chore: update prowler package version in api

.env

@@ -10,23 +10,13 @@ NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
 NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
 AUTH_TRUST_HOST=true
 UI_PORT=3000
+# Temp URL for feeds need to use actual
+RSS_FEED_URL=https://prowler.com/blog/rss
 # openssl rand -base64 32
 AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
 # Google Tag Manager ID
 NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""
 
-#### MCP Server ####
-PROWLER_MCP_VERSION=stable
-# For UI and MCP running on docker:
-PROWLER_MCP_SERVER_URL=http://mcp-server:8000/mcp
-# For UI running on host, MCP in docker:
-# PROWLER_MCP_SERVER_URL=http://localhost:8000/mcp
-
-#### Code Review Configuration ####
-# Enable Claude Code standards validation on pre-push hook
-# Set to 'true' to validate changes against AGENTS.md standards via Claude Code
-# Set to 'false' to skip validation
-CODE_REVIEW_ENABLED=true
 
 #### Prowler API Configuration ####
 PROWLER_API_VERSION="stable"
@@ -115,11 +105,9 @@ DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
 # Sentry settings
 SENTRY_ENVIRONMENT=local
 SENTRY_RELEASE=local
-NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
-
 
 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.12.2
 
 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -138,12 +126,3 @@ LANGSMITH_TRACING=false
 LANGSMITH_ENDPOINT="https://api.smith.langchain.com"
 LANGSMITH_API_KEY=""
 LANGCHAIN_PROJECT=""
-
-# RSS Feed Configuration
-# Multiple feed sources can be configured as a JSON array (must be valid JSON, no trailing commas)
-# Each source requires: id, name, type (github_releases|blog|custom), url, and enabled flag
-# IMPORTANT: Must be a single line with valid JSON (no newlines, no trailing commas)
-# Example with one source:
-RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true}]'
-# Example with multiple sources (no trailing comma after last item):
-# RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true},{"id":"prowler-blog","name":"Prowler Blog","type":"blog","url":"https://prowler.com/blog/rss","enabled":false}]'

.github/actions/slack-notification/action.yml

@@ -12,7 +12,7 @@ inputs:
     required: false
     default: ''
   step-outcome:
-    description: 'Outcome of a step to determine status (success/failure) - automatically sets STATUS_TEXT and STATUS_COLOR env vars'
+    description: 'Outcome of a step to determine status (success/failure) - automatically sets STATUS_EMOJI, STATUS_TEXT, and STATUS_COLOR env vars'
     required: false
     default: ''
 outputs:
@@ -27,14 +27,16 @@ runs:
       shell: bash
       run: |
         if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
-          echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
+          echo "STATUS_EMOJI=[✓]" >> $GITHUB_ENV
+          echo "STATUS_TEXT=succeeded" >> $GITHUB_ENV
+          echo "STATUS_COLOR=6aa84f" >> $GITHUB_ENV
         elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
-          echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
+          echo "STATUS_EMOJI=[✗]" >> $GITHUB_ENV
+          echo "STATUS_TEXT=failed" >> $GITHUB_ENV
+          echo "STATUS_COLOR=fc3434" >> $GITHUB_ENV
         else
           # No outcome provided - pending/in progress state
-          echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
+          echo "STATUS_COLOR=dbab09" >> $GITHUB_ENV
         fi
 
     - name: Send Slack notification (new message)

.github/actions/trivy-scan/action.yml

@@ -87,7 +87,7 @@ runs:
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: always()
       with:
-        name: trivy-scan-report-${{ inputs.image-name }}-${{ inputs.image-tag }}
+        name: trivy-scan-report-${{ inputs.image-name }}
         path: trivy-report.json
         retention-days: ${{ inputs.artifact-retention-days }}
 

.github/labeler.yml

@@ -46,11 +46,6 @@ provider/oci:
   - changed-files:
       - any-glob-to-any-file: "prowler/providers/oraclecloud/**"
       - any-glob-to-any-file: "tests/providers/oraclecloud/**"
-      
-provider/alibabacloud:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/alibabacloud/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/**"
 
 github_actions:
   - changed-files:
@@ -74,8 +69,6 @@ mutelist:
       - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
       - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
       - any-glob-to-any-file: "tests/providers/mongodbatlas/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/oci/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/lib/mutelist/**"
 
 integration/s3:
   - changed-files:

.github/pull_request_template.md

@@ -22,13 +22,6 @@ Please add a detailed description of how to review this PR.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.
 
-#### UI
-- [ ] All issue/task requirements work as expected on the UI
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
-- [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.
-
 #### API
 - [ ] Verify if API specs need to be regenerated.
 - [ ] Check if version updates are required (e.g., specs, Poetry, etc.).

.github/scripts/slack-messages/container-release-completed.json

@@ -1,18 +1,4 @@
 {
   "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "ts": "${{ env.MESSAGE_TS }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\n${{ env.STATUS_TEXT }}\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push ${{ env.STATUS_TEXT }}\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
+  "text": "${{ env.STATUS_EMOJI }} ${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push ${{ env.STATUS_TEXT }} <${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
 }

.github/scripts/slack-messages/container-release-started.json

@@ -1,17 +1,4 @@
 {
   "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\nStarted\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push started...\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
+  "text": "${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push started... <${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
 }

.github/workflows/api-bump-version.yml

@@ -1,254 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/api-code-quality.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-code-quality.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-code-quality.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,15 +39,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for API changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: |
-            api/**
-            .github/workflows/api-code-quality.yml
           files_ignore: |
             api/docs/**
             api/README.md

.github/workflows/api-codeql.yml

@@ -42,15 +42,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/api-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/api-container-build-push.yml

@@ -7,16 +7,10 @@ on:
     paths:
       - 'api/**'
       - 'prowler/**'
-      - '.github/workflows/api-container-build-push.yml'
+      - '.github/workflows/api-build-lint-push-containers.yml'
   release:
     types:
       - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
 
 permissions:
   contents: read
@@ -28,7 +22,7 @@ concurrency:
 env:
   # Tags
   LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
   STABLE_TAG: stable
   WORKING_DIRECTORY: ./api
 
@@ -48,19 +42,41 @@ jobs:
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
     needs: setup
     runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push API container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push started
-        id: slack-notification
+        if: github.event_name == 'release'
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
@@ -73,119 +89,24 @@ jobs:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
 
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push API container for ${{ matrix.arch }}
+      - name: Build and push API container (release)
+        if: github.event_name == 'release'
         id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
-          platforms: ${{ matrix.platform }}
           tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push completed
+        if: github.event_name == 'release' && always()
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
           COMPONENT: API
           RELEASE_TAG: ${{ env.RELEASE_TAG }}
           GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -194,12 +115,11 @@ jobs:
         with:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}
 
   trigger-deployment:
+    if: github.event_name == 'push'
     needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
@@ -207,7 +127,7 @@ jobs:
 
     steps:
       - name: Trigger API deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.CLOUD_DISPATCH }}

.github/workflows/api-container-checks.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,7 +26,6 @@ env:
 
 jobs:
   api-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
@@ -28,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -44,17 +49,7 @@ jobs:
           ignore: DL3013
 
   api-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -63,13 +58,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for API changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: api/**
           files_ignore: |
             api/docs/**
             api/README.md
@@ -79,23 +73,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Build container for ${{ matrix.arch }}
+      - name: Build container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.API_WORKING_DIR }}
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Scan container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'

.github/workflows/api-security.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-security.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-security.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -33,15 +39,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for API changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: |
-            api/**
-            .github/workflows/api-security.yml
           files_ignore: |
             api/docs/**
             api/README.md

.github/workflows/api-tests.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -73,15 +79,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for API changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: |
-            api/**
-            .github/workflows/api-tests.yml
           files_ignore: |
             api/docs/**
             api/README.md

.github/workflows/backport.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Backport PR
         if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
+        uses: sorenlouv/backport-github-action@ad888e978060bc1b2798690dd9d03c4036560947 # v9.5.1
         with:
           github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}

.github/workflows/comment-label-update.yml

@@ -1,39 +0,0 @@
-name: 'Tools: Comment Label Update'
-
-on:
-  issue_comment:
-    types:
-      - 'created'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-jobs:
-  update-labels:
-    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-      pull-requests: write
-
-    steps:
-      - name: Remove 'status/awaiting-response' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Removing 'status/awaiting-response' label from #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels/status%2Fawaiting-response \
-            -X DELETE
-
-      - name: Add 'status/waiting-for-revision' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Adding 'status/waiting-for-revision' label to #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels \
-            -X POST \
-            -f labels[]='status/waiting-for-revision'

.github/workflows/conventional-commit.yml

@@ -26,6 +26,6 @@ jobs:
 
     steps:
       - name: Check PR title format
-        uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
+        uses: agenthunt/conventional-commit-checker-action@9e552d650d0e205553ec7792d447929fc78e012b # v2.0.0
         with:
           pr-title-regex: '^(feat|fix|docs|style|refactor|perf|test|chore|build|ci|revert)(\([^)]+\))?!?: .+'

.github/workflows/docs-bump-version.yml

@@ -1,247 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in documentation for master
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/find-secrets.yml

@@ -23,11 +23,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Scan for secrets with TruffleHog
-        uses: trufflesecurity/trufflehog@aade3bff5594fe8808578dd4db3dfeae9bf2abdc # v3.91.1
+        uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 # v3.90.11
         with:
           extra_args: '--results=verified,unknown'

.github/workflows/labeler-community.yml

@@ -0,0 +1,43 @@
+name: Community PR labelling
+
+on:
+  # We need "write" permissions on the PR to be able to add a label.
+  pull_request_target: # We need this to have labelling permissions. There are no user inputs here, so we should be fine.
+    types:
+      - opened
+
+permissions: {}
+
+jobs:
+  label-if-community:
+    name: Add 'community' label if the PR is from a community contributor
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Check if author is org member
+        id: check_membership
+        env:
+          GH_TOKEN: ${{ github.token }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          ORG: ${{ github.repository_owner }}
+        run: |
+          echo "Checking if $AUTHOR is a member of $ORG"
+          if gh api --method GET "orgs/$ORG/members/$AUTHOR" >/dev/null 2>&1; then
+            echo "is_member=true" >> $GITHUB_OUTPUT
+            echo "$AUTHOR is an organization member"
+          else
+            echo "is_member=false" >> $GITHUB_OUTPUT
+            echo "$AUTHOR is not an organization member"
+          fi
+
+      - name: Add community label
+        if: steps.check_membership.outputs.is_member == 'false'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Adding 'community' label to PR #$PR_NUMBER"
+          gh pr edit "$PR_NUMBER" --add-label community

.github/workflows/labeler.yml

@@ -27,66 +27,3 @@ jobs:
         uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           sync-labels: true
-
-  label-community:
-    name: Add 'community' label if the PR is from a community contributor
-    needs: labeler
-    if: github.repository == 'prowler-cloud/prowler' && github.event.action == 'opened'
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Check if author is org member
-        id: check_membership
-        env:
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-        run: |
-          # Hardcoded list of prowler-cloud organization members
-          # This list includes members who have set their organization membership as private
-          ORG_MEMBERS=(
-            "AdriiiPRodri"
-            "Alan-TheGentleman"
-            "alejandrobailo"
-            "amitsharm"
-            "andoniaf"
-            "cesararroba"
-            "Chan9390"
-            "danibarranqueroo"
-            "HugoPBrito"
-            "jfagoagas"
-            "josemazo"
-            "lydiavilchez"
-            "mmuller88"
-            "MrCloudSec"
-            "pedrooot"
-            "prowler-bot"
-            "puchy22"
-            "rakan-pro"
-            "RosaRivasProwler"
-            "StylusFrost"
-            "toniblyx"
-            "vicferpoy"
-          )
-
-          echo "Checking if $AUTHOR is a member of prowler-cloud organization"
-
-          # Check if author is in the org members list
-          if printf '%s\n' "${ORG_MEMBERS[@]}" | grep -q "^${AUTHOR}$"; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is an organization member"
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is not an organization member"
-          fi
-
-      - name: Add community label
-        if: steps.check_membership.outputs.is_member == 'false'
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          echo "Adding 'community' label to PR #$PR_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/${{ github.event.number }}/labels \
-            -X POST \
-            -f labels[]='community'

.github/workflows/mcp-container-build-push.yml

@@ -10,12 +10,6 @@ on:
   release:
     types:
       - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
 
 permissions:
   contents: read
@@ -27,7 +21,7 @@ concurrency:
 env:
   # Tags
   LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
   STABLE_TAG: stable
   WORKING_DIRECTORY: ./mcp_server
 
@@ -47,19 +41,47 @@ jobs:
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
     needs: setup
     runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push MCP container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          labels: |
+            org.opencontainers.image.title=Prowler MCP Server
+            org.opencontainers.image.description=Model Context Protocol server for Prowler
+            org.opencontainers.image.vendor=ProwlerPro, Inc.
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push started
-        id: slack-notification
+        if: github.event_name == 'release'
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
@@ -72,126 +94,32 @@ jobs:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
 
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push MCP container for ${{ matrix.arch }}
+      - name: Build and push MCP container (release)
+        if: github.event_name == 'release'
         id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
-          platforms: ${{ matrix.platform }}
           tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
           labels: |
             org.opencontainers.image.title=Prowler MCP Server
             org.opencontainers.image.description=Model Context Protocol server for Prowler
             org.opencontainers.image.vendor=ProwlerPro, Inc.
+            org.opencontainers.image.version=${{ env.RELEASE_TAG }}
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
-            ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
+            org.opencontainers.image.created=${{ github.event.release.published_at }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push completed
+        if: github.event_name == 'release' && always()
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
           COMPONENT: MCP
           RELEASE_TAG: ${{ env.RELEASE_TAG }}
           GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -200,12 +128,11 @@ jobs:
         with:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}
 
   trigger-deployment:
+    if: github.event_name == 'push'
     needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
@@ -213,7 +140,7 @@ jobs:
 
     steps:
       - name: Trigger MCP deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.CLOUD_DISPATCH }}

.github/workflows/mcp-container-checks.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'mcp_server/**'
+      - '.github/workflows/mcp-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'mcp_server/**'
+      - '.github/workflows/mcp-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,7 +26,6 @@ env:
 
 jobs:
   mcp-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
@@ -28,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -43,17 +48,7 @@ jobs:
           dockerfile: mcp_server/Dockerfile
 
   mcp-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -62,13 +57,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for MCP changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: mcp_server/**
           files_ignore: |
             mcp_server/README.md
             mcp_server/CHANGELOG.md
@@ -77,23 +71,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Build MCP container for ${{ matrix.arch }}
+      - name: Build MCP container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.MCP_WORKING_DIR }}
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan MCP container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'

.github/workflows/mcp-pypi-release.yml

@@ -1,81 +0,0 @@
-name: "MCP: PyPI Release"
-
-on:
-  release:
-    types:
-      - "published"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: "3.12"
-  WORKING_DIRECTORY: ./mcp_server
-
-jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
-    steps:
-      - name: Parse and validate version
-        id: parse-version
-        run: |
-          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version (only Prowler 3, 4, 5 supported)
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler MCP for tag ${PROWLER_VERSION}"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
-              exit 1
-              ;;
-          esac
-
-  publish-prowler-mcp:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-mcp
-      url: https://pypi.org/project/prowler-mcp/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Build prowler-mcp package
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-        run: uv build
-
-      - name: Publish prowler-mcp package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
-          print-hash: true

.github/workflows/pr-check-changelog.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -83,7 +83,7 @@ jobs:
 
       - name: Update PR comment with changelog status
         if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-id: ${{ steps.find-comment.outputs.comment-id }}

.github/workflows/pr-conflict-checker.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout PR head
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -97,7 +97,7 @@ jobs:
           body-includes: '<!-- conflict-checker-comment -->'
 
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/pr-merged.yml

@@ -13,10 +13,7 @@ concurrency:
 
 jobs:
   trigger-cloud-pull-request:
-    if: |
-      github.event.pull_request.merged == true &&
-      github.repository == 'prowler-cloud/prowler' &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-sync')
+    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions:
@@ -29,7 +26,7 @@ jobs:
           echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV
 
       - name: Trigger Cloud repository pull request
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.CLOUD_DISPATCH }}

.github/workflows/prepare-release.yml

@@ -27,13 +27,13 @@ jobs:
       pull-requests: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: '3.12'
 
@@ -47,7 +47,7 @@ jobs:
         git config --global user.name 'prowler-bot'
         git config --global user.email '179230569+prowler-bot@users.noreply.github.com'
 
-    - name: Parse version and determine branch
+    - name: Parse version and read changelogs
       run: |
         # Validate version format (reusing pattern from sdk-bump-version.yml)
         if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
@@ -64,80 +64,66 @@ jobs:
           BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
           echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"
 
+          # Function to extract the latest version from changelog
+          extract_latest_version() {
+            local changelog_file="$1"
+            if [ -f "$changelog_file" ]; then
+              # Extract the first version entry (most recent) from changelog
+              # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
+              local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
+              echo "$version"
+            else
+              echo ""
+            fi
+          }
+
+          # Read actual versions from changelogs (source of truth)
+          UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
+          API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
+          SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
+          MCP_VERSION=$(extract_latest_version "mcp_server/CHANGELOG.md")
+
+          echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+          echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+          echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
+          echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
+
+          if [ -n "$UI_VERSION" ]; then
+            echo "Read UI version from changelog: $UI_VERSION"
+          else
+            echo "Warning: No UI version found in ui/CHANGELOG.md"
+          fi
+
+          if [ -n "$API_VERSION" ]; then
+            echo "Read API version from changelog: $API_VERSION"
+          else
+            echo "Warning: No API version found in api/CHANGELOG.md"
+          fi
+
+          if [ -n "$SDK_VERSION" ]; then
+            echo "Read SDK version from changelog: $SDK_VERSION"
+          else
+            echo "Warning: No SDK version found in prowler/CHANGELOG.md"
+          fi
+
+          if [ -n "$MCP_VERSION" ]; then
+            echo "Read MCP version from changelog: $MCP_VERSION"
+          else
+            echo "Warning: No MCP version found in mcp_server/CHANGELOG.md"
+          fi
+
           echo "Prowler version: $PROWLER_VERSION"
           echo "Branch name: $BRANCH_NAME"
+          echo "UI version: $UI_VERSION"
+          echo "API version: $API_VERSION"
+          echo "SDK version: $SDK_VERSION"
+          echo "MCP version: $MCP_VERSION"
           echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
         else
           echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
           exit 1
         fi
 
-    - name: Checkout release branch
-      run: |
-        echo "Checking out branch $BRANCH_NAME for release $PROWLER_VERSION..."
-        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists locally, checking out..."
-          git checkout "$BRANCH_NAME"
-        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists remotely, checking out..."
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-        else
-          echo "ERROR: Branch $BRANCH_NAME does not exist. For minor releases (X.Y.0), create it manually first. For patch releases (X.Y.Z), the branch should already exist."
-          exit 1
-        fi
-
-    - name: Read changelog versions from release branch
-      run: |
-        # Function to extract the version for a specific Prowler release from changelog
-        # This looks for entries with "(Prowler X.Y.Z)" to find the released version
-        extract_version_for_release() {
-          local changelog_file="$1"
-          local prowler_version="$2"
-          if [ -f "$changelog_file" ]; then
-            # Extract version that matches this Prowler release
-            # Format: ## [version] (Prowler X.Y.Z) or ## [vversion] (Prowler vX.Y.Z)
-            local version=$(grep '^## \[' "$changelog_file" | grep "(Prowler v\?${prowler_version})" | head -1 | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
-            echo "$version"
-          else
-            echo ""
-          fi
-        }
-
-        # Read versions from changelogs for this specific Prowler release
-        SDK_VERSION=$(extract_version_for_release "prowler/CHANGELOG.md" "$PROWLER_VERSION")
-        API_VERSION=$(extract_version_for_release "api/CHANGELOG.md" "$PROWLER_VERSION")
-        UI_VERSION=$(extract_version_for_release "ui/CHANGELOG.md" "$PROWLER_VERSION")
-        MCP_VERSION=$(extract_version_for_release "mcp_server/CHANGELOG.md" "$PROWLER_VERSION")
-
-        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
-        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
-        echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
-        echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
-
-        if [ -n "$SDK_VERSION" ]; then
-          echo "✓ SDK version for Prowler $PROWLER_VERSION: $SDK_VERSION"
-        else
-          echo "ℹ No SDK version found for Prowler $PROWLER_VERSION in prowler/CHANGELOG.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "✓ API version for Prowler $PROWLER_VERSION: $API_VERSION"
-        else
-          echo "ℹ No API version found for Prowler $PROWLER_VERSION in api/CHANGELOG.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
-          echo "✓ UI version for Prowler $PROWLER_VERSION: $UI_VERSION"
-        else
-          echo "ℹ No UI version found for Prowler $PROWLER_VERSION in ui/CHANGELOG.md"
-        fi
-
-        if [ -n "$MCP_VERSION" ]; then
-          echo "✓ MCP version for Prowler $PROWLER_VERSION: $MCP_VERSION"
-        else
-          echo "ℹ No MCP version found for Prowler $PROWLER_VERSION in mcp_server/CHANGELOG.md"
-        fi
-
     - name: Extract and combine changelog entries
       run: |
         set -e
@@ -163,54 +149,70 @@ jobs:
 
           # Remove --- separators
           sed -i '/^---$/d' "$output_file"
+
+          # Remove only trailing empty lines (not all empty lines)
+          sed -i -e :a -e '/^\s*$/d;N;ba' "$output_file"
         }
 
+        # Calculate expected versions for this release
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          EXPECTED_UI_VERSION="1.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+          EXPECTED_API_VERSION="1.$((${BASH_REMATCH[2]} + 1)).${BASH_REMATCH[3]}"
+
+          echo "Expected UI version for this release: $EXPECTED_UI_VERSION"
+          echo "Expected API version for this release: $EXPECTED_API_VERSION"
+        fi
+
         # Determine if components have changes for this specific release
-        if [ -n "$SDK_VERSION" ]; then
-          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="true"
-          echo "✓ SDK changes detected - version: $SDK_VERSION"
-          extract_changelog "prowler/CHANGELOG.md" "$SDK_VERSION" "prowler_changelog.md"
-        else
-          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="false"
-          echo "ℹ No SDK changes for this release"
-          touch "prowler_changelog.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
-          HAS_API_CHANGES="true"
-          echo "✓ API changes detected - version: $API_VERSION"
-          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
-        else
-          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
-          HAS_API_CHANGES="false"
-          echo "ℹ No API changes for this release"
-          touch "api_changelog.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
+        # UI has changes if its current version matches what we expect for this release
+        if [ -n "$UI_VERSION" ] && [ "$UI_VERSION" = "$EXPECTED_UI_VERSION" ]; then
           echo "HAS_UI_CHANGES=true" >> $GITHUB_ENV
-          HAS_UI_CHANGES="true"
-          echo "✓ UI changes detected - version: $UI_VERSION"
+          echo "✓ UI changes detected - version matches expected: $UI_VERSION"
           extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
         else
           echo "HAS_UI_CHANGES=false" >> $GITHUB_ENV
-          HAS_UI_CHANGES="false"
-          echo "ℹ No UI changes for this release"
+          echo "ℹ No UI changes for this release (current: $UI_VERSION, expected: $EXPECTED_UI_VERSION)"
           touch "ui_changelog.md"
         fi
 
-        if [ -n "$MCP_VERSION" ]; then
-          echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="true"
-          echo "✓ MCP changes detected - version: $MCP_VERSION"
-          extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+        # API has changes if its current version matches what we expect for this release
+        if [ -n "$API_VERSION" ] && [ "$API_VERSION" = "$EXPECTED_API_VERSION" ]; then
+          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ API changes detected - version matches expected: $API_VERSION"
+          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
+        else
+          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No API changes for this release (current: $API_VERSION, expected: $EXPECTED_API_VERSION)"
+          touch "api_changelog.md"
+        fi
+
+        # SDK has changes if its current version matches the input version
+        if [ -n "$SDK_VERSION" ] && [ "$SDK_VERSION" = "$PROWLER_VERSION" ]; then
+          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ SDK changes detected - version matches input: $SDK_VERSION"
+          extract_changelog "prowler/CHANGELOG.md" "$PROWLER_VERSION" "prowler_changelog.md"
+        else
+          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No SDK changes for this release (current: $SDK_VERSION, input: $PROWLER_VERSION)"
+          touch "prowler_changelog.md"
+        fi
+
+        # MCP has changes if the changelog references this Prowler version
+        # Check if the changelog contains "(Prowler X.Y.Z)" or "(Prowler UNRELEASED)"
+        if [ -f "mcp_server/CHANGELOG.md" ]; then
+          MCP_PROWLER_REF=$(grep -m 1 "^## \[.*\] (Prowler" mcp_server/CHANGELOG.md | sed -E 's/.*\(Prowler ([^)]+)\).*/\1/' | tr -d '[:space:]')
+          if [ "$MCP_PROWLER_REF" = "$PROWLER_VERSION" ] || [ "$MCP_PROWLER_REF" = "UNRELEASED" ]; then
+            echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
+            echo "✓ MCP changes detected - Prowler reference: $MCP_PROWLER_REF (version: $MCP_VERSION)"
+            extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+          else
+            echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
+            echo "ℹ No MCP changes for this release (Prowler reference: $MCP_PROWLER_REF, input: $PROWLER_VERSION)"
+            touch "mcp_changelog.md"
+          fi
         else
           echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="false"
-          echo "ℹ No MCP changes for this release"
+          echo "ℹ No MCP changelog found"
           touch "mcp_changelog.md"
         fi
 
@@ -253,6 +255,21 @@ jobs:
         echo "Combined changelog preview:"
         cat combined_changelog.md
 
+    - name: Checkout release branch for patch release
+      if: ${{ env.PATCH_VERSION != '0' }}
+      run: |
+        echo "Patch release detected, checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists locally, checking out..."
+          git checkout "$BRANCH_NAME"
+        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for patch release $PROWLER_VERSION"
+          exit 1
+        fi
+
     - name: Verify SDK version in pyproject.toml
       run: |
         CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
@@ -306,16 +323,17 @@ jobs:
         fi
         echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
 
-    - name: Verify API version in api/src/backend/api/specs/v1.yaml
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
+    - name: Checkout release branch for minor release
+      if: ${{ env.PATCH_VERSION == '0' }}
       run: |
-        CURRENT_API_VERSION=$(grep '^  version: ' api/src/backend/api/specs/v1.yaml | sed -E 's/  version: ([0-9]+\.[0-9]+\.[0-9]+)/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in api/src/backend/api/specs/v1.yaml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+        echo "Minor release detected (patch = 0), checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for minor release $PROWLER_VERSION. Please create it manually first."
           exit 1
         fi
-        echo "✓ api/src/backend/api/specs/v1.yaml version: $CURRENT_API_VERSION"
 
     - name: Update API prowler dependency for minor release
       if: ${{ env.PATCH_VERSION == '0' }}
@@ -374,7 +392,7 @@ jobs:
           no-changelog
 
     - name: Create draft release
-      uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+      uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
       with:
         tag_name: ${{ env.PROWLER_VERSION }}
         name: Prowler ${{ env.PROWLER_VERSION }}

.github/workflows/sdk-bump-version.yml

@@ -67,7 +67,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Calculate next minor version
         run: |
@@ -86,6 +86,7 @@ jobs:
 
           sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
           sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
@@ -99,7 +100,7 @@ jobs:
           commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
           branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
           title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
           body: |
             ### Description
 
@@ -110,7 +111,7 @@ jobs:
             By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
 
       - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
 
@@ -134,6 +135,7 @@ jobs:
 
           sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
           sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
@@ -147,7 +149,7 @@ jobs:
           commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
           branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
           title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
           body: |
             ### Description
 
@@ -167,7 +169,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Calculate next patch version
         run: |
@@ -191,6 +193,7 @@ jobs:
 
           sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
           sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
@@ -204,7 +207,7 @@ jobs:
           commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
           branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
           title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
           body: |
             ### Description
 

.github/workflows/sdk-code-quality.yml

@@ -5,10 +5,22 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-code-quality.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-code-quality.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -31,15 +43,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for SDK changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: ./**
           files_ignore: |
-            .github/**
             prowler/CHANGELOG.md
             docs/**
             permissions/**
@@ -62,7 +72,7 @@ jobs:
 
