chore(ci): update UI E2E tests workflow for cloud environments

- Rename workflow to 'UI - E2E Cloud Tests' - Add support for dev, stg, and pro environments - Add workflow_run trigger after API/UI deployments - Add workflow_dispatch for manual environment selection - Add Tailscale setup for VPN access to non-prod environments - Add deployment verification steps for STG and PRO - Update environment variables for cloud-based testing - Remove local docker-compose setup in favor of cloud APIs
2026-05-18 02:03:26 +00:00 · 2025-12-10 10:15:42 +01:00
217 changed files with 4502 additions and 10174 deletions
@@ -1,20 +0,0 @@
-# Gentleman Guardian Angel (gga) Configuration
-# https://github.com/Gentleman-Programming/gentleman-guardian-angel
-
-# AI Provider (required)
-# Options: claude, gemini, codex, ollama:<model>
-PROVIDER="claude"
-
-# File patterns to include in review (comma-separated globs)
-# Review both TypeScript (UI) and Python (SDK, API, MCP) files
-FILE_PATTERNS="*.ts,*.tsx,*.js,*.jsx,*.py"
-
-# File patterns to exclude from review (comma-separated globs)
-# Excludes: test files, type definitions, and api/ folder (no AGENTS.md yet)
-EXCLUDE_PATTERNS="*.test.ts,*.test.tsx,*.spec.ts,*.spec.tsx,*.d.ts,*_test.py,test_*.py,conftest.py,api/*"
-
-# File containing your coding standards (relative to repo root)
-RULES_FILE="AGENTS-CODE-REVIEW.md"
-
-# Strict mode: fail if AI response is ambiguous (recommended)
-STRICT_MODE="true"
@@ -20,7 +20,6 @@ env:

 jobs:
  api-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -44,7 +43,6 @@ jobs:
          ignore: DL3013

  api-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
@@ -92,7 +90,7 @@ jobs:
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

      - name: Scan container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
@@ -20,7 +20,6 @@ env:

 jobs:
  mcp-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -43,7 +42,6 @@ jobs:
          dockerfile: mcp_server/Dockerfile

  mcp-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
@@ -90,7 +88,7 @@ jobs:
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
@@ -104,7 +104,7 @@ jobs:
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
@@ -20,7 +20,6 @@ env:

 jobs:
  ui-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
@@ -44,7 +43,6 @@ jobs:
          ignore: DL3018

  ui-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
@@ -94,7 +92,7 @@ jobs:
            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

      - name: Scan UI container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
@@ -1,4 +1,4 @@
-name: UI - E2E Tests
+name: UI - E2E Cloud Tests

 on:
  pull_request:
@@ -6,125 +6,185 @@ on:
      - master
      - "v5.*"
    paths:
-      - '.github/workflows/ui-e2e-tests.yml'
-      - 'ui/**'
+      - ".github/workflows/ui-e2e-tests.yml"
+      - "ui/**"
+  push:
+    branches:
+      - master
+      - "v5.*"
+    paths:
+      - ".github/workflows/ui-e2e-cloud-tests.yml"
+      - "ui/**"
+  workflow_run:
+    workflows:
+      - "API - Build, Push and Deploy"
+      - "UI - Build, Push and Deploy"
+    types: [completed]
+    branches: [master, v5.*]
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment to test"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - stg
+          - pro
+
+permissions:
+  id-token: write
+  contents: read
+  actions: read

 jobs:
-
  e2e-tests:
-    if: github.repository == 'prowler-cloud/prowler'
+    if: github.repository == 'prowler-cloud/prowler-cloud'
    runs-on: ubuntu-latest
    env:
-      AUTH_SECRET: 'fallback-ci-secret-for-testing'
-      AUTH_TRUST_HOST: true
-      NEXTAUTH_URL: 'http://localhost:3000'
-      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
-      E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
-      E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
-      E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
-      E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
-      E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
-      E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
-      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
-      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
-      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
-      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
-      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
-      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
-      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
-      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
-      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-
+      NEXTAUTH_URL: "http://localhost:3000"
+      AUTH_SECRET: "fallback-ci-secret-for-testing"
+      AUTH_TRUST_HOST: "true"
    steps:
+      - name: Determine environment
+        id: env
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" || "${{ github.event_name }}" == "push" ]]; then
+            echo "environment=dev" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "workflow_run" && "${{ github.event.workflow_run.conclusion }}" == "success" && "${{ github.event.workflow_run.event }}" == "release" ]]; then
+            echo "environment=stg" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_OUTPUT
+          else
+            echo "Unknown trigger, skipping..."
+            exit 1
+          fi
+      - name: Set environment variables
+        id: vars
+        run: |
+          case "${{ steps.env.outputs.environment }}" in
+            "dev")
+              echo "api_url=https://api.dev.prowler.com/api/v1" >> $GITHUB_OUTPUT
+              echo "e2e_user_secret=DEV_E2E_USER" >> $GITHUB_OUTPUT
+              echo "e2e_password_secret=DEV_E2E_PASSWORD" >> $GITHUB_OUTPUT
+              echo "environment_name=DEV" >> $GITHUB_OUTPUT
+              ;;
+            "stg")
+              echo "api_url=https://api.stg.prowler.com/api/v1" >> $GITHUB_OUTPUT
+              echo "e2e_user_secret=STG_E2E_USER" >> $GITHUB_OUTPUT
+              echo "e2e_password_secret=STG_E2E_PASSWORD" >> $GITHUB_OUTPUT
+              echo "environment_name=STG" >> $GITHUB_OUTPUT
+              ;;
+            "pro")
+              echo "api_url=https://api.prowler.com/api/v1" >> $GITHUB_OUTPUT
+              echo "e2e_user_secret=PRO_E2E_USER" >> $GITHUB_OUTPUT
+              echo "e2e_password_secret=PRO_E2E_PASSWORD" >> $GITHUB_OUTPUT
+              echo "environment_name=PRO" >> $GITHUB_OUTPUT
+              ;;
+          esac
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
+      - name: Environment info
+        env:
+          ENV_NAME: ${{ steps.vars.outputs.environment_name }}
+          API_URL: ${{ steps.vars.outputs.api_url }}
+        run: |
+          echo "Environment: $ENV_NAME"
+          echo "API URL: $API_URL"
+          echo "Workflow: ${{ github.workflow }}"
+          echo "Event: ${{ github.event_name }}"
+          echo "Started at: $(date)"
+      - name: Verify both STG deployments completed
+        if: steps.env.outputs.environment == 'stg'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Verifying that both API and UI deployments completed successfully..."
+
+          # Get the latest runs for both workflows triggered by the same release
+          API_RUN=$(gh run list --workflow="API - Build, Push and Deploy" --event=release --limit=1 --json status,conclusion,createdAt --jq '.[0]')
+          API_STATUS=$(echo "$API_RUN" | jq -r '.status')
+          API_CONCLUSION=$(echo "$API_RUN" | jq -r '.conclusion')
+
+          UI_RUN=$(gh run list --workflow="UI - Build, Push and Deploy" --event=release --limit=1 --json status,conclusion,createdAt --jq '.[0]')
+          UI_STATUS=$(echo "$UI_RUN" | jq -r '.status')
+          UI_CONCLUSION=$(echo "$UI_RUN" | jq -r '.conclusion')
+
+          echo "API workflow - Status: $API_STATUS, Conclusion: $API_CONCLUSION"
+          echo "UI workflow - Status: $UI_STATUS, Conclusion: $UI_CONCLUSION"
+
+          # Verify both workflows completed successfully
+          if [[ "$API_STATUS" != "completed" || "$API_CONCLUSION" != "success" ]]; then
+            echo "API deployment not ready (Status: $API_STATUS, Conclusion: $API_CONCLUSION)"
+            exit 1
+          fi
+
+          if [[ "$UI_STATUS" != "completed" || "$UI_CONCLUSION" != "success" ]]; then
+            echo "UI deployment not ready (Status: $UI_STATUS, Conclusion: $UI_CONCLUSION)"
+            exit 1
+          fi
+
+          echo "Both API and UI deployments completed successfully for STG"
+      - name: Verify both PRO deployments completed
+        if: steps.env.outputs.environment == 'pro'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Verifying that both API and UI deployments completed successfully..."
+
+          # Get the latest manual runs for both workflows
+          API_RUN=$(gh run list --workflow="API - Build, Push and Deploy" --event=workflow_dispatch --limit=1 --json status,conclusion,createdAt --jq '.[0]')
+          API_STATUS=$(echo "$API_RUN" | jq -r '.status')
+          API_CONCLUSION=$(echo "$API_RUN" | jq -r '.conclusion')
+
+          UI_RUN=$(gh run list --workflow="UI - Build, Push and Deploy" --event=workflow_dispatch --limit=1 --json status,conclusion,createdAt --jq '.[0]')
+          UI_STATUS=$(echo "$UI_RUN" | jq -r '.status')
+          UI_CONCLUSION=$(echo "$UI_RUN" | jq -r '.conclusion')
+
+          echo "API workflow - Status: $API_STATUS, Conclusion: $API_CONCLUSION"
+          echo "UI workflow - Status: $UI_STATUS, Conclusion: $UI_CONCLUSION"
+
+          # Verify both workflows completed successfully
+          if [[ "$API_STATUS" != "completed" || "$API_CONCLUSION" != "success" ]]; then
+            echo "API deployment not ready (Status: $API_STATUS, Conclusion: $API_CONCLUSION)"
+            exit 1
+          fi
+
+          if [[ "$UI_STATUS" != "completed" || "$UI_CONCLUSION" != "success" ]]; then
+            echo "UI deployment not ready (Status: $UI_STATUS, Conclusion: $UI_CONCLUSION)"
+            exit 1
+          fi
+
+          echo "Both API and UI deployments completed successfully for PRO"
+      - name: Setup Tailscale
+        if: steps.env.outputs.environment != 'pro'
+        uses: tailscale/github-action@84a3f23bb4d843bcf4da6cf824ec1be473daf4de # v3.2.3
        with:
-          cluster_name: kind
-      - name: Modify kubeconfig
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:github-actions
+      - name: Verify API is accessible
+        env:
+          API_URL: ${{ steps.vars.outputs.api_url }}
+          ENV_NAME: ${{ steps.vars.outputs.environment_name }}
        run: |
-            # Modify the kubeconfig to use the kind cluster server to https://kind-control-plane:6443
-            # from worker service into docker-compose.yml
-            kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-            kubectl config view
-      - name: Add network kind to docker compose
-        run: |
-          # Add the network kind to the docker compose to interconnect to kind cluster
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          # Add network kind to worker service and default network too
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
-      - name: Fix API data directory permissions
-        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-      - name: Add AWS credentials for testing AWS SDK Default Adding Provider
-        run: |
-          echo "Adding AWS credentials for testing AWS SDK Default Adding Provider..."
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
-      - name: Start API services
-        run: |
-          # Override docker-compose image tag to use latest instead of stable
-          # This overrides any PROWLER_API_VERSION set in .env file
-          export PROWLER_API_VERSION=latest
-          echo "Using PROWLER_API_VERSION=${PROWLER_API_VERSION}"
-          docker compose up -d api worker worker-beat
-      - name: Wait for API to be ready
-        run: |
-          echo "Waiting for prowler-api..."
-          timeout=150  # 5 minutes max
-          elapsed=0
-          while [ $elapsed -lt $timeout ]; do
-            if curl -s ${NEXT_PUBLIC_API_BASE_URL}/docs >/dev/null 2>&1; then
-              echo "Prowler API is ready!"
-              exit 0
-            fi
-            echo "Waiting for prowler-api... (${elapsed}s elapsed)"
-            sleep 5
-            elapsed=$((elapsed + 5))
-          done
-          echo "Timeout waiting for prowler-api to start"
-          exit 1
-      - name: Load database fixtures for E2E tests
-        run: |
-          docker compose exec -T api sh -c '
-            echo "Loading all fixtures from api/fixtures/dev/..."
-            for fixture in api/fixtures/dev/*.json; do
-              if [ -f "$fixture" ]; then
-                echo "Loading $fixture"
-                poetry run python manage.py loaddata "$fixture" --database admin
-              fi
-            done
-            echo "All database fixtures loaded successfully!"
-          '
+          echo "Checking $ENV_NAME API at $API_URL/docs..."
+          curl -f --connect-timeout 30 --max-time 60 ${API_URL}/docs
+          echo "$ENV_NAME API is accessible"
      - name: Setup Node.js environment
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
-          node-version: '20.x'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+          node-version: "20.x"
+      - name: Install pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
        with:
-          version: 10
+          version: 9
          run_install: false
      - name: Get pnpm store directory
        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
      - name: Setup pnpm cache
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
@@ -137,6 +197,10 @@ jobs:
        run: pnpm install --frozen-lockfile
      - name: Build UI application
        working-directory: ./ui
+        env:
+          NEXT_PUBLIC_API_BASE_URL: ${{ steps.vars.outputs.api_url }}
+          NEXT_PUBLIC_IS_CLOUD_ENV: "true"
+          CLOUD_API_BASE_URL: ${{ steps.vars.outputs.api_url }}
        run: pnpm run build
      - name: Cache Playwright browsers
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -152,17 +216,50 @@ jobs:
        run: pnpm run test:e2e:install
      - name: Run E2E tests
        working-directory: ./ui
-        run: pnpm run test:e2e
+        env:
+          NEXT_PUBLIC_API_BASE_URL: ${{ steps.vars.outputs.api_url }}
+          NEXT_PUBLIC_IS_CLOUD_ENV: "true"
+          CLOUD_API_BASE_URL: ${{ steps.vars.outputs.api_url }}
+          E2E_USER: ${{ secrets[steps.vars.outputs.e2e_user_secret] }}
+          E2E_PASSWORD: ${{ secrets[steps.vars.outputs.e2e_password_secret] }}
+          E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
+          E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
+          E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
+          E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
+          E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
+          E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
+          E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
+          E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
+          E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
+          E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
+          E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
+          E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
+          E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
+          E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
+          E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
+          E2E_KUBERNETES_CONTEXT: "kind-kind"
+          E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
+          E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
+          E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
+          E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
+          E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
+          E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
+          E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
+          E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
+          E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
+          E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
+          E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
+          E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
+          E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
+          E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
+          E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
+          E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
+
+        run: pnpm run test:e2e-cloud
      - name: Upload test reports
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: failure()
+        if: always()
        with:
-          name: playwright-report
+          name: playwright-report-${{ steps.env.outputs.environment }}-${{ github.run_number }}
          path: ui/playwright-report/
          retention-days: 30
-      - name: Cleanup services
-        if: always()
-        run: |
-          echo "Shutting down services..."
-          docker compose down -v || true
-          echo "Cleanup completed"
@@ -82,6 +82,7 @@ repos:
        args: ["--directory=./"]
        pass_filenames: false

+
  - repo: https://github.com/hadolint/hadolint
    rev: v2.13.0-beta
    hooks:
@@ -128,20 +129,9 @@ repos:

      - id: ui-checks
        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (healthcheck + build)"
+        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
        entry: bash -c 'cd ui && .husky/pre-commit'
        language: system
        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
        pass_filenames: false
        verbose: true
-
-      - id: gga
-        name: Gentleman Guardian Angel (AI Code Review)
-        description: "AI-powered code review - runs last after all formatters/linters"
-        entry: ./scripts/gga-review.sh
-        language: system
-        files: '\.(ts|tsx|js|jsx|py)$'
-        exclude: '(\.test\.|\.spec\.|_test\.py|test_.*\.py|conftest\.py|\.d\.ts)'
-        pass_filenames: false
-        stages: ["pre-commit"]
-        verbose: true
@@ -1,89 +0,0 @@
-# Code Review Rules
-
-## References
-
- UI details: `ui/AGENTS.md`
- SDK details: `prowler/AGENTS.md`
- MCP details: `mcp_server/AGENTS.md`
-
---
-
-## ALL FILES
-
-REJECT if:
-
- Hardcoded secrets/credentials
- `any` type (TypeScript) or missing type hints (Python)
- Code duplication (violates DRY)
- Silent error handling (no logging)
-
---
-
-## TypeScript/React (ui/)
-
-REJECT if:
-
- `import React` or `import * as React` → use `import { useState }`
- Union types `type X = "a" | "b"` → use `const X = {...} as const`
- `var()` or hex colors in className → use Tailwind classes
- `useMemo` or `useCallback` without justification (React 19 Compiler)
- `z.string().email()` → use `z.email()` (Zod v4)
- `z.string().nonempty()` → use `z.string().min(1)` (Zod v4)
- Missing `"use client"` in client components
- Missing `"use server"` in server actions
- Images without `alt` attribute
- Interactive elements without `aria` labels
- Non-semantic HTML when semantic exists
-
-PREFER:
-
- `components/shadcn/` over custom components
- `cn()` for conditional/merged classes
- Local files if used 1 place, `components/shared/` if 2+
- Responsive classes: `sm:`, `md:`, `lg:`, `xl:`
-
-EXCEPTION:
-
- `var()` allowed in chart/graph component props (not className)
-
---
-
-## Python (prowler/, mcp_server/)
-
-REJECT if:
-
- Missing type hints on public functions
- Missing docstrings on classes/public methods
- Bare `except:` without specific exception
- `print()` instead of `logger`
-
-REQUIRE for SDK checks:
-
- Inherit from `Check`
- `execute()` returns `list[CheckReport]`
- `report.status` = `"PASS"` | `"FAIL"`
- `.metadata.json` file exists
-
-REQUIRE for MCP tools:
-
- Extend `BaseTool` (auto-registration)
- `MinimalSerializerMixin` for responses
- `from_api_response()` for API transforms
-
---
-
-## Response Format
-
-FIRST LINE must be exactly:
-
-```
-STATUS: PASSED
-```
-
-or
-
-```
-STATUS: FAILED
-```
-
-If FAILED, list: `file:line - rule - issue`
@@ -6,7 +6,7 @@
  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
-<b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>

 <p align="center">
@@ -23,7 +23,6 @@
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,32 +35,28 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
 </p>

 # Description

-**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is an open-source security tool designed to assess and enforce security best practices across AWS, Azure, Google Cloud, and Kubernetes. It supports tasks such as security audits, incident response, continuous monitoring, system hardening, forensic readiness, and remediation processes.

 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:

- **Prowler ThreatScore:** Weighted risk prioritization scoring that helps you focus on the most critical security findings first
- **Industry Standards:** CIS, NIST 800, NIST CSF, CISA, and MITRE ATT&CK
- **Regulatory Compliance and Governance:** RBI, FedRAMP, PCI-DSS, and NIS2
+- **Industry Standards:** CIS, NIST 800, NIST CSF, and CISA
+- **Regulatory Compliance and Governance:** RBI, FedRAMP, and PCI-DSS
 - **Frameworks for Sensitive Data and Privacy:** GDPR, HIPAA, and FFIEC
- **Frameworks for Organizational Governance and Quality Control:** SOC2, GXP, and ISO 27001
- **Cloud-Specific Frameworks:** AWS Foundational Technical Review (FTR), AWS Well-Architected Framework, and BSI C5
- **National Security Standards:** ENS (Spanish National Security Scheme) and KISA ISMS-P (Korean)
+- **Frameworks for Organizational Governance and Quality Control:** SOC2 and GXP
+- **AWS-Specific Frameworks:** AWS Foundational Technical Review (FTR) and AWS Well-Architected Framework (Security Pillar)
+- **National Security Standards:** ENS (Spanish National Security Scheme)
 - **Custom Security Frameworks:** Tailored to your needs

-## Prowler App / Prowler Cloud
+## Prowler App

-Prowler App / [Prowler Cloud](https://cloud.prowler.com/) is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.
+Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

 ![Prowler App](docs/images/products/overview.png)
-![Risk Pipeline](docs/images/products/risk-pipeline.png)
-![Threat Map](docs/images/products/threat-map.png)
-

 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)

@@ -87,16 +82,16 @@ prowler dashboard

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 584 | 85 | 40 | 17 | Official | UI, API, CLI |
-| GCP | 89 | 17 | 14 | 5 | Official | UI, API, CLI |
-| Azure | 169 | 22 | 15 | 8 | Official | UI, API, CLI |
-| Kubernetes | 84 | 7 | 6 | 9 | Official | UI, API, CLI |
-| GitHub | 20 | 2 | 1 | 2 | Official | UI, API, CLI |
+| AWS | 576 | 82 | 39 | 10 | Official | UI, API, CLI |
+| GCP | 79 | 13 | 13 | 3 | Official | UI, API, CLI |
+| Azure | 162 | 19 | 13 | 4 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | UI, API, CLI |
+| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
 | M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
-| OCI | 52 | 15 | 1 | 12 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 10 | 1 | 9 | Official | CLI |
+| OCI | 51 | 13 | 1 | 10 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 1 | 9 | Official | CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 4 | 0 | 3 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

@@ -2,28 +2,7 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.17.0] (Prowler UNRELEASED)
-
-### Added
- New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
-
-### Changed
- Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- OpenAI provider to only load chat-compatible models with tool calling support [(#9523)](https://github.com/prowler-cloud/prowler/pull/9523)
- Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)
-
-### Fixed
- Make `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
-
---
-
-## [1.16.1] (Prowler v5.15.1)
-
-### Fixed
- Race condition in scheduled scan creation by adding countdown to task [(#9516)](https://github.com/prowler-cloud/prowler/pull/9516)
-
-## [1.16.0] (Prowler v5.15.0)
+## [1.16.0] (Unreleased)

 ### Added
 - New endpoint to retrieve an overview of the attack surfaces [(#9309)](https://github.com/prowler-cloud/prowler/pull/9309)
@@ -33,6 +12,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Support to use admin credentials through the read replica database [(#9440)](https://github.com/prowler-cloud/prowler/pull/9440)

 ### Changed
+
 - Error messages from Lighthouse celery tasks [(#9165)](https://github.com/prowler-cloud/prowler/pull/9165)
 - Restore the compliance overview endpoint's mandatory filters [(#9338)](https://github.com/prowler-cloud/prowler/pull/9338)

@@ -40,6 +40,7 @@ class ApiConfig(AppConfig):
            self._ensure_crypto_keys()

        load_prowler_compliance()
+        self._initialize_attack_surface_mapping()

    def _ensure_crypto_keys(self):
        """
@@ -167,3 +168,13 @@ class ApiConfig(AppConfig):
                f"Error generating JWT keys: {e}. Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
            )
            raise e
+
+    def _initialize_attack_surface_mapping(self):
+        from tasks.jobs.scan import (  # noqa: F401
+            _get_attack_surface_mapping_from_provider,
+        )
+
+        from api.models import Provider  # noqa: F401
+
+        for provider_type, _label in Provider.ProviderChoices.choices:
+            _get_attack_surface_mapping_from_provider(provider_type)
@@ -43,7 +43,6 @@ from api.models import (
    ResourceTag,
    Role,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    SeverityChoices,
    StateChoices,
@@ -158,9 +157,6 @@ class CommonFindingFilters(FilterSet):
        field_name="resources__type", lookup_expr="icontains"
    )

-    category = CharFilter(method="filter_category")
-    category__in = CharInFilter(field_name="categories", lookup_expr="overlap")
-
    # Temporarily disabled until we implement tag filtering in the UI
    # resource_tag_key = CharFilter(field_name="resources__tags__key")
    # resource_tag_key__in = CharInFilter(
@@ -192,9 +188,6 @@ class CommonFindingFilters(FilterSet):
    def filter_resource_type(self, queryset, name, value):
        return queryset.filter(resource_types__contains=[value])

-    def filter_category(self, queryset, name, value):
-        return queryset.filter(categories__contains=[value])
-
    def filter_resource_tag(self, queryset, name, value):
        overall_query = Q()
        for key_value_pair in value:
@@ -769,7 +762,7 @@ class RoleFilter(FilterSet):

 class ComplianceOverviewFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan_id", required=True)
+    scan_id = UUIDFilter(field_name="scan_id")
    region = CharFilter(field_name="region")

    class Meta:
@@ -1103,22 +1096,3 @@ class AttackSurfaceOverviewFilter(FilterSet):
    class Meta:
        model = AttackSurfaceOverview
        fields = {}
-
-
-class CategoryOverviewFilter(FilterSet):
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-    category = CharFilter(field_name="category", lookup_expr="exact")
-    category__in = CharInFilter(field_name="category", lookup_expr="in")
-
-    class Meta:
-        model = ScanCategorySummary
-        fields = {}
@@ -1,30 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-10
-
-from django.db import migrations
-from tasks.tasks import backfill_daily_severity_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Trigger the backfill task for all tenants.
-
-    This dispatches backfill_daily_severity_summaries_task for each tenant
-    in the system to populate DailySeveritySummary records from historical scans.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_daily_severity_summaries_task.delay(tenant_id=str(tenant_id), days=90)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0061_daily_severity_summary"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]
@@ -1,108 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0062_backfill_daily_severity_summaries"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ScanCategorySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                (
-                    "tenant_id",
-                    models.UUIDField(db_index=True, editable=False),
-                ),
-                (
-                    "inserted_at",
-                    models.DateTimeField(auto_now_add=True),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="category_summaries",
-                        related_query_name="category_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "category",
-                    models.CharField(max_length=100),
-                ),
-                (
-                    "severity",
-                    api.db_utils.SeverityEnumField(
-                        choices=[
-                            ("critical", "Critical"),
-                            ("high", "High"),
-                            ("medium", "Medium"),
-                            ("low", "Low"),
-                            ("informational", "Informational"),
-                        ],
-                        max_length=50,
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0, help_text="Non-muted findings (PASS + FAIL)"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL findings (subset of total_findings)",
-                    ),
-                ),
-                (
-                    "new_failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "scan_category_summaries",
-            },
-        ),
-        migrations.AddIndex(
-            model_name="scancategorysummary",
-            index=models.Index(
-                fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_scancategorysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -1,21 +0,0 @@
-import django.contrib.postgres.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0063_scan_category_summary"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="finding",
-            name="categories",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.CharField(max_length=100),
-                blank=True,
-                null=True,
-                size=None,
-            ),
-        ),
-    ]
@@ -868,14 +868,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
        null=True,
    )

-    # Check metadata denormalization
-    categories = ArrayField(
-        models.CharField(max_length=100),
-        blank=True,
-        null=True,
-        help_text="Categories from check metadata for efficient filtering",
-    )
-
    # Relationships
    scan = models.ForeignKey(to=Scan, related_name="findings", on_delete=models.CASCADE)

@@ -1959,64 +1951,6 @@ class ResourceScanSummary(RowLevelSecurityProtectedModel):
        ]


-class ScanCategorySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated category metrics per scan by severity.
-
-    Stores one row per (category, severity) combination per scan for efficient
-    overview queries. Categories come from check_metadata.categories.
-
-    Count relationships (each is a subset of the previous):
-        - total_findings >= failed_findings >= new_failed_findings
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="category_summaries",
-        related_query_name="category_summary",
-    )
-
-    category = models.CharField(max_length=100)
-    severity = SeverityEnumField(choices=SeverityChoices)
-
-    total_findings = models.IntegerField(
-        default=0, help_text="Non-muted findings (PASS + FAIL)"
-    )
-    failed_findings = models.IntegerField(
-        default=0, help_text="Non-muted FAIL findings (subset of total_findings)"
-    )
-    new_failed_findings = models.IntegerField(
-        default=0,
-        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-    )
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "scan_category_summaries"
-
-        indexes = [
-            models.Index(fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"),
-        ]
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "scan-category-summaries"
-
-
 class LighthouseConfiguration(RowLevelSecurityProtectedModel):
    """
    Stores configuration and API keys for LLM services.
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.17.0
+  version: 1.16.0
  description: |-
    Prowler API specification.

@@ -711,7 +711,6 @@ paths:
            - severity
            - check_id
            - check_metadata
-            - categories
            - raw_result
            - inserted_at
            - updated_at
@@ -724,19 +723,6 @@ paths:
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
      - in: query
        name: filter[check_id]
        schema:
@@ -1219,7 +1205,6 @@ paths:
            - severity
            - check_id
            - check_metadata
-            - categories
            - raw_result
            - inserted_at
            - updated_at
@@ -1280,19 +1265,6 @@ paths:
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
      - in: query
        name: filter[check_id]
        schema:
@@ -1750,7 +1722,6 @@ paths:
            - severity
            - check_id
            - check_metadata
-            - categories
            - raw_result
            - inserted_at
            - updated_at
@@ -1763,19 +1734,6 @@ paths:
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
      - in: query
        name: filter[check_id]
        schema:
@@ -2193,23 +2151,9 @@ paths:
            - services
            - regions
            - resource_types
-            - categories
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
      - in: query
        name: filter[check_id]
        schema:
@@ -2665,23 +2609,9 @@ paths:
            - services
            - regions
            - resource_types
-            - categories
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
      - in: query
        name: filter[check_id]
        schema:
@@ -4569,7 +4499,7 @@ paths:
          description: No response body
  /api/v1/overviews/attack-surfaces:
    get:
-      operationId: overviews_attack_surfaces_list
+      operationId: overviews_attack_surfaces_retrieve
      description: Retrieve aggregated attack surface metrics from latest completed
        scans per provider.
      summary: Get attack surface overview
@@ -4585,116 +4515,31 @@ paths:
            - total_findings
            - failed_findings
            - muted_failed_findings
+            - check_ids
        description: endpoint return only specific fields in the response on a per-type
          basis by including a fields[TYPE] query parameter.
        explode: false
+      - in: query
+        name: filter[provider_id.in]
+        schema:
+          type: string
+        description: Filter by multiple provider IDs (comma-separated UUIDs)
      - in: query
        name: filter[provider_id]
        schema:
          type: string
          format: uuid
+        description: Filter by specific provider ID
      - in: query
-        name: filter[provider_id__in]
+        name: filter[provider_type.in]
        schema:
-          type: array
-          items:
-            type: string
-            format: uuid
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
+          type: string
+        description: Filter by multiple provider types (comma-separated)
      - in: query
        name: filter[provider_type]
        schema:
          type: string
-          x-spec-enum-id: eca8c51e6bd28935
-          enum:
-          - aws
-          - azure
-          - gcp
-          - github
-          - iac
-          - kubernetes
-          - m365
-          - mongodbatlas
-          - oraclecloud
-        description: |-
-          * `aws` - AWS
-          * `azure` - Azure
-          * `gcp` - GCP
-          * `kubernetes` - Kubernetes
-          * `m365` - M365
-          * `github` - GitHub
-          * `mongodbatlas` - MongoDB Atlas
-          * `iac` - IaC
-          * `oraclecloud` - Oracle Cloud Infrastructure
-      - in: query
-        name: filter[provider_type__in]
-        schema:
-          type: array
-          items:
-            type: string
-            x-spec-enum-id: eca8c51e6bd28935
-            enum:
-            - aws
-            - azure
-            - gcp
-            - github
-            - iac
-            - kubernetes
-            - m365
-            - mongodbatlas
-            - oraclecloud
-        description: |-
-          Multiple values may be separated by commas.
-
-          * `aws` - AWS
-          * `azure` - Azure
-          * `gcp` - GCP
-          * `kubernetes` - Kubernetes
-          * `m365` - M365
-          * `github` - GitHub
-          * `mongodbatlas` - MongoDB Atlas
-          * `iac` - IaC
-          * `oraclecloud` - Oracle Cloud Infrastructure
-        explode: false
-        style: form
-      - name: filter[search]
-        required: false
-        in: query
-        description: A search term.
-        schema:
-          type: string
-      - name: page[number]
-        required: false
-        in: query
-        description: A page number within the paginated result set.
-        schema:
-          type: integer
-      - name: page[size]
-        required: false
-        in: query
-        description: Number of results to return per page.
-        schema:
-          type: integer
-      - name: sort
-        required: false
-        in: query
-        description: '[list of fields to sort by](https://jsonapi.org/format/#fetching-sorting)'
-        schema:
-          type: array
-          items:
-            type: string
-            enum:
-            - id
-            - -id
-            - total_findings
-            - -total_findings
-            - failed_findings
-            - -failed_findings
-            - muted_failed_findings
-            - -muted_failed_findings
-        explode: false
+        description: Filter by provider type (aws, azure, gcp, etc.)
      tags:
      - Overview
      security:
@@ -4704,164 +4549,7 @@ paths:
          content:
            application/vnd.api+json:
              schema:
-                $ref: '#/components/schemas/PaginatedAttackSurfaceOverviewList'
-          description: ''
-  /api/v1/overviews/categories:
-    get:
-      operationId: overviews_categories_list
-      description: 'Retrieve aggregated category metrics from latest completed scans
-        per provider. Returns one row per category with total, failed, and new failed
-        findings counts, plus a severity breakdown showing failed findings per severity
-        level. '
-      summary: Get category overview
-      parameters:
-      - in: query
-        name: fields[category-overviews]
-        schema:
-          type: array
-          items:
-            type: string
-            enum:
-            - id
-            - total_findings
-            - failed_findings
-            - new_failed_findings
-            - severity
-        description: endpoint return only specific fields in the response on a per-type
-          basis by including a fields[TYPE] query parameter.
-        explode: false
-      - in: query
-        name: filter[category]
-        schema:
-          type: string
-      - in: query
-        name: filter[category__in]
-        schema:
-          type: array
-          items:
-            type: string
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
-      - in: query
-        name: filter[provider_id]
-        schema:
-          type: string
-          format: uuid
-      - in: query
-        name: filter[provider_id__in]
-        schema:
-          type: array
-          items:
-            type: string
-            format: uuid
-        description: Multiple values may be separated by commas.
-        explode: false
-        style: form
-      - in: query
-        name: filter[provider_type]
-        schema:
-          type: string
-          x-spec-enum-id: eca8c51e6bd28935
-          enum:
-          - aws
-          - azure
-          - gcp
-          - github
-          - iac
-          - kubernetes
-          - m365
-          - mongodbatlas
-          - oraclecloud
-        description: |-
-          * `aws` - AWS
-          * `azure` - Azure
-          * `gcp` - GCP
-          * `kubernetes` - Kubernetes
-          * `m365` - M365
-          * `github` - GitHub
-          * `mongodbatlas` - MongoDB Atlas
-          * `iac` - IaC
-          * `oraclecloud` - Oracle Cloud Infrastructure
-      - in: query
-        name: filter[provider_type__in]
-        schema:
-          type: array
-          items:
-            type: string
-            x-spec-enum-id: eca8c51e6bd28935
-            enum:
-            - aws
-            - azure
-            - gcp
-            - github
-            - iac
-            - kubernetes
-            - m365
-            - mongodbatlas
-            - oraclecloud
-        description: |-
-          Multiple values may be separated by commas.
-
-          * `aws` - AWS
-          * `azure` - Azure
-          * `gcp` - GCP
-          * `kubernetes` - Kubernetes
-          * `m365` - M365
-          * `github` - GitHub
-          * `mongodbatlas` - MongoDB Atlas
-          * `iac` - IaC
-          * `oraclecloud` - Oracle Cloud Infrastructure
-        explode: false
-        style: form
-      - name: filter[search]
-        required: false
-        in: query
-        description: A search term.
-        schema:
-          type: string
-      - name: page[number]
-        required: false
-        in: query
-        description: A page number within the paginated result set.
-        schema:
-          type: integer
-      - name: page[size]
-        required: false
-        in: query
-        description: Number of results to return per page.
-        schema:
-          type: integer
-      - name: sort
-        required: false
-        in: query
-        description: '[list of fields to sort by](https://jsonapi.org/format/#fetching-sorting)'
-        schema:
-          type: array
-          items:
-            type: string
-            enum:
-            - id
-            - -id
-            - total_findings
-            - -total_findings
-            - failed_findings
-            - -failed_findings
-            - new_failed_findings
-            - -new_failed_findings
-            - severity
-            - -severity
-        explode: false
-      tags:
-      - Overview
-      security:
-      - JWT or API Key: []
-      responses:
-        '200':
-          content:
-            application/vnd.api+json:
-              schema:
-                $ref: '#/components/schemas/PaginatedCategoryOverviewList'
+                $ref: '#/components/schemas/AttackSurfaceOverviewResponse'
          description: ''
  /api/v1/overviews/findings:
    get:
@@ -5263,7 +4951,7 @@ paths:
      summary: Get findings severity data over time
      parameters:
      - in: query
-        name: fields[findings-severity-over-time]
+        name: fields[findings-severity-timeseries]
        schema:
          type: array
          items:
@@ -5284,12 +4972,10 @@ paths:
        name: filter[date_from]
        schema:
          type: string
-          format: date
      - in: query
        name: filter[date_to]
        schema:
          type: string
-          format: date
      - in: query
        name: filter[provider_id]
        schema:
@@ -11160,46 +10846,23 @@ components:
              type: integer
            muted_failed_findings:
              type: integer
+            check_ids:
+              type: array
+              items:
+                type: string
+              readOnly: true
          required:
          - id
          - total_findings
          - failed_findings
          - muted_failed_findings
-    CategoryOverview:
+    AttackSurfaceOverviewResponse:
      type: object
-      required:
-      - type
-      - id
-      additionalProperties: false
      properties:
-        type:
-          type: string
-          description: The [type](https://jsonapi.org/format/#document-resource-object-identification)
-            member is used to describe resource objects that share common attributes
-            and relationships.
-          enum:
-          - category-overviews
-        id: {}
-        attributes:
-          type: object
-          properties:
-            id:
-              type: string
-            total_findings:
-              type: integer
-            failed_findings:
-              type: integer
-            new_failed_findings:
-              type: integer
-            severity:
-              description: 'Severity breakdown: {informational, low, medium, high,
-                critical}'
-          required:
-          - id
-          - total_findings
-          - failed_findings
-          - new_failed_findings
-          - severity
+        data:
+          $ref: '#/components/schemas/AttackSurfaceOverview'
+      required:
+      - data
    ComplianceOverview:
      type: object
      required:
@@ -11416,13 +11079,6 @@ components:
              type: string
              maxLength: 100
            check_metadata: {}
-            categories:
-              type: array
-              items:
-                type: string
-                maxLength: 100
-              nullable: true
-              description: Categories from check metadata for efficient filtering
            raw_result: {}
            inserted_at:
              type: string
@@ -11573,15 +11229,10 @@ components:
              type: array
              items:
                type: string
-            categories:
-              type: array
-              items:
-                type: string
          required:
          - services
          - regions
          - resource_types
-          - categories
    FindingMetadataResponse:
      type: object
      properties:
@@ -14284,24 +13935,6 @@ components:
          $ref: '#/components/schemas/OverviewSeverity'
      required:
      - data
-    PaginatedAttackSurfaceOverviewList:
-      type: object
-      properties:
-        data:
-          type: array
-          items:
-            $ref: '#/components/schemas/AttackSurfaceOverview'
-      required:
-      - data
-    PaginatedCategoryOverviewList:
-      type: object
-      properties:
-        data:
-          type: array
-          items:
-            $ref: '#/components/schemas/CategoryOverview'
-      required:
-      - data
    PaginatedComplianceOverviewAttributesList:
      type: object
      properties:
@@ -4267,74 +4267,6 @@ class TestFindingViewSet:
        assert attributes["regions"] == latest_scan_finding.resource_regions
        assert attributes["resource_types"] == latest_scan_finding.resource_types

