appear in Prowler Cloud without any manual file uploads.

 ## Prerequisites

@@ -181,7 +181,7 @@ Once the job completes and findings are pushed:
 2. Open the "Scans" section to verify the ingestion job status
 3. Browse findings under the Kubernetes provider

-For details on the ingestion workflow and status tracking, refer to the [Import Findings](/user-guide/tutorials/prowler-app-import-findings) documentation.
+For details on the ingestion workflow and status tracking, refer to the [Import Findings](/user-guide/tutorials/prowler-import-findings) documentation.

 ## Tips and Troubleshooting

@@ -204,4 +204,4 @@ For details on the ingestion workflow and status tracking, refer to the [Import
    --namespace prowler-ns
  ```

-* **Failed uploads**: If the push to Prowler Cloud fails, the scan still completes and findings are saved locally in the container. Check the [Import Findings troubleshooting section](/user-guide/tutorials/prowler-app-import-findings#troubleshooting) for common error messages.
+* **Failed uploads**: If the push to Prowler Cloud fails, the scan still completes and findings are saved locally in the container. Check the [Import Findings troubleshooting section](/user-guide/tutorials/prowler-import-findings#troubleshooting) for common error messages.
@@ -18,7 +18,7 @@ Prowler requests the following read-only OAuth 2.0 scopes:
 | `https://www.googleapis.com/auth/admin.directory.domain.readonly` | Read access to domain information |
 | `https://www.googleapis.com/auth/admin.directory.customer.readonly` | Read access to customer information (Customer ID) |
 | `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read access to organizational unit hierarchy (identifies the root OU for policy filtering) |
-| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Gmail, Chat, and Drive service checks) |
+| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Chat, Drive, Gmail, Groups, Marketplace, Security, and Sites service checks) |
 | `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read access to admin roles and role assignments |

 <Warning>
@@ -40,7 +40,7 @@ In the [Google Cloud Console](https://console.cloud.google.com), select the targ
 | API | Required For |
 |-----|--------------|
 | **Admin SDK API** | Directory service checks (users, roles, domains) |
-| **Cloud Identity API** | Calendar, Gmail, Chat, and Drive service checks (domain-level application policies) |
+| **Cloud Identity API** | All service checks except Directory (domain-level application policies) |

 For each API:

@@ -49,7 +49,7 @@ For each API:
 3. Click **Enable**

 <Note>
-Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar, Gmail, Chat, and Drive checks will return no findings if the Cloud Identity API is not enabled.
+Both APIs must be enabled in the same GCP project that hosts the Service Account. All service checks except Directory will return no findings if the Cloud Identity API is not enabled.
 </Note>

 ### Step 3: Create a Service Account
@@ -178,7 +178,7 @@ If Prowler connects but returns empty results or permission errors for specific

 ### Policy API Checks Return No Findings

-If the Directory checks run successfully but the Calendar, Gmail, Chat, or Drive checks return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
+If the Directory checks run successfully but other service checks (Calendar, Chat, Drive, Gmail, Groups, Marketplace, Security, Sites) return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:

 - The **Cloud Identity API** is enabled in the GCP project hosting the Service Account (Step 2)
 - The scope `https://www.googleapis.com/auth/cloud-identity.policies.readonly` is included in the Domain-Wide Delegation OAuth scopes list in the Admin Console (Step 5)
@@ -0,0 +1,100 @@
+---
+title: 'StackIT Authentication'
+---
+
+Prowler authenticates with StackIT using a **service account key file**. The StackIT SDK signs the RSA challenge in the key file and mints/refreshes access tokens internally for the life of the scan, so no manual token rotation is needed.
+
+## Service Account Key
+
+StackIT uses RSA key-pair based service account keys. They are issued once, must be stored securely, and are read by the SDK on every scan to mint short-lived access tokens transparently.
+
+### Option 1: Create the Key via the StackIT Portal
+
+1. Open the [StackIT Portal](https://portal.stackit.cloud/) and select your project.
+2. In the left sidebar, click **Service Accounts**.
+3. Create a service account if you do not have one already. Assign:
+    - `iaas.viewer` for the IaaS security group checks currently shipped, or
+    - `project.owner` if you want to cover any future service Prowler adds.
+4. Open the service account and go to **Service Account Keys**.
+5. Click **Create key** and choose **STACKIT-generated key pair** (recommended). Download the resulting JSON file and store it securely (for example, `~/.stackit/sa-key.json`). The private material is only shown once.
+
+### Option 2: Create the Key via the StackIT CLI
+
+```bash
+# Install the StackIT CLI from https://github.com/stackitcloud/stackit-cli first
+stackit service-account key create --email my-service-account@example.com
+```
+
+## Project ID
+
+Your StackIT project ID is a UUID. You can find it in:
+
+1. The portal URL when viewing the project: `https://portal.stackit.cloud/projects/{PROJECT_ID}/...`
+2. The project settings page
+3. `stackit project list`
+
+## Passing Credentials to Prowler
+
+You can give Prowler either the **path** to the key file on disk or the **inline JSON content** of the key. Both go through the same StackIT SDK flow and refresh access tokens internally.
+
+### Option A: Key File Path (workstation, persistent agents)
+
+Recommended when the key is stored on disk.
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+Or as CLI flags:
+
+```bash
+prowler stackit \
+  --stackit-service-account-key-path ~/.stackit/sa-key.json \
+  --stackit-project-id 12345678-1234-1234-1234-123456789abc
+```
+
+<Note>
+Keep the key file outside of source control and lock it down with `chmod 600 ~/.stackit/sa-key.json`. Anyone with the JSON can mint access tokens for the service account.
+</Note>
+
+### Option B: Inline Key Content (CI/CD, secret managers)
+
+Recommended when the key is fetched at run time from a secret manager (GitHub Actions secret, AWS Secrets Manager, HashiCorp Vault, etc.) and you do not want to write it to disk.
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY="$(vault kv get -field=key stackit/sa)"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+<Note>
+Prefer the `STACKIT_SERVICE_ACCOUNT_KEY` environment variable over the matching CLI flag (`--stackit-service-account-key`); passing the secret on the command line leaks it through process listings and shell history.
+</Note>
+
+When both the inline content and a key path are set, the inline content wins.
+
+## Credential Lookup Order
+
+Prowler resolves credentials in this order:
+
+1. CLI arguments: `--stackit-service-account-key`, `--stackit-service-account-key-path`, `--stackit-project-id`
+2. Environment variables: `STACKIT_SERVICE_ACCOUNT_KEY`, `STACKIT_SERVICE_ACCOUNT_KEY_PATH`, `STACKIT_PROJECT_ID`
+
+When both the inline key and the key file path are set, the inline content takes precedence.
+
+## Token Lifetime
+
+Access tokens are minted on demand by the SDK from the key file and refreshed before they expire. There is nothing to rotate while Prowler is running.
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+|---------|--------------|-----|
+| `401 Unauthorized` during scan | Key file is missing fields, the public key is no longer registered, or the key was revoked | Re-issue the service account key in the StackIT portal and update `STACKIT_SERVICE_ACCOUNT_KEY_PATH` |
+| `403 Forbidden` during scan | Service account lacks role on the project | Re-check role assignment in the StackIT portal; `iaas.viewer` is the minimum for the shipped IaaS checks |
+| `StackIT project ID must be a valid UUID` | The project ID is not in UUID format | Copy the UUID from the portal URL or `stackit project list` |
+| `StackIT service account credentials are required` | None of the four credential inputs is set | Export `STACKIT_SERVICE_ACCOUNT_KEY_PATH` or `STACKIT_SERVICE_ACCOUNT_KEY` (or use their CLI counterparts) before running Prowler |
@@ -0,0 +1,141 @@
+---
+title: 'Getting Started With StackIT'
+---
+
+Prowler supports [StackIT](https://www.stackit.de/) from the CLI. This guide walks you through the requirements and how to run scans.
+
+<Note>
+StackIT support in Prowler is community-maintained. For commercial support or to request additional service coverage, [contact us](https://prowler.com/contact).
+</Note>
+
+## Prerequisites
+
+Before running Prowler with the StackIT provider, ensure you have:
+
+1. A StackIT account with at least one project
+2. A StackIT service account key file with permissions on the project (`iaas.viewer` is enough for the currently shipped IaaS checks; `project.owner` works for any future service). See the [Authentication guide](/user-guide/providers/stackit/authentication) for the full setup.
+3. Access to Prowler CLI (see [Installation](/getting-started/installation/prowler-cli))
+
+## Prowler CLI
+
+### Step 1: Point Prowler at the Service Account Key
+
+Prowler authenticates with a StackIT service account key. The SDK signs the RSA challenge in the key and refreshes access tokens internally for the life of the scan, so there is no manual token rotation.
+
+**On a workstation or persistent agent** (key on disk):
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+```
+
+**In CI/CD** (key in a secret manager, never written to disk):
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY="$(vault kv get -field=key stackit/sa)"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+```
+
+CLI flags work too:
+
+```bash
+prowler stackit \
+  --stackit-service-account-key-path ~/.stackit/sa-key.json \
+  --stackit-project-id 12345678-1234-1234-1234-123456789abc
+```
+
+<Note>
+For the inline key, prefer the `STACKIT_SERVICE_ACCOUNT_KEY` env var over the matching CLI flag; passing the secret on the command line leaks it through process listings and shell history.
+
+Keep the key file outside of source control and lock it down with `chmod 600 ~/.stackit/sa-key.json`. Anyone with the JSON can mint access tokens for the service account.
+</Note>
+
+### Step 2: Run Your First Scan
+
+```bash
+prowler stackit
+```
+
+Prowler will discover and audit the project's IaaS security groups across the available StackIT regions.
+
+**Scan specific regions:**
+
+```bash
+prowler stackit --stackit-region eu01 eu02
+```
+
+**Run specific security checks:**
+
+```bash
+prowler stackit --checks iaas_security_group_ssh_unrestricted
+
+# List all available checks
+prowler stackit --list-checks
+```
+
+**Filter by check severity:**
+
+```bash
+prowler stackit --severity critical high
+```
+
+**Generate specific output formats:**
+
+```bash
+# JSON only
+prowler stackit --output-modes json
+
+# CSV and HTML
+prowler stackit --output-modes csv html
+
+# Custom output directory
+prowler stackit --output-directory /path/to/reports/
+```
+
+**Use a mutelist to suppress findings:**
+
+```yaml
+# mutelist.yaml
+Mutelist:
+  Accounts:
+    "12345678-1234-1234-1234-123456789abc":
+      Checks:
+        iaas_security_group_ssh_unrestricted:
+          Regions:
+            - "*"
+          Resources:
+            - "test-sg-id"
+          Tags: []
+```
+
+```bash
+prowler stackit --mutelist-file mutelist.yaml
+```
+
+### Step 3: Review the Results
+
+Prowler outputs findings to the console and writes reports to the `output/` directory by default:
+
+- CSV: `output/prowler-output-stackit-{project_id}-{timestamp}.csv`
+- JSON: `output/prowler-output-stackit-{project_id}-{timestamp}.json`
+- HTML: `output/prowler-output-stackit-{project_id}-{timestamp}.html`
+
+## Supported StackIT Services
+
+| Service | StackIT API | Description | Example Checks |
+|---------|-------------|-------------|----------------|
+| **IaaS** | `iaas` | Virtual machines, network interfaces, security groups | `iaas_security_group_ssh_unrestricted`, `iaas_security_group_rdp_unrestricted`, `iaas_security_group_database_unrestricted`, `iaas_security_group_all_traffic_unrestricted` |
+
+Additional services will be added in future releases. Track progress in the [Prowler release notes](https://github.com/prowler-cloud/prowler/releases).
+
+## Troubleshooting
+
+### Authentication Errors
+
+If the scan fails with a 401 error, the service account key is no longer valid (revoked, rotated or the key file is incomplete). Re-issue the key in the [StackIT portal](https://portal.stackit.cloud/) and update `STACKIT_SERVICE_ACCOUNT_KEY_PATH`.
+
+### Permission Errors
+
+If checks fail with a 403 error, the service account is missing the required role on the project. Re-check the role assignment in the StackIT portal (`iaas.viewer` is the minimum for the shipped IaaS checks).
+
+For detailed setup steps, see the [Authentication guide](/user-guide/providers/stackit/authentication).
@@ -10,7 +10,7 @@ import { VersionBadge } from "/snippets/version-badge.mdx"
 Alerts notify recipients by email when security findings match saved filter conditions. Use Alerts to track high-priority findings, monitor specific providers or services, and keep teams informed about scan results that match defined criteria.

 <Note>
-This feature is available exclusively in **Prowler Cloud** with a paid subscription.
+This feature is available exclusively in **Prowler Cloud** and **Prowler Enterprise** with a [paid subscription](https://prowler.com/pricing).
 </Note>

 ## Prerequisites
@@ -18,7 +18,7 @@ Source: [`prowler-cloud/prowler`](https://github.com/prowler-cloud/prowler) · M
 | `provider` | yes | — | Cloud provider to scan (`aws`, `azure`, `gcp`, `github`, `kubernetes`, `iac`, `cloudflare`, etc.) |
 | `image-tag` | no | `stable` | Docker image tag — `stable` (latest release), `latest` (master, not stable), or `<x.y.z>` (pinned). See [available tags](https://hub.docker.com/r/prowlercloud/prowler/tags). |
 | `output-formats` | no | `json-ocsf` | Output format(s) for scan results. Space-separated (e.g. `sarif json-ocsf`) |
-| `push-to-cloud` | no | `false` | Push findings to [Prowler Cloud](/user-guide/tutorials/prowler-app-import-findings). When `true`, `PROWLER_CLOUD_API_KEY` is auto-forwarded |
+| `push-to-cloud` | no | `false` | Push findings to [Prowler Cloud](/user-guide/tutorials/prowler-import-findings). When `true`, `PROWLER_CLOUD_API_KEY` is auto-forwarded |
 | `flags` | no | `""` | Additional CLI flags (e.g. `--severity critical high`). Values with spaces can be quoted: `--resource-tag 'Environment=My Server'` |
 | `extra-env` | no | `""` | Space-, newline-, or comma-separated list of env var **names** to forward to the container (see [Authentication](#authentication)) |
 | `upload-sarif` | no | `false` | Upload SARIF results to GitHub Code Scanning |
@@ -43,7 +43,7 @@ Source: [`prowler-cloud/prowler`](https://github.com/prowler-cloud/prowler) · M

 ### Push findings to Prowler Cloud

-Send scan results directly to [Prowler Cloud](/user-guide/tutorials/prowler-app-import-findings) for centralized visibility, compliance tracking, and team collaboration.
+Send scan results directly to [Prowler Cloud](/user-guide/tutorials/prowler-import-findings) for centralized visibility, compliance tracking, and team collaboration.

