docs(changelog): move #11222 entry to 5.28.0

code_zip is typed Any in LambdaCode and the check only calls
extractall(dir), so a MagicMock side_effect that writes the fixture files
into the check's temp dir avoids constructing a real archive.

.github/workflows/api-bump-version.yml

@@ -1,291 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/api-security.yml

@@ -59,6 +59,7 @@ jobs:
             github.com:443
             api.github.com:443
             objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
             release-assets.githubusercontent.com:443
             api.osv.dev:443
             api.deps.dev:443

.github/workflows/bump-version.yml

@@ -0,0 +1,376 @@
+name: 'Release: Bump Versions'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: release-bump-versions-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-master:
+    name: Bump versions on master (minor release)
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout master
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: master
+          persist-credentials: false
+
+      - name: Compute next versions for master
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          # SDK / UI / docs mirror the Prowler version directly.
+          NEXT_SDK_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+
+          # API is an independent stream: 1.<prowler_minor + 1>.X
+          # After Prowler 5.M.0 release, master moves on to next API minor: 1.(M+2).0
+          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
+
+          # Read current versions to drive sed replacements.
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
+
+          echo "NEXT_SDK_VERSION=${NEXT_SDK_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Released Prowler version: $PROWLER_VERSION"
+          echo "Next SDK/UI version (master): $NEXT_SDK_VERSION"
+          echo "Next API version (master):   $NEXT_API_VERSION  (current: $CURRENT_API_VERSION)"
+          echo "Docs target version:         $PROWLER_VERSION   (current: $CURRENT_DOCS_VERSION)"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Decide whether to bump docs on master
+        id: docs_decision
+        run: |
+          # Skip docs bump if master is already at or ahead of the release version
+          # (re-run, or patch shipped against an older minor line).
+          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
+          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            echo "Skipping docs bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Bump SDK version (pyproject.toml, config.py)
+        run: |
+          set -e
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_SDK_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_SDK_VERSION}\"|" prowler/config/config.py
+
+      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
+        run: |
+          set -e
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+      - name: Bump UI version (.env)
+        run: |
+          set -e
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_SDK_VERSION}|" .env
+
+      - name: Bump docs versions (prowler-app.mdx)
+        if: steps.docs_decision.outputs.skip == 'false'
+        run: |
+          set -e
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+
+      - name: Show consolidated diff
+        run: git --no-pager diff
+
+      - name: Create PR for next versions to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
+          branch: release-version-bump-to-v${{ env.NEXT_SDK_VERSION }}
+          title: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler versions on master after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            | Area | File(s) | New version |
+            | --- | --- | --- |
+            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_SDK_VERSION }} |
+            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_VERSION }} |
+            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_SDK_VERSION }} |
+            | Docs | `docs/getting-started/installation/prowler-app.mdx` (`PROWLER_UI_VERSION`, `PROWLER_API_VERSION`) | v${{ env.PROWLER_VERSION }} (skipped if already at or ahead) |
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-minor-version-branch:
+    name: Bump versions on version branch (minor release)
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Compute first patch versions for version branch
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # SDK / UI first patch mirrors Prowler version directly.
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+
+          # API on this branch stays on the 1.<MINOR+1>.X stream, starting at .1
+          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
+
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Released Prowler version:     $PROWLER_VERSION"
+          echo "Version branch:               $VERSION_BRANCH"
+          echo "First SDK/UI patch:           $FIRST_PATCH_VERSION"
+          echo "First API patch:              $FIRST_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump SDK version (pyproject.toml, config.py)
+        run: |
+          set -e
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+
+      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
+        run: |
+          set -e
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+      - name: Bump UI version (.env)
+        run: |
+          set -e
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+
+      - name: Show consolidated diff
+        run: git --no-pager diff
+
+      - name: Create PR for first patch versions to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: release-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            | Area | File(s) | New version |
+            | --- | --- | --- |
+            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.FIRST_PATCH_VERSION }} |
+            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.FIRST_API_PATCH_VERSION }} |
+            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.FIRST_PATCH_VERSION }} |
+            | Docs | (not touched on version branches) | — |
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version-branch:
+    name: Bump versions on version branch (patch release)
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Compute next patch versions
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # SDK / UI patch mirrors Prowler version directly.
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+
+          # API on this branch stays on 1.<MINOR+1>.X; bump its patch component.
+          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            API_PATCH=${BASH_REMATCH[3]}
+            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
+          else
+            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
+            exit 1
+          fi
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Released Prowler version:     $PROWLER_VERSION"
+          echo "Version branch:               $VERSION_BRANCH"
+          echo "Next SDK/UI patch:            $NEXT_PATCH_VERSION"
+          echo "Next API patch:               $NEXT_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump SDK version (pyproject.toml, config.py)
+        run: |
+          set -e
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+
+      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
+        run: |
+          set -e
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+      - name: Bump UI version (.env)
+        run: |
+          set -e
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+
+      - name: Show consolidated diff
+        run: git --no-pager diff
+
+      - name: Create PR for next patch versions to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: release-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            | Area | File(s) | New version |
+            | --- | --- | --- |
+            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_PATCH_VERSION }} |
+            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_PATCH_VERSION }} |
+            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_PATCH_VERSION }} |
+            | Docs | (not touched on version branches) | — |
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/docs-bump-version.yml