-    def test_findings_metadata_categories(
-        self, authenticated_client, findings_with_categories
-    ):
-        finding = findings_with_categories
-        response = authenticated_client.get(
-            reverse("finding-metadata"),
-            {"filter[inserted_at]": finding.inserted_at.strftime("%Y-%m-%d")},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        attributes = response.json()["data"]["attributes"]
-        assert set(attributes["categories"]) == {"gen-ai", "security"}
-
-    def test_findings_metadata_latest_categories(
-        self, authenticated_client, latest_scan_finding_with_categories
-    ):
-        response = authenticated_client.get(
-            reverse("finding-metadata_latest"),
-        )
-        assert response.status_code == status.HTTP_200_OK
-        attributes = response.json()["data"]["attributes"]
-        assert set(attributes["categories"]) == {"gen-ai", "iam"}
-
-    def test_findings_filter_by_category(
-        self, authenticated_client, findings_with_categories
-    ):
-        finding = findings_with_categories
-        response = authenticated_client.get(
-            reverse("finding-list"),
-            {
-                "filter[category]": "gen-ai",
-                "filter[inserted_at]": finding.inserted_at.strftime("%Y-%m-%d"),
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 1
-        assert set(response.json()["data"][0]["attributes"]["categories"]) == {
-            "gen-ai",
-            "security",
-        }
-
-    def test_findings_filter_by_category_in(
-        self, authenticated_client, findings_with_multiple_categories
-    ):
-        finding1, _ = findings_with_multiple_categories
-        response = authenticated_client.get(
-            reverse("finding-list"),
-            {
-                "filter[category__in]": "gen-ai,iam",
-                "filter[inserted_at]": finding1.inserted_at.strftime("%Y-%m-%d"),
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 2
-
-    def test_findings_filter_by_category_no_match(
-        self, authenticated_client, findings_with_categories
-    ):
-        finding = findings_with_categories
-        response = authenticated_client.get(
-            reverse("finding-list"),
-            {
-                "filter[category]": "nonexistent",
-                "filter[inserted_at]": finding.inserted_at.strftime("%Y-%m-%d"),
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 0
-

@pytest.mark.django_db
 class TestJWTFields:
@@ -7326,6 +7258,7 @@ class TestOverviewViewSet:
            assert item["attributes"]["total_findings"] == 0
            assert item["attributes"]["failed_findings"] == 0
            assert item["attributes"]["muted_failed_findings"] == 0
+            assert item["attributes"]["check_ids"] == []

    def test_overview_attack_surface_with_data(
        self,
@@ -7337,6 +7270,13 @@ class TestOverviewViewSet:
        tenant = tenants_fixture[0]
        provider = providers_fixture[0]

+        mapping = {
+            "internet-exposed": {"aws-check-1", "aws-check-2"},
+            "secrets": {"aws-secret-check"},
+            "privilege-escalation": {"aws-priv-check"},
+            "ec2-imdsv1": {"aws-imdsv1-check"},
+        }
+
        scan = Scan.objects.create(
            name="attack-surface-scan",
            provider=provider,
@@ -7362,7 +7302,11 @@ class TestOverviewViewSet:
            muted_failed=2,
        )

-        response = authenticated_client.get(reverse("overview-attack-surface"))
+        with patch(
+            "api.v1.views._get_attack_surface_mapping_from_provider",
+            return_value=mapping,
+        ):
+            response = authenticated_client.get(reverse("overview-attack-surface"))
        assert response.status_code == status.HTTP_200_OK
        data = response.json()["data"]
        assert len(data) == 4
@@ -7370,10 +7314,19 @@ class TestOverviewViewSet:
        results_by_type = {item["id"]: item["attributes"] for item in data}
        assert results_by_type["internet-exposed"]["total_findings"] == 20
        assert results_by_type["internet-exposed"]["failed_findings"] == 10
+        assert set(results_by_type["internet-exposed"]["check_ids"]) == {
+            "aws-check-1",
+            "aws-check-2",
+        }
        assert results_by_type["secrets"]["total_findings"] == 15
        assert results_by_type["secrets"]["failed_findings"] == 8
+        assert set(results_by_type["secrets"]["check_ids"]) == {"aws-secret-check"}
        assert results_by_type["privilege-escalation"]["total_findings"] == 0
+        assert set(results_by_type["privilege-escalation"]["check_ids"]) == {
+            "aws-priv-check"
+        }
        assert results_by_type["ec2-imdsv1"]["total_findings"] == 0
+        assert set(results_by_type["ec2-imdsv1"]["check_ids"]) == {"aws-imdsv1-check"}

    def test_overview_attack_surface_provider_filter(
        self,
@@ -7400,6 +7353,13 @@ class TestOverviewViewSet:
            tenant=tenant,
        )

+        mapping = {
+            "internet-exposed": {"shared-check", "shared-check"},
+            "secrets": set(),
+            "privilege-escalation": {"priv-check"},
+            "ec2-imdsv1": {"imdsv1-check"},
+        }
+
        create_attack_surface_overview(
            tenant,
            scan1,
@@ -7417,15 +7377,20 @@ class TestOverviewViewSet:
            muted_failed=3,
        )

-        response = authenticated_client.get(
-            reverse("overview-attack-surface"),
-            {"filter[provider_id]": str(provider1.id)},
-        )
+        with patch(
+            "api.v1.views._get_attack_surface_mapping_from_provider",
+            return_value=mapping,
+        ):
+            response = authenticated_client.get(
+                reverse("overview-attack-surface"),
+                {"filter[provider_id]": str(provider1.id)},
+            )
        assert response.status_code == status.HTTP_200_OK
        data = response.json()["data"]
        results_by_type = {item["id"]: item["attributes"] for item in data}
        assert results_by_type["internet-exposed"]["total_findings"] == 10
        assert results_by_type["internet-exposed"]["failed_findings"] == 5
+        assert results_by_type["internet-exposed"]["check_ids"] == ["shared-check"]

    def test_overview_services_region_filter(
        self, authenticated_client, scan_summaries_fixture
@@ -7668,219 +7633,6 @@ class TestOverviewViewSet:
        assert len(data) == 1
        assert data[0]["attributes"]["overall_score"] == "80.00"

-    def test_overview_categories_no_data(self, authenticated_client):
-        response = authenticated_client.get(reverse("overview-categories"))
-        assert response.status_code == status.HTTP_200_OK
-        assert response.json()["data"] == []
-
-    def test_overview_categories_aggregates_by_category_with_severity(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        providers_fixture,
-        create_scan_category_summary,
-    ):
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        scan = Scan.objects.create(
-            name="categories-scan",
-            provider=provider,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-
-        create_scan_category_summary(
-            tenant,
-            scan,
-            "iam",
-            "high",
-            total_findings=20,
-            failed_findings=10,
-            new_failed_findings=5,
-        )
-        create_scan_category_summary(
-            tenant,
-            scan,
-            "iam",
-            "medium",
-            total_findings=15,
-            failed_findings=8,
-            new_failed_findings=3,
-        )
-        create_scan_category_summary(
-            tenant,
-            scan,
-            "encryption",
-            "critical",
-            total_findings=5,
-            failed_findings=2,
-            new_failed_findings=1,
-        )
-
-        response = authenticated_client.get(reverse("overview-categories"))
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 2
-
-        results_by_category = {item["id"]: item["attributes"] for item in data}
-
-        assert results_by_category["iam"]["total_findings"] == 35
-        assert results_by_category["iam"]["failed_findings"] == 18
-        assert results_by_category["iam"]["new_failed_findings"] == 8
-        assert results_by_category["iam"]["severity"]["high"] == 10
-        assert results_by_category["iam"]["severity"]["medium"] == 8
-        assert results_by_category["iam"]["severity"]["critical"] == 0
-
-        assert results_by_category["encryption"]["total_findings"] == 5
-        assert results_by_category["encryption"]["failed_findings"] == 2
-        assert results_by_category["encryption"]["severity"]["critical"] == 2
-
-    @pytest.mark.parametrize(
-        "filter_key,filter_value_fn,expected_total,expected_failed",
-        [
-            ("filter[provider_id]", lambda p1, _: str(p1.id), 10, 5),
-            ("filter[provider_type]", lambda *_: "aws", 10, 5),
-            ("filter[provider_type__in]", lambda *_: "aws,gcp", 30, 20),
-        ],
-    )
-    def test_overview_categories_filters(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        providers_fixture,
-        create_scan_category_summary,
-        filter_key,
-        filter_value_fn,
-        expected_total,
-        expected_failed,
-    ):
-        tenant = tenants_fixture[0]
-        provider1, _, gcp_provider, *_ = providers_fixture
-
-        scan1 = Scan.objects.create(
-            name="categories-scan-1",
-            provider=provider1,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-        scan2 = Scan.objects.create(
-            name="categories-scan-2",
-            provider=gcp_provider,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-
-        create_scan_category_summary(
-            tenant, scan1, "iam", "high", total_findings=10, failed_findings=5
-        )
-        create_scan_category_summary(
-            tenant, scan2, "iam", "high", total_findings=20, failed_findings=15
-        )
-
-        response = authenticated_client.get(
-            reverse("overview-categories"),
-            {filter_key: filter_value_fn(provider1, gcp_provider)},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert data[0]["attributes"]["total_findings"] == expected_total
-        assert data[0]["attributes"]["failed_findings"] == expected_failed
-
-    def test_overview_categories_category_filter(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        providers_fixture,
-        create_scan_category_summary,
-    ):
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        scan = Scan.objects.create(
-            name="category-filter-scan",
-            provider=provider,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-
-        create_scan_category_summary(
-            tenant, scan, "iam", "high", total_findings=10, failed_findings=5
-        )
-        create_scan_category_summary(
-            tenant, scan, "encryption", "medium", total_findings=20, failed_findings=8
-        )
-        create_scan_category_summary(
-            tenant, scan, "logging", "low", total_findings=15, failed_findings=3
-        )
-
-        response = authenticated_client.get(
-            reverse("overview-categories"),
-            {"filter[category__in]": "iam,encryption"},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        category_ids = {item["id"] for item in data}
-        assert category_ids == {"iam", "encryption"}
-
-    def test_overview_categories_aggregates_multiple_providers(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        providers_fixture,
-        create_scan_category_summary,
-    ):
-        tenant = tenants_fixture[0]
-        provider1, provider2, *_ = providers_fixture
-
-        scan1 = Scan.objects.create(
-            name="multi-provider-scan-1",
-            provider=provider1,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-        scan2 = Scan.objects.create(
-            name="multi-provider-scan-2",
-            provider=provider2,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant=tenant,
-        )
-
-        create_scan_category_summary(
-            tenant,
-            scan1,
-            "iam",
-            "high",
-            total_findings=10,
-            failed_findings=5,
-            new_failed_findings=2,
-        )
-        create_scan_category_summary(
-            tenant,
-            scan2,
-            "iam",
-            "high",
-            total_findings=15,
-            failed_findings=8,
-            new_failed_findings=3,
-        )
-
-        response = authenticated_client.get(reverse("overview-categories"))
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert data[0]["id"] == "iam"
-        assert data[0]["attributes"]["total_findings"] == 25
-        assert data[0]["attributes"]["failed_findings"] == 13
-        assert data[0]["attributes"]["new_failed_findings"] == 5
-

@pytest.mark.django_db
 class TestScheduleViewSet:
@@ -382,18 +382,10 @@ def get_findings_metadata_no_aggregations(tenant_id: str, filtered_queryset):
    regions = sorted({region for region in aggregation["regions"] or [] if region})
    resource_types = sorted(set(aggregation["resource_types"] or []))

-    # Aggregate categories from findings
-    categories_set = set()
-    for categories_list in filtered_queryset.values_list("categories", flat=True):
-        if categories_list:
-            categories_set.update(categories_list)
-    categories = sorted(categories_set)
-
    result = {
        "services": services,
        "regions": regions,
        "resource_types": resource_types,
-        "categories": categories,
    }

    serializer = FindingMetadataSerializer(data=result)
@@ -1301,7 +1301,6 @@ class FindingSerializer(RLSSerializer):
            "severity",
            "check_id",
            "check_metadata",
-            "categories",
            "raw_result",
            "inserted_at",
            "updated_at",
@@ -1357,7 +1356,6 @@ class FindingMetadataSerializer(BaseSerializerV1):
    resource_types = serializers.ListField(
        child=serializers.CharField(), allow_empty=True
    )
-    categories = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    # Temporarily disabled until we implement tag filtering in the UI
    # tags = serializers.JSONField(help_text="Tags are described as key-value pairs.")

@@ -2244,24 +2242,12 @@ class AttackSurfaceOverviewSerializer(BaseSerializerV1):
    total_findings = serializers.IntegerField()
    failed_findings = serializers.IntegerField()
    muted_failed_findings = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"
-
-
-class CategoryOverviewSerializer(BaseSerializerV1):
-    """Serializer for category overview aggregations."""
-
-    id = serializers.CharField(source="category")
-    total_findings = serializers.IntegerField()
-    failed_findings = serializers.IntegerField()
-    new_failed_findings = serializers.IntegerField()
-    severity = serializers.JSONField(
-        help_text="Severity breakdown: {informational, low, medium, high, critical}"
+    check_ids = serializers.ListField(
+        child=serializers.CharField(), allow_empty=True, default=list, read_only=True
    )

    class JSONAPIMeta:
-        resource_name = "category-overviews"
+        resource_name = "attack-surface-overviews"


 class OverviewRegionSerializer(serializers.Serializer):
@@ -74,6 +74,7 @@ from rest_framework_json_api.views import RelationshipView, Response
 from rest_framework_simplejwt.exceptions import InvalidToken, TokenError
 from tasks.beat import schedule_provider_scan
 from tasks.jobs.export import get_s3_client
+from tasks.jobs.scan import _get_attack_surface_mapping_from_provider
 from tasks.tasks import (
    backfill_compliance_summaries_task,
    backfill_scan_resource_summaries_task,
@@ -99,7 +100,6 @@ from api.db_utils import rls_transaction
 from api.exceptions import TaskFailedException
 from api.filters import (
    AttackSurfaceOverviewFilter,
-    CategoryOverviewFilter,
    ComplianceOverviewFilter,
    CustomDjangoFilterBackend,
    DailySeveritySummaryFilter,
@@ -157,7 +157,6 @@ from api.models import (
    SAMLDomainIndex,
    SAMLToken,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    SeverityChoices,
    StateChoices,
@@ -179,7 +178,6 @@ from api.uuid_utils import datetime_to_uuid7, uuid7_start
 from api.v1.mixins import DisablePaginationMixin, PaginateByPkMixin, TaskManagementMixin
 from api.v1.serializers import (
    AttackSurfaceOverviewSerializer,
-    CategoryOverviewSerializer,
    ComplianceOverviewAttributesSerializer,
    ComplianceOverviewDetailSerializer,
    ComplianceOverviewDetailThreatscoreSerializer,
@@ -359,7 +357,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.17.0"
+        spectacular_settings.VERSION = "1.16.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -2762,15 +2760,12 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):

        queryset = ResourceScanSummary.objects.filter(tenant_id=tenant_id)
        scan_based_filters = {}
-        category_scan_filters = {}  # Filters for ScanCategorySummary

        if scans := query_params.get("filter[scan__in]") or query_params.get(
            "filter[scan]"
        ):
-            scan_ids_list = scans.split(",")
-            queryset = queryset.filter(scan_id__in=scan_ids_list)
-            scan_based_filters = {"id__in": scan_ids_list}
-            category_scan_filters = {"scan_id__in": scan_ids_list}
+            queryset = queryset.filter(scan_id__in=scans.split(","))
+            scan_based_filters = {"id__in": scans.split(",")}
        else:
            exact = query_params.get("filter[inserted_at]")
            gte = query_params.get("filter[inserted_at__gte]")
@@ -2814,7 +2809,6 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
                scan_based_filters = {
                    key.lstrip("scan_"): value for key, value in date_filters.items()
                }
-                category_scan_filters = date_filters

        # ToRemove: Temporary fallback mechanism
        if not queryset.exists():
@@ -2861,31 +2855,10 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
            .order_by("resource_type")
        )

-        # Get categories from ScanCategorySummary using same scan filters
-        categories = list(
-            ScanCategorySummary.objects.filter(
-                tenant_id=tenant_id, **category_scan_filters
-            )
-            .values_list("category", flat=True)
-            .distinct()
-            .order_by("category")
-        )
-
-        # Fallback to finding aggregation if no ScanCategorySummary exists
-        if not categories:
-            categories_set = set()
-            for categories_list in filtered_queryset.values_list(
-                "categories", flat=True
-            ):
-                if categories_list:
-                    categories_set.update(categories_list)
-            categories = sorted(categories_set)
-
        result = {
            "services": services,
            "regions": regions,
            "resource_types": resource_types,
-            "categories": categories,
        }

        serializer = self.get_serializer(data=result)
@@ -2990,36 +2963,10 @@ class FindingViewSet(PaginateByPkMixin, BaseRLSViewSet):
            .order_by("resource_type")
        )

-        # Get categories from ScanCategorySummary for latest scans
-        categories = list(
-            ScanCategorySummary.objects.filter(
-                tenant_id=tenant_id,
-                scan_id__in=latest_scans_queryset.values_list("id", flat=True),
-            )
-            .values_list("category", flat=True)
-            .distinct()
-            .order_by("category")
-        )
-
-        # Fallback to finding aggregation if no ScanCategorySummary exists
-        if not categories:
-            filtered_queryset = self.filter_queryset(self.get_queryset()).filter(
-                tenant_id=tenant_id,
-                scan_id__in=latest_scans_queryset.values_list("id", flat=True),
-            )
-            categories_set = set()
-            for categories_list in filtered_queryset.values_list(
-                "categories", flat=True
-            ):
-                if categories_list:
-                    categories_set.update(categories_list)
-            categories = sorted(categories_set)
-
        result = {
            "services": services,
            "regions": regions,
            "resource_types": resource_types,
-            "categories": categories,
        }

        serializer = self.get_serializer(data=result)
@@ -4079,19 +4026,32 @@ class ComplianceOverviewViewSet(BaseRLSViewSet, TaskManagementMixin):
        summary="Get attack surface overview",
        description="Retrieve aggregated attack surface metrics from latest completed scans per provider.",
        tags=["Overview"],
-        filters=True,
-        responses={200: AttackSurfaceOverviewSerializer(many=True)},
-    ),
-    categories=extend_schema(
-        summary="Get category overview",
-        description=(
-            "Retrieve aggregated category metrics from latest completed scans per provider. "
-            "Returns one row per category with total, failed, and new failed findings counts, "
-            "plus a severity breakdown showing failed findings per severity level. "
-        ),
-        tags=["Overview"],
-        filters=True,
-        responses={200: CategoryOverviewSerializer(many=True)},
+        parameters=[
+            OpenApiParameter(
+                name="filter[provider_id]",
+                type=OpenApiTypes.UUID,
+                location=OpenApiParameter.QUERY,
+                description="Filter by specific provider ID",
+            ),
+            OpenApiParameter(
+                name="filter[provider_id.in]",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by multiple provider IDs (comma-separated UUIDs)",
+            ),
+            OpenApiParameter(
+                name="filter[provider_type]",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by provider type (aws, azure, gcp, etc.)",
+            ),
+            OpenApiParameter(
+                name="filter[provider_type.in]",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                description="Filter by multiple provider types (comma-separated)",
+            ),
+        ],
    ),
 )
@method_decorator(CACHE_DECORATOR, name="list")
@@ -4140,8 +4100,6 @@ class OverviewViewSet(BaseRLSViewSet):
            return ThreatScoreSnapshotSerializer
        elif self.action == "attack_surface":
            return AttackSurfaceOverviewSerializer
-        elif self.action == "categories":
-            return CategoryOverviewSerializer
        return super().get_serializer_class()

    def get_filterset_class(self):
@@ -4153,10 +4111,6 @@ class OverviewViewSet(BaseRLSViewSet):
            return ScanSummarySeverityFilter
        elif self.action == "findings_severity_timeseries":
            return DailySeveritySummaryFilter
-        elif self.action == "categories":
-            return CategoryOverviewFilter
-        elif self.action == "attack_surface":
-            return AttackSurfaceOverviewFilter
        return None

    def filter_queryset(self, queryset):
@@ -4242,41 +4196,29 @@ class OverviewViewSet(BaseRLSViewSet):
        filterset = filterset_class(normalized_params, queryset=queryset)
        return filterset.qs

-    def _latest_scan_ids_for_allowed_providers(self, tenant_id, provider_filters=None):
+    def _latest_scan_ids_for_allowed_providers(self, tenant_id):
        provider_filter = self._get_provider_filter()
-        queryset = Scan.all_objects.filter(
-            tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
-        )
-        if provider_filters:
-            queryset = queryset.filter(**provider_filters)
        return (
-            queryset.order_by("provider_id", "-inserted_at")
+            Scan.all_objects.filter(
+                tenant_id=tenant_id, state=StateChoices.COMPLETED, **provider_filter
+            )
+            .order_by("provider_id", "-inserted_at")
            .distinct("provider_id")
            .values_list("id", flat=True)
        )

-    def _extract_provider_filters_from_params(self):
-        """Extract provider filters from query params to apply on Scan queryset."""
-        params = self.request.query_params
-        filters = {}
-
-        provider_id = params.get("filter[provider_id]")
-        if provider_id:
-            filters["provider_id"] = provider_id
-
-        provider_id_in = params.get("filter[provider_id__in]")
-        if provider_id_in:
-            filters["provider_id__in"] = provider_id_in.split(",")
-
-        provider_type = params.get("filter[provider_type]")
-        if provider_type:
-            filters["provider__provider"] = provider_type
-
-        provider_type_in = params.get("filter[provider_type__in]")
-        if provider_type_in:
-            filters["provider__provider__in"] = provider_type_in.split(",")
-
-        return filters
+    def _attack_surface_check_ids_by_provider_types(self, provider_types):
+        check_ids_by_type = {
+            attack_surface_type: set()
+            for attack_surface_type in AttackSurfaceOverview.AttackSurfaceTypeChoices.values
+        }
+        for provider_type in provider_types:
+            attack_surface_mapping = _get_attack_surface_mapping_from_provider(
+                provider_type=provider_type
+            )
+            for attack_surface_type, check_ids in attack_surface_mapping.items():
+                check_ids_by_type[attack_surface_type].update(check_ids)
+        return check_ids_by_type

    @action(detail=False, methods=["get"], url_name="providers")
    def providers(self, request):
@@ -4883,13 +4825,22 @@ class OverviewViewSet(BaseRLSViewSet):
        tenant_id = request.tenant_id
        latest_scan_ids = self._latest_scan_ids_for_allowed_providers(tenant_id)

+        # Build base queryset and apply user filters via FilterSet
        base_queryset = AttackSurfaceOverview.objects.filter(
            tenant_id=tenant_id, scan_id__in=latest_scan_ids
        )
        filtered_queryset = self._apply_filterset(
            base_queryset, AttackSurfaceOverviewFilter
        )
-
+        provider_types = list(
+            filtered_queryset.values_list(
+                "scan__provider__provider", flat=True
+            ).distinct()
+        )
+        attack_surface_check_ids = self._attack_surface_check_ids_by_provider_types(
+            provider_types
+        )
+        # Aggregate attack surface data
        aggregation = filtered_queryset.values("attack_surface_type").annotate(
            total_findings=Coalesce(Sum("total_findings"), 0),
            failed_findings=Coalesce(Sum("failed_findings"), 0),
@@ -4912,71 +4863,12 @@ class OverviewViewSet(BaseRLSViewSet):
            }

        response_data = [
-            {"attack_surface_type": key, **value} for key, value in results.items()
-        ]
-
-        return Response(
-            self.get_serializer(response_data, many=True).data,
-            status=status.HTTP_200_OK,
-        )
-
-    @action(detail=False, methods=["get"], url_name="categories")
-    def categories(self, request):
-        tenant_id = request.tenant_id
-        provider_filters = self._extract_provider_filters_from_params()
-        latest_scan_ids = self._latest_scan_ids_for_allowed_providers(
-            tenant_id, provider_filters
-        )
-
-        base_queryset = ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id__in=latest_scan_ids
-        )
-        provider_filter_keys = {
-            "provider_id",
-            "provider_id__in",
-            "provider_type",
-            "provider_type__in",
-        }
-        filtered_queryset = self._apply_filterset(
-            base_queryset, CategoryOverviewFilter, exclude_keys=provider_filter_keys
-        )
-
-        aggregation = (
-            filtered_queryset.values("category", "severity")
-            .annotate(
-                total=Coalesce(Sum("total_findings"), 0),
-                failed=Coalesce(Sum("failed_findings"), 0),
-                new_failed=Coalesce(Sum("new_failed_findings"), 0),
-            )
-            .order_by("category", "severity")
-        )
-
-        category_data = defaultdict(
-            lambda: {
-                "total_findings": 0,
-                "failed_findings": 0,
-                "new_failed_findings": 0,
-                "severity": {
-                    "informational": 0,
-                    "low": 0,
-                    "medium": 0,
-                    "high": 0,
-                    "critical": 0,
-                },
+            {
+                "attack_surface_type": key,
+                **value,
+                "check_ids": attack_surface_check_ids.get(key, []),
            }
-        )
-
-        for row in aggregation:
-            cat = row["category"]
-            sev = row["severity"]
-            category_data[cat]["total_findings"] += row["total"]
-            category_data[cat]["failed_findings"] += row["failed"]
-            category_data[cat]["new_failed_findings"] += row["new_failed"]
-            if sev in category_data[cat]["severity"]:
-                category_data[cat]["severity"][sev] = row["failed"]
-
-        response_data = [
-            {"category": cat, **data} for cat, data in sorted(category_data.items())
+            for key, value in results.items()
        ]

        return Response(
@@ -19,6 +19,8 @@ PORT = env("DJANGO_PORT", default=8000)

 # Server settings
 bind = f"{BIND_ADDRESS}:{PORT}"
+# TODO: Remove after the category filter is implemented
+limit_request_line = 0

 workers = env.int("DJANGO_WORKERS", default=multiprocessing.cpu_count() * 2 + 1)
 reload = DEBUG
@@ -11,10 +11,7 @@ from django.urls import reverse
 from django_celery_results.models import TaskResult
 from rest_framework import status
 from rest_framework.test import APIClient
-from tasks.jobs.backfill import (
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries

 from api.db_utils import rls_transaction
 from api.models import (
@@ -39,7 +36,6 @@ from api.models import (
    SAMLConfiguration,
    SAMLDomainIndex,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    StateChoices,
    StatusChoices,
@@ -1275,113 +1271,6 @@ def latest_scan_finding(authenticated_client, providers_fixture, resources_fixtu
    return finding


-@pytest.fixture(scope="function")
-def findings_with_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding
-
-
-@pytest.fixture(scope="function")
-def findings_with_multiple_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource1, resource2 = resources_fixture[:2]
-
-    finding1 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding1.add_resources([resource1])
-
-    finding2 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_2",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status 2",
-        impact=Severity.high,
-        impact_extended="test impact 2",
-        severity=Severity.high,
-        raw_result={"status": Status.FAIL},
-        check_id="iam_check",
-        check_metadata={"CheckId": "iam_check"},
-        categories=["iam", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding2.add_resources([resource2])
-
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding1, finding2
-
-
-@pytest.fixture(scope="function")
-def latest_scan_finding_with_categories(
-    authenticated_client, providers_fixture, resources_fixture
-):
-    provider = providers_fixture[0]
-    tenant_id = str(providers_fixture[0].tenant_id)
-    resource = resources_fixture[0]
-    scan = Scan.objects.create(
-        name="latest completed scan with categories",
-        provider=provider,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.COMPLETED,
-        tenant_id=tenant_id,
-    )
-    finding = Finding.objects.create(
-        tenant_id=tenant_id,
-        uid="latest_finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_iam_check",
-        check_metadata={"CheckId": "genai_iam_check"},
-        categories=["gen-ai", "iam"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(tenant_id, str(scan.id))
-    backfill_scan_category_summaries(tenant_id, str(scan.id))
-    return finding
-
-
@pytest.fixture(scope="function")
 def latest_scan_resource(authenticated_client, providers_fixture):
    provider = providers_fixture[0]
@@ -1596,30 +1485,6 @@ def create_attack_surface_overview():
    return _create


-@pytest.fixture
-def create_scan_category_summary():
-    def _create(
-        tenant,
-        scan,
-        category,
-        severity,
-        total_findings=10,
-        failed_findings=5,
-        new_failed_findings=2,
-    ):
-        return ScanCategorySummary.objects.create(
-            tenant=tenant,
-            scan=scan,
-            category=category,
-            severity=severity,
-            total_findings=total_findings,
-            failed_findings=failed_findings,
-            new_failed_findings=new_failed_findings,
-        )
-
-    return _create
-
-
 def get_authorization_header(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}"}

@@ -61,5 +61,4 @@ def schedule_provider_scan(provider_instance: Provider):
            "tenant_id": str(provider_instance.tenant_id),
            "provider_id": provider_id,
        },
-        countdown=5,  # Avoid race conditions between the worker and the database
    )
@@ -1,9 +1,6 @@
 from collections import defaultdict
-from datetime import timedelta

 from django.db.models import Sum
-from django.utils import timezone
-from tasks.jobs.scan import aggregate_category_counts

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
@@ -11,12 +8,10 @@ from api.models import (
    ComplianceOverviewSummary,
    ComplianceRequirementOverview,
    DailySeveritySummary,
-    Finding,
    Resource,
    ResourceFindingMapping,
    ResourceScanSummary,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    StateChoices,
 )
@@ -191,6 +186,10 @@ def backfill_daily_severity_summaries(tenant_id: str, days: int = None):
    Backfill DailySeveritySummary from completed scans.
    Groups by provider+date, keeps latest scan per day.
    """
+    from datetime import timedelta
+
+    from django.utils import timezone
+
    created_count = 0
    updated_count = 0

@@ -277,67 +276,3 @@ def backfill_daily_severity_summaries(tenant_id: str, days: int = None):
        "updated": updated_count,
        "total_days": len(latest_scans_by_day),
    }
-
-
-def backfill_scan_category_summaries(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates category counts from all findings in the scan and creates
-    one ScanCategorySummary row per (category, severity) combination.
-
-    Args:
-        tenant_id: Target tenant UUID
-        scan_id: Scan UUID to backfill
-
-    Returns:
-        dict: Status indicating whether backfill was performed
-    """
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        if ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).exists():
-            return {"status": "already backfilled"}
-
-        if not Scan.objects.filter(
-            tenant_id=tenant_id,
-            id=scan_id,
-            state__in=(StateChoices.COMPLETED, StateChoices.FAILED),
-        ).exists():
-            return {"status": "scan is not completed"}
-
-        category_counts: dict[tuple[str, str], dict[str, int]] = {}
-        for finding in Finding.all_objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).values("categories", "severity", "status", "delta", "muted"):
-            aggregate_category_counts(
-                categories=finding.get("categories") or [],
-                severity=finding.get("severity"),
-                status=finding.get("status"),
-                delta=finding.get("delta"),
-                muted=finding.get("muted", False),
-                cache=category_counts,
-            )
-
-        if not category_counts:
-            return {"status": "no categories to backfill"}
-
-    category_summaries = [
-        ScanCategorySummary(
-            tenant_id=tenant_id,
-            scan_id=scan_id,
-            category=category,
-            severity=severity,
-            total_findings=counts["total"],
-            failed_findings=counts["failed"],
-            new_failed_findings=counts["new_failed"],
-        )
-        for (category, severity), counts in category_counts.items()
-    ]
-
-    with rls_transaction(tenant_id):
-        ScanCategorySummary.objects.bulk_create(
-            category_summaries, batch_size=500, ignore_conflicts=True
-        )
-
-    return {"status": "backfilled", "categories_count": len(category_counts)}
@@ -11,41 +11,6 @@ from api.models import LighthouseProviderConfiguration, LighthouseProviderModels

 logger = get_task_logger(__name__)

-# OpenAI model prefixes to exclude from Lighthouse model selection.
-# These models don't support text chat completions and tool calling.
-EXCLUDED_OPENAI_MODEL_PREFIXES = (
-    "dall-e",  # Image generation
-    "whisper",  # Audio transcription
-    "tts-",  # Text-to-speech (tts-1, tts-1-hd, etc.)
-    "sora",  # Text-to-video (sora-2, sora-2-pro, etc.)
-    "text-embedding",  # Embeddings
-    "embedding",  # Embeddings (alternative naming)
-    "text-moderation",  # Content moderation
-    "omni-moderation",  # Content moderation
-    "text-davinci",  # Legacy completion models
-    "text-curie",  # Legacy completion models
-    "text-babbage",  # Legacy completion models
-    "text-ada",  # Legacy completion models
-    "davinci",  # Legacy completion models
-    "curie",  # Legacy completion models
-    "babbage",  # Legacy completion models
-    "ada",  # Legacy completion models
-    "computer-use",  # Computer control agent
-    "gpt-image",  # Image generation
-    "gpt-audio",  # Audio models
-    "gpt-realtime",  # Realtime voice API
-)
-
-# OpenAI model substrings to exclude (patterns that can appear anywhere in model ID).
-# These patterns identify non-chat model variants.
-EXCLUDED_OPENAI_MODEL_SUBSTRINGS = (
-    "-audio-",  # Audio preview models (gpt-4o-audio-preview, etc.)
-    "-realtime-",  # Realtime preview models (gpt-4o-realtime-preview, etc.)
-    "-transcribe",  # Transcription models (gpt-4o-transcribe, etc.)
-    "-tts",  # TTS models (gpt-4o-mini-tts)
-    "-instruct",  # Legacy instruct models (gpt-3.5-turbo-instruct, etc.)
-)
-

 def _extract_error_message(e: Exception) -> str:
    """
@@ -318,41 +283,20 @@ def _fetch_openai_models(api_key: str) -> Dict[str, str]:
    """
    Fetch available models from OpenAI API.

-    Filters out models that don't support text input/output and tool calling,
-    such as image generation (DALL-E), audio transcription (Whisper),
-    text-to-speech (TTS), embeddings, and moderation models.
-
    Args:
        api_key: OpenAI API key for authentication.

    Returns:
        Dict mapping model_id to model_name. For OpenAI, both are the same
-        as the API doesn't provide separate display names. Only includes
-        models that support text input, text output or tool calling.
+        as the API doesn't provide separate display names.

    Raises:
        Exception: If the API call fails.
    """
    client = openai.OpenAI(api_key=api_key)
    models = client.models.list()
-
-    # Filter models to only include those supporting chat completions + tool calling
-    filtered_models = {}
-    for model in getattr(models, "data", []):
-        model_id = model.id
-
-        # Skip if model ID starts with excluded prefixes
-        if model_id.startswith(EXCLUDED_OPENAI_MODEL_PREFIXES):
-            continue
-
-        # Skip if model ID contains excluded substrings
-        if any(substring in model_id for substring in EXCLUDED_OPENAI_MODEL_SUBSTRINGS):
-            continue
-
-        # Include model (supports chat completions + tool calling)
-        filtered_models[model_id] = model_id
-
-    return filtered_models
+    # OpenAI uses model.id for both ID and display name
+    return {m.id: m.id for m in getattr(models, "data", [])}


 def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, str]:
@@ -8,7 +8,6 @@ from collections import defaultdict
 from datetime import datetime, timezone
 from typing import Any

-import sentry_sdk
 from celery.utils.log import get_task_logger
 from config.env import env
 from config.settings.celery import CELERY_DEADLOCK_ATTEMPTS
@@ -40,7 +39,6 @@ from api.models import (
    ResourceScanSummary,
    ResourceTag,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    StateChoices,
 )
@@ -79,6 +77,7 @@ FINDINGS_MICRO_BATCH_SIZE = env.int("DJANGO_FINDINGS_MICRO_BATCH_SIZE", default=
 # Controls how many rows each ORM bulk_create/bulk_update call sends to Postgres
 SCAN_DB_BATCH_SIZE = env.int("DJANGO_SCAN_DB_BATCH_SIZE", default=500)

+
 ATTACK_SURFACE_PROVIDER_COMPATIBILITY = {
    "internet-exposed": None,  # Compatible with all providers
    "secrets": None,  # Compatible with all providers
@@ -89,40 +88,6 @@ ATTACK_SURFACE_PROVIDER_COMPATIBILITY = {
 _ATTACK_SURFACE_MAPPING_CACHE: dict[str, dict] = {}


-def aggregate_category_counts(
-    categories: list[str],
-    severity: str,
-    status: str,
-    delta: str | None,
-    muted: bool,
-    cache: dict[tuple[str, str], dict[str, int]],
-) -> None:
-    """
-    Increment category counters in-place for a finding.
-
-    Args:
-        categories: List of categories from finding metadata.
-        severity: Severity level (e.g., "high", "medium").
-        status: Finding status as string ("FAIL", "PASS").
-        delta: Delta value as string ("new", "changed") or None.
-        muted: Whether the finding is muted.
-        cache: Dict {(category, severity): {"total", "failed", "new_failed"}} to update.
-    """
-    is_failed = status == "FAIL" and not muted
-    is_new_failed = is_failed and delta == "new"
-
-    for cat in categories:
-        key = (cat, severity)
-        if key not in cache:
-            cache[key] = {"total": 0, "failed": 0, "new_failed": 0}
-        if not muted:
-            cache[key]["total"] += 1
-        if is_failed:
-            cache[key]["failed"] += 1
-        if is_new_failed:
-            cache[key]["new_failed"] += 1
-
-
 def _get_attack_surface_mapping_from_provider(provider_type: str) -> dict:
    global _ATTACK_SURFACE_MAPPING_CACHE

@@ -433,7 +398,6 @@ def _process_finding_micro_batch(
    unique_resources: set,
    scan_resource_cache: set,
    mute_rules_cache: dict,
-    scan_categories_cache: dict[tuple[str, str], dict[str, int]],
 ) -> None:
    """
    Process a micro-batch of findings and persist them using bulk operations.
@@ -454,7 +418,6 @@ def _process_finding_micro_batch(
        unique_resources: Set tracking (uid, region) pairs seen in the scan.
        scan_resource_cache: Set of tuples used to create `ResourceScanSummary` rows.
        mute_rules_cache: Map of finding UID -> mute reason gathered before the scan.
-        scan_categories_cache: Dict tracking category counts {(category, severity): {"total", "failed", "new_failed"}}.
    """
    # Accumulate objects for bulk operations
    findings_to_create = []
@@ -610,12 +573,11 @@ def _process_finding_micro_batch(
            resource_failed_findings_cache[resource_uid] += 1

        # Create finding object (don't save yet)
-        check_metadata = finding.get_metadata()
        finding_instance = Finding(
            tenant_id=tenant_id,
            uid=finding_uid,
            delta=delta,
-            check_metadata=check_metadata,
+            check_metadata=finding.get_metadata(),
            status=status,
            status_extended=finding.status_extended,
            severity=finding.severity,
@@ -628,7 +590,6 @@ def _process_finding_micro_batch(
            muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
            muted_reason=muted_reason,
            compliance=finding.compliance,
-            categories=check_metadata.get("categories", []) or [],
        )
        findings_to_create.append(finding_instance)
        resource_denormalized_data.append((finding_instance, resource_instance))
@@ -643,16 +604,6 @@ def _process_finding_micro_batch(
            )
        )

-        # Track categories with counts for ScanCategorySummary by (category, severity)
-        aggregate_category_counts(
-            categories=check_metadata.get("categories", []) or [],
-            severity=finding.severity.value,
-            status=status.value,
-            delta=delta.value if delta else None,
-            muted=is_muted,
-            cache=scan_categories_cache,
-        )
-
    # Bulk operations within single transaction
    with rls_transaction(tenant_id):
        # Bulk create findings
@@ -752,7 +703,6 @@ def perform_prowler_scan(
    exception = None
    unique_resources = set()
    scan_resource_cache: set[tuple[str, str, str, str]] = set()
-    scan_categories_cache: dict[tuple[str, str], dict[str, int]] = {}
    start_time = time.time()
    exc = None

@@ -842,7 +792,6 @@ def perform_prowler_scan(
                    unique_resources=unique_resources,
                    scan_resource_cache=scan_resource_cache,
                    mute_rules_cache=mute_rules_cache,
-                    scan_categories_cache=scan_categories_cache,
                )

            # Update scan progress
@@ -902,33 +851,13 @@ def perform_prowler_scan(
                resource_scan_summaries, batch_size=500, ignore_conflicts=True
            )
    except Exception as filter_exception:
+        import sentry_sdk
+
        sentry_sdk.capture_exception(filter_exception)
        logger.error(
            f"Error storing filter values for scan {scan_id}: {filter_exception}"
        )