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'poetry'

.github/workflows/sdk-codeql.yml

@@ -49,15 +49,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/sdk-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/sdk-container-build-push.yml

@@ -16,12 +16,6 @@ on:
   release:
     types:
       - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
 
 permissions:
   contents: read
@@ -50,21 +44,25 @@ env:
   AWS_REGION: us-east-1
 
 jobs:
-  setup:
+  container-build-push:
     if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 45
+    permissions:
+      contents: read
+      packages: write
     outputs:
       prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
       prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
-      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
-      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: 'false'
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -78,26 +76,28 @@ jobs:
         run: |
           PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
           echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
 
           # Extract major version
           PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
           echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
 
           # Set version-specific tags
           case ${PROWLER_VERSION_MAJOR} in
             3)
-              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
               echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
               ;;
             4)
-              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
               echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
               ;;
             5)
-              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
               echo "✓ Prowler v5 detected - tags: latest, stable"
               ;;
             *)
@@ -106,24 +106,45 @@ jobs:
               ;;
           esac
 
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push SDK container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push started
-        id: slack-notification
+        if: github.event_name == 'release'
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
           COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
           GITHUB_SERVER_URL: ${{ github.server_url }}
           GITHUB_REPOSITORY: ${{ github.repository }}
           GITHUB_RUN_ID: ${{ github.run_id }}
@@ -131,157 +152,42 @@ jobs:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
 
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 45
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push SDK container for ${{ matrix.arch }}
+      - name: Build and push SDK container (release)
+        if: github.event_name == 'release'
         id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ${{ env.DOCKERFILE_PATH }}
           push: true
-          platforms: ${{ matrix.platform }}
           tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push completed
+        if: github.event_name == 'release' && always()
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
           COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
           GITHUB_SERVER_URL: ${{ github.server_url }}
           GITHUB_REPOSITORY: ${{ github.repository }}
           GITHUB_RUN_ID: ${{ github.run_id }}
         with:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}
 
   dispatch-v3-deployment:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    if: needs.container-build-push.outputs.prowler_version_major == '3'
+    needs: container-build-push
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
@@ -294,7 +200,7 @@ jobs:
 
       - name: Dispatch v3 deployment (latest)
         if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
@@ -303,9 +209,9 @@ jobs:
 
       - name: Dispatch v3 deployment (release)
         if: github.event_name == 'release'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
           event-type: dispatch
-          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'
+          client-payload: '{"version":"release","tag":"${{ needs.container-build-push.outputs.prowler_version }}"}'

.github/workflows/sdk-container-checks.yml

@@ -5,10 +5,20 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'Dockerfile'
+      - '.github/workflows/sdk-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'Dockerfile'
+      - '.github/workflows/sdk-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -27,7 +37,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -44,16 +54,7 @@ jobs:
 
   sdk-container-build-and-scan:
     if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -62,15 +63,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for SDK changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: ./**
           files_ignore: |
-            .github/**
             prowler/CHANGELOG.md
             docs/**
             permissions/**
@@ -91,23 +90,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Build SDK container for ${{ matrix.arch }}
+      - name: Build SDK container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
+      - name: Scan SDK container with Trivy
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'

.github/workflows/sdk-pypi-release.yml

@@ -59,13 +59,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Poetry
         run: pipx install poetry==2.1.1
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'poetry'
@@ -91,13 +91,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Poetry
         run: pipx install poetry==2.1.1
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'poetry'

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -25,12 +25,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: 'master'
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip'
@@ -39,7 +39,7 @@ jobs:
         run: pip install boto3
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}

.github/workflows/sdk-security.yml

@@ -5,10 +5,22 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-security.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-security.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,15 +36,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for SDK changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: ./**
           files_ignore: |
-            .github/**
             prowler/CHANGELOG.md
             docs/**
             permissions/**
@@ -55,7 +65,7 @@ jobs:
 
       - name: Set up Python 3.12
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.12'
           cache: 'poetry'

.github/workflows/sdk-tests.yml

@@ -5,10 +5,22 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -31,15 +43,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for SDK changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: ./**
           files_ignore: |
-            .github/**
             prowler/CHANGELOG.md
             docs/**
             permissions/**
@@ -62,7 +72,7 @@ jobs:
 
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'poetry'
@@ -82,110 +92,9 @@ jobs:
             ./tests/**/aws/**
             ./poetry.lock
 
-      - name: Resolve AWS services under test
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        id: aws-services
-        shell: bash
-        run: |
-          python3 <<'PY'
-          import os
-          from pathlib import Path
-
-          dependents = {
-              "acm": ["elb"],
-              "autoscaling": ["dynamodb"],
-              "awslambda": ["ec2", "inspector2"],
-              "backup": ["dynamodb", "ec2", "rds"],
-              "cloudfront": ["shield"],
-              "cloudtrail": ["awslambda", "cloudwatch"],
-              "cloudwatch": ["bedrock"],
-              "ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "rds", "redshift", "route53", "shield", "ssm"],
-              "ecr": ["inspector2"],
-              "elb": ["shield"],
-              "elbv2": ["shield"],
-              "globalaccelerator": ["shield"],
-              "iam": ["bedrock", "cloudtrail", "cloudwatch", "codebuild"],
-              "kafka": ["firehose"],
-              "kinesis": ["firehose"],
-              "kms": ["kafka"],
-              "organizations": ["iam", "servicecatalog"],
-              "route53": ["shield"],
-              "s3": ["bedrock", "cloudfront", "cloudtrail", "macie"],
-              "ssm": ["ec2"],
-              "vpc": ["awslambda", "ec2", "efs", "elasticache", "neptune", "networkfirewall", "rds", "redshift", "workspaces"],
-              "waf": ["elbv2"],
-              "wafv2": ["cognito", "elbv2"],
-          }
-
-          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
-          # all_changed_files is space-separated, not newline-separated
-          # Strip leading "./" if present for consistent path handling
-          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
-
-          services = set()
-          run_all = False
-
-          for path in changed_files:
-              path_str = path.as_posix()
-              parts = path.parts
-              if path_str.startswith("prowler/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("tests/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("prowler/providers/aws/") or path_str.startswith("tests/providers/aws/"):
-                  run_all = True
-
-          # Expand with direct dependent services (one level only)
-          # We only test services that directly depend on the changed services,
-          # not transitive dependencies (services that depend on dependents)
-          original_services = set(services)
-          for svc in original_services:
-              for dep in dependents.get(svc, []):
-                  services.add(dep)
-
-          if run_all or not services:
-              run_all = True
-              services = set()
-
-          service_paths = " ".join(sorted(f"tests/providers/aws/services/{svc}" for svc in services))
-
-          output_lines = [
-              f"run_all={'true' if run_all else 'false'}",
-              f"services={' '.join(sorted(services))}",
-              f"service_paths={service_paths}",
-          ]
-
-          with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
-              for line in output_lines:
-                  gh_out.write(line + "\n")
-
-          print(f"AWS changed files (filtered): {changed_raw or 'none'}")
-          print(f"Run all AWS tests: {run_all}")
-          if services:
-              print(f"AWS service test paths: {service_paths}")
-          else:
-              print("AWS service test paths: none detected")
-          PY
-
       - name: Run AWS tests
         if: steps.changed-aws.outputs.any_changed == 'true'
-        run: |
-          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
-          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"
-
-          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
-            echo "No AWS service paths detected; skipping AWS tests."
-          else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
-          fi
+        run: poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
 
       - name: Upload AWS coverage to Codecov
         if: steps.changed-aws.outputs.any_changed == 'true'

.github/workflows/ui-bump-version.yml

@@ -1,221 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/ui-codeql.yml

@@ -45,15 +45,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/ui-codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/ui-container-build-push.yml

@@ -10,12 +10,6 @@ on:
   release:
     types:
       - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
 
 permissions:
   contents: read
@@ -27,7 +21,7 @@ concurrency:
 env:
   # Tags
   LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
   STABLE_TAG: stable
   WORKING_DIRECTORY: ./ui
 
@@ -50,19 +44,44 @@ jobs:
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
     needs: setup
     runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push UI container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ needs.setup.outputs.short-sha }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push started
-        id: slack-notification
+        if: github.event_name == 'release'
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
@@ -75,122 +94,27 @@ jobs:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
 
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push UI container for ${{ matrix.arch }}
+      - name: Build and push UI container (release)
+        if: github.event_name == 'release'
         id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ (github.event_name == 'release' || github.event_name == 'workflow_dispatch') && format('v{0}', env.RELEASE_TAG) || needs.setup.outputs.short-sha }}
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
             NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
           push: true
-          platforms: ${{ matrix.platform }}
           tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Notify container push completed
+        if: github.event_name == 'release' && always()
         uses: ./.github/actions/slack-notification
         env:
           SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
           COMPONENT: UI
           RELEASE_TAG: ${{ env.RELEASE_TAG }}
           GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -199,12 +123,11 @@ jobs:
         with:
           slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}
 
   trigger-deployment:
+    if: github.event_name == 'push'
     needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
@@ -212,7 +135,7 @@ jobs:
 
     steps:
       - name: Trigger UI deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
         with:
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           repository: ${{ secrets.CLOUD_DISPATCH }}

.github/workflows/ui-container-checks.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,7 +26,6 @@ env:
 
 jobs:
   ui-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions:
@@ -28,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -44,17 +49,7 @@ jobs:
           ignore: DL3018
 
   ui-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -63,13 +58,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for UI changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: ui/**
           files_ignore: |
             ui/CHANGELOG.md
             ui/README.md
@@ -78,7 +72,7 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Build UI container for ${{ matrix.arch }}
+      - name: Build UI container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
@@ -86,18 +80,17 @@ jobs:
           target: prod
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           build-args: |
             NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
 
-      - name: Scan UI container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan UI container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'

.github/workflows/ui-e2e-tests.yml

@@ -10,7 +10,6 @@ on:
       - 'ui/**'
 
 jobs:
-
   e2e-tests:
     if: github.repository == 'prowler-cloud/prowler'
     runs-on: ubuntu-latest
@@ -25,59 +24,12 @@ jobs:
       E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
       E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
       E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
-      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
-      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
-      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
-      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
-      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
-      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
-      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
-      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
-      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-
+      E2E_NEW_PASSWORD: ${{ secrets.E2E_NEW_PASSWORD }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
-        with:
-          cluster_name: kind
-      - name: Modify kubeconfig
-        run: |
-            # Modify the kubeconfig to use the kind cluster server to https://kind-control-plane:6443
-            # from worker service into docker-compose.yml
-            kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-            kubectl config view
-      - name: Add network kind to docker compose
-        run: |
-          # Add the network kind to the docker compose to interconnect to kind cluster
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          # Add network kind to worker service and default network too
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Fix API data directory permissions
         run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-      - name: Add AWS credentials for testing AWS SDK Default Adding Provider
-        run: |
-          echo "Adding AWS credentials for testing AWS SDK Default Adding Provider..."
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
       - name: Start API services
         run: |
           # Override docker-compose image tag to use latest instead of stable
@@ -114,45 +66,32 @@ jobs:
             echo "All database fixtures loaded successfully!"
           '
       - name: Setup Node.js environment
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: '20.x'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-      - name: Get pnpm store directory
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - name: Setup pnpm cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
       - name: Install UI dependencies
         working-directory: ./ui
-        run: pnpm install --frozen-lockfile
+        run: npm ci
       - name: Build UI application
         working-directory: ./ui
-        run: pnpm run build
+        run: npm run build
       - name: Cache Playwright browsers
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
           restore-keys: |
             ${{ runner.os }}-playwright-
       - name: Install Playwright browsers
         working-directory: ./ui
         if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm run test:e2e:install
+        run: npm run test:e2e:install
       - name: Run E2E tests
         working-directory: ./ui
-        run: pnpm run test:e2e
+        run: npm run test:e2e
       - name: Upload test reports
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()

.github/workflows/ui-tests.yml

@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-tests.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-tests.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -30,15 +36,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Check for UI changes
         id: check-changes
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
-          files: |
-            ui/**
-            .github/workflows/ui-tests.yml
           files_ignore: |
             ui/CHANGELOG.md
             ui/README.md
@@ -48,36 +51,17 @@ jobs:
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-
-      - name: Setup pnpm
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Get pnpm store directory
-        if: steps.check-changes.outputs.any_changed == 'true'
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm cache
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
 
       - name: Install dependencies
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm install --frozen-lockfile
+        run: npm ci
 
       - name: Run healthcheck
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run healthcheck
+        run: npm run healthcheck
 
       - name: Build application
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run build
+        run: npm run build

.gitignore

@@ -45,86 +45,21 @@ pytest_*.xml
 .coverage
 htmlcov/
 
-# VSCode files and settings
+# VSCode files
 .vscode/
-*.code-workspace
-.vscode-test/
 
-# VSCode extension settings and workspaces
-.history/
-.ionide/
-
-# MCP Server Settings (various locations)
-**/cline_mcp_settings.json
-**/mcp_settings.json
-**/mcp-config.json
-**/mcpServers.json
-.mcp/
-
-# AI Coding Assistants - Cursor
+# Cursor files
 .cursorignore
 .cursor/
-.cursorrules
 
-# AI Coding Assistants - RooCode
+# RooCode files
 .roo/
 .rooignore
 .roomodes
 
-# AI Coding Assistants - Cline (formerly Claude Dev)
+# Cline files
 .cline/
 .clineignore
-.clinerules
-
-# AI Coding Assistants - Continue
-.continue/
-continue.json
-.continuerc
-.continuerc.json
-
-# AI Coding Assistants - GitHub Copilot
-.copilot/
-.github/copilot/
-
-# AI Coding Assistants - Amazon Q Developer (formerly CodeWhisperer)
-.aws/
-.codewhisperer/
-.amazonq/
-.aws-toolkit/
-
-# AI Coding Assistants - Tabnine
-.tabnine/
-tabnine_config.json
-
-# AI Coding Assistants - Kiro
-.kiro/
-.kiroignore
-kiro.config.json
-
-# AI Coding Assistants - Aider
-.aider/
-.aider.chat.history.md
-.aider.input.history
-.aider.tags.cache.v3/
-
-# AI Coding Assistants - Windsurf
-.windsurf/
-.windsurfignore
-
-# AI Coding Assistants - Replit Agent
-.replit
-.replitignore
-
-# AI Coding Assistants - Supermaven
-.supermaven/
-
-# AI Coding Assistants - Sourcegraph Cody
-.cody/
-
-# AI Coding Assistants - General
-.ai/
-.aiconfig
-ai-config.json
 
 # Terraform
 .terraform*
@@ -135,6 +70,7 @@ ai-config.json
 ui/.env*
 api/.env*
 mcp_server/.env*
+.env.local
 
 # Coverage
 .coverage*
@@ -150,5 +86,9 @@ _data/
 # Claude
 CLAUDE.md
 
+# MCP Server
+mcp_server/prowler_mcp_server/prowler_app/server.py
+mcp_server/prowler_mcp_server/prowler_app/utils/schema.yaml
+
 # Compliance report
 *.pdf

.pre-commit-config.yaml

@@ -126,12 +126,3 @@ repos:
         entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
         language: system
         files: '.*\.py'
-
-      - id: ui-checks
-        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
-        entry: bash -c 'cd ui && .husky/pre-commit'
-        language: system
-        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
-        pass_filenames: false
-        verbose: true

Dockerfile

@@ -4,15 +4,10 @@ LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 
 ARG POWERSHELL_VERSION=7.5.0
-ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
-
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}
 
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
-    build-essential pkg-config libzstd-dev zlib1g-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install PowerShell
@@ -30,24 +25,6 @@ RUN ARCH=$(uname -m) && \
     ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
     rm /tmp/powershell.tar.gz
 
-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler

Makefile

@@ -47,12 +47,12 @@ help:     ## Show this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 ##@ Build no cache
-build-no-cache-dev:
-	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat mcp-server
+build-no-cache-dev: 
+	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat
 
 ##@ Development Environment
-run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP, and workers
-	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat mcp-server
+run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, and workers 
+	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat
 
 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev

README.md

@@ -6,7 +6,7 @@
   <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
-<b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>
 
 <p align="center">
@@ -23,7 +23,6 @@
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
   <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
   <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
     <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,32 +35,28 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
 </p>
 
 # Description
 
-**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is an open-source security tool designed to assess and enforce security best practices across AWS, Azure, Google Cloud, and Kubernetes. It supports tasks such as security audits, incident response, continuous monitoring, system hardening, forensic readiness, and remediation processes.
 
 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:
 
-- **Prowler ThreatScore:** Weighted risk prioritization scoring that helps you focus on the most critical security findings first
-- **Industry Standards:** CIS, NIST 800, NIST CSF, CISA, and MITRE ATT&CK
-- **Regulatory Compliance and Governance:** RBI, FedRAMP, PCI-DSS, and NIS2
+- **Industry Standards:** CIS, NIST 800, NIST CSF, and CISA
+- **Regulatory Compliance and Governance:** RBI, FedRAMP, and PCI-DSS
 - **Frameworks for Sensitive Data and Privacy:** GDPR, HIPAA, and FFIEC
-- **Frameworks for Organizational Governance and Quality Control:** SOC2, GXP, and ISO 27001
-- **Cloud-Specific Frameworks:** AWS Foundational Technical Review (FTR), AWS Well-Architected Framework, and BSI C5
-- **National Security Standards:** ENS (Spanish National Security Scheme) and KISA ISMS-P (Korean)
+- **Frameworks for Organizational Governance and Quality Control:** SOC2 and GXP
+- **AWS-Specific Frameworks:** AWS Foundational Technical Review (FTR) and AWS Well-Architected Framework (Security Pillar)
+- **National Security Standards:** ENS (Spanish National Security Scheme)
 - **Custom Security Frameworks:** Tailored to your needs
 
-## Prowler App / Prowler Cloud
+## Prowler App
 
-Prowler App / [Prowler Cloud](https://cloud.prowler.com/) is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.
-
-![Prowler App](docs/images/products/overview.png)
-![Risk Pipeline](docs/images/products/risk-pipeline.png)
-![Threat Map](docs/images/products/threat-map.png)
+Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.
 
+![Prowler App](docs/products/img/overview.png)
 
 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)
 
@@ -78,27 +73,26 @@ prowler <provider>
 ```console
 prowler dashboard
 ```
-![Prowler Dashboard](docs/images/products/dashboard.png)
+![Prowler Dashboard](docs/products/img/dashboard.png)
 
 # Prowler at a Glance
 > [!Tip]
 > For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit [**Prowler Hub**](https://hub.prowler.com).
 
 
-| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
-|---|---|---|---|---|---|---|
-| AWS | 584 | 85 | 40 | 17 | Official | UI, API, CLI |
-| GCP | 89 | 17 | 14 | 5 | Official | UI, API, CLI |
-| Azure | 169 | 22 | 15 | 8 | Official | UI, API, CLI |
-| Kubernetes | 84 | 7 | 6 | 9 | Official | UI, API, CLI |
-| GitHub | 20 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
-| OCI | 52 | 15 | 1 | 12 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 10 | 1 | 9 | Official | CLI |
-| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 4 | 0 | 3 | Official | UI, API, CLI |
-| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Stage | Interface |
+|---|---|---|---|---|---|---|---|
+| AWS | 576 | 82 | 38 | 10 | Official | Stable | UI, API, CLI |
+| GCP | 79 | 13 | 11 | 3 | Official | Stable | UI, API, CLI |
+| Azure | 162 | 19 | 12 | 4 | Official | Stable | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | Stable | UI, API, CLI |
+| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
+| M365 | 70 | 7 | 3 | 2 | Official | Stable | UI, API, CLI |
+| OCI | 51 | 13 | 1 | 10 | Official | Stable | UI, API, CLI |
+| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | Beta | CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | Beta | CLI |
+| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | Beta | CLI |
+| NHN | 6 | 2 | 1 | 0 | Unofficial | Beta | CLI |
 
 > [!Note]
 > The numbers in the table are updated periodically.
@@ -148,9 +142,9 @@ If your workstation's architecture is incompatible, you can resolve this by:
 ### Common Issues with Docker Pull Installation
 
 > [!Note]
-  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.mdx) section for more details and examples.
+  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.md) section for more details and examples.
 
-You can find more information in the [Troubleshooting](./docs/troubleshooting.mdx) section.
+You can find more information in the [Troubleshooting](./docs/troubleshooting.md) section.
 
 
 ### From GitHub
@@ -159,7 +153,7 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md
 
 * `git` installed.
 * `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+* `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
 * `Docker Compose` installed: https://docs.docker.com/compose/install/.
 