 ```yaml
 - uses: prowler-cloud/prowler@5.25
@@ -47,7 +47,11 @@ Follow these steps to remove a user of your account:
 1. Navigate to **Users** from the side menu.
 2. Click the delete button of your current user.

-> **Note: Each user will be able to delete himself and not others, regardless of his permissions.**
+> **Note: Each user can only delete their own account, regardless of their permissions. For this reason, the delete button is only shown on your own row and not on other users' rows.**
+
+Deleting a user removes the **entire user account** from Prowler, not just its membership in your organization. Because a single account can belong to more than one tenant, allowing one administrator to delete it outright could affect organizations they don't manage and irreversibly remove another person's identity. To keep this destructive action under the control of the account owner, the API only permits a user to delete themselves (it rejects any other target with a `400` response), and the UI mirrors this by showing the delete button exclusively on your own row.
+
+To remove **another** user from your organization, use the [_Expel from organization_](/user-guide/tutorials/prowler-app-multi-tenant#expelling-a-user-from-an-organization) action instead. Expelling removes the user's membership, role grants, and active sessions for your tenant only, and deletes the underlying account just for that user if your organization was their last remaining membership. This action is reserved for tenant **owners**.

 <img src="/images/prowler-app/rbac/user_remove.png" alt="Remove User" width="700" />

@@ -239,7 +243,7 @@ To grant all administrative permissions, select the **Grant all admin permission

 The following permissions are available exclusively in **Prowler Cloud**:

-**Manage Ingestions:** Submit and manage findings ingestion jobs via the API. Required to upload OCSF scan results using the `--push-to-cloud` CLI flag or the ingestion endpoints. See [Import Findings](/user-guide/tutorials/prowler-app-import-findings) for details.
+**Manage Ingestions:** Submit and manage findings ingestion jobs via the API. Required to upload OCSF scan results using the `--push-to-cloud` CLI flag or the ingestion endpoints. See [Import Findings](/user-guide/tutorials/prowler-import-findings) for details.

 **Manage Billing:** Access and manage billing settings, subscription plans, and payment methods.

@@ -10,7 +10,7 @@ import { VersionBadge } from "/snippets/version-badge.mdx"
 Findings Ingestion enables uploading OCSF (Open Cybersecurity Schema Framework) scan results to Prowler Cloud. This feature supports importing findings from Prowler CLI output files that use the [Detection Finding](https://schema.ocsf.io/classes/detection_finding) class.

 <Note>
-This feature is available exclusively in **Prowler Cloud** with a paid subscription.
+This feature is available exclusively in **Prowler Cloud** and **Prowler Enterprise** with a [paid subscription](https://prowler.com/pricing).
 </Note>

 ## OCSF Detection Finding format
@@ -2,7 +2,7 @@

 > **Skills Reference**: See [`prowler-mcp`](../skills/prowler-mcp/SKILL.md)

-### Auto-invoke Skills
+## Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -68,7 +68,7 @@ Python 3.12+ | FastMCP 2.13.1 | httpx (async) | Pydantic | uv

 ## PROJECT STRUCTURE

-```
+```text
 mcp_server/prowler_mcp_server/
 ├── server.py                    # Main orchestration
 ├── prowler_hub/server.py        # Hub tools (no auth)
@@ -83,14 +83,14 @@ npm install --save-exact mcp-remote@0.1.38

 ### 2. Local STDIO Mode

-**Run the server locally on your machine**
+Run the server locally on your machine:

 - Runs as a subprocess of your MCP client
 - Requires Python 3.12+ or Docker

 ### 3. Self-Hosted HTTP Mode

-**Deploy your own remote MCP server**
+Deploy your own remote MCP server:

 - Full control over deployment
 - Requires Python 3.12+ or Docker
@@ -132,7 +132,7 @@ All tools follow a consistent naming pattern with prefixes:

 ## Architecture

-```
+```text
 prowler_mcp_server/
 ├── server.py                 # Main orchestrator (imports sub-servers with prefixes)
 ├── main.py                   # CLI entry point
@@ -154,17 +154,20 @@ prowler_mcp_server/

 The Prowler MCP Server enables powerful workflows through AI assistants:

-**Security Operations**
+### Security Operations
+
 - "Show me all critical findings from my AWS production accounts"
 - "Register my new AWS account in Prowler and run a scheduled scan every day"
 - "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"

-**Security Research**
+### Security Research
+
 - "Explain what the S3 bucket public access Prowler check does"
 - "Find all Prowler checks related to encryption at rest"
 - "What is the latest version of the CIS that Prowler is covering per provider?"