-    try:
-        if scan_categories_cache:
-            category_summaries = [
-                ScanCategorySummary(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                    category=category,
-                    severity=severity,
-                    total_findings=counts["total"],
-                    failed_findings=counts["failed"],
-                    new_failed_findings=counts["new_failed"],
-                )
-                for (category, severity), counts in scan_categories_cache.items()
-            ]
-            with rls_transaction(tenant_id):
-                ScanCategorySummary.objects.bulk_create(
-                    category_summaries, batch_size=500, ignore_conflicts=True
-                )
-    except Exception as cat_exception:
-        sentry_sdk.capture_exception(cat_exception)
-        logger.error(f"Error storing categories for scan {scan_id}: {cat_exception}")
-
    serializer = ScanTaskSerializer(instance=scan_instance)
    return serializer.data

@@ -12,7 +12,6 @@ from tasks.jobs.backfill import (
    backfill_compliance_summaries,
    backfill_daily_severity_summaries,
    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
 )
 from tasks.jobs.connection import (
    check_integration_connection,
@@ -535,21 +534,6 @@ def backfill_daily_severity_summaries_task(tenant_id: str, days: int = None):
    return backfill_daily_severity_summaries(tenant_id=tenant_id, days=days)


-@shared_task(name="backfill-scan-category-summaries", queue="backfill")
-@handle_provider_deletion
-def backfill_scan_category_summaries_task(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates unique categories from findings and creates a summary row.
-
-    Args:
-        tenant_id (str): The tenant identifier.
-        scan_id (str): The scan identifier.
-    """
-    return backfill_scan_category_summaries(tenant_id=tenant_id, scan_id=scan_id)
-
-
@shared_task(base=RLSTask, name="scan-compliance-overviews", queue="compliance")
@handle_provider_deletion
 def create_compliance_requirements_task(tenant_id: str, scan_id: str):
@@ -4,19 +4,14 @@ import pytest
 from tasks.jobs.backfill import (
    backfill_compliance_summaries,
    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
 )

 from api.models import (
    ComplianceOverviewSummary,
-    Finding,
    ResourceScanSummary,
    Scan,
-    ScanCategorySummary,
    StateChoices,
 )
-from prowler.lib.check.models import Severity
-from prowler.lib.outputs.finding import Status


@pytest.fixture(scope="function")
@@ -51,45 +46,6 @@ def get_not_completed_scans(providers_fixture):
    return scan_1, scan_2


-@pytest.fixture(scope="function")
-def findings_with_categories_fixture(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="test_check",
-        check_metadata={"CheckId": "test_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    return finding
-
-
-@pytest.fixture(scope="function")
-def scan_category_summary_fixture(scans_fixture):
-    scan = scans_fixture[0]
-    return ScanCategorySummary.objects.create(
-        tenant_id=scan.tenant_id,
-        scan=scan,
-        category="existing-category",
-        severity=Severity.critical,
-        total_findings=1,
-        failed_findings=0,
-        new_failed_findings=0,
-    )
-
-
@pytest.mark.django_db
 class TestBackfillResourceScanSummaries:
    def test_already_backfilled(self, resource_scan_summary_data):
@@ -216,47 +172,3 @@ class TestBackfillComplianceSummaries:
            assert summary.requirements_failed == expected_counts["requirements_failed"]
            assert summary.requirements_manual == expected_counts["requirements_manual"]
            assert summary.total_requirements == expected_counts["total_requirements"]
-
-
-@pytest.mark.django_db
-class TestBackfillScanCategorySummaries:
-    def test_already_backfilled(self, scan_category_summary_fixture):
-        tenant_id = scan_category_summary_fixture.tenant_id
-        scan_id = scan_category_summary_fixture.scan_id
-
-        result = backfill_scan_category_summaries(str(tenant_id), str(scan_id))
-
-        assert result == {"status": "already backfilled"}
-
-    def test_not_completed_scan(self, get_not_completed_scans):
-        for scan in get_not_completed_scans:
-            result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-            assert result == {"status": "scan is not completed"}
-
-    def test_no_categories_to_backfill(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no findings
-        result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-        assert result == {"status": "no categories to backfill"}
-
-    def test_successful_backfill(self, findings_with_categories_fixture):
-        finding = findings_with_categories_fixture
-        tenant_id = str(finding.tenant_id)
-        scan_id = str(finding.scan_id)
-
-        result = backfill_scan_category_summaries(tenant_id, scan_id)
-
-        # 2 categories × 1 severity = 2 rows
-        assert result == {"status": "backfilled", "categories_count": 2}
-
-        summaries = ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        )
-        assert summaries.count() == 2
-        categories = set(summaries.values_list("category", flat=True))
-        assert categories == {"gen-ai", "security"}
-
-        for summary in summaries:
-            assert summary.severity == Severity.critical
-            assert summary.total_findings == 1
-            assert summary.failed_findings == 1
-            assert summary.new_failed_findings == 1
@@ -28,7 +28,6 @@ class TestScheduleProviderScan:
                    "tenant_id": str(provider_instance.tenant_id),
                    "provider_id": str(provider_instance.id),
                },
-                countdown=5,
            )

            task_name = f"scan-perform-scheduled-{provider_instance.id}"
@@ -20,7 +20,6 @@ from tasks.jobs.scan import (
    _process_finding_micro_batch,
    _store_resources,
    aggregate_attack_surface,
-    aggregate_category_counts,
    aggregate_findings,
    create_compliance_requirements,
    perform_prowler_scan,
@@ -1378,7 +1377,6 @@ class TestProcessFindingMicroBatch:
        unique_resources: set[tuple[str, str]] = set()
        scan_resource_cache: set[tuple[str, str, str, str]] = set()
        mute_rules_cache = {}
-        scan_categories_cache: dict[tuple[str, str], dict[str, int]] = {}

        with (
            patch("tasks.jobs.scan.rls_transaction", new=noop_rls_transaction),
@@ -1396,7 +1394,6 @@ class TestProcessFindingMicroBatch:
                unique_resources,
                scan_resource_cache,
                mute_rules_cache,
-                scan_categories_cache,
            )

        created_finding = Finding.objects.get(uid=finding.uid)
@@ -1489,7 +1486,6 @@ class TestProcessFindingMicroBatch:
        unique_resources: set[tuple[str, str]] = set()
        scan_resource_cache: set[tuple[str, str, str, str]] = set()
        mute_rules_cache = {finding.uid: "Muted via rule"}
-        scan_categories_cache: dict[tuple[str, str], dict[str, int]] = {}

        with (
            patch("tasks.jobs.scan.rls_transaction", new=noop_rls_transaction),
@@ -1507,7 +1503,6 @@ class TestProcessFindingMicroBatch:
                unique_resources,
                scan_resource_cache,
                mute_rules_cache,
-                scan_categories_cache,
            )

        existing_resource.refresh_from_db()
@@ -1615,7 +1610,6 @@ class TestProcessFindingMicroBatch:
        unique_resources: set[tuple[str, str]] = set()
        scan_resource_cache: set[tuple[str, str, str, str]] = set()
        mute_rules_cache = {}
-        scan_categories_cache: dict[tuple[str, str], dict[str, int]] = {}

        with (
            patch("tasks.jobs.scan.rls_transaction", new=noop_rls_transaction),
@@ -1634,7 +1628,6 @@ class TestProcessFindingMicroBatch:
                unique_resources,
                scan_resource_cache,
                mute_rules_cache,
-                scan_categories_cache,
            )

        # Verify the long UID finding was NOT created
@@ -1655,118 +1648,6 @@ class TestProcessFindingMicroBatch:
            for call in warning_calls
        )

-    def test_process_finding_micro_batch_tracks_categories(
-        self, tenants_fixture, scans_fixture
-    ):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        provider = scan.provider
-
-        finding1 = FakeFinding(
-            uid="finding-cat-1",
-            status=StatusChoices.PASS,
-            status_extended="all good",
-            severity=Severity.low,
-            check_id="genai_check",
-            resource_uid="arn:aws:bedrock:::model/test",
-            resource_name="test-model",
-            region="us-east-1",
-            service_name="bedrock",
-            resource_type="model",
-            resource_tags={},
-            resource_metadata={},
-            resource_details={},
-            partition="aws",
-            raw={},
-            compliance={},
-            metadata={"categories": ["gen-ai", "security"]},
-            muted=False,
-        )
-
-        finding2 = FakeFinding(
-            uid="finding-cat-2",
-            status=StatusChoices.FAIL,
-            status_extended="bad",
-            severity=Severity.high,
-            check_id="iam_check",
-            resource_uid="arn:aws:iam:::user/test",
-            resource_name="test-user",
-            region="us-east-1",
-            service_name="iam",
-            resource_type="user",
-            resource_tags={},
-            resource_metadata={},
-            resource_details={},
-            partition="aws",
-            raw={},
-            compliance={},
-            metadata={"categories": ["security", "iam"]},
-            muted=False,
-        )
-
-        resource_cache = {}
-        tag_cache = {}
-        last_status_cache = {}
-        resource_failed_findings_cache = {}
-        unique_resources: set[tuple[str, str]] = set()
-        scan_resource_cache: set[tuple[str, str, str, str]] = set()
-        mute_rules_cache = {}
-        scan_categories_cache: dict[tuple[str, str], dict[str, int]] = {}
-
-        with (
-            patch("tasks.jobs.scan.rls_transaction", new=noop_rls_transaction),
-            patch("api.db_utils.rls_transaction", new=noop_rls_transaction),
-        ):
-            _process_finding_micro_batch(
-                str(tenant.id),
-                [finding1, finding2],
-                scan,
-                provider,
-                resource_cache,
-                tag_cache,
-                last_status_cache,
-                resource_failed_findings_cache,
-                unique_resources,
-                scan_resource_cache,
-                mute_rules_cache,
-                scan_categories_cache,
-            )
-
-        # finding1: PASS, severity=low, categories=["gen-ai", "security"]
-        # finding2: FAIL, severity=high, categories=["security", "iam"]
-        # Keys are (category, severity) tuples
-        assert set(scan_categories_cache.keys()) == {
-            ("gen-ai", "low"),
-            ("security", "low"),
-            ("security", "high"),
-            ("iam", "high"),
-        }
-        assert scan_categories_cache[("gen-ai", "low")] == {
-            "total": 1,
-            "failed": 0,
-            "new_failed": 0,
-        }
-        assert scan_categories_cache[("security", "low")] == {
-            "total": 1,
-            "failed": 0,
-            "new_failed": 0,
-        }
-        assert scan_categories_cache[("security", "high")] == {
-            "total": 1,
-            "failed": 1,
-            "new_failed": 1,
-        }
-        assert scan_categories_cache[("iam", "high")] == {
-            "total": 1,
-            "failed": 1,
-            "new_failed": 1,
-        }
-
-        created_finding1 = Finding.objects.get(uid="finding-cat-1")
-        created_finding2 = Finding.objects.get(uid="finding-cat-2")
-        assert set(created_finding1.categories) == {"gen-ai", "security"}
-        assert set(created_finding2.categories) == {"security", "iam"}
-

@pytest.mark.django_db
 class TestCreateComplianceRequirements:
@@ -3875,150 +3756,3 @@ class TestAggregateAttackSurface:
            aggregate_attack_surface(str(tenant.id), str(scan.id))

        mock_select_related.assert_called_once_with("provider")
-
-
-class TestAggregateCategoryCounts:
-    """Test aggregate_category_counts helper function."""
-
-    def test_aggregate_category_counts_basic(self):
-        """Test basic category counting for a non-muted PASS finding."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["security", "iam"],
-            severity="high",
-            status="PASS",
-            delta=None,
-            muted=False,
-            cache=cache,
-        )
-
-        assert ("security", "high") in cache
-        assert ("iam", "high") in cache
-        assert cache[("security", "high")] == {"total": 1, "failed": 0, "new_failed": 0}
-        assert cache[("iam", "high")] == {"total": 1, "failed": 0, "new_failed": 0}
-
-    def test_aggregate_category_counts_fail_not_muted(self):
-        """Test category counting for a non-muted FAIL finding."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["security"],
-            severity="critical",
-            status="FAIL",
-            delta=None,
-            muted=False,
-            cache=cache,
-        )
-
-        assert cache[("security", "critical")] == {
-            "total": 1,
-            "failed": 1,
-            "new_failed": 0,
-        }
-
-    def test_aggregate_category_counts_new_fail(self):
-        """Test category counting for a new FAIL finding (delta='new')."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["gen-ai"],
-            severity="high",
-            status="FAIL",
-            delta="new",
-            muted=False,
-            cache=cache,
-        )
-
-        assert cache[("gen-ai", "high")] == {"total": 1, "failed": 1, "new_failed": 1}
-
-    def test_aggregate_category_counts_muted_finding(self):
-        """Test that muted findings are excluded from all counts."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["security"],
-            severity="high",
-            status="FAIL",
-            delta="new",
-            muted=True,
-            cache=cache,
-        )
-
-        assert cache[("security", "high")] == {"total": 0, "failed": 0, "new_failed": 0}
-
-    def test_aggregate_category_counts_accumulates(self):
-        """Test that multiple calls accumulate counts."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-
-        # First finding: PASS
-        aggregate_category_counts(
-            categories=["security"],
-            severity="high",
-            status="PASS",
-            delta=None,
-            muted=False,
-            cache=cache,
-        )
-
-        # Second finding: FAIL (new)
-        aggregate_category_counts(
-            categories=["security"],
-            severity="high",
-            status="FAIL",
-            delta="new",
-            muted=False,
-            cache=cache,
-        )
-
-        # Third finding: FAIL (changed)
-        aggregate_category_counts(
-            categories=["security"],
-            severity="high",
-            status="FAIL",
-            delta="changed",
-            muted=False,
-            cache=cache,
-        )
-
-        assert cache[("security", "high")] == {"total": 3, "failed": 2, "new_failed": 1}
-
-    def test_aggregate_category_counts_empty_categories(self):
-        """Test with empty categories list."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=[],
-            severity="high",
-            status="FAIL",
-            delta="new",
-            muted=False,
-            cache=cache,
-        )
-
-        assert cache == {}
-
-    def test_aggregate_category_counts_changed_delta(self):
-        """Test that changed delta increments failed but not new_failed."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["iam"],
-            severity="medium",
-            status="FAIL",
-            delta="changed",
-            muted=False,
-            cache=cache,
-        )
-
-        assert cache[("iam", "medium")] == {"total": 1, "failed": 1, "new_failed": 0}
-
-    def test_aggregate_category_counts_multiple_categories_single_finding(self):
-        """Test single finding with multiple categories."""
-        cache: dict[tuple[str, str], dict[str, int]] = {}
-        aggregate_category_counts(
-            categories=["security", "compliance", "data-protection"],
-            severity="low",
-            status="FAIL",
-            delta="new",
-            muted=False,
-            cache=cache,
-        )
-
-        assert len(cache) == 3
-        for cat in ["security", "compliance", "data-protection"]:
-            assert cache[(cat, "low")] == {"total": 1, "failed": 1, "new_failed": 1}
@@ -213,5 +213,3 @@ Also is important to keep all code examples as short as possible, including the
 | software-supply-chain   | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain                                                                                               |
 | e3                      | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
 | e5                      | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
-| privilege-escalation    | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
-| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
@@ -1,447 +0,0 @@
---
-title: 'Extending the MCP Server'
---
-
-This guide explains how to extend the Prowler MCP Server with new tools and features.
-
-<Info>
-**New to Prowler MCP Server?** Start with the user documentation:
- [Overview](/getting-started/products/prowler-mcp) - Key capabilities, use cases, and deployment options
- [Installation](/getting-started/installation/prowler-mcp) - Install locally or use the managed server
- [Configuration](/getting-started/basic-usage/prowler-mcp) - Configure Claude Desktop, Cursor, and other MCP hosts
- [Tools Reference](/getting-started/basic-usage/prowler-mcp-tools) - Complete list of all available tools
-</Info>
-
-## Introduction
-
-The Prowler MCP Server brings the entire Prowler ecosystem to AI assistants through the [Model Context Protocol (MCP)](https://modelcontextprotocol.io). It enables seamless integration with AI tools like Claude Desktop, Cursor, and other MCP clients.
-
-The server follows a modular architecture with three independent sub-servers:
-
-| Sub-Server | Auth Required | Description |
-|------------|---------------|-------------|
-| Prowler App | Yes | Full access to Prowler Cloud and Self-Managed features |
-| Prowler Hub | No | Security checks catalog with **over 1000 checks**, fixers, and **70+ compliance frameworks** |
-| Prowler Documentation | No | Full-text search and retrieval of official documentation |
-
-<Note>
-For a complete list of tools and their descriptions, see the [Tools Reference](/getting-started/basic-usage/prowler-mcp-tools).
-</Note>
-
-## Architecture Overview
-
-The MCP Server architecture is illustrated in the [Overview documentation](/getting-started/products/prowler-mcp#mcp-server-architecture). AI assistants connect through the MCP protocol to access Prowler's three main components.
-
-### Server Structure
-
-The main server orchestrates three sub-servers with prefixed namespacing:
-
-```
-mcp_server/prowler_mcp_server/
-├── server.py                 # Main orchestrator
-├── main.py                   # CLI entry point
-├── prowler_hub/
-├── prowler_app/
-│   ├── tools/                # Tool implementations
-│   ├── models/               # Pydantic models
-│   └── utils/                # API client, auth, loader
-└── prowler_documentation/
-```
-
-### Tool Registration Patterns
-
-The MCP Server uses two patterns for tool registration:
-
-1. **Direct Decorators** (Prowler Hub/Docs): Tools are registered using `@mcp.tool()` decorators
-2. **Auto-Discovery** (Prowler App): All public methods of `BaseTool` subclasses are auto-registered
-
-## Adding Tools to Prowler App
-
-### Step 1: Create the Tool Class
-
-Create a new file or add to an existing file in `prowler_app/tools/`:
-
-```python
-# prowler_app/tools/new_feature.py
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.new_feature import (
-    FeatureListResponse,
-    DetailedFeature,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class NewFeatureTools(BaseTool):
-    """Tools for managing new features."""
-
-    async def list_features(
-        self,
-        status: str | None = Field(
-            default=None,
-            description="Filter by status (active, inactive, pending)"
-        ),
-        page_size: int = Field(
-            default=50,
-            description="Number of results per page (1-100)"
-        ),
-    ) -> dict[str, Any]:
-        """List all features with optional filtering.
-
-        Returns a lightweight list of features optimized for LLM consumption.
-        Use get_feature for complete information about a specific feature.
-        """
-        # Validate parameters
-        self.api_client.validate_page_size(page_size)
-
-        # Build query parameters
-        params: dict[str, Any] = {"page[size]": page_size}
-        if status:
-            params["filter[status]"] = status
-
-        # Make API request
-        clean_params = self.api_client.build_filter_params(params)
-        response = await self.api_client.get("/api/v1/features", params=clean_params)
-
-        # Transform to LLM-friendly format
-        return FeatureListResponse.from_api_response(response).model_dump()
-
-    async def get_feature(
-        self,
-        feature_id: str = Field(description="The UUID of the feature"),
-    ) -> dict[str, Any]:
-        """Get detailed information about a specific feature.
-
-        Returns complete feature details including configuration and metadata.
-        """
-        try:
-            response = await self.api_client.get(f"/api/v1/features/{feature_id}")
-            return DetailedFeature.from_api_response(response["data"]).model_dump()
-        except Exception as e:
-            self.logger.error(f"Failed to get feature {feature_id}: {e}")
-            return {"error": str(e), "status": "failed"}
-```
-
-### Step 2: Create the Models
-
-Create corresponding models in `prowler_app/models/`:
-
-```python
-# prowler_app/models/new_feature.py
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-
-
-class SimplifiedFeature(MinimalSerializerMixin):
-    """Lightweight feature for list operations."""
-
-    id: str = Field(description="Unique feature identifier")
-    name: str = Field(description="Feature name")
-    status: str = Field(description="Current status")
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "SimplifiedFeature":
-        """Transform API response to simplified format."""
-        attributes = data.get("attributes", {})
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            status=attributes["status"],
-        )
-
-
-class DetailedFeature(SimplifiedFeature):
-    """Extended feature with complete details."""
-
-    description: str | None = Field(default=None, description="Feature description")
-    configuration: dict[str, Any] | None = Field(default=None, description="Configuration")
-    created_at: str = Field(description="Creation timestamp")
-    updated_at: str = Field(description="Last update timestamp")
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "DetailedFeature":
-        """Transform API response to detailed format."""
-        attributes = data.get("attributes", {})
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            status=attributes["status"],
-            description=attributes.get("description"),
-            configuration=attributes.get("configuration"),
-            created_at=attributes["created_at"],
-            updated_at=attributes["updated_at"],
-        )
-
-
-class FeatureListResponse(MinimalSerializerMixin):
-    """Response wrapper for feature list operations."""
-
-    count: int = Field(description="Total number of features")
-    features: list[SimplifiedFeature] = Field(description="List of features")
-
-    @classmethod
-    def from_api_response(cls, response: dict[str, Any]) -> "FeatureListResponse":
-        """Transform API response to list format."""
-        data = response.get("data", [])
-        features = [SimplifiedFeature.from_api_response(item) for item in data]
-        return cls(count=len(features), features=features)
-```
-
-### Step 3: Verify Auto-Discovery
-
-No manual registration is needed. The `tool_loader.py` automatically discovers and registers all `BaseTool` subclasses. Verify your tool is loaded by checking the server logs:
-
-```
-INFO - Auto-registered 2 tools from NewFeatureTools
-INFO - Loaded and registered: NewFeatureTools
-```
-
-## Adding Tools to Prowler Hub/Docs
-
-For Prowler Hub or Documentation tools, use the `@mcp.tool()` decorator directly:
-
-```python
-# prowler_hub/server.py
-from fastmcp import FastMCP
-
-hub_mcp_server = FastMCP("prowler-hub")
-
-@hub_mcp_server.tool()
-async def get_new_artifact(
-    artifact_id: str,
-) -> dict:
-    """Fetch a specific artifact from Prowler Hub.
-
-    Args:
-        artifact_id: The unique identifier of the artifact
-
-    Returns:
-        Dictionary containing artifact details
-    """
-    response = prowler_hub_client.get(f"/artifact/{artifact_id}")
-    response.raise_for_status()
-    return response.json()
-```
-
-## Model Design Patterns
-
-### MinimalSerializerMixin
-
-All models should use `MinimalSerializerMixin` to optimize responses for LLM consumption:
-
-```python
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-
-class MyModel(MinimalSerializerMixin):
-    """Model that excludes empty values from serialization."""
-    required_field: str
-    optional_field: str | None = None  # Excluded if None
-    empty_list: list = []              # Excluded if empty
-```
-
-This mixin automatically excludes:
- `None` values
- Empty strings
- Empty lists
- Empty dictionaries
-
-### Two-Tier Model Pattern
-
-Use two-tier models for efficient responses:
-
- **Simplified**: Lightweight models for list operations
- **Detailed**: Extended models for single-item retrieval
-
-```python
-class SimplifiedItem(MinimalSerializerMixin):
-    """Use for list operations - minimal fields."""
-    id: str
-    name: str
-    status: str
-
-class DetailedItem(SimplifiedItem):
-    """Use for get operations - extends simplified with details."""
-    description: str | None = None
-    configuration: dict | None = None
-    created_at: str
-    updated_at: str
-```
-
-### Factory Method Pattern
-
-Always implement `from_api_response()` for API transformation:
-
-```python
-@classmethod
-def from_api_response(cls, data: dict[str, Any]) -> "MyModel":
-    """Transform API response to model.
-
-    This method handles the JSON:API format used by Prowler API,
-    extracting attributes and relationships as needed.
-    """
-    attributes = data.get("attributes", {})
-    return cls(
-        id=data["id"],
-        name=attributes["name"],
-        # ... map other fields
-    )
-```
-
-## API Client Usage
-
-The `ProwlerAPIClient` is a singleton that handles authentication and HTTP requests:
-
-```python
-class MyTools(BaseTool):
-    async def my_tool(self) -> dict:
-        # GET request
-        response = await self.api_client.get("/api/v1/endpoint", params={"key": "value"})
-
-        # POST request
-        response = await self.api_client.post(
-            "/api/v1/endpoint",
-            json_data={"data": {"type": "items", "attributes": {...}}}
-        )
-
-        # PATCH request
-        response = await self.api_client.patch(
-            f"/api/v1/endpoint/{id}",
-            json_data={"data": {"attributes": {...}}}
-        )
-
-        # DELETE request
-        response = await self.api_client.delete(f"/api/v1/endpoint/{id}")
-```
-
-### Helper Methods
-
-The API client provides useful helper methods:
-
-```python
-# Validate page size (1-1000)
-self.api_client.validate_page_size(page_size)
-
-# Normalize date range with max days limit
-date_range = self.api_client.normalize_date_range(date_from, date_to, max_days=2)
-
-# Build filter parameters (handles type conversion)
-clean_params = self.api_client.build_filter_params({
-    "filter[status]": "active",
-    "filter[severity__in]": ["high", "critical"],  # Converts to comma-separated
-    "filter[muted]": True,  # Converts to "true"
-})
-
-# Poll async task until completion
-result = await self.api_client.poll_task_until_complete(
-    task_id=task_id,
-    timeout=60,
-    poll_interval=1.0
-)
-```
-
-## Best Practices
-
-### Tool Docstrings
-
-Tool docstrings become description that is going to be read by the LLM. Provide clear usage instructions and common workflows:
-
-```python
-async def search_items(self, status: str = Field(...)) -> dict:
-    """Search items with advanced filtering.
-
-    Returns a lightweight list optimized for LLM consumption.
-    Use get_item for complete details about a specific item.
-
-    Common workflows:
-    - Find critical items: status="critical"
-    - Find recent items: Use date_from parameter
-    """
-```
-
-### Error Handling
-
-Return structured error responses instead of raising exceptions:
-
-```python
-async def get_item(self, item_id: str) -> dict:
-    try:
-        response = await self.api_client.get(f"/api/v1/items/{item_id}")
-        return DetailedItem.from_api_response(response["data"]).model_dump()
-    except Exception as e:
-        self.logger.error(f"Failed to get item {item_id}: {e}")
-        return {"error": str(e), "status": "failed"}
-```
-
-### Parameter Descriptions
-
-Use Pydantic `Field()` with clear descriptions. This also helps LLMs understand
-the purpose of each parameter, so be as descriptive as possible:
-
-```python
-async def list_items(
-    self,
-    severity: list[str] = Field(
-        default=[],
-        description="Filter by severity levels (critical, high, medium, low)"
-    ),
-    status: str | None = Field(
-        default=None,
-        description="Filter by status (PASS, FAIL, MANUAL)"
-    ),
-    page_size: int = Field(
-        default=50,
-        description="Results per page"
-    ),
-) -> dict:
-```
-
-## Development Commands
-
-```bash
-# Navigate to MCP server directory
-cd mcp_server
-
-# Run in STDIO mode (default)
-uv run prowler-mcp
-
-# Run in HTTP mode
-uv run prowler-mcp --transport http --host 0.0.0.0 --port 8000
-
-# Run with environment variables
-PROWLER_APP_API_KEY="pk_xxx" uv run prowler-mcp
-```
-
-For complete installation and deployment options, see:
- [Installation Guide](/getting-started/installation/prowler-mcp#from-source-development) - Development setup instructions
- [Configuration Guide](/getting-started/basic-usage/prowler-mcp) - MCP client configuration
-
-For development I recommend to use the [Model Context Protocol Inspector](https://github.com/modelcontextprotocol/inspector) as MCP client to test and debug your tools.
-
-## Related Documentation
-
-<CardGroup cols={2}>
-  <Card title="MCP Server Overview" icon="circle-info" href="/getting-started/products/prowler-mcp">
-    Key capabilities, use cases, and deployment options
-  </Card>
-  <Card title="Tools Reference" icon="wrench" href="/getting-started/basic-usage/prowler-mcp-tools">
-    Complete reference of all available tools
-  </Card>
-  <Card title="Prowler Hub" icon="database" href="/getting-started/products/prowler-hub">
-    Security checks and compliance frameworks catalog
-  </Card>
-  <Card title="Lighthouse AI" icon="robot" href="/getting-started/products/prowler-lighthouse-ai">
-    AI-powered security analyst
-  </Card>
-</CardGroup>
-
-## Additional Resources
-
- [MCP Protocol Specification](https://modelcontextprotocol.io) - Model Context Protocol details
- [Prowler API Documentation](https://api.prowler.com/api/v1/docs) - API reference
- [Prowler Hub API](https://hub.prowler.com/api/docs) - Hub API reference
- [GitHub Repository](https://github.com/prowler-cloud/prowler) - Source code
@@ -63,82 +63,6 @@ Other Commands for Running Tests
 Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) for more details.

 </Note>
-
-## AWS Service Dependency Table (CI Optimization)
-
-To optimize CI pipeline execution time, the GitHub Actions workflow for AWS tests uses a **service dependency table** that determines which tests to run based on changed files. This ensures that when a service is modified, all dependent services are also tested.
-
-### How It Works
-
-The dependency table is defined in `.github/workflows/sdk-tests.yml` within the "Resolve AWS services under test" step. When files in a specific AWS service are changed:
-
-1. Tests for the changed service are run
-2. Tests for all services that **depend on** the changed service are also run
-
-For example, if you modify the `ec2` service, tests will also run for `dlm`, `dms`, `elbv2`, `emr`, `inspector2`, `rds`, `redshift`, `route53`, `shield`, `ssm`, and `workspaces` because these services use the EC2 client.
-
-### Current Dependency Table
-
-The table maps a service (key) to the list of services that depend on it (values):
-
-| Service | Dependent Services |
-|---------|-------------------|
-| `acm` | `elb` |
-| `autoscaling` | `dynamodb` |
-| `awslambda` | `ec2`, `inspector2` |
-| `backup` | `dynamodb`, `ec2`, `rds` |
-| `cloudfront` | `shield` |
-| `cloudtrail` | `awslambda`, `cloudwatch` |
-| `cloudwatch` | `bedrock` |
-| `ec2` | `dlm`, `dms`, `elbv2`, `emr`, `inspector2`, `rds`, `redshift`, `route53`, `shield`, `ssm` |
-| `ecr` | `inspector2` |
-| `elb` | `shield` |
-| `elbv2` | `shield` |
-| `globalaccelerator` | `shield` |
-| `iam` | `bedrock`, `cloudtrail`, `cloudwatch`, `codebuild` |
-| `kafka` | `firehose` |
-| `kinesis` | `firehose` |
-| `kms` | `kafka` |
-| `organizations` | `iam`, `servicecatalog` |
-| `route53` | `shield` |
-| `s3` | `bedrock`, `cloudfront`, `cloudtrail`, `macie` |
-| `ssm` | `ec2` |
-| `vpc` | `awslambda`, `ec2`, `efs`, `elasticache`, `neptune`, `networkfirewall`, `rds`, `redshift`, `workspaces` |
-| `waf` | `elbv2` |
-| `wafv2` | `cognito`, `elbv2` |
-
-### When to Update the Table
-
-You must update the dependency table when:
-
-1. **A new check or service uses another service's client**: If your check imports a client from another service (e.g., `from prowler.providers.aws.services.ec2.ec2_client import ec2_client` in a non-ec2 check), add your service to the dependent services list of that client's service.
-
-2. **A service relationship changes**: If you remove or add a service client dependency in an existing check, update the table accordingly.
-
-### How to Update the Table
-
-1. Open `.github/workflows/sdk-tests.yml`
-2. Find the `dependents` dictionary in the "Resolve AWS services under test" step
-3. Add or modify entries as needed
-4. **Update this documentation page** (`docs/developer-guide/unit-testing.mdx`) to reflect the changes in the [Current Dependency Table](#current-dependency-table) section above
-
-```python
-dependents = {
-    # ... existing entries ...
-    "service_being_used": ["service_that_uses_it"],
-}
-```
-
-**Example**: If you create a new check in the `newservice` service that imports `ec2_client`, add `newservice` to the `ec2` entry:
-
-```python
-"ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "newservice", "rds", "redshift", "route53", "shield", "ssm"],
-```
-
-<Warning>
-Failing to update this table when adding cross-service dependencies may result in CI tests passing even when related functionality is broken, as the dependent service tests won't be triggered.
-</Warning>
-
 ## AWS Testing Approaches

 For AWS provider, different testing approaches apply based on API coverage based on several criteria.
@@ -19,7 +19,9 @@
        "groups": [
          {
            "group": "Welcome",
-            "pages": ["introduction"]
+            "pages": [
+              "introduction"
+            ]
          },
          {
            "group": "Prowler Cloud",
@@ -49,7 +51,9 @@
          },
          {
            "group": "Prowler Lighthouse AI",
-            "pages": ["getting-started/products/prowler-lighthouse-ai"]
+            "pages": [
+              "getting-started/products/prowler-lighthouse-ai"
+            ]
          },
          {
            "group": "Prowler MCP Server",
@@ -149,7 +153,9 @@
              "user-guide/cli/tutorials/quick-inventory",
              {
                "group": "Tutorials",
-                "pages": ["user-guide/cli/tutorials/parallel-execution"]
+                "pages": [
+                  "user-guide/cli/tutorials/parallel-execution"
+                ]
              }
            ]
          },
@@ -237,7 +243,9 @@
              },
              {
                "group": "LLM",
-                "pages": ["user-guide/providers/llm/getting-started-llm"]
+                "pages": [
+                  "user-guide/providers/llm/getting-started-llm"
+                ]
              },
              {
                "group": "Oracle Cloud Infrastructure",
@@ -250,7 +258,9 @@
          },
          {
            "group": "Compliance",
-            "pages": ["user-guide/compliance/tutorials/threatscore"]
+            "pages": [
+              "user-guide/compliance/tutorials/threatscore"
+            ]
          }
        ]
      },
@@ -267,8 +277,7 @@
              "developer-guide/outputs",
              "developer-guide/integrations",
              "developer-guide/security-compliance-framework",
-              "developer-guide/lighthouse",
-              "developer-guide/mcp-server"
+              "developer-guide/lighthouse"
            ]
          },
          {
@@ -304,15 +313,21 @@
      },
      {
        "tab": "Security",
-        "pages": ["security"]
+        "pages": [
+          "security"
+        ]
      },
      {
        "tab": "Contact Us",
-        "pages": ["contact"]
+        "pages": [
+          "contact"
+        ]
      },
      {
        "tab": "Troubleshooting",
-        "pages": ["troubleshooting"]
+        "pages": [
+          "troubleshooting"
+        ]
      },
      {
        "tab": "About Us",
@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 22 tools | Yes |
+| Prowler Cloud/App | 28 tools | Yes |

 ## Tool Naming Convention

@@ -20,66 +20,6 @@ All tools follow a consistent naming pattern with prefixes:
 - `prowler_docs_*` - Prowler documentation search and retrieval
 - `prowler_app_*` - Prowler Cloud and App (Self-Managed) management tools

-## Prowler Cloud/App Tools
-
-Manage Prowler Cloud or Prowler App (Self-Managed) features. **Requires authentication.**
-
-<Note>
-These tools require a valid API key. See the [Configuration Guide](/getting-started/basic-usage/prowler-mcp) for authentication setup.
-</Note>
-
-### Findings Management
-
-Tools for searching, viewing, and analyzing security findings across all cloud providers.
-
- **`prowler_app_search_security_findings`** - Search and filter security findings with advanced filtering options (severity, status, provider, region, service, check ID, date range, muted status)
- **`prowler_app_get_finding_details`** - Get comprehensive details about a specific finding including remediation guidance, check metadata, and resource relationships
- **`prowler_app_get_findings_overview`** - Get aggregate statistics and trends about security findings as a markdown report
-
-### Provider Management
-
-Tools for managing cloud provider connections in Prowler.
-
- **`prowler_app_search_providers`** - Search and view configured providers with their connection status
- **`prowler_app_connect_provider`** - Register and connect a provider with credentials for security scanning
- **`prowler_app_delete_provider`** - Permanently remove a provider from Prowler
-
-### Scan Management
-
-Tools for managing and monitoring security scans.
-
- **`prowler_app_list_scans`** - List and filter security scans across all providers
- **`prowler_app_get_scan`** - Get comprehensive details about a specific scan (progress, duration, resource counts)
- **`prowler_app_trigger_scan`** - Trigger a manual security scan for a provider
- **`prowler_app_schedule_daily_scan`** - Schedule automated daily scans for continuous monitoring
- **`prowler_app_update_scan`** - Update scan name for better organization
-
-### Resources Management
-
-Tools for searching, viewing, and analyzing cloud resources discovered by Prowler.
-
- **`prowler_app_list_resources`** - List and filter cloud resources with advanced filtering options (provider, region, service, resource type, tags)
- **`prowler_app_get_resource`** - Get comprehensive details about a specific resource including configuration, metadata, and finding relationships
- **`prowler_app_get_resources_overview`** - Get aggregate statistics about cloud resources as a markdown report
-
-### Muting Management
-
-Tools for managing finding muting, including pattern-based bulk muting (mutelist) and finding-specific mute rules.
-
-#### Mutelist (Pattern-Based Muting)
-
- **`prowler_app_get_mutelist`** - Retrieve the current mutelist configuration for the tenant
- **`prowler_app_set_mutelist`** - Create or update the mutelist configuration for pattern-based bulk muting
- **`prowler_app_delete_mutelist`** - Remove the mutelist configuration from the tenant
-
-#### Mute Rules (Finding-Specific Muting)
-
- **`prowler_app_list_mute_rules`** - Search and filter mute rules with pagination support
- **`prowler_app_get_mute_rule`** - Retrieve comprehensive details about a specific mute rule
- **`prowler_app_create_mute_rule`** - Create a new mute rule to mute specific findings with documentation and audit trail
- **`prowler_app_update_mute_rule`** - Update a mute rule's name, reason, or enabled status
- **`prowler_app_delete_mute_rule`** - Delete a mute rule from the system
-
 ## Prowler Hub Tools

 Access Prowler's security check catalog and compliance frameworks. **No authentication required.**
@@ -113,6 +53,60 @@ Search and access official Prowler documentation. **No authentication required.*
 - **`prowler_docs_search`** - Search the official Prowler documentation using full-text search
 - **`prowler_docs_get_document`** - Retrieve the full markdown content of a specific documentation file

+## Prowler Cloud/App Tools
+
+Manage Prowler Cloud or Prowler App (Self-Managed) features. **Requires authentication.**
+
+<Note>
+These tools require a valid API key. See the [Configuration Guide](/getting-started/basic-usage/prowler-mcp) for authentication setup.
+</Note>
+
+### Findings Management
+
+- **`prowler_app_list_findings`** - List security findings with advanced filtering
+- **`prowler_app_get_finding`** - Get detailed information about a specific finding
+- **`prowler_app_get_latest_findings`** - Retrieve latest findings from the most recent scans
+- **`prowler_app_get_findings_metadata`** - Get unique metadata values from filtered findings
+- **`prowler_app_get_latest_findings_metadata`** - Get metadata from latest findings across all providers
+
+### Provider Management
+
+- **`prowler_app_list_providers`** - List all providers with filtering options
+- **`prowler_app_create_provider`** - Create a new provider in the current tenant
+- **`prowler_app_get_provider`** - Get detailed information about a specific provider
+- **`prowler_app_update_provider`** - Update provider details (alias, etc.)
+- **`prowler_app_delete_provider`** - Delete a specific provider
+- **`prowler_app_test_provider_connection`** - Test provider connection status
+
+### Provider Secrets Management
+
+- **`prowler_app_list_provider_secrets`** - List all provider secrets with filtering
+- **`prowler_app_add_provider_secret`** - Add or update credentials for a provider
+- **`prowler_app_get_provider_secret`** - Get detailed information about a provider secret
+- **`prowler_app_update_provider_secret`** - Update provider secret details
+- **`prowler_app_delete_provider_secret`** - Delete a provider secret
+
+### Scan Management
+
+- **`prowler_app_list_scans`** - List all scans with filtering options
+- **`prowler_app_create_scan`** - Trigger a manual scan for a specific provider
+- **`prowler_app_get_scan`** - Get detailed information about a specific scan
+- **`prowler_app_update_scan`** - Update scan details
+- **`prowler_app_get_scan_compliance_report`** - Download compliance report as CSV
+- **`prowler_app_get_scan_report`** - Download ZIP file containing complete scan report
+
+### Schedule Management
+
+- **`prowler_app_schedules_daily_scan`** - Create a daily scheduled scan for a provider
+
+### Processor Management
+
+- **`prowler_app_processors_list`** - List all processors with filtering
+- **`prowler_app_processors_create`** - Create a new processor (currently only mute lists supported)
+- **`prowler_app_processors_retrieve`** - Get processor details by ID
+- **`prowler_app_processors_partial_update`** - Update processor configuration
+- **`prowler_app_processors_destroy`** - Delete a processor
+
 ## Usage Tips

 - Use natural language to interact with the tools through your AI assistant
@@ -139,7 +139,7 @@ STDIO mode is only available when running the MCP server locally.
          "args": ["/absolute/path/to/prowler/mcp_server/"],
          "env": {
            "PROWLER_APP_API_KEY": "<your-api-key-here>",
-            "API_BASE_URL": "https://api.prowler.com/api/v1"
+            "PROWLER_API_BASE_URL": "https://api.prowler.com"
          }
        }
      }
@@ -147,7 +147,7 @@ STDIO mode is only available when running the MCP server locally.
    ```

    <Note>
-    Replace `/absolute/path/to/prowler/mcp_server/` with the actual path. The `API_BASE_URL` is optional and defaults to Prowler Cloud API.
+    Replace `/absolute/path/to/prowler/mcp_server/` with the actual path. The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
    </Note>

  </Tab>
@@ -167,7 +167,7 @@ STDIO mode is only available when running the MCP server locally.
            "--env",
            "PROWLER_APP_API_KEY=<your-api-key-here>",
            "--env",
-            "API_BASE_URL=https://api.prowler.com/api/v1",
+            "PROWLER_API_BASE_URL=https://api.prowler.com",
            "prowlercloud/prowler-mcp"
          ]
        }
@@ -176,7 +176,7 @@ STDIO mode is only available when running the MCP server locally.
    ```

    <Note>
-    The `API_BASE_URL` is optional and defaults to Prowler Cloud API.
+    The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
    </Note>

  </Tab>
@@ -52,7 +52,7 @@ Choose one of the following installation methods:
    ```bash
    docker run --rm -i \
      -e PROWLER_APP_API_KEY="pk_your_api_key" \
-      -e API_BASE_URL="https://api.prowler.com/api/v1" \
+      -e PROWLER_API_BASE_URL="https://api.prowler.com" \
      prowlercloud/prowler-mcp
    ```

@@ -181,19 +181,19 @@ Configure the server using environment variables:
 | Variable | Description | Required | Default |
 |----------|-------------|----------|---------|
 | `PROWLER_APP_API_KEY` | Prowler API key | Only for STDIO mode | - |
-| `API_BASE_URL` | Custom Prowler API endpoint | No | `https://api.prowler.com/api/v1` |
+| `PROWLER_API_BASE_URL` | Custom Prowler API endpoint | No | `https://api.prowler.com` |
 | `PROWLER_MCP_TRANSPORT_MODE` | Default transport mode (overwritten by `--transport` argument) | No | `stdio` |

 <CodeGroup>
 ```bash macOS/Linux
 export PROWLER_APP_API_KEY="pk_your_api_key_here"
-export API_BASE_URL="https://api.prowler.com/api/v1"
+export PROWLER_API_BASE_URL="https://api.prowler.com"
 export PROWLER_MCP_TRANSPORT_MODE="http"
 ```

 ```bash Windows PowerShell
 $env:PROWLER_APP_API_KEY="pk_your_api_key_here"
-$env:API_BASE_URL="https://api.prowler.com/api/v1"
+$env:PROWLER_API_BASE_URL="https://api.prowler.com"
 $env:PROWLER_MCP_TRANSPORT_MODE="http"
 ```
 </CodeGroup>
@@ -208,7 +208,7 @@ For convenience, create a `.env` file in the `mcp_server` directory:

 ```bash .env
 PROWLER_APP_API_KEY=pk_your_api_key_here
-API_BASE_URL=https://api.prowler.com/api/v1
+PROWLER_API_BASE_URL=https://api.prowler.com
 PROWLER_MCP_TRANSPORT_MODE=stdio
 ```

@@ -6,7 +6,7 @@ title: "Overview"

 **Why this matters**: Every engineer has asked, “What does this check actually do?” Prowler Hub answers that question in one place, lets you pin to a specific version, and pulls definitions into your own tools or dashboards.