 **Commands to run the API**
@@ -215,9 +209,9 @@ python -m celery -A config.celery beat -l info --scheduler django_celery_beat.sc
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/ui
-pnpm install
-pnpm run build
-pnpm start
+npm install
+npm run build
+npm start
 ```
 
 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
@@ -277,12 +271,11 @@ python prowler-cli.py -v
 # ✏️ High level architecture
 
 ## Prowler App
-**Prowler App** is composed of four key components:
+**Prowler App** is composed of three key components:
 
 - **Prowler UI**: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
-- **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.
 
 ![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)
 

api/CHANGELOG.md

@@ -2,89 +2,9 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.18.0] (Prowler UNRELEASED)
+## [1.15.0] (Prowler UNRELEASED)
 
 ### Added
-- Support AlibabaCloud provider [(#9485)](https://github.com/prowler-cloud/prowler/pull/9485)
-
----
-
-## [1.17.2] (Prowler v5.16.2)
-
-### Security
-- Updated dependencies to patch security vulnerabilities: Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
-
----
-
-## [1.17.1] (Prowler v5.16.1)
-
-### Changed
-- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)
-
-### Fixed
-- Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
-
----
-
-## [1.17.0] (Prowler v5.16.0)
-
-### Added
-- New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- Account id, alias and provider name to PDF reporting table [(#9574)](https://github.com/prowler-cloud/prowler/pull/9574)
-
-### Changed
-- Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-- OpenAI provider to only load chat-compatible models with tool calling support [(#9523)](https://github.com/prowler-cloud/prowler/pull/9523)
-- Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)
-
-### Fixed
-- Made `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
-- Reduced unnecessary UPDATE resources operations by only saving when tag mappings change, lowering write load during scans [(#9569)](https://github.com/prowler-cloud/prowler/pull/9569)
-
----
-
-## [1.16.1] (Prowler v5.15.1)
-
-### Fixed
-- Race condition in scheduled scan creation by adding countdown to task [(#9516)](https://github.com/prowler-cloud/prowler/pull/9516)
-
-## [1.16.0] (Prowler v5.15.0)
-
-### Added
-- New endpoint to retrieve an overview of the attack surfaces [(#9309)](https://github.com/prowler-cloud/prowler/pull/9309)
-- New endpoint `GET /api/v1/overviews/findings_severity/timeseries` to retrieve daily aggregated findings by severity level [(#9363)](https://github.com/prowler-cloud/prowler/pull/9363)
-- Lighthouse AI support for Amazon Bedrock API key [(#9343)](https://github.com/prowler-cloud/prowler/pull/9343)
-- Exception handler for provider deletions during scans [(#9414)](https://github.com/prowler-cloud/prowler/pull/9414)
-- Support to use admin credentials through the read replica database [(#9440)](https://github.com/prowler-cloud/prowler/pull/9440)
-
-### Changed
-- Error messages from Lighthouse celery tasks [(#9165)](https://github.com/prowler-cloud/prowler/pull/9165)
-- Restore the compliance overview endpoint's mandatory filters [(#9338)](https://github.com/prowler-cloud/prowler/pull/9338)
-
----
-
-## [1.15.2] (Prowler v5.14.2)
-
-### Fixed
-- Unique constraint violation during compliance overviews task [(#9436)](https://github.com/prowler-cloud/prowler/pull/9436)
-- Division by zero error in ENS PDF report when all requirements are manual [(#9443)](https://github.com/prowler-cloud/prowler/pull/9443)
-
----
-
-## [1.15.1] (Prowler v5.14.1)
-
-### Fixed
-- Fix typo in PDF reporting [(#9345)](https://github.com/prowler-cloud/prowler/pull/9345)
-- Fix IaC provider initialization failure when mutelist processor is configured [(#9331)](https://github.com/prowler-cloud/prowler/pull/9331)
-- Match logic for ThreatScore when counting findings [(#9348)](https://github.com/prowler-cloud/prowler/pull/9348)
-
----
-
-## [1.15.0] (Prowler v5.14.0)
-
-### Added
-- IaC (Infrastructure as Code) provider support for remote repositories [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
 - Extend `GET /api/v1/providers` with provider-type filters and optional pagination disable to support the new Overview filters [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
 - New endpoint to retrieve the number of providers grouped by provider type [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
 - Support for configuring multiple LLM providers [(#8772)](https://github.com/prowler-cloud/prowler/pull/8772)
@@ -93,33 +13,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
 - Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
 - Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
-- Support PDF reporting for ENS compliance framework [(#9158)](https://github.com/prowler-cloud/prowler/pull/9158)
-- Support PDF reporting for NIS2 compliance framework [(#9170)](https://github.com/prowler-cloud/prowler/pull/9170)
-- Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
-- Added `metadata`, `details`, and `partition` attributes to `/resources` endpoint & `details`, and `partition` to `/findings` endpoint [(#9098)](https://github.com/prowler-cloud/prowler/pull/9098)
-- Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
-- Support Prowler ThreatScore for the K8S provider [(#9235)](https://github.com/prowler-cloud/prowler/pull/9235)
-- Enhanced compliance overview endpoint with provider filtering and latest scan aggregation [(#9244)](https://github.com/prowler-cloud/prowler/pull/9244)
-- New endpoint `GET /api/v1/overview/regions` to retrieve aggregated findings data by region [(#9273)](https://github.com/prowler-cloud/prowler/pull/9273)
-
-### Changed
-- Optimized database write queries for scan related tasks [(#9190)](https://github.com/prowler-cloud/prowler/pull/9190)
-- Date filters are now optional for `GET /api/v1/overviews/services` endpoint; returns latest scan data by default [(#9248)](https://github.com/prowler-cloud/prowler/pull/9248)
-
-### Fixed
-- Scans no longer fail when findings have UIDs exceeding 300 characters; such findings are now skipped with detailed logging [(#9246)](https://github.com/prowler-cloud/prowler/pull/9246)
-- Updated unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers [(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
-- Removed compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
-- Refresh output report timestamps for each scan [(#9272)](https://github.com/prowler-cloud/prowler/pull/9272)
-- Severity overview endpoint now ignores muted findings as expected [(#9283)](https://github.com/prowler-cloud/prowler/pull/9283)
-- Fixed discrepancy between ThreatScore PDF report values and database calculations [(#9296)](https://github.com/prowler-cloud/prowler/pull/9296)
-
-### Security
-- Django updated to the latest 5.1 security release, 5.1.14, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/113) and [denial-of-service vulnerability](https://github.com/prowler-cloud/prowler/security/dependabot/114) [(#9176)](https://github.com/prowler-cloud/prowler/pull/9176)
 
 ---
 
-## [1.14.1] (Prowler v5.13.1)
+## [1.14.1] (Prowler 5.13.1)
 
 ### Fixed
 - `/api/v1/overviews/providers` collapses data by provider type so the UI receives a single aggregated record per cloud family even when multiple accounts exist [(#9053)](https://github.com/prowler-cloud/prowler/pull/9053)
@@ -128,7 +25,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.14.0] (Prowler v5.13.0)
+## [1.14.0] (Prowler 5.13.0)
 
 ### Added
 - Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)
@@ -152,14 +49,14 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.13.2] (Prowler v5.12.3)
+## [1.13.2] (Prowler 5.12.3)
 
 ### Fixed
 - 500 error when deleting user [(#8731)](https://github.com/prowler-cloud/prowler/pull/8731)
 
 ---
 
-## [1.13.1] (Prowler v5.12.2)
+## [1.13.1] (Prowler 5.12.2)
 
 ### Changed
 - Renamed compliance overview task queue to `compliance` [(#8755)](https://github.com/prowler-cloud/prowler/pull/8755)
@@ -169,7 +66,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.13.0] (Prowler v5.12.0)
+## [1.13.0] (Prowler 5.12.0)
 
 ### Added
 - Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
@@ -178,7 +75,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.12.0] (Prowler v5.11.0)
+## [1.12.0] (Prowler 5.11.0)
 
 ### Added
 - Lighthouse support for OpenAI GPT-5 [(#8527)](https://github.com/prowler-cloud/prowler/pull/8527)
@@ -190,7 +87,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.11.0] (Prowler v5.10.0)
+## [1.11.0] (Prowler 5.10.0)
 
 ### Added
 - Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)

api/Dockerfile

@@ -5,9 +5,6 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget \
@@ -39,24 +36,6 @@ RUN ARCH=$(uname -m) && \
     ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
     rm /tmp/powershell.tar.gz
 
-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler

api/pyproject.toml

@@ -7,7 +7,7 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
   "celery[pytest] (>=5.4.0,<6.0.0)",
   "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.15)",
+  "django (==5.1.13)",
   "django-allauth[saml] (>=65.8.0,<66.0.0)",
   "django-celery-beat (>=2.7.0,<3.0.0)",
   "django-celery-results (>=2.5.1,<3.0.0)",
@@ -35,11 +35,7 @@ dependencies = [
   "markdown (>=3.9,<4.0)",
   "drf-simple-apikey (==2.2.1)",
   "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
+  "reportlab (>=4.4.4,<5.0.0)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -47,7 +43,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.18.0"
+version = "1.15.0"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"

api/src/backend/api/compliance.py

@@ -144,7 +144,6 @@ def generate_scan_compliance(
     Returns:
         None: This function modifies the compliance_overview in place.
     """
-
     for compliance_id in PROWLER_CHECKS[provider_type][check_id]:
         for requirement in compliance_overview[compliance_id]["requirements"].values():
             if check_id in requirement["checks"]:

api/src/backend/api/db_router.py

@@ -26,7 +26,6 @@ class MainRouter:
     default_db = "default"
     admin_db = "admin"
     replica_db = "replica"
-    admin_replica_db = "admin_replica"
 
     def db_for_read(self, model, **hints):  # noqa: F841
         model_table_name = model._meta.db_table
@@ -50,12 +49,7 @@ class MainRouter:
 
     def allow_relation(self, obj1, obj2, **hints):  # noqa: F841
         # Allow relations when both objects originate from allowed connectors
-        allowed_dbs = {
-            self.default_db,
-            self.admin_db,
-            self.replica_db,
-            self.admin_replica_db,
-        }
+        allowed_dbs = {self.default_db, self.admin_db, self.replica_db}
         if {obj1._state.db, obj2._state.db} <= allowed_dbs:
             return True
         return None

api/src/backend/api/decorators.py

@@ -1,14 +1,10 @@
 import uuid
 from functools import wraps
 
-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError, connection, transaction
+from django.db import connection, transaction
 from rest_framework_json_api.serializers import ValidationError
 
-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY, rls_transaction
-from api.exceptions import ProviderDeletedException
-from api.models import Provider, Scan
+from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY
 
 
 def set_tenant(func=None, *, keep_tenant=False):
@@ -70,49 +66,3 @@ def set_tenant(func=None, *, keep_tenant=False):
         return decorator
     else:
         return decorator(func)
-
-
-def handle_provider_deletion(func):
-    """
-    Decorator that raises ProviderDeletedException if provider was deleted during execution.
-
-    Catches ObjectDoesNotExist and IntegrityError, checks if provider still exists,
-    and raises ProviderDeletedException if not. Otherwise, re-raises original exception.
-
-    Requires tenant_id and provider_id in kwargs.
-
-    Example:
-        @shared_task
-        @handle_provider_deletion
-        def scan_task(scan_id, tenant_id, provider_id):
-            ...
-    """
-
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-        try:
-            return func(*args, **kwargs)
-        except (ObjectDoesNotExist, IntegrityError):
-            tenant_id = kwargs.get("tenant_id")
-            provider_id = kwargs.get("provider_id")
-
-            with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-                if provider_id is None:
-                    scan_id = kwargs.get("scan_id")
-                    if scan_id is None:
-                        raise AssertionError(
-                            "This task does not have provider or scan in the kwargs"
-                        )
-                    scan = Scan.objects.filter(pk=scan_id).first()
-                    if scan is None:
-                        raise ProviderDeletedException(
-                            f"Provider for scan '{scan_id}' was deleted during the scan"
-                        ) from None
-                    provider_id = str(scan.provider_id)
-                if not Provider.objects.filter(pk=provider_id).exists():
-                    raise ProviderDeletedException(
-                        f"Provider '{provider_id}' was deleted during the scan"
-                    ) from None
-            raise
-
-    return wrapper

api/src/backend/api/exceptions.py

@@ -66,10 +66,6 @@ class ProviderConnectionError(Exception):
     """Base exception for provider connection errors."""
 
 
-class ProviderDeletedException(Exception):
-    """Raised when a provider has been deleted during scan/task execution."""
-
-
 def custom_exception_handler(exc, context):
     if isinstance(exc, django_validation_error):
         if hasattr(exc, "error_dict"):

api/src/backend/api/filters.py

@@ -23,9 +23,7 @@ from api.db_utils import (
     StatusEnumField,
 )
 from api.models import (
-    AttackSurfaceOverview,
     ComplianceRequirementOverview,
-    DailySeveritySummary,
     Finding,
     Integration,
     Invitation,
@@ -43,14 +41,12 @@ from api.models import (
     ResourceTag,
     Role,
     Scan,
-    ScanCategorySummary,
     ScanSummary,
     SeverityChoices,
     StateChoices,
     StatusChoices,
     Task,
     TenantAPIKey,
-    ThreatScoreSnapshot,
     User,
 )
 from api.rls import Tenant
@@ -158,9 +154,6 @@ class CommonFindingFilters(FilterSet):
         field_name="resources__type", lookup_expr="icontains"
     )
 
-    category = CharFilter(method="filter_category")
-    category__in = CharInFilter(field_name="categories", lookup_expr="overlap")
-
     # Temporarily disabled until we implement tag filtering in the UI
     # resource_tag_key = CharFilter(field_name="resources__tags__key")
     # resource_tag_key__in = CharInFilter(
@@ -192,9 +185,6 @@ class CommonFindingFilters(FilterSet):
     def filter_resource_type(self, queryset, name, value):
         return queryset.filter(resource_types__contains=[value])
 
-    def filter_category(self, queryset, name, value):
-        return queryset.filter(categories__contains=[value])
-
     def filter_resource_tag(self, queryset, name, value):
         overall_query = Q()
         for key_value_pair in value:
@@ -769,7 +759,7 @@ class RoleFilter(FilterSet):
 
 class ComplianceOverviewFilter(FilterSet):
     inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan_id", required=True)
+    scan_id = UUIDFilter(field_name="scan_id")
     region = CharFilter(field_name="region")
 
     class Meta:
@@ -803,68 +793,6 @@ class ScanSummaryFilter(FilterSet):
         }
 
 
-class DailySeveritySummaryFilter(FilterSet):
-    """Filter for findings_severity/timeseries endpoint."""
-
-    MAX_DATE_RANGE_DAYS = 365
-
-    provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider_id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    date_from = DateFilter(method="filter_noop")
-    date_to = DateFilter(method="filter_noop")
-
-    class Meta:
-        model = DailySeveritySummary
-        fields = ["provider_id"]
-
-    def filter_noop(self, queryset, name, value):
-        return queryset
-
-    def filter_queryset(self, queryset):
-        if not self.data.get("date_from"):
-            raise ValidationError(
-                [
-                    {
-                        "detail": "This query parameter is required.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "required",
-                    }
-                ]
-            )
-
-        today = date.today()
-        date_from = self.form.cleaned_data.get("date_from")
-        date_to = min(self.form.cleaned_data.get("date_to") or today, today)
-
-        if (date_to - date_from).days > self.MAX_DATE_RANGE_DAYS:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"Date range cannot exceed {self.MAX_DATE_RANGE_DAYS} days.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-
-        # View access
-        self.request._date_from = date_from
-        self.request._date_to = date_to
-
-        # Apply date filter (only lte for fill-forward logic)
-        queryset = queryset.filter(date__lte=date_to)
-
-        return super().filter_queryset(queryset)
-
-
 class ScanSummarySeverityFilter(ScanSummaryFilter):
     """Filter for findings_severity ScanSummary endpoint - includes status filters"""
 
@@ -883,8 +811,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
         elif value == OverviewStatusChoices.PASS:
             return queryset.annotate(status_count=F("_pass"))
         else:
-            # Exclude muted findings by default
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))
 
     def filter_status_in(self, queryset, name, value):
         # Validate the status values
@@ -893,7 +820,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
             if status_val not in valid_statuses:
                 raise ValidationError(f"Invalid status value: {status_val}")
 
-        # If all statuses or no valid statuses, exclude muted findings (pass + fail)
+        # If all statuses or no valid statuses, use total
         if (
             set(value)
             >= {
@@ -902,7 +829,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
             }
             or not value
         ):
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))
 
         # Build the sum expression based on status values
         sum_expression = None
@@ -920,7 +847,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
                 sum_expression = sum_expression + field_expr
 
         if sum_expression is None:
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))
 
         return queryset.annotate(status_count=sum_expression)
 
@@ -932,6 +859,26 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
         }
 
 
+class ServiceOverviewFilter(ScanSummaryFilter):
+    def is_valid(self):
+        # Check if at least one of the inserted_at filters is present
+        inserted_at_filters = [
+            self.data.get("inserted_at"),
+            self.data.get("inserted_at__gte"),
+            self.data.get("inserted_at__lte"),
+        ]
+        if not any(inserted_at_filters):
+            raise ValidationError(
+                {
+                    "inserted_at": [
+                        "At least one of filter[inserted_at], filter[inserted_at__gte], or "
+                        "filter[inserted_at__lte] is required."
+                    ]
+                }
+            )
+        return super().is_valid()
+
+
 class IntegrationFilter(FilterSet):
     inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
     integration_type = ChoiceFilter(choices=Integration.IntegrationChoices.choices)
@@ -957,26 +904,6 @@ class ProcessorFilter(FilterSet):
     )
 
 
-class IntegrationGitHubFindingsFilter(FilterSet):
-    # To be expanded as needed
-    finding_id = UUIDFilter(field_name="id", lookup_expr="exact")
-    finding_id__in = UUIDInFilter(field_name="id", lookup_expr="in")
-
-    class Meta:
-        model = Finding
-        fields = {}
-
-    def filter_queryset(self, queryset):
-        # Validate that there is at least one filter provided
-        if not self.data:
-            raise ValidationError(
-                {
-                    "findings": "No finding filters provided. At least one filter is required."
-                }
-            )
-        return super().filter_queryset(queryset)
-
-
 class IntegrationJiraFindingsFilter(FilterSet):
     # To be expanded as needed
     finding_id = UUIDFilter(field_name="id", lookup_expr="exact")
@@ -1071,74 +998,3 @@ class MuteRuleFilter(FilterSet):
             "inserted_at": ["gte", "lte"],
             "updated_at": ["gte", "lte"],
         }
-
-
-class ThreatScoreSnapshotFilter(FilterSet):
-    """
-    Filter for ThreatScore snapshots.
-    Allows filtering by scan, provider, compliance_id, and date ranges.
-    """
-
-    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan__id", lookup_expr="exact")
-    scan_id__in = UUIDInFilter(field_name="scan__id", lookup_expr="in")
-    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-    compliance_id = CharFilter(field_name="compliance_id", lookup_expr="exact")
-    compliance_id__in = CharInFilter(field_name="compliance_id", lookup_expr="in")
-
-    class Meta:
-        model = ThreatScoreSnapshot
-        fields = {
-            "scan": ["exact", "in"],
-            "provider": ["exact", "in"],
-            "compliance_id": ["exact", "in"],
-            "inserted_at": ["date", "gte", "lte"],
-            "overall_score": ["exact", "gte", "lte"],
-        }
-
-
-class AttackSurfaceOverviewFilter(FilterSet):
-    """Filter for attack surface overview aggregations by provider."""
-
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        model = AttackSurfaceOverview
-        fields = {}
-
-
-class CategoryOverviewFilter(FilterSet):
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-    category = CharFilter(field_name="category", lookup_expr="exact")
-    category__in = CharInFilter(field_name="category", lookup_expr="in")
-
-    class Meta:
-        model = ScanCategorySummary
-        fields = {}

api/src/backend/api/migrations/0051_oraclecloud_provider.py

@@ -22,13 +22,13 @@ class Migration(migrations.Migration):
                     ("kubernetes", "Kubernetes"),
                     ("m365", "M365"),
                     ("github", "GitHub"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                    ("oci", "Oracle Cloud Infrastructure"),
                 ],
                 default="aws",
             ),
         ),
         migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'oraclecloud';",
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'oci';",
             reverse_sql=migrations.RunSQL.noop,
         ),
     ]

api/src/backend/api/migrations/0054_iac_provider.py

@@ -1,35 +0,0 @@
-# Generated by Django 5.1.10 on 2025-09-09 09:25
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0053_lighthouse_bedrock_openai_compatible"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("iac", "IaC"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'iac';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/migrations/0055_mongodbatlas_provider.py

@@ -1,36 +0,0 @@
-# Generated by Django 5.1.13 on 2025-11-05 08:37
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0054_iac_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'mongodbatlas';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/migrations/0056_remove_provider_unique_provider_uids_and_more.py

@@ -1,24 +0,0 @@
-# Generated by Django 5.1.13 on 2025-11-06 09:20
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0055_mongodbatlas_provider"),
-    ]
-
-    operations = [
-        migrations.RemoveConstraint(
-            model_name="provider",
-            name="unique_provider_uids",
-        ),
-        migrations.AddConstraint(
-            model_name="provider",
-            constraint=models.UniqueConstraint(
-                condition=models.Q(("is_deleted", False)),
-                fields=("tenant_id", "provider", "uid"),
-                name="unique_provider_uids",
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0057_threatscoresnapshot.py

@@ -1,170 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-31 09:04
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0056_remove_provider_unique_provider_uids_and_more"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ThreatScoreSnapshot",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                (
-                    "compliance_id",
-                    models.CharField(
-                        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
-                        max_length=100,
-                    ),
-                ),
-                (
-                    "overall_score",
-                    models.DecimalField(
-                        decimal_places=2,
-                        help_text="Overall ThreatScore percentage (0-100)",
-                        max_digits=5,
-                    ),
-                ),
-                (
-                    "score_delta",
-                    models.DecimalField(
-                        blank=True,
-                        decimal_places=2,
-                        help_text="Score change compared to previous snapshot (positive = improvement)",
-                        max_digits=5,
-                        null=True,
-                    ),
-                ),
-                (
-                    "section_scores",
-                    models.JSONField(
-                        blank=True,
-                        default=dict,
-                        help_text="ThreatScore breakdown by section",
-                    ),
-                ),
-                (
-                    "critical_requirements",
-                    models.JSONField(
-                        blank=True,
-                        default=list,
-                        help_text="List of critical failed requirements (risk >= 4)",
-                    ),
-                ),
-                (
-                    "total_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Total number of requirements evaluated"
-                    ),
-                ),
-                (
-                    "passed_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with PASS status"
-                    ),
-                ),
-                (
-                    "failed_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with FAIL status"
-                    ),
-                ),
-                (
-                    "manual_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with MANUAL status"
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Total number of findings across all requirements",
-                    ),
-                ),
-                (
-                    "passed_findings",
-                    models.IntegerField(
-                        default=0, help_text="Number of findings with PASS status"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0, help_text="Number of findings with FAIL status"
-                    ),
-                ),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="threatscore_snapshots",
-                        related_query_name="threatscore_snapshot",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="threatscore_snapshots",
-                        related_query_name="threatscore_snapshot",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "threatscore_snapshots",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "scan_id"], name="threatscore_snap_t_scan_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "provider_id"], name="threatscore_snap_t_prov_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "inserted_at"], name="threatscore_snap_t_time_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="threatscoresnapshot",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_threatscoresnapshot",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0058_drop_redundant_compliance_requirement_indexes.py

@@ -1,29 +0,0 @@
-from django.contrib.postgres.operations import RemoveIndexConcurrently
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0057_threatscoresnapshot"),
-    ]
-
-    operations = [
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_tenant_scan_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_reg_idx",
-        ),
-    ]

api/src/backend/api/migrations/0059_compliance_overview_summary.py

@@ -1,75 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-30 15:23
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0058_drop_redundant_compliance_requirement_indexes"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ComplianceOverviewSummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("compliance_id", models.TextField()),
-                ("requirements_passed", models.IntegerField(default=0)),
-                ("requirements_failed", models.IntegerField(default=0)),
-                ("requirements_manual", models.IntegerField(default=0)),
-                ("total_requirements", models.IntegerField(default=0)),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_summaries",
-                        related_query_name="compliance_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "compliance_overview_summaries",
-                "abstract": False,
-                "indexes": [
-                    models.Index(
-                        fields=["tenant_id", "scan_id"], name="cos_tenant_scan_idx"
-                    )
-                ],
-                "constraints": [
-                    models.UniqueConstraint(
-                        fields=("tenant_id", "scan_id", "compliance_id"),
-                        name="unique_compliance_summary_per_scan",
-                    )
-                ],
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="complianceoverviewsummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_complianceoverviewsummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0060_attack_surface_overview.py

@@ -1,89 +0,0 @@
-# Generated by Django 5.1.14 on 2025-11-19 13:03
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0059_compliance_overview_summary"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="AttackSurfaceOverview",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                (
-                    "attack_surface_type",
-                    models.CharField(
-                        choices=[
-                            ("internet-exposed", "Internet Exposed"),
-                            ("secrets", "Exposed Secrets"),
-                            ("privilege-escalation", "Privilege Escalation"),
-                            ("ec2-imdsv1", "EC2 IMDSv1 Enabled"),
-                        ],
-                        max_length=50,
-                    ),
-                ),
-                ("total_findings", models.IntegerField(default=0)),
-                ("failed_findings", models.IntegerField(default=0)),
-                ("muted_failed_findings", models.IntegerField(default=0)),
-            ],
-            options={
-                "db_table": "attack_surface_overviews",
-                "abstract": False,
-            },
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="scan",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="attack_surface_overviews",
-                related_query_name="attack_surface_overview",
-                to="api.scan",
-            ),
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="attacksurfaceoverview",
-            index=models.Index(
-                fields=["tenant_id", "scan_id"], name="attack_surf_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_attacksurfaceoverview",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0061_daily_severity_summary.py

@@ -1,96 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-03 13:38
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0060_attack_surface_overview"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="DailySeveritySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("date", models.DateField()),
-                ("critical", models.IntegerField(default=0)),
-                ("high", models.IntegerField(default=0)),
-                ("medium", models.IntegerField(default=0)),
-                ("low", models.IntegerField(default=0)),
-                ("informational", models.IntegerField(default=0)),
-                ("muted", models.IntegerField(default=0)),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "daily_severity_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_dailyseveritysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0062_backfill_daily_severity_summaries.py

@@ -1,30 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-10
-
-from django.db import migrations
-from tasks.tasks import backfill_daily_severity_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Trigger the backfill task for all tenants.
-
-    This dispatches backfill_daily_severity_summaries_task for each tenant
-    in the system to populate DailySeveritySummary records from historical scans.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_daily_severity_summaries_task.delay(tenant_id=str(tenant_id), days=90)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0061_daily_severity_summary"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]

api/src/backend/api/migrations/0063_scan_category_summary.py

@@ -1,111 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0062_backfill_daily_severity_summaries"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ScanCategorySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-                (
-                    "inserted_at",
-                    models.DateTimeField(auto_now_add=True),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="category_summaries",
-                        related_query_name="category_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "category",
-                    models.CharField(max_length=100),
-                ),
-                (
-                    "severity",
-                    api.db_utils.SeverityEnumField(
-                        choices=[
-                            ("critical", "Critical"),
-                            ("high", "High"),
-                            ("medium", "Medium"),