-**Documentation & Learning**
+### Documentation & Learning
+
 - "How do I configure Prowler to scan my GCP organization?"
 - "What authentication methods does Prowler support for Azure?"
 - "How can I contribute with a new security check to Prowler?"
@@ -28,12 +28,12 @@ This Terraform configuration creates the necessary IAM role and policies to allo

 ### Usage Examples

-#### Basic deployment (without S3 integration):
+#### Basic deployment (without S3 integration)
 ```bash
 terraform apply -var="external_id=your-external-id-here"
 ```

-#### With S3 integration enabled:
+#### With S3 integration enabled
 ```bash
 terraform apply \
  -var="external_id=your-external-id-here" \
@@ -42,14 +42,14 @@ terraform apply \
  -var="s3_integration_bucket_account_id=123456789012"
 ```

-#### Using terraform.tfvars file (Recommended):
+#### Using terraform.tfvars file (Recommended)
 ```bash
 cp terraform.tfvars.example terraform.tfvars
 # Edit the file with your values
 terraform apply
 ```

-#### Command line variables (Alternative):
+#### Command line variables (Alternative)
 ```bash
 terraform apply -var="external_id=your-external-id-here"
 ```
@@ -7,7 +7,7 @@
 > - [`prowler-compliance`](../skills/prowler-compliance/SKILL.md) - Compliance framework structure
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns

-### Auto-invoke Skills
+## Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -44,7 +44,7 @@ The Prowler SDK is the core Python engine powering cloud security assessments ac

 ### Provider Architecture

-```
+```text
 prowler/providers/{provider}/
 ├── {provider}_provider.py      # Main provider class
 ├── models.py                   # Provider-specific models
@@ -91,7 +91,7 @@ Python 3.10+ | uv | pytest | moto (AWS mocking) | Pre-commit hooks (black, flake

 ## PROJECT STRUCTURE

-```
+```text
 prowler/
 ├── __main__.py                # CLI entry point
 ├── config/                    # Global configuration
@@ -2,22 +2,51 @@

 All notable changes to the **Prowler SDK** are documented in this file.

-## [5.29.0] (Prowler UNRELEASED)
+## [5.29.3] (Prowler v5.29.3)
+
+### 🐞 Fixed
+
+- GCP `logging_sink_created` now recognizes organization-level aggregated sinks with `includeChildren=True`, avoiding false failures for covered projects [(#11355)](https://github.com/prowler-cloud/prowler/pull/11355)
+- GCP `logging_log_metric_filter_and_alert_*` checks now recognize organization-level aggregated sinks with `includeChildren=True`, no longer false-failing projects covered by a central bucket-scoped metric + alert [(#11488)](https://github.com/prowler-cloud/prowler/pull/11488)
+- Jira integration no longer fails with `400 INVALID_INPUT` when a finding has empty fields [(#11474)](https://github.com/prowler-cloud/prowler/pull/11474)
+- GCP `iam_service_account_unused` now passes disabled service accounts instead of failing them, since a disabled account cannot authenticate or be used [(#11467)](https://github.com/prowler-cloud/prowler/pull/11467)
+
+---
+
+## [5.29.1] (Prowler v5.29.1)
+
+### 🐞 Fixed
+
+- OCSF output writer now re-raises I/O errors (e.g. `ENOSPC`) instead of logging them per finding and leaving a truncated file [(#11421)](https://github.com/prowler-cloud/prowler/pull/11421)
+
+---
+
+## [5.29.0] (Prowler v5.29.0)

 ### 🚀 Added

 - `application` service for Okta provider with `application_admin_console_session_idle_timeout_15min`, `application_admin_console_mfa_required`, `application_admin_console_phishing_resistant_authentication`, `application_dashboard_mfa_required`, `application_dashboard_phishing_resistant_authentication`, and `application_authentication_policy_network_zone_enforced` checks [(#11358)](https://github.com/prowler-cloud/prowler/pull/11358)
 - AWS AI Security Framework compliance for AWS provider [(#11353)](https://github.com/prowler-cloud/prowler/pull/11353)
 - `storage_account_public_network_access_disabled` check for Azure provider and remapped the Azure CIS "Public Network Access is Disabled" requirements to it [(#11334)](https://github.com/prowler-cloud/prowler/pull/11334)
+- StackIT provider with service account key authentication [(#9237)](https://github.com/prowler-cloud/prowler/pull/9237)
+- 8 Rules service checks for Google Workspace provider using the Cloud Identity Policy API [(#11379)](https://github.com/prowler-cloud/prowler/pull/11379)
+- 12 Security service checks for Google Workspace provider using the Cloud Identity Policy API [(#11356)](https://github.com/prowler-cloud/prowler/pull/11356)
+
+### ⚠️ Deprecated
+
+- `s3_bucket_default_encryption` check for AWS provider since SSE-S3 is automatically applied to all S3 buckets by AWS as of January 5, 2023 and can no longer be disabled [(#11230)](https://github.com/prowler-cloud/prowler/pull/11230)

 ### 🐞 Fixed

+- Broken documentation URLs in Google Workspace check metadata [(#11405)](https://github.com/prowler-cloud/prowler/pull/11405)
 - ENS RD 311/2022 (AWS) compliance mapping: `vpc_different_regions` was uncorrectly mapped under the `mp.com.4` family (Network segregation). That check is now mapped to a new `op.cont.2.aws.vpc.1` requirement under the Continuity of Service control [(#11372)](https://github.com/prowler-cloud/prowler/pull/11372)
 - Compliance CSV row count now matches the UI per requirement by sourcing rows from the framework JSON's `requirement.Checks` instead of the stale `finding.compliance` snapshot [(#11370)](https://github.com/prowler-cloud/prowler/pull/11370)
+- OpenStack provider exception codes moved from the `10000-10999` range, shared with the AlibabaCloud provider, to the free `17000-17999` range to keep error codes unambiguous [(#11382)](https://github.com/prowler-cloud/prowler/pull/11382)
+- Azure provider authentication against sovereign clouds (`AzureChinaCloud`, `AzureUSGovernment`) [(#10284)](https://github.com/prowler-cloud/prowler/pull/10284)

 ---

-## [5.28.1] (Prowler 5.28.1)
+## [5.28.1] (Prowler v5.28.1)

 ### 🐞 Fixed

@@ -158,6 +158,7 @@ from prowler.providers.okta.models import OktaOutputOptions
 from prowler.providers.openstack.models import OpenStackOutputOptions
 from prowler.providers.oraclecloud.models import OCIOutputOptions
 from prowler.providers.scaleway.models import ScalewayOutputOptions
+from prowler.providers.stackit.models import StackITOutputOptions
 from prowler.providers.vercel.models import VercelOutputOptions


@@ -416,6 +417,10 @@ def prowler():
        output_options = OCIOutputOptions(
            args, bulk_checks_metadata, global_provider.identity
        )
+    elif provider == "stackit":
+        output_options = StackITOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )
    elif provider == "alibabacloud":
        output_options = AlibabaCloudOutputOptions(
            args, bulk_checks_metadata, global_provider.identity
@@ -1360,7 +1360,9 @@
    {
      "Id": "4.1.1.1",
      "Description": "Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users in administrative roles",
-      "Checks": [],
+      "Checks": [
+        "security_2sv_enforced"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1381,7 +1383,9 @@
    {
      "Id": "4.1.1.2",
      "Description": "Ensure hardware security keys are used for all users in administrative roles and other high-value accounts",
-      "Checks": [],
+      "Checks": [
+        "security_2sv_hardware_keys_admins"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1402,7 +1406,9 @@
    {
      "Id": "4.1.1.3",
      "Description": "Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users",
-      "Checks": [],
+      "Checks": [
+        "security_2sv_enforced"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1423,7 +1429,9 @@
    {
      "Id": "4.1.2.1",
      "Description": "Ensure Super Admin account recovery is disabled",
-      "Checks": [],
+      "Checks": [
+        "security_super_admin_recovery_disabled"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1444,7 +1452,9 @@
    {
      "Id": "4.1.2.2",
      "Description": "Ensure User account recovery is enabled",
-      "Checks": [],
+      "Checks": [
+        "security_user_recovery_enabled"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1465,7 +1475,9 @@
    {
      "Id": "4.1.3.1",
      "Description": "Ensure Advanced Protection Program is configured",
-      "Checks": [],
+      "Checks": [
+        "security_advanced_protection_configured"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1486,7 +1498,9 @@
    {
      "Id": "4.1.4.1",
      "Description": "Ensure login challenges are enforced",
-      "Checks": [],
+      "Checks": [
+        "security_login_challenges_configured"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1507,7 +1521,9 @@
    {
      "Id": "4.1.5.1",
      "Description": "Ensure password policy is configured for enhanced security",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1528,7 +1544,9 @@
    {
      "Id": "4.2.1.1",
      "Description": "Ensure application access to Google services is restricted",
-      "Checks": [],
+      "Checks": [
+        "security_app_access_restricted"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1570,7 +1588,9 @@
    {
      "Id": "4.2.1.3",
      "Description": "Ensure internal apps can access Google Workspace APIs",
-      "Checks": [],
+      "Checks": [
+        "security_internal_apps_trusted"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1633,7 +1653,9 @@
    {
      "Id": "4.2.3.1",
      "Description": "Ensure DLP policies for Google Drive are configured",
-      "Checks": [],
+      "Checks": [
+        "security_dlp_drive_rules_configured"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1654,7 +1676,9 @@
    {
      "Id": "4.2.4.1",
      "Description": "Ensure Google session control is configured",
-      "Checks": [],
+      "Checks": [
+        "security_session_duration_limited"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1696,7 +1720,9 @@
    {
      "Id": "4.2.6.1",
      "Description": "Ensure less secure app access is disabled",
-      "Checks": [],
+      "Checks": [
+        "security_less_secure_apps_disabled"
+      ],
      "Attributes": [
        {
          "Section": "4 Security",
@@ -1801,7 +1827,9 @@
    {
      "Id": "6.1",
      "Description": "Ensure User's password changed is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_password_changed_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1822,7 +1850,9 @@
    {
      "Id": "6.2",
      "Description": "Ensure Government-backed attacks is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_government_backed_attacks_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1843,7 +1873,9 @@
    {
      "Id": "6.3",
      "Description": "Ensure User suspended due to suspicious activity is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_activity_suspension_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1864,7 +1896,9 @@
    {
      "Id": "6.4",
      "Description": "Ensure User granted Admin privilege is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_admin_privilege_granted_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1885,7 +1919,9 @@
    {
      "Id": "6.5",
      "Description": "Ensure Suspicious programmatic login is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_programmatic_login_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1906,7 +1942,9 @@
    {
      "Id": "6.6",
      "Description": "Ensure Suspicious login is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_login_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1927,7 +1965,9 @@
    {
      "Id": "6.7",
      "Description": "Ensure Leaked password is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_leaked_password_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -1948,7 +1988,9 @@
    {
      "Id": "6.8",
      "Description": "Ensure Gmail potential employee spoofing is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_gmail_employee_spoofing_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "6 Rules",
@@ -8,7 +8,10 @@
    {
      "Id": "GWS.COMMONCONTROLS.1.1",
      "Description": "Phishing-resistant MFA SHALL be required for all users",
-      "Checks": [],
+      "Checks": [
+        "security_2sv_enforced",
+        "security_2sv_hardware_keys_admins"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -21,7 +24,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.1.2",
      "Description": "If phishing-resistant MFA is not yet tenable, an MFA method from the list of acceptable MFA methods SHALL be used as an interim solution",
-      "Checks": [],
+      "Checks": [
+        "security_2sv_enforced"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -112,7 +117,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.4.1",
      "Description": "Google Workspace sessions SHALL re-authenticate after 12 hours",
-      "Checks": [],
+      "Checks": [
+        "security_session_duration_limited"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -125,7 +132,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.5.1",
      "Description": "Password strength SHALL be enforced",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -138,7 +147,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.5.2",
      "Description": "Minimum password length SHALL be at least 12 characters",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -151,7 +162,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.5.3",
      "Description": "Minimum password length SHOULD be at least 15 characters",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -164,7 +177,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.5.4",
      "Description": "Password policy SHALL be enforced at next sign-in",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -177,7 +192,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.5.5",
      "Description": "Password reuse SHALL be restricted",
-      "Checks": [],
+      "Checks": [
+        "security_password_policy_strong"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -244,7 +261,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.8.1",
      "Description": "Account recovery for super admins SHALL be disabled",
-      "Checks": [],
+      "Checks": [
+        "security_super_admin_recovery_disabled"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -283,7 +302,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.9.1",
      "Description": "Privileged accounts SHALL be enrolled in the Advanced Protection Program",
-      "Checks": [],
+      "Checks": [
+        "security_advanced_protection_configured"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -296,7 +317,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.9.2",
      "Description": "Sensitive user accounts SHOULD be enrolled in the Advanced Protection Program",
-      "Checks": [],
+      "Checks": [
+        "security_advanced_protection_configured"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -361,7 +384,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.10.5",
      "Description": "Internal apps SHALL be allowed to access restricted Google Workspace APIs",
-      "Checks": [],
+      "Checks": [
+        "security_internal_apps_trusted"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -402,7 +427,16 @@
    {
      "Id": "GWS.COMMONCONTROLS.13.1",
      "Description": "All system-defined alerting rules SHALL be enabled with alerts sent to admin email addresses",
-      "Checks": [],
+      "Checks": [
+        "rules_password_changed_alert_configured",
+        "rules_government_backed_attacks_alert_configured",
+        "rules_suspicious_activity_suspension_alert_configured",
+        "rules_admin_privilege_granted_alert_configured",
+        "rules_suspicious_programmatic_login_alert_configured",
+        "rules_suspicious_login_alert_configured",
+        "rules_leaked_password_alert_configured",
+        "rules_gmail_employee_spoofing_alert_configured"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -506,7 +540,9 @@
    {
      "Id": "GWS.COMMONCONTROLS.18.1",
      "Description": "A DLP policy SHALL be configured for Drive",
-      "Checks": [],
+      "Checks": [
+        "security_dlp_drive_rules_configured"
+      ],
      "Attributes": [
        {
          "Section": "Common Controls",
@@ -48,7 +48,7 @@ class _MutableTimestamp:

 timestamp = _MutableTimestamp(datetime.today())
 timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
-prowler_version = "5.29.0"
+prowler_version = "5.29.3"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
@@ -78,6 +78,7 @@ class Provider(str, Enum):
    SCALEWAY = "scaleway"
    VERCEL = "vercel"
    OKTA = "okta"
+    STACKIT = "stackit"


 # Compliance
@@ -0,0 +1,26 @@
+### Project, Check and/or Region can be * to apply for all the cases.
+### Project == <StackIT Project ID>
+### Resources and tags are lists that can have either Regex or Keywords.
+### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
+### Use an alternation Regex to match one of multiple tags with "ORed" logic.
+### For each check you can except Projects, Regions, Resources and/or Tags.
+###########################  MUTELIST EXAMPLE  ###########################
+Mutelist:
+  Accounts:
+    "project_id_1":
+      Checks:
+        "iaas_security_group_ssh_unrestricted":
+          Regions:
+            - "*"
+          Resources:
+            - "sg-production-ssh"
+            - "sg-development-rdp"
+          Tags:
+            - "environment=dev"
+    "project_id_2":
+      Checks:
+        "*":
+          Regions:
+            - "eu01"
+          Resources:
+            - ".*-test$"
@@ -1230,6 +1230,31 @@ class CheckReportNHN(Check_Report):
        self.location = getattr(resource, "location", "kr1")


+@dataclass
+class CheckReportStackIT(Check_Report):
+    """Contains the StackIT Check's finding information."""
+
+    resource_name: str
+    resource_id: str
+    project_id: str
+    location: str
+
+    def __init__(self, metadata: Dict, resource: Any) -> None:
+        """Initialize the StackIT Check's finding information.
+
+        Args:
+            metadata: The metadata of the check.
+            resource: Basic information about the resource. Defaults to None.
+        """
+        super().__init__(metadata, resource)
+        self.resource_name = getattr(
+            resource, "name", getattr(resource, "resource_name", "")
+        )
+        self.resource_id = getattr(resource, "id", getattr(resource, "resource_id", ""))
+        self.project_id = getattr(resource, "project_id", "")
+        self.location = getattr(resource, "region", getattr(resource, "location", ""))
+
+
@dataclass
 class CheckReportOpenStack(Check_Report):
    """Contains the OpenStack Check's finding information."""
@@ -29,10 +29,10 @@ class ProwlerArgumentParser:
        self.parser = argparse.ArgumentParser(
            prog="prowler",
            formatter_class=RawTextHelpFormatter,
-            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel,dashboard,iac,image,llm} ...",
+            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,stackit,vercel,dashboard,iac,image,llm} ...",
            epilog="""
 Available Cloud Providers:
-  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel}
+  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,stackit,vercel}
    aws                 AWS Provider
    azure               Azure Provider
    gcp                 GCP Provider
@@ -44,6 +44,7 @@ Available Cloud Providers:
    cloudflare          Cloudflare Provider
    oraclecloud         Oracle Cloud Infrastructure Provider
    openstack           OpenStack Provider
+    stackit             StackIT Provider
    alibabacloud        Alibaba Cloud Provider
    iac                 IaC Provider
    llm                 LLM Provider (Beta)
@@ -342,6 +342,20 @@ class Finding(BaseModel):
                output_data["resource_uid"] = check_output.resource_id
                output_data["region"] = check_output.location

+            elif provider.type == "stackit":
+                output_data["auth_method"] = getattr(
+                    provider, "auth_method", "api_token"
+                )
+                output_data["account_uid"] = get_nested_attribute(
+                    provider, "identity.project_id"
+                )
+                output_data["account_name"] = get_nested_attribute(
+                    provider, "identity.project_name"
+                )
+                output_data["resource_name"] = check_output.resource_name
+                output_data["resource_uid"] = check_output.resource_id
+                output_data["region"] = check_output.location
+
            elif provider.type == "iac":
                output_data["auth_method"] = provider.auth_method
                provider_uid = getattr(provider, "provider_uid", None)
@@ -576,6 +590,8 @@ class Finding(BaseModel):
            finding.subscription = list(provider.identity.subscriptions.keys())[0]
        elif provider.type == "gcp":
            finding.project_id = list(provider.projects.keys())[0]
+        elif provider.type == "stackit":
+            finding.project_id = provider.identity.project_id
        elif provider.type == "iac":
            # For IaC, we don't have resource_line_range in the Finding model
            # It would need to be extracted from the resource metadata if needed
@@ -1076,6 +1076,73 @@ class HTML(Output):
            )
            return ""

+    @staticmethod
+    def get_stackit_assessment_summary(provider: Provider) -> str:
+        """
+        get_stackit_assessment_summary gets the HTML assessment summary for the StackIT provider
+
+        Args:
+            provider (Provider): the StackIT provider object
+
+        Returns:
+            str: HTML assessment summary for the StackIT provider
+        """
+        try:
+            project_id = getattr(provider.identity, "project_id", "unknown")
+            project_name = getattr(provider.identity, "project_name", "")
+            audited_regions = getattr(provider.identity, "audited_regions", set())
+
+            project_name_item = (
+                f"""
+                            <li class="list-group-item">
+                                <b>Project Name:</b> {project_name}
+                            </li>"""
+                if project_name
+                else ""
+            )
+
+            regions_item = (
+                f"""
+                            <li class="list-group-item">
+                                <b>Regions:</b> {", ".join(sorted(audited_regions))}
+                            </li>"""
+                if audited_regions
+                else ""
+            )
+
+            return f"""
+                <div class="col-md-2">
+                    <div class="card">
+                        <div class="card-header">
+                            StackIT Assessment Summary
+                        </div>
+                        <ul class="list-group list-group-flush">
+                            <li class="list-group-item">
+                                <b>Project ID:</b> {project_id}
+                            </li>
+                            {project_name_item}
+                            {regions_item}
+                        </ul>
+                    </div>
+                </div>
+                <div class="col-md-4">
+                    <div class="card">
+                        <div class="card-header">
+                            StackIT Credentials
+                        </div>
+                        <ul class="list-group list-group-flush">
+                            <li class="list-group-item">
+                                <b>Authentication Type:</b> Service Account Key
+                            </li>
+                        </ul>
+                    </div>
+                </div>"""
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+            )
+            return ""
+
    @staticmethod
    def get_cloudflare_assessment_summary(provider: Provider) -> str:
        """
@@ -229,7 +229,9 @@ class MarkdownToADFConverter:
        return node

    def _paragraph_with_text(self, text: str) -> Dict:
-        return {"type": "paragraph", "content": [self._create_text_node(text, None)]}
+        # ADF forbids empty text nodes; emit an empty paragraph instead.
+        content = [self._create_text_node(text, None)] if text else []
+        return {"type": "paragraph", "content": content}