-![](/images/products/prowler-hub.png)
+![](/images/products/prowler-hub.webp)

 <Card title="Go to Prowler Hub" href="https://hub.prowler.com" />

@@ -14,4 +14,4 @@ Prowler Hub also provides a fully documented public API that you can integrate i

 📚 Explore the API docs at: https://hub.prowler.com/api/docs

-Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
+Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
@@ -19,11 +19,12 @@ The Prowler MCP Server provides three main integration points:
 ### 1. Prowler Cloud and Prowler App (Self-Managed)

 Full access to Prowler Cloud platform and self-managed Prowler App for:
- **Findings Analysis**: Query, filter, and analyze security findings across all your cloud environments
- **Provider Management**: Create, configure, and manage your configured Prowler providers (AWS, Azure, GCP, etc.)
- **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments
- **Resource Inventory**: Search and view detailed information about your audited resources
- **Muting Management**: Create and manage muting lists/rules to suppress non-relevant findings
+- **Provider Management**: Create, configure, and manage cloud providers (AWS, Azure, GCP, etc.).
+- **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments.
+- **Findings Analysis**: Query, filter, and analyze security findings across all your cloud environments.
+- **Compliance Reporting**: Generate compliance reports for various frameworks (CIS, PCI-DSS, HIPAA, etc.).
+- **Secrets Management**: Securely manage provider credentials and connection details.
+- **Processor Configuration**: Set up the [Prowler Mutelist](/user-guide/tutorials/prowler-app-mute-findings) to mute findings.

 ### 2. Prowler Hub

@@ -48,10 +49,7 @@ The following diagram illustrates the Prowler MCP Server architecture and its in
 <img className="block dark:hidden" src="/images/prowler_mcp_schema_light.png" alt="Prowler MCP Server Schema" />
 <img className="hidden dark:block" src="/images/prowler_mcp_schema_dark.png" alt="Prowler MCP Server Schema" />

-The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components:
- Prowler Cloud/App for security operations
- Prowler Hub for security knowledge
- Prowler Documentation for guidance and reference.
+The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components: Prowler Cloud/App for security operations, Prowler Hub for security knowledge, and Prowler Documentation for guidance and reference.

 ## Use Cases

@@ -59,12 +57,12 @@ The Prowler MCP Server enables powerful workflows through AI assistants:

 **Security Operations**
 - "Show me all critical findings from my AWS production accounts"
- "Register my new AWS account in Prowler and run a scheduled scan every day"
- "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"
+- "What is my compliance status for the PCI standards accross all my AWS accounts according to the latest Prowler scan results?"
+- "Register my new AWS account in Prowler and run an scheduled scan every day"

 **Security Research**
- "Explain what the S3 bucket public access Prowler check does"
- "Find all Prowler checks related to encryption at rest"
+- "Explain what the S3 bucket public access check does"
+- "Find all checks related to encryption at rest"
 - "What is the latest version of the CIS that Prowler is covering per provider?"

 **Documentation & Learning**
@@ -24,80 +24,6 @@ We enforce [pre-commit](https://github.com/prowler-cloud/prowler/blob/master/.pr

 Our container registries are continuously scanned for vulnerabilities, with findings automatically reported to our security team for assessment and remediation. This process evolves alongside our stack as we adopt new languages, frameworks, and technologies, ensuring our security practices remain comprehensive, proactive, and adaptable.

-### Static Application Security Testing (SAST)
-
-We employ multiple SAST tools across our codebase to identify security vulnerabilities, code quality issues, and potential bugs during development:
-
-#### CodeQL Analysis
- **Scope**: UI (JavaScript/TypeScript), API (Python), and SDK (Python)
- **Frequency**: On every push and pull request, plus daily scheduled scans
- **Integration**: Results uploaded to GitHub Security tab via SARIF format
- **Purpose**: Identifies security vulnerabilities, coding errors, and potential exploits in source code
-
-#### Python Security Scanners
- **Bandit**: Detects common security issues in Python code (SQL injection, hardcoded passwords, etc.)
-  - Configured to ignore test files and report only high-severity issues
-  - Runs on both SDK and API codebases
- **Pylint**: Static code analysis with security-focused checks
-  - Integrated into pre-commit hooks and CI/CD pipelines
-
-#### Code Quality & Dead Code Detection
- **Vulture**: Identifies unused code that could indicate incomplete implementations or security gaps
- **Flake8**: Style guide enforcement with security-relevant checks
- **Shellcheck**: Security and correctness checks for shell scripts
-
-### Software Composition Analysis (SCA)
-
-We continuously monitor our dependencies for known vulnerabilities and ensure timely updates:
-
-#### Dependency Vulnerability Scanning
- **Safety**: Scans Python dependencies against known vulnerability databases
-  - Runs on every commit via pre-commit hooks
-  - Integrated into CI/CD for SDK and API
-  - Configured with selective ignores for tracked exceptions
- **Trivy**: Multi-purpose scanner for containers and dependencies
-  - Scans all container images (UI, API, SDK, MCP Server)
-  - Checks for vulnerabilities in OS packages and application dependencies
-  - Reports findings to GitHub Security tab
-
-#### Automated Dependency Updates
- **Dependabot**: Automated pull requests for dependency updates
-  - **Python (pip)**: Monthly updates for SDK
-  - **GitHub Actions**: Monthly updates for workflow dependencies
-  - **Docker**: Monthly updates for base images
-  - Temporarily paused for API and UI to maintain stability during active development
-  - **Security-first approach**: Even when paused, Dependabot automatically creates pull requests for security vulnerabilities, ensuring critical security patches are never delayed
-
-### Container Security
-
-All container images are scanned before deployment:
-
- **Trivy Vulnerability Scanning**:
-  - Scans images for vulnerabilities and misconfigurations
-  - Generates SARIF reports uploaded to GitHub Security tab
-  - Creates PR comments with scan summaries
-  - Configurable to fail builds on critical findings
-  - Reports include CVE counts and remediation guidance
- **Hadolint**: Dockerfile linting to enforce best practices
-  - Validates Dockerfile syntax and structure
-  - Ensures secure image building practices
-
-### Secrets Detection
-
-We protect against accidental exposure of sensitive credentials:
-
- **TruffleHog**: Scans entire codebase and Git history for secrets
-  - Runs on every push and pull request
-  - Pre-commit hook prevents committing secrets
-  - Detects high-entropy strings, API keys, tokens, and credentials
-  - Configured to report verified and unknown findings
-
-### Security Monitoring
-
- **GitHub Security Tab**: Centralized view of all security findings from CodeQL, Trivy, and other SARIF-compatible tools
- **Artifact Retention**: Security scan reports retained for post-deployment analysis
- **PR Comments**: Automated security feedback on pull requests for rapid remediation
-
 ## Reporting Vulnerabilities

 At Prowler, we consider the security of our open source software and systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
@@ -5,26 +5,18 @@ import { VersionBadge } from "/snippets/version-badge.mdx"

 Prowler's Infrastructure as Code (IaC) provider enables scanning of local or remote infrastructure code for security and compliance issues using [Trivy](https://trivy.dev/). This provider supports a wide range of IaC frameworks, allowing assessment of code before deployment.

-## Supported IaC Formats
+## Supported Scanners

-Prowler IaC provider scans the following Infrastructure as Code configurations for misconfigurations and secrets:
+The IaC provider leverages [Trivy](https://trivy.dev/latest/docs/scanner/vulnerability/) to support multiple scanners, including:

-| Configuration Type | File Patterns                                |
-|--------------------|----------------------------------------------|
-| Kubernetes         | `*.yml`, `*.yaml`, `*.json`                  |
-| Docker             | `Dockerfile`, `Containerfile`                |
-| Terraform          | `*.tf`, `*.tf.json`, `*.tfvars`              |
-| Terraform Plan     | `tfplan`, `*.tfplan`, `*.json`               |
-| CloudFormation     | `*.yml`, `*.yaml`, `*.json`                  |
-| Azure ARM Template | `*.json`                                     |
-| Helm               | `*.yml`, `*.yaml`, `*.tpl`, `*.tar.gz`, etc. |
-| YAML               | `*.yaml`, `*.yml`                            |
-| JSON               | `*.json`                                     |
-| Ansible            | `*.yml`, `*.yaml`, `*.json`, `*.ini`, without extension |
+- Vulnerability
+- Misconfiguration
+- Secret
+- License

 ## How It Works

- Prowler App leverages [Trivy](https://trivy.dev/docs/latest/guide/coverage/iac/#scanner) to scan local directories (or specified paths) for supported IaC files, or scans remote repositories.
+- The IaC provider scans local directories (or specified paths) for supported IaC files, or scans remote repositories.
 - No cloud credentials or authentication are required for local scans.
 - For remote repository scans, authentication can be provided via [git URL](https://git-scm.com/docs/git-clone#_git_urls), CLI flags or environment variables.
  - Check the [IaC Authentication](/user-guide/providers/iac/authentication) page for more details.
@@ -35,10 +27,6 @@ Prowler IaC provider scans the following Infrastructure as Code configurations f

 <VersionBadge version="5.14.0" />

-### Supported Scanners
-
-Scanner selection is not configurable in Prowler App. Default scanners, misconfig and secret, run automatically during each scan.
-
 ### Step 1: Access Prowler Cloud/App

 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
@@ -75,17 +63,6 @@ Scanner selection is not configurable in Prowler App. Default scanners, misconfi

 <VersionBadge version="5.8.0" />

-### Supported Scanners
-
-Prowler CLI supports the following scanners:
-
- [Vulnerability](https://trivy.dev/docs/latest/guide/scanner/vulnerability/)
- [Misconfiguration](https://trivy.dev/docs/latest/guide/scanner/misconfiguration/)
- [Secret](https://trivy.dev/docs/latest/guide/scanner/secret/)
- [License](https://trivy.dev/docs/latest/guide/scanner/license/)
-
-By default, only misconfiguration and secret scanners run during a scan. To specify which scanners to use, refer to the [Specify Scanners](#specify-scanners) section below.
-
 ### Usage

 Use the `iac` argument to run Prowler with the IaC provider. Specify the directory or repository to scan, frameworks to include, and paths to exclude.
@@ -126,7 +103,7 @@ Authentication for private repositories can be provided using one of the followi

 #### Specify Scanners

-To run only specific scanners, use the `--scanners` flag. For example, to scan only for vulnerabilities and misconfigurations:
+Scan only vulnerability and misconfiguration scanners:

 ```sh
 prowler iac --scan-path ./my-iac-directory --scanners vuln misconfig
@@ -47,43 +47,8 @@ If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these
    kubectl create token prowler-sa -n prowler-ns --duration=0
    ```

-    - **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Choose an appropriate expiration time based on security policies. For a limited-time token, set `--duration=<TIME>` (e.g., `--duration=24h`).
-    <Note>
-    **Important:** If the token expires, Prowler Cloud can no longer authenticate with the cluster. Generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.
-    </Note>
-    <Tip>
-    **Token Expiration Limits**
-
-
-    When the Kubernetes cluster has `--service-account-max-token-expiration` configured, any token requested with a duration exceeding the maximum allowed value (including `--duration=0`) is automatically reduced to the cluster's maximum token expiration time. As an alternative solution, create a legacy Secret manually. Although Kubernetes no longer creates these secrets automatically, manual creation and linking to a ServiceAccount is still supported. These tokens do not expire until the secret or ServiceAccount is deleted.
-
-      **Steps:**
-
-      1. Create a `secret-sa.yaml` file (or any preferred name) with the following content:
-
-         ```yaml
-         apiVersion: v1
-         kind: Secret
-         metadata:
-           name: prowler-token-long-lived
-           namespace: prowler-ns
-           annotations:
-             kubernetes.io/service-account.name: "prowler-sa"
-         type: kubernetes.io/service-account-token
-         ```
-
-      2. Apply the secret:
-
-         ```console
-         kubectl apply -f secret-sa.yaml
-         ```
-
-      3. Retrieve the token (which will be permanent):
-
-         ```console
-         kubectl get secret prowler-token-long-lived -n prowler-ns -o jsonpath='{.data.token}' | base64 --decode
-         ```
-     </Tip>
+    - **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set `--duration=<TIME>` (e.g., `--duration=24h`).
+    - **Important:** If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.

 3. Update your `kubeconfig` to use the ServiceAccount token:

@@ -2,83 +2,18 @@
 title: 'Getting Started with MongoDB Atlas'
 ---

-import { VersionBadge } from "/snippets/version-badge.mdx"
-
-Prowler supports MongoDB Atlas both from the CLI and from Prowler Cloud. This guide walks you through the requirements, how to connect the provider in the UI, and how to run scans from the command line.
-
-## Prerequisites
-
-Before you begin, make sure you have:
-
-1. A MongoDB Atlas organization with **API Access** enabled.
-2. An **Organization ID** (24-character hex string).
-3. An **API Key pair** (public and private keys) with appropriate permissions:
-   - **Organization Read Only**: Provides read-only access to everything in the organization, including all projects in the organization. This permission is sufficient for most security checks.
-   - **Organization Owner**: Required to audit the [Auditing configuration](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-auditing) for projects. Database auditing tracks database operations and security events, including authentication attempts, data definition language (DDL) changes, user and role modifications, and privilege grants. This configuration is essential for security monitoring, forensics, and compliance. Without **Organization Owner** permission, the `projects_auditing_enabled` check cannot retrieve the audit configuration status.
-4. Prowler App access (cloud or self-hosted) or the Prowler CLI (`pip install prowler`).
-
-For detailed instructions on creating API keys, see the [MongoDB Atlas authentication guide](./authentication.mdx).
-
-<Warning>
-If **Require IP Access List for the Atlas Administration API** is enabled in your organization settings, you **must** add the IP address of the host running Prowler (or the public IP of Prowler Cloud) to the organization IP Access List or Atlas will reject every API call. You can manage this under **Settings → Organization Settings → Security**. See step 7 of the [authentication guide](./authentication.mdx) for detailed instructions, and refer to the [Prowler Cloud public IP list](../../tutorials/prowler-cloud-public-ips) when using Prowler Cloud.
-</Warning>
-
-<CardGroup cols={2}>
-  <Card title="Prowler Cloud" icon="cloud" href="#prowler-cloud">
-    Onboard MongoDB Atlas using Prowler Cloud
-  </Card>
-  <Card title="Prowler CLI" icon="terminal" href="#prowler-cli">
-    Onboard MongoDB Atlas using Prowler CLI
-  </Card>
-</CardGroup>
-
-## Prowler Cloud
-
-<VersionBadge version="5.15.0" />
-
-### Step 1: Add the provider
-
-1. Navigate to **Cloud Providers** and click **Add Cloud Provider**.
-   ![Add provider list](./img/add-provider-list.png)
-2. Select **MongoDB Atlas** from the provider list.
-3. Enter your **Organization ID** (24 hex characters). This value is visible in the Atlas UI under **Organization Settings**.
-   ![Add organization ID](./img/add-org-id.png)
-4. (Optional) Add a friendly alias to identify this organization in dashboards.
-
-### Step 2: Provide API credentials
-
-1. Click **Next** to open the credentials form.
-2. Paste the **Atlas Public Key** and **Atlas Private Key** generated in the Atlas console.
-   ![Add credentials](./img/add-credentials.png)
-
-### Step 3: Test the connection and start scanning
-
-1. Click **Test connection** to ensure Prowler App can reach the Atlas API.
-2. Save the credentials. The provider will appear in the list with its current connection status.
-3. Launch a scan from the provider row or from the **Scans** page.
-   ![Launch scan](./img/launch-scan.png)
-
---
-
 ## Prowler CLI

-<VersionBadge version="5.12.0" />
+### Authentication Methods

-You can also run MongoDB Atlas assessments directly from the CLI. Both command-line flags and environment variables are supported.
+#### Command-Line Arguments

-### Step 1: Select an authentication method
-
-Choose one of the following authentication methods:
-
-#### Command-line arguments

 ```bash
-prowler mongodbatlas \
-  --atlas-public-key <public_key> \
-  --atlas-private-key <private_key>
+prowler mongodbatlas --atlas-public-key <public_key> --atlas-private-key <private_key>
 ```

-#### Environment variables
+#### Environment Variables

 ```bash
 export ATLAS_PUBLIC_KEY=<public_key>
@@ -86,28 +21,33 @@ export ATLAS_PRIVATE_KEY=<private_key>
 prowler mongodbatlas
 ```

-### Step 2: Run the first scan

-#### Scan all projects and clusters
+
+### Scan All Projects and Clusters
+
+After storing API keys, run Prowler with the following command:
+
+```bash
+prowler mongodbatlas --atlas-public-key <key> --atlas-private-key <secret>
+```
+
+Alternatively, set API keys as environment variables:
+
+```bash
+export ATLAS_PUBLIC_KEY=<key>
+export ATLAS_PRIVATE_KEY=<secret>
+```
+
+Then run Prowler with the following command:

 ```bash
 prowler mongodbatlas
 ```

-This command enumerates all projects accessible to the API key and scans every cluster.
+### Scanning a Specific Project

-#### Scan a specific project
-
-Add the `--atlas-project-id` flag when you only want to assess one project:
+To scan a specific project, add the following argument to the command above:

 ```bash
 prowler mongodbatlas --atlas-project-id <project-id>
 ```
-
-### Additional tips
-
- Combine flags (for example, `--checks` or `--services`) just like with other providers.
- Use `--output-modes` to export findings in JSON, CSV, ASFF, etc.
- Rotate API keys regularly and update the stored credentials in Prowler App to maintain connectivity.
-
-For more examples (filters, outputs, scheduling), refer back to the [MongoDB Atlas documentation hub](./authentication.mdx) and the main Prowler CLI usage guide.
@@ -1,3 +1,3 @@
 PROWLER_APP_API_KEY="pk_your_api_key_here"
-API_BASE_URL="https://api.prowler.com/api/v1"
+PROWLER_API_BASE_URL="https://api.prowler.com"
 PROWLER_MCP_TRANSPORT_MODE="stdio"
@@ -1,310 +0,0 @@
-# Prowler MCP Server - AI Agent Ruleset
-
-**Complete guide for AI agents and developers working on the Prowler MCP Server - the Model Context Protocol server that provides AI agents access to the Prowler ecosystem.**
-
-## Project Overview
-
-The Prowler MCP Server brings the entire Prowler ecosystem to AI assistants through
-the Model Context Protocol (MCP). It enables seamless integration with AI tools
-like Claude Desktop, Cursor, and other MCP hosts, allowing interaction with
-Prowler's security capabilities through natural language.
-
---
-
-## Critical Rules
-
-### Tool Implementation
-
- **ALWAYS**: Extend `BaseTool` ABC for new Prowler App tools (auto-registration)
- **ALWAYS**: Use `@mcp.tool()` decorator for Hub/Docs tools (manual registration)
- **NEVER**: Manually register BaseTool subclasses (auto-discovered via `load_all_tools()`)
- **NEVER**: Import tools directly in server.py (tool_loader handles discovery)
-
-### Models
-
- **ALWAYS**: Use `MinimalSerializerMixin` for LLM-optimized responses
- **ALWAYS**: Implement `from_api_response()` factory method for API transformations
- **ALWAYS**: Use two-tier models (Simplified for lists, Detailed for single items)
- **NEVER**: Return raw API responses (transform to simplified models)
-
-### API Client
-
- **ALWAYS**: Use singleton `ProwlerAPIClient` via `self.api_client` in tools
- **ALWAYS**: Use `build_filter_params()` for query parameter normalization
- **NEVER**: Create new httpx clients in tools (use shared client)
-
---
-
-## Architecture
-
-### Three Sub-Servers Pattern
-
-The main server (`server.py`) orchestrates three independent sub-servers with prefixed tool namespacing:
-
-```python
-# server.py imports sub-servers with prefixes
-await prowler_mcp_server.import_server(hub_mcp_server, prefix="prowler_hub")
-await prowler_mcp_server.import_server(app_mcp_server, prefix="prowler_app")
-await prowler_mcp_server.import_server(docs_mcp_server, prefix="prowler_docs")
-```
-
-This pattern ensures:
- Failures in one sub-server do not block others
- Clear tool namespacing for LLM disambiguation
- Independent development and testing
-
-### Tool Naming Convention
-
-All tools follow a consistent naming pattern with prefixes:
- `prowler_hub_*` - Prowler Hub catalog and compliance tools
- `prowler_docs_*` - Prowler documentation search and retrieval
- `prowler_app_*` - Prowler Cloud and App (Self-Managed) management tools
-
-### Tool Registration Patterns
-
-**Pattern 1: Prowler Hub/Docs (Direct Decorators)**
-
-```python
-# prowler_hub/server.py or prowler_documentation/server.py
-hub_mcp_server = FastMCP("prowler-hub")
-
-@hub_mcp_server.tool()
-async def get_checks(providers: str | None = None) -> dict:
-    """Tool docstring becomes LLM description."""
-    # Direct implementation
-    response = prowler_hub_client.get("/check", params=params)
-    return response.json()
-```
-
-**Pattern 2: Prowler App (BaseTool Auto-Registration)**
-
-```python
-# prowler_app/tools/findings.py
-class FindingsTools(BaseTool):
-    async def search_security_findings(
-        self,
-        severity: list[str] = Field(default=[], description="Filter by severity")
-    ) -> dict:
-        """Docstring becomes LLM description."""
-        response = await self.api_client.get("/api/v1/findings")
-        return SimplifiedFinding.from_api_response(response).model_dump()
-```
-
-NOTE: Only public methods of `BaseTool` subclasses are registered as tools.
-
---
-
-## Tech Stack
-
- **Language**: Python 3.12+
- **MCP Framework**: FastMCP 2.13.1
- **HTTP Client**: httpx (async)
- **Validation**: Pydantic with MinimalSerializerMixin
- **Package Manager**: uv
-
---
-
-## Project Structure
-
-```
-mcp_server/
-├── README.md                              # User documentation
-├── AGENTS.md                              # This file - AI agent guidelines
-├── CHANGELOG.md                           # Version history
-├── pyproject.toml                         # Project metadata and dependencies
-├── Dockerfile                             # Container image definition
-├── entrypoint.sh                          # Docker entrypoint script
-└── prowler_mcp_server/
-    ├── __init__.py                        # Version info
-    ├── main.py                            # CLI entry point
-    ├── server.py                          # Main FastMCP server orchestration
-    ├── lib/
-    │   └── logger.py                      # Structured logging
-    ├── prowler_hub/
-    │   └── server.py                      # Hub tools (10 tools, no auth)
-    ├── prowler_app/
-    │   ├── server.py                      # App server initialization
-    │   ├── tools/
-    │   │   ├── base.py                    # BaseTool abstract class
-    │   │   ├── findings.py                # Findings tools
-    │   │   ├── providers.py               # Provider tools
-    │   │   ├── scans.py                   # Scan tools
-    │   │   ├── resources.py               # Resource tools
-    │   │   └── muting.py                  # Muting tools
-    │   ├── models/
-    │   │   ├── base.py                    # MinimalSerializerMixin
-    │   │   ├── findings.py                # Finding models
-    │   │   ├── providers.py               # Provider models
-    │   │   ├── scans.py                   # Scan models
-    │   │   ├── resources.py               # Resource models
-    │   │   └── muting.py                  # Muting models
-    │   └── utils/
-    │       ├── api_client.py              # ProwlerAPIClient singleton
-    │       ├── auth.py                    # ProwlerAppAuth (STDIO/HTTP)
-    │       └── tool_loader.py             # Auto-discovery and registration
-    └── prowler_documentation/
-        ├── server.py                      # Documentation tools (2 tools, no auth)
-        └── search_engine.py               # Mintlify API integration
-```
-
---
-
-## Commands
-
-NOTE: To run a python command always use `uv run <command>` from within the `mcp_server/` directory.
-
-### Development
-
-```bash
-# Navigate to MCP server directory
-cd mcp_server
-
-# Run in STDIO mode (default)
-uv run prowler-mcp
-
-# Run in HTTP mode
-uv run prowler-mcp --transport http --host 0.0.0.0 --port 8000
-
-# Run from anywhere using uvx
-uvx /path/to/prowler/mcp_server/
-```
-
---
-
-## Development Patterns
-
-### Adding New Tools to Prowler App
-
-1. **Create or extend a tool class** in `prowler_app/tools/`:
-
-```python
-# prowler_app/tools/new_feature.py
-from pydantic import Field
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-from prowler_mcp_server.prowler_app.models.new_feature import FeatureResponse
-
-class NewFeatureTools(BaseTool):
-    async def list_features(
-        self,
-        status: str | None = Field(default=None, description="Filter by status")
-    ) -> dict:
-        """List all features with optional filtering.
-
-        Returns a simplified list of features optimized for LLM consumption.
-        """
-        params = {}
-        if status:
-            params["filter[status]"] = status
-
-        clean_params = self.api_client.build_filter_params(params)
-        response = await self.api_client.get("/api/v1/features", params=clean_params)
-
-        return FeatureResponse.from_api_response(response).model_dump()
-```
-
-2. **Create corresponding models** in `prowler_app/models/`:
-
-```python
-# prowler_app/models/new_feature.py
-from pydantic import Field
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-
-class SimplifiedFeature(MinimalSerializerMixin):
-    """Lightweight feature for list operations."""
-    id: str
-    name: str
-    status: str
-
-class DetailedFeature(SimplifiedFeature):
-    """Extended feature with complete details."""
-    description: str | None = None
-    created_at: str
-    updated_at: str
-
-    @classmethod
-    def from_api_response(cls, data: dict) -> "DetailedFeature":
-        """Transform API response to model."""
-        attributes = data.get("attributes", {})
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            status=attributes["status"],
-            description=attributes.get("description"),
-            created_at=attributes["created_at"],
-            updated_at=attributes["updated_at"],
-        )
-```
-
-3. **No registration needed** - the tool loader auto-discovers BaseTool subclasses
-
-### Adding Tools to Prowler Hub/Docs
-
-Use the `@mcp.tool()` decorator directly:
-
-```python
-# prowler_hub/server.py
-@hub_mcp_server.tool()
-async def new_hub_tool(param: str) -> dict:
-    """Tool description for LLM."""
-    response = prowler_hub_client.get("/endpoint")
-    return response.json()
-```
-
---
-
-## Code Quality Standards
-
-### Tool Docstrings
-
-Tool docstrings become AI agent descriptions. Write them in a clear, concise manner focusing on LLM-relevant behavior:
-
-```python
-async def search_security_findings(
-    self,
-    severity: list[str] = Field(default=[], description="Filter by severity levels")
-) -> dict:
-    """Search security findings with advanced filtering.
-
-    Returns a lightweight list of findings optimized for LLM consumption.
-    Use get_finding_details for complete information about a specific finding.
-    """
-```
-
-### Model Design
-
- Use `MinimalSerializerMixin` to exclude None/empty values
- Implement `from_api_response()` for consistent API transformation
- Create two-tier models: Simplified (lists) and Detailed (single items)
-
-### Error Handling
-
-Return structured error responses rather than raising exceptions:
-
-```python
-try:
-    response = await self.api_client.get(f"/api/v1/items/{item_id}")
-    return DetailedItem.from_api_response(response["data"]).model_dump()
-except Exception as e:
-    self.logger.error(f"Failed to get item {item_id}: {e}")
-    return {"error": str(e), "status": "failed"}
-```
-
---
-
-## QA Checklist Before Commit
-
- [ ] Tool docstrings are clear and describe LLM-relevant behavior
- [ ] Models use `MinimalSerializerMixin` for LLM optimization
- [ ] API responses are transformed to simplified models
- [ ] No hardcoded secrets or API keys
- [ ] Error handling returns structured responses
- [ ] New tools are auto-discovered (BaseTool subclass) or properly decorated
- [ ] Parameter descriptions use Pydantic `Field()` with clear descriptions
-
---
-
-## References
-
- **Root Project Guide**: `../AGENTS.md`
- **FastMCP Documentation**: https://gofastmcp.com/llms.txt
- **Prowler API Documentation**: https://api.prowler.com/api/v1/docs
@@ -2,21 +2,11 @@

 All notable changes to the **Prowler MCP Server** are documented in this file.

-## [0.2.1] (UNRELEASED)
-
-### Changed
-
- Update API base URL environment variable to include complete path [(#9542)](https://github.com/prowler-cloud/prowler/pull/9300)
-
-## [0.2.0] (Prowler v5.15.0)
+## [0.2.0] (Prowler UNRELEASED)

 ### Added

 - Remove all Prowler App MCP tools; and add new MCP Server tools for Prowler Findings and Compliance [(#9300)](https://github.com/prowler-cloud/prowler/pull/9300)
- Add new MCP Server tools for Prowler Providers Management [(#9350)](https://github.com/prowler-cloud/prowler/pull/9350)
- Add new MCP Server tools for Prowler Resources Management [(#9380)](https://github.com/prowler-cloud/prowler/pull/9380)
- Add new MCP Server tools for Prowler Scans Management [(#9509)](https://github.com/prowler-cloud/prowler/pull/9509)
- Add new MCP Server tools for Prowler Muting Management [(#9510)](https://github.com/prowler-cloud/prowler/pull/9510)

 ---

@@ -1,59 +1,18 @@
 # Prowler MCP Server

-**Prowler MCP Server** brings the entire Prowler ecosystem to AI assistants through the [Model Context Protocol (MCP)](https://modelcontextprotocol.io). It enables seamless integration with AI tools like Claude Desktop, Cursor, and other MCP clients, allowing interaction with Prowler's security capabilities through natural language.
+> ⚠️ **Preview Feature**: This MCP server is currently in preview and under active development. Features and functionality may change. We welcome your feedback—please report any issues on [GitHub](https://github.com/prowler-cloud/prowler/issues) or join our [Slack community](https://goto.prowler.com/slack) to discuss and share your thoughts.

-> **Preview Feature**: This MCP server is currently under active development. Features and functionality may change. We welcome your feedback—please report any issues on [GitHub](https://github.com/prowler-cloud/prowler/issues) or join our [Slack community](https://goto.prowler.com/slack).
+Access the entire Prowler ecosystem through the Model Context Protocol (MCP). This server provides three main capabilities:

-## Key Capabilities
+- **Prowler Cloud and Prowler App (Self-Managed)**: Full access to Prowler Cloud platform and Prowler Self-Managed for managing providers, running scans, and analyzing security findings
+- **Prowler Hub**: Access to Prowler's security checks, fixers, and compliance frameworks catalog
+- **Prowler Documentation**: Search and retrieve official Prowler documentation

-### Prowler Cloud and Prowler App (Self-Managed)
+## Quick Start with Hosted Server (Recommended)

-Full access to Prowler Cloud platform and self-managed Prowler App for:
- **Findings Analysis**: Query, filter, and analyze security findings across all your cloud environments
- **Provider Management**: Create, configure, and manage your configured Prowler providers (AWS, Azure, GCP, etc.)
- **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments
- **Resource Inventory**: Search and view detailed information about your audited resources
- **Muting Management**: Create and manage muting rules to suppress non-critical findings
+**The easiest way to use Prowler MCP is through our hosted server at `https://mcp.prowler.com/mcp`**

-### Prowler Hub
-
-Access to Prowler's comprehensive security knowledge base:
- **Security Checks Catalog**: Browse and search **over 1000 security checks** across multiple Prowler providers
- **Check Implementation**: View the Python code that powers each security check
- **Automated Fixers**: Access remediation scripts for common security issues
- **Compliance Frameworks**: Explore mappings to **over 70 compliance standards and frameworks**
- **Provider Services**: View available services and checks for each cloud provider
-
-### Prowler Documentation
-
-Search and retrieve official Prowler documentation:
- **Intelligent Search**: Full-text search across all Prowler documentation
- **Contextual Results**: Get relevant documentation pages with highlighted snippets
- **Document Retrieval**: Access complete markdown content of any documentation file
-
-## Documentation
-
-For comprehensive guides and tutorials, see the official documentation:
-
-| Guide | Description |
-|-------|-------------|
-| [Overview](https://docs.prowler.com/getting-started/products/prowler-mcp) | Key capabilities, use cases, and deployment options |
-| [Installation](https://docs.prowler.com/getting-started/installation/prowler-mcp) | Docker, PyPI, and source installation |
-| [Configuration](https://docs.prowler.com/getting-started/basic-usage/prowler-mcp) | Configure Claude Desktop, Cursor, and other MCP clients |
-| [Tools Reference](https://docs.prowler.com/getting-started/basic-usage/prowler-mcp-tools) | Complete reference of all tools |
-| [Developer Guide](https://docs.prowler.com/developer-guide/mcp-server) | How to extend with new tools |
-
-## Deployment Options
-
-Prowler MCP Server can be used in three ways:
-
-### 1. Prowler Cloud MCP Server (Recommended)
-
-**Use Prowler's managed MCP server at `https://mcp.prowler.com/mcp`**
-
- No installation required
- Managed and maintained by Prowler team
- Always up-to-date
+No installation required! Just configure your MCP client:

 ```json
 {
@@ -71,37 +30,70 @@ Prowler MCP Server can be used in three ways:
 }
 ```

-### 2. Local STDIO Mode
+**Configuration file locations:**
+- **Claude Desktop (macOS)**: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- **Claude Desktop (Windows)**: `%AppData%\Claude\claude_desktop_config.json`
+- **Cursor**: `~/.cursor/mcp.json`

-**Run the server locally on your machine**
+Get your API key at [Prowler Cloud](https://cloud.prowler.com) → Settings → API Keys

- Runs as a subprocess of your MCP client
- Requires Python 3.12+ or Docker
+> **Benefits:** Always up-to-date, no maintenance, managed by Prowler team

-### 3. Self-Hosted HTTP Mode
+## Local/Self-Hosted Installation

-**Deploy your own remote MCP server**
+If you need to run the MCP server locally or self-host it, choose one of the following installation methods. **Configuration is the same** for both managed and local installations - just point to your local server URL instead of `https://mcp.prowler.com/mcp`.

- Full control over deployment
- Requires Python 3.12+ or Docker
+### Requirements

-See the [Installation Guide](https://docs.prowler.com/getting-started/installation/prowler-mcp) for complete instructions.
+- Python 3.12+ (for source/PyPI installation)
+- Docker (for Docker installation)
+- Network access to `https://hub.prowler.com` (for Prowler Hub)
+- Network access to `https://prowler.mintlify.app` (for Prowler Documentation)
+- Network access to Prowler Cloud and Prowler App (Self-Managed) API (optional, only for Prowler Cloud/App features)
+- Prowler Cloud account credentials (only for Prowler Cloud and Prowler App features)

-## Quick Installation
+### Installation Methods

-### Docker (Recommended)
+#### Option 1: Docker Hub (Recommended)
+
+Pull the official image from Docker Hub:

 ```bash
 docker pull prowlercloud/prowler-mcp
-
-# STDIO mode
-docker run --rm -i prowlercloud/prowler-mcp
-
-# HTTP mode
-docker run --rm -p 8000:8000 prowlercloud/prowler-mcp --transport http --host 0.0.0.0 --port 8000
 ```

-### From Source
+Run in STDIO mode:
+```bash
+docker run --rm -i prowlercloud/prowler-mcp
+```
+
+Run in HTTP mode:
+```bash
+docker run --rm -p 8000:8000 \
+  prowlercloud/prowler-mcp \
+  --transport http --host 0.0.0.0 --port 8000
+```
+
+With environment variables:
+```bash
+docker run --rm -i \
+  -e PROWLER_APP_API_KEY="pk_your_api_key" \
+  -e PROWLER_API_BASE_URL="https://api.prowler.com" \
+  prowlercloud/prowler-mcp
+```
+
+**Docker Hub:** [prowlercloud/prowler-mcp](https://hub.docker.com/r/prowlercloud/prowler-mcp)
+
+#### Option 2: PyPI Package (Coming Soon)
+
+```bash
+pip install prowler-mcp-server
+prowler-mcp --help
+```
+
+#### Option 3: From Source (Development)
+
+Clone the repository and use `uv`:

 ```bash
 git clone https://github.com/prowler-cloud/prowler.git
@@ -109,86 +101,400 @@ cd prowler/mcp_server
 uv run prowler-mcp --help
 ```

+Install [uv](https://docs.astral.sh/uv/) first if needed.
+
+#### Option 4: Build Docker Image from Source
+
+```bash
+git clone https://github.com/prowler-cloud/prowler.git
+cd prowler/mcp_server
+docker build -t prowler-mcp .
+docker run --rm -i prowler-mcp
+```
+
+## Running
+
+The Prowler MCP server supports two transport modes:
+- **STDIO mode** (default): For direct integration with MCP clients like Claude Desktop
+- **HTTP mode**: For remote access over HTTP with Bearer token authentication
+
+### Transport Modes
+
+#### STDIO Mode (Default)
+
+STDIO mode is the standard MCP transport for direct client integration:
+
+```bash
+cd prowler/mcp_server
+uv run prowler-mcp
+# or
+uv run prowler-mcp --transport stdio
+```
+
+#### HTTP Mode (Remote Server)
+
+HTTP mode allows the server to run as a remote service accessible over HTTP:
+
+```bash
+cd prowler/mcp_server
+# Run on default host and port (127.0.0.1:8000)
+uv run prowler-mcp --transport http
+
+# Run on custom host and port
+uv run prowler-mcp --transport http --host 0.0.0.0 --port 8080
+```
+
+For self-deployed MCP remote server, you can use also configure the server to use a custom API base URL with the environment variable `PROWLER_API_BASE_URL`; and the transport mode with the environment variable `PROWLER_MCP_TRANSPORT_MODE`.
+
+```bash
+export PROWLER_API_BASE_URL="https://api.prowler.com"
+export PROWLER_MCP_TRANSPORT_MODE="http"
+```
+
+### Using uv directly
+
+After installation, start the MCP server via the console script:
+
+```bash
+cd prowler/mcp_server
+uv run prowler-mcp
+```
+
+Alternatively, you can run from wherever you want using `uvx` command:
+
+```bash
+uvx /path/to/prowler/mcp_server/
+```
+
+### Using Docker
+
+#### STDIO Mode (Default)
+
+Run the pre-built Docker container in STDIO mode:
+
+```bash
+cd prowler/mcp_server
+docker run --rm --env-file ./.env -it prowler-mcp
+```
+
+#### HTTP Mode (Remote Server)
+
+Run as a remote HTTP server:
+
+```bash
+cd prowler/mcp_server
+# Run on port 8000 (accessible from host)
+docker run --rm --env-file ./.env -p 8000:8000 -it prowler-mcp --transport http --host 0.0.0.0 --port 8000
+
+# Run on custom port
+docker run --rm --env-file ./.env -p 8080:8080 -it prowler-mcp --transport http --host 0.0.0.0 --port 8080
+```
+
+## Production Deployment
+
+For production deployments that require customization, it is recommended to use the ASGI application that can be found in `prowler_mcp_server.server`. This can be run with uvicorn:
+
+```bash
+uvicorn prowler_mcp_server.server:app --host 0.0.0.0 --port 8000
+```
+
+For more details on production deployment options, see the [FastMCP production deployment guide](https://gofastmcp.com/deployment/http#production-deployment) and [uvicorn settings](https://www.uvicorn.org/settings/).
+
+## Command Line Arguments
+
+The Prowler MCP server supports the following command line arguments:
+
+```
+prowler-mcp [--transport {stdio,http}] [--host HOST] [--port PORT]
+```
+
+**Arguments:**
+- `--transport {stdio,http}`: Transport method (default: stdio)
+  - `stdio`: Standard input/output transport for direct MCP client integration
+  - `http`: HTTP transport for remote server access
+- `--host HOST`: Host to bind to for HTTP transport (default: 127.0.0.1)
+- `--port PORT`: Port to bind to for HTTP transport (default: 8000)
+
+**Examples:**
+```bash
+# Default STDIO mode
+prowler-mcp
+
+# Explicit STDIO mode
+prowler-mcp --transport stdio
+
+# HTTP mode with default host and port (127.0.0.1:8000)
+prowler-mcp --transport http
+
+# HTTP mode accessible from any network interface
+prowler-mcp --transport http --host 0.0.0.0
+
+# HTTP mode with custom port
+prowler-mcp --transport http --host 0.0.0.0 --port 8080
+```
+
 ## Available Tools

-For complete tool descriptions and parameters, see the [Tools Reference](https://docs.prowler.com/getting-started/basic-usage/prowler-mcp-tools).
+### Prowler Hub

-### Tool Naming Convention
+All tools are exposed under the `prowler_hub` prefix.

-All tools follow a consistent naming pattern with prefixes:
- `prowler_app_*` - Prowler Cloud and App (Self-Managed) management tools
- `prowler_hub_*` - Prowler Hub catalog and compliance tools
- `prowler_docs_*` - Prowler documentation search and retrieval
+- `prowler_hub_get_check_filters`: Return available filter values for checks (providers, services, severities, categories, compliances). Call this before `prowler_hub_get_checks` to build valid queries.
+- `prowler_hub_get_checks`: List checks with option of advanced filtering.
+- `prowler_hub_get_check_raw_metadata`: Fetch raw check metadata JSON (low-level version of get_checks).
+- `prowler_hub_get_check_code`: Fetch check implementation Python code from Prowler.
+- `prowler_hub_get_check_fixer`: Fetch check fixer Python code from Prowler (if it exists).
+- `prowler_hub_search_checks`: Full‑text search across check metadata.
+- `prowler_hub_get_compliance_frameworks`: List/filter compliance frameworks.
+- `prowler_hub_search_compliance_frameworks`: Full-text search across frameworks.
+- `prowler_hub_list_providers`: List Prowler official providers and their services.
+- `prowler_hub_get_artifacts_count`: Return total artifact count (checks + frameworks).

-## Architecture
+### Prowler Documentation

-```
-prowler_mcp_server/
-├── server.py                 # Main orchestrator (imports sub-servers with prefixes)
-├── main.py                   # CLI entry point
-├── prowler_hub/              # tools - no authentication required
-├── prowler_app/              # tools - authentication required
-│   ├── tools/                # Tool implementations
-│   ├── models/               # Pydantic models for LLM-optimized responses
-│   └── utils/                # API client, authentication, tool loader
-└── prowler_documentation/    # tools - no authentication required
+All tools are exposed under the `prowler_docs` prefix.
+
+- `prowler_docs_search`: Search the official Prowler documentation using fulltext search. Returns relevant documentation pages with highlighted snippets and relevance scores.
+- `prowler_docs_get_document`: Retrieve the full markdown content of a specific documentation file using the path from search results.
+
+### Prowler Cloud and Prowler App (Self-Managed)
+
+All tools are exposed under the `prowler_app` prefix.
+
+#### Findings Management
+- `prowler_app_list_findings`: List security findings from Prowler scans with advanced filtering
+- `prowler_app_get_finding`: Get detailed information about a specific security finding
+- `prowler_app_get_latest_findings`: Retrieve latest findings from the latest scans for each provider
+- `prowler_app_get_findings_metadata`: Fetch unique metadata values from filtered findings
+- `prowler_app_get_latest_findings_metadata`: Fetch metadata from latest findings across all providers
+
+#### Provider Management
+- `prowler_app_list_providers`: List all providers with filtering options
+- `prowler_app_create_provider`: Create a new provider in the current tenant
+- `prowler_app_get_provider`: Get detailed information about a specific provider
+- `prowler_app_update_provider`: Update provider details (alias, etc.)
+- `prowler_app_delete_provider`: Delete a specific provider
+- `prowler_app_test_provider_connection`: Test provider connection status
+
+#### Provider Secrets Management
+- `prowler_app_list_provider_secrets`: List all provider secrets with filtering
+- `prowler_app_add_provider_secret`: Add or update credentials for a provider
+- `prowler_app_get_provider_secret`: Get detailed information about a provider secret
+- `prowler_app_update_provider_secret`: Update provider secret details
+- `prowler_app_delete_provider_secret`: Delete a provider secret
+
+#### Scan Management
+- `prowler_app_list_scans`: List all scans with filtering options
+- `prowler_app_create_scan`: Trigger a manual scan for a specific provider
+- `prowler_app_get_scan`: Get detailed information about a specific scan
+- `prowler_app_update_scan`: Update scan details
+- `prowler_app_get_scan_compliance_report`: Download compliance report as CSV
+- `prowler_app_get_scan_report`: Download ZIP file containing scan report
+
+#### Schedule Management
+- `prowler_app_schedules_daily_scan`: Create a daily scheduled scan for a provider
+
+#### Processor Management
+- `prowler_app_processors_list`: List all processors with filtering
+- `prowler_app_processors_create`: Create a new processor. For now, only mute lists are supported.
+- `prowler_app_processors_retrieve`: Get processor details by ID
+- `prowler_app_processors_partial_update`: Update processor configuration
+- `prowler_app_processors_destroy`: Delete a processor
+
+## Configuration
+
+### Prowler Cloud and Prowler App (Self-Managed) Authentication
+
+> [!IMPORTANT]
+> Authentication is not needed for using Prowler Hub or Prowler Documentation features.
+
+The Prowler MCP server supports different authentication in Prowler Cloud and Prowler App (Self-Managed) methods depending on the transport mode:
+
+#### STDIO Mode Authentication
+
+For STDIO mode, authentication is handled via environment variables using an API key:
+
+```bash
+# Required for Prowler Cloud and Prowler App (Self-Managed) authentication
+export PROWLER_APP_API_KEY="pk_your_api_key_here"
+
+# Optional - for custom API endpoint, in case not provided Prowler Cloud API will be used
+export PROWLER_API_BASE_URL="https://api.prowler.com"
 ```

-**Key Features:**
- **Modular Design**: Three independent sub-servers with prefixed namespacing
- **Auto-Discovery**: Prowler App tools are automatically discovered and registered
- **LLM Optimization**: Response models minimize token usage by excluding empty values
- **Dual Transport**: Supports both STDIO (local) and HTTP (remote) modes
+#### HTTP Mode Authentication

-## Use Cases
+For HTTP mode (remote server), authentication is handled via Bearer tokens. The MCP server supports both JWT tokens and API keys:

-The Prowler MCP Server enables powerful workflows through AI assistants:
+**Option 1: Using API Keys (Recommended)**
+Use your Prowler API key directly in the MCP client configuration with Bearer token format:
+```
+Authorization: Bearer pk_your_api_key_here
+```

-**Security Operations**
- "Show me all critical findings from my AWS production accounts"
- "Register my new AWS account in Prowler and run a scheduled scan every day"
- "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"
+**Option 2: Using JWT Tokens**
+You need to obtain a JWT token from Prowler Cloud/App and include the generated token in the MCP client configuration. To get a valid token, you can use the following command (replace the email and password with your own credentials):

-**Security Research**
- "Explain what the S3 bucket public access Prowler check does"
- "Find all Prowler checks related to encryption at rest"
- "What is the latest version of the CIS that Prowler is covering per provider?"
+```bash
+curl -X POST https://api.prowler.com/api/v1/tokens \
+  -H "Content-Type: application/vnd.api+json" \
+  -H "Accept: application/vnd.api+json" \
+  -d '{
+    "data": {
+      "type": "tokens",
+      "attributes": {
+        "email": "your-email@example.com",
+        "password": "your-password"
+      }
+    }
+  }'
+```

-**Documentation & Learning**
- "How do I configure Prowler to scan my GCP organization?"
- "What authentication methods does Prowler support for Azure?"
- "How can I contribute with a new security check to Prowler?"
+The response will be a JWT token that you can use to [authenticate your MCP client](#http-mode-configuration-remote-server).

-## Requirements
+### MCP Client Configuration

-**For Prowler Cloud MCP Server:**
- Prowler Cloud account and API key (only for Prowler Cloud/App features)
+Configure your MCP client, like Claude Desktop, Cursor, etc, to connect to the server. The configuration depends on whether you're running in STDIO mode (local) or HTTP mode (remote).

-**For self-hosted STDIO/HTTP Mode:**
- Python 3.12+ or Docker
- Network access to:
-  - `https://hub.prowler.com` (for Prowler Hub)
-  - `https://docs.prowler.com` (for Prowler Documentation)
-  - Prowler Cloud API or self-hosted Prowler App API (for Prowler Cloud/App features)
+#### STDIO Mode Configuration

-> **No Authentication Required**: Prowler Hub and Prowler Documentation features work without authentication. A Prowler API key is only required to access Prowler Cloud or Prowler App (Self-Managed) features.
+For local execution, configure your MCP client to launch the server directly. Below are examples for both direct execution and Docker deployment; consult your client's documentation for exact locations.

-## Configuring MCP Hosts
+##### Using uvx (Direct Execution)

-To configure your MCP host (Claude Code, Cursor, etc.) see the [Configuration Guide](https://docs.prowler.com/getting-started/basic-usage/prowler-mcp) for detailed setup instructions.
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "command": "uvx",
+      "args": ["/path/to/prowler/mcp_server/"],
+      "env": {
+        "PROWLER_APP_API_KEY": "pk_your_api_key_here",
+        "PROWLER_API_BASE_URL": "https://api.prowler.com"  // Optional, in case not provided Prowler Cloud API will be used
+      }
+    }
+  }
+}
+```

-## Contributing
+##### Using Docker

-For developers looking to extend the MCP server with new tools or features:
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "command": "docker",
+      "args": [
+        "run", "--rm", "-i",
+        "--env", "PROWLER_APP_API_KEY=pk_your_api_key_here",
+        "--env", "PROWLER_API_BASE_URL=https://api.prowler.com",  // Optional, in case not provided Prowler Cloud API will be used
+        "prowler-mcp"
+      ]
+    }
+  }
+}
+```

- **[Developer Guide](https://docs.prowler.com/developer-guide/mcp-server)**: Step-by-step instructions for adding new tools
- **[AGENTS.md](./AGENTS.md)**: AI agent guidelines and coding patterns
+#### HTTP Mode Configuration (Remote Server)

-## Related Products
+For HTTP mode, you can configure your MCP client to connect to a remote Prowler MCP server.

- **[Prowler Hub](https://hub.prowler.com)**: Browse security checks and compliance frameworks
- **[Prowler Cloud](https://cloud.prowler.com)**: Managed Prowler platform
- **[Lighthouse AI](https://docs.prowler.com/getting-started/products/prowler-lighthouse-ai)**: AI security analyst
+Most MCP clients don't natively support HTTP transport with Bearer token authentication. However, you can use the `mcp-remote` proxy tool to connect any MCP client to remote HTTP servers.
+
+##### Using mcp-remote Proxy (Recommended for Claude Desktop)
+
+For clients like Claude Desktop that don't support HTTP transport natively, use the `mcp-remote` npm package as a proxy:
+
+**Using API Key (Recommended):**
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://mcp.prowler.com/mcp",
+        "--header",
+        "Authorization: Bearer pk_your_api_key_here"
+      ]
+    }
+  }
+}
+```
+
+**Using JWT Token:**
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://mcp.prowler.com/mcp",
+        "--header",
+        "Authorization: Bearer <your-jwt-token-here>"
+      ]
+    }
+  }
+}
+```
+
+> **Note:** Replace `https://mcp.prowler.com/mcp` with your actual MCP server URL (use `http://localhost:8000/mcp` for local deployment). The `mcp-remote` package is automatically installed by `npx` on first use.
+
+> **Info:** The `mcp-remote` tool acts as a bridge, converting STDIO protocol (used by Claude Desktop) to HTTP requests (used by the remote MCP server). Learn more at [mcp-remote on npm](https://www.npmjs.com/package/mcp-remote).
+
+##### Direct HTTP Configuration (For Compatible Clients)
+
+For clients that natively support HTTP transport with Bearer token authentication:
+
+**Using API Key:**
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "url": "https://mcp.prowler.com/mcp",
+      "headers": {
+        "Authorization": "Bearer pk_your_api_key_here"
+      }
+    }
+  }
+}
+```
+
+**Using JWT Token:**
+```json
+{
+  "mcpServers": {
+    "prowler": {
+      "url": "https://mcp.prowler.com/mcp",
+      "headers": {
+        "Authorization": "Bearer <your-jwt-token-here>"
+      }
+    }
+  }
+}
+```
+
+> **Note:** Replace `mcp.prowler.com` with your actual server hostname and adjust the port if needed (e.g., `http://localhost:8000/mcp` for local deployment).
+
+### Claude Desktop (macOS/Windows)
+
+Add the example server to Claude Desktop's config file, then restart the app.
+
+- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- Windows: `%AppData%\Claude\claude_desktop_config.json` (e.g. `C:\\Users\\<you>\\AppData\\Roaming\\Claude\\claude_desktop_config.json`)
+
+### Cursor (macOS/Linux)
+
+If you want to have it globally available, add the example server to Cursor's config file, then restart the app.
+
+- macOS/Linux: `~/.cursor/mcp.json`
+
+If you want to have it only for the current project, add the example server to the project's root in a new `.cursor/mcp.json` file.
+
+## Documentation
+
+For detailed documentation about the Prowler MCP Server, including guides, tutorials, and use cases, visit the [official Prowler documentation](https://docs.prowler.com).

 ## License

@@ -1,6 +1,7 @@
 """Pydantic models for Prowler App MCP Server."""

 from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
+
 from prowler_mcp_server.prowler_app.models.findings import (
    CheckMetadata,
    CheckRemediation,
@@ -9,12 +10,6 @@ from prowler_mcp_server.prowler_app.models.findings import (
    FindingsOverview,
    SimplifiedFinding,
 )
-from prowler_mcp_server.prowler_app.models.muting import (
-    DetailedMuteRule,
-    MutelistResponse,
-    MuteRulesListResponse,
-    SimplifiedMuteRule,
-)

 __all__ = [
    # Base models
@@ -26,9 +21,4 @@ __all__ = [
    "FindingsListResponse",
    "FindingsOverview",
    "SimplifiedFinding",
-    # Muting models
-    "DetailedMuteRule",
-    "MutelistResponse",
-    "MuteRulesListResponse",
-    "SimplifiedMuteRule",
 ]
@@ -27,19 +27,18 @@ class MinimalSerializerMixin(BaseModel):
            Dictionary with non-empty values only
        """
        data = handler(self)
-        return {k: v for k, v in data.items() if not self._should_exclude(k, v)}
+        return {k: v for k, v in data.items() if not self._should_exclude(v)}

-    def _should_exclude(self, key: str, value: Any) -> bool:
-        """Determine if a key-value pair should be excluded from serialization.
+    def _should_exclude(self, value: Any) -> bool:
+        """Determine if a value should be excluded from serialization.

        Override this method in subclasses for custom exclusion logic.

        Args:
-            key: Field name
            value: Field value

        Returns:
-            True if the field should be excluded, False otherwise
+            True if the value should be excluded, False otherwise
        """
        # None values
        if value is None:
@@ -1,196 +0,0 @@
-"""Pydantic models for simplified muting responses."""
-
-from typing import Any
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-from pydantic import BaseModel, ConfigDict, Field
-
-
-class MutelistResponse(MinimalSerializerMixin, BaseModel):
-    """Simplified mutelist response with Prowler configuration.
-
-    Represents a mutelist configuration that defines which findings
-    should be automatically muted based on account patterns, check IDs, regions,
-    resources, tags, and exceptions.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    id: str = Field(
-        description="Unique UUIDv4 identifier for this mutelist in Prowler database"
-    )
-    configuration: dict[str, Any] = Field(
-        description="Mutelist configuration following Prowler format with nested structure: Mutelist → Accounts → Checks → Regions/Resources/Tags/Exceptions"
-    )
-    inserted_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when this mutelist was created",
-    )
-    updated_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when this mutelist was last modified",
-    )
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "MutelistResponse":
-        """Transform JSON:API processor response to simplified format.
-
-        The configuration structure follows the Prowler mutelist format:
-        {
-            "Mutelist": {
-                "Accounts": {
-                    "<account-pattern>": {
-                        "Checks": {
-                            "<check-id>": {
-                                "Regions": [...],
-                                "Resources": [...],
-                                "Tags": [...],
-                                "Exceptions": {...}
-                            }
-                        }
-                    }
-                }
-            }
-        }
-        """
-        attributes = data.get("attributes", {})
-
-        return cls(
-            id=data["id"],
-            configuration=attributes.get("configuration", {}),
-            inserted_at=attributes.get("inserted_at"),
-            updated_at=attributes.get("updated_at"),
-        )
-
-
-class SimplifiedMuteRule(MinimalSerializerMixin, BaseModel):
-    """Simplified mute rule for list/search operations.
-
-    Provides lightweight mute rule information without the full list of finding UIDs.
-    Use this for listing and searching operations where you need basic rule information
-    but don't need the complete list of affected findings.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    id: str = Field(
-        description="Unique UUIDv4 identifier for this mute rule in Prowler database"
-    )
-    name: str = Field(description="Human-readable name for this mute rule")
-    reason: str = Field(description="Documented reason for muting these findings")
-    enabled: bool = Field(
-        description="Whether this mute rule is currently active and applying muting to findings"
-    )
-    finding_count: int = Field(
-        description="Number of findings currently muted by this rule", ge=0
-    )
-    inserted_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when this mute rule was created",
-    )
-    updated_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when this mute rule was last modified",
-    )
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "SimplifiedMuteRule":
-        """Transform JSON:API mute rule response to simplified format."""
-        attributes = data.get("attributes", {})
-
-        # Calculate finding count from finding_uids list length
-        finding_uids = attributes.get("finding_uids", [])
-
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            reason=attributes["reason"],
-            enabled=attributes["enabled"],
-            finding_count=len(finding_uids),
-            inserted_at=attributes.get("inserted_at"),
-            updated_at=attributes.get("updated_at"),
-        )
-
-
-class DetailedMuteRule(SimplifiedMuteRule):
-    """Detailed mute rule with complete information including finding UIDs.
-
-    Extends SimplifiedMuteRule with the full list of finding UIDs being muted and
-    creator information (user/service account that created the rule).
-    Use this when you need complete context about a specific mute rule, including
-    all affected findings and audit trail information.
-    """
-
-    finding_uids: list[str] = Field(
-        description="List of finding UIDs that are muted by this rule"
-    )
-    user_creator_id: str | None = Field(
-        default=None,
-        description="UUIDv4 identifier of the Prowler user from the tenant that created this rule",
-    )
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "DetailedMuteRule":
-        """Transform JSON:API mute rule response to detailed format."""
-        attributes = data.get("attributes", {})
-        relationships = data.get("relationships", {})
-
-        # Extract creator information
-        user_creator_id = None
-        creator_data = relationships.get("created_by", {}).get("data")
-        if creator_data:
-            user_creator_id = creator_data.get("id")
-
-        finding_uids = attributes.get("finding_uids", [])
-
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            reason=attributes["reason"],
-            enabled=attributes["enabled"],
-            finding_count=len(finding_uids),
-            finding_uids=finding_uids,
-            inserted_at=attributes.get("inserted_at"),
-            updated_at=attributes.get("updated_at"),
-            user_creator_id=user_creator_id,
-        )
-
-
-class MuteRulesListResponse(BaseModel):
-    """Simplified response for mute rules list queries with pagination.
-
-    Contains a list of simplified mute rules and pagination metadata.
-    Use this for paginated list/search operations to get multiple rules efficiently.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    mute_rules: list[SimplifiedMuteRule] = Field(
-        description="List of simplified mute rules matching the query filters"
-    )
-    total_num_mute_rules: int = Field(
-        description="Total number of mute rules matching the query across all pages",
-        ge=0,
-    )
-    total_num_pages: int = Field(
-        description="Total number of pages available for the query results", ge=0
-    )
-    current_page: int = Field(
-        description="Current page number in the paginated results (1-indexed)", ge=1
-    )
-
-    @classmethod
-    def from_api_response(cls, response: dict[str, Any]) -> "MuteRulesListResponse":
-        """Transform JSON:API response to simplified format."""
-        data = response.get("data", [])
-        meta = response.get("meta", {})
-        pagination = meta.get("pagination", {})
-
-        mute_rules = [SimplifiedMuteRule.from_api_response(item) for item in data]
-
-        return cls(
-            mute_rules=mute_rules,
-            total_num_mute_rules=pagination.get("count", 0),
-            total_num_pages=pagination.get("pages", 1),
-            current_page=pagination.get("page", 1),
-        )
@@ -1,134 +0,0 @@
-"""Pydantic models for simplified provider responses."""
-
-from typing import Any, Literal
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-from pydantic import BaseModel
-
-
-class SimplifiedProvider(MinimalSerializerMixin, BaseModel):
-    """Simplified provider for list/search operations."""
-
-    id: str
-    uid: str
-    alias: str | None = None
-    provider: str
-    connected: bool | None = None
-    secret_type: Literal["role", "service_account", "static"] | None = None
-
-    def _should_exclude(self, key: str, value: Any) -> bool:
-        """Override to always include connected and secret_type fields even when None."""
-        # Always include these fields regardless of value (None has semantic meaning)
-        if key == "connected" or key == "secret_type":
-            return False
-        # Use parent class logic for other fields
-        return super()._should_exclude(key, value)
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "SimplifiedProvider":
-        """Transform JSON:API provider response to simplified format."""
-        attributes = data["attributes"]
-        connection_data = attributes.get("connection", {})
-
-        return cls(
-            id=data["id"],
-            uid=attributes["uid"],
-            alias=attributes.get("alias"),
-            provider=attributes["provider"],
-            connected=connection_data.get("connected"),
-            secret_type=None,  # Will be populated separately via secret endpoint
-        )
-
-
-class DetailedProvider(SimplifiedProvider):
-    """Detailed provider with complete information for deep analysis.
-
-    Extends SimplifiedProvider with temporal metadata and relationships.
-    Use this when you need complete context about a specific provider.
-    """
-
-    inserted_at: str | None = None
-    updated_at: str | None = None
-    last_checked_at: str | None = None
-    provider_group_ids: list[str] | None = None
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "DetailedProvider":
-        """Transform JSON:API provider response to detailed format."""
-        attributes = data["attributes"]
-        connection_data = attributes.get("connection", {})
-        relationships = data.get("relationships", {})
-
-        # Extract provider groups relationship
-        provider_group_ids = None
-        groups_data = relationships.get("provider_groups", {}).get("data", [])
-        if groups_data:
-            provider_group_ids = [group["id"] for group in groups_data]
-
-        return cls(
-            id=data["id"],
-            uid=attributes["uid"],
-            alias=attributes.get("alias"),
-            provider=attributes["provider"],
-            connected=connection_data.get("connected"),
-            inserted_at=attributes.get("inserted_at"),
-            updated_at=attributes.get("updated_at"),
-            last_checked_at=connection_data.get("last_checked_at"),
-            provider_group_ids=provider_group_ids,
-        )
-
-
-class ProvidersListResponse(BaseModel):
-    """Simplified response for providers list queries."""
-
-    providers: list[SimplifiedProvider]
-    total_num_providers: int
-    total_num_pages: int
-    current_page: int
-
-    @classmethod
-    def from_api_response(cls, response: dict[str, Any]) -> "ProvidersListResponse":
-        """Transform JSON:API response to simplified format."""
-        data = response["data"]
-        meta = response["meta"]
-        pagination = meta["pagination"]
-
-        providers = [SimplifiedProvider.from_api_response(item) for item in data]
-
-        return cls(
-            providers=providers,
-            total_num_providers=pagination["count"],
-            total_num_pages=pagination["pages"],
-            current_page=pagination["page"],
-        )
-
-
-class ProviderConnectionStatus(MinimalSerializerMixin, BaseModel):
-    """Result of provider connection operation."""
-
-    provider: DetailedProvider
-    connected: Literal["connected", "failed", "not_tested"]
-    error: str | None = None
-
-    @classmethod
-    def create(
-        cls,
-        provider_data: dict[str, Any],
-        connection_status: dict[str, Any],
-    ) -> "ProviderConnectionStatus":
-        """Create connection status from provider data and connection test result."""
-
-        connected: str | None = connection_status.get("connected", None)
-
-        if connected is None:
-            connected = "not_tested"
-        elif connected:
-            connected = "connected"
-        else:
-            connected = "failed"
-
-        return cls(
-            provider=DetailedProvider.from_api_response(provider_data),
-            connected=connected,
-            error=connection_status.get("error", None),
-        )
@@ -1,137 +0,0 @@
-"""Pydantic models for simplified resources responses."""
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-from pydantic import BaseModel
-
-
-class SimplifiedResource(MinimalSerializerMixin, BaseModel):
-    """Simplified resource with only LLM-relevant information for list operations."""
-
-    id: str
-    uid: str
-    name: str
-    region: str
-    service: str
-    type: str
-    failed_findings_count: int
-    tags: dict[str, str] | None = None
-    provider_id: str | None = None
-
-    @classmethod
-    def from_api_response(cls, data: dict) -> "SimplifiedResource":
-        """Transform JSON:API resource response to simplified format."""
-        attributes = data["attributes"]
-        relationships = data.get("relationships", {})
-
-        # Extract provider information from relationships if available
-        provider_id = None
-        provider_data = relationships.get("provider", {}).get("data", {})
-        if provider_data:
-            provider_id = provider_data["id"]
-
-        return cls(
-            id=data["id"],
-            uid=attributes["uid"],
-            name=attributes["name"],
-            region=attributes["region"],
-            service=attributes["service"],
-            type=attributes["type"],
-            failed_findings_count=attributes["failed_findings_count"],
-            tags=attributes["tags"],
-            provider_id=provider_id,
-        )
-
-
-class DetailedResource(SimplifiedResource):
-    """Detailed resource with comprehensive information for deep analysis.
-
-    Extends SimplifiedResource with tags, metadata, configuration details,
-    temporal information, and relationships.
-    Use this when you need complete context about a specific resource.
-    """
-
-    metadata: str | None = None
-    partition: str | None = None
-    inserted_at: str
-    updated_at: str
-    finding_ids: list[str] | None = None
-
-    @classmethod
-    def from_api_response(cls, data: dict) -> "DetailedResource":
-        """Transform JSON:API resource response to detailed format."""
-        attributes = data["attributes"]
-        relationships = data.get("relationships", {})
-
-        # Parse findings relationship
-        finding_ids = None
-        findings_data = relationships.get("findings", {}).get("data", [])
-        if findings_data:
-            finding_ids = [f["id"] for f in findings_data]
-
-        # Extract provider information from relationships if available
-        provider_id = None
-        provider_data = relationships.get("provider", {}).get("data", {})
-        if provider_data:
-            provider_id = provider_data["id"]
-
-        return cls(
-            id=data["id"],
-            uid=attributes["uid"],
-            name=attributes["name"],
-            region=attributes["region"],
-            service=attributes["service"],
-            type=attributes["type"],
-            failed_findings_count=attributes["failed_findings_count"],
-            tags=attributes["tags"],
-            metadata=attributes["metadata"],
-            partition=attributes["partition"],
-            inserted_at=attributes["inserted_at"],
-            updated_at=attributes["updated_at"],
-            finding_ids=finding_ids,
-            provider_id=provider_id,
-        )
-
-
-class ResourcesListResponse(BaseModel):
-    """Simplified response for resources list queries."""
-
-    resources: list[SimplifiedResource]
-    total_num_resources: int
-    total_num_pages: int
-    current_page: int
-
-    @classmethod
-    def from_api_response(cls, response: dict) -> "ResourcesListResponse":
-        """Transform JSON:API response to simplified format."""
-        data = response["data"]
-        meta = response["meta"]
-        pagination = meta["pagination"]
-
-        resources = [SimplifiedResource.from_api_response(item) for item in data]
-
-        return cls(
-            resources=resources,
-            total_num_resources=pagination["count"],
-            total_num_pages=pagination["pages"],
-            current_page=pagination["page"],
-        )
-
-
-class ResourcesMetadataResponse(BaseModel):
-    """Metadata response with unique filter values for resource discovery."""
-
-    services: list[str] | None = None
-    regions: list[str] | None = None
-    types: list[str] | None = None
-
-    @classmethod
-    def from_api_response(cls, response: dict) -> "ResourcesMetadataResponse":
-        """Transform JSON:API metadata response to simplified format."""
-        data = response["data"]
-        attributes = data["attributes"]
-
-        return cls(
-            services=attributes.get("services"),
-            regions=attributes.get("regions"),
-            types=attributes.get("types"),
-        )
@@ -1,222 +0,0 @@
-"""Data models for Prowler scans.
-
-This module provides Pydantic models for representing Prowler security scans
-with two-tier complexity:
- SimplifiedScan: For list operations with essential fields
- DetailedScan: Extends simplified with additional operational fields
-
-All models inherit from MinimalSerializerMixin to exclude None/empty values
-for optimal LLM token usage.
-"""
-
-from typing import Any, Literal
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-from pydantic import BaseModel, ConfigDict, Field
-
-
-class SimplifiedScan(MinimalSerializerMixin, BaseModel):
-    """Simplified scan representation for list operations.
-
-    Includes core scan fields for efficient overview.
-    Used by list_scans() tool.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    id: str = Field(
-        description="Unique UUIDv4 identifier for this scan in Prowler database"
-    )
-    name: str | None = Field(
-        default=None,
-        description="Optional custom name for the scan to help identify it",
-    )
-    trigger: Literal["manual", "scheduled"] = Field(
-        description="How the scan was initiated: 'manual' (user-triggered) or 'scheduled' (automated)"
-    )
-    state: Literal[
-        "available", "scheduled", "executing", "completed", "failed", "cancelled"
-    ] = Field(
-        description="Current state of the scan: available, scheduled, executing, completed, failed, or cancelled"
-    )
-    started_at: str | None = Field(
-        default=None, description="ISO 8601 timestamp when the scan started execution"
-    )
-    completed_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when the scan finished (completed or failed)",
-    )
-    provider_id: str = Field(
-        description="UUIDv4 identifier of the provider this scan is associated with"
-    )
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "SimplifiedScan":
-        """Transform JSON:API scan response to simplified model.
-
-        Args:
-            data: Scan data from API response['data'] (single item or list item)
-
-        Returns:
-            SimplifiedScan instance
-        """
-        attributes = data["attributes"]
-        relationships = data.get("relationships", {})
-
-        provider_id = relationships.get("provider", {}).get("data", {}).get("id", None)
-
-        return cls(
-            id=data["id"],
-            name=attributes.get("name"),
-            trigger=attributes["trigger"],
-            state=attributes["state"],
-            started_at=attributes.get("started_at"),
-            completed_at=attributes.get("completed_at"),
-            provider_id=provider_id,
-        )
-
-
-class DetailedScan(SimplifiedScan):
-    """Detailed scan representation with full operational data.
-
-    Extends SimplifiedScan with progress, duration, resources, and relationships.
-    Used by get_scan() and create_scan() tools.
-    """
-
-    model_config = ConfigDict(frozen=True)
-
-    progress: int | None = Field(
-        default=None, description="Scan completion progress as percentage (0-100)"
-    )
-    duration: int | None = Field(
-        default=None,
-        description="Total scan duration in seconds from start to completion",
-    )
-    unique_resource_count: int | None = Field(
-        default=None,
-        description="Number of unique cloud resources discovered during the scan",
-    )
-    inserted_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when the scan was created in the database",
-    )
-    scheduled_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp when the scan was scheduled to run",
-    )
-    next_scan_at: str | None = Field(
-        default=None,
-        description="ISO 8601 timestamp for the next scheduled scan (for recurring scans)",
-    )
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "DetailedScan":
-        """Transform JSON:API scan response to detailed model.
-
-        Args:
-            data: Scan data from API response['data']
-
-        Returns:
-            DetailedScan instance with all fields populated
-        """
-        attributes = data["attributes"]
-        relationships = data.get("relationships", {})
-
-        # Extract provider ID from relationship
-        provider_rel = relationships.get("provider", {}).get("data", {})
-        provider_id = provider_rel.get("id", "")
-
-        # Extract task relationship
-        task_rel = relationships.get("task", {}).get("data")
-        task_id = task_rel.get("id") if task_rel else None
-
-        # Extract processor relationship
-        processor_rel = relationships.get("processor", {}).get("data")
-        processor_id = processor_rel.get("id") if processor_rel else None
-
-        return cls(
-            id=data["id"],
-            name=attributes.get("name"),
-            trigger=attributes["trigger"],
-            state=attributes["state"],
-            started_at=attributes.get("started_at"),
-            completed_at=attributes.get("completed_at"),
-            provider_id=provider_id,
-            progress=attributes.get("progress"),
-            duration=attributes.get("duration"),
-            unique_resource_count=attributes.get("unique_resource_count"),
-            inserted_at=attributes.get("inserted_at"),
-            scheduled_at=attributes.get("scheduled_at"),
-            next_scan_at=attributes.get("next_scan_at"),
-            task_id=task_id,
-            processor_id=processor_id,
-        )
-
-
-class ScansListResponse(BaseModel):
-    """Response model for list_scans() with pagination metadata.
-
-    Follows established pattern from FindingsListResponse and ProvidersListResponse.
-    """
-
-    scans: list[SimplifiedScan]
-    total_num_scans: int
-    total_num_pages: int
-    current_page: int
-
-    @classmethod
-    def from_api_response(cls, response: dict[str, Any]) -> "ScansListResponse":
-        """Transform JSON:API list response to scans list with pagination.
-
-        Args:
-            response: Full API response with data and meta
-
-        Returns:
-            ScansListResponse with simplified scans and pagination metadata
-        """
-        data = response.get("data", [])
-        meta = response.get("meta", {})
-        pagination = meta.get("pagination", {})
-
-        # Transform each scan
-        scans = [SimplifiedScan.from_api_response(item) for item in data]
-
-        return cls(
-            scans=scans,
-            total_num_scans=pagination.get("count", 0),
-            total_num_pages=pagination.get("pages", 0),
-            current_page=pagination.get("page", 1),
-        )
-
-
-class ScanCreationResult(MinimalSerializerMixin, BaseModel):
-    """Result of scan creation operation.
-
-    Used by trigger_scan() to communicate the outcome of scan creation.
-    Status indicates whether scan was created successfully or failed.
-    """
-
-    scan: DetailedScan | None = Field(
-        default=None,
-        description="Detailed scan information if creation succeeded, None otherwise",
-    )
-    status: Literal["success", "failed"] = Field(
-        description="Outcome of scan creation: success (scan created successfully) or failed (error)"
-    )
-    message: str = Field(
-        description="Human-readable message describing the scan creation result"
-    )
-
-
-class ScheduleCreationResult(MinimalSerializerMixin, BaseModel):
-    """Result of async schedule creation operation.
-
-    Used by schedule_daily_scan() to communicate scheduling outcome.
-    """
-
-    scheduled: bool = Field(
-        description="Whether the daily scan schedule was created successfully"
-    )
-    message: str = Field(
-        description="Human-readable message describing the scheduling result"
-    )
@@ -33,7 +33,7 @@ class BaseTool(ABC):

            async def search_security_findings(self, severity: list[str] = Field(...)):
                # Implementation with access to self.api_client
-                response = await self.api_client.get("/findings")
+                response = await self.api_client.get("/api/v1/findings")
                return response
    """