-                            ("low", "Low"),
-                            ("informational", "Informational"),
-                        ],
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0, help_text="Non-muted findings (PASS + FAIL)"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL findings (subset of total_findings)",
-                    ),
-                ),
-                (
-                    "new_failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "scan_category_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="scancategorysummary",
-            index=models.Index(
-                fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_scancategorysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0064_finding_categories.py

@@ -1,22 +0,0 @@
-import django.contrib.postgres.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0063_scan_category_summary"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="finding",
-            name="categories",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.CharField(max_length=100),
-                blank=True,
-                null=True,
-                size=None,
-                help_text="Categories from check metadata for efficient filtering",
-            ),
-        ),
-    ]

api/src/backend/api/migrations/0065_alibabacloud_provider.py

@@ -1,37 +0,0 @@
-# Generated by Django migration for Alibaba Cloud provider support
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0064_finding_categories"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'alibabacloud';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/models.py

@@ -284,10 +284,7 @@ class Provider(RowLevelSecurityProtectedModel):
         KUBERNETES = "kubernetes", _("Kubernetes")
         M365 = "m365", _("M365")
         GITHUB = "github", _("GitHub")
-        MONGODBATLAS = "mongodbatlas", _("MongoDB Atlas")
-        IAC = "iac", _("IaC")
-        ORACLECLOUD = "oraclecloud", _("Oracle Cloud Infrastructure")
-        ALIBABACLOUD = "alibabacloud", _("Alibaba Cloud")
+        OCI = "oci", _("Oracle Cloud Infrastructure")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -359,45 +356,14 @@ class Provider(RowLevelSecurityProtectedModel):
             )
 
     @staticmethod
-    def validate_iac_uid(value):
-        # Validate that it's a valid repository URL (git URL format)
-        if not re.match(
-            r"^(https?://|git@|ssh://)[^\s/]+[^\s]*\.git$|^(https?://)[^\s/]+[^\s]*$",
-            value,
-        ):
-            raise ModelValidationError(
-                detail="IaC provider ID must be a valid repository URL (e.g., https://github.com/user/repo or https://github.com/user/repo.git).",
-                code="iac-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_oraclecloud_uid(value):
+    def validate_oci_uid(value):
         if not re.match(
             r"^ocid1\.([a-z0-9_-]+)\.([a-z0-9_-]+)\.([a-z0-9_-]*)\.([a-z0-9]+)$", value
         ):
             raise ModelValidationError(
                 detail="Oracle Cloud Infrastructure provider ID must be a valid tenancy OCID in the format: "
                 "ocid1.<resource_type>.<realm>.<region>.<unique_id>",
-                code="oraclecloud-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_mongodbatlas_uid(value):
-        if not re.match(r"^[0-9a-fA-F]{24}$", value):
-            raise ModelValidationError(
-                detail="MongoDB Atlas organization ID must be a 24-character hexadecimal string.",
-                code="mongodbatlas-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_alibabacloud_uid(value):
-        if not re.match(r"^\d{16}$", value):
-            raise ModelValidationError(
-                detail="Alibaba Cloud account ID must be exactly 16 digits.",
-                code="alibabacloud-uid",
+                code="oci-uid",
                 pointer="/data/attributes/uid",
             )
 
@@ -435,8 +401,7 @@ class Provider(RowLevelSecurityProtectedModel):
 
         constraints = [
             models.UniqueConstraint(
-                fields=("tenant_id", "provider", "uid"),
-                condition=Q(is_deleted=False),
+                fields=("tenant_id", "provider", "uid", "is_deleted"),
                 name="unique_provider_uids",
             ),
             RowLevelSecurityConstraint(
@@ -726,19 +691,14 @@ class Resource(RowLevelSecurityProtectedModel):
             self.clear_tags()
             return
 
-        # Add new relationships with the tenant_id field; avoid touching the
-        # Resource row unless a mapping is actually created to prevent noisy
-        # updates during scans.
-        mapping_created = False
+        # Add new relationships with the tenant_id field
         for tag in tags:
-            _, created = ResourceTagMapping.objects.update_or_create(
+            ResourceTagMapping.objects.update_or_create(
                 tag=tag, resource=self, tenant_id=self.tenant_id
             )
-            mapping_created = mapping_created or created
 
-        if mapping_created:
-            # Only bump updated_at when the tag set truly changed
-            self.save(update_fields=["updated_at"])
+        # Save the instance
+        self.save()
 
     class Meta(RowLevelSecurityProtectedModel.Meta):
         db_table = "resources"
@@ -883,14 +843,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
         null=True,
     )
 
-    # Check metadata denormalization
-    categories = ArrayField(
-        models.CharField(max_length=100),
-        blank=True,
-        null=True,
-        help_text="Categories from check metadata for efficient filtering",
-    )
-
     # Relationships
     scan = models.ForeignKey(to=Scan, related_name="findings", on_delete=models.CASCADE)
 
@@ -1394,70 +1346,35 @@ class ComplianceRequirementOverview(RowLevelSecurityProtectedModel):
             ),
         ]
         indexes = [
+            models.Index(fields=["tenant_id", "scan_id"], name="cro_tenant_scan_idx"),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id"],
+                name="cro_scan_comp_idx",
+            ),
             models.Index(
                 fields=["tenant_id", "scan_id", "compliance_id", "region"],
                 name="cro_scan_comp_reg_idx",
             ),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id", "requirement_id"],
+                name="cro_scan_comp_req_idx",
+            ),
+            models.Index(
+                fields=[
+                    "tenant_id",
+                    "scan_id",
+                    "compliance_id",
+                    "requirement_id",
+                    "region",
+                ],
+                name="cro_scan_comp_req_reg_idx",
+            ),
         ]
 
     class JSONAPIMeta:
         resource_name = "compliance-requirements-overviews"
 
 
-class ComplianceOverviewSummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated compliance overview aggregated across ALL regions.
-    One row per (scan_id, compliance_id) combination.
-
-    This table optimizes the common case where users view overall compliance
-    without filtering by region. For region-specific views, the detailed
-    ComplianceRequirementOverview table is used instead.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="compliance_summaries",
-        related_query_name="compliance_summary",
-    )
-
-    compliance_id = models.TextField(blank=False)
-
-    # Pre-aggregated scores (computed across ALL regions)
-    requirements_passed = models.IntegerField(default=0)
-    requirements_failed = models.IntegerField(default=0)
-    requirements_manual = models.IntegerField(default=0)
-    total_requirements = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "compliance_overview_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "compliance_id"),
-                name="unique_compliance_summary_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="cos_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "compliance-overview-summaries"
-
-
 class ScanSummary(RowLevelSecurityProtectedModel):
     objects = ActiveProviderManager()
     all_objects = models.Manager()
@@ -1523,70 +1440,10 @@ class ScanSummary(RowLevelSecurityProtectedModel):
         resource_name = "scan-summaries"
 
 
-class DailySeveritySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated daily severity counts per provider.
-    Used by findings_severity/timeseries endpoint for efficient queries.
-    """
-
-    objects = ActiveProviderManager()
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    date = models.DateField()
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-
-    # Aggregated fail counts by severity
-    critical = models.IntegerField(default=0)
-    high = models.IntegerField(default=0)
-    medium = models.IntegerField(default=0)
-    low = models.IntegerField(default=0)
-    informational = models.IntegerField(default=0)
-    muted = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "daily_severity_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ]
-
-
 class Integration(RowLevelSecurityProtectedModel):
     class IntegrationChoices(models.TextChoices):
         AMAZON_S3 = "amazon_s3", _("Amazon S3")
         AWS_SECURITY_HUB = "aws_security_hub", _("AWS Security Hub")
-        GITHUB = "github", _("GitHub")
         JIRA = "jira", _("JIRA")
         SLACK = "slack", _("Slack")
 
@@ -1975,64 +1832,6 @@ class ResourceScanSummary(RowLevelSecurityProtectedModel):
         ]
 
 
-class ScanCategorySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated category metrics per scan by severity.
-
-    Stores one row per (category, severity) combination per scan for efficient
-    overview queries. Categories come from check_metadata.categories.
-
-    Count relationships (each is a subset of the previous):
-        - total_findings >= failed_findings >= new_failed_findings
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="category_summaries",
-        related_query_name="category_summary",
-    )
-
-    category = models.CharField(max_length=100)
-    severity = SeverityEnumField(choices=SeverityChoices)
-
-    total_findings = models.IntegerField(
-        default=0, help_text="Non-muted findings (PASS + FAIL)"
-    )
-    failed_findings = models.IntegerField(
-        default=0, help_text="Non-muted FAIL findings (subset of total_findings)"
-    )
-    new_failed_findings = models.IntegerField(
-        default=0,
-        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-    )
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "scan_category_summaries"
-
-        indexes = [
-            models.Index(fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"),
-        ]
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "scan-category-summaries"
-
-
 class LighthouseConfiguration(RowLevelSecurityProtectedModel):
     """
     Stores configuration and API keys for LLM services.
@@ -2415,194 +2214,3 @@ class LighthouseProviderModels(RowLevelSecurityProtectedModel):
 
     class JSONAPIMeta:
         resource_name = "lighthouse-models"
-
-
-class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):
-    """
-    Stores historical ThreatScore metrics for a given scan.
-    Snapshots are created automatically after each ThreatScore report generation.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="threatscore_snapshots",
-        related_query_name="threatscore_snapshot",
-    )
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="threatscore_snapshots",
-        related_query_name="threatscore_snapshot",
-    )
-
-    compliance_id = models.CharField(
-        max_length=100,
-        blank=False,
-        null=False,
-        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
-    )
-
-    # Overall ThreatScore metrics
-    overall_score = models.DecimalField(
-        max_digits=5,
-        decimal_places=2,
-        help_text="Overall ThreatScore percentage (0-100)",
-    )
-
-    # Score improvement/degradation compared to previous snapshot
-    score_delta = models.DecimalField(
-        max_digits=5,
-        decimal_places=2,
-        null=True,
-        blank=True,
-        help_text="Score change compared to previous snapshot (positive = improvement)",
-    )
-
-    # Section breakdown stored as JSON
-    # Format: {"1. IAM": 85.5, "2. Attack Surface": 92.3, ...}
-    section_scores = models.JSONField(
-        default=dict,
-        blank=True,
-        help_text="ThreatScore breakdown by section",
-    )
-
-    # Critical requirements metadata stored as JSON
-    # Format: [{"requirement_id": "...", "risk_level": 5, "weight": 150, ...}, ...]
-    critical_requirements = models.JSONField(
-        default=list,
-        blank=True,
-        help_text="List of critical failed requirements (risk >= 4)",
-    )
-
-    # Summary statistics
-    total_requirements = models.IntegerField(
-        default=0,
-        help_text="Total number of requirements evaluated",
-    )
-
-    passed_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with PASS status",
-    )
-
-    failed_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with FAIL status",
-    )
-
-    manual_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with MANUAL status",
-    )
-
-    total_findings = models.IntegerField(
-        default=0,
-        help_text="Total number of findings across all requirements",
-    )
-
-    passed_findings = models.IntegerField(
-        default=0,
-        help_text="Number of findings with PASS status",
-    )
-
-    failed_findings = models.IntegerField(
-        default=0,
-        help_text="Number of findings with FAIL status",
-    )
-
-    def __str__(self):
-        return f"ThreatScore {self.overall_score}% for scan {self.scan_id} ({self.inserted_at})"
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "threatscore_snapshots"
-
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="threatscore_snap_t_scan_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="threatscore_snap_t_prov_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "inserted_at"],
-                name="threatscore_snap_t_time_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "threatscore-snapshots"
-
-
-class AttackSurfaceOverview(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated attack surface metrics per scan.
-
-    Stores counts for each attack surface type (internet-exposed, secrets,
-    privilege-escalation, ec2-imdsv1) to enable fast overview queries.
-    """
-
-    class AttackSurfaceTypeChoices(models.TextChoices):
-        INTERNET_EXPOSED = "internet-exposed", _("Internet Exposed")
-        SECRETS = "secrets", _("Exposed Secrets")
-        PRIVILEGE_ESCALATION = "privilege-escalation", _("Privilege Escalation")
-        EC2_IMDSV1 = "ec2-imdsv1", _("EC2 IMDSv1 Enabled")
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="attack_surface_overviews",
-        related_query_name="attack_surface_overview",
-    )
-
-    attack_surface_type = models.CharField(
-        max_length=50,
-        choices=AttackSurfaceTypeChoices.choices,
-    )
-
-    # Finding counts
-    total_findings = models.IntegerField(default=0)  # All findings (PASS + FAIL)
-    failed_findings = models.IntegerField(default=0)  # Non-muted failed findings
-    muted_failed_findings = models.IntegerField(default=0)  # Muted failed findings
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "attack_surface_overviews"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="attack_surf_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"

api/src/backend/api/rbac/permissions.py

@@ -65,11 +65,11 @@ def get_providers(role: Role) -> QuerySet[Provider]:
         A QuerySet of Provider objects filtered by the role's provider groups.
         If the role has no provider groups, returns an empty queryset.
     """
-    tenant_id = role.tenant_id
+    tenant = role.tenant
     provider_groups = role.provider_groups.all()
     if not provider_groups.exists():
         return Provider.objects.none()
 
     return Provider.objects.filter(
-        tenant_id=tenant_id, provider_groups__in=provider_groups
+        tenant=tenant, provider_groups__in=provider_groups
     ).distinct()

api/src/backend/api/tests/test_decorators.py

@@ -2,12 +2,9 @@ import uuid
 from unittest.mock import call, patch
 
 import pytest
-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError
 
 from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY
-from api.decorators import handle_provider_deletion, set_tenant
-from api.exceptions import ProviderDeletedException
+from api.decorators import set_tenant
 
 
 @pytest.mark.django_db
@@ -37,142 +34,3 @@ class TestSetTenantDecorator:
 
         with pytest.raises(KeyError):
             random_func("test_arg")
-
-
-@pytest.mark.django_db
-class TestHandleProviderDeletionDecorator:
-    def test_success_no_exception(self, tenants_fixture, providers_fixture):
-        """Decorated function runs normally when no exception is raised."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            return "success"
-
-        result = task_func(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-        )
-        assert result == "success"
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_deleted_with_provider_id(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when provider_id provided and provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-        assert deleted_provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_provider_deleted_with_scan_id(
-        self, mock_scan_filter, mock_provider_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when scan exists but provider deleted."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-        provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-
-        mock_scan = type("MockScan", (), {"provider_id": provider_id})()
-        mock_scan_filter.return_value.first.return_value = mock_scan
-        mock_provider_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_scan_deleted_cascade(self, mock_scan_filter, mock_rls, tenants_fixture):
-        """Raises ProviderDeletedException when scan was deleted (CASCADE from provider)."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_scan_filter.return_value.first.return_value = None
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert scan_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_exists_reraises_original(
-        self, mock_filter, mock_rls, tenants_fixture, providers_fixture
-    ):
-        """Re-raises original exception when provider still exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = True
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Actual object missing")
-
-        with pytest.raises(ObjectDoesNotExist):
-            task_func(tenant_id=str(tenant.id), provider_id=str(provider.id))
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_integrity_error_provider_deleted(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException on IntegrityError when provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise IntegrityError("FK constraint violation")
-
-        with pytest.raises(ProviderDeletedException):
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-    def test_missing_provider_and_scan_raises_assertion(self, tenants_fixture):
-        """Raises AssertionError when neither provider_id nor scan_id in kwargs."""
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(AssertionError) as exc_info:
-            task_func(tenant_id=str(tenants_fixture[0].id))
-
-        assert "provider or scan" in str(exc_info.value)

api/src/backend/api/tests/test_utils.py

@@ -16,17 +16,13 @@ from api.utils import (
     return_prowler_provider,
     validate_invitation,
 )
-from prowler.providers.alibabacloud.alibabacloud_provider import AlibabacloudProvider
 from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHubConnection
 from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
-from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
-from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
-from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
+from prowler.providers.oraclecloud.oci_provider import OciProvider
 
 
 class TestMergeDicts:
@@ -113,11 +109,7 @@ class TestReturnProwlerProvider:
             (Provider.ProviderChoices.AZURE.value, AzureProvider),
             (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
             (Provider.ProviderChoices.M365.value, M365Provider),
-            (Provider.ProviderChoices.GITHUB.value, GithubProvider),
-            (Provider.ProviderChoices.MONGODBATLAS.value, MongodbatlasProvider),
-            (Provider.ProviderChoices.ORACLECLOUD.value, OraclecloudProvider),
-            (Provider.ProviderChoices.IAC.value, IacProvider),
-            (Provider.ProviderChoices.ALIBABACLOUD.value, AlibabacloudProvider),
+            (Provider.ProviderChoices.OCI.value, OciProvider),
         ],
     )
     def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -214,13 +206,9 @@ class TestGetProwlerProviderKwargs:
                 {"organizations": ["provider_uid"]},
             ),
             (
-                Provider.ProviderChoices.ORACLECLOUD.value,
+                Provider.ProviderChoices.OCI.value,
                 {},
             ),
-            (
-                Provider.ProviderChoices.MONGODBATLAS.value,
-                {"atlas_organization_id": "provider_uid"},
-            ),
         ],
     )
     def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -258,72 +246,6 @@ class TestGetProwlerProviderKwargs:
         expected_result = {**secret_dict, "mutelist_content": {"key": "value"}}
         assert result == expected_result
 
-    def test_get_prowler_provider_kwargs_iac_provider(self):
-        """Test that IaC provider gets correct kwargs with repository URL."""
-        provider_uid = "https://github.com/org/repo"
-        secret_dict = {"access_token": "test_token"}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider)
-
-        expected_result = {
-            "scan_repository_url": provider_uid,
-            "oauth_app_token": "test_token",
-        }
-        assert result == expected_result
-
-    def test_get_prowler_provider_kwargs_iac_provider_without_token(self):
-        """Test that IaC provider works without access token for public repos."""
-        provider_uid = "https://github.com/org/public-repo"
-        secret_dict = {}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider)
-
-        expected_result = {"scan_repository_url": provider_uid}
-        assert result == expected_result
-
-    def test_get_prowler_provider_kwargs_iac_provider_ignores_mutelist(self):
-        """Test that IaC provider does NOT receive mutelist_content.
-
-        IaC provider uses Trivy's built-in mutelist logic, so it should not
-        receive mutelist_content even when a mutelist processor is configured.
-        """
-        provider_uid = "https://github.com/org/repo"
-        secret_dict = {"access_token": "test_token"}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        mutelist_processor = MagicMock()
-        mutelist_processor.configuration = {"Mutelist": {"key": "value"}}
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider, mutelist_processor)
-
-        # IaC provider should NOT have mutelist_content
-        assert "mutelist_content" not in result
-        expected_result = {
-            "scan_repository_url": provider_uid,
-            "oauth_app_token": "test_token",
-        }
-        assert result == expected_result
-
     def test_get_prowler_provider_kwargs_unsupported_provider(self):
         # Setup
         provider_uid = "provider_uid"

api/src/backend/api/utils.py

@@ -11,7 +11,6 @@ from api.exceptions import InvitationTokenExpiredException
 from api.models import Integration, Invitation, Processor, Provider, Resource
 from api.v1.serializers import FindingMetadataSerializer
 from prowler.lib.outputs.jira.jira import Jira, JiraBasicAuthError
-from prowler.providers.alibabacloud.alibabacloud_provider import AlibabacloudProvider
 from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
@@ -19,11 +18,9 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.common.models import Connection
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
-from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
-from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
+from prowler.providers.oraclecloud.oci_provider import OciProvider
 
 
 class CustomOAuth2Client(OAuth2Client):
@@ -64,25 +61,22 @@ def merge_dicts(default_dict: dict, replacement_dict: dict) -> dict:
 
 def return_prowler_provider(
     provider: Provider,
-) -> (
-    AlibabacloudProvider
-    | AwsProvider
+) -> [
+    AwsProvider
     | AzureProvider
     | GcpProvider
     | GithubProvider
-    | IacProvider
     | KubernetesProvider
     | M365Provider
-    | MongodbatlasProvider
-    | OraclecloudProvider
-):
+    | OciProvider
+]:
     """Return the Prowler provider class based on the given provider type.
 
     Args:
         provider (Provider): The provider object containing the provider type and associated secrets.
 
     Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OraclecloudProvider: The corresponding provider class.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider | OciProvider: The corresponding provider class.
 
     Raises:
         ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -100,14 +94,8 @@ def return_prowler_provider(
             prowler_provider = M365Provider
         case Provider.ProviderChoices.GITHUB.value:
             prowler_provider = GithubProvider
-        case Provider.ProviderChoices.MONGODBATLAS.value:
-            prowler_provider = MongodbatlasProvider
-        case Provider.ProviderChoices.IAC.value:
-            prowler_provider = IacProvider
-        case Provider.ProviderChoices.ORACLECLOUD.value:
-            prowler_provider = OraclecloudProvider
-        case Provider.ProviderChoices.ALIBABACLOUD.value:
-            prowler_provider = AlibabacloudProvider
+        case Provider.ProviderChoices.OCI.value:
+            prowler_provider = OciProvider
         case _:
             raise ValueError(f"Provider type {provider.provider} not supported")
     return prowler_provider
@@ -144,26 +132,10 @@ def get_prowler_provider_kwargs(
                 **prowler_provider_kwargs,
                 "organizations": [provider.uid],
             }
-    elif provider.provider == Provider.ProviderChoices.IAC.value:
-        # For IaC provider, uid contains the repository URL
-        # Extract the access token if present in the secret
-        prowler_provider_kwargs = {
-            "scan_repository_url": provider.uid,
-        }
-        if "access_token" in provider.secret.secret:
-            prowler_provider_kwargs["oauth_app_token"] = provider.secret.secret[
-                "access_token"
-            ]
-    elif provider.provider == Provider.ProviderChoices.MONGODBATLAS.value:
-        prowler_provider_kwargs = {
-            **prowler_provider_kwargs,
-            "atlas_organization_id": provider.uid,
-        }
 
     if mutelist_processor:
         mutelist_content = mutelist_processor.configuration.get("Mutelist", {})
-        # IaC provider doesn't support mutelist (uses Trivy's built-in logic)
-        if mutelist_content and provider.provider != Provider.ProviderChoices.IAC.value:
+        if mutelist_content:
             prowler_provider_kwargs["mutelist_content"] = mutelist_content
 
     return prowler_provider_kwargs
@@ -173,16 +145,13 @@ def initialize_prowler_provider(
     provider: Provider,
     mutelist_processor: Processor | None = None,
 ) -> (
-    AlibabacloudProvider
-    | AwsProvider
+    AwsProvider
     | AzureProvider
     | GcpProvider
     | GithubProvider
-    | IacProvider
     | KubernetesProvider
     | M365Provider
-    | MongodbatlasProvider
-    | OraclecloudProvider
+    | OciProvider
 ):
     """Initialize a Prowler provider instance based on the given provider type.
 
@@ -191,8 +160,9 @@ def initialize_prowler_provider(
         mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.
 
     Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OraclecloudProvider: An instance of the corresponding provider class
-            initialized with the provider's secrets.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | KubernetesProvider | M365Provider | OciProvider: An instance of the corresponding provider class
+            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `GithubProvider`, `KubernetesProvider`, `M365Provider` or `OciProvider`) initialized with the
+            provider's secrets.
     """
     prowler_provider = return_prowler_provider(provider)
     prowler_provider_kwargs = get_prowler_provider_kwargs(provider, mutelist_processor)
@@ -215,23 +185,9 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
     except Provider.secret.RelatedObjectDoesNotExist as secret_error:
         return Connection(is_connected=False, error=secret_error)
 
-    # For IaC provider, construct the kwargs properly for test_connection
-    if provider.provider == Provider.ProviderChoices.IAC.value:
-        # Don't pass repository_url from secret, use scan_repository_url with the UID
-        iac_test_kwargs = {
-            "scan_repository_url": provider.uid,
-            "raise_on_exception": False,
-        }
-        # Add access_token if present in the secret
-        if "access_token" in prowler_provider_kwargs:
-            iac_test_kwargs["access_token"] = prowler_provider_kwargs["access_token"]
-        return prowler_provider.test_connection(**iac_test_kwargs)
-    else:
-        return prowler_provider.test_connection(
-            **prowler_provider_kwargs,
-            provider_id=provider.uid,
-            raise_on_exception=False,
-        )
+    return prowler_provider.test_connection(
+        **prowler_provider_kwargs, provider_id=provider.uid, raise_on_exception=False
+    )
 
 
 def prowler_integration_connection_test(integration: Integration) -> Connection:
@@ -287,20 +243,6 @@ def prowler_integration_connection_test(integration: Integration) -> Connection:
             integration.save()
 
         return connection
-    elif integration.integration_type == Integration.IntegrationChoices.GITHUB:
-        from prowler.lib.outputs.github.github import GitHub
-
-        github_connection = GitHub.test_connection(
-            **integration.credentials,
-            raise_on_exception=False,
-        )
-        repositories = (
-            github_connection.repositories if github_connection.is_connected else {}
-        )
-        with rls_transaction(str(integration.tenant_id)):
-            integration.configuration["repositories"] = repositories
-            integration.save()
-        return github_connection
     elif integration.integration_type == Integration.IntegrationChoices.JIRA:
         jira_connection = Jira.test_connection(
             **integration.credentials,
@@ -400,18 +342,10 @@ def get_findings_metadata_no_aggregations(tenant_id: str, filtered_queryset):
     regions = sorted({region for region in aggregation["regions"] or [] if region})
     resource_types = sorted(set(aggregation["resource_types"] or []))
 
-    # Aggregate categories from findings
-    categories_set = set()
-    for categories_list in filtered_queryset.values_list("categories", flat=True):
-        if categories_list:
-            categories_set.update(categories_list)
-    categories = sorted(categories_set)
-
     result = {
         "services": services,
         "regions": regions,
         "resource_types": resource_types,
-        "categories": categories,
     }
 
     serializer = FindingMetadataSerializer(data=result)
@@ -420,22 +354,9 @@ def get_findings_metadata_no_aggregations(tenant_id: str, filtered_queryset):
     return serializer.data
 
 
-def initialize_prowler_integration(integration: Integration):
+def initialize_prowler_integration(integration: Integration) -> Jira:
     # TODO Refactor other integrations to use this function
-    if integration.integration_type == Integration.IntegrationChoices.GITHUB:
-        from prowler.lib.outputs.github.exceptions import GitHubAuthenticationError
-        from prowler.lib.outputs.github.github import GitHub
-
-        try:
-            return GitHub(**integration.credentials)
-        except GitHubAuthenticationError as github_auth_error:
-            with rls_transaction(str(integration.tenant_id)):
-                integration.configuration["repositories"] = {}
-                integration.connected = False
-                integration.connection_last_checked_at = datetime.now(tz=timezone.utc)
-                integration.save()
-            raise github_auth_error
-    elif integration.integration_type == Integration.IntegrationChoices.JIRA:
+    if integration.integration_type == Integration.IntegrationChoices.JIRA:
         try:
             return Jira(**integration.credentials)
         except JiraBasicAuthError as jira_auth_error:

api/src/backend/api/v1/serializer_utils/integrations.py

@@ -67,14 +67,6 @@ class SecurityHubConfigSerializer(BaseValidateSerializer):
         resource_name = "integrations"
 
 
-class GitHubConfigSerializer(BaseValidateSerializer):
-    owner = serializers.CharField(read_only=True)
-    repositories = serializers.DictField(read_only=True)
-
-    class Meta:
-        resource_name = "integrations"
-
-
 class JiraConfigSerializer(BaseValidateSerializer):
     domain = serializers.CharField(read_only=True)
     issue_types = serializers.ListField(
@@ -101,14 +93,6 @@ class AWSCredentialSerializer(BaseValidateSerializer):
         resource_name = "integrations"
 
 
-class GitHubCredentialSerializer(BaseValidateSerializer):
-    token = serializers.CharField(required=True)
-    owner = serializers.CharField(required=False)
-
-    class Meta:
-        resource_name = "integrations"
-
-
 class JiraCredentialSerializer(BaseValidateSerializer):
     user_mail = serializers.EmailField(required=True)
     api_token = serializers.CharField(required=True)
@@ -169,23 +153,6 @@ class JiraCredentialSerializer(BaseValidateSerializer):
                     },
                 },
             },
-            {
-                "type": "object",
-                "title": "GitHub Credentials",
-                "properties": {
-                    "token": {