    @staticmethod
    def _pop_mark(marks_stack: List[Dict], mark_type: str) -> None:
@@ -1118,6 +1120,18 @@ class Jira:
        tenant_info: str = "",
    ) -> dict:

+        # ADF forbids empty text nodes, so Jira rejects them with 400 INVALID_INPUT.
+        def _safe(value: str) -> str:
+            return value if (value and value.strip()) else "-"
+
+        check_id = _safe(check_id)
+        check_title = _safe(check_title)
+        status_extended = _safe(status_extended)
+        provider = _safe(provider)
+        region = _safe(region)
+        resource_uid = _safe(resource_uid)
+        resource_name = _safe(resource_name)
+
        table_rows = [
            {
                "type": "tableRow",
@@ -227,6 +227,10 @@ class OCSF(Output):
                            json_output = finding.json(exclude_none=True, indent=4)
                        self._file_descriptor.write(json_output)
                        self._file_descriptor.write(",")
+                    except OSError:
+                        # I/O errors (e.g. ENOSPC) are not recoverable per finding:
+                        # fail fast instead of logging once per finding.
+                        raise
                    except Exception as error:
                        logger.error(
                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -239,6 +243,10 @@ class OCSF(Output):
                    self._file_descriptor.truncate()
                    self._file_descriptor.write("]")
                    self._file_descriptor.close()
+        except OSError:
+            # Propagate unrecoverable I/O errors (e.g. ENOSPC) so the caller can
+            # fail fast instead of producing a corrupt output file.
+            raise
        except Exception as error:
            logger.error(
                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -24,6 +24,8 @@ def stdout_report(finding, color, verbose, status, fix):
        details = finding.location
    if finding.check_metadata.Provider == "nhn":
        details = finding.location
+    if finding.check_metadata.Provider == "stackit":
+        details = finding.location
    if finding.check_metadata.Provider == "llm":
        details = finding.check_metadata.CheckID
    if finding.check_metadata.Provider == "iac":
@@ -70,6 +70,13 @@ def display_summary_table(
        elif provider.type == "nhn":
            entity_type = "Tenant Domain"
            audited_entities = provider.identity.tenant_domain
+        elif provider.type == "stackit":
+            if provider.identity.project_name:
+                entity_type = "Project"
+                audited_entities = provider.identity.project_name
+            else:
+                entity_type = "Project ID"
+                audited_entities = provider.identity.project_id
        elif provider.type == "iac":
            if provider.scan_repository_url:
                entity_type = "Repository"
@@ -1,7 +1,7 @@
 {
  "Provider": "aws",
  "CheckID": "s3_bucket_default_encryption",
-  "CheckTitle": "S3 bucket has default server-side encryption (SSE) enabled",
+  "CheckTitle": "[DEPRECATED] S3 bucket has default server-side encryption (SSE) enabled",
  "CheckType": [
    "Software and Configuration Checks/AWS Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
@@ -14,13 +14,11 @@
  "Severity": "medium",
  "ResourceType": "AwsS3Bucket",
  "ResourceGroup": "storage",
-  "Description": "**Amazon S3 buckets** have a default **server-side encryption** setting that automatically encrypts new objects using `SSE-S3` or `SSE-KMS`. This evaluates whether a bucket has a default encryption configuration defined.",
+  "Description": "[DEPRECATED] **Amazon S3 buckets** have a default **server-side encryption** setting that automatically encrypts new objects using `SSE-S3` or `SSE-KMS`. This evaluates whether a bucket has a default encryption configuration defined.",
  "Risk": "Without default encryption, older objects may remain unencrypted and new uploads won't be forced to use `SSE-KMS`. This reduces confidentiality and governance by limiting key audit logs, rotation, and cross-account controls, and increases exposure if data is copied, replicated, or accessed outside intended paths.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://docs.amazonaws.cn/en_us/AmazonS3/latest/userguide/bucket-encryption.html",
-    "https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/",
-    "https://docs.aws.amazon.com/us_en/AmazonS3/latest/userguide/default-encryption-faq.html"
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html"
  ],
  "Remediation": {
    "Code": {
@@ -39,5 +37,5 @@
  ],
  "DependsOn": [],
  "RelatedTo": [],
-  "Notes": ""
+  "Notes": "This check is being deprecated since AWS automatically applies SSE-S3 to every S3 bucket (both new buckets and previously-unencrypted existing buckets) as of January 5, 2023, and encryption can no longer be disabled. For SSE-KMS validation, use `s3_bucket_kms_encryption` instead."
 }
@@ -241,7 +241,10 @@ class AzureProvider(Provider):
        azure_credentials = None
        if tenant_id and client_id and client_secret:
            azure_credentials = self.validate_static_credentials(
-                tenant_id=tenant_id, client_id=client_id, client_secret=client_secret
+                tenant_id=tenant_id,
+                client_id=client_id,
+                client_secret=client_secret,
+                region_config=self._region_config,
            )

        # Set up the Azure session
@@ -410,6 +413,9 @@ class AzureProvider(Provider):
                authority=config["authority"],
                base_url=config["base_url"],
                credential_scopes=config["credential_scopes"],
+                graph_host=config["graph_host"],
+                graph_scope=config["graph_scope"],
+                logs_endpoint=config["logs_endpoint"],
            )
        except ArgumentTypeError as validation_error:
            logger.error(
@@ -507,6 +513,7 @@ class AzureProvider(Provider):
                            tenant_id=azure_credentials["tenant_id"],
                            client_id=azure_credentials["client_id"],
                            client_secret=azure_credentials["client_secret"],
+                            authority=region_config.authority,
                        )
                        return credentials
                    except ClientAuthenticationError as error:
@@ -579,7 +586,10 @@ class AzureProvider(Provider):
                )
        else:
            try:
-                credentials = InteractiveBrowserCredential(tenant_id=tenant_id)
+                credentials = InteractiveBrowserCredential(
+                    tenant_id=tenant_id,
+                    authority=region_config.authority,
+                )
            except Exception as error:
                logger.critical(
                    "Failed to retrieve azure credentials using browser authentication"
@@ -662,6 +672,7 @@ class AzureProvider(Provider):
                    tenant_id=tenant_id,
                    client_id=client_id,
                    client_secret=client_secret,
+                    region_config=region_config,
                )

            # Set up the Azure session
@@ -675,7 +686,11 @@ class AzureProvider(Provider):
                region_config,
            )
            # Create a SubscriptionClient
-            subscription_client = SubscriptionClient(credentials)
+            subscription_client = SubscriptionClient(
+                credentials,
+                base_url=region_config.base_url,
+                credential_scopes=region_config.credential_scopes,
+            )

            # Get info from the subscriptions
            available_subscriptions = []
@@ -1039,7 +1054,11 @@ class AzureProvider(Provider):
            }
        """
        credentials = self.session
-        subscription_client = SubscriptionClient(credentials)
+        subscription_client = SubscriptionClient(
+            credentials,
+            base_url=self.region_config.base_url,
+            credential_scopes=self.region_config.credential_scopes,
+        )
        locations = {}

        for subscription_id, display_name in self._identity.subscriptions.items():
@@ -1084,7 +1103,10 @@ class AzureProvider(Provider):

    @staticmethod
    def validate_static_credentials(
-        tenant_id: str = None, client_id: str = None, client_secret: str = None
+        tenant_id: str = None,
+        client_id: str = None,
+        client_secret: str = None,
+        region_config: AzureRegionConfig = None,
    ) -> dict:
        """
        Validates the static credentials for the Azure provider.
@@ -1093,6 +1115,9 @@ class AzureProvider(Provider):
            tenant_id (str): The Azure Active Directory tenant ID.
            client_id (str): The Azure client ID.
            client_secret (str): The Azure client secret.
+            region_config (AzureRegionConfig): The region configuration used to
+                build the per-cloud login endpoint and Graph scope. Defaults to
+                the public-cloud configuration when not provided.

        Raises:
            AzureNotValidTenantIdError: If the provided Azure Tenant ID is not valid.
@@ -1129,8 +1154,13 @@ class AzureProvider(Provider):
                message="The provided Azure Client Secret is not valid.",
            )

+        if region_config is None:
+            region_config = AzureProvider.setup_region_config("AzureCloud")
+
        try:
-            AzureProvider.verify_client(tenant_id, client_id, client_secret)
+            AzureProvider.verify_client(
+                tenant_id, client_id, client_secret, region_config
+            )
            return {
                "tenant_id": tenant_id,
                "client_id": client_id,
@@ -1162,7 +1192,9 @@ class AzureProvider(Provider):
            )

    @staticmethod
-    def verify_client(tenant_id, client_id, client_secret) -> None:
+    def verify_client(
+        tenant_id, client_id, client_secret, region_config: AzureRegionConfig = None
+    ) -> None:
        """
        Verifies the Azure client credentials using the specified tenant ID, client ID, and client secret.

@@ -1170,6 +1202,9 @@ class AzureProvider(Provider):
            tenant_id (str): The Azure Active Directory tenant ID.
            client_id (str): The Azure client ID.
            client_secret (str): The Azure client secret.
+            region_config (AzureRegionConfig): The region configuration used to
+                build the per-cloud login endpoint and Graph scope. Defaults to
+                the public-cloud configuration when not provided.