@@ -6,14 +6,13 @@ across all cloud providers.

 from typing import Any, Literal

-from pydantic import Field
-
 from prowler_mcp_server.prowler_app.models.findings import (
    DetailedFinding,
    FindingsListResponse,
    FindingsOverview,
 )
 from prowler_mcp_server.prowler_app.tools.base import BaseTool
+from pydantic import Field


 class FindingsTools(BaseTool):
@@ -123,11 +122,11 @@ class FindingsTools(BaseTool):

        if date_range is None:
            # No dates provided - use latest findings endpoint
-            endpoint = "/findings/latest"
+            endpoint = "/api/v1/findings/latest"
            params = {}
        else:
            # Dates provided - use historical findings endpoint
-            endpoint = "/findings"
+            endpoint = "/api/v1/findings"
            params = {
                "filter[inserted_at__gte]": date_range[0],
                "filter[inserted_at__lte]": date_range[1],
@@ -229,7 +228,7 @@ class FindingsTools(BaseTool):

        # Get API response and transform to detailed format
        api_response = await self.api_client.get(
-            f"/findings/{finding_id}", params=params
+            f"/api/v1/findings/{finding_id}", params=params
        )
        detailed_finding = DetailedFinding.from_api_response(
            api_response.get("data", {})
@@ -282,7 +281,7 @@ class FindingsTools(BaseTool):

        # Get API response and transform to simplified format
        api_response = await self.api_client.get(
-            "/overviews/findings", params=clean_params
+            "/api/v1/overviews/findings", params=clean_params
        )
        overview = FindingsOverview.from_api_response(api_response)