-                        "type": "string",
-                        "description": "GitHub Personal Access Token (PAT) with repo scope. Can be generated from "
-                        "GitHub Settings > Developer settings > Personal access tokens.",
-                    },
-                    "owner": {
-                        "type": "string",
-                        "description": "Repository owner (username or organization name). Optional - if not provided, "
-                        "all accessible repositories will be available.",
-                    },
-                },
-                "required": ["token"],
-            },
             {
                 "type": "object",
                 "title": "JIRA Credentials",
@@ -254,14 +221,6 @@ class IntegrationCredentialField(serializers.JSONField):
                     },
                 },
             },
-            {
-                "type": "object",
-                "title": "GitHub",
-                "description": "GitHub integration does not accept any configuration in the payload. Leave it as an "
-                "empty JSON object (`{}`).",
-                "properties": {},
-                "additionalProperties": False,
-            },
             {
                 "type": "object",
                 "title": "JIRA",

api/src/backend/api/v1/serializer_utils/lighthouse.py

@@ -40,16 +40,11 @@ class BedrockCredentialsSerializer(serializers.Serializer):
     """
     Serializer for AWS Bedrock credentials validation.
 
-    Supports two authentication methods:
-    1. AWS access key + secret key
-    2. Bedrock API key (bearer token)
-
-    In both cases, region is mandatory.
+    Validates long-term AWS credentials (AKIA) and region format.
     """
 
-    access_key_id = serializers.CharField(required=False, allow_blank=False)
-    secret_access_key = serializers.CharField(required=False, allow_blank=False)
-    api_key = serializers.CharField(required=False, allow_blank=False)
+    access_key_id = serializers.CharField()
+    secret_access_key = serializers.CharField()
     region = serializers.CharField()
 
     def validate_access_key_id(self, value: str) -> str:
@@ -70,15 +65,6 @@ class BedrockCredentialsSerializer(serializers.Serializer):
             )
         return value
 
-    def validate_api_key(self, value: str) -> str:
-        """
-        Validate Bedrock API key (bearer token).
-        """
-        pattern = r"^ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/=]{110}$"
-        if not re.match(pattern, value or ""):
-            raise serializers.ValidationError("Invalid Bedrock API key format.")
-        return value
-
     def validate_region(self, value: str) -> str:
         """Validate AWS region format."""
         pattern = r"^[a-z]{2}-[a-z]+-\d+$"
@@ -88,50 +74,6 @@ class BedrockCredentialsSerializer(serializers.Serializer):
             )
         return value
 
-    def validate(self, attrs):
-        """
-        Enforce either:
-        - access_key_id + secret_access_key + region
-        OR
-        - api_key + region
-        """
-        access_key_id = attrs.get("access_key_id")
-        secret_access_key = attrs.get("secret_access_key")
-        api_key = attrs.get("api_key")
-        region = attrs.get("region")
-
-        errors = {}
-
-        if not region:
-            errors["region"] = ["Region is required."]
-
-        using_access_keys = bool(access_key_id or secret_access_key)
-        using_api_key = api_key is not None and api_key != ""
-
-        if using_access_keys and using_api_key:
-            errors["non_field_errors"] = [
-                "Provide either access key + secret key OR api key, not both."
-            ]
-        elif not using_access_keys and not using_api_key:
-            errors["non_field_errors"] = [
-                "You must provide either access key + secret key OR api key."
-            ]
-        elif using_access_keys:
-            # Both access_key_id and secret_access_key must be present together
-            if not access_key_id:
-                errors.setdefault("access_key_id", []).append(
-                    "AWS access key ID is required when using access key authentication."
-                )
-            if not secret_access_key:
-                errors.setdefault("secret_access_key", []).append(
-                    "AWS secret access key is required when using access key authentication."
-                )
-
-        if errors:
-            raise serializers.ValidationError(errors)
-
-        return attrs
-
     def to_internal_value(self, data):
         """Check for unknown fields before DRF filters them out."""
         if not isinstance(data, dict):
@@ -169,15 +111,6 @@ class BedrockCredentialsUpdateSerializer(BedrockCredentialsSerializer):
         for field in self.fields.values():
             field.required = False
 
-    def validate(self, attrs):
-        """
-        For updates, this serializer only checks individual fields.
-        It does NOT enforce the "either access keys OR api key" rule.
-        That rule is applied later, after merging with existing stored
-        credentials, in LighthouseProviderConfigUpdateSerializer.
-        """
-        return attrs
-
 
 class OpenAICompatibleCredentialsSerializer(serializers.Serializer):
     """
@@ -235,51 +168,27 @@ class OpenAICompatibleCredentialsSerializer(serializers.Serializer):
                 "required": ["api_key"],
             },
             {
+                "type": "object",
                 "title": "AWS Bedrock Credentials",
-                "oneOf": [
-                    {
-                        "title": "IAM Access Key Pair",
-                        "type": "object",
-                        "description": "Authenticate with AWS access key and secret key. Recommended when you manage IAM users or roles.",
-                        "properties": {
-                            "access_key_id": {
-                                "type": "string",
-                                "description": "AWS access key ID.",
-                                "pattern": "^AKIA[0-9A-Z]{16}$",
-                            },
-                            "secret_access_key": {
-                                "type": "string",
-                                "description": "AWS secret access key.",
-                                "pattern": "^[A-Za-z0-9/+=]{40}$",
-                            },
-                            "region": {
-                                "type": "string",
-                                "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
-                                "us-west-2, eu-west-1, ap-northeast-1.",
-                                "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
-                            },
-                        },
-                        "required": ["access_key_id", "secret_access_key", "region"],
+                "properties": {
+                    "access_key_id": {
+                        "type": "string",
+                        "description": "AWS access key ID.",
+                        "pattern": "^AKIA[0-9A-Z]{16}$",
                     },
-                    {
-                        "title": "Amazon Bedrock API Key",
-                        "type": "object",
-                        "description": "Authenticate with an Amazon Bedrock API key (bearer token). Region is still required.",
-                        "properties": {
-                            "api_key": {
-                                "type": "string",
-                                "description": "Amazon Bedrock API key (bearer token).",
-                            },
-                            "region": {
-                                "type": "string",
-                                "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
-                                "us-west-2, eu-west-1, ap-northeast-1.",
-                                "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
-                            },
-                        },
-                        "required": ["api_key", "region"],
+                    "secret_access_key": {
+                        "type": "string",
+                        "description": "AWS secret access key.",
+                        "pattern": "^[A-Za-z0-9/+=]{40}$",
                     },
-                ],
+                    "region": {
+                        "type": "string",
+                        "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
+                        "us-west-2, eu-west-1, ap-northeast-1.",
+                        "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
+                    },
+                },
+                "required": ["access_key_id", "secret_access_key", "region"],
             },
             {
                 "type": "object",

api/src/backend/api/v1/serializer_utils/providers.py

@@ -239,21 +239,6 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["github_app_id", "github_app_key"],
             },
-            {
-                "type": "object",
-                "title": "IaC Repository Credentials",
-                "properties": {
-                    "repository_url": {
-                        "type": "string",
-                        "description": "Repository URL to scan for IaC files.",
-                    },
-                    "access_token": {
-                        "type": "string",
-                        "description": "Optional access token for private repositories.",
-                    },
-                },
-                "required": ["repository_url"],
-            },
             {
                 "type": "object",
                 "title": "Oracle Cloud Infrastructure (OCI) API Key Credentials",
@@ -289,63 +274,6 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["user", "fingerprint", "tenancy", "region"],
             },
-            {
-                "type": "object",
-                "title": "MongoDB Atlas API Key",
-                "properties": {
-                    "atlas_public_key": {
-                        "type": "string",
-                        "description": "MongoDB Atlas API public key.",
-                    },
-                    "atlas_private_key": {
-                        "type": "string",
-                        "description": "MongoDB Atlas API private key.",
-                    },
-                },
-                "required": ["atlas_public_key", "atlas_private_key"],
-            },
-            {
-                "type": "object",
-                "title": "Alibaba Cloud Static Credentials",
-                "properties": {
-                    "access_key_id": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key ID for authentication.",
-                    },
-                    "access_key_secret": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key secret for authentication.",
-                    },
-                    "security_token": {
-                        "type": "string",
-                        "description": "The STS security token for temporary credentials (optional).",
-                    },
-                },
-                "required": ["access_key_id", "access_key_secret"],
-            },
-            {
-                "type": "object",
-                "title": "Alibaba Cloud RAM Role Assumption",
-                "properties": {
-                    "role_arn": {
-                        "type": "string",
-                        "description": "The ARN of the RAM role to assume (e.g., acs:ram::1234567890123456:role/ProwlerRole).",
-                    },
-                    "access_key_id": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key ID of the RAM user that will assume the role.",
-                    },
-                    "access_key_secret": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key secret of the RAM user that will assume the role.",
-                    },
-                    "role_session_name": {
-                        "type": "string",
-                        "description": "An identifier for the role session (optional, defaults to 'ProwlerSession').",
-                    },
-                },
-                "required": ["role_arn", "access_key_id", "access_key_secret"],
-            },
         ]
     }
 )

api/src/backend/api/v1/serializers.py

@@ -47,15 +47,12 @@ from api.models import (
     StatusChoices,
     Task,
     TenantAPIKey,
-    ThreatScoreSnapshot,
     User,
     UserRoleRelationship,
 )
 from api.rls import Tenant
 from api.v1.serializer_utils.integrations import (
     AWSCredentialSerializer,
-    GitHubConfigSerializer,
-    GitHubCredentialSerializer,
     IntegrationConfigField,
     IntegrationCredentialField,
     JiraConfigSerializer,
@@ -74,42 +71,6 @@ from api.v1.serializer_utils.processors import ProcessorConfigField
 from api.v1.serializer_utils.providers import ProviderSecretField
 from prowler.lib.mutelist.mutelist import Mutelist
 
-# Base
-
-
-class BaseModelSerializerV1(serializers.ModelSerializer):
-    def get_root_meta(self, _resource, _many):
-        return {"version": "v1"}
-
-
-class BaseSerializerV1(serializers.Serializer):
-    def get_root_meta(self, _resource, _many):
-        return {"version": "v1"}
-
-
-class BaseWriteSerializer(BaseModelSerializerV1):
-    def validate(self, data):
-        if hasattr(self, "initial_data"):
-            initial_data = set(self.initial_data.keys()) - {"id", "type"}
-            unknown_keys = initial_data - set(self.fields.keys())
-            if unknown_keys:
-                raise ValidationError(f"Invalid fields: {unknown_keys}")
-        return data
-
-
-class RLSSerializer(BaseModelSerializerV1):
-    def create(self, validated_data):
-        tenant_id = self.context.get("tenant_id")
-        validated_data["tenant_id"] = tenant_id
-        return super().create(validated_data)
-
-
-class StateEnumSerializerField(serializers.ChoiceField):
-    def __init__(self, **kwargs):
-        kwargs["choices"] = StateChoices.choices
-        super().__init__(**kwargs)
-
-
 # Tokens
 
 
@@ -217,7 +178,7 @@ class TokenSocialLoginSerializer(BaseTokenSerializer):
 
 
 # TODO: Check if we can change the parent class to TokenRefreshSerializer from rest_framework_simplejwt.serializers
-class TokenRefreshSerializer(BaseSerializerV1):
+class TokenRefreshSerializer(serializers.Serializer):
     refresh = serializers.CharField()
 
     # Output token
@@ -251,7 +212,7 @@ class TokenRefreshSerializer(BaseSerializerV1):
             raise ValidationError({"refresh": "Invalid or expired token"})
 
 
-class TokenSwitchTenantSerializer(BaseSerializerV1):
+class TokenSwitchTenantSerializer(serializers.Serializer):
     tenant_id = serializers.UUIDField(
         write_only=True, help_text="The tenant ID for which to request a new token."
     )
@@ -275,10 +236,41 @@ class TokenSwitchTenantSerializer(BaseSerializerV1):
         return generate_tokens(user, tenant_id)
 
 
+# Base
+
+
+class BaseSerializerV1(serializers.ModelSerializer):
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
+
+class BaseWriteSerializer(BaseSerializerV1):
+    def validate(self, data):
+        if hasattr(self, "initial_data"):
+            initial_data = set(self.initial_data.keys()) - {"id", "type"}
+            unknown_keys = initial_data - set(self.fields.keys())
+            if unknown_keys:
+                raise ValidationError(f"Invalid fields: {unknown_keys}")
+        return data
+
+
+class RLSSerializer(BaseSerializerV1):
+    def create(self, validated_data):
+        tenant_id = self.context.get("tenant_id")
+        validated_data["tenant_id"] = tenant_id
+        return super().create(validated_data)
+
+
+class StateEnumSerializerField(serializers.ChoiceField):
+    def __init__(self, **kwargs):
+        kwargs["choices"] = StateChoices.choices
+        super().__init__(**kwargs)
+
+
 # Users
 
 
-class UserSerializer(BaseModelSerializerV1):
+class UserSerializer(BaseSerializerV1):
     """
     Serializer for the User model.
     """
@@ -409,7 +401,7 @@ class UserUpdateSerializer(BaseWriteSerializer):
         return super().update(instance, validated_data)
 
 
-class RoleResourceIdentifierSerializer(BaseSerializerV1):
+class RoleResourceIdentifierSerializer(serializers.Serializer):
     resource_type = serializers.CharField(source="type")
     id = serializers.UUIDField()
 
@@ -592,7 +584,7 @@ class TaskSerializer(RLSSerializer, TaskBase):
 # Tenants
 
 
-class TenantSerializer(BaseModelSerializerV1):
+class TenantSerializer(BaseSerializerV1):
     """
     Serializer for the Tenant model.
     """
@@ -604,7 +596,7 @@ class TenantSerializer(BaseModelSerializerV1):
         fields = ["id", "name", "memberships"]
 
 
-class TenantIncludeSerializer(BaseModelSerializerV1):
+class TenantIncludeSerializer(BaseSerializerV1):
     class Meta:
         model = Tenant
         fields = ["id", "name"]
@@ -780,7 +772,7 @@ class ProviderGroupUpdateSerializer(ProviderGroupSerializer):
         return super().update(instance, validated_data)
 
 
-class ProviderResourceIdentifierSerializer(BaseSerializerV1):
+class ProviderResourceIdentifierSerializer(serializers.Serializer):
     resource_type = serializers.CharField(source="type")
     id = serializers.UUIDField()
 
@@ -1117,7 +1109,7 @@ class ScanTaskSerializer(RLSSerializer):
         ]
 
 
-class ScanReportSerializer(BaseSerializerV1):
+class ScanReportSerializer(serializers.Serializer):
     id = serializers.CharField(source="scan")
 
     class Meta:
@@ -1125,7 +1117,7 @@ class ScanReportSerializer(BaseSerializerV1):
         fields = ["id"]
 
 
-class ScanComplianceReportSerializer(BaseSerializerV1):
+class ScanComplianceReportSerializer(serializers.Serializer):
     id = serializers.CharField(source="scan")
     name = serializers.CharField()
 
@@ -1174,17 +1166,11 @@ class ResourceSerializer(RLSSerializer):
             "findings",
             "failed_findings_count",
             "url",
-            "metadata",
-            "details",
-            "partition",
         ]
         extra_kwargs = {
             "id": {"read_only": True},
             "inserted_at": {"read_only": True},
             "updated_at": {"read_only": True},
-            "metadata": {"read_only": True},
-            "details": {"read_only": True},
-            "partition": {"read_only": True},
         }
 
     included_serializers = {
@@ -1241,15 +1227,11 @@ class ResourceIncludeSerializer(RLSSerializer):
             "service",
             "type_",
             "tags",
-            "details",
-            "partition",
         ]
         extra_kwargs = {
             "id": {"read_only": True},
             "inserted_at": {"read_only": True},
             "updated_at": {"read_only": True},
-            "details": {"read_only": True},
-            "partition": {"read_only": True},
         }
 
     @extend_schema_field(
@@ -1274,7 +1256,7 @@ class ResourceIncludeSerializer(RLSSerializer):
         return fields
 
 
-class ResourceMetadataSerializer(BaseSerializerV1):
+class ResourceMetadataSerializer(serializers.Serializer):
     services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     types = serializers.ListField(child=serializers.CharField(), allow_empty=True)
@@ -1303,7 +1285,6 @@ class FindingSerializer(RLSSerializer):
             "severity",
             "check_id",
             "check_metadata",
-            "categories",
             "raw_result",
             "inserted_at",
             "updated_at",
@@ -1345,7 +1326,7 @@ class FindingIncludeSerializer(RLSSerializer):
 
 
 # To be removed when the related endpoint is removed as well
-class FindingDynamicFilterSerializer(BaseSerializerV1):
+class FindingDynamicFilterSerializer(serializers.Serializer):
     services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
 
@@ -1353,13 +1334,12 @@ class FindingDynamicFilterSerializer(BaseSerializerV1):
         resource_name = "finding-dynamic-filters"
 
 
-class FindingMetadataSerializer(BaseSerializerV1):
+class FindingMetadataSerializer(serializers.Serializer):
     services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     resource_types = serializers.ListField(
         child=serializers.CharField(), allow_empty=True
     )
-    categories = serializers.ListField(child=serializers.CharField(), allow_empty=True)
     # Temporarily disabled until we implement tag filtering in the UI
     # tags = serializers.JSONField(help_text="Tags are described as key-value pairs.")
 
@@ -1382,33 +1362,18 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = GCPProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.GITHUB.value:
                 serializer = GithubProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.IAC.value:
-                serializer = IacProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.KUBERNETES.value:
                 serializer = KubernetesProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.M365.value:
                 serializer = M365ProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.ORACLECLOUD.value:
+            elif provider_type == Provider.ProviderChoices.OCI.value:
                 serializer = OracleCloudProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.MONGODBATLAS.value:
-                serializer = MongoDBAtlasProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.ALIBABACLOUD.value:
-                serializer = AlibabaCloudProviderSecret(data=secret)
             else:
                 raise serializers.ValidationError(
                     {"provider": f"Provider type not supported {provider_type}"}
                 )
         elif secret_type == ProviderSecret.TypeChoices.ROLE:
-            if provider_type == Provider.ProviderChoices.AWS.value:
-                serializer = AWSRoleAssumptionProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.ALIBABACLOUD.value:
-                serializer = AlibabaCloudRoleAssumptionProviderSecret(data=secret)
-            else:
-                raise serializers.ValidationError(
-                    {
-                        "secret_type": f"Role assumption not supported for provider type: {provider_type}"
-                    }
-                )
+            serializer = AWSRoleAssumptionProviderSecret(data=secret)
         elif secret_type == ProviderSecret.TypeChoices.SERVICE_ACCOUNT:
             serializer = GCPServiceAccountProviderSecret(data=secret)
         else:
@@ -1499,14 +1464,6 @@ class GCPServiceAccountProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
-class MongoDBAtlasProviderSecret(serializers.Serializer):
-    atlas_public_key = serializers.CharField()
-    atlas_private_key = serializers.CharField()
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class KubernetesProviderSecret(serializers.Serializer):
     kubeconfig_content = serializers.CharField()
 
@@ -1524,14 +1481,6 @@ class GithubProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
-class IacProviderSecret(serializers.Serializer):
-    repository_url = serializers.CharField()
-    access_token = serializers.CharField(required=False)
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class OracleCloudProviderSecret(serializers.Serializer):
     user = serializers.CharField()
     fingerprint = serializers.CharField()
@@ -1545,34 +1494,6 @@ class OracleCloudProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
-class AlibabaCloudProviderSecret(serializers.Serializer):
-    access_key_id = serializers.CharField()
-    access_key_secret = serializers.CharField()
-    security_token = serializers.CharField(required=False)
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
-class AlibabaCloudRoleAssumptionProviderSecret(serializers.Serializer):
-    role_arn = serializers.CharField(
-        help_text="Access Key ID of the RAM user that will assume the role"
-    )
-    access_key_id = serializers.CharField(
-        help_text="Access Key ID of the RAM user that will assume the role"
-    )
-    access_key_secret = serializers.CharField(
-        help_text="Access Key Secret of the RAM user that will assume the role"
-    )
-    role_session_name = serializers.CharField(
-        required=False,
-        help_text="Session name for the assumed role session (optional, defaults to 'ProwlerSession')",
-    )
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class AWSRoleAssumptionProviderSecret(serializers.Serializer):
     role_arn = serializers.CharField()
     external_id = serializers.CharField()
@@ -2087,7 +2008,7 @@ class RoleProviderGroupRelationshipSerializer(RLSSerializer, BaseWriteSerializer
 # Compliance overview
 
 
-class ComplianceOverviewSerializer(BaseSerializerV1):
+class ComplianceOverviewSerializer(serializers.Serializer):
     """
     Serializer for compliance requirement status aggregated by compliance framework.
 
@@ -2109,7 +2030,7 @@ class ComplianceOverviewSerializer(BaseSerializerV1):
         resource_name = "compliance-overviews"
 
 
-class ComplianceOverviewDetailSerializer(BaseSerializerV1):
+class ComplianceOverviewDetailSerializer(serializers.Serializer):
     """
     Serializer for detailed compliance requirement information.
 
@@ -2138,7 +2059,7 @@ class ComplianceOverviewDetailThreatscoreSerializer(ComplianceOverviewDetailSeri
     total_findings = serializers.IntegerField()
 
 
-class ComplianceOverviewAttributesSerializer(BaseSerializerV1):
+class ComplianceOverviewAttributesSerializer(serializers.Serializer):
     id = serializers.CharField()
     compliance_name = serializers.CharField()
     framework_description = serializers.CharField()
@@ -2152,7 +2073,7 @@ class ComplianceOverviewAttributesSerializer(BaseSerializerV1):
         resource_name = "compliance-requirements-attributes"
 
 
-class ComplianceOverviewMetadataSerializer(BaseSerializerV1):
+class ComplianceOverviewMetadataSerializer(serializers.Serializer):
     regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
 
     class JSONAPIMeta:
@@ -2162,7 +2083,7 @@ class ComplianceOverviewMetadataSerializer(BaseSerializerV1):
 # Overviews
 
 
-class OverviewProviderSerializer(BaseSerializerV1):
+class OverviewProviderSerializer(serializers.Serializer):
     id = serializers.CharField(source="provider")
     findings = serializers.SerializerMethodField(read_only=True)
     resources = serializers.SerializerMethodField(read_only=True)
@@ -2170,6 +2091,9 @@ class OverviewProviderSerializer(BaseSerializerV1):
     class JSONAPIMeta:
         resource_name = "providers-overview"
 
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
     @extend_schema_field(
         {
             "type": "object",
@@ -2203,15 +2127,18 @@ class OverviewProviderSerializer(BaseSerializerV1):
         }
 
 
-class OverviewProviderCountSerializer(BaseSerializerV1):
+class OverviewProviderCountSerializer(serializers.Serializer):
     id = serializers.CharField(source="provider")
     count = serializers.IntegerField()
 
     class JSONAPIMeta:
         resource_name = "providers-count-overview"
 
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
 
-class OverviewFindingSerializer(BaseSerializerV1):
+
+class OverviewFindingSerializer(serializers.Serializer):
     id = serializers.CharField(default="n/a")
     new = serializers.IntegerField()
     changed = serializers.IntegerField()
@@ -2230,12 +2157,15 @@ class OverviewFindingSerializer(BaseSerializerV1):
     class JSONAPIMeta:
         resource_name = "findings-overview"
 
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields["pass"] = self.fields.pop("_pass")
 
 
-class OverviewSeveritySerializer(BaseSerializerV1):
+class OverviewSeveritySerializer(serializers.Serializer):
     id = serializers.CharField(default="n/a")
     critical = serializers.IntegerField()
     high = serializers.IntegerField()
@@ -2246,24 +2176,11 @@ class OverviewSeveritySerializer(BaseSerializerV1):
     class JSONAPIMeta:
         resource_name = "findings-severity-overview"
 
-
-class FindingsSeverityOverTimeSerializer(BaseSerializerV1):
-    """Serializer for daily findings severity trend data."""
-
-    id = serializers.DateField(source="date")
-    critical = serializers.IntegerField()
-    high = serializers.IntegerField()
-    medium = serializers.IntegerField()
-    low = serializers.IntegerField()
-    informational = serializers.IntegerField()
-    muted = serializers.IntegerField()
-    scan_ids = serializers.ListField(child=serializers.UUIDField())
-
-    class JSONAPIMeta:
-        resource_name = "findings-severity-over-time"
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
 
 
-class OverviewServiceSerializer(BaseSerializerV1):
+class OverviewServiceSerializer(serializers.Serializer):
     id = serializers.CharField(source="service")
     total = serializers.IntegerField()
     _pass = serializers.IntegerField()
@@ -2277,54 +2194,6 @@ class OverviewServiceSerializer(BaseSerializerV1):
         super().__init__(*args, **kwargs)
         self.fields["pass"] = self.fields.pop("_pass")
 
-
-class AttackSurfaceOverviewSerializer(BaseSerializerV1):
-    """Serializer for attack surface overview aggregations."""
-
-    id = serializers.CharField(source="attack_surface_type")
-    total_findings = serializers.IntegerField()
-    failed_findings = serializers.IntegerField()
-    muted_failed_findings = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"
-
-
-class CategoryOverviewSerializer(BaseSerializerV1):
-    """Serializer for category overview aggregations."""
-
-    id = serializers.CharField(source="category")
-    total_findings = serializers.IntegerField()
-    failed_findings = serializers.IntegerField()
-    new_failed_findings = serializers.IntegerField()
-    severity = serializers.JSONField(
-        help_text="Severity breakdown: {informational, low, medium, high, critical}"
-    )
-
-    class JSONAPIMeta:
-        resource_name = "category-overviews"
-
-
-class OverviewRegionSerializer(serializers.Serializer):
-    id = serializers.SerializerMethodField()
-    provider_type = serializers.CharField()
-    region = serializers.CharField()
-    total = serializers.IntegerField()
-    _pass = serializers.IntegerField()
-    fail = serializers.IntegerField()
-    muted = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "regions-overview"
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["pass"] = self.fields.pop("_pass")
-
-    def get_id(self, obj):
-        """Generate unique ID from provider_type and region."""
-        return f"{obj['provider_type']}:{obj['region']}"
-
     def get_root_meta(self, _resource, _many):
         return {"version": "v1"}
 
@@ -2332,7 +2201,7 @@ class OverviewRegionSerializer(serializers.Serializer):
 # Schedules
 
 
-class ScheduleDailyCreateSerializer(BaseSerializerV1):
+class ScheduleDailyCreateSerializer(serializers.Serializer):
     provider_id = serializers.UUIDField(required=True)
 
     class JSONAPIMeta:
@@ -2434,28 +2303,6 @@ class BaseWriteIntegrationSerializer(BaseWriteSerializer):
                     )
             config_serializer = SecurityHubConfigSerializer
             credentials_serializers = [AWSCredentialSerializer]
-        elif integration_type == Integration.IntegrationChoices.GITHUB:
-            if providers:
-                raise serializers.ValidationError(
-                    {
-                        "providers": "Relationship field is not accepted. This integration applies to all providers."
-                    }
-                )
-            if configuration:
-                raise serializers.ValidationError(
-                    {
-                        "configuration": "This integration does not support custom configuration."
-                    }
-                )
-            config_serializer = GitHubConfigSerializer
-            # Create non-editable configuration for GitHub integration
-            configuration.update(
-                {
-                    "repositories": {},
-                    "owner": credentials.get("owner", ""),
-                }
-            )
-            credentials_serializers = [GitHubCredentialSerializer]
         elif integration_type == Integration.IntegrationChoices.JIRA:
             if providers:
                 raise serializers.ValidationError(
@@ -2543,11 +2390,7 @@ class IntegrationSerializer(RLSSerializer):
                 for provider in representation["providers"]
                 if provider["id"] in allowed_provider_ids
             ]
-        if instance.integration_type == Integration.IntegrationChoices.GITHUB:
-            representation["configuration"].update(
-                {"owner": instance.credentials.get("owner", "")}
-            )
-        elif instance.integration_type == Integration.IntegrationChoices.JIRA:
+        if instance.integration_type == Integration.IntegrationChoices.JIRA:
             representation["configuration"].update(
                 {"domain": instance.credentials.get("domain")}
             )
@@ -2694,52 +2537,7 @@ class IntegrationUpdateSerializer(BaseWriteIntegrationSerializer):
         return representation
 
 
-class IntegrationGitHubDispatchSerializer(BaseSerializerV1):
-    """
-    Serializer for dispatching findings to GitHub integration.
-    """
-
-    repository = serializers.CharField(required=True)
-    labels = serializers.ListField(
-        child=serializers.CharField(), required=False, default=list
-    )
-
-    class JSONAPIMeta:
-        resource_name = "integrations-github-dispatches"
-
-    def validate(self, attrs):
-        validated_attrs = super().validate(attrs)
-        integration_instance = Integration.objects.get(
-            id=self.context.get("integration_id")
-        )
-        if (
-            integration_instance.integration_type
-            != Integration.IntegrationChoices.GITHUB
-        ):
-            raise ValidationError(
-                {
-                    "integration_type": "The given integration is not a GitHub integration"
-                }
-            )
-
-        if not integration_instance.enabled:
-            raise ValidationError(
-                {"integration": "The given integration is not enabled"}
-            )
-
-        repository = attrs.get("repository")
-        if repository not in integration_instance.configuration.get("repositories", {}):