@@ -1,97 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
-
-permissions: {}
-
-jobs:
-  bump-version:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Validate release version
-        run: |
-          if [[ ! $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-          if (( ${BASH_REMATCH[1]} != 5 )); then
-            echo "::error::Releasing another Prowler major version, aborting..."
-            exit 1
-          fi
-
-      - name: Checkout master branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ env.BASE_BRANCH }}
-          persist-credentials: false
-
-      - name: Read current docs version on master
-        id: docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "Current docs version on master: $CURRENT_DOCS_VERSION"
-          echo "Target release version: $PROWLER_VERSION"
-
-          # Skip if master is already at or ahead of the release version
-          # (re-run, or patch shipped against an older minor line)
-          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
-          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            echo "Skipping bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
-          else
-            echo "skip=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-      - name: Bump versions in documentation
-        if: steps.docs_version.outputs.skip == 'false'
-        run: |
-          set -e
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        if: steps.docs_version.outputs.skip == 'false'
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.BASE_BRANCH }}
-          commit-message: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-bump-to-v${{ env.PROWLER_VERSION }}
-          title: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/mcp-container-checks.yml

@@ -79,6 +79,7 @@ jobs:
             registry-1.docker.io:443
             auth.docker.io:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             ghcr.io:443
             pkg-containers.githubusercontent.com:443
             files.pythonhosted.org:443

.github/workflows/mcp-pypi-release.yml

@@ -88,7 +88,8 @@ jobs:
 
       # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release
       # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in
-      # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release.
+      # sync with mcp_server/CHANGELOG.md (separate from the release bump-version.yml), but this
+      # publish workflow still runs on every release.
       # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any
       # workflow_dispatch re-runs) without failing with HTTP 400 (version exists).
       - name: Check if prowler-mcp version already exists on PyPI

.github/workflows/prepare-release.yml

@@ -53,7 +53,7 @@ jobs:
 
     - name: Parse version and determine branch
       run: |
-        # Validate version format (reusing pattern from sdk-bump-version.yml)
+        # Validate version format (reusing pattern from bump-version.yml)
         if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
           MAJOR_VERSION=${BASH_REMATCH[1]}
           MINOR_VERSION=${BASH_REMATCH[2]}
@@ -299,17 +299,6 @@ jobs:
         fi
         echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"
 
-    - name: Verify API version in api/src/backend/api/v1/views.py
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
-          exit 1
-        fi
-        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
-
     - name: Verify API version in api/src/backend/api/specs/v1.yaml
       if: ${{ env.HAS_API_CHANGES == 'true' }}
       run: |

.github/workflows/sdk-bump-version.yml

@@ -1,247 +0,0 @@
-name: 'SDK: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: sdk-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/ui-bump-version.yml

@@ -1,253 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/ui-container-checks.yml

@@ -80,6 +80,7 @@ jobs:
             registry-1.docker.io:443
             auth.docker.io:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             registry.npmjs.org:443
             dl-cdn.alpinelinux.org:443
             fonts.googleapis.com:443