@@ -1,471 +0,0 @@
-"""Muting tools for Prowler App MCP Server.
-
-This module provides tools for managing finding muting in Prowler, including:
- Mutelist management (pattern-based bulk muting)
- Mute rules management (finding-specific muting)
-"""
-
-import json
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.muting import (
-    DetailedMuteRule,
-    MutelistResponse,
-    MuteRulesListResponse,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class MutingTools(BaseTool):
-    """Tools for muting operations.
-
-    Provides tools for:
-    - Managing mutelist (pattern-based bulk muting)
-    - Managing mute rules (finding-specific muting)
-    """
-
-    # ===== MUTELIST TOOLS =====
-
-    async def get_mutelist(self) -> dict[str, Any]:
-        """Retrieve the current mutelist configuration for the tenant.
-
-        IMPORTANT: Only one mutelist can exist per tenant. Returns an error message if no mutelist exists.
-        For detailed information about mutelist structure and configuration, search Prowler documentation
-        using prowler_docs_search tool available in this MCP Server.
-
-        The mutelist includes:
-        - Core identification: id (UUID for processor operations)
-        - Configuration: Nested structure with Accounts → Checks → Regions/Resources/Tags/Exceptions patterns
-        - Temporal data: inserted_at, updated_at timestamps
-
-        Workflow:
-        1. Use this tool to check if a mutelist is configured
-        2. Examine current muting patterns before making updates
-        3. Use prowler_app_set_mutelist to create or update the configuration
-        """
-        self.logger.info("Retrieving mutelist configuration...")
-
-        # Query processors filtered by type=mutelist
-        params = {
-            "filter[processor_type]": "mutelist",
-            "fields[processors]": "processor_type,configuration,inserted_at,updated_at",
-        }
-
-        clean_params = self.api_client.build_filter_params(params)
-        api_response = await self.api_client.get("/processors", params=clean_params)
-
-        data = api_response.get("data", [])
-
-        if len(data) == 0:
-            return {
-                "error": "No mutelist found",
-                "message": "No mutelist configuration exists for this tenant. Use prowler_app_set_mutelist to create one.",
-            }
-
-        # Return the first (and only) mutelist
-        mutelist = MutelistResponse.from_api_response(data[0])
-        return mutelist.model_dump()
-
-    async def set_mutelist(
-        self,
-        configuration: dict[str, Any] | str = Field(
-            description="""Mutelist configuration object following the Accounts/Checks/Regions/Resources/Tags/Exceptions structure.
-Accepts either a dictionary or JSON string. The configuration replaces the entire mutelist (not merged with existing).
-
-Structure:
-{
-    "Mutelist": {
-        "Accounts": {
-            "<account-pattern>": {  // "*" for all accounts, or specific account ID
-                "Checks": {
-                    "<check-id>": {  // Prowler check ID
-                        "Regions": ["us-east-1", "eu-west-1"],  // Optional
-                        "Resources": ["arn:aws:s3:::my-bucket"],  // Optional
-                        "Tags": ["Environment:dev"],  // Optional
-                        "Exceptions": {  // Optional
-                            "Accounts": ["123456789012"],
-                            "Regions": ["us-west-2"],
-                            "Resources": ["arn:aws:s3:::critical-bucket"]
-                        }
-                    }
-                }
-            }
-        }
-    }
-}"""
-        ),
-    ) -> dict[str, Any]:
-        """Create or update the mutelist configuration for pattern-based bulk muting.
-
-        IMPORTANT: Automatically creates a new mutelist or updates the existing one (only one mutelist per tenant).
-        The configuration completely replaces any existing mutelist (not merged).
-        For detailed information about mutelist structure and configuration, search Prowler documentation
-        using prowler_docs_search tool available in this MCP Server.
-
-        Default behavior:
-        - Creates new mutelist if none exists
-        - Updates existing mutelist with complete replacement
-        - Applies to findings from future scans
-
-        The mutelist supports:
-        - Account patterns: Specific account IDs or "*" for all
-        - Check-based muting: Per-check ID configuration
-        - Scope filtering: Regions, Resources, Tags
-        - Exceptions: Accounts, Regions, Resources to exclude from muting
-
-        Workflow:
-        1. Use prowler_app_get_mutelist to check existing configuration
-        2. Build configuration object following Prowler mutelist format
-        3. Use this tool to create or update the mutelist
-        4. Verify with prowler_app_get_mutelist
-        """
-        self.logger.info("Setting mutelist configuration...")
-
-        # Parse configuration if it's a string
-        if isinstance(configuration, str):
-            configuration = json.loads(configuration)
-
-        # Check if mutelist already exists
-        existing_mutelist = await self.get_mutelist()
-
-        if "error" in existing_mutelist:
-            # Create new mutelist
-            self.logger.info("Creating new mutelist...")
-            create_body = {
-                "data": {
-                    "type": "processors",
-                    "attributes": {
-                        "processor_type": "mutelist",
-                        "configuration": configuration,
-                    },
-                }
-            }
-
-            api_response = await self.api_client.post(
-                "/processors", json_data=create_body
-            )
-            mutelist = MutelistResponse.from_api_response(api_response.get("data", {}))
-            return mutelist.model_dump()
-        else:
-            # Update existing mutelist
-            self.logger.info(f"Updating existing mutelist {existing_mutelist['id']}...")
-            update_body = {
-                "data": {
-                    "type": "processors",
-                    "id": existing_mutelist["id"],
-                    "attributes": {
-                        "configuration": configuration,
-                    },
-                }
-            }
-
-            api_response = await self.api_client.patch(
-                f"/processors/{existing_mutelist['id']}", json_data=update_body
-            )
-            mutelist = MutelistResponse.from_api_response(api_response.get("data", {}))
-            return mutelist.model_dump()
-
-    async def delete_mutelist(self) -> dict[str, Any]:
-        """Remove the mutelist configuration from the tenant.
-
-        WARNING: This is a destructive operation that cannot be undone.
-        - The mutelist will need to be re-created with prowler_app_set_mutelist
-        - New findings from future scans will NOT be muted by the deleted mutelist
-        - Previously muted findings remain muted (deletion doesn't un-mute them)
-
-        Workflow:
-        1. Use prowler_app_get_mutelist to confirm what will be deleted
-        2. Use this tool to permanently remove the mutelist
-        3. New scans will no longer apply mutelist-based muting
-        """
-        self.logger.info("Deleting mutelist configuration...")
-
-        # Get existing mutelist
-        existing_mutelist = await self.get_mutelist()
-
-        if "error" in existing_mutelist:
-            return {
-                "success": False,
-                "message": "No mutelist found to delete",
-            }
-
-        # Delete the mutelist
-        mutelist_id = existing_mutelist["id"]
-        await self.api_client.delete(f"/processors/{mutelist_id}")
-
-        return {
-            "success": True,
-            "message": "Mutelist deleted successfully",
-        }
-
-    # ===== MUTE RULES TOOLS =====
-
-    async def list_mute_rules(
-        self,
-        name: str | None = Field(
-            default=None,
-            description="Filter by exact rule name",
-        ),
-        enabled: (
-            bool | str | None
-        ) = Field(  # Wrong `str` hint type due to bad MCP Clients implementation
-            default=None,
-            description="Filter by enabled status. True for enabled rules only, False for disabled rules only. If not specified, returns both enabled and disabled rules. Strings 'true' and 'false' are also accepted.",
-        ),
-        search: str | None = Field(
-            default=None,
-            description="Free-text search term across multiple fields (name, reason). Use this for general keyword search.",
-        ),
-        page_size: int = Field(
-            default=50, description="Number of results to return per page."
-        ),
-        page_number: int = Field(
-            default=1,
-            description="Page number to retrieve (1-indexed)",
-        ),
-    ) -> dict[str, Any]:
-        """Search and filter mute rules with pagination support.
-
-        IMPORTANT: This tool returns LIGHTWEIGHT mute rules without the full list of finding UIDs.
-        Use prowler_app_get_mute_rule to get complete details including all finding UIDs and creator information.
-
-        Default behavior:
-        - Returns all mute rules (both enabled and disabled)
-        - Returns 50 rules per page
-        - Includes basic rule information without full finding UID lists
-
-        Each mute rule includes:
-        - Core identification: id (UUID for prowler_app_get_mute_rule), name
-        - Contextual information: reason, enabled status
-        - State tracking: finding_count (number of findings currently muted)
-        - Temporal data: inserted_at, updated_at timestamps
-
-        Workflow:
-        1. Use this tool to search and filter mute rules by name, enabled status, or keywords
-        2. Use prowler_app_get_mute_rule with the mute rule 'id' to get complete details including all finding UIDs
-        3. Use prowler_app_update_mute_rule or prowler_app_delete_mute_rule to modify rules
-        """
-        self.logger.info("Listing mute rules...")
-        self.api_client.validate_page_size(page_size)
-
-        params = {
-            "fields[mute-rules]": "name,reason,enabled,finding_uids,inserted_at,updated_at",
-            "page[size]": page_size,
-            "page[number]": page_number,
-        }
-
-        # Build filter parameters
-        if name:
-            params["filter[name]"] = name
-        if enabled is not None:
-            if isinstance(enabled, bool):
-                params["filter[enabled]"] = enabled
-            else:
-                if enabled.lower() == "true":
-                    params["filter[enabled]"] = True
-                elif enabled.lower() == "false":
-                    params["filter[enabled]"] = False
-                else:
-                    raise ValueError(
-                        f"Invalid enabled value: {enabled}. Valid values are True, False, 'true', 'false' or None."
-                    )
-        if search:
-            params["filter[search]"] = search
-
-        clean_params = self.api_client.build_filter_params(params)
-        api_response = await self.api_client.get("/mute-rules", params=clean_params)
-
-        simplified_response = MuteRulesListResponse.from_api_response(api_response)
-        return simplified_response.model_dump()
-
-    async def get_mute_rule(
-        self,
-        rule_id: str = Field(
-            description="UUID of the mute rule to retrieve. Must be a valid UUID format (e.g., '019ac0d6-90d5-73e9-9acf-c22e256f1bac')."
-        ),
-    ) -> dict[str, Any]:
-        """Retrieve comprehensive details about a specific mute rule by its ID.
-
-        IMPORTANT: This tool returns COMPLETE mute rule details including the full list of finding UIDs.
-        Use this after finding a rule via prowler_app_list_mute_rules.
-
-        This tool provides ALL information that prowler_app_list_mute_rules returns PLUS:
-        - finding_uids: Complete list of finding UIDs that are muted by this rule
-        - user_creator_id: UUID of the user who created the rule (audit trail)
-
-        Workflow:
-        1. Use prowler_app_list_mute_rules to find rules by name or filter criteria
-        2. Use this tool with the rule 'id' to get complete details
-        3. Examine finding_uids list to understand which findings are muted
-        4. Use prowler_app_update_mute_rule or prowler_app_delete_mute_rule to modify if needed
-        """
-        self.logger.info(f"Retrieving mute rule {rule_id}...")
-
-        params = {
-            "include": "created_by",
-        }
-
-        api_response = await self.api_client.get(
-            f"/mute-rules/{rule_id}", params=params
-        )
-
-        detailed_rule = DetailedMuteRule.from_api_response(api_response.get("data", {}))
-        return detailed_rule.model_dump()
-
-    async def create_mute_rule(
-        self,
-        name: str = Field(
-            description="Name for the mute rule. Should be descriptive and meaningful (e.g., 'Dev S3 Public Access', 'Test Environment IMDSv1')."
-        ),
-        reason: str = Field(
-            description="Reason for muting these findings. Document why this security issue is acceptable or intentional (e.g., 'Development environment with controlled access', 'Legacy application requires IMDSv1')."
-        ),
-        finding_ids: list[str] = Field(
-            description="List of finding IDs (UUIDs) to mute. Get these from the prowler_app_search_security_findings tool. Must provide at least 1 finding ID."
-        ),
-    ) -> dict[str, Any]:
-        """Create a new mute rule to mute specific findings with documentation and audit trail.
-
-        IMPORTANT: This immediately mutes the specified findings AND all previous findings with matching UIDs (this could take some time to complete).
-        The rule is enabled by default. Muting is permanent.
-
-        Default behavior:
-        - Rule is created in enabled state
-        - Applies to current and previous findings with matching UIDs
-        - Records creator for audit trail
-
-        The mute rule includes:
-        - Core identification: id (UUID for prowler_app_get_mute_rule), name, reason
-        - Configuration: enabled status, finding_uids list
-        - Audit trail: user_creator_id (UUID of the Prowler user from the tenant that created the rule), timestamps when the rule was created and last modified
-
-        Workflow:
-        1. Use prowler_app_search_security_findings to identify findings to mute
-        2. Use this tool with finding IDs, descriptive name, and documented reason
-        3. Verify with prowler_app_get_mute_rule to confirm rule creation
-        4. Check findings are muted with prowler_app_search_security_findings (filter by muted=true)
-        """
-        self.logger.info(f"Creating mute rule '{name}'...")
-
-        create_body = {
-            "data": {
-                "type": "mute-rules",
-                "attributes": {
-                    "name": name,
-                    "reason": reason,
-                    "finding_ids": finding_ids,
-                },
-            }
-        }
-
-        api_response = await self.api_client.post("/mute-rules", json_data=create_body)
-
-        detailed_rule = DetailedMuteRule.from_api_response(api_response.get("data", {}))
-        return detailed_rule.model_dump()
-
-    async def update_mute_rule(
-        self,
-        rule_id: str = Field(
-            description="UUID of the mute rule to update. Must be a valid UUID format."
-        ),
-        name: str | None = Field(
-            default=None,
-            description="New name for the rule. If not specified, name remains unchanged.",
-        ),
-        reason: str | None = Field(
-            default=None,
-            description="New reason for the rule. If not specified, reason remains unchanged.",
-        ),
-        enabled: bool | None = Field(
-            default=None,
-            description="Enable (True) or disable (False) the rule. If not specified, enabled status remains unchanged. IMPORTANT: Disabling a rule does not un-mute findings - they remain muted.",
-        ),
-    ) -> dict[str, Any]:
-        """Update a mute rule's name, reason, or enabled status.
-
-        IMPORTANT: Cannot change which findings are muted (finding_uids are immutable).
-        Disabling a rule does NOT un-mute findings - they remain muted permanently.
-
-        Default behavior:
-        - Only specified fields are updated
-        - Unspecified fields remain unchanged
-        - If no parameters provided, returns current rule state
-
-        Updatable fields:
-        - name: Change rule name for better organization
-        - reason: Update documentation/justification
-        - enabled: Toggle rule active status (doesn't affect already-muted findings)
-
-        Workflow:
-        1. Use prowler_app_get_mute_rule to see current rule state
-        2. Use this tool to update name, reason, or enabled status
-        3. Verify changes with prowler_app_get_mute_rule
-        """
-        self.logger.info(f"Updating mute rule {rule_id}...")
-
-        # Build update body with only provided fields
-        attributes = {}
-        if name is not None:
-            attributes["name"] = name
-        if reason is not None:
-            attributes["reason"] = reason
-        if enabled is not None:
-            attributes["enabled"] = enabled
-
-        if not attributes:
-            # No updates provided, just return current state
-            return await self.get_mute_rule(rule_id)
-
-        update_body = {
-            "data": {
-                "type": "mute-rules",
-                "id": rule_id,
-                "attributes": attributes,
-            }
-        }
-
-        api_response = await self.api_client.patch(
-            f"/mute-rules/{rule_id}", json_data=update_body
-        )
-
-        detailed_rule = DetailedMuteRule.from_api_response(api_response.get("data", {}))
-        return detailed_rule.model_dump()
-
-    async def delete_mute_rule(
-        self,
-        rule_id: str = Field(
-            description="UUID of the mute rule to delete. Must be a valid UUID format."
-        ),
-    ) -> dict[str, Any]:
-        """Delete a mute rule from the system.
-
-        WARNING: Findings that were muted by this rule REMAIN MUTED after deletion.
-        This only removes the rule itself from management, not the muting effect on findings.
-        The muted findings will stay muted permanently.
-
-        Deletion behavior:
-        - Rule is permanently removed from the system
-        - Muted findings remain muted (deletion doesn't un-mute them)
-        - Cannot be undone - rule must be recreated to restore
-
-        Workflow:
-        1. Use prowler_app_get_mute_rule to review what will be deleted
-        2. Use this tool to permanently remove the rule
-        3. Verify deletion with prowler_app_list_mute_rules (rule should no longer appear)
-        """
-        self.logger.info(f"Deleting mute rule {rule_id}...")
-
-        result = await self.api_client.delete(f"/mute-rules/{rule_id}")
-
-        if result.get("success"):
-            return {
-                "success": True,
-                "message": "Mute rule deleted successfully",
-            }
-        else:
-            return {
-                "success": False,
-                "message": "Failed to delete mute rule",
-            }
@@ -1,620 +0,0 @@
-"""Provider Management tools for Prowler App MCP Server.
-
-This module provides tools for managing provider connections,
-including searching, connecting, and deleting providers.
-"""
-
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.providers import (
-    ProviderConnectionStatus,
-    ProvidersListResponse,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class ProvidersTools(BaseTool):
-    """Tools for provider management operations
-
-    Provides tools for:
-    - prowler_app_search_providers: Search and view configured providers with their connection status
-    - prowler_app_connect_provider: Connect or register a provider for security scanning in Prowler
-    - prowler_app_delete_provider: Permanently remove a provider from Prowler
-    """
-
-    async def search_providers(
-        self,
-        provider_id: list[str] = Field(
-            default=[],
-            description="Filter by Prowler's internal UUID(s) (v4) for the provider(s), generated when the provider is registered in the system.",
-        ),
-        provider_uid: list[str] = Field(
-            default=[],
-            description="Filter by provider's unique identifier(s), this ID is the one provided by the provider itself. Format varies by provider type: AWS Account ID (12 digits), Azure Subscription ID (UUID), GCP Project ID (string), Kubernetes namespace, GitHub username/organization, M365 domain ID, etc. All supported provider types are listed in the Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server",
-        ),
-        provider_type: list[str] = Field(
-            default=[],
-            description="Filter by provider type. Valid values include: 'aws', 'azure', 'gcp', 'kubernetes'... For more valid values, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server.",
-        ),
-        alias: str | None = Field(
-            default=None,
-            description="Search by provider alias/friendly name. Partial match supported (case-insensitive). Use this to find providers by their human-readable name (e.g., 'Production', 'Dev', 'AWS Main')",
-        ),
-        connected: (
-            bool | str | None
-        ) = Field(  # Wrong `str` hint type due to bad MCP Clients implementation
-            default=None,
-            description="Filter by connection status. True returns only successfully connected providers (credentials work), False returns only providers with failed connections (credentials invalid). If not specified, returns all connected, failed and not tested providers. Strings 'true' and 'false' are also accepted.",
-        ),
-        page_size: int = Field(
-            default=50, description="Number of results to return per page"
-        ),
-        page_number: int = Field(
-            default=1,
-            description="Page number to retrieve (1-indexed)",
-        ),
-    ) -> dict[str, Any]:
-        """Search and view configured providers to be scanned with Prowler.
-
-        This tool returns a unified view of all providers configured in Prowler.
-
-        For getting more details about what types of providers are available to be scanned with Prowler or
-        what are the UIDs are accepted for each provider type, please refer to Prowler Hub/Prowler Documentation
-        that you can also find in form of tools in this MCP Server.
-
-        Each provider includes:
-        - Provider identification: Prowler Internal ID, External Provider UID, Provider Alias
-        - Provider context: Provider Type
-        - Connection status: Connected (true), Failed (false), Not Tested (null)
-        """
-        self.api_client.validate_page_size(page_size)
-
-        params = {
-            "fields[providers]": "uid,alias,provider,connection,secret",
-            "page[number]": page_number,
-            "page[size]": page_size,
-        }
-
-        # Build filter parameters
-        if provider_id:
-            params["filter[id__in]"] = provider_id
-        if provider_uid:
-            params["filter[uid__in]"] = provider_uid
-        if provider_type:
-            params["filter[provider__in]"] = provider_type
-        if alias:
-            params["filter[alias__icontains]"] = alias
-        if connected is not None:
-            if isinstance(connected, bool):
-                params["filter[connected]"] = connected
-            else:
-                if connected.lower() == "true":
-                    params["filter[connected]"] = True
-                elif connected.lower() == "false":
-                    params["filter[connected]"] = False
-                else:
-                    raise ValueError(
-                        f"Invalid connected value: {connected}. Valid values are True, False, 'true', 'false' or None."
-                    )
-
-        clean_params = self.api_client.build_filter_params(params)
-
-        api_response = await self.api_client.get("/providers", params=clean_params)
-        simplified_response = ProvidersListResponse.from_api_response(api_response)
-
-        # Fetch secret_type for each provider that has a secret
-        for provider in simplified_response.providers:
-            # Get the provider data from the API response to access relationships
-            provider_data = next(
-                (
-                    provider_api_response
-                    for provider_api_response in api_response["data"]
-                    if provider_api_response["id"] == provider.id
-                ),
-                None,
-            )
-            if provider_data:
-                secret_relationship = provider_data.get("relationships", {}).get(
-                    "secret", {}
-                )
-                secret_data = secret_relationship.get("data")
-                if secret_data:
-                    secret_id = secret_data["id"]
-                    provider.secret_type = await self._get_secret_type(secret_id)
-
-        return simplified_response.model_dump()
-
-    async def connect_provider(
-        self,
-        provider_uid: str = Field(
-            description="Provider's unique identifier. For supported UID provider formats, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server"
-        ),
-        provider_type: str = Field(
-            description="Type of provider to be scanned with Prowler. Valid values include: 'aws', 'azure', 'gcp', 'kubernetes'... For more valid values, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server."
-        ),
-        alias: str | None = Field(
-            default=None,
-            description="Human-friendly name for this provider. Optional but recommended for easy identification. Use descriptive names to distinguish multiple accounts of the same type.",
-        ),
-        credentials: dict[str, Any] | None = Field(
-            default=None,
-            description="Provider-specific credentials for authentication. Optional - if not provided, provider is created but not connected. Structure varies by provider type. For supported provider types, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server",
-        ),
-    ) -> dict[str, Any]:
-        """Register a provider to be scanned with Prowler.
-
-        This tool will register a provider in Prowler App, even if the UID is wrong.
-        If the provider is already registered, it will be updated with the new provided alias or credentials if provided.
-        If credentials are provided, they will be added to the indicated provider, if the provider does not exist, it will be created and the credentials will be added to it.
-        If the connection test is successful, the provider will be connected.
-        If the connection test fails, the provider will be created but not connected.
-        The tool always returns the provider details after its registration or update.
-
-        Example Input:
-        - AWS Static Credentials:
-        ```json
-        {
-            "provider_uid": "123456789012",
-            "provider_type": "aws",
-            "alias": "production-aws-account",
-            "credentials": {
-                "aws_access_key_id": "AKIA...",
-                "aws_secret_access_key": "...",
-                "aws_session_token": "..."
-            }
-        }
-        ```
-        - AWS Assume Role:
-        ```json
-        {
-            "provider_uid": "987654321098",
-            "provider_type": "aws",
-            "alias": "staging-aws-account",
-            "credentials": {
-                "role_arn": "arn:aws:iam::987654321098:role/ProwlerScanRole",
-                "external_id": "...",
-                "aws_access_key_id": "AKIA...",   # Optional
-                "aws_secret_access_key": "...",   # Optional
-                "aws_session_token": "...",   # Optional
-                "session_duration": 3600,   # Optional
-                "role_session_name": "..."   # Optional
-            }
-        }
-        ```
-        - Azure/M365 Static Credentials:
-        ```json
-        {
-            "provider_uid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
-            "provider_type": "azure",
-            "alias": "production-azure-subscription",
-            "credentials": {
-                "client_id": "...",
-                "client_secret": "...",
-                "tenant_id": "..."
-            }
-        }
-        ```
-        - GCP Service Account Account Key:
-        ```json
-        {
-            "provider_uid": "my-gcp-project-prod",
-            "provider_type": "gcp",
-            "alias": "production-gcp-project",
-            "credentials": {
-                "service_account_key": {
-                    "type": "service_account",
-                    "project_id": "...",
-                    "private_key_id": "...",
-                    "private_key": "...",
-                    "client_email": "...",
-                }
-            }
-        }
-        ```
-        - Kubernetes Static Credentials:
-        ```json
-        {
-            "provider_uid": "prod-k8s-cluster",
-            "provider_type": "kubernetes",
-            "alias": "production-kubernetes-cluster",
-            "credentials": {
-                "kubeconfig_content": "..."
-            }
-        }
-        ```
-        - GitHub OAuth App Token:
-        ```json
-        {
-            "provider_uid": "my-organization",
-            "provider_type": "github",
-            "alias": "my-github-organization",
-            "credentials": {
-                "oauth_app_token": "..."
-            }
-        }
-
-        NOTE: THERE ARE MORE PROVIDER TYPES AND CREDENTIAL TYPES AVAILABLE, PLEASE REFER TO THE Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server.
-        """
-        # Step 1: Check if provider already exists
-        prowler_provider_id = await self._check_provider_exists(provider_uid)
-
-        # Step 2: Create or update provider
-        if prowler_provider_id is None:
-            prowler_provider_id = await self._create_provider(
-                provider_uid, provider_type, alias
-            )
-        elif alias:
-            await self._update_provider_alias(prowler_provider_id, alias)
-
-        # Step 3: Handle credentials if provided and capture secret response
-        secret_response = None
-        if credentials:
-            secret_response = await self._store_credentials(
-                prowler_provider_id, credentials
-            )
-
-        # Step 4: Test connection
-        connection_status = await self._test_connection(prowler_provider_id)
-
-        # Step 5: Get final provider state with relationships
-        final_provider = await self._get_final_provider_state(prowler_provider_id)
-
-        # Transform to structured response using model
-        connection_result = ProviderConnectionStatus.create(
-            provider_data=final_provider["data"],
-            connection_status=connection_status,
-        )
-
-        if secret_response:
-            # We just stored credentials, use the secret_type from the response
-            connection_result.provider.secret_type = (
-                secret_response.get("data", {}).get("attributes", {}).get("secret_type")
-            )
-        else:
-            # No new credentials provided, check if provider has an existing secret
-            secret_data = (
-                final_provider.get("data", {})
-                .get("relationships", {})
-                .get("secret", {})
-                .get("data")
-            )
-            if secret_data:
-                # Provider has existing secret, fetch its type
-                secret_id = secret_data["id"]
-                connection_result.provider.secret_type = await self._get_secret_type(
-                    secret_id
-                )
-
-        return connection_result.model_dump()
-
-    async def delete_provider(
-        self,
-        provider_id: str = Field(
-            description="Prowler's internal UUID (v4) for the provider to permanently remove, generated when the provider was registered in the system. Use `prowler_app_search_providers` tool to find the provider_id if you only know the alias or the provider's own identifier (provider_uid)"
-        ),
-    ) -> dict[str, Any]:
-        """Permanently remove a registered provider from Prowler.
-
-        WARNING: This is a destructive operation that cannot be undone. The provider will need to be
-        re-added with prowler_app_connect_provider if you want to scan it again.
-
-        The tool always returns the deletion status and message.
-        """
-        self.logger.info(f"Deleting provider {provider_id}...")
-        try:
-            # Initiate the deletion task
-            task_response = await self.api_client.delete(f"/providers/{provider_id}")
-            task_id = task_response.get("data", {}).get("id")
-
-            # Poll until task completes (with 60 second timeout)
-            await self.api_client.poll_task_until_complete(
-                task_id=task_id, timeout=60, poll_interval=1.0
-            )
-
-            # If we reach here, the task completed successfully
-            return {
-                "deleted": True,
-                "message": f"Provider {provider_id} deleted successfully",
-            }
-        except Exception as e:
-            self.logger.error(f"Provider deletion failed: {e}")
-            return {
-                "deleted": False,
-                "message": f"Provider {provider_id} deletion failed: {str(e)}",
-            }
-
-    # Private helper methods
-
-    async def _check_provider_exists(self, provider_uid: str) -> str | None:
-        """Check if a provider already exists by its UID.
-
-        Args:
-            provider_uid: The provider's unique identifier (e.g., AWS account ID)
-
-        Returns:
-            The Prowler-generated provider ID if exists, None otherwise
-
-        Raises:
-            Exception: If multiple providers with the same UID are found (data integrity issue)
-            Exception: If API request fails
-        """
-        self.logger.info(f"Checking if provider {provider_uid} exists...")
-        response = await self.api_client.get(
-            "/providers", params={"filter[uid]": provider_uid}
-        )
-        providers = response.get("data", [])
-
-        if len(providers) == 0:
-            self.logger.info(f"Provider {provider_uid} does not exist")
-            return None
-        elif len(providers) == 1:
-            prowler_provider_id = providers[0].get("id")
-            self.logger.info(
-                f"Provider {provider_uid} exists with ID {prowler_provider_id}"
-            )
-            return prowler_provider_id
-        else:
-            # Multiple providers with the same UID is a data integrity issue
-            raise Exception(
-                f"Data integrity error: Found {len(providers)} providers with UID '{provider_uid}'. "
-                f"Each provider UID should be unique. Please contact support or manually clean up duplicate providers."
-            )
-
-    async def _create_provider(
-        self, provider_uid: str, provider_type: str, alias: str | None
-    ) -> str:
-        """Create a new provider.
-
-        Args:
-            provider_uid: The provider's unique identifier
-            provider_type: Type of provider to be scanned with Prowler (aws, azure, gcp, etc.)
-            alias: Optional human-friendly name for the provider
-
-        Returns:
-            The provider UID (which is used as the ID)
-        """
-        self.logger.info(f"Creating provider {provider_uid} (type: {provider_type})...")
-        provider_body = {
-            "data": {
-                "type": "providers",
-                "attributes": {
-                    "uid": provider_uid,
-                    "provider": provider_type,
-                },
-            }
-        }
-        if alias:
-            provider_body["data"]["attributes"]["alias"] = alias
-
-        await self.api_client.post("/providers", json_data=provider_body)
-
-        provider_id = await self._check_provider_exists(provider_uid)
-        if provider_id is None:
-            raise Exception(f"Provider {provider_uid} creation failed")
-        return provider_id
-
-    async def _update_provider_alias(
-        self, prowler_provider_id: str, alias: str
-    ) -> None:
-        """Update the alias of an existing provider.
-
-        Args:
-            prowler_provider_id: The Prowler-generated provider ID
-            alias: New human-friendly name for the provider
-        """
-        self.logger.info(f"Updating provider {prowler_provider_id} alias...")
-        update_body = {
-            "data": {
-                "type": "providers",
-                "id": prowler_provider_id,
-                "attributes": {
-                    "alias": alias,
-                },
-            }
-        }
-        result = await self.api_client.patch(
-            f"/providers/{prowler_provider_id}", json_data=update_body
-        )
-        if result.get("data", {}).get("attributes", {}).get("alias") != alias:
-            raise Exception(f"Provider {prowler_provider_id} alias update failed")
-
-    def _determine_secret_type(self, credentials: dict[str, Any]) -> str:
-        """Determine the secret type from credentials structure.
-
-        Args:
-            credentials: The credentials dictionary
-
-        Returns:
-            Secret type: "role", "service_account", or "static"
-        """
-        if "role_arn" in credentials:
-            return "role"
-        elif "service_account_key" in credentials:
-            return "service_account"
-        else:
-            return "static"
-
-    async def _get_provider_secret_id(self, prowler_provider_id: str) -> str | None:
-        """Get the secret ID for a provider if it exists.
-
-        Args:
-            prowler_provider_id: The Prowler-generated provider ID
-
-        Returns:
-            The secret ID if exists, None otherwise
-        """
-        try:
-            response = await self.api_client.get(
-                "/providers/secrets",
-                params={"filter[provider]": prowler_provider_id},
-            )
-            secrets = response.get("data", [])
-
-            if len(secrets) > 0:
-                secret_id = secrets[0].get("id")
-                self.logger.info(
-                    f"Found existing secret {secret_id} for provider {prowler_provider_id}"
-                )
-                return secret_id
-            else:
-                self.logger.info(
-                    f"No existing secret found for provider {prowler_provider_id}"
-                )
-                return None
-        except Exception as e:
-            self.logger.error(f"Error checking for existing secret: {e}")
-            return None
-
-    async def _get_secret_type(self, secret_id: str) -> str | None:
-        """Get the secret type for a given secret ID.
-
-        Args:
-            secret_id: The secret ID from provider relationships
-
-        Returns:
-            The secret type ("role", "service_account", or "static") if found, None otherwise
-        """
-        try:
-            response = await self.api_client.get(
-                f"/providers/secrets/{secret_id}",
-                params={"fields[provider-secrets]": "secret_type"},
-            )
-            secret_type = (
-                response.get("data", {}).get("attributes", {}).get("secret_type")
-            )
-            return secret_type
-        except Exception as e:
-            self.logger.error(f"Error fetching secret type for {secret_id}: {e}")
-            return None
-
-    async def _store_credentials(
-        self, prowler_provider_id: str, credentials: dict[str, Any]
-    ) -> dict[str, Any]:
-        """Store or update credentials for a provider.
-
-        Args:
-            prowler_provider_id: The Prowler-generated provider ID
-            credentials: The credentials to store
-
-        Returns:
-            The API response with the secret data
-        """
-        self.logger.info(
-            f"Adding/updating credentials for provider {prowler_provider_id}..."
-        )
-
-        secret_type = self._determine_secret_type(credentials)
-
-        # Check if a secret already exists for this provider
-        existing_secret_id = await self._get_provider_secret_id(prowler_provider_id)
-
-        if existing_secret_id:
-            # Update existing secret
-            self.logger.info(f"Updating existing secret {existing_secret_id}...")
-            update_body = {
-                "data": {
-                    "type": "provider-secrets",
-                    "id": existing_secret_id,
-                    "attributes": {
-                        "secret_type": secret_type,
-                        "secret": credentials,
-                    },
-                    "relationships": {
-                        "provider": {
-                            "data": {
-                                "type": "providers",
-                                "id": prowler_provider_id,
-                            }
-                        }
-                    },
-                }
-            }
-            try:
-                response = await self.api_client.patch(
-                    f"/providers/secrets/{existing_secret_id}",
-                    json_data=update_body,
-                )
-                self.logger.info("Credentials updated successfully")
-                return response
-            except Exception as e:
-                self.logger.error(f"Error updating credentials: {e}")
-                raise
-        else:
-            # Create new secret
-            self.logger.info("Creating new secret...")
-            secret_body = {
-                "data": {
-                    "type": "provider-secrets",
-                    "attributes": {
-                        "secret_type": secret_type,
-                        "secret": credentials,
-                    },
-                    "relationships": {
-                        "provider": {
-                            "data": {
-                                "type": "providers",
-                                "id": prowler_provider_id,
-                            }
-                        }
-                    },
-                }
-            }
-
-            try:
-                response = await self.api_client.post(
-                    "/providers/secrets", json_data=secret_body
-                )
-                self.logger.info("Credentials added successfully")
-                return response
-            except Exception as e:
-                self.logger.error(f"Error adding credentials: {e}")
-                raise
-
-    async def _test_connection(self, prowler_provider_id: str) -> dict[str, Any]:
-        """Test connection to a provider.
-
-        Args:
-            prowler_provider_id: The Prowler-generated provider ID
-
-        Returns:
-            Connection status dictionary with 'connected' boolean and optional 'error' message
-        """
-        self.logger.info(f"Testing connection for provider {prowler_provider_id}...")
-        try:
-            # Initiate the connection test task
-            task_response = await self.api_client.post(
-                f"/providers/{prowler_provider_id}/connection", json_data={}
-            )
-            task_id = task_response.get("data", {}).get("id")
-
-            # Poll until task completes (with 60 second timeout)
-            completed_task = await self.api_client.poll_task_until_complete(
-                task_id=task_id, timeout=60, poll_interval=1.0
-            )
-
-            # Extract the result from the completed task
-            task_result = (
-                completed_task.get("data", {}).get("attributes", {}).get("result", {})
-            )
-
-            return task_result
-        except Exception as e:
-            self.logger.error(f"Connection test failed: {e}")
-            return {"connected": False, "error": str(e)}
-
-    async def _get_final_provider_state(
-        self, prowler_provider_id: str
-    ) -> dict[str, Any]:
-        """Get final provider state with relationships.
-
-        Args:
-            prowler_provider_id: The Prowler-generated provider ID
-
-        Returns:
-            Provider data dictionary
-        """
-        return await self.api_client.get(
-            f"/providers/{prowler_provider_id}",
-        )
@@ -1,345 +0,0 @@
-"""Cloud Resources tools for Prowler App MCP Server.
-
-This module provides tools for searching, viewing, and analyzing cloud resources
-across all providers.
-"""
-
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.resources import (
-    DetailedResource,
-    ResourcesListResponse,
-    ResourcesMetadataResponse,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class ResourcesTools(BaseTool):
-    """Tools for cloud resources operations.
-
-    Provides tools for:
-    - Searching and filtering cloud resources
-    - Getting detailed resource information
-    - Viewing resources overview with statistics
-    """
-
-    async def list_resources(
-        self,
-        provider_type: list[str] = Field(
-            default=[],
-            description="Filter by  provider type. Multiple values allowed. If empty, all providers are returned. For valid values, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server.",
-        ),
-        provider_alias: str | None = Field(
-            default=None,
-            description="Filter by specific provider alias/name (partial match supported). Useful for finding resources in specific accounts like 'production' or 'dev'.",
-        ),
-        provider_uid: str | None = Field(
-            default=None,
-            description="Filter by provider's native ID (e.g., AWS account ID, Azure subscription ID, GCP project ID). All supported provider types are listed in the Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server",
-        ),
-        region: list[str] = Field(
-            default=[],
-            description="Filter by regions. Multiple values allowed (e.g., us-east-1, westus2, europe-west1), format may vary depending on the provider. If empty, all regions are returned.",
-        ),
-        service: list[str] = Field(
-            default=[],
-            description="Filter by service. Multiple values allowed (e.g., s3, ec2, iam, keyvault). If empty, all services are returned.",
-        ),
-        resource_type: list[str] = Field(
-            default=[],
-            description="Filter by resource type. Format may vary depending on the provider. If empty, all resource types are returned.",
-        ),
-        resource_name: str | None = Field(
-            default=None,
-            description="Filter by resource name (partial match supported). Useful for finding specific resources like 'prod-db' or 'test-bucket'.",
-        ),
-        tag_key: str | None = Field(
-            default=None,
-            description="Filter resources by tag key (e.g., 'Environment', 'CostCenter', 'Owner').",
-        ),
-        tag_value: str | None = Field(
-            default=None,
-            description="Filter resources by tag value (e.g., 'production', 'staging', 'development').",
-        ),
-        date_from: str | None = Field(
-            default=None,
-            description="Start date for range query in ISO 8601 format (YYYY-MM-DD, e.g., '2025-01-15'). Full date required. IMPORTANT: Maximum date range is 2 days. If only date_from is provided, date_to is automatically set to 2 days later.",
-        ),
-        date_to: str | None = Field(
-            default=None,
-            description="End date for range query in ISO 8601 format (YYYY-MM-DD, e.g., '2025-01-15'). Full date required. If only date_to is provided, date_from is automatically set to 2 days earlier.",
-        ),
-        search: str | None = Field(
-            default=None, description="Free-text search term across resource details"
-        ),
-        page_size: int = Field(
-            default=50, description="Number of results to return per page (max 1000)"
-        ),
-        page_number: int = Field(
-            default=1, description="Page number to retrieve (1-indexed)"
-        ),
-    ) -> dict[str, Any]:
-        """List and filter all resources scanned by Prowler.
-
-        IMPORTANT: This tool returns LIGHTWEIGHT resource information. Use this for fast searching
-        and filtering across many resources. For complete configuration details, metadata, and finding
-        relationships, use prowler_app_get_resource on specific resources of interest.
-
-        This is the primary tool for browsing resources with rich filtering capabilities.
-        Returns current state by default (latest scan per provider). Specify dates to query
-        historical data (2-day maximum window).
-
-        Default behavior:
-        - Returns latest resources from most recent scans (no date parameters needed)
-        - Returns 50 results per page
-        - Sorted by service, region, and name for logical grouping
-
-        Date filtering:
-        - Without dates: queries resources from the most recent completed scan per provider (most efficient)
-        - With dates: queries historical resource state (2-day maximum range between date_from and date_to)
-
-        Each resource includes:
-        - Core identification: id (UUID for prowler_app_get_resource), uid, name
-        - Location context: region, service, type
-        - Security context: failed_findings_count (number of active security issues)
-        - Tags: tags associated with the resource
-
-        Useful Workflow:
-        1. Use this tool to search and filter resources by provider, region, service, tags, etc.
-        2. Use prowler_app_get_resource with the resource 'id' to get complete configuration and metadata
-        3. Use prowler_app_search_security_findings to find security issues for specific resources
-        4. Use prowler_app_get_finding_details to get details about the security issues for specific resources
-        """
-        # Validate page_size parameter
-        self.api_client.validate_page_size(page_size)
-
-        # Determine endpoint based on date parameters
-        date_range = self.api_client.normalize_date_range(
-            date_from, date_to, max_days=2
-        )
-
-        if date_range is None:
-            # No dates provided - use latest resources endpoint
-            endpoint = "/resources/latest"
-            params = {}
-        else:
-            # Dates provided - use historical resources endpoint
-            endpoint = "/resources"
-            params = {
-                "filter[updated_at__gte]": date_range[0],
-                "filter[updated_at__lte]": date_range[1],
-            }
-
-        # Build filter parameters
-        if provider_type:
-            params["filter[provider_type__in]"] = provider_type
-        if provider_alias:
-            params["filter[provider_alias__icontains]"] = provider_alias
-        if provider_uid:
-            params["filter[provider_uid__icontains]"] = provider_uid
-        if region:
-            params["filter[region__in]"] = region
-        if service:
-            params["filter[service__in]"] = service
-        if resource_type:
-            params["filter[type__in]"] = resource_type
-        if resource_name:
-            params["filter[name__icontains]"] = resource_name
-        if tag_key:
-            params["filter[tag_key]"] = tag_key
-        if tag_value:
-            params["filter[tag_value]"] = tag_value
-        if search:
-            params["filter[search]"] = search
-
-        # Pagination
-        params["page[size]"] = page_size
-        params["page[number]"] = page_number
-
-        # Return only LLM-relevant fields
-        params["fields[resources]"] = (
-            "uid,name,region,service,type,failed_findings_count,tags"
-        )
-        params["sort"] = "service,region,name"
-
-        # Convert lists to comma-separated strings
-        clean_params = self.api_client.build_filter_params(params)
-
-        # Get API response and transform to simplified format
-        api_response = await self.api_client.get(endpoint, params=clean_params)
-        simplified_response = ResourcesListResponse.from_api_response(api_response)
-
-        return simplified_response.model_dump()
-
-    async def get_resource(
-        self,
-        resource_id: str = Field(
-            description="Prowler's internal UUID (v4) for the resource to retrieve, generated when the resource was discovered in the system. Use `prowler_app_list_resources` tool to find the right ID"
-        ),
-    ) -> dict[str, Any]:
-        """Retrieve comprehensive details about a specific resource by its ID.
-
-        IMPORTANT: This tool provides COMPLETE resource details with all available information.
-        Use this after finding a specific resource via prowler_app_list_resources.
-
-        This tool provides ALL information that prowler_app_list_resources returns PLUS:
-
-        1. Configuration Details:
-           - metadata: Provider-specific configuration (tags, policies, encryption settings, network rules)
-           - partition: Provider-specific partition/region grouping (e.g., aws, aws-cn, aws-us-gov for AWS)
-
-        2. Temporal Tracking:
-           - inserted_at: When Prowler first discovered this resource
-           - updated_at: When resource configuration last changed
-
-        3. Security Relationships:
-           - finding_ids: Prowler's internal UUIDs (v4) of all security findings associated with this resource
-           - Use prowler_app_get_finding_details on these IDs to get remediation guidance
-
-        Useful Workflow:
-        1. Use prowler_app_list_resources to browse and filter across many resources
-        2. Use this tool to drill down into specific resources of interest
-        3. Use prowler_app_get_finding_details to get details about the security issues for specific resources
-        """
-        params = {}
-
-        # Get API response and transform to detailed format
-        api_response = await self.api_client.get(
-            f"/resources/{resource_id}", params=params
-        )
-        detailed_resource = DetailedResource.from_api_response(
-            api_response.get("data", {})
-        )
-
-        return detailed_resource.model_dump()
-
-    async def get_resources_overview(
-        self,
-        provider_type: list[str] = Field(
-            default=[],
-            description="Filter by  provider type. Multiple values allowed. If empty, all providers are returned. For valid values, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server.",
-        ),
-        provider_alias: str | None = Field(
-            default=None,
-            description="Filter by specific provider alias/name (partial match supported).",
-        ),
-        provider_uid: str | None = Field(
-            default=None,
-            description="Filter by provider's native ID (e.g., AWS account ID, Azure subscription ID).",
-        ),
-        date_from: str | None = Field(
-            default=None,
-            description="Start date for range query in ISO 8601 format (YYYY-MM-DD). Maximum 2-day range.",
-        ),
-        date_to: str | None = Field(
-            default=None,
-            description="End date for range query in ISO 8601 format (YYYY-MM-DD).",
-        ),
-    ) -> dict[str, Any]:
-        """Generate a markdown overview of your resources with statistics and insights.
-
-        IMPORTANT: This tool provides HIGH-LEVEL STATISTICS without returning individual resources.
-        Use this when you need a summary view before drilling into details.
-
-        The report includes:
-        - Total number of resources
-        - Available services across your providers
-        - Regions where resources are deployed
-        - Resource types present in your providers
-
-        Output format: Markdown-formatted report ready to present to users or include in documentation.
-
-        Use cases:
-        - Understanding infrastructure footprint
-        - Identifying resource concentration (which regions, services)
-        - Multi-provider deployment auditing
-        - Resource inventory reporting
-        - Tags planning (by provider, service, region)
-        """
-        # Determine endpoint based on date parameters
-        date_range = self.api_client.normalize_date_range(
-            date_from, date_to, max_days=2
-        )
-
-        if date_range is None:
-            # No dates provided - use latest metadata endpoint
-            metadata_endpoint = "/resources/metadata/latest"
-            list_endpoint = "/resources/latest"
-            params = {}
-        else:
-            # Dates provided - use historical endpoints
-            metadata_endpoint = "/resources/metadata"
-            list_endpoint = "/resources"
-            params = {
-                "filter[updated_at__gte]": date_range[0],
-                "filter[updated_at__lte]": date_range[1],
-            }
-
-        # Build common filter parameters
-        if provider_type:
-            params["filter[provider_type__in]"] = provider_type
-        if provider_alias:
-            params["filter[provider_alias__icontains]"] = provider_alias
-        if provider_uid:
-            params["filter[provider_uid__icontains]"] = provider_uid
-
-        # Convert lists to comma-separated strings
-        clean_params = self.api_client.build_filter_params(params)
-
-        # Get metadata (services, regions, types)
-        metadata_params = clean_params.copy()
-        metadata_params["fields[resources-metadata]"] = "services,regions,types"
-        metadata_response = await self.api_client.get(
-            metadata_endpoint, params=metadata_params
-        )
-        metadata = ResourcesMetadataResponse.from_api_response(metadata_response)
-
-        # Get total count (using page_size=1 for efficiency)
-        count_params = clean_params.copy()
-        count_params["page[size]"] = 1
-        count_params["page[number]"] = 1
-        count_response = await self.api_client.get(list_endpoint, params=count_params)
-        total_resources = (
-            count_response.get("meta", {}).get("pagination", {}).get("count", 0)
-        )
-
-        # Build markdown report
-        report_lines = ["# Cloud Resources Overview", ""]
-
-        # Total resources
-        report_lines.append(f"**Total Resources**: {total_resources:,} resources")
-        report_lines.append("")
-
-        # Services
-        if metadata.services:
-            report_lines.append("## Services")
-            report_lines.append(f"**{len(metadata.services)}** unique services found")
-            report_lines.append("")
-            for i, service in enumerate(metadata.services, 1):
-                report_lines.append(f"{i}. {service}")
-            report_lines.append("")
-
-        # Regions
-        if metadata.regions:
-            report_lines.append("## Regions")
-            report_lines.append(f"**{len(metadata.regions)}** unique regions found")
-            report_lines.append("")
-            for i, region in enumerate(metadata.regions, 1):
-                report_lines.append(f"{i}. {region}")
-            report_lines.append("")
-
-        # Resource types
-        if metadata.types:
-            report_lines.append("## Resource Types")
-            report_lines.append(
-                f"**{len(metadata.types)}** unique resource types found"
-            )
-            report_lines.append("")
-            for i, rtype in enumerate(metadata.types, 1):
-                report_lines.append(f"{i}. {rtype}")
-            report_lines.append("")
-
-        report = "\n".join(report_lines)
-        return {"report": report}
@@ -1,327 +0,0 @@
-"""Security Scans tools for Prowler App MCP Server.
-
-This module provides tools for managing and monitoring Prowler security scans.
-"""
-
-from typing import Any, Literal
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.scans import (
-    DetailedScan,
-    ScanCreationResult,
-    ScansListResponse,
-    ScheduleCreationResult,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class ScansTools(BaseTool):
-    """Tools for security scan operations.
-
-    Provides tools for:
-    - prowler_app_list_scans: Search and filter scans with rich filtering capabilities
-    - prowler_app_get_scan: Get comprehensive details about a specific scan
-    - prowler_app_trigger_scan: Trigger manual security scans for providers
-    - prowler_app_schedule_daily_scan: Schedule automated daily scans for continuous monitoring
-    - prowler_app_update_scan: Update scan names for better organization
-    """
-
-    async def list_scans(
-        self,
-        provider_id: list[str] = Field(
-            default=[],
-            description="Filter by Prowler's internal UUID(s) (v4) for specific provider(s), generated when the provider was registered. Use `prowler_app_search_providers` tool to find provider IDs",
-        ),
-        provider_type: list[str] = Field(
-            default=[],
-            description="Filter by cloud provider type. For all valid values, please refer to Prowler Hub/Prowler Documentation that you can also find in form of tools in this MCP Server",
-        ),
-        provider_alias: str | None = Field(
-            default=None,
-            description="Filter by provider alias/friendly name. Partial match supported (case-insensitive)",
-        ),
-        state: list[
-            Literal[
-                "available",
-                "scheduled",
-                "executing",
-                "completed",
-                "failed",
-                "cancelled",
-            ]
-        ] = Field(
-            default=[],
-            description="Filter by scan execution state.",
-        ),
-        trigger: Literal["manual", "scheduled"] | None = Field(
-            default=None,
-            description="Filter by how the scan was initiated. Options: 'manual' (user-initiated via prowler_app_trigger_scan), 'scheduled' (automated via prowler_app_schedule_daily_scan)",
-        ),
-        name: str | None = Field(
-            default=None,
-            description="Filter by scan name. Partial match supported (case-insensitive)",
-        ),
-        page_size: int = Field(
-            default=50,
-            description="Number of results to return per page",
-        ),
-        page_number: int = Field(
-            default=1,
-            description="Page number to retrieve (1-indexed)",
-        ),
-    ) -> dict[str, Any]:
-        """List and filter security scans across all providers with rich filtering capabilities.
-
-        IMPORTANT: This tool returns LIGHTWEIGHT scan information. Use this for fast searching and filtering
-        across many scans. For complete scan details including progress, duration, and resource counts,
-        use prowler_app_get_scan on specific scans of interest.
-
-        Default behavior:
-        - Returns all scans
-        - Returns 50 scans per page
-        - Includes all scan states (available, scheduled, executing, completed, failed, cancelled)
-
-        Each scan includes:
-        - Core identification: id (UUID for prowler_app_get_scan), name
-        - Execution context: state, trigger (manual/scheduled)
-        - Temporal data: started_at, completed_at
-        - Provider relationship: provider_id
-
-        Workflow:
-        1. Use this tool to search and filter scans by provider, state, or date range
-        2. Use prowler_app_get_scan with the scan 'id' to get progress, duration, and resource counts
-        3. Use prowler_app_search_security_findings filtered by scan dates to analyze scan results
-        """
-        # Validate pagination
-        self.api_client.validate_page_size(page_size)
-
-        # Build query parameters
-        params: dict[str, Any] = {
-            "page[size]": page_size,
-            "page[number]": page_number,
-        }
-
-        # Apply provider filters
-        if provider_id:
-            params["filter[provider__in]"] = provider_id
-        if provider_type:
-            params["filter[provider_type__in]"] = provider_type
-        if provider_alias:
-            params["filter[provider_alias__icontains]"] = provider_alias
-
-        # Apply scan filters
-        if state:
-            params["filter[state__in]"] = state
-        if trigger:
-            params["filter[trigger]"] = trigger
-        if name:
-            params["filter[name__icontains]"] = name
-
-        clean_params = self.api_client.build_filter_params(params)
-
-        api_response = await self.api_client.get("/scans", params=clean_params)
-        simplified_response = ScansListResponse.from_api_response(api_response)
-
-        return simplified_response.model_dump()
-
-    async def get_scan(
-        self,
-        scan_id: str = Field(
-            description="Prowler's internal UUID (v4) for the scan to retrieve, generated when the scan was created (e.g., '123e4567-e89b-12d3-a456-426614174000'). Use `prowler_app_list_scans` tool to find scan IDs"
-        ),
-    ) -> dict[str, Any]:
-        """Retrieve comprehensive details about a specific scan by its ID.
-
-        IMPORTANT: This tool returns COMPLETE scan details.
-        Use this after finding a specific scan via prowler_app_list_scans.
-
-        This tool provides ALL information that prowler_app_list_scans returns PLUS:
-
-        1. Execution Details:
-           - progress: Scan completion progress as percentage (0-100%)
-           - duration: Total scan duration in seconds from start to completion
-           - unique_resource_count: Number of unique cloud resources discovered during the scan
-
-        2. Temporal Metadata:
-           - inserted_at: When the scan was created in the database
-           - scheduled_at: When the scan was scheduled to run (for scheduled scans)
-           - next_scan_at: When the next scan will run (for recurring daily scans)
-
-        Useful for:
-        - Monitoring scan progress during execution (via progress field)
-        - Viewing scan results and metrics after completion
-        - Debugging failed scans with detailed state information
-        - Understanding scan scheduling patterns
-
-        Workflow:
-        1. Use prowler_app_list_scans to browse and filter scans
-        2. Use this tool with the scan 'id' to monitor progress or view detailed results
-        3. For completed scans, use prowler_app_search_security_findings filtered by date to analyze findings
-        """
-        # Fetch scan with all fields
-        params = {
-            "fields[scans]": "name,trigger,state,progress,duration,unique_resource_count,started_at,completed_at,scheduled_at,next_scan_at,inserted_at"
-        }
-
-        api_response = await self.api_client.get(f"/scans/{scan_id}", params=params)
-        detailed_scan = DetailedScan.from_api_response(api_response["data"])
-
-        return detailed_scan.model_dump()
-
-    async def trigger_scan(
-        self,
-        provider_id: str = Field(
-            description="Prowler's internal UUID (v4) for the provider to scan, generated when the provider was registered in the system (e.g., '4d0e2614-6385-4fa7-bf0b-c2e2f75c6877'). Use `prowler_app_search_providers` tool to find the provider ID"
-        ),
-        name: str | None = Field(
-            default=None,
-            description="Optional human-friendly name for the scan. Use descriptive names to identify scan purpose or context, e.g., 'Weekly Production Security Audit', 'Pre-Deployment Validation', 'Compliance Check Q4 2025'",
-        ),
-    ) -> dict[str, Any]:
-        """Trigger a manual security scan for a provider.
-
-        IMPORTANT: This tool returns immediately once the scan is created.