-            raise ValidationError(
-                {
-                    "repository": "The given repository is not available for this GitHub integration. Refresh the "
-                    "connection if this is an error."
-                }
-            )
-
-        return validated_attrs
-
-
-class IntegrationJiraDispatchSerializer(BaseSerializerV1):
+class IntegrationJiraDispatchSerializer(serializers.Serializer):
     """
     Serializer for dispatching findings to JIRA integration.
     """
@@ -2902,14 +2700,14 @@ class ProcessorUpdateSerializer(BaseWriteSerializer):
 # SSO
 
 
-class SamlInitiateSerializer(BaseSerializerV1):
+class SamlInitiateSerializer(serializers.Serializer):
     email_domain = serializers.CharField()
 
     class JSONAPIMeta:
         resource_name = "saml-initiate"
 
 
-class SamlMetadataSerializer(BaseSerializerV1):
+class SamlMetadataSerializer(serializers.Serializer):
     class JSONAPIMeta:
         resource_name = "saml-meta"
 
@@ -3441,19 +3239,6 @@ class LighthouseProviderConfigUpdateSerializer(BaseWriteSerializer):
             and provider_type
             == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
         ):
-            # For updates, enforce that the authentication method (access keys vs API key)
-            # is immutable. To switch methods, the UI must delete and recreate the provider.
-            existing_credentials = (
-                self.instance.credentials_decoded if self.instance else {}
-            ) or {}
-
-            existing_uses_api_key = "api_key" in existing_credentials
-            existing_uses_access_keys = any(
-                k in existing_credentials
-                for k in ("access_key_id", "secret_access_key")
-            )
-
-            # First run field-level validation on the partial payload
             try:
                 BedrockCredentialsUpdateSerializer(data=credentials).is_valid(
                     raise_exception=True
@@ -3464,31 +3249,6 @@ class LighthouseProviderConfigUpdateSerializer(BaseWriteSerializer):
                     e.detail[f"credentials/{key}"] = value
                     del e.detail[key]
                 raise e
-
-            # Then enforce invariants about not changing the auth method
-            # If the existing config uses an API key, forbid introducing access keys.
-            if existing_uses_api_key and any(
-                k in credentials for k in ("access_key_id", "secret_access_key")
-            ):
-                raise ValidationError(
-                    {
-                        "credentials/non_field_errors": [
-                            "Cannot change Bedrock authentication method from API key "
-                            "to access key via update. Delete and recreate the provider instead."
-                        ]
-                    }
-                )
-
-            # If the existing config uses access keys, forbid introducing an API key.
-            if existing_uses_access_keys and "api_key" in credentials:
-                raise ValidationError(
-                    {
-                        "credentials/non_field_errors": [
-                            "Cannot change Bedrock authentication method from access key "
-                            "to API key via update. Delete and recreate the provider instead."
-                        ]
-                    }
-                )
         elif (
             credentials is not None
             and provider_type
@@ -3846,64 +3606,3 @@ class MuteRuleUpdateSerializer(BaseWriteSerializer):
         ):
             raise ValidationError("A mute rule with this name already exists.")
         return value
-
-
-# ThreatScore Snapshots
-
-
-class ThreatScoreSnapshotSerializer(RLSSerializer):
-    """
-    Serializer for ThreatScore snapshots.
-    Read-only serializer for retrieving historical ThreatScore metrics.
-    """
-
-    id = serializers.SerializerMethodField()
-
-    class Meta:
-        model = ThreatScoreSnapshot
-        fields = [
-            "id",
-            "inserted_at",
-            "scan",
-            "provider",
-            "compliance_id",
-            "overall_score",
-            "score_delta",
-            "section_scores",
-            "critical_requirements",
-            "total_requirements",
-            "passed_requirements",
-            "failed_requirements",
-            "manual_requirements",
-            "total_findings",
-            "passed_findings",
-            "failed_findings",
-        ]
-        extra_kwargs = {
-            "id": {"read_only": True},
-            "inserted_at": {"read_only": True},
-            "scan": {"read_only": True},
-            "provider": {"read_only": True},
-            "compliance_id": {"read_only": True},
-            "overall_score": {"read_only": True},
-            "score_delta": {"read_only": True},
-            "section_scores": {"read_only": True},
-            "critical_requirements": {"read_only": True},
-            "total_requirements": {"read_only": True},
-            "passed_requirements": {"read_only": True},
-            "failed_requirements": {"read_only": True},
-            "manual_requirements": {"read_only": True},
-            "total_findings": {"read_only": True},
-            "passed_findings": {"read_only": True},
-            "failed_findings": {"read_only": True},
-        }
-
-    included_serializers = {
-        "scan": "api.v1.serializers.ScanIncludeSerializer",
-        "provider": "api.v1.serializers.ProviderIncludeSerializer",
-    }
-
-    def get_id(self, obj):
-        if getattr(obj, "_aggregated", False):
-            return "n/a"
-        return str(obj.id)

api/src/backend/api/v1/urls.py

@@ -12,7 +12,6 @@ from api.v1.views import (
     FindingViewSet,
     GithubSocialLoginView,
     GoogleSocialLoginView,
-    IntegrationGitHubViewSet,
     IntegrationJiraViewSet,
     IntegrationViewSet,
     InvitationAcceptViewSet,
@@ -95,9 +94,6 @@ users_router.register(r"memberships", MembershipViewSet, basename="user-membersh
 integrations_router = routers.NestedSimpleRouter(
     router, r"integrations", lookup="integration"
 )
-integrations_router.register(
-    r"github", IntegrationGitHubViewSet, basename="integration-github"
-)
 integrations_router.register(
     r"jira", IntegrationJiraViewSet, basename="integration-jira"
 )

api/src/backend/config/django/devel.py

@@ -36,14 +36,6 @@ DATABASES = {
         "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
         "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
     },
-    "admin_replica": {
-        "ENGINE": "psqlextra.backend",
-        "NAME": env("POSTGRES_REPLICA_DB", default=default_db_name),
-        "USER": env("POSTGRES_ADMIN_USER", default="prowler"),
-        "PASSWORD": env("POSTGRES_ADMIN_PASSWORD", default="S3cret"),
-        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
-        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
-    },
 }
 
 DATABASES["default"] = DATABASES["prowler_user"]

api/src/backend/config/django/production.py

@@ -37,14 +37,6 @@ DATABASES = {
         "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
         "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
     },
-    "admin_replica": {
-        "ENGINE": "psqlextra.backend",
-        "NAME": env("POSTGRES_REPLICA_DB", default=default_db_name),
-        "USER": env("POSTGRES_ADMIN_USER"),
-        "PASSWORD": env("POSTGRES_ADMIN_PASSWORD"),
-        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
-        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
-    },
 }
 
 DATABASES["default"] = DATABASES["prowler_user"]

api/src/backend/config/settings/sentry.py

@@ -5,9 +5,6 @@ IGNORED_EXCEPTIONS = [
     # Provider is not connected due to credentials errors
     "is not connected",
     "ProviderConnectionError",
-    # Provider was deleted during a scan
-    "ProviderDeletedException",
-    "violates foreign key constraint",
     # Authentication Errors from AWS
     "InvalidToken",
     "AccessDeniedException",

api/src/backend/conftest.py

@@ -11,14 +11,10 @@ from django.urls import reverse
 from django_celery_results.models import TaskResult
 from rest_framework import status
 from rest_framework.test import APIClient
-from tasks.jobs.backfill import (
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries
 
 from api.db_utils import rls_transaction
 from api.models import (
-    AttackSurfaceOverview,
     ComplianceOverview,
     ComplianceRequirementOverview,
     Finding,
@@ -39,7 +35,6 @@ from api.models import (
     SAMLConfiguration,
     SAMLDomainIndex,
     Scan,
-    ScanCategorySummary,
     ScanSummary,
     StateChoices,
     StatusChoices,
@@ -506,35 +501,13 @@ def providers_fixture(tenants_fixture):
         tenant_id=tenant.id,
     )
     provider7 = Provider.objects.create(
-        provider="oraclecloud",
+        provider="oci",
         uid="ocid1.tenancy.oc1..aaaaaaaa3dwoazoox4q7wrvriywpokp5grlhgnkwtyt6dmwyou7no6mdmzda",
         alias="oci_testing",
         tenant_id=tenant.id,
     )
-    provider8 = Provider.objects.create(
-        provider="mongodbatlas",
-        uid="64b1d3c0e4b03b1234567890",
-        alias="mongodbatlas_testing",
-        tenant_id=tenant.id,
-    )
-    provider9 = Provider.objects.create(
-        provider="alibabacloud",
-        uid="1234567890123456",
-        alias="alibabacloud_testing",
-        tenant_id=tenant.id,
-    )
 
-    return (
-        provider1,
-        provider2,
-        provider3,
-        provider4,
-        provider5,
-        provider6,
-        provider7,
-        provider8,
-        provider9,
-    )
+    return provider1, provider2, provider3, provider4, provider5, provider6, provider7
 
 
 @pytest.fixture
@@ -1120,8 +1093,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         region="region1",
         _pass=1,
         fail=0,
-        muted=2,
-        total=3,
+        muted=0,
+        total=1,
         new=1,
         changed=0,
         unchanged=0,
@@ -1129,7 +1102,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         fail_changed=0,
         pass_new=1,
         pass_changed=0,
-        muted_new=2,
+        muted_new=0,
         muted_changed=0,
         scan=scan,
     )
@@ -1142,8 +1115,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         region="region2",
         _pass=0,
         fail=1,
-        muted=3,
-        total=4,
+        muted=1,
+        total=2,
         new=2,
         changed=0,
         unchanged=0,
@@ -1151,7 +1124,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         fail_changed=0,
         pass_new=0,
         pass_changed=0,
-        muted_new=3,
+        muted_new=1,
         muted_changed=0,
         scan=scan,
     )
@@ -1164,8 +1137,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         region="region1",
         _pass=1,
         fail=0,
-        muted=1,
-        total=2,
+        muted=0,
+        total=1,
         new=1,
         changed=0,
         unchanged=0,
@@ -1173,7 +1146,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
         fail_changed=0,
         pass_new=1,
         pass_changed=0,
-        muted_new=1,
+        muted_new=0,
         muted_changed=0,
         scan=scan,
     )
@@ -1282,113 +1255,6 @@ def latest_scan_finding(authenticated_client, providers_fixture, resources_fixtu
     return finding
 
 
-@pytest.fixture(scope="function")
-def findings_with_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding
-
-
-@pytest.fixture(scope="function")
-def findings_with_multiple_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource1, resource2 = resources_fixture[:2]
-
-    finding1 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding1.add_resources([resource1])
-
-    finding2 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_2",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status 2",
-        impact=Severity.high,
-        impact_extended="test impact 2",
-        severity=Severity.high,
-        raw_result={"status": Status.FAIL},
-        check_id="iam_check",
-        check_metadata={"CheckId": "iam_check"},
-        categories=["iam", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding2.add_resources([resource2])
-
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding1, finding2
-
-
-@pytest.fixture(scope="function")
-def latest_scan_finding_with_categories(
-    authenticated_client, providers_fixture, resources_fixture
-):
-    provider = providers_fixture[0]
-    tenant_id = str(providers_fixture[0].tenant_id)
-    resource = resources_fixture[0]
-    scan = Scan.objects.create(
-        name="latest completed scan with categories",
-        provider=provider,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.COMPLETED,
-        tenant_id=tenant_id,
-    )
-    finding = Finding.objects.create(
-        tenant_id=tenant_id,
-        uid="latest_finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_iam_check",
-        check_metadata={"CheckId": "genai_iam_check"},
-        categories=["gen-ai", "iam"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(tenant_id, str(scan.id))
-    backfill_scan_category_summaries(tenant_id, str(scan.id))
-    return finding
-
-
 @pytest.fixture(scope="function")
 def latest_scan_resource(authenticated_client, providers_fixture):
     provider = providers_fixture[0]
@@ -1588,45 +1454,6 @@ def mute_rules_fixture(tenants_fixture, create_test_user, findings_fixture):
     return mute_rule1, mute_rule2
 
 
-@pytest.fixture
-def create_attack_surface_overview():
-    def _create(tenant, scan, attack_surface_type, total=10, failed=5, muted_failed=2):
-        return AttackSurfaceOverview.objects.create(
-            tenant=tenant,
-            scan=scan,
-            attack_surface_type=attack_surface_type,
-            total_findings=total,
-            failed_findings=failed,
-            muted_failed_findings=muted_failed,
-        )
-
-    return _create
-
-
-@pytest.fixture
-def create_scan_category_summary():
-    def _create(
-        tenant,
-        scan,
-        category,
-        severity,
-        total_findings=10,
-        failed_findings=5,
-        new_failed_findings=2,
-    ):
-        return ScanCategorySummary.objects.create(
-            tenant=tenant,
-            scan=scan,
-            category=category,
-            severity=severity,
-            total_findings=total_findings,
-            failed_findings=failed_findings,
-            new_failed_findings=new_failed_findings,
-        )
-
-    return _create
-
-
 def get_authorization_header(access_token: str) -> dict:
     return {"Authorization": f"Bearer {access_token}"}
 

api/src/backend/tasks/beat.py

@@ -61,5 +61,4 @@ def schedule_provider_scan(provider_instance: Provider):
             "tenant_id": str(provider_instance.tenant_id),
             "provider_id": provider_id,
         },
-        countdown=5,  # Avoid race conditions between the worker and the database
     )

api/src/backend/tasks/jobs/backfill.py

@@ -1,29 +1,15 @@
-from collections import defaultdict
-from datetime import timedelta
-
-from django.db.models import Sum
-from django.utils import timezone
-from tasks.jobs.scan import aggregate_category_counts
-
-from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
 from api.models import (
-    ComplianceOverviewSummary,
-    ComplianceRequirementOverview,
-    DailySeveritySummary,
-    Finding,
     Resource,
     ResourceFindingMapping,
     ResourceScanSummary,
     Scan,
-    ScanCategorySummary,
-    ScanSummary,
     StateChoices,
 )
 
 
 def backfill_resource_scan_summaries(tenant_id: str, scan_id: str):
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
+    with rls_transaction(tenant_id):
         if ResourceScanSummary.objects.filter(
             tenant_id=tenant_id, scan_id=scan_id
         ).exists():
@@ -73,271 +59,3 @@ def backfill_resource_scan_summaries(tenant_id: str, scan_id: str):
             )
 
     return {"status": "backfilled", "inserted": len(summaries)}
-
-
-def backfill_compliance_summaries(tenant_id: str, scan_id: str):
-    """
-    Backfill ComplianceOverviewSummary records for a completed scan.
-
-    This function checks if summary records already exist for the scan.
-    If not, it aggregates compliance requirement data and creates the summaries.
-
-    Args:
-        tenant_id: Target tenant UUID
-        scan_id: Scan UUID to backfill
-
-    Returns:
-        dict: Status indicating whether backfill was performed
-    """
-    with rls_transaction(tenant_id):
-        if ComplianceOverviewSummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).exists():
-            return {"status": "already backfilled"}
-
-    with rls_transaction(tenant_id):
-        if not Scan.objects.filter(
-            tenant_id=tenant_id,
-            id=scan_id,
-            state__in=(StateChoices.COMPLETED, StateChoices.FAILED),
-        ).exists():
-            return {"status": "scan is not completed"}
-
-        # Fetch all compliance requirement overview rows for this scan
-        requirement_rows = ComplianceRequirementOverview.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).values(
-            "compliance_id",
-            "requirement_id",
-            "requirement_status",
-        )
-
-        if not requirement_rows:
-            return {"status": "no compliance data to backfill"}
-
-        # Group by (compliance_id, requirement_id) across regions
-        requirement_statuses = defaultdict(
-            lambda: {"fail_count": 0, "pass_count": 0, "total_count": 0}
-        )
-
-        for row in requirement_rows:
-            compliance_id = row["compliance_id"]
-            requirement_id = row["requirement_id"]
-            requirement_status = row["requirement_status"]
-
-            # Aggregate requirement status across regions
-            key = (compliance_id, requirement_id)
-            requirement_statuses[key]["total_count"] += 1
-
-            if requirement_status == "FAIL":
-                requirement_statuses[key]["fail_count"] += 1
-            elif requirement_status == "PASS":
-                requirement_statuses[key]["pass_count"] += 1
-
-        # Determine per-requirement status and aggregate to compliance level
-        compliance_summaries = defaultdict(
-            lambda: {
-                "total_requirements": 0,
-                "requirements_passed": 0,
-                "requirements_failed": 0,
-                "requirements_manual": 0,
-            }
-        )
-
-        for (compliance_id, requirement_id), counts in requirement_statuses.items():
-            # Apply business rule: any FAIL → requirement fails
-            if counts["fail_count"] > 0:
-                req_status = "FAIL"
-            elif counts["pass_count"] == counts["total_count"]:
-                req_status = "PASS"
-            else:
-                req_status = "MANUAL"
-
-            # Aggregate to compliance level
-            compliance_summaries[compliance_id]["total_requirements"] += 1
-            if req_status == "PASS":
-                compliance_summaries[compliance_id]["requirements_passed"] += 1
-            elif req_status == "FAIL":
-                compliance_summaries[compliance_id]["requirements_failed"] += 1
-            else:
-                compliance_summaries[compliance_id]["requirements_manual"] += 1
-
-        # Create summary objects
-        summary_objects = []
-        for compliance_id, data in compliance_summaries.items():
-            summary_objects.append(
-                ComplianceOverviewSummary(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                    compliance_id=compliance_id,
-                    requirements_passed=data["requirements_passed"],
-                    requirements_failed=data["requirements_failed"],
-                    requirements_manual=data["requirements_manual"],
-                    total_requirements=data["total_requirements"],
-                )
-            )
-
-        # Bulk insert summaries
-        if summary_objects:
-            ComplianceOverviewSummary.objects.bulk_create(
-                summary_objects, batch_size=500, ignore_conflicts=True
-            )
-
-    return {"status": "backfilled", "inserted": len(summary_objects)}
-
-
-def backfill_daily_severity_summaries(tenant_id: str, days: int = None):
-    """
-    Backfill DailySeveritySummary from completed scans.
-    Groups by provider+date, keeps latest scan per day.
-    """
-    created_count = 0
-    updated_count = 0
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        scan_filter = {
-            "tenant_id": tenant_id,
-            "state": StateChoices.COMPLETED,
-            "completed_at__isnull": False,
-        }
-
-        if days is not None:
-            cutoff_date = timezone.now() - timedelta(days=days)
-            scan_filter["completed_at__gte"] = cutoff_date
-
-        completed_scans = (
-            Scan.objects.filter(**scan_filter)
-            .order_by("provider_id", "-completed_at")
-            .values("id", "provider_id", "completed_at")
-        )
-
-        if not completed_scans:
-            return {"status": "no scans to backfill"}
-
-        # Keep only latest scan per provider/day
-        latest_scans_by_day = {}
-        for scan in completed_scans:
-            key = (scan["provider_id"], scan["completed_at"].date())
-            if key not in latest_scans_by_day:
-                latest_scans_by_day[key] = scan
-
-    # Process each provider/day
-    for (provider_id, scan_date), scan in latest_scans_by_day.items():
-        scan_id = scan["id"]
-
-        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            severity_totals = (
-                ScanSummary.objects.filter(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                )
-                .values("severity")
-                .annotate(total_fail=Sum("fail"), total_muted=Sum("muted"))
-            )
-
-            severity_data = {
-                "critical": 0,
-                "high": 0,
-                "medium": 0,
-                "low": 0,
-                "informational": 0,
-                "muted": 0,
-            }
-
-            for row in severity_totals:
-                severity = row["severity"]
-                if severity in severity_data:
-                    severity_data[severity] = row["total_fail"] or 0
-                severity_data["muted"] += row["total_muted"] or 0
-
-        with rls_transaction(tenant_id):
-            _, created = DailySeveritySummary.objects.update_or_create(
-                tenant_id=tenant_id,
-                provider_id=provider_id,
-                date=scan_date,
-                defaults={
-                    "scan_id": scan_id,
-                    "critical": severity_data["critical"],
-                    "high": severity_data["high"],
-                    "medium": severity_data["medium"],
-                    "low": severity_data["low"],
-                    "informational": severity_data["informational"],
-                    "muted": severity_data["muted"],
-                },
-            )
-
-            if created:
-                created_count += 1
-            else:
-                updated_count += 1
-
-    return {
-        "status": "backfilled",
-        "created": created_count,
-        "updated": updated_count,
-        "total_days": len(latest_scans_by_day),
-    }
-
-
-def backfill_scan_category_summaries(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates category counts from all findings in the scan and creates
-    one ScanCategorySummary row per (category, severity) combination.
-
-    Args:
-        tenant_id: Target tenant UUID
-        scan_id: Scan UUID to backfill
-
-    Returns:
-        dict: Status indicating whether backfill was performed
-    """
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        if ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).exists():
-            return {"status": "already backfilled"}
-
-        if not Scan.objects.filter(
-            tenant_id=tenant_id,
-            id=scan_id,
-            state__in=(StateChoices.COMPLETED, StateChoices.FAILED),
-        ).exists():
-            return {"status": "scan is not completed"}
-
-        category_counts: dict[tuple[str, str], dict[str, int]] = {}
-        for finding in Finding.all_objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).values("categories", "severity", "status", "delta", "muted"):
-            aggregate_category_counts(
-                categories=finding.get("categories") or [],
-                severity=finding.get("severity"),
-                status=finding.get("status"),
-                delta=finding.get("delta"),
-                muted=finding.get("muted", False),
-                cache=category_counts,
-            )
-
-        if not category_counts:
-            return {"status": "no categories to backfill"}
-
-    category_summaries = [
-        ScanCategorySummary(
-            tenant_id=tenant_id,
-            scan_id=scan_id,
-            category=category,
-            severity=severity,
-            total_findings=counts["total"],
-            failed_findings=counts["failed"],
-            new_failed_findings=counts["new_failed"],
-        )
-        for (category, severity), counts in category_counts.items()
-    ]
-
-    with rls_transaction(tenant_id):
-        ScanCategorySummary.objects.bulk_create(
-            category_summaries, batch_size=500, ignore_conflicts=True
-        )
-
-    return {"status": "backfilled", "categories_count": len(category_counts)}

api/src/backend/tasks/jobs/export.py

@@ -15,7 +15,6 @@ from prowler.config.config import (
     html_file_suffix,
     json_asff_file_suffix,
     json_ocsf_file_suffix,
-    set_output_timestamp,
 )
 from prowler.lib.outputs.asff.asff import ASFF
 from prowler.lib.outputs.compliance.aws_well_architected.aws_well_architected import (
@@ -27,14 +26,13 @@ from prowler.lib.outputs.compliance.c5.c5_gcp import GCPC5
 from prowler.lib.outputs.compliance.ccc.ccc_aws import CCC_AWS
 from prowler.lib.outputs.compliance.ccc.ccc_azure import CCC_Azure
 from prowler.lib.outputs.compliance.ccc.ccc_gcp import CCC_GCP
-from prowler.lib.outputs.compliance.cis.cis_alibabacloud import AlibabaCloudCIS
 from prowler.lib.outputs.compliance.cis.cis_aws import AWSCIS
 from prowler.lib.outputs.compliance.cis.cis_azure import AzureCIS
 from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
 from prowler.lib.outputs.compliance.cis.cis_github import GithubCIS
 from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
-from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
+from prowler.lib.outputs.compliance.cis.cis_oci import OCICIS
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
 from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
 from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
@@ -51,9 +49,6 @@ from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_azure import (
     AzureMitreAttack,
 )
 from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_gcp import GCPMitreAttack
-from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_alibaba import (
-    ProwlerThreatScoreAlibaba,
-)
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_aws import (
     ProwlerThreatScoreAWS,
 )
@@ -63,9 +58,6 @@ from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_azur
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_gcp import (
     ProwlerThreatScoreGCP,
 )
-from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_kubernetes import (
-    ProwlerThreatScoreKubernetes,
-)
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_m365 import (
     ProwlerThreatScoreM365,
 )
@@ -112,10 +104,6 @@ COMPLIANCE_CLASS_MAP = {
     "kubernetes": [
         (lambda name: name.startswith("cis_"), KubernetesCIS),
         (lambda name: name.startswith("iso27001_"), KubernetesISO27001),
-        (
-            lambda name: name == "prowler_threatscore_kubernetes",
-            ProwlerThreatScoreKubernetes,
-        ),
     ],
     "m365": [
         (lambda name: name.startswith("cis_"), M365CIS),
@@ -125,19 +113,8 @@ COMPLIANCE_CLASS_MAP = {
     "github": [
         (lambda name: name.startswith("cis_"), GithubCIS),
     ],
-    "iac": [
-        # IaC provider doesn't have specific compliance frameworks yet
-        # Trivy handles its own compliance checks
-    ],
-    "oraclecloud": [
-        (lambda name: name.startswith("cis_"), OracleCloudCIS),
-    ],
-    "alibabacloud": [
-        (lambda name: name.startswith("cis_"), AlibabaCloudCIS),
-        (
-            lambda name: name == "prowler_threatscore_alibabacloud",
-            ProwlerThreatScoreAlibaba,
-        ),
+    "oci": [
+        (lambda name: name.startswith("cis_"), OCICIS),
     ],
 }
 
@@ -253,33 +230,36 @@ def _upload_to_s3(
         logger.error(f"S3 upload failed: {str(e)}")
 
 
-def _build_output_path(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-    subdirectory: str = None,
-) -> str:
+def _generate_output_directory(
+    output_directory, prowler_provider: object, tenant_id: str, scan_id: str
+) -> tuple[str, str, str]:
     """
-    Build a file system path for the output directory of a prowler scan.
+    Generate a file system path for the output directory of a prowler scan.
+
+    This function constructs the output directory path by combining a base
+    temporary output directory, the tenant ID, the scan ID, and details about
+    the prowler provider along with a timestamp. The resulting path is used to
+    store the output files of a prowler scan.
+
+    Note:
+        This function depends on one external variable:
+          - `output_file_timestamp`: A timestamp (as a string) used to uniquely identify the output.
 
     Args:
         output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
+        prowler_provider (object): An identifier or descriptor for the prowler provider.
+                                   Typically, this is a string indicating the provider (e.g., "aws").
         tenant_id (str): The unique identifier for the tenant.
         scan_id (str): The unique identifier for the scan.
-        subdirectory (str, optional): Optional subdirectory to include in the path
-                                     (e.g., "compliance", "threatscore", "ens").
 
     Returns:
-        str: The constructed path with directory created.
+        str: The constructed file system path for the prowler scan output directory.
 
     Example:
-        >>> _build_output_path("/tmp", "aws", "tenant-1234", "scan-5678")
-        '/tmp/tenant-1234/scan-5678/prowler-output-aws-20230215123456'
-        >>> _build_output_path("/tmp", "aws", "tenant-1234", "scan-5678", "threatscore")
-        '/tmp/tenant-1234/scan-5678/threatscore/prowler-output-aws-20230215123456'
+        >>> _generate_output_directory("/tmp", "aws", "tenant-1234", "scan-5678")
+        '/tmp/tenant-1234/aws/scan-5678/prowler-output-2023-02-15T12:34:56',
+        '/tmp/tenant-1234/aws/scan-5678/compliance/prowler-output-2023-02-15T12:34:56'
+        '/tmp/tenant-1234/aws/scan-5678/threatscore/prowler-output-2023-02-15T12:34:56'
     """
     # Sanitize the prowler provider name to ensure it is a valid directory name
     prowler_provider_sanitized = re.sub(r"[^\w\-]", "-", prowler_provider)
@@ -287,107 +267,23 @@ def _build_output_path(
     with rls_transaction(tenant_id):
         started_at = Scan.objects.get(id=scan_id).started_at
 
-    set_output_timestamp(started_at)
-
     timestamp = started_at.strftime("%Y%m%d%H%M%S")
-
-    if subdirectory:
-        path = (
-            f"{output_directory}/{tenant_id}/{scan_id}/{subdirectory}/prowler-output-"
-            f"{prowler_provider_sanitized}-{timestamp}"
-        )
-    else:
-        path = (
-            f"{output_directory}/{tenant_id}/{scan_id}/prowler-output-"
-            f"{prowler_provider_sanitized}-{timestamp}"
-        )
-
-    # Create directory for the path if it doesn't exist
+    path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
+    )
     os.makedirs("/".join(path.split("/")[:-1]), exist_ok=True)
 
-    return path
-
-
-def _generate_compliance_output_directory(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-    compliance_framework: str,
-) -> str:
-    """
-    Generate a file system path for a compliance framework output directory.
-
-    This function constructs the output directory path specifically for a compliance
-    framework (e.g., "threatscore", "ens") by combining a base temporary output directory,
-    the tenant ID, the scan ID, the compliance framework name, and details about the
-    prowler provider along with a timestamp.
-
-    Args:
-        output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
-        tenant_id (str): The unique identifier for the tenant.
-        scan_id (str): The unique identifier for the scan.
-        compliance_framework (str): The compliance framework name (e.g., "threatscore", "ens").
-
-    Returns:
-        str: The path for the compliance framework output directory.
-
-    Example:
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "threatscore")
-        '/tmp/tenant-1234/scan-5678/threatscore/prowler-output-aws-20230215123456'
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "ens")
-        '/tmp/tenant-1234/scan-5678/ens/prowler-output-aws-20230215123456'
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "nis2")
-        '/tmp/tenant-1234/scan-5678/nis2/prowler-output-aws-20230215123456'
-    """
-    return _build_output_path(
-        output_directory,
-        prowler_provider,
-        tenant_id,
-        scan_id,
-        subdirectory=compliance_framework,
+    compliance_path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/compliance/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
     )
+    os.makedirs("/".join(compliance_path.split("/")[:-1]), exist_ok=True)
 
-
-def _generate_output_directory(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-) -> tuple[str, str]:
-    """
-    Generate file system paths for the standard and compliance output directories of a prowler scan.
-
-    This function constructs both the standard output directory path and the compliance
-    output directory path by combining a base temporary output directory, the tenant ID,
-    the scan ID, and details about the prowler provider along with a timestamp.