        Raises:
            AzureNotValidTenantIdError: If the provided Azure Tenant ID is not valid.
@@ -1179,7 +1214,13 @@ class AzureProvider(Provider):
        Returns:
            None
        """
-        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+        if region_config is None:
+            region_config = AzureProvider.setup_region_config("AzureCloud")
+        # `authority` is None for the public cloud and a bare host (e.g.
+        # `login.chinacloudapi.cn`) for sovereign clouds, mirroring the
+        # `AzureAuthorityHosts` constants used by azure-identity.
+        login_endpoint = region_config.authority or "login.microsoftonline.com"
+        url = f"https://{login_endpoint}/{tenant_id}/oauth2/v2.0/token"
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
@@ -1188,7 +1229,7 @@ class AzureProvider(Provider):
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
-            "scope": "https://graph.microsoft.com/.default",
+            "scope": region_config.graph_scope,
        }
        response = requests.post(url, headers=headers, data=data).json()
        if "access_token" not in response.keys() and "error_codes" in response.keys():
@@ -4,6 +4,18 @@ AZURE_CHINA_CLOUD = "https://management.chinacloudapi.cn"
 AZURE_US_GOV_CLOUD = "https://management.usgovcloudapi.net"
 AZURE_GENERIC_CLOUD = "https://management.azure.com"

+AZURE_GENERIC_GRAPH_HOST = "https://graph.microsoft.com"
+AZURE_CHINA_GRAPH_HOST = "https://microsoftgraph.chinacloudapi.cn"
+AZURE_US_GOV_GRAPH_HOST = "https://graph.microsoft.us"
+
+AZURE_GENERIC_GRAPH_SCOPE = f"{AZURE_GENERIC_GRAPH_HOST}/.default"
+AZURE_CHINA_GRAPH_SCOPE = f"{AZURE_CHINA_GRAPH_HOST}/.default"
+AZURE_US_GOV_GRAPH_SCOPE = f"{AZURE_US_GOV_GRAPH_HOST}/.default"
+
+AZURE_GENERIC_LOGS_ENDPOINT = "https://api.loganalytics.io"
+AZURE_CHINA_LOGS_ENDPOINT = "https://api.loganalytics.azure.cn"
+AZURE_US_GOV_LOGS_ENDPOINT = "https://api.loganalytics.us"
+

 def get_regions_config(region):
    allowed_regions = {
@@ -11,16 +23,25 @@ def get_regions_config(region):
            "authority": None,
            "base_url": AZURE_GENERIC_CLOUD,
            "credential_scopes": [AZURE_GENERIC_CLOUD + "/.default"],
+            "graph_host": AZURE_GENERIC_GRAPH_HOST,
+            "graph_scope": AZURE_GENERIC_GRAPH_SCOPE,
+            "logs_endpoint": AZURE_GENERIC_LOGS_ENDPOINT,
        },
        "AzureChinaCloud": {
            "authority": AzureAuthorityHosts.AZURE_CHINA,
            "base_url": AZURE_CHINA_CLOUD,
            "credential_scopes": [AZURE_CHINA_CLOUD + "/.default"],
+            "graph_host": AZURE_CHINA_GRAPH_HOST,
+            "graph_scope": AZURE_CHINA_GRAPH_SCOPE,
+            "logs_endpoint": AZURE_CHINA_LOGS_ENDPOINT,
        },
        "AzureUSGovernment": {
            "authority": AzureAuthorityHosts.AZURE_GOVERNMENT,
            "base_url": AZURE_US_GOV_CLOUD,
            "credential_scopes": [AZURE_US_GOV_CLOUD + "/.default"],
+            "graph_host": AZURE_US_GOV_GRAPH_HOST,
+            "graph_scope": AZURE_US_GOV_GRAPH_SCOPE,
+            "logs_endpoint": AZURE_US_GOV_LOGS_ENDPOINT,
        },
    }
    return allowed_regions[region]
@@ -1,5 +1,11 @@
 from concurrent.futures import ThreadPoolExecutor, as_completed

+from kiota_authentication_azure.azure_identity_authentication_provider import (
+    AzureIdentityAuthenticationProvider,
+)
+from msgraph.graph_request_adapter import GraphRequestAdapter
+from msgraph_core import GraphClientFactory
+
 from prowler.lib.logger import logger
 from prowler.providers.azure.azure_provider import AzureProvider

@@ -47,10 +53,32 @@ class AzureService:
        clients = {}
        try:
            if "GraphServiceClient" in str(service):
-                clients.update({identity.tenant_domain: service(credentials=session)})
+                # GraphServiceClient(credentials, scopes=...) only customises the
+                # OAuth scope; the underlying httpx client's base URL stays at
+                # graph.microsoft.com. For sovereign clouds we must also point
+                # the HTTP transport at the per-cloud host, which is done by
+                # building a custom GraphRequestAdapter with a NationalClouds
+                # base URL.
+                auth_provider = AzureIdentityAuthenticationProvider(
+                    session, scopes=[region_config.graph_scope]
+                )
+                http_client = GraphClientFactory.create_with_default_middleware(
+                    host=region_config.graph_host
+                )
+                request_adapter = GraphRequestAdapter(auth_provider, client=http_client)
+                clients.update(
+                    {identity.tenant_domain: service(request_adapter=request_adapter)}
+                )
            elif "LogsQueryClient" in str(service):
                for subscription_id, display_name in identity.subscriptions.items():
-                    clients.update({subscription_id: service(credential=session)})
+                    clients.update(
+                        {
+                            subscription_id: service(
+                                credential=session,
+                                endpoint=region_config.logs_endpoint,
+                            )
+                        }
+                    )
            else:
                for subscription_id, display_name in identity.subscriptions.items():
                    clients.update(
@@ -20,6 +20,9 @@ class AzureRegionConfig(BaseModel):
    authority: Optional[str] = None
    base_url: str = ""
    credential_scopes: list = []
+    graph_host: str = "https://graph.microsoft.com"
+    graph_scope: str = "https://graph.microsoft.com/.default"
+    logs_endpoint: str = "https://api.loganalytics.io"


 class AzureSubscription(BaseModel):
@@ -256,6 +256,25 @@ class Provider(ABC):
                        mutelist_path=arguments.mutelist_file,
                        fixer_config=fixer_config,
                    )
+                elif "stackit" in provider_class_name.lower():
+                    provider_class(
+                        project_id=arguments.stackit_project_id,
+                        service_account_key_path=getattr(
+                            arguments, "stackit_service_account_key_path", None
+                        ),
+                        service_account_key=getattr(
+                            arguments, "stackit_service_account_key", None
+                        ),
+                        regions=(
+                            set(arguments.stackit_region)
+                            if arguments.stackit_region
+                            else None
+                        ),
+                        scan_unused_services=arguments.scan_unused_services,
+                        config_path=arguments.config_file,
+                        mutelist_path=arguments.mutelist_file,
+                        fixer_config=fixer_config,
+                    )
                elif "github" in provider_class_name.lower():
                    orgs = []
                    repos = []
@@ -37,6 +37,7 @@ class IAM(GCPService):
                                display_name=account.get("displayName", ""),
                                project_id=project_id,
                                uniqueId=account.get("uniqueId", ""),
+                                disabled=account.get("disabled", False),
                            )
                        )

@@ -102,6 +103,7 @@ class ServiceAccount(BaseModel):
    keys: list[Key] = []
    project_id: str
    uniqueId: str
+    disabled: bool = False


 class AccessApproval(GCPService):
@@ -19,7 +19,12 @@ class iam_service_account_unused(Check):
                resource_id=account.email,
                location=iam_client.region,
            )
-            if account.uniqueId in sa_ids_used:
+            if account.disabled:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Service Account {account.email} is disabled and cannot be used."
+                )
+            elif account.uniqueId in sa_ids_used:
                report.status = "PASS"
                report.status_extended = f"Service Account {account.email} was used over the last {max_unused_days} days."
            else:
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -10,12 +13,10 @@ class logging_log_metric_filter_and_alert_for_audit_configuration_changes_enable
 ):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -33,6 +34,11 @@ class logging_log_metric_filter_and_alert_for_audit_configuration_changes_enable
                            break
                findings.append(report)

+        # Credit projects whose logs are centrally monitored via an org-level
+        # aggregated sink to a bucket-scoped metric + alert (instead of failing them).
+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -46,8 +52,12 @@ class logging_log_metric_filter_and_alert_for_audit_configuration_changes_enable
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                metric_name = getattr(metric, "name", None) or "unknown"
                report = Check_Report_GCP(
                    metadata=self.metadata(),
@@ -36,6 +37,9 @@ class logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled(
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                project_obj = logging_client.projects.get(project)
@@ -46,8 +50,12 @@ class logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled(
                    location=logging_client.region,
                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -10,9 +13,10 @@ class logging_log_metric_filter_and_alert_for_compute_configuration_changes_enab
 ):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'protoPayload.serviceName="compute.googleapis.com"'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if 'protoPayload.serviceName="compute.googleapis.com"' in metric.filter:
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -30,6 +34,9 @@ class logging_log_metric_filter_and_alert_for_compute_configuration_changes_enab
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -43,8 +50,12 @@ class logging_log_metric_filter_and_alert_for_compute_configuration_changes_enab
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated for Compute Engine configuration changes in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated for Compute Engine configuration changes in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_custom_role_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -31,6 +32,9 @@ class logging_log_metric_filter_and_alert_for_custom_role_changes_enabled(Check)
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -44,8 +48,12 @@ class logging_log_metric_filter_and_alert_for_custom_role_changes_enabled(Check)
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                metric_name = getattr(metric, "name", None) or "unknown"
                report = Check_Report_GCP(
                    metadata=self.metadata(),
@@ -36,6 +37,9 @@ class logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled(
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                project_obj = logging_client.projects.get(project)
@@ -47,8 +51,12 @@ class logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled(
                    location=logging_client.region,
                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -10,9 +13,10 @@ class logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes
 ):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'protoPayload.methodName="cloudsql.instances.update"'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if 'protoPayload.methodName="cloudsql.instances.update"' in metric.filter:
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -30,6 +34,9 @@ class logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -43,8 +50,12 @@ class logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete")'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete")'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -31,6 +32,9 @@ class logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled(
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -44,8 +48,12 @@ class logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled(
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -31,6 +32,9 @@ class logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled(Check)
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -44,8 +48,12 @@ class logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled(Check)
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -1,5 +1,8 @@
 from prowler.lib.check.models import Check, Check_Report_GCP
 from prowler.providers.gcp.services.logging.logging_client import logging_client
+from prowler.providers.gcp.services.logging.logging_service import (
+    get_projects_covered_by_aggregated_metric,
+)
 from prowler.providers.gcp.services.monitoring.monitoring_client import (
    monitoring_client,
 )
@@ -8,12 +11,10 @@ from prowler.providers.gcp.services.monitoring.monitoring_client import (
 class logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+        metric_filter = 'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")'
        projects_with_metric = set()
        for metric in logging_client.metrics:
-            if (
-                'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")'
-                in metric.filter
-            ):
+            if metric_filter in metric.filter:
                report = Check_Report_GCP(
                    metadata=self.metadata(),
                    resource=metric,
@@ -31,6 +32,9 @@ class logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled(
                            break
                findings.append(report)