-        The scan will continue running in the background. Use `prowler_app_get_scan`
-        with the returned scan ID to monitor progress and check when it completes.
-
-        Example Useful Workflow:
-        1. Use `prowler_app_search_providers` to find the provider_id you want to scan
-        2. Use this tool to trigger the scan
-        3. Use `prowler_app_get_scan` with the returned scan 'id' to monitor progress
-        4. Once completed, use `prowler_app_search_security_findings` to analyze results
-        """
-        try:
-            # Build request data
-            request_data: dict[str, Any] = {
-                "data": {
-                    "type": "scans",
-                    "attributes": {},
-                    "relationships": {
-                        "provider": {
-                            "data": {
-                                "type": "providers",
-                                "id": provider_id,
-                            },
-                        },
-                    },
-                },
-            }
-            if name:
-                request_data["data"]["attributes"]["name"] = name
-
-            # Create scan (returns Task)
-            self.logger.info(f"Creating scan for provider {provider_id}")
-            task_response = await self.api_client.post("/scans", json_data=request_data)
-
-            scan_id = (
-                task_response.get("data", {})
-                .get("attributes", {})
-                .get("task_args", {})
-                .get("scan_id", None)
-            )
-
-            if not scan_id:
-                raise Exception("No scan_id returned from scan creation")
-
-            self.logger.info(f"Scan created successfully: {scan_id}")
-            scan_response = await self.api_client.get(f"/scans/{scan_id}")
-            scan_info = DetailedScan.from_api_response(scan_response["data"])
-
-            return ScanCreationResult(
-                scan=scan_info,
-                status="success",
-                message=f"Scan {scan_id} created successfully. The scan may take some time to complete. Use prowler_app_get_scan tool with this ID to monitor progress.",
-            ).model_dump()
-
-        except Exception as e:
-            self.logger.error(f"Scan creation failed: {e}")
-            return ScanCreationResult(
-                scan=None,
-                status="failed",
-                message=f"Scan creation failed: {str(e)}",
-            ).model_dump()
-
-    async def schedule_daily_scan(
-        self,
-        provider_id: str = Field(
-            description="Prowler's internal UUID (v4) for the provider to scan, generated when the provider was registered in the system (e.g., '4d0e2614-6385-4fa7-bf0b-c2e2f75c6877'). Use `prowler_app_search_providers` tool to find the provider ID"
-        ),
-    ) -> dict[str, Any]:
-        """Schedule automated daily scans for a provider for continuous security monitoring.
-
-        Creates a recurring daily scan schedule that will automatically trigger
-        scans every 24 hours (starting from the moment the schedule is created).
-        The schedule persists until manually removed and will execute even when
-        you're not actively using the system.
-
-        IMPORTANT: This tool returns immediately once the daily schedule is created.
-        The schedule will be set up in the background. Use `prowler_app_list_scans`
-        filtered by provider_id and trigger='scheduled' to view scheduled scans.
-
-        IMPORTANT: This creates a PERSISTENT schedule. The provider will be scanned
-        automatically every 24 hours until the provider is deleted.
-
-        Example Useful Workflow:
-        1. Use `prowler_app_search_providers` to find the provider_id you want to monitor
-        2. Use this tool to create the daily schedule
-        3. Use `prowler_app_list_scans` filtered by provider_id to view scheduled and completed scans
-        4. Monitor findings over time with `prowler_app_search_security_findings`
-        """
-        self.logger.info(f"Creating daily schedule for provider {provider_id}")
-        task_response = await self.api_client.post(
-            "/schedules/daily",
-            json_data={
-                "data": {
-                    "type": "daily-schedules",
-                    "attributes": {
-                        "provider_id": provider_id,
-                    },
-                },
-            },
-        )
-        task_state = (
-            task_response.get("data", {}).get("attributes", {}).get("state", None)
-        )
-
-        if task_state == "available":
-            return_message = "Daily schedule created successfully. The schedule is being set up in the background. Use prowler_app_list_scans with provider_id filter to view scheduled scans."
-        else:
-            return_message = "Daily schedule creation failed. Please try again later."
-
-        return ScheduleCreationResult(
-            scheduled=(task_state == "available"),
-            message=return_message,
-        ).model_dump()
-
-    async def update_scan(
-        self,
-        scan_id: str = Field(
-            description="Prowler's internal UUID (v4) for the scan to update, generated when the scan was created (e.g., '123e4567-e89b-12d3-a456-426614174000'). Use `prowler_app_list_scans` tool to find the scan ID if you only know the provider or scan name. Returns an error if the scan ID is invalid or not found."
-        ),
-        name: str = Field(
-            description="New human-friendly name for the scan (3-100 characters). Use descriptive names to improve organization and tracking, e.g., 'Production Security Audit - Q4 2025', 'Post-Deployment Compliance Check'. IMPORTANT: Only the scan name can be updated - other attributes (state, progress, duration) are read-only and managed by the system."
-        ),
-    ) -> dict[str, Any]:
-        """Update a scan's name for better organization and tracking.
-
-        IMPORTANT: Only the scan name can be updated. Other scan attributes
-        (state, progress, duration, etc.) are read-only and managed by the system.
-
-        Example Useful Workflow:
-        1. Use `prowler_app_list_scans` to find the scan you want to rename
-        2. Use this tool with the scan 'id' and new name
-        """
-        api_response = await self.api_client.patch(
-            f"/scans/{scan_id}",
-            json_data={
-                "data": {
-                    "type": "scans",
-                    "id": scan_id,
-                    "attributes": {"name": name},
-                },
-            },
-        )
-        detailed_scan = DetailedScan.from_api_response(api_response["data"])
-
-        return detailed_scan.model_dump()
@@ -1,6 +1,5 @@
 """Shared API client utilities for Prowler App tools."""

-import asyncio
 from datetime import datetime, timedelta
 from enum import Enum
 from typing import Any, Dict
@@ -84,13 +83,7 @@ class ProwlerAPIClient(metaclass=SingletonMeta):
            )
            response.raise_for_status()

-            if not response.content:
-                return {
-                    "success": True,
-                    "status_code": response.status_code,
-                }
-            else:
-                return response.json()
+            return response.json()
        except httpx.HTTPStatusError as e:
            logger.error(f"HTTP error during {method.value} {path}: {e}")
            error_detail: str = ""
@@ -187,68 +180,6 @@ class ProwlerAPIClient(metaclass=SingletonMeta):
        """
        return await self._make_request(HTTPMethod.DELETE, path, params=params)

-    async def poll_task_until_complete(
-        self,
-        task_id: str,
-        timeout: int = 60,
-        poll_interval: float = 1.0,
-    ) -> dict[str, any]:
-        """Poll a task until it reaches a terminal state.
-
-        This method polls the task endpoint at regular intervals until the task
-        completes, fails, or times out. It's designed for async operations like
-        provider connection tests and deletions that return task IDs.
-
-        Args:
-            task_id: The UUID of the task to poll (UUID object or string)
-            timeout: Maximum time to wait in seconds (default: 60)
-            poll_interval: Time between polls in seconds (default: 1.0)
-
-        Returns:
-            The complete task response when terminal state is reached
-
-        Raises:
-            Exception: If task fails, is cancelled, or timeout is exceeded
-        """
-        terminal_states = {"completed", "failed", "cancelled"}
-        start_time = asyncio.get_event_loop().time()
-        max_time = start_time + timeout
-
-        logger.info(
-            f"Polling task {task_id} (timeout: {timeout}s, interval: {poll_interval}s)"
-        )
-
-        while True:
-            # Check if we've exceeded the timeout
-            current_time = asyncio.get_event_loop().time()
-            if current_time >= max_time:
-                raise Exception(
-                    f"Task {task_id} polling timed out after {timeout} seconds. "
-                    f"The task may still be running. Try increasing the timeout or check task status manually."
-                )
-
-            # Fetch current task state
-            response = await self.get(f"/tasks/{task_id}")
-            task_data = response.get("data", {})
-            task_attrs = task_data.get("attributes", {})
-            state = task_attrs.get("state")
-
-            logger.debug(f"Task {task_id} state: {state}")
-
-            # Check if we've reached a terminal state
-            if state in terminal_states:
-                if state == "completed":
-                    logger.info(f"Task {task_id} completed successfully")
-                    return response
-                elif state == "failed":
-                    error_msg = task_attrs.get("error", "Unknown error")
-                    raise Exception(f"Task {task_id} failed: {error_msg}")
-                elif state == "cancelled":
-                    raise Exception(f"Task {task_id} was cancelled")
-
-            # Wait before next poll
-            await asyncio.sleep(poll_interval)
-
    def _validate_date_format(self, date_str: str, param_name: str) -> datetime:
        """Validate date string format.

@@ -322,14 +253,6 @@ class ProwlerAPIClient(metaclass=SingletonMeta):
        elif to_date and not from_date:
            from_date = to_date - timedelta(days=max_days - 1)

-        # Validate that date_from is before or equal to date_to
-        if from_date > to_date:
-            raise ValueError(
-                f"Invalid date range: date_from must be before or equal to date_to. "
-                f"Got date_from='{from_date.date()}' and date_to='{to_date.date()}'. "
-                f"Please swap the dates or use the correct order."
-            )
-
        # Validate range doesn't exceed max_days
        delta: int = (to_date - from_date).days + 1
        if delta > max_days:
@@ -15,7 +15,7 @@ class ProwlerAppAuth:
    def __init__(
        self,
        mode: str = os.getenv("PROWLER_MCP_TRANSPORT_MODE", "stdio"),
-        base_url: str = os.getenv("API_BASE_URL", "https://api.prowler.com/api/v1"),
+        base_url: str = os.getenv("PROWLER_API_BASE_URL", "https://api.prowler.com"),
    ):
        self.base_url = base_url.rstrip("/")
        logger.info(f"Using Prowler App API base URL: {self.base_url}")
@@ -2,41 +2,7 @@

 All notable changes to the **Prowler SDK** are documented in this file.

-## [5.16.0] (Prowler UNRELEASED)
-
-### Added
-
- `privilege-escalation` and `ec2-imdsv1` categories for AWS checks [(#9536)](https://github.com/prowler-cloud/prowler/pull/9536)
- Supported IaC formats and scanner documentation for the IaC provider [(#9553)](https://github.com/prowler-cloud/prowler/pull/9553)
-
-### Changed
- Update AWS Glue service metadata to new format [(#9258)](https://github.com/prowler-cloud/prowler/pull/9258)
- Update AWS Kafka service metadata to new format [(#9261)](https://github.com/prowler-cloud/prowler/pull/9261)
- Update AWS KMS service metadata to new format [(#9263)](https://github.com/prowler-cloud/prowler/pull/9263)
- Update AWS MemoryDB service metadata to new format [(#9266)](https://github.com/prowler-cloud/prowler/pull/9266)
- Update AWS Inspector v2 service metadata to new format [(#9260)](https://github.com/prowler-cloud/prowler/pull/9260)
- Update AWS Service Catalog service metadata to new format [(#9410)](https://github.com/prowler-cloud/prowler/pull/9410)
- Update AWS SNS service metadata to new format [(#9428)](https://github.com/prowler-cloud/prowler/pull/9428)
- Update AWS Trusted Advisor service metadata to new format [(#9435)](https://github.com/prowler-cloud/prowler/pull/9435)
-
---
-
-## [5.15.2] (Prowler UNRELEASED)
-
-### Fixed
- Fix typo `trustboundaries` category to `trust-boundaries` [(#9536)](https://github.com/prowler-cloud/prowler/pull/9536)
- Store MongoDB Atlas provider regions as lowercase [(#9554)](https://github.com/prowler-cloud/prowler/pull/9554)
-
---
-
-## [5.15.1] (Prowler v5.15.1)
-
-### Fixed
- Fix false negative in AWS `apigateway_restapi_logging_enabled` check by refining stage logging evaluation to ensure logging level is not set to "OFF" [(#9304)](https://github.com/prowler-cloud/prowler/pull/9304)
-
---
-
-## [5.15.0] (Prowler v5.15.0)
+## [v5.15.0] (Prowler UNRELEASED)

 ### Added
 - `cloudstorage_uses_vpc_service_controls` check for GCP provider [(#9256)](https://github.com/prowler-cloud/prowler/pull/9256)
@@ -50,6 +16,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update SOC2 - AWS with Processing Integrity requirements [(#9462)](https://github.com/prowler-cloud/prowler/pull/9462)
 - RBI Cyber Security Framework compliance for Azure provider [(#8822)](https://github.com/prowler-cloud/prowler/pull/8822)

+
 ### Changed
 - Update AWS Macie service metadata to new format [(#9265)](https://github.com/prowler-cloud/prowler/pull/9265)
 - Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)
@@ -59,14 +26,17 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Macie service metadata to new format [(#9265)](https://github.com/prowler-cloud/prowler/pull/9265)
 - Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)

+---
+
+## [v5.14.3] (Prowler UNRELEASED)
+
 ### Fixed
 - Fix duplicate requirement IDs in ISO 27001:2013 AWS compliance framework by adding unique letter suffixes
 - Removed incorrect threat-detection category from checks metadata [(#9489)](https://github.com/prowler-cloud/prowler/pull/9489)
- GCP `cloudstorage_uses_vpc_service_controls` check to handle VPC Service Controls blocked API access [(#9478)](https://github.com/prowler-cloud/prowler/pull/9478)

 ---

-## [5.14.2] (Prowler v5.14.2)
+## [v5.14.2] (Prowler 5.14.2)

 ### Fixed
 - Custom check folder metadata validation [(#9335)](https://github.com/prowler-cloud/prowler/pull/9335)
@@ -74,7 +44,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.14.1] (Prowler v5.14.1)
+## [v5.14.1] (Prowler v5.14.1)

 ### Fixed
 - `sharepoint_external_sharing_managed` check to handle external sharing disabled at organization level [(#9298)](https://github.com/prowler-cloud/prowler/pull/9298)
@@ -82,7 +52,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.14.0] (Prowler v5.14.0)
+## [v5.14.0] (Prowler v5.14.0)

 ### Added
 - GitHub provider check `organization_default_repository_permission_strict` [(#8785)](https://github.com/prowler-cloud/prowler/pull/8785)
@@ -160,7 +130,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.13.1] (Prowler v5.13.1)
+## [v5.13.1] (Prowler v5.13.1)

 ### Fixed
 - Add `resource_name` for checks under `logging` for the GCP provider [(#9023)](https://github.com/prowler-cloud/prowler/pull/9023)
@@ -176,7 +146,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.13.0] (Prowler v5.13.0)
+## [v5.13.0] (Prowler v5.13.0)

 ### Added
 - Support for AdditionalURLs in outputs [(#8651)](https://github.com/prowler-cloud/prowler/pull/8651)
@@ -234,7 +204,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.12.1] (Prowler v5.12.1)
+## [v5.12.1] (Prowler v5.12.1)

 ### Fixed
 - Replaced old check id with new ones for compliance files [(#8682)](https://github.com/prowler-cloud/prowler/pull/8682)
@@ -243,7 +213,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.12.0] (Prowler v5.12.0)
+## [v5.12.0] (Prowler v5.12.0)

 ### Added
 - Add more fields for the Jira ticket and handle custom fields errors [(#8601)](https://github.com/prowler-cloud/prowler/pull/8601)
@@ -279,7 +249,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.11.0] (Prowler v5.11.0)
+## [v5.11.0] (Prowler v5.11.0)

 ### Added
 - Certificate authentication for M365 provider [(#8404)](https://github.com/prowler-cloud/prowler/pull/8404)
@@ -310,7 +280,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.10.2] (Prowler v5.10.2)
+## [v5.10.2] (Prowler v5.10.2)

 ### Fixed
 - Order requirements by ID in Prowler ThreatScore AWS compliance framework [(#8495)](https://github.com/prowler-cloud/prowler/pull/8495)
@@ -324,14 +294,14 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.10.1] (Prowler v5.10.1)
+## [v5.10.1] (Prowler v5.10.1)

 ### Fixed
 - Remove invalid requirements from CIS 1.0 for GitHub provider [(#8472)](https://github.com/prowler-cloud/prowler/pull/8472)

 ---

-## [5.10.0] (Prowler v5.10.0)
+## [v5.10.0] (Prowler v5.10.0)

 ### Added
 - `bedrock_api_key_no_administrative_privileges` check for AWS provider [(#8321)](https://github.com/prowler-cloud/prowler/pull/8321)
@@ -371,14 +341,14 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.9.2] (Prowler v5.9.2)
+## [v5.9.2] (Prowler v5.9.2)

 ### Fixed
 - Use the correct resource name in `defender_domain_dkim_enabled` check [(#8334)](https://github.com/prowler-cloud/prowler/pull/8334)

 ---

-## [5.9.0] (Prowler v5.9.0)
+## [v5.9.0] (Prowler v5.9.0)

 ### Added
 - `storage_smb_channel_encryption_with_secure_algorithm` check for Azure provider [(#8123)](https://github.com/prowler-cloud/prowler/pull/8123)
@@ -412,7 +382,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.8.1] (Prowler v5.8.1)
+## [v5.8.1] (Prowler 5.8.1)

 ### Fixed
 - Detect wildcarded ARNs in sts:AssumeRole policy resources [(#8164)](https://github.com/prowler-cloud/prowler/pull/8164)
@@ -422,7 +392,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.8.0] (Prowler v5.8.0)
+## [v5.8.0] (Prowler v5.8.0)

 ### Added

@@ -484,7 +454,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.7.5] (Prowler v5.7.5)
+## [v5.7.5] (Prowler v5.7.5)

 ### Fixed
 - Use unified timestamp for all requirements [(#8059)](https://github.com/prowler-cloud/prowler/pull/8059)
@@ -502,7 +472,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.7.3] (Prowler v5.7.3)
+## [v5.7.3] (Prowler v5.7.3)

 ### Fixed
 - Automatically encrypt password in Microsoft365 provider [(#7784)](https://github.com/prowler-cloud/prowler/pull/7784)
@@ -510,7 +480,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.7.2] (Prowler v5.7.2)
+## [v5.7.2] (Prowler v5.7.2)

 ### Fixed
 - `m365_powershell test_credentials` to use sanitized credentials [(#7761)](https://github.com/prowler-cloud/prowler/pull/7761)
@@ -522,7 +492,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.7.0] (Prowler v5.7.0)
+## [v5.7.0] (Prowler v5.7.0)

 ### Added
 - Update the compliance list supported for each provider from docs [(#7694)](https://github.com/prowler-cloud/prowler/pull/7694)
@@ -550,7 +520,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.6.0] (Prowler v5.6.0)
+## [v5.6.0] (Prowler v5.6.0)

 ### Added
 - SOC2 compliance framework to Azure [(#7489)](https://github.com/prowler-cloud/prowler/pull/7489)
@@ -619,7 +589,7 @@ All notable changes to the **Prowler SDK** are documented in this file.

 ---

-## [5.5.1] (Prowler v5.5.1)
+## [v5.5.1] (Prowler v5.5.1)

 ### Fixed
 - Default name to contacts in Azure Defender [(#7483)](https://github.com/prowler-cloud/prowler/pull/7483)
@@ -38,7 +38,7 @@ class _MutableTimestamp:

 timestamp = _MutableTimestamp(datetime.today())
 timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
-prowler_version = "5.16.0"
+prowler_version = "5.15.0"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
@@ -123,10 +123,7 @@ class APIGateway(AWSService):
                            waf = stage["webAclArn"]
                        if "methodSettings" in stage:
                            for settings in stage["methodSettings"].values():
-                                if (
-                                    settings.get("loggingLevel")
-                                    and settings.get("loggingLevel", "") != "OFF"
-                                ):
+                                if settings.get("loggingLevel"):
                                    logging = True
                                if settings.get("cachingEnabled"):
                                    cache_enabled = True
@@ -28,7 +28,7 @@
  },
  "Categories": [
    "gen-ai",
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -28,7 +28,7 @@
  },
  "Categories": [
    "gen-ai",
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -26,8 +26,7 @@
    }
  },
  "Categories": [
-    "internet-exposed",
-    "ec2-imdsv1"
+    "internet-exposed"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -25,9 +25,7 @@
      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options"
    }
  },
-  "Categories": [
-    "ec2-imdsv1"
-  ],
+  "Categories": [],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
@@ -26,7 +26,7 @@
    }
  },
  "Categories": [
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -1,34 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_data_catalogs_connection_passwords_encryption_enabled",
-  "CheckTitle": "Glue data catalog connection password is encrypted with a KMS key",
+  "CheckTitle": "Check if Glue data catalog settings have encrypt connection password enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "high",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
+  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue Data Catalog** settings for **connection password encryption** are evaluated to confirm an AWS KMS key is configured to encrypt passwords stored in connection properties.",
-  "Risk": "Unencrypted connection passwords can be read from the catalog or responses, letting attackers or over-privileged users obtain database credentials. This jeopardizes confidentiality of linked data stores, enables unauthorized modifications, and can facilitate lateral movement across environments.",
+  "Description": "Check if Glue data catalog settings have encrypt connection password enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/aws-glue-api-jobs-security.html",
-    "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html"
-  ],
  "Remediation": {
    "Code": {
-      "CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings '{\"ConnectionPasswordEncryption\":{\"ReturnConnectionPasswordEncrypted\":true,\"AwsKmsKeyId\":\"<kms_key_arn>\"}}'",
-      "NativeIaC": "```yaml\n# CloudFormation: enable Glue Data Catalog connection password encryption\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::DataCatalogEncryptionSettings\n    Properties:\n      DataCatalogEncryptionSettings:\n        ConnectionPasswordEncryption:\n          ReturnConnectionPasswordEncrypted: true  # Critical: encrypts connection passwords\n          KmsKeyId: <kms_key_arn>  # Critical: KMS key used for encryption\n```",
-      "Other": "1. In the AWS Console, go to AWS Glue\n2. Click Settings (left menu)\n3. Under Data catalog settings, check Encrypt connection passwords\n4. Select your KMS key (symmetric CMK)\n5. Click Save",
-      "Terraform": "```hcl\n# Enable Glue Data Catalog connection password encryption\nresource \"aws_glue_data_catalog_encryption_settings\" \"<example_resource_name>\" {\n  data_catalog_encryption_settings {\n    # Critical: enables password encryption with a KMS key\n    connection_password_encryption {\n      return_connection_password_encrypted = true\n      aws_kms_key_id                       = \"<kms_key_arn>\"\n    }\n\n    # Required block for this resource; keep minimal\n    encryption_at_rest {\n      catalog_encryption_mode = \"DISABLED\"\n    }\n  }\n}\n```"
+      "CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings ConnectionPasswordEncryption={ReturnConnectionPasswordEncrypted=True,AwsKmsKeyId=<ksm_key_arn>",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#cloudformation",
+      "Other": "",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#terraform"
    },
    "Recommendation": {
-      "Text": "Enable **connection password encryption** in the Data Catalog with a customer-managed KMS key.\n- Apply **least privilege** to the KMS key and Glue roles\n- Prefer keeping responses encrypted (`ReturnConnectionPasswordEncrypted`)\n- Rotate keys and monitor access for **defense in depth**",
-      "Url": "https://hub.prowler.com/check/glue_data_catalogs_connection_passwords_encryption_enabled"
+      "Text": "On the AWS Glue console, you can enable this option on the Data catalog settings page.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html"
    }
  },
  "Categories": [
@@ -1,35 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_data_catalogs_metadata_encryption_enabled",
-  "CheckTitle": "Glue Data Catalog metadata is encrypted with KMS",
+  "CheckTitle": "Check if Glue data catalog settings have metadata encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue Data Catalog** metadata is encrypted at rest when catalog settings use **SSE-KMS** with a KMS key.\n\nCatalogs that do not configure `SSE-KMS` for metadata are considered unencrypted.",
-  "Risk": "Unencrypted catalog metadata exposes schemas, partitions, and data locations, reducing **confidentiality**.\n\nAdversaries or over-privileged users can conduct **reconnaissance** and plan lateral movement; tampering with definitions can corrupt queries and results, impacting **integrity**.",
+  "Description": "Check if Glue data catalog settings have metadata encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html",
-    "https://docs.amazonaws.cn/en_us/athena/latest/ug/encryption.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/data-catalog-encryption-at-rest-with-cmk.html",
-    "https://support.icompaas.com/support/solutions/articles/62000233381-ensure-glue-data-catalogs-are-not-publicly-accessible-"
-  ],
  "Remediation": {
    "Code": {
-      "CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings '{\"EncryptionAtRest\":{\"CatalogEncryptionMode\":\"SSE-KMS\"}}'",
-      "NativeIaC": "```yaml\n# Enable Glue Data Catalog metadata encryption with KMS\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::DataCatalogEncryptionSettings\n    Properties:\n      DataCatalogEncryptionSettings:\n        EncryptionAtRest:\n          CatalogEncryptionMode: SSE-KMS  # Critical: enables KMS encryption for catalog metadata\n```",
-      "Other": "1. In the AWS Console, go to AWS Glue\n2. Open Data Catalog > Settings\n3. Under Security configuration and encryption, check Metadata encryption\n4. Leave the default AWS managed key selected (or choose a KMS key)\n5. Click Save",
-      "Terraform": "```hcl\n# Enable Glue Data Catalog metadata encryption with KMS\nresource \"aws_glue_data_catalog_encryption_settings\" \"<example_resource_name>\" {\n  data_catalog_encryption_settings {\n    encryption_at_rest {\n      catalog_encryption_mode = \"SSE-KMS\" # Critical: turns on KMS encryption for catalog metadata\n    }\n  }\n}\n```"
+      "CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=<ksm_key_arn>",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/data-catalog-encryption-at-rest.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#terraform"
    },
    "Recommendation": {
-      "Text": "Enable metadata encryption with **`SSE-KMS`**, preferably using a **customer-managed KMS key** for control and rotation.\n\nApply **least privilege** to KMS and catalog access, restrict who can change settings, and monitor key usage. Use **defense in depth** by encrypting related analytics assets consistently.",
-      "Url": "https://hub.prowler.com/check/glue_data_catalogs_metadata_encryption_enabled"
+      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html"
    }
  },
  "Categories": [
@@ -1,35 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_data_catalogs_not_publicly_accessible",
-  "CheckTitle": "Glue Data Catalog is not publicly accessible via its resource policy",
+  "CheckTitle": "Ensure Glue Data Catalogs are not publicly accessible.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
-    "TTPs/Initial Access",
-    "Effects/Data Exposure"
+    "Software and Configuration Checks/AWS Security Best Practices"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:aws:glue:region:account-id:catalog",
  "Severity": "high",
-  "ResourceType": "Other",
-  "Description": "**AWS Glue Data Catalog** resource policies are assessed for configurations that expose the catalog to anyone, such as `Principal: *`, broad resource scopes, or permissive conditions.\n\nThe finding highlights catalogs made public through overly permissive resource-based access.",
-  "Risk": "Public catalog access lets unauthorized actors enumerate schemas, S3 locations, and connection metadata, weakening **confidentiality**. If writes are exposed, attackers can alter databases/tables, corrupt lineage, and disrupt jobs and queries, harming **integrity** and **availability**, and enabling lateral movement to data stores.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies",
-    "https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html"
-  ],
+  "ResourceType": "AwsGlueDataCatalog",
+  "Description": "This control checks whether Glue Data Catalogs are not publicly accessible via resource policies.",
+  "Risk": "Publicly accessible Glue Data Catalogs can expose sensitive data schema and metadata, leading to potential security risks.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies",
  "Remediation": {
    "Code": {
      "CLI": "aws glue delete-resource-policy",
      "NativeIaC": "",
-      "Other": "1. Sign in to the AWS Console and open the Glue service\n2. In the left menu, click Settings\n3. Under Data catalog settings > Permissions, click Edit resource policy\n4. Remove any statement that has Principal set to * (public) or AWS: \"*\"; or delete the entire policy\n5. Click Save",
-      "Terraform": "```hcl\nresource \"aws_glue_resource_policy\" \"<example_resource_name>\" {\n  policy = jsonencode({\n    Version   = \"2012-10-17\",\n    Statement = [\n      {\n        Effect    = \"Allow\",\n        Principal = { AWS = \"arn:aws:iam::<ACCOUNT_ID>:root\" } # Critical: restricts to your account, removing any public (*) access\n        Action    = \"glue:*\",\n        Resource  = \"arn:aws:glue:<REGION>:<ACCOUNT_ID>:catalog\"\n      }\n    ]\n  })\n}\n```"
+      "Other": "",
+      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Enforce **least privilege** on catalog resource policies:\n- Avoid `Principal: *` and wildcards\n- Grant only required actions to explicit principals\n- Prefer identity-based access or Lake Formation for sharing\n- Limit scope with precise ARNs/conditions and monitor changes for **defense in depth**",
-      "Url": "https://hub.prowler.com/check/glue_data_catalogs_not_publicly_accessible"
+      "Text": "Review Glue Data Catalog policies and ensure they are not publicly accessible. Implement the Principle of Least Privilege.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies"
    }
  },
  "Categories": [
@@ -1,34 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_database_connections_ssl_enabled",
-  "CheckTitle": "Glue connection has SSL enabled",
+  "CheckTitle": "Check if Glue database connection has SSL connection enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "high",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
+  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue connections** require **TLS/SSL** for JDBC when the `JDBC_ENFORCE_SSL` property is set to `true`.\n\nThis evaluates connection definitions to confirm SSL is enforced for traffic to external data stores.",
-  "Risk": "Absent TLS enforcement, JDBC traffic-including credentials, queries, and results-can be **intercepted or modified** in transit.\n\nThis enables:\n- Confidentiality loss via sniffing/MITM\n- Integrity tampering of queries/results\n- Credential theft leading to broader database access",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html",
-    "https://support.icompaas.com/support/solutions/articles/62000233690-ensure-glue-connections-have-ssl-enabled"
-  ],
+  "Description": "Check if Glue database connection has SSL connection enabled.",
+  "Risk": "Data exfiltration could happen if information is not protected in transit.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html",
  "Remediation": {
    "Code": {
-      "CLI": "aws glue update-connection --name <example_resource_name> --connection-input '{\"Name\":\"<example_resource_name>\",\"ConnectionType\":\"JDBC\",\"ConnectionProperties\":{\"JDBC_CONNECTION_URL\":\"<example_jdbc_url>\",\"JDBC_ENFORCE_SSL\":\"true\"}}'",
-      "NativeIaC": "```yaml\n# CloudFormation: Enable SSL on a Glue JDBC connection\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::Connection\n    Properties:\n      ConnectionInput:\n        ConnectionType: JDBC\n        ConnectionProperties:\n          JDBC_CONNECTION_URL: \"<example_jdbc_url>\"\n          JDBC_ENFORCE_SSL: \"true\"  # Critical: forces SSL for the JDBC connection\n```",
-      "Other": "1. Open the AWS Console and go to AWS Glue > Data Catalog > Connections\n2. Select the connection and click Edit\n3. In Connection properties (Advanced properties), add key JDBC_ENFORCE_SSL with value true (or check Require SSL)\n4. Click Save",
-      "Terraform": "```hcl\n# Terraform: Enable SSL on a Glue JDBC connection\nresource \"aws_glue_connection\" \"<example_resource_name>\" {\n  name            = \"<example_resource_name>\"\n  connection_type = \"JDBC\"\n\n  connection_properties = {\n    JDBC_CONNECTION_URL = \"<example_jdbc_url>\"\n    JDBC_ENFORCE_SSL    = \"true\"  # Critical: forces SSL for the JDBC connection\n  }\n}\n```"
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Enforce **TLS** on all Glue connections (set `JDBC_ENFORCE_SSL=true`) and require encryption on target databases.\n\nApply **defense in depth**: validate certificates, restrict network exposure, prefer private connectivity, and use **least-privilege** credentials with rotation.",
-      "Url": "https://hub.prowler.com/check/glue_database_connections_ssl_enabled"
+      "Text": "Configure encryption settings for crawlers, ETL jobs and development endpoints using security configurations in AWS Glue.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html"
    }
  },
  "Categories": [
@@ -1,34 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_development_endpoints_cloudwatch_logs_encryption_enabled",
-  "CheckTitle": "Glue development endpoint has CloudWatch Logs encryption enabled",
+  "CheckTitle": "Check if Glue development endpoints have CloudWatch logs encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue development endpoints** are assessed for an associated **security configuration** that enables **CloudWatch Logs encryption**. It confirms the endpoint references a configuration and that log encryption is not `DISABLED`.",
-  "Risk": "Unencrypted Glue logs erode **confidentiality**: credentials, connection strings, and data samples may be readable to unintended principals, enabling **lateral movement**.\nLack of KMS-backed encryption weakens **auditability** and **separation of duties**.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html"
-  ],
+  "Description": "Check if Glue development endpoints have CloudWatch logs encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: Glue Security Configuration with CloudWatch Logs encryption enabled\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        CloudWatchEncryption:\n          CloudWatchEncryptionMode: SSE-KMS  # Critical: enables CloudWatch Logs encryption\n          KmsKeyArn: <kms_key_arn>           # Critical: KMS key used for encrypting Glue logs\n```",
-      "Other": "1. In the AWS Console, go to Glue > Security configurations > Add security configuration\n2. Enter a name and enable CloudWatch Logs encryption\n3. Select a KMS key (or enter its ARN) and click Create\n4. Go to Glue > Dev endpoints\n5. Create a new Dev endpoint (or delete and recreate the existing one) and select the new Security configuration\n6. Create the endpoint to apply the encryption",
-      "Terraform": "```hcl\n# Glue Security Configuration with CloudWatch Logs encryption enabled\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  encryption_configuration {\n    cloudwatch_encryption {\n      cloudwatch_encryption_mode = \"SSE-KMS\"  # Critical: enables CloudWatch Logs encryption\n      kms_key_arn                = \"<kms_key_arn>\"  # Critical: KMS key used for encrypting Glue logs\n    }\n\n    # Required blocks for valid config (kept minimal)\n    job_bookmarks_encryption { job_bookmarks_encryption_mode = \"DISABLED\" }\n    s3_encryption             { s3_encryption_mode             = \"DISABLED\" }\n  }\n}\n```"
+      "CLI": "aws glue create-security-configuration --name cw-encrypted-sec-config --encryption-configuration {'CloudWatchEncryption': [{'CloudWatchEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Attach a **security configuration** to all development endpoints with **CloudWatch Logs encryption** enabled using a tightly scoped **KMS key**.\nApply **least privilege** to key and log access, rotate keys, and standardize configs via IaC to enforce **defense in depth**.",
-      "Url": "https://hub.prowler.com/check/glue_development_endpoints_cloudwatch_logs_encryption_enabled"
+      "Text": "Enable Encryption in the Security configurations.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
    }
  },
  "Categories": [
@@ -1,33 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_development_endpoints_job_bookmark_encryption_enabled",
-  "CheckTitle": "Glue development endpoint has Job Bookmark encryption enabled",
+  "CheckTitle": "Check if Glue development endpoints have Job bookmark encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue development endpoints** are assessed for an attached **security configuration** where **job bookmark encryption** is enabled. Endpoints lacking a security configuration are also identified.",
-  "Risk": "Unencrypted job bookmarks stored in S3 can be read or altered, exposing dataset paths, partitions, and processing state. This enables data discovery, state tampering, and replay/skip of workloads, impacting **confidentiality**, **integrity**, and **availability** of ETL pipelines.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html"
-  ],
+  "Description": "Check if Glue development endpoints have Job bookmark encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: Enable Job Bookmark encryption and attach to the Dev Endpoint\nResources:\n  GlueSecurityConfiguration:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        JobBookmarksEncryption:\n          JobBookmarksEncryptionMode: CSE-KMS  # Critical: enables Job Bookmark encryption\n          KmsKeyArn: <example_kms_key_arn>     # Critical: KMS key used for Job Bookmark encryption\n\n  GlueDevEndpoint:\n    Type: AWS::Glue::DevEndpoint\n    Properties:\n      RoleArn: <example_role_arn>\n      SecurityConfiguration: !Ref GlueSecurityConfiguration  # Critical: attach the security configuration to the Dev Endpoint\n```",
-      "Other": "1. In the AWS Console, go to Glue > Security configurations > Add security configuration\n2. Enter a name, then under Advanced settings enable Job bookmark encryption and select a KMS key (or enter its ARN); Save\n3. Go to Glue > Dev endpoints\n4. Create a new Dev endpoint (or recreate the existing one) and set Security configuration to the configuration created in step 2\n5. Create the endpoint to apply the setting",
-      "Terraform": "```hcl\n# Terraform: Enable Job Bookmark encryption and attach to the Dev Endpoint\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  encryption_configuration {\n    job_bookmarks_encryption {\n      job_bookmarks_encryption_mode = \"CSE-KMS\"   # Critical: enables Job Bookmark encryption\n      kms_key_arn                   = \"<example_kms_key_arn>\"  # Critical: KMS key used for Job Bookmark encryption\n    }\n  }\n}\n\nresource \"aws_glue_dev_endpoint\" \"<example_resource_name>\" {\n  name                   = \"<example_resource_name>\"\n  role_arn               = \"<example_role_arn>\"\n  security_configuration = aws_glue_security_configuration.<example_resource_name>.name  # Critical: attach the security configuration\n}\n```"
+      "CLI": "aws glue create-security-configuration --name jb-encrypted-sec-config --encryption-configuration {'JobBookmarksEncryption': [{'JobBookmarksEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Attach a **security configuration** to each development endpoint and enable **job bookmark encryption** with a managed KMS key. Apply **least privilege** to S3 and KMS, rotate keys, and align logs and data stores with consistent encryption for **defense in depth**. Regularly audit endpoints for missing or outdated configurations.",
-      "Url": "https://hub.prowler.com/check/glue_development_endpoints_job_bookmark_encryption_enabled"
+      "Text": "Enable Encryption in the Security configurations.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
    }
  },
  "Categories": [
@@ -1,34 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_development_endpoints_s3_encryption_enabled",
-  "CheckTitle": "Glue development endpoint has S3 encryption enabled",
+  "CheckTitle": "Check if Glue development endpoints have S3 encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue development endpoints** are evaluated for an attached **security configuration** with **S3 encryption**. Endpoints lacking a security configuration, or with `s3_encryption` set to `DISABLED`, are flagged by this check.",
-  "Risk": "Unencrypted S3 writes from dev endpoints leave ETL outputs, temp data, and scripts readable at rest. A misconfigured bucket or stolen creds can expose sensitive content, harming **confidentiality** and triggering compliance issues.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
-    "https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html"
-  ],
+  "Description": "Check if Glue development endpoints have S3 encryption enabled.",
+  "Risk": "Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: Glue Dev Endpoint with S3 encryption via Security Configuration\nResources:\n  SecurityConfig:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        S3Encryptions:\n          - S3EncryptionMode: SSE-S3  # CRITICAL: enables S3 encryption for the security configuration\n\n  DevEndpoint:\n    Type: AWS::Glue::DevEndpoint\n    Properties:\n      EndpointName: <example_resource_name>\n      RoleArn: <example_role_arn>\n      SecurityConfiguration: !Ref SecurityConfig  # CRITICAL: attaches the encrypted security configuration to the dev endpoint\n```",
-      "Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Create security configuration\n2. Under S3 encryption, select Server-side encryption (SSE-S3) and save\n3. Go to AWS Glue > Development endpoints > Create development endpoint\n4. Fill required fields and set Security configuration to the one created in step 2\n5. Create the endpoint and delete the old endpoint (without encryption) if it exists",
-      "Terraform": "```hcl\n# Terraform: Glue Dev Endpoint with S3 encryption\nresource \"aws_glue_security_configuration\" \"secure\" {\n  name = \"<example_resource_name>\"\n  encryption_configuration {\n    s3_encryption {\n      s3_encryption_mode = \"SSE-S3\"  # CRITICAL: enables S3 encryption\n    }\n  }\n}\n\nresource \"aws_glue_dev_endpoint\" \"dev\" {\n  name     = \"<example_resource_name>\"\n  role_arn = \"<example_role_arn>\"\n\n  security_configuration = aws_glue_security_configuration.secure.name  # CRITICAL: attaches encrypted security configuration\n}\n```"
+      "CLI": "aws glue create-security-configuration --name s3-encrypted-sec-config --encryption-configuration {'S3Encryption': [{'S3EncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Attach a **Glue security configuration** to each dev endpoint with **S3 encryption** enabled; prefer `SSE-KMS` with customer-managed keys. Enforce **least privilege** on IAM and KMS key policies, and extend encryption to logs and bookmarks for **defense in depth**.",
-      "Url": "https://hub.prowler.com/check/glue_development_endpoints_s3_encryption_enabled"
+      "Text": "Specify AWS KMS keys to use for input and output from S3 and EBS.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html"
    }
  },
  "Categories": [
@@ -1,35 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_etl_jobs_amazon_s3_encryption_enabled",
-  "CheckTitle": "Glue job has S3 encryption enabled",
+  "CheckTitle": "Check if Glue ETL Jobs have S3 encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
-    "Effects/Data Exposure"
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Other",
-  "Description": "**AWS Glue ETL jobs** are validated to use **Amazon S3 at-rest encryption** (`SSE-S3` or `SSE-KMS`) when writing outputs, either through an attached security configuration or via job arguments. Jobs missing a security configuration or with S3 encryption disabled are identified.",
-  "Risk": "Storing job outputs in S3 without **at-rest encryption** weakens **confidentiality**. Plaintext objects can be exposed via misconfigured bucket policies, compromised credentials, or media reuse, and lack **KMS key controls**, rotation, and audit trails-hindering incident response and compliance.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html"
-  ],
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsGlueJob",
+  "Description": "Check if Glue ETL Jobs have S3 encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: Attach a Security Configuration with S3 encryption to a Glue job\nResources:\n  GlueSecurityConfiguration:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        S3Encryptions:\n          - S3EncryptionMode: SSE-S3  # CRITICAL: Enables S3 encryption for Glue outputs\n\n  GlueJob:\n    Type: AWS::Glue::Job\n    Properties:\n      Name: <example_resource_name>\n      Role: <example_role_arn>\n      Command:\n        Name: glueetl\n        ScriptLocation: s3://<example_resource_name>/script.py\n      SecurityConfiguration: !Ref GlueSecurityConfiguration  # CRITICAL: Applies encrypted security configuration to the job\n```",
-      "Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Create security configuration\n2. Enable S3 encryption and choose SSE-S3 (or SSE-KMS with your key)\n3. Save the configuration\n4. Go to AWS Glue > Jobs > select your job > Edit\n5. Under Job details, set Security configuration to the encrypted configuration you created\n6. Save the job",
-      "Terraform": "```hcl\n# Terraform: Attach a Security Configuration with S3 encryption to a Glue job\nresource \"aws_glue_security_configuration\" \"sec\" {\n  name = \"<example_resource_name>\"\n\n  s3_encryption {\n    s3_encryption_mode = \"SSE-S3\"  # CRITICAL: Enables S3 encryption for Glue outputs\n  }\n}\n\nresource \"aws_glue_job\" \"job\" {\n  name     = \"<example_resource_name>\"\n  role_arn = \"<example_role_arn>\"\n\n  command {\n    script_location = \"s3://<example_resource_name>/script.py\"\n  }\n\n  security_configuration = aws_glue_security_configuration.sec.name  # CRITICAL: Applies encrypted security configuration to the job\n}\n```"
+      "CLI": "aws glue create-security-configuration --name s3-encrypted-sec-config --encryption-configuration {'S3Encryption': [{'S3EncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Require **S3 encryption** for all Glue jobs via security configurations, preferring **SSE-KMS**. Apply **least privilege** to KMS keys, restrict key usage and rotate regularly. Enforce defense-in-depth with bucket policies that require encrypted writes, and monitor with key and S3 access logs.",
-      "Url": "https://hub.prowler.com/check/glue_etl_jobs_amazon_s3_encryption_enabled"
+      "Text": "Provide the encryption properties that are used by crawlers, jobs and development endpoints.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
    }
  },
  "Categories": [
@@ -1,35 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_etl_jobs_cloudwatch_logs_encryption_enabled",
-  "CheckTitle": "Glue ETL job has CloudWatch Logs encryption enabled",
+  "CheckTitle": "Check if Glue ETL Jobs have CloudWatch Logs encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
  "ResourceType": "AwsGlueJob",
-  "Description": "**AWS Glue ETL jobs** are evaluated for a **security configuration** with **CloudWatch Logs encryption** (`SSE-KMS`) enabled. Jobs without a security configuration, or with CloudWatch Logs encryption set to `DISABLED`, are highlighted.",
-  "Risk": "Unencrypted Glue logs weaken **confidentiality**.\n\nLog entries can expose credentials, PII, connection strings, and schema details. Anyone with log storage access can harvest secrets for **lateral movement** and data exfiltration, widening the blast radius of compromises.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html"
-  ],
+  "Description": "Check if Glue ETL Jobs have CloudWatch Logs encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: enable CloudWatch Logs encryption and attach to the job\nResources:\n  ExampleSecurityConfiguration:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        CloudWatchEncryption:  # Critical: enable CloudWatch Logs encryption for Glue\n          CloudWatchEncryptionMode: SSE-KMS  # Critical: must not be DISABLED\n          KmsKeyArn: <example_kms_key_arn>   # Critical: KMS key used for encryption\n\n  ExampleJob:\n    Type: AWS::Glue::Job\n    Properties:\n      Role: <example_role_arn>\n      Command:\n        Name: glueetl\n        ScriptLocation: s3://<example_script_path>\n      SecurityConfiguration: !Ref ExampleSecurityConfiguration  # Critical: attach security configuration to the job\n```",
-      "Other": "1. In the AWS Glue console, go to Security configurations > Add security configuration\n2. Enter a name, enable CloudWatch Logs encryption, select SSE-KMS, and choose/provide the KMS key ARN; Save\n3. Go to Jobs, select the target job, click Edit\n4. Set Security configuration to the one created in step 2\n5. Save changes",
-      "Terraform": "```hcl\n# Enable CloudWatch Logs encryption and attach to the Glue job\nresource \"aws_glue_security_configuration\" \"example_resource_name\" {\n  name = \"<example_resource_name>\"\n\n  encryption_configuration {\n    cloudwatch_encryption {\n      cloudwatch_encryption_mode = \"SSE-KMS\"          # Critical: enable CW Logs encryption\n      kms_key_arn                = \"<example_kms_key_arn>\" # Critical: KMS key for encryption\n    }\n  }\n}\n\nresource \"aws_glue_job\" \"example_resource_name\" {\n  name     = \"<example_resource_name>\"\n  role_arn = \"<example_role_arn>\"\n\n  command {\n    name            = \"glueetl\"\n    script_location = \"s3://<example_script_path>\"\n  }\n\n  security_configuration = aws_glue_security_configuration.example_resource_name.name # Critical: attach security config to job\n}\n```"
+      "CLI": "aws glue create-security-configuration --name cw-encrypted-sec-config --encryption-configuration {'CloudWatchEncryption': [{'CloudWatchEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Enable **at-rest encryption** for Glue logs via a **security configuration** using customer-managed KMS keys. Apply **least privilege** to KMS and CloudWatch Logs, rotate keys, and require all jobs to attach an approved configuration. Embed this baseline in IaC for consistent, **defense-in-depth** coverage.",
-      "Url": "https://hub.prowler.com/check/glue_etl_jobs_cloudwatch_logs_encryption_enabled"
+      "Text": "Enable Encryption in the Security configurations.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
    }
  },
  "Categories": [
@@ -1,33 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_etl_jobs_job_bookmark_encryption_enabled",
-  "CheckTitle": "Glue ETL job has Job bookmark encryption enabled",
+  "CheckTitle": "Check if Glue ETL Jobs have Job bookmark encryption enabled.",
  "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
  "Severity": "medium",
-  "ResourceType": "Other",
-  "Description": "**AWS Glue ETL jobs** should link a **security configuration** with **job bookmark encryption** enabled. Bookmark encryption must not be `DISABLED` (e.g., use `CSE-KMS`). Jobs lacking a security configuration are treated as not protecting bookmark metadata.",
-  "Risk": "Unencrypted **job bookmarks** in S3 expose execution state and data pointers, reducing **confidentiality**. Altered bookmarks can trigger reruns, skips, or reprocessing, harming **integrity**. Missing security configs may also leave logs and temporary objects unencrypted.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html"
-  ],
+  "ResourceType": "AwsGlueJob",
+  "Description": "Check if Glue ETL Jobs have Job bookmark encryption enabled.",
+  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
  "Remediation": {
    "Code": {
-      "CLI": "",
-      "NativeIaC": "```yaml\n# CloudFormation: Enable Glue Job bookmark encryption via Security Configuration\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::SecurityConfiguration\n    Properties:\n      Name: <example_resource_name>\n      EncryptionConfiguration:\n        JobBookmarksEncryption:\n          JobBookmarksEncryptionMode: CSE-KMS  # CRITICAL: Enables job bookmark encryption\n          KmsKeyArn: <example_kms_key_arn>     # CRITICAL: KMS key used to encrypt job bookmarks\n```",
-      "Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Add security configuration\n2. Enter a name and under Advanced settings enable Job bookmark encryption\n3. Select a KMS key (or paste the key ARN) and click Create\n4. Go to AWS Glue > Jobs, select the job, click Edit\n5. Under Advanced properties, set Security configuration to the one created above\n6. Click Save",
-      "Terraform": "```hcl\n# Terraform: Enable Glue Job bookmark encryption via Security Configuration\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  encryption_configuration {\n    job_bookmarks_encryption {\n      job_bookmarks_encryption_mode = \"CSE-KMS\"      # CRITICAL: Enables job bookmark encryption\n      kms_key_arn                    = \"<example_kms_key_arn>\"  # CRITICAL: KMS key for bookmarks\n    }\n  }\n}\n```"
+      "CLI": "aws glue create-security-configuration --name jb-encrypted-sec-config --encryption-configuration {'JobBookmarksEncryption': [{'JobBookmarksEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
    },
    "Recommendation": {
-      "Text": "Attach a **Glue security configuration** to every job and enable **job bookmark encryption** (e.g., `CSE-KMS`). Use **customer-managed KMS keys**, enforce **least privilege** on key usage, and rotate keys. For **defense in depth**, also encrypt **S3 temp data** and **CloudWatch logs** in the same configuration.",
-      "Url": "https://hub.prowler.com/check/glue_etl_jobs_job_bookmark_encryption_enabled"
+      "Text": "Enable Encryption in the Security configurations.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
    }
  },
  "Categories": [
@@ -1,34 +1,28 @@
 {
  "Provider": "aws",
  "CheckID": "glue_etl_jobs_logging_enabled",
-  "CheckTitle": "Glue ETL job has continuous CloudWatch logging enabled",
+  "CheckTitle": "[DEPRECATED] Check if Glue ETL Jobs have logging enabled.",
  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
  ],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:partition:glue:region:account-id:job/job-name",
  "Severity": "medium",
-  "ResourceType": "Other",
-  "Description": "**AWS Glue jobs** are assessed for **continuous CloudWatch logging**, confirming that runtime events and outputs are sent to **CloudWatch Logs** via the `--enable-continuous-cloudwatch-log` configuration.",
-  "Risk": "Missing job logs hide execution details and access patterns, enabling undetected credential abuse, data exfiltration in scripts, or tampering with transforms. This reduces confidentiality and integrity, hinders incident response, and can mask failures that impact availability.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging.html",
-    "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging-enable.html",
-    "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-2"
-  ],
+  "ResourceType": "AwsGlueJob",
+  "Description": "[DEPRECATED] Ensure that Glue ETL Jobs have CloudWatch logs enabled.",
+  "Risk": "Without logging enabled, AWS Glue jobs lack visibility into job activities and failures, making it difficult to detect unauthorized access, troubleshoot issues, and ensure compliance. This may result in untracked security incidents or operational issues that affect data processing.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging.html",
  "Remediation": {
    "Code": {
-      "CLI": "aws glue update-job --job-name <example_resource_name> --job-update '{\"DefaultArguments\":{\"--enable-continuous-cloudwatch-log\":\"true\"}}'",
-      "NativeIaC": "```yaml\nResources:\n  GlueJob:\n    Type: AWS::Glue::Job\n    Properties:\n      Role: \"<example_resource_id>\"\n      Command:\n        Name: glueetl\n        ScriptLocation: \"s3://<example_resource_name>/script.py\"\n      DefaultArguments:\n        \"--enable-continuous-cloudwatch-log\": \"true\"  # Critical: enables continuous CloudWatch logging to pass the check\n```",
-      "Other": "1. Open the AWS Glue console and go to Jobs\n2. Select the job and click Edit\n3. Expand Advanced properties\n4. Under Continuous logging, check Enable logs in CloudWatch\n5. Save",
-      "Terraform": "```hcl\nresource \"aws_glue_job\" \"<example_resource_name>\" {\n  name     = \"<example_resource_name>\"\n  role_arn = \"<example_resource_id>\"\n\n  command {\n    script_location = \"s3://<example_resource_name>/script.py\"\n  }\n\n  default_arguments = {\n    \"--enable-continuous-cloudwatch-log\" = \"true\" # Critical: enables continuous CloudWatch logging to pass the check\n  }\n}\n```"
+      "CLI": "aws glue update-job --job-name <job-name> --job-update \"Command={DefaultArguments={--enable-continuous-cloudwatch-log=true}}\"",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-2",
+      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Enable **continuous logging** to **CloudWatch Logs** for all Glue jobs. Centralize logs with retention and KMS encryption, restrict read access, and alert on anomalies and failures. Apply **least privilege** to job roles and use **defense in depth** by correlating logs across services.",
-      "Url": "https://hub.prowler.com/check/glue_etl_jobs_logging_enabled"
+      "Text": "Enable logging for AWS Glue jobs to capture and monitor job events. Logging allows for better visibility into job performance, error detection, and security oversight.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging-enable.html"
    }
  },
  "Categories": [
@@ -1,34 +1,26 @@
 {
  "Provider": "aws",
  "CheckID": "glue_ml_transform_encrypted_at_rest",
-  "CheckTitle": "Glue ML Transform is encrypted at rest",
-  "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
-  ],
+  "CheckTitle": "Check if Glue ML Transform Encryption at Rest is Enabled",
+  "CheckType": [],
  "ServiceName": "glue",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
+  "ResourceIdTemplate": "arn:aws:glue:region:account-id:mlTransform/transform-id",
  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**AWS Glue ML transforms** are evaluated for **encryption at rest** of transform user data using **KMS keys**. The finding highlights transforms where encryption is not configured.",
-  "Risk": "Without encryption, **confidentiality** is weakened: transform artifacts, mappings, and sample datasets may be readable via storage access, backups, or cross-account exposure. This can lead to data disclosure and aid **lateral movement** by revealing schemas and data relationships.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html",
-    "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-3"
-  ],
+  "Description": "This control checks whether an AWS Glue machine learning transform is encrypted at rest. The control fails if the machine learning transform isn't encrypted at rest.",
+  "Risk": "Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.",
+  "RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html",
  "Remediation": {
    "Code": {
-      "CLI": "aws glue update-ml-transform --transform-id <transform-id> --transform-encryption '{\"MlUserDataEncryption\":{\"MlUserDataEncryptionMode\":\"SSE-KMS\",\"KmsKeyId\":\"<kms-key-arn>\"}}'",
-      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::Glue::MLTransform\n    Properties:\n      Role: <example_resource_id>\n      InputRecordTables:\n        - DatabaseName: <example_resource_name>\n          TableName: <example_resource_name>\n      TransformParameters:\n        TransformType: FIND_MATCHES\n        FindMatchesParameters:\n          PrimaryKeyColumnName: <example_resource_name>\n      TransformEncryption:\n        MlUserDataEncryption:\n          MlUserDataEncryptionMode: SSE-KMS  # Critical: enables ML user data encryption at rest\n          KmsKeyId: <kms-key-arn>            # Critical: KMS key used for encryption\n```",
-      "Other": "1. In the AWS Management Console, open AWS Glue\n2. Go to Machine learning > Transforms and select the target transform\n3. Click Edit\n4. Under Encryption, enable ML user data encryption\n5. Choose an AWS KMS key\n6. Save changes",
-      "Terraform": "```hcl\nresource \"aws_glue_ml_transform\" \"<example_resource_name>\" {\n  name     = \"<example_resource_name>\"\n  role_arn = \"<example_resource_id>\"\n\n  input_record_tables {\n    database_name = \"<example_resource_name>\"\n    table_name    = \"<example_resource_name>\"\n  }\n\n  parameters {\n    transform_type = \"FIND_MATCHES\"\n    find_matches_parameters {\n      primary_key_column_name = \"<example_resource_name>\"\n    }\n  }\n\n  transform_encryption {\n    ml_user_data_encryption {\n      ml_user_data_encryption_mode = \"SSE-KMS\"   # Critical: enables encryption at rest\n      kms_key_id                   = \"<kms-key-arn>\" # Critical: KMS key used for encryption\n    }\n  }\n}\n```"
+      "CLI": "aws glue update-ml-transform --transform-id <transform-id> --encryption-at-rest {\"Enabled\":true,\"KmsKey\":\"<kms-key-arn>\"}",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-3",
+      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Enable **KMS-backed encryption at rest** for all ML transforms and prefer **customer-managed keys**.\n- Apply **least privilege** key policies and rotate keys\n- Enforce **defense in depth** with network and IAM controls\n- Monitor key usage and transform access with audit logs",
-      "Url": "https://hub.prowler.com/check/glue_ml_transform_encrypted_at_rest"
+      "Text": "Enable encryption at rest for Glue ML Transforms using AWS KMS keys.",
+      "Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html"
    }
  },
  "Categories": [
@@ -26,9 +26,7 @@
      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
    }
  },
-  "Categories": [
-    "privilege-escalation"
-  ],
+  "Categories": [],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
@@ -27,9 +27,7 @@
      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
    }
  },
-  "Categories": [
-    "privilege-escalation"
-  ],
+  "Categories": [],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": "CAF Security Epic: IAM"
@@ -26,7 +26,7 @@
    }
  },
  "Categories": [
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -24,7 +24,7 @@
    }
  },
  "Categories": [
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -24,7 +24,7 @@
    }
  },
  "Categories": [
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -24,7 +24,7 @@
    }
  },
  "Categories": [
-    "trust-boundaries"
+    "trustboundaries"
  ],
  "DependsOn": [],
  "RelatedTo": [],
@@ -1,39 +1,29 @@
 {
  "Provider": "aws",
  "CheckID": "inspector2_active_findings_exist",
-  "CheckTitle": "Inspector2 is enabled with no active findings",
+  "CheckTitle": "Check if Inspector2 active findings exist",
  "CheckAliases": [
    "inspector2_findings_exist"
  ],
-  "CheckType": [
-    "Software and Configuration Checks/Vulnerabilities/CVE",
-    "Software and Configuration Checks/Patch Management",
-    "Software and Configuration Checks/AWS Security Best Practices",
-    "Industry and Regulatory Standards/AWS Foundational Security Best Practices"
-  ],
+  "CheckType": [],
  "ServiceName": "inspector2",
  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "high",
+  "ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id",
+  "Severity": "medium",
  "ResourceType": "Other",
-  "Description": "**Amazon Inspector2** active findings are assessed across eligible resources when the service is `ENABLED`.\n\nIndicates whether any findings remain in the **Active** state versus none.",
-  "Risk": "**Unremediated Inspector2 findings** mean known vulnerabilities or exposures persist on workloads.\n\nThis enables:\n- Unauthorized access and data exfiltration (C)\n- Code tampering and privilege escalation (I)\n- Service disruption via exploitation or malware (A)",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
-    "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
-    "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
-  ],
+  "Description": "This check determines if there are any active findings in your AWS account that have been detected by AWS Inspector2. Inspector2 is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.",
+  "Risk": "Without using AWS Inspector, you may not be aware of all the security vulnerabilities in your AWS resources, which could lead to unauthorized access, data breaches, or other security incidents.",
+  "RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
  "Remediation": {
    "Code": {
-      "CLI": "aws inspector2 create-filter --name <example_resource_name> --action SUPPRESS --filter-criteria '{\"findingStatus\":[{\"comparison\":\"EQUALS\",\"value\":\"ACTIVE\"}]}'",
-      "NativeIaC": "```yaml\n# CloudFormation: Suppress all ACTIVE Inspector findings\nResources:\n  <example_resource_name>:\n    Type: AWS::InspectorV2::Filter\n    Properties:\n      Name: <example_resource_name>\n      Action: SUPPRESS  # critical: converts matching findings to Suppressed, not Active\n      FilterCriteria:\n        FindingStatus:\n          - Comparison: EQUALS\n            Value: ACTIVE  # critical: targets all active findings\n```",
-      "Other": "1. In the AWS Console, go to Amazon Inspector\n2. Open Suppression rules (or Filters) and click Create suppression rule\n3. Set condition: Finding status = Active\n4. Set action to Suppress and click Create\n5. Verify the Active findings count is 0 on the dashboard",
-      "Terraform": "```hcl\n# Terraform: Suppress all ACTIVE Inspector findings\nresource \"aws_inspector2_filter\" \"<example_resource_name>\" {\n  name   = \"<example_resource_name>\"\n  action = \"SUPPRESS\"  # critical: converts matching findings to Suppressed, not Active\n\n  filter_criteria {\n    finding_status {\n      comparison = \"EQUALS\"\n      value      = \"ACTIVE\"  # critical: targets all active findings\n    }\n  }\n}\n```"
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
+      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Prioritize and remediate **Active findings** quickly: patch hosts and runtimes, update/rebuild images, fix vulnerable code, and close unintended exposure.\n\nApply **least privilege**, use **defense in depth**, and avoid broad suppressions. Integrate findings into CI/CD and vulnerability management for continuous prevention.",
-      "Url": "https://hub.prowler.com/check/inspector2_active_findings_exist"
+      "Text": "Review the active findings from Inspector2",
+      "Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
    }
  },
  "Categories": [],
--- a/Show More
+++ b/Show More