-
-    Args:
-        output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
-        tenant_id (str): The unique identifier for the tenant.
-        scan_id (str): The unique identifier for the scan.
-
-    Returns:
-        tuple[str, str]: A tuple containing (standard_path, compliance_path).
-
-    Example:
-        >>> _generate_output_directory("/tmp", "aws", "tenant-1234", "scan-5678")
-        ('/tmp/tenant-1234/scan-5678/prowler-output-aws-20230215123456',
-         '/tmp/tenant-1234/scan-5678/compliance/prowler-output-aws-20230215123456')
-    """
-    standard_path = _build_output_path(
-        output_directory, prowler_provider, tenant_id, scan_id
-    )
-    compliance_path = _build_output_path(
-        output_directory,
-        prowler_provider,
-        tenant_id,
-        scan_id,
-        subdirectory="compliance",
+    threatscore_path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/threatscore/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
     )
+    os.makedirs("/".join(threatscore_path.split("/")[:-1]), exist_ok=True)
 
-    return standard_path, compliance_path
+    return path, compliance_path, threatscore_path

api/src/backend/tasks/jobs/integrations.py

@@ -17,9 +17,6 @@ from prowler.lib.outputs.html.html import HTML
 from prowler.lib.outputs.ocsf.ocsf import OCSF
 from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
-from prowler.providers.aws.lib.security_hub.exceptions.exceptions import (
-    SecurityHubNoEnabledRegionsError,
-)
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
 from prowler.providers.common.models import Connection
 
@@ -225,9 +222,8 @@ def get_security_hub_client_from_integration(
         )
         return True, security_hub
     else:
-        # Reset regions information if connection fails and integration is not connected
+        # Reset regions information if connection fails
         with rls_transaction(tenant_id, using=MainRouter.default_db):
-            integration.connected = False
             integration.configuration["regions"] = {}
             integration.save()
 
@@ -334,18 +330,15 @@ def upload_security_hub_integration(
                                 )
 
                                 if not connected:
-                                    if isinstance(
-                                        security_hub.error,
-                                        SecurityHubNoEnabledRegionsError,
+                                    logger.error(
+                                        f"Security Hub connection failed for integration {integration.id}: "
+                                        f"{security_hub.error}"
+                                    )
+                                    with rls_transaction(
+                                        tenant_id, using=MainRouter.default_db
                                     ):
-                                        logger.warning(
-                                            f"Security Hub integration {integration.id} has no enabled regions"
-                                        )
-                                    else:
-                                        logger.error(
-                                            f"Security Hub connection failed for integration {integration.id}: "
-                                            f"{security_hub.error}"
-                                        )
+                                        integration.connected = False
+                                        integration.save()
                                     break  # Skip this integration
 
                                 security_hub_client = security_hub
@@ -416,16 +409,22 @@ def upload_security_hub_integration(
                             logger.warning(
                                 f"Failed to archive previous findings: {str(archive_error)}"
                             )
+
             except Exception as e:
                 logger.error(
                     f"Security Hub integration {integration.id} failed: {str(e)}"
                 )
+                continue
 
         result = integration_executions == len(integrations)
         if result:
             logger.info(
                 f"All Security Hub integrations completed successfully for provider {provider_id}"
             )
+        else:
+            logger.error(
+                f"Some Security Hub integrations failed for provider {provider_id}"
+            )
 
         return result
 
@@ -436,81 +435,6 @@ def upload_security_hub_integration(
         return False
 
 
-def send_findings_to_github(
-    tenant_id: str,
-    integration_id: str,
-    repository: str,
-    labels: list[str],
-    finding_ids: list[str],
-):
-    with rls_transaction(tenant_id):
-        integration = Integration.objects.get(id=integration_id)
-        github_integration = initialize_prowler_integration(integration)
-
-    num_issues_created = 0
-    for finding_id in finding_ids:
-        with rls_transaction(tenant_id):
-            finding_instance = (
-                Finding.all_objects.select_related("scan__provider")
-                .prefetch_related("resources")
-                .get(id=finding_id)
-            )
-
-            # Extract resource information
-            resource = (
-                finding_instance.resources.first()
-                if finding_instance.resources.exists()
-                else None
-            )
-            resource_uid = resource.uid if resource else ""
-            resource_name = resource.name if resource else ""
-            resource_tags = {}
-            if resource and hasattr(resource, "tags"):
-                resource_tags = resource.get_tags(tenant_id)
-
-            # Get region
-            region = resource.region if resource and resource.region else ""
-
-            # Extract remediation information from check_metadata
-            check_metadata = finding_instance.check_metadata
-            remediation = check_metadata.get("remediation", {})
-            recommendation = remediation.get("recommendation", {})
-            remediation_code = remediation.get("code", {})
-
-            # Send the individual finding to GitHub
-            result = github_integration.send_finding(
-                check_id=finding_instance.check_id,
-                check_title=check_metadata.get("checktitle", ""),
-                severity=finding_instance.severity,
-                status=finding_instance.status,
-                status_extended=finding_instance.status_extended or "",
-                provider=finding_instance.scan.provider.provider,
-                region=region,
-                resource_uid=resource_uid,
-                resource_name=resource_name,
-                risk=check_metadata.get("risk", ""),
-                recommendation_text=recommendation.get("text", ""),
-                recommendation_url=recommendation.get("url", ""),
-                remediation_code_native_iac=remediation_code.get("nativeiac", ""),
-                remediation_code_terraform=remediation_code.get("terraform", ""),
-                remediation_code_cli=remediation_code.get("cli", ""),
-                remediation_code_other=remediation_code.get("other", ""),
-                resource_tags=resource_tags,
-                compliance=finding_instance.compliance or {},
-                repository=repository,
-                issue_labels=labels,
-            )
-            if result:
-                num_issues_created += 1
-            else:
-                logger.error(f"Failed to send finding {finding_id} to GitHub")
-
-    return {
-        "created_count": num_issues_created,
-        "failed_count": len(finding_ids) - num_issues_created,
-    }
-
-
 def send_findings_to_jira(
     tenant_id: str,
     integration_id: str,

api/src/backend/tasks/jobs/lighthouse_providers.py

@@ -2,8 +2,6 @@ from typing import Dict
 
 import boto3
 import openai
-from botocore import UNSIGNED
-from botocore.config import Config
 from botocore.exceptions import BotoCoreError, ClientError
 from celery.utils.log import get_task_logger
 
@@ -11,74 +9,6 @@ from api.models import LighthouseProviderConfiguration, LighthouseProviderModels
 
 logger = get_task_logger(__name__)
 
-# OpenAI model prefixes to exclude from Lighthouse model selection.
-# These models don't support text chat completions and tool calling.
-EXCLUDED_OPENAI_MODEL_PREFIXES = (
-    "dall-e",  # Image generation
-    "whisper",  # Audio transcription
-    "tts-",  # Text-to-speech (tts-1, tts-1-hd, etc.)
-    "sora",  # Text-to-video (sora-2, sora-2-pro, etc.)
-    "text-embedding",  # Embeddings
-    "embedding",  # Embeddings (alternative naming)
-    "text-moderation",  # Content moderation
-    "omni-moderation",  # Content moderation
-    "text-davinci",  # Legacy completion models
-    "text-curie",  # Legacy completion models
-    "text-babbage",  # Legacy completion models
-    "text-ada",  # Legacy completion models
-    "davinci",  # Legacy completion models
-    "curie",  # Legacy completion models
-    "babbage",  # Legacy completion models
-    "ada",  # Legacy completion models
-    "computer-use",  # Computer control agent
-    "gpt-image",  # Image generation
-    "gpt-audio",  # Audio models
-    "gpt-realtime",  # Realtime voice API
-)
-
-# OpenAI model substrings to exclude (patterns that can appear anywhere in model ID).
-# These patterns identify non-chat model variants.
-EXCLUDED_OPENAI_MODEL_SUBSTRINGS = (
-    "-audio-",  # Audio preview models (gpt-4o-audio-preview, etc.)
-    "-realtime-",  # Realtime preview models (gpt-4o-realtime-preview, etc.)
-    "-transcribe",  # Transcription models (gpt-4o-transcribe, etc.)
-    "-tts",  # TTS models (gpt-4o-mini-tts)
-    "-instruct",  # Legacy instruct models (gpt-3.5-turbo-instruct, etc.)
-)
-
-
-def _extract_error_message(e: Exception) -> str:
-    """
-    Extract a user-friendly error message from various exception types.
-
-    This function handles exceptions from different providers (OpenAI, AWS Bedrock)
-    and extracts the most relevant error message for display to users.
-
-    Args:
-        e: The exception to extract a message from.
-
-    Returns:
-        str: A user-friendly error message.
-    """
-    # For OpenAI SDK errors (>= v1.0)
-    # OpenAI exceptions have a 'body' attribute with error details
-    if hasattr(e, "body") and isinstance(e.body, dict):
-        if "message" in e.body:
-            return e.body["message"]
-        # Sometimes nested under 'error' key
-        if "error" in e.body and isinstance(e.body["error"], dict):
-            return e.body["error"].get("message", str(e))
-
-    # For boto3 ClientError
-    # Boto3 exceptions have a 'response' attribute with error details
-    if hasattr(e, "response") and isinstance(e.response, dict):
-        error_info = e.response.get("Error", {})
-        if error_info.get("Message"):
-            return error_info["Message"]
-
-    # Fallback to string representation for unknown error types
-    return str(e)
-
 
 def _extract_openai_api_key(
     provider_cfg: LighthouseProviderConfiguration,
@@ -126,39 +56,21 @@ def _extract_bedrock_credentials(
     """
     Safely extract AWS Bedrock credentials from a provider configuration.
 
-    Supports two authentication methods:
-    1. AWS access key + secret key + region
-    2. Bedrock API key (bearer token) + region
-
     Args:
         provider_cfg (LighthouseProviderConfiguration): The provider configuration instance
             containing the credentials.
 
     Returns:
-        Dict[str, str] | None: Dictionary with either:
-            - 'access_key_id', 'secret_access_key', and 'region' for access key auth
-            - 'api_key' and 'region' for API key (bearer token) auth
-            Returns None if credentials are invalid or missing.
+        Dict[str, str] | None: Dictionary with 'access_key_id', 'secret_access_key', and
+            'region' if present and valid, otherwise None.
     """
     creds = provider_cfg.credentials_decoded
     if not isinstance(creds, dict):
         return None
 
-    region = creds.get("region")
-    if not isinstance(region, str) or not region:
-        return None
-
-    # Check for API key authentication first
-    api_key = creds.get("api_key")
-    if isinstance(api_key, str) and api_key:
-        return {
-            "api_key": api_key,
-            "region": region,
-        }
-
-    # Fall back to access key authentication
     access_key_id = creds.get("access_key_id")
     secret_access_key = creds.get("secret_access_key")
+    region = creds.get("region")
 
     # Validate all required fields are present and are strings
     if (
@@ -166,6 +78,8 @@ def _extract_bedrock_credentials(
         or not access_key_id
         or not isinstance(secret_access_key, str)
         or not secret_access_key
+        or not isinstance(region, str)
+        or not region
     ):
         return None
 
@@ -176,51 +90,6 @@ def _extract_bedrock_credentials(
     }
 
 
-def _create_bedrock_client(
-    bedrock_creds: Dict[str, str], service_name: str = "bedrock"
-):
-    """
-    Create a boto3 Bedrock client with the appropriate authentication method.
-
-    Supports two authentication methods:
-    1. API key (bearer token) - uses unsigned requests with Authorization header
-    2. AWS access key + secret key - uses standard SigV4 signing
-
-    Args:
-        bedrock_creds: Dictionary with either:
-            - 'api_key' and 'region' for API key (bearer token) auth
-            - 'access_key_id', 'secret_access_key', and 'region' for access key auth
-        service_name: The Bedrock service name. Use 'bedrock' for control plane
-            operations (list_foundation_models, etc.) or 'bedrock-runtime' for
-            inference operations.
-
-    Returns:
-        boto3 client configured for the specified Bedrock service.
-    """
-    region = bedrock_creds["region"]
-
-    if "api_key" in bedrock_creds:
-        bearer_token = bedrock_creds["api_key"]
-        client = boto3.client(
-            service_name=service_name,
-            region_name=region,
-            config=Config(signature_version=UNSIGNED),
-        )
-
-        def inject_bearer_token(request, **kwargs):
-            request.headers["Authorization"] = f"Bearer {bearer_token}"
-
-        client.meta.events.register("before-send.*.*", inject_bearer_token)
-        return client
-
-    return boto3.client(
-        service_name=service_name,
-        region_name=region,
-        aws_access_key_id=bedrock_creds["access_key_id"],
-        aws_secret_access_key=bedrock_creds["secret_access_key"],
-    )
-
-
 def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
     """
     Validate a Lighthouse provider configuration by calling the provider API and
@@ -272,7 +141,12 @@ def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
                 }
 
             # Test connection by listing foundation models
-            bedrock_client = _create_bedrock_client(bedrock_creds)
+            bedrock_client = boto3.client(
+                "bedrock",
+                aws_access_key_id=bedrock_creds["access_key_id"],
+                aws_secret_access_key=bedrock_creds["secret_access_key"],
+                region_name=bedrock_creds["region"],
+            )
             _ = bedrock_client.list_foundation_models()
 
         elif (
@@ -305,54 +179,32 @@ def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
         return {"connected": True, "error": None}
 
     except Exception as e:
-        error_message = _extract_error_message(e)
         logger.warning(
-            "%s connection check failed: %s", provider_cfg.provider_type, error_message
+            "%s connection check failed: %s", provider_cfg.provider_type, str(e)
         )
         provider_cfg.is_active = False
         provider_cfg.save()
-        return {"connected": False, "error": error_message}
+        return {"connected": False, "error": str(e)}
 
 
 def _fetch_openai_models(api_key: str) -> Dict[str, str]:
     """
     Fetch available models from OpenAI API.
 
-    Filters out models that don't support text input/output and tool calling,
-    such as image generation (DALL-E), audio transcription (Whisper),
-    text-to-speech (TTS), embeddings, and moderation models.
-
     Args:
         api_key: OpenAI API key for authentication.
 
     Returns:
         Dict mapping model_id to model_name. For OpenAI, both are the same
-        as the API doesn't provide separate display names. Only includes
-        models that support text input, text output or tool calling.
+        as the API doesn't provide separate display names.
 
     Raises:
         Exception: If the API call fails.
     """
     client = openai.OpenAI(api_key=api_key)
     models = client.models.list()
-
-    # Filter models to only include those supporting chat completions + tool calling
-    filtered_models = {}
-    for model in getattr(models, "data", []):
-        model_id = model.id
-
-        # Skip if model ID starts with excluded prefixes
-        if model_id.startswith(EXCLUDED_OPENAI_MODEL_PREFIXES):
-            continue
-
-        # Skip if model ID contains excluded substrings
-        if any(substring in model_id for substring in EXCLUDED_OPENAI_MODEL_SUBSTRINGS):
-            continue
-
-        # Include model (supports chat completions + tool calling)
-        filtered_models[model_id] = model_id
-
-    return filtered_models
+    # OpenAI uses model.id for both ID and display name
+    return {m.id: m.id for m in getattr(models, "data", [])}
 
 
 def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, str]:
@@ -380,219 +232,105 @@ def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, st
     return available_models
 
 
-def _get_region_prefix(region: str) -> str:
-    """
-    Determine geographic prefix for AWS region.
-
-    Examples: ap-south-1 -> apac, us-east-1 -> us, eu-west-1 -> eu
-    """
-    if region.startswith(("us-", "ca-", "sa-")):
-        return "us"
-    elif region.startswith("eu-"):
-        return "eu"
-    elif region.startswith("ap-"):
-        return "apac"
-    return "global"
-
-
-def _clean_inference_profile_name(profile_name: str) -> str:
-    """
-    Remove geographic prefix from inference profile name.
-
-    AWS includes geographic prefixes in profile names which are redundant
-    since the profile ID already contains this information.
-
-    Examples:
-        "APAC Anthropic Claude 3.5 Sonnet" -> "Anthropic Claude 3.5 Sonnet"
-        "GLOBAL Claude Sonnet 4.5" -> "Claude Sonnet 4.5"
-        "US Anthropic Claude 3 Haiku" -> "Anthropic Claude 3 Haiku"
-    """
-    prefixes = ["APAC ", "GLOBAL ", "US ", "EU ", "APAC-", "GLOBAL-", "US-", "EU-"]
-
-    for prefix in prefixes:
-        if profile_name.upper().startswith(prefix.upper()):
-            return profile_name[len(prefix) :].strip()
-
-    return profile_name
-
-
-def _supports_text_modality(input_modalities: list, output_modalities: list) -> bool:
-    """Check if model supports TEXT for both input and output."""
-    return "TEXT" in input_modalities and "TEXT" in output_modalities
-
-
-def _get_foundation_model_modalities(
-    bedrock_client, model_id: str
-) -> tuple[list, list] | None:
-    """
-    Fetch input and output modalities for a foundation model.
-
-    Returns:
-        (input_modalities, output_modalities) or None if fetch fails
-    """
-    try:
-        model_info = bedrock_client.get_foundation_model(modelIdentifier=model_id)
-        model_details = model_info.get("modelDetails", {})
-        input_mods = model_details.get("inputModalities", [])
-        output_mods = model_details.get("outputModalities", [])
-        return (input_mods, output_mods)
-    except (BotoCoreError, ClientError) as e:
-        logger.debug("Could not fetch model details for %s: %s", model_id, str(e))
-        return None
-
-
-def _extract_foundation_model_ids(profile_models: list) -> list[str]:
-    """
-    Extract foundation model IDs from inference profile model ARNs.
-
-    Args:
-        profile_models: List of model references from inference profile
-
-    Returns:
-        List of foundation model IDs extracted from ARNs
-    """
-    model_ids = []
-    for model_ref in profile_models:
-        model_arn = model_ref.get("modelArn", "")
-        if "foundation-model/" in model_arn:
-            model_id = model_arn.split("foundation-model/")[1]
-            model_ids.append(model_id)
-    return model_ids
-
-
-def _build_inference_profile_map(
-    bedrock_client, region: str
-) -> Dict[str, tuple[str, str]]:
-    """
-    Build map of foundation_model_id -> best inference profile.
-
-    Returns:
-        Dict mapping foundation_model_id to (profile_id, profile_name)
-        Only includes profiles with TEXT modality support
-        Prefers region-matched profiles over others
-    """
-    region_prefix = _get_region_prefix(region)
-    model_to_profile: Dict[str, tuple[str, str]] = {}
-
-    try:
-        response = bedrock_client.list_inference_profiles()
-        profiles = response.get("inferenceProfileSummaries", [])
-
-        for profile in profiles:
-            profile_id = profile.get("inferenceProfileId")
-            profile_name = profile.get("inferenceProfileName")
-
-            if not profile_id or not profile_name:
-                continue
-
-            profile_models = profile.get("models", [])
-            if not profile_models:
-                continue
-
-            foundation_model_ids = _extract_foundation_model_ids(profile_models)
-            if not foundation_model_ids:
-                continue
-
-            modalities = _get_foundation_model_modalities(
-                bedrock_client, foundation_model_ids[0]
-            )
-            if not modalities:
-                continue
-
-            input_mods, output_mods = modalities
-            if not _supports_text_modality(input_mods, output_mods):
-                continue
-
-            is_preferred = profile_id.startswith(f"{region_prefix}.")
-            clean_name = _clean_inference_profile_name(profile_name)
-
-            for foundation_model_id in foundation_model_ids:
-                if foundation_model_id not in model_to_profile:
-                    model_to_profile[foundation_model_id] = (profile_id, clean_name)
-                elif is_preferred and not model_to_profile[foundation_model_id][
-                    0
-                ].startswith(f"{region_prefix}."):
-                    model_to_profile[foundation_model_id] = (profile_id, clean_name)
-
-    except (BotoCoreError, ClientError) as e:
-        logger.info("Could not fetch inference profiles in %s: %s", region, str(e))
-
-    return model_to_profile
-
-
-def _check_on_demand_availability(bedrock_client, model_id: str) -> bool:
-    """Check if an ON_DEMAND foundation model is entitled and available."""
-    try:
-        availability = bedrock_client.get_foundation_model_availability(
-            modelId=model_id
-        )
-        entitlement = availability.get("entitlementAvailability")
-        return entitlement == "AVAILABLE"
-    except (BotoCoreError, ClientError) as e:
-        logger.debug("Could not check availability for %s: %s", model_id, str(e))
-        return False
-
-
 def _fetch_bedrock_models(bedrock_creds: Dict[str, str]) -> Dict[str, str]:
     """
-    Fetch available models from AWS Bedrock, preferring inference profiles over ON_DEMAND.
+    Fetch available models from AWS Bedrock with entitlement verification.
 
-    Strategy:
-    1. Build map of foundation_model -> best_inference_profile (with TEXT validation)
-    2. For each TEXT-capable foundation model:
-       - Use inference profile ID if available (preferred - better throughput)
-       - Fallback to foundation model ID if only ON_DEMAND available
-    3. Verify entitlement for ON_DEMAND models
+    This function:
+    1. Lists foundation models with TEXT modality support
+    2. Lists inference profiles with TEXT modality support
+    3. Verifies user has entitlement access to each model
 
     Args:
-        bedrock_creds: Dict with 'region' and auth credentials
+        bedrock_creds: Dictionary with 'access_key_id', 'secret_access_key', and 'region'.
 
     Returns:
-        Dict mapping model_id to model_name. IDs can be:
-        - Inference profile IDs (e.g., "apac.anthropic.claude-3-5-sonnet-20240620-v1:0")
-        - Foundation model IDs (e.g., "anthropic.claude-3-5-sonnet-20240620-v1:0")
+        Dict mapping model_id to model_name for all accessible models.
+
+    Raises:
+        BotoCoreError, ClientError: If AWS API calls fail.
     """
-    bedrock_client = _create_bedrock_client(bedrock_creds)
-    region = bedrock_creds["region"]
+    bedrock_client = boto3.client(
+        "bedrock",
+        aws_access_key_id=bedrock_creds["access_key_id"],
+        aws_secret_access_key=bedrock_creds["secret_access_key"],
+        region_name=bedrock_creds["region"],
+    )
 
-    model_to_profile = _build_inference_profile_map(bedrock_client, region)
+    models_to_check: Dict[str, str] = {}
 
+    # Step 1: Get foundation models with TEXT modality
     foundation_response = bedrock_client.list_foundation_models()
     model_summaries = foundation_response.get("modelSummaries", [])
 
-    models_to_return: Dict[str, str] = {}
-    on_demand_models: set[str] = set()
-
     for model in model_summaries:
-        input_mods = model.get("inputModalities", [])
-        output_mods = model.get("outputModalities", [])
+        # Check if model supports TEXT input and output modality
+        input_modalities = model.get("inputModalities", [])
+        output_modalities = model.get("outputModalities", [])
 
-        if not _supports_text_modality(input_mods, output_mods):
+        if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
             continue
 
         model_id = model.get("modelId")
-        model_name = model.get("modelName")
-
-        if not model_id or not model_name:
+        if not model_id:
             continue
 
-        if model_id in model_to_profile:
-            profile_id, profile_name = model_to_profile[model_id]
-            models_to_return[profile_id] = profile_name
-        else:
-            inference_types = model.get("inferenceTypesSupported", [])
-            if "ON_DEMAND" in inference_types:
-                models_to_return[model_id] = model_name
-                on_demand_models.add(model_id)
+        inference_types = model.get("inferenceTypesSupported", [])
 
+        # Only include models with ON_DEMAND inference support
+        if "ON_DEMAND" in inference_types:
+            models_to_check[model_id] = model["modelName"]
+
+    # Step 2: Get inference profiles
+    try:
+        inference_profiles_response = bedrock_client.list_inference_profiles()
+        inference_profiles = inference_profiles_response.get(
+            "inferenceProfileSummaries", []
+        )
+
+        for profile in inference_profiles:
+            # Check if profile supports TEXT modality
+            input_modalities = profile.get("inputModalities", [])
+            output_modalities = profile.get("outputModalities", [])
+
+            if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
+                continue
+
+            profile_id = profile.get("inferenceProfileId")
+            if profile_id:
+                models_to_check[profile_id] = profile["inferenceProfileName"]
+
+    except (BotoCoreError, ClientError) as e:
+        logger.info(
+            "Could not fetch inference profiles in %s: %s",
+            bedrock_creds["region"],
+            str(e),
+        )
+
+    # Step 3: Verify entitlement availability for each model
     available_models: Dict[str, str] = {}
 
-    for model_id, model_name in models_to_return.items():
-        if model_id in on_demand_models:
-            if _check_on_demand_availability(bedrock_client, model_id):
+    for model_id, model_name in models_to_check.items():
+        try:
+            availability = bedrock_client.get_foundation_model_availability(
+                modelId=model_id
+            )
+
+            entitlement = availability.get("entitlementAvailability")
+
+            # Only include models user has access to
+            if entitlement == "AVAILABLE":
                 available_models[model_id] = model_name
-        else:
-            available_models[model_id] = model_name
+            else:
+                logger.debug(
+                    "Skipping model %s - entitlement status: %s", model_id, entitlement
+                )
+
+        except (BotoCoreError, ClientError) as e:
+            logger.debug(
+                "Could not check availability for model %s: %s", model_id, str(e)
+            )
+            continue
 
     return available_models
 
@@ -621,6 +359,7 @@ def refresh_lighthouse_provider_models(provider_config_id: str) -> Dict:
     provider_cfg = LighthouseProviderConfiguration.objects.get(pk=provider_config_id)
     fetched_models: Dict[str, str] = {}
 
+    # Fetch models from the appropriate provider
     try:
         if (
             provider_cfg.provider_type
@@ -675,13 +414,12 @@ def refresh_lighthouse_provider_models(provider_config_id: str) -> Dict:
             }
 
     except Exception as e:
-        error_message = _extract_error_message(e)
         logger.warning(
             "Unexpected error refreshing %s models: %s",
             provider_cfg.provider_type,
-            error_message,
+            str(e),
         )
-        return {"created": 0, "updated": 0, "deleted": 0, "error": error_message}
+        return {"created": 0, "updated": 0, "deleted": 0, "error": str(e)}
 
     # Upsert models into the catalog
     created = 0

api/src/backend/tasks/jobs/threatscore.py

@@ -1,214 +0,0 @@
-from celery.utils.log import get_task_logger
-from tasks.jobs.threatscore_utils import (
-    _aggregate_requirement_statistics_from_database,
-    _calculate_requirements_data_from_statistics,
-)
-
-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import rls_transaction
-from api.models import Provider, StatusChoices
-from prowler.lib.check.compliance_models import Compliance
-
-logger = get_task_logger(__name__)
-
-
-def compute_threatscore_metrics(
-    tenant_id: str,
-    scan_id: str,
-    provider_id: str,
-    compliance_id: str,
-    min_risk_level: int = 4,
-) -> dict:
-    """
-    Compute ThreatScore metrics for a given scan.
-
-    This function calculates all the metrics needed for a ThreatScore snapshot:
-    - Overall ThreatScore percentage
-    - Section-by-section scores
-    - Critical failed requirements (risk >= min_risk_level)
-    - Summary statistics (requirements and findings counts)
-
-    Args:
-        tenant_id (str): The tenant ID for Row-Level Security context.
-        scan_id (str): The ID of the scan to analyze.
-        provider_id (str): The ID of the provider used in the scan.
-        compliance_id (str): Compliance framework ID (e.g., "prowler_threatscore_aws").
-        min_risk_level (int): Minimum risk level for critical requirements. Defaults to 4.
-
-    Returns:
-        dict: A dictionary containing:
-            - overall_score (float): Overall ThreatScore percentage (0-100)
-            - section_scores (dict): Section name -> score percentage mapping
-            - critical_requirements (list): List of critical failed requirement dicts
-            - total_requirements (int): Total number of requirements
-            - passed_requirements (int): Number of PASS requirements
-            - failed_requirements (int): Number of FAIL requirements
-            - manual_requirements (int): Number of MANUAL requirements
-            - total_findings (int): Total findings count
-            - passed_findings (int): Passed findings count
-            - failed_findings (int): Failed findings count
-
-    Example:
-        >>> metrics = compute_threatscore_metrics(
-        ...     tenant_id="tenant-123",
-        ...     scan_id="scan-456",
-        ...     provider_id="provider-789",
-        ...     compliance_id="prowler_threatscore_aws"
-        ... )
-        >>> print(f"Overall ThreatScore: {metrics['overall_score']:.2f}%")
-    """
-    # Get provider and compliance information
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        provider_obj = Provider.objects.get(id=provider_id)
-        provider_type = provider_obj.provider
-
-        frameworks_bulk = Compliance.get_bulk(provider_type)
-        compliance_obj = frameworks_bulk[compliance_id]
-
-    # Aggregate requirement statistics from database
-    requirement_statistics_by_check_id = (
-        _aggregate_requirement_statistics_from_database(tenant_id, scan_id)
-    )
-
-    # Calculate requirements data using aggregated statistics
-    attributes_by_requirement_id, requirements_list = (
-        _calculate_requirements_data_from_statistics(
-            compliance_obj, requirement_statistics_by_check_id
-        )
-    )
-
-    # Initialize metrics
-    overall_numerator = 0
-    overall_denominator = 0
-    overall_has_findings = False
-
-    sections_data = {}
-
-    total_requirements = len(requirements_list)
-    passed_requirements = 0
-    failed_requirements = 0
-    manual_requirements = 0
-    total_findings = 0
-    passed_findings = 0
-    failed_findings = 0
-
-    critical_requirements_list = []
-
-    # Process each requirement
-    for requirement in requirements_list:
-        requirement_id = requirement["id"]
-        requirement_status = requirement["attributes"]["status"]
-        requirement_attributes = attributes_by_requirement_id.get(requirement_id, {})
-
-        # Count requirements by status
-        if requirement_status == StatusChoices.PASS:
-            passed_requirements += 1
-        elif requirement_status == StatusChoices.FAIL:
-            failed_requirements += 1
-        elif requirement_status == StatusChoices.MANUAL:
-            manual_requirements += 1
-
-        # Get findings data
-        req_passed_findings = requirement["attributes"].get("passed_findings", 0)
-        req_total_findings = requirement["attributes"].get("total_findings", 0)
-
-        # Accumulate findings counts
-        total_findings += req_total_findings
-        passed_findings += req_passed_findings
-        failed_findings += req_total_findings - req_passed_findings