+        centrally_covered = get_projects_covered_by_aggregated_metric(
+            logging_client, monitoring_client, metric_filter
+        )
        for project in logging_client.project_ids:
            if project not in projects_with_metric:
                report = Check_Report_GCP(
@@ -44,8 +48,12 @@ class logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled(
                        else "GCP Project"
                    ),
                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
+                if project in centrally_covered:
+                    report.status = "PASS"
+                    report.status_extended = f"Log metric filter {centrally_covered[project]} found with an alert, covering project {project} via an organization-level aggregated sink."
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There are no log metric filters or alerts associated in project {project}."
                findings.append(report)

        return findings
@@ -12,6 +12,7 @@ class Logging(GCPService):
        self.sinks = []
        self.metrics = []
        self._get_sinks()
+        self._get_org_sinks()
        self._get_metrics()

    def _get_sinks(self):
@@ -39,6 +40,38 @@ class Logging(GCPService):
                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                )

+    def _get_org_sinks(self):
+        """Fetch org-level sinks with includeChildren so child projects are not falsely failed."""
+        org_ids = set()
+        for project in self.projects.values():
+            if project.organization:
+                org_ids.add(project.organization.id)
+
+        for org_id in org_ids:
+            try:
+                request = self.client.sinks().list(parent=f"organizations/{org_id}")
+                while request is not None:
+                    response = request.execute(num_retries=DEFAULT_RETRY_ATTEMPTS)
+
+                    for sink in response.get("sinks", []):
+                        self.sinks.append(
+                            Sink(
+                                name=sink["name"],
+                                destination=sink["destination"],
+                                filter=sink.get("filter", "all"),
+                                project_id=f"organizations/{org_id}",
+                                include_children=sink.get("includeChildren", False),
+                            )
+                        )
+
+                    request = self.client.sinks().list_next(
+                        previous_request=request, previous_response=response
+                    )
+            except Exception as error:
+                logger.error(
+                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+
    def _get_metrics(self):
        for project_id in self.project_ids:
            try:
@@ -57,6 +90,7 @@ class Logging(GCPService):
                                type=metric["metricDescriptor"]["type"],
                                filter=metric["filter"],
                                project_id=project_id,
+                                bucket_name=metric.get("bucketName", ""),
                            )
                        )

@@ -76,6 +110,7 @@ class Sink(BaseModel):
    destination: str
    filter: str
    project_id: str
+    include_children: bool = False


 class Metric(BaseModel):
@@ -83,3 +118,59 @@ class Metric(BaseModel):
    type: str
    filter: str
    project_id: str
+    bucket_name: str = ""
+
+
+def get_projects_covered_by_aggregated_metric(
+    logging_client, monitoring_client, metric_filter
+):
+    """Return {project_id: metric_name} for scanned projects whose logs are routed,
+    via an organization-level sink with includeChildren=True, to a bucket that holds
+    a bucket-scoped log metric matching ``metric_filter`` that has an alert policy.
+
+    The CIS GCP logging-metric checks are written per-project, but a common (and
+    recommended) topology centralizes monitoring: an org-level aggregated sink ships
+    every child project's logs into one bucket, where a single bucket-scoped metric
+    + alert covers them all. Without crediting that, those child projects are falsely
+    failed. Mirrors the org-sink handling already in ``logging_sink_created`` (#11355).
+    """
+    # Buckets that hold a matching, alerted, bucket-scoped metric -> metric name.
+    bucket_to_metric = {}
+    for metric in logging_client.metrics:
+        if not getattr(metric, "bucket_name", ""):
+            continue
+        if metric_filter not in metric.filter:
+            continue
+        if any(
+            metric.name in policy_filter
+            for alert_policy in monitoring_client.alert_policies
+            for policy_filter in alert_policy.filters
+        ):
+            bucket_to_metric[metric.bucket_name] = metric.name
+    if not bucket_to_metric:
+        return {}
+
+    # Org resources whose includeChildren sink targets one of those buckets.
+    org_to_metric = {}
+    for sink in logging_client.sinks:
+        if not getattr(sink, "include_children", False):
+            continue
+        if getattr(sink, "filter", "all") != "all":
+            continue
+        for bucket, metric_name in bucket_to_metric.items():
+            # sink.destination e.g. "logging.googleapis.com/projects/.../buckets/X";
+            # metric.bucket_name e.g. "projects/.../buckets/X".
+            if sink.destination.endswith(bucket):
+                org_to_metric[sink.project_id] = metric_name
+                break
+    if not org_to_metric:
+        return {}
+
+    # Scanned projects sitting under a covering organization.
+    covered = {}
+    for project_id in logging_client.project_ids:
+        project = logging_client.projects.get(project_id)
+        organization = getattr(project, "organization", None) if project else None
+        if organization and f"organizations/{organization.id}" in org_to_metric:
+            covered[project_id] = org_to_metric[f"organizations/{organization.id}"]
+    return covered
@@ -5,26 +5,30 @@ from prowler.providers.gcp.services.logging.logging_client import logging_client
 class logging_sink_created(Check):
    def execute(self) -> Check_Report_GCP:
        findings = []
+
+        # Map project_id -> sink for direct project-level sinks
        projects_with_logging_sink = {}
        for sink in logging_client.sinks:
-            if sink.filter == "all":
+            if sink.filter == "all" and not sink.include_children:
                projects_with_logging_sink[sink.project_id] = sink