-
-        # Skip requirements with no findings
-        if req_total_findings == 0:
-            continue
-
-        overall_has_findings = True
-
-        # Get requirement metadata
-        metadata = requirement_attributes.get("attributes", {}).get(
-            "req_attributes", []
-        )
-        if not metadata or len(metadata) == 0:
-            continue
-
-        m = metadata[0]
-        risk_level = getattr(m, "LevelOfRisk", 0)
-        weight = getattr(m, "Weight", 0)
-        section = getattr(m, "Section", "Unknown")
-
-        # Calculate ThreatScore components using formula from UI
-        rate_i = req_passed_findings / req_total_findings
-        rfac_i = 1 + 0.25 * risk_level
-
-        # Update overall score
-        overall_numerator += rate_i * req_total_findings * weight * rfac_i
-        overall_denominator += req_total_findings * weight * rfac_i
-
-        # Update section scores
-        if section not in sections_data:
-            sections_data[section] = {
-                "numerator": 0,
-                "denominator": 0,
-                "has_findings": False,
-            }
-
-        sections_data[section]["has_findings"] = True
-        sections_data[section]["numerator"] += (
-            rate_i * req_total_findings * weight * rfac_i
-        )
-        sections_data[section]["denominator"] += req_total_findings * weight * rfac_i
-
-        # Identify critical failed requirements
-        if requirement_status == StatusChoices.FAIL and risk_level >= min_risk_level:
-            critical_requirements_list.append(
-                {
-                    "requirement_id": requirement_id,
-                    "title": getattr(m, "Title", "N/A"),
-                    "section": section,
-                    "subsection": getattr(m, "SubSection", "N/A"),
-                    "risk_level": risk_level,
-                    "weight": weight,
-                    "passed_findings": req_passed_findings,
-                    "total_findings": req_total_findings,
-                    "description": getattr(m, "AttributeDescription", "N/A"),
-                }
-            )
-
-    # Calculate overall ThreatScore
-    if not overall_has_findings:
-        overall_score = 100.0
-    elif overall_denominator > 0:
-        overall_score = (overall_numerator / overall_denominator) * 100
-    else:
-        overall_score = 0.0
-
-    # Calculate section scores
-    section_scores = {}
-    for section, data in sections_data.items():
-        if data["has_findings"] and data["denominator"] > 0:
-            section_scores[section] = (data["numerator"] / data["denominator"]) * 100
-        else:
-            section_scores[section] = 100.0
-
-    # Sort critical requirements by risk level (desc) and weight (desc)
-    critical_requirements_list.sort(
-        key=lambda x: (x["risk_level"], x["weight"]), reverse=True
-    )
-
-    logger.info(
-        f"ThreatScore computed: {overall_score:.2f}% "
-        f"({passed_requirements}/{total_requirements} requirements passed, "
-        f"{len(critical_requirements_list)} critical failures)"
-    )
-
-    return {
-        "overall_score": round(overall_score, 2),
-        "section_scores": {k: round(v, 2) for k, v in section_scores.items()},
-        "critical_requirements": critical_requirements_list,
-        "total_requirements": total_requirements,
-        "passed_requirements": passed_requirements,
-        "failed_requirements": failed_requirements,
-        "manual_requirements": manual_requirements,
-        "total_findings": total_findings,
-        "passed_findings": passed_findings,
-        "failed_findings": failed_findings,
-    }

api/src/backend/tasks/jobs/threatscore_utils.py

@@ -1,239 +0,0 @@
-from collections import defaultdict
-
-from celery.utils.log import get_task_logger
-from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
-from django.db.models import Count, Q
-from tasks.utils import batched
-
-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import rls_transaction
-from api.models import Finding, StatusChoices
-from prowler.lib.outputs.finding import Finding as FindingOutput
-
-logger = get_task_logger(__name__)
-
-
-def _aggregate_requirement_statistics_from_database(
-    tenant_id: str, scan_id: str
-) -> dict[str, dict[str, int]]:
-    """
-    Aggregate finding statistics by check_id using database aggregation.
-
-    This function uses Django ORM aggregation to calculate pass/fail statistics
-    entirely in the database, avoiding the need to load findings into memory.
-
-    Args:
-        tenant_id (str): The tenant ID for Row-Level Security context.
-        scan_id (str): The ID of the scan to retrieve findings for.
-
-    Returns:
-        dict[str, dict[str, int]]: Dictionary mapping check_id to statistics:
-            - 'passed' (int): Number of passed findings for this check
-            - 'total' (int): Total number of findings for this check
-
-    Example:
-        {
-            'aws_iam_user_mfa_enabled': {'passed': 10, 'total': 15},
-            'aws_s3_bucket_public_access': {'passed': 0, 'total': 5}
-        }
-    """
-    requirement_statistics_by_check_id = {}
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        aggregated_statistics_queryset = (
-            Finding.all_objects.filter(
-                tenant_id=tenant_id, scan_id=scan_id, muted=False
-            )
-            .values("check_id")
-            .annotate(
-                total_findings=Count(
-                    "id",
-                    filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
-                ),
-                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
-            )
-        )
-
-        for aggregated_stat in aggregated_statistics_queryset:
-            check_id = aggregated_stat["check_id"]
-            requirement_statistics_by_check_id[check_id] = {
-                "passed": aggregated_stat["passed_findings"],
-                "total": aggregated_stat["total_findings"],
-            }
-
-    logger.info(
-        f"Aggregated statistics for {len(requirement_statistics_by_check_id)} unique checks"
-    )
-    return requirement_statistics_by_check_id
-
-
-def _calculate_requirements_data_from_statistics(
-    compliance_obj, requirement_statistics_by_check_id: dict[str, dict[str, int]]
-) -> tuple[dict[str, dict], list[dict]]:
-    """
-    Calculate requirement status and statistics using pre-aggregated database statistics.
-
-    Args:
-        compliance_obj: The compliance framework object containing requirements.
-        requirement_statistics_by_check_id (dict[str, dict[str, int]]): Pre-aggregated statistics
-            mapping check_id to {'passed': int, 'total': int} counts.
-
-    Returns:
-        tuple[dict[str, dict], list[dict]]: A tuple containing:
-            - attributes_by_requirement_id: Dictionary mapping requirement IDs to their attributes.
-            - requirements_list: List of requirement dictionaries with status and statistics.
-    """
-    attributes_by_requirement_id = {}
-    requirements_list = []
-
-    compliance_framework = getattr(compliance_obj, "Framework", "N/A")
-    compliance_version = getattr(compliance_obj, "Version", "N/A")
-
-    for requirement in compliance_obj.Requirements:
-        requirement_id = requirement.Id
-        requirement_description = getattr(requirement, "Description", "")
-        requirement_checks = getattr(requirement, "Checks", [])
-        requirement_attributes = getattr(requirement, "Attributes", [])
-
-        attributes_by_requirement_id[requirement_id] = {
-            "attributes": {
-                "req_attributes": requirement_attributes,
-                "checks": requirement_checks,
-            },
-            "description": requirement_description,
-        }
-
-        total_passed_findings = 0
-        total_findings_count = 0
-
-        for check_id in requirement_checks:
-            if check_id in requirement_statistics_by_check_id:
-                check_statistics = requirement_statistics_by_check_id[check_id]
-                total_findings_count += check_statistics["total"]
-                total_passed_findings += check_statistics["passed"]
-
-        if total_findings_count > 0:
-            if total_passed_findings == total_findings_count:
-                requirement_status = StatusChoices.PASS
-            else:
-                requirement_status = StatusChoices.FAIL
-        else:
-            requirement_status = StatusChoices.MANUAL
-
-        requirements_list.append(
-            {
-                "id": requirement_id,
-                "attributes": {
-                    "framework": compliance_framework,
-                    "version": compliance_version,
-                    "status": requirement_status,
-                    "description": requirement_description,
-                    "passed_findings": total_passed_findings,
-                    "total_findings": total_findings_count,
-                },
-            }
-        )
-
-    return attributes_by_requirement_id, requirements_list
-
-
-def _load_findings_for_requirement_checks(
-    tenant_id: str,
-    scan_id: str,
-    check_ids: list[str],
-    prowler_provider,
-    findings_cache: dict[str, list[FindingOutput]] | None = None,
-) -> dict[str, list[FindingOutput]]:
-    """
-    Load findings for specific check IDs on-demand with optional caching.
-
-    This function loads only the findings needed for a specific set of checks,
-    minimizing memory usage by avoiding loading all findings at once. This is used
-    when generating detailed findings tables for specific requirements in the PDF.
-
-    Supports optional caching to avoid duplicate queries when generating multiple
-    reports for the same scan.
-
-    Args:
-        tenant_id (str): The tenant ID for Row-Level Security context.
-        scan_id (str): The ID of the scan to retrieve findings for.
-        check_ids (list[str]): List of check IDs to load findings for.
-        prowler_provider: The initialized Prowler provider instance.
-        findings_cache (dict, optional): Cache of already loaded findings.
-            If provided, checks are first looked up in cache before querying database.
-
-    Returns:
-        dict[str, list[FindingOutput]]: Dictionary mapping check_id to list of FindingOutput objects.
-
-    Example:
-        {
-            'aws_iam_user_mfa_enabled': [FindingOutput(...), FindingOutput(...)],
-            'aws_s3_bucket_public_access': [FindingOutput(...)]
-        }
-    """
-    findings_by_check_id = defaultdict(list)
-
-    if not check_ids:
-        return dict(findings_by_check_id)
-
-    # Initialize cache if not provided
-    if findings_cache is None:
-        findings_cache = {}
-
-    # Separate cached and non-cached check_ids
-    check_ids_to_load = []
-    cache_hits = 0
-    cache_misses = 0
-
-    for check_id in check_ids:
-        if check_id in findings_cache:
-            # Reuse from cache
-            findings_by_check_id[check_id] = findings_cache[check_id]
-            cache_hits += 1
-        else:
-            # Need to load from database
-            check_ids_to_load.append(check_id)
-            cache_misses += 1
-
-    if cache_hits > 0:
-        logger.info(
-            f"Findings cache: {cache_hits} hits, {cache_misses} misses "
-            f"({cache_hits / (cache_hits + cache_misses) * 100:.1f}% hit rate)"
-        )
-
-    # If all check_ids were in cache, return early
-    if not check_ids_to_load:
-        return dict(findings_by_check_id)
-
-    logger.info(f"Loading findings for {len(check_ids_to_load)} checks on-demand")
-
-    findings_queryset = (
-        Finding.all_objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id, check_id__in=check_ids_to_load
-        )
-        .order_by("uid")
-        .iterator()
-    )
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        for batch, is_last_batch in batched(
-            findings_queryset, DJANGO_FINDINGS_BATCH_SIZE
-        ):
-            for finding_model in batch:
-                finding_output = FindingOutput.transform_api_finding(
-                    finding_model, prowler_provider
-                )
-                findings_by_check_id[finding_output.check_id].append(finding_output)
-                # Update cache with newly loaded findings
-                if finding_output.check_id not in findings_cache:
-                    findings_cache[finding_output.check_id] = []
-                findings_cache[finding_output.check_id].append(finding_output)
-
-    total_findings_loaded = sum(
-        len(findings) for findings in findings_by_check_id.values()
-    )
-    logger.info(
-        f"Loaded {total_findings_loaded} findings for {len(findings_by_check_id)} checks"
-    )
-
-    return dict(findings_by_check_id)

api/src/backend/tasks/tasks.py

@@ -8,12 +8,7 @@ from celery.utils.log import get_task_logger
 from config.celery import RLSTask
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE, DJANGO_TMP_OUTPUT_DIRECTORY
 from django_celery_beat.models import PeriodicTask
-from tasks.jobs.backfill import (
-    backfill_compliance_summaries,
-    backfill_daily_severity_summaries,
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries
 from tasks.jobs.connection import (
     check_integration_connection,
     check_lighthouse_connection,
@@ -28,7 +23,6 @@ from tasks.jobs.export import (
     _upload_to_s3,
 )
 from tasks.jobs.integrations import (
-    send_findings_to_github,
     send_findings_to_jira,
     upload_s3_integration,
     upload_security_hub_integration,
@@ -38,10 +32,8 @@ from tasks.jobs.lighthouse_providers import (
     refresh_lighthouse_provider_models,
 )
 from tasks.jobs.muting import mute_historical_findings
-from tasks.jobs.report import generate_compliance_reports_job
+from tasks.jobs.report import generate_threatscore_report_job
 from tasks.jobs.scan import (
-    aggregate_attack_surface,
-    aggregate_daily_severity,
     aggregate_findings,
     create_compliance_requirements,
     perform_prowler_scan,
@@ -51,7 +43,7 @@ from tasks.utils import batched, get_next_execution_datetime
 from api.compliance import get_compliance_frameworks
 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
-from api.decorators import handle_provider_deletion, set_tenant
+from api.decorators import set_tenant
 from api.models import Finding, Integration, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
 from api.v1.serializers import ScanTaskSerializer
@@ -62,58 +54,6 @@ from prowler.lib.outputs.finding import Finding as FindingOutput
 logger = get_task_logger(__name__)
 
 
-def _cleanup_orphan_scheduled_scans(
-    tenant_id: str,
-    provider_id: str,
-    scheduler_task_id: int,
-) -> int:
-    """
-    TEMPORARY WORKAROUND: Clean up orphan AVAILABLE scans.
-
-    Detects and removes AVAILABLE scans that were never used due to an
-    issue during the first scheduled scan setup.
-
-    An AVAILABLE scan is considered orphan if there's also a SCHEDULED scan for
-    the same provider with the same scheduler_task_id. This situation indicates
-    that the first scan execution didn't find the AVAILABLE scan (because it
-    wasn't committed yet, probably) and created a new one, leaving the AVAILABLE orphaned.
-
-    Args:
-        tenant_id: The tenant ID.
-        provider_id: The provider ID.
-        scheduler_task_id: The PeriodicTask ID that triggers these scans.
-
-    Returns:
-        Number of orphan scans deleted (0 if none found).
-    """
-    orphan_available_scans = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.AVAILABLE,
-        scheduler_task_id=scheduler_task_id,
-    )
-
-    scheduled_scan_exists = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.SCHEDULED,
-        scheduler_task_id=scheduler_task_id,
-    ).exists()
-
-    if scheduled_scan_exists and orphan_available_scans.exists():
-        orphan_count = orphan_available_scans.count()
-        logger.warning(
-            f"[WORKAROUND] Found {orphan_count} orphan AVAILABLE scan(s) for "
-            f"provider {provider_id} alongside a SCHEDULED scan. Cleaning up orphans..."
-        )
-        orphan_available_scans.delete()
-        return orphan_count
-
-    return 0
-
-
 def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str):
     """
     Helper function to perform tasks after a scan is completed.
@@ -126,20 +66,13 @@ def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str)
     create_compliance_requirements_task.apply_async(
         kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
     )
-    aggregate_attack_surface_task.apply_async(
-        kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
-    )
     chain(
         perform_scan_summary_task.si(tenant_id=tenant_id, scan_id=scan_id),
-        group(
-            aggregate_daily_severity_task.si(tenant_id=tenant_id, scan_id=scan_id),
-            generate_outputs_task.si(
-                scan_id=scan_id, provider_id=provider_id, tenant_id=tenant_id
-            ),
+        generate_outputs_task.si(
+            scan_id=scan_id, provider_id=provider_id, tenant_id=tenant_id
         ),
         group(
-            # Use optimized task that generates both reports with shared queries
-            generate_compliance_reports_task.si(
+            generate_threatscore_report_task.si(
                 tenant_id=tenant_id, scan_id=scan_id, provider_id=provider_id
             ),
             check_integrations_task.si(
@@ -203,7 +136,6 @@ def delete_provider_task(provider_id: str, tenant_id: str):
 
 
 @shared_task(base=RLSTask, name="scan-perform", queue="scans")
-@handle_provider_deletion
 def perform_scan_task(
     tenant_id: str, scan_id: str, provider_id: str, checks_to_execute: list[str] = None
 ):
@@ -236,7 +168,6 @@ def perform_scan_task(
 
 
 @shared_task(base=RLSTask, bind=True, name="scan-perform-scheduled", queue="scans")
-@handle_provider_deletion
 def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
     """
     Task to perform a scheduled Prowler scan on a given provider.
@@ -300,14 +231,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
             return serializer.data
 
         next_scan_datetime = get_next_execution_datetime(task_id, provider_id)
-
-        # TEMPORARY WORKAROUND: Clean up orphan scans from transaction isolation issue
-        _cleanup_orphan_scheduled_scans(
-            tenant_id=tenant_id,
-            provider_id=provider_id,
-            scheduler_task_id=periodic_task_instance.id,
-        )
-
         scan_instance, _ = Scan.objects.get_or_create(
             tenant_id=tenant_id,
             provider_id=provider_id,
@@ -350,7 +273,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
 
 
 @shared_task(name="scan-summary", queue="overview")
-@handle_provider_deletion
 def perform_scan_summary_task(tenant_id: str, scan_id: str):
     return aggregate_findings(tenant_id=tenant_id, scan_id=scan_id)
 
@@ -366,7 +288,6 @@ def delete_tenant_task(tenant_id: str):
     queue="scan-reports",
 )
 @set_tenant(keep_tenant=True)
-@handle_provider_deletion
 def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
     """
     Process findings in batches and generate output files in multiple formats.
@@ -395,7 +316,7 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
 
     frameworks_bulk = Compliance.get_bulk(provider_type)
     frameworks_avail = get_compliance_frameworks(provider_type)
-    out_dir, comp_dir = _generate_output_directory(
+    out_dir, comp_dir, _ = _generate_output_directory(
         DJANGO_TMP_OUTPUT_DIRECTORY, provider_uid, tenant_id, scan_id
     )
 
@@ -562,7 +483,6 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
 
 
 @shared_task(name="backfill-scan-resource-summaries", queue="backfill")
-@handle_provider_deletion
 def backfill_scan_resource_summaries_task(tenant_id: str, scan_id: str):
     """
     Tries to backfill the resource scan summaries table for a given scan.
@@ -574,45 +494,7 @@ def backfill_scan_resource_summaries_task(tenant_id: str, scan_id: str):
     return backfill_resource_scan_summaries(tenant_id=tenant_id, scan_id=scan_id)
 
 
-@shared_task(name="backfill-compliance-summaries", queue="backfill")
-@handle_provider_deletion
-def backfill_compliance_summaries_task(tenant_id: str, scan_id: str):
-    """
-    Tries to backfill compliance overview summaries for a completed scan.
-
-    This task aggregates compliance requirement data across regions
-    to create pre-computed summary records for fast compliance overview queries.
-
-    Args:
-        tenant_id (str): The tenant identifier.
-        scan_id (str): The scan identifier.
-    """
-    return backfill_compliance_summaries(tenant_id=tenant_id, scan_id=scan_id)
-
-
-@shared_task(name="backfill-daily-severity-summaries", queue="backfill")
-def backfill_daily_severity_summaries_task(tenant_id: str, days: int = None):
-    """Backfill DailySeveritySummary from historical scans. Use days param to limit scope."""
-    return backfill_daily_severity_summaries(tenant_id=tenant_id, days=days)
-
-
-@shared_task(name="backfill-scan-category-summaries", queue="backfill")
-@handle_provider_deletion
-def backfill_scan_category_summaries_task(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates unique categories from findings and creates a summary row.
-
-    Args:
-        tenant_id (str): The tenant identifier.
-        scan_id (str): The scan identifier.
-    """
-    return backfill_scan_category_summaries(tenant_id=tenant_id, scan_id=scan_id)
-
-
 @shared_task(base=RLSTask, name="scan-compliance-overviews", queue="compliance")
-@handle_provider_deletion
 def create_compliance_requirements_task(tenant_id: str, scan_id: str):
     """
     Creates detailed compliance requirement records for a scan.
@@ -628,29 +510,6 @@ def create_compliance_requirements_task(tenant_id: str, scan_id: str):
     return create_compliance_requirements(tenant_id=tenant_id, scan_id=scan_id)
 
 
-@shared_task(name="scan-attack-surface-overviews", queue="overview")
-@handle_provider_deletion
-def aggregate_attack_surface_task(tenant_id: str, scan_id: str):
-    """
-    Creates attack surface overview records for a scan.
-
-    This task processes findings and aggregates them into attack surface categories
-    (internet-exposed, secrets, privilege-escalation, ec2-imdsv1) for quick overview queries.
-
-    Args:
-        tenant_id (str): The tenant ID for which to create records.
-        scan_id (str): The ID of the scan for which to create records.
-    """
-    return aggregate_attack_surface(tenant_id=tenant_id, scan_id=scan_id)
-
-
-@shared_task(name="scan-daily-severity", queue="overview")
-@handle_provider_deletion
-def aggregate_daily_severity_task(tenant_id: str, scan_id: str):
-    """Aggregate scan severity into DailySeveritySummary for findings_severity/timeseries endpoint."""
-    return aggregate_daily_severity(tenant_id=tenant_id, scan_id=scan_id)
-
-
 @shared_task(base=RLSTask, name="lighthouse-connection-check")
 @set_tenant
 def check_lighthouse_connection_task(lighthouse_config_id: str, tenant_id: str = None):
@@ -689,7 +548,6 @@ def refresh_lighthouse_provider_models_task(
 
 
 @shared_task(name="integration-check")
-@handle_provider_deletion
 def check_integrations_task(tenant_id: str, provider_id: str, scan_id: str = None):
     """
     Check and execute all configured integrations for a provider.
@@ -754,7 +612,6 @@ def check_integrations_task(tenant_id: str, provider_id: str, scan_id: str = Non
     name="integration-s3",
     queue="integrations",
 )
-@handle_provider_deletion
 def s3_integration_task(
     tenant_id: str,
     provider_id: str,
@@ -792,23 +649,6 @@ def security_hub_integration_task(
     return upload_security_hub_integration(tenant_id, provider_id, scan_id)
 
 
-@shared_task(
-    base=RLSTask,
-    name="integration-github",
-    queue="integrations",
-)
-def github_integration_task(
-    tenant_id: str,
-    integration_id: str,
-    repository: str,
-    labels: list[str],
-    finding_ids: list[str],
-):
-    return send_findings_to_github(
-        tenant_id, integration_id, repository, labels, finding_ids
-    )
-
-
 @shared_task(
     base=RLSTask,
     name="integration-jira",
@@ -828,34 +668,19 @@ def jira_integration_task(
 
 @shared_task(
     base=RLSTask,
-    name="scan-compliance-reports",
+    name="scan-threatscore-report",
     queue="scan-reports",
 )
-@handle_provider_deletion
-def generate_compliance_reports_task(tenant_id: str, scan_id: str, provider_id: str):
+def generate_threatscore_report_task(tenant_id: str, scan_id: str, provider_id: str):
     """
-    Optimized task to generate ThreatScore, ENS, and NIS2 reports with shared queries.
-
-    This task is more efficient than running separate report tasks because it reuses database queries:
-    - Provider object fetched once (instead of three times)
-    - Requirement statistics aggregated once (instead of three times)
-    - Can reduce database load by up to 50-70%
-
+    Task to generate a threatscore report for a given scan.
     Args:
         tenant_id (str): The tenant identifier.
         scan_id (str): The scan identifier.
         provider_id (str): The provider identifier.
-
-    Returns:
-        dict: Results for all reports containing upload status and paths.
     """
-    return generate_compliance_reports_job(
-        tenant_id=tenant_id,
-        scan_id=scan_id,
-        provider_id=provider_id,
-        generate_threatscore=True,
-        generate_ens=True,
-        generate_nis2=True,
+    return generate_threatscore_report_job(
+        tenant_id=tenant_id, scan_id=scan_id, provider_id=provider_id
     )
 
 

api/src/backend/tasks/tests/test_backfill.py

@@ -1,97 +1,43 @@
 from uuid import uuid4
 
 import pytest
-from tasks.jobs.backfill import (
-    backfill_compliance_summaries,
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries
 
-from api.models import (
-    ComplianceOverviewSummary,
-    Finding,
-    ResourceScanSummary,
-    Scan,
-    ScanCategorySummary,
-    StateChoices,
-)
-from prowler.lib.check.models import Severity
-from prowler.lib.outputs.finding import Status
-
-
-@pytest.fixture(scope="function")
-def resource_scan_summary_data(scans_fixture):
-    scan = scans_fixture[0]
-    return ResourceScanSummary.objects.create(
-        tenant_id=scan.tenant_id,
-        scan_id=scan.id,
-        resource_id=str(uuid4()),
-        service="aws",
-        region="us-east-1",
-        resource_type="instance",
-    )
-
-
-@pytest.fixture(scope="function")
-def get_not_completed_scans(providers_fixture):
-    provider_id = providers_fixture[0].id
-    tenant_id = providers_fixture[0].tenant_id
-    scan_1 = Scan.objects.create(
-        tenant_id=tenant_id,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.EXECUTING,
-        provider_id=provider_id,
-    )
-    scan_2 = Scan.objects.create(
-        tenant_id=tenant_id,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.AVAILABLE,
-        provider_id=provider_id,
-    )
-    return scan_1, scan_2
-
-
-@pytest.fixture(scope="function")
-def findings_with_categories_fixture(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="test_check",
-        check_metadata={"CheckId": "test_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    return finding
-
-
-@pytest.fixture(scope="function")
-def scan_category_summary_fixture(scans_fixture):
-    scan = scans_fixture[0]
-    return ScanCategorySummary.objects.create(
-        tenant_id=scan.tenant_id,
-        scan=scan,
-        category="existing-category",
-        severity=Severity.critical,
-        total_findings=1,
-        failed_findings=0,
-        new_failed_findings=0,
-    )
+from api.models import ResourceScanSummary, Scan, StateChoices
 
 
 @pytest.mark.django_db
 class TestBackfillResourceScanSummaries:
+    @pytest.fixture(scope="function")
+    def resource_scan_summary_data(self, scans_fixture):
+        scan = scans_fixture[0]
+        return ResourceScanSummary.objects.create(
+            tenant_id=scan.tenant_id,
+            scan_id=scan.id,
+            resource_id=str(uuid4()),
+            service="aws",
+            region="us-east-1",
+            resource_type="instance",
+        )
+
+    @pytest.fixture(scope="function")
+    def get_not_completed_scans(self, providers_fixture):
+        provider_id = providers_fixture[0].id
+        tenant_id = providers_fixture[0].tenant_id
+        scan_1 = Scan.objects.create(
+            tenant_id=tenant_id,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.EXECUTING,
+            provider_id=provider_id,
+        )
+        scan_2 = Scan.objects.create(
+            tenant_id=tenant_id,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.AVAILABLE,
+            provider_id=provider_id,
+        )
+        return scan_1, scan_2
+
     def test_already_backfilled(self, resource_scan_summary_data):
         tenant_id = resource_scan_summary_data.tenant_id
         scan_id = resource_scan_summary_data.scan_id
@@ -131,132 +77,3 @@ class TestBackfillResourceScanSummaries:
             assert summary.service == resource.service
             assert summary.region == resource.region
             assert summary.resource_type == resource.type
-
-    def test_no_resources_to_backfill(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no findings/resources
-        tenant_id = str(scan.tenant_id)
-        scan_id = str(scan.id)
-
-        result = backfill_resource_scan_summaries(tenant_id, scan_id)
-
-        assert result == {"status": "no resources to backfill"}
-
-
-@pytest.mark.django_db
-class TestBackfillComplianceSummaries:
-    def test_already_backfilled(self, scans_fixture):
-        scan = scans_fixture[0]
-        tenant_id = str(scan.tenant_id)
-        ComplianceOverviewSummary.objects.create(
-            tenant_id=scan.tenant_id,
-            scan=scan,
-            compliance_id="aws_account_security_onboarding_aws",
-            requirements_passed=1,
-            requirements_failed=0,
-            requirements_manual=0,
-            total_requirements=1,
-        )
-
-        result = backfill_compliance_summaries(tenant_id, str(scan.id))
-
-        assert result == {"status": "already backfilled"}
-
-    def test_not_completed_scan(self, get_not_completed_scans):
-        for scan in get_not_completed_scans:
-            result = backfill_compliance_summaries(str(scan.tenant_id), str(scan.id))
-            assert result == {"status": "scan is not completed"}
-
-    def test_no_compliance_data(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no compliance rows
-
-        result = backfill_compliance_summaries(str(scan.tenant_id), str(scan.id))
-
-        assert result == {"status": "no compliance data to backfill"}
-
-    def test_backfill_creates_compliance_summaries(
-        self, tenants_fixture, scans_fixture, compliance_requirements_overviews_fixture
-    ):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        result = backfill_compliance_summaries(str(tenant.id), str(scan.id))
-
-        expected = {
-            "aws_account_security_onboarding_aws": {
-                "requirements_passed": 1,
-                "requirements_failed": 1,
-                "requirements_manual": 1,
-                "total_requirements": 3,
-            },
-            "cis_1.4_aws": {
-                "requirements_passed": 0,
-                "requirements_failed": 1,
-                "requirements_manual": 0,
-                "total_requirements": 1,
-            },
-            "mitre_attack_aws": {
-                "requirements_passed": 0,
-                "requirements_failed": 1,
-                "requirements_manual": 0,
-                "total_requirements": 1,
-            },
-        }
-
-        assert result == {"status": "backfilled", "inserted": len(expected)}
-
-        summaries = ComplianceOverviewSummary.objects.filter(
-            tenant_id=str(tenant.id), scan_id=str(scan.id)
-        )
-        assert summaries.count() == len(expected)
-
-        for summary in summaries:
-            assert summary.compliance_id in expected
-            expected_counts = expected[summary.compliance_id]
-            assert summary.requirements_passed == expected_counts["requirements_passed"]
-            assert summary.requirements_failed == expected_counts["requirements_failed"]
-            assert summary.requirements_manual == expected_counts["requirements_manual"]
-            assert summary.total_requirements == expected_counts["total_requirements"]
-
-
-@pytest.mark.django_db
-class TestBackfillScanCategorySummaries:
-    def test_already_backfilled(self, scan_category_summary_fixture):
-        tenant_id = scan_category_summary_fixture.tenant_id
-        scan_id = scan_category_summary_fixture.scan_id
-
-        result = backfill_scan_category_summaries(str(tenant_id), str(scan_id))
-
-        assert result == {"status": "already backfilled"}
-
-    def test_not_completed_scan(self, get_not_completed_scans):
-        for scan in get_not_completed_scans:
-            result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-            assert result == {"status": "scan is not completed"}
-
-    def test_no_categories_to_backfill(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no findings
-        result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-        assert result == {"status": "no categories to backfill"}
-
-    def test_successful_backfill(self, findings_with_categories_fixture):
-        finding = findings_with_categories_fixture
-        tenant_id = str(finding.tenant_id)
-        scan_id = str(finding.scan_id)
-
-        result = backfill_scan_category_summaries(tenant_id, scan_id)
-
-        # 2 categories × 1 severity = 2 rows
-        assert result == {"status": "backfilled", "categories_count": 2}
-
-        summaries = ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        )
-        assert summaries.count() == 2
-        categories = set(summaries.values_list("category", flat=True))
-        assert categories == {"gen-ai", "security"}
-
-        for summary in summaries:
-            assert summary.severity == Severity.critical
-            assert summary.total_findings == 1
-            assert summary.failed_findings == 1
-            assert summary.new_failed_findings == 1