+        # Collect org resource names that have a covering sink (includeChildren=True)
+        covering_org_sinks = {}
+        for sink in logging_client.sinks:
+            if sink.filter == "all" and sink.include_children:
+                covering_org_sinks[sink.project_id] = sink
+
        for project in logging_client.project_ids:
-            if project not in projects_with_logging_sink.keys():
-                project_obj = logging_client.projects.get(project)
-                report = Check_Report_GCP(
-                    metadata=self.metadata(),
-                    resource=project_obj,
-                    resource_id=project,
-                    project_id=project,
-                    location=logging_client.region,
-                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
-                )
-                report.status = "FAIL"
-                report.status_extended = f"There are no logging sinks to export copies of all the log entries in project {project}."
-                findings.append(report)
-            else:
+            project_obj = logging_client.projects.get(project)
+
+            # Determine whether this project is covered by an org-level sink
+            org = getattr(project_obj, "organization", None) if project_obj else None
+            org_resource = f"organizations/{org.id}" if org else None
+            covering_sink = (
+                covering_org_sinks.get(org_resource) if org_resource else None
+            )
+
+            if project in projects_with_logging_sink:
                sink = projects_with_logging_sink[project]
                sink_name = getattr(sink, "name", None) or "unknown"
                report = Check_Report_GCP(
@@ -40,4 +44,31 @@ class logging_sink_created(Check):
                report.status = "PASS"
                report.status_extended = f"Sink {sink_name} is enabled exporting copies of all the log entries in project {project}."
                findings.append(report)
+            elif covering_sink:
+                sink_name = getattr(covering_sink, "name", None) or "unknown"
+                report = Check_Report_GCP(
+                    metadata=self.metadata(),
+                    resource=covering_sink,
+                    resource_id=sink_name,
+                    project_id=project,
+                    location=logging_client.region,
+                    resource_name=(
+                        sink_name if sink_name != "unknown" else "Logging Sink"
+                    ),
+                )
+                report.status = "PASS"
+                report.status_extended = f"Sink {sink_name} at organization level is exporting copies of all the log entries in project {project}."
+                findings.append(report)
+            else:
+                report = Check_Report_GCP(
+                    metadata=self.metadata(),
+                    resource=project_obj,
+                    resource_id=project,
+                    project_id=project,
+                    location=logging_client.region,
+                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
+                )
+                report.status = "FAIL"
+                report.status_extended = f"There are no logging sinks to export copies of all the log entries in project {project}."
+                findings.append(report)
        return findings
@@ -13,8 +13,8 @@
  "Risk": "When external Google Groups access is enabled, users can access and participate in groups created **outside the organization**, potentially exposing them to **phishing, social engineering, or data leakage** through unmanaged external group communications.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/181865",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/users/advanced/turn-on-or-off-additional-google-services",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,9 +13,8 @@
  "Risk": "Without external invitation warnings, users may unintentionally include **external guests** in internal meetings, exposing **confidential meeting details**, agendas, and internal attendee lists to unauthorized parties. This is a common vector for inadvertent data leakage through everyday calendar actions.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/6329284",
-    "https://knowledge.workspace.google.com/admin/calendar/set-google-calendar-sharing-options",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/calendar/allow-external-invitations-in-google-calendar-events",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,9 +13,8 @@
  "Risk": "Overly permissive external sharing of primary calendars exposes **sensitive meeting metadata** — titles, attendees, locations, and descriptions — to users outside the organization. This increases the risk of **information disclosure**, **social engineering**, and **targeted phishing** based on insights into organizational activities.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60765",
    "https://knowledge.workspace.google.com/admin/calendar/set-google-calendar-sharing-options",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,9 +13,8 @@
  "Risk": "Overly permissive external sharing of secondary calendars exposes **project-specific or team-specific event details** to users outside the organization. Because secondary calendars often hold more targeted activities (e.g., product launches, internal reviews), unrestricted external sharing increases the risk of **information disclosure** and **competitive intelligence leakage**.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60765",
    "https://knowledge.workspace.google.com/admin/calendar/set-google-calendar-sharing-options",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Unrestricted Chat app installation allows **unvetted third-party applications** to access user data including conversation content and organizational information. An attacker could distribute a malicious Chat app to **exfiltrate confidential data** or establish **persistent access** to internal communications.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/6089179",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/apps/manage-the-marketplace-app-allowlist-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Enabled external file sharing allows users to send files containing **confidential information** to external parties through Chat. This creates a **data leakage** channel that bypasses DLP controls, particularly dangerous for organizations handling **regulated data** such as PII, PHI, or financial records.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/chat/set-up-chat-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Unrestricted external messaging allows users to communicate freely with **any external party**, increasing the risk of **data exfiltration** through conversation content and **social engineering attacks** from untrusted domains targeting internal users.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/chat/set-up-chat-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Unrestricted external spaces allow users to add **anyone from any domain** to persistent group conversations. This increases the risk of **confidential information exposure** in shared spaces and enables **unauthorized external access** to ongoing organizational discussions.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/chat/set-up-chat-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Exposed webhook URLs allow **unauthorized content injection** into Chat spaces. Attackers can send **fraudulent or misleading messages** that appear to come from trusted services, creating a vector for **social engineering** and **phishing** within internal communications.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/6089179",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/apps/manage-the-marketplace-app-allowlist-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Unrestricted internal file sharing in Chat allows files with **sensitive information** to be distributed freely without passing through approved channels. This undermines **data governance** and **audit trail** requirements, making it harder to track data movement within the organization.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/chat/set-up-chat-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -14,7 +14,7 @@
  "RelatedUrl": "",
  "AdditionalURLs": [
    "https://knowledge.workspace.google.com/admin/users/prebuilt-administrator-roles",
-    "https://support.google.com/a/answer/9011373"
+    "https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts"
  ],
  "Remediation": {
    "Code": {
@@ -14,7 +14,7 @@
  "RelatedUrl": "",
  "AdditionalURLs": [
    "https://knowledge.workspace.google.com/admin/users/prebuilt-administrator-roles",
-    "https://support.google.com/a/answer/9011373"
+    "https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "If Access Checker suggests broader audiences or public visibility, users may **inadvertently widen access** to a file beyond the people they intended to share with. This is a common cause of unintentional internal or external over-sharing.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60781",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "When Drive for desktop is enabled, organizational files are **synchronized to local devices** and remain accessible if the device is lost, stolen, or compromised. Because Drive for desktop bypasses the central offline-access controls, this channel is a frequently overlooked path for sensitive data to leave organization-managed environments.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/7491144",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/set-up-drive-for-desktop-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Without external sharing warnings, users may unintentionally share **sensitive documents** with external recipients who are not entitled to the data. This is a common vector for inadvertent leakage of intellectual property, personally identifiable information, and confidential business data through routine Drive sharing.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60781",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "If external users can move files from internal shared drives into shared drives owned by another organization, the organization **loses authoritative control** over its own data. This is a frequently overlooked path for unintentional or malicious data exfiltration through shared drive collaboration.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60781",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "Allowing users to publish Drive files to the web creates a path for **unbounded data exposure**. Sensitive documents, intellectual property, customer data, or internal communications can be made publicly accessible — and indexed by search engines — with a single click, often unintentionally.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/60781",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "When users cannot create shared drives, they store collaborative content in their personal **My Drive** instead. When that user account is deleted, the data is also deleted, leading to **unintentional data loss** of organizationally significant information. Allowing shared drive creation makes data survivable across account lifecycle events.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/7212025",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://support.google.com/a/users/answer/7212025",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "When viewers and commenters can download, print, or copy shared drive files, they can **bulk-extract sensitive content** — including intellectual property, personally identifiable information, and confidential business documents — using nothing more than read access. This is one of the most direct paths to data exfiltration through Drive.",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/7662202",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-shared-drives-as-an-admin",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
@@ -13,8 +13,8 @@
  "Risk": "If shared drive managers can override organizational defaults, **unauthorized data exposure** can occur when a manager intentionally or accidentally weakens a shared drive's security posture (for example, allowing external members or enabling download for viewers).",
  "RelatedUrl": "",
  "AdditionalURLs": [
-    "https://support.google.com/a/answer/7662202",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+    "https://knowledge.workspace.google.com/admin/drive/manage-shared-drives-as-an-admin",
+    "https://docs.cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
  ],
  "Remediation": {
    "Code": {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Prowler Bot	19a1ac2744	chore(changelog): prepare for v5.29.3 (#11506 ) Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-06-09 08:18:24 +02:00
Prowler Bot	859fe1a29f	fix(gcp): honour org-aggregated sinks in metric-filter checks (#11501 ) Co-authored-by: Aline Almeida <aline@tuplita.ai> Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-06-08 16:58:05 +02:00
Prowler Bot	a0ee9107db	fix(api): create Neo4j driver lazily so an outage can't block API startup (#11498 ) Co-authored-by: Josema Camacho <josema@prowler.com>	2026-06-08 14:00:34 +02:00
Prowler Bot	d49ec58c02	fix(ui): preserve active tab styling with tooltips (#11495 ) Co-authored-by: Alejandro Bailo <59607668+alejandrobailo@users.noreply.github.com>	2026-06-08 12:24:52 +02:00
Prowler Bot	736f3f6f02	fix(jira): avoid 400 INVALID_INPUT on findings with empty field (#11477 ) Co-authored-by: Pedro Martín <pedromarting3@gmail.com>	2026-06-05 13:48:21 +02:00
Prowler Bot	7b8acf974a	fix(gcp): pass iam_service_account_unused for disabled service accounts (#11473 ) Co-authored-by: Aline Almeida <aline@tuplita.ai>	2026-06-05 12:12:54 +02:00
Prowler Bot	c6d8aa78dc	fix(gcp): honour org-level aggregated sinks in logging_sink_created check (#11462 ) Co-authored-by: Oleksandr_Sanin <alexaaander.sanin@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>	2026-06-04 12:18:57 +02:00
Prowler Bot	7c9f8971a5	chore(release): Bump versions to v5.29.3 (#11459 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-06-03 20:45:37 +02:00
Prowler Bot	21e7f29153	fix(ui): show delete user action only for the current user (#11458 ) Co-authored-by: Pedro Martín <pedromarting3@gmail.com> Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-06-03 17:12:55 +02:00
Prowler Bot	de51eed96c	fix(ui): refine add-provider wizard flow between scans and providers (#11457 ) Co-authored-by: Alejandro Bailo <59607668+alejandrobailo@users.noreply.github.com>	2026-06-03 16:30:18 +02:00
Prowler Bot	835dbddc6a	chore(release): Bump versions to v5.29.2 (#11446 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-06-03 10:52:45 +02:00
Prowler Bot	103761f146	perf(api): avoid N+1 query loading finding resource tags (#11426 ) Co-authored-by: Davidm4r <david.copo@gmail.com> Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-06-02 13:50:56 +02:00
Prowler Bot	0e6268e159	fix(api): clean up scan tmp output failure to avoid disk fill (#11423 ) Co-authored-by: Pedro Martín <pedromarting3@gmail.com> Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-06-02 11:58:04 +02:00
Prowler Bot	f48984e6a1	chore(release): Bump versions to v5.29.1 (#11417 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-06-01 18:35:25 +02:00
Prowler Bot	6df80a4890	chore(api): Update prowler dependency to v5.29 for release 5.29.0 (#11414 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-06-01 16:26:56 +02:00
Alejandro Bailo	a769e37615	fix(ui): restore scheduled scan column (#11411 )	2026-06-01 14:34:58 +02:00
Alejandro Bailo	9d2a8d9108	fix(ui): improve background glow contrast (#11409 )	2026-06-01 14:25:23 +02:00
Alejandro Bailo	e05519ff9f	fix(ui): refine scans tabs and provider launch flow (#11407 )	2026-06-01 12:34:11 +02:00
Pedro Martín	67b26072f8	docs(installation): add info about updating prowler (#11404 )	2026-06-01 11:15:07 +02:00
lydiavilchez	2222082631	fix(googleworkspace): update metadata urls to point to official documentation (#11405 )	2026-06-01 10:52:32 +02:00
Pepe Fagoaga	8b0cb4b981	chore: fix SDK changelog for v5.29 (#11392 )	2026-05-29 18:23:36 +02:00
Pepe Fagoaga	9422eff8ab	chore: changelog v5.29.0 (#11390 ) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-29 17:29:52 +02:00
Br1an	e3c4368d32	fix(azure): pass authority to credentials for sovereign clouds (#10284 ) Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>	2026-05-29 15:17:41 +02:00
OokaToru	2a641b39c8	chore(s3): deprecate `s3_bucket_default_encryption` check (#11230 ) Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-05-29 14:41:52 +02:00
Alejandro Bailo	02b713572b	test(ui): find scheduled scan e2e row in In Progress tab (#11385 )	2026-05-29 10:55:16 +02:00
Alejandro Bailo	74251350bc	feat(ui): add new scan jobs view (#11258 )	2026-05-28 19:20:39 +02:00
Pablo Fernandez Guerra (PFE)	8f745cdbe6	chore(ui): upgrade pnpm to 11 and harden supply-chain defaults (#11225 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>	2026-05-28 14:39:57 +02:00
Adrián Peña	81226cd837	perf(api): use literal scan_ids in finding-groups /latest aggregation (#11380 )	2026-05-28 13:46:15 +02:00
Johannes Engler	a2824f7166	feat(stackit): add new provider with 4 checks (#9237 ) Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Sergio Garcia <hello@mistercloudsec.com> Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>	2026-05-28 13:16:38 +02:00
Hugo Pereira Brito	edbbd86828	fix(openstack): move exception codes off the Alibaba Cloud range (#11382 )	2026-05-28 11:52:45 +02:00
lydiavilchez	c58dad2ca4	feat(googleworkspace): add rules service checks (#11379 ) Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-28 11:17:33 +02:00
lydiavilchez	b4befe3a10	feat(googleworkspace): add security service checks (#11356 ) Co-authored-by: pedrooot <pedromarting3@gmail.com> Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-05-28 10:15:10 +02:00
Alan Buscaglia	d98933c2e7	fix(ui): improve invitation error messages (#11376 )	2026-05-28 09:37:28 +02:00
Pedro Martín	03dfa3816d	docs: fix alerts/import-findings URLs and pricing note (#11378 )	2026-05-27 17:26:50 +02:00
Pablo Fernandez Guerra (PFE)	ad1261ce54	ci(docs): add markdownlint foundation (prek + CI) (#11210 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 16:42:01 +02:00