.github/zizmor.yml

@@ -1,22 +1,19 @@
 rules:
   secrets-outside-env:
     ignore:
-      - api-bump-version.yml
       - api-container-build-push.yml
       - api-tests.yml
       - backport.yml
-      - docs-bump-version.yml
+      - bump-version.yml
       - issue-triage.lock.yml
       - mcp-container-build-push.yml
       - nightly-arm64-container-builds.yml
       - pr-merged.yml
       - prepare-release.yml
-      - sdk-bump-version.yml
       - sdk-container-build-push.yml
       - sdk-refresh-aws-services-regions.yml
       - sdk-refresh-oci-regions.yml
       - sdk-tests.yml
-      - ui-bump-version.yml
       - ui-container-build-push.yml
       - ui-e2e-tests-v2.yml
   superfluous-actions:

README.md

@@ -104,23 +104,24 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 595 | 84 | 43 | 17 | Official | UI, API, CLI |
+| AWS | 600 | 84 | 44 | 18 | Official | UI, API, CLI |
 | Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
 | GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
 | GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
-| M365 | 101 | 10 | 4 | 10 | Official | UI, API, CLI |
+| M365 | 102 | 10 | 4 | 10 | Official | UI, API, CLI |
 | OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 61 | 9 | 4 | 9 | Official | UI, API, CLI |
+| Alibaba Cloud | 63 | 9 | 4 | 9 | Official | UI, API, CLI |
 | Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 25 | 4 | 2 | 4 | Official | UI, API, CLI |
+| Google Workspace | 39 | 5 | 2 | 5 | Official | UI, API, CLI |
 | OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 5 | Official | UI, API, CLI |
+| Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
+| Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]

api/CHANGELOG.md

@@ -2,29 +2,24 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.28.0] (Prowler UNRELEASED)
+## [1.28.0] (Prowler v5.27.0)
 
 ### 🚀 Added
 
 - GIN index on `findings(categories, resource_services, resource_regions, resource_types)` to speed up `/api/v1/finding-groups` array filters [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
+- `GET /health/live` and `GET /health/ready` Kubernetes-style probe endpoints following the IETF Health Check Response Format (`application/health+json`). Readiness verifies PostgreSQL, Valkey and Neo4j connectivity and returns 503 with per-dependency detail when any is unreachable [(#11200)](https://github.com/prowler-cloud/prowler/pull/11200)
 
 ### 🔄 Changed
 
-- Replace `poetry` with `uv` (`0.11.14`) as the API package manager; migrate `pyproject.toml` to `[dependency-groups]` and regenerate as `uv.lock` [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
+- Replace `poetry` with `uv` as package manager [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
 - Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
 - PDF compliance reports cap detail tables at 100 failed findings per check (configurable via `DJANGO_PDF_MAX_FINDINGS_PER_CHECK`) to bound worker memory on large scans [(#11160)](https://github.com/prowler-cloud/prowler/pull/11160)
 
 ### 🐞 Fixed
 
-- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` and, in one-shot scan-worker deployments, from burning a fresh container per redelivery [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
+- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
+- Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)
 
----
-
-## [1.27.2] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
-- Attack Paths: BEDROCK-001 and BEDROCK-002 now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)
 
 ---
 

api/src/backend/api/health.py

@@ -0,0 +1,254 @@
+"""Liveness and readiness endpoints following the IETF Health Check Response
+Format (draft-inadarei-api-health-check-06).
+
+Liveness reports only process status. Readiness verifies that PostgreSQL,
+Valkey and Neo4j are reachable and returns per-dependency detail when any
+of them is unreachable.
+"""
+
+from __future__ import annotations
+
+import logging
+import threading
+import time
+from contextlib import suppress
+from datetime import datetime, timezone
+from typing import Any
+
+import redis
+from config.version import API_VERSION, RELEASE_ID
+from django.conf import settings
+from django.db import connections
+from drf_spectacular.utils import extend_schema
+from rest_framework import status
+from rest_framework.renderers import JSONRenderer
+from rest_framework.response import Response
+from rest_framework.throttling import ScopedRateThrottle
+from rest_framework.views import APIView
+
+logger = logging.getLogger(__name__)
+
+SERVICE_ID = "prowler-api"
+SERVICE_DESCRIPTION = "Prowler API"
+
+# Status vocabulary from the IETF draft (section 3.1).
+STATUS_PASS = "pass"
+STATUS_FAIL = "fail"
+STATUS_WARN = "warn"
+
+# Short socket timeout so a stuck Valkey cannot stall the probe.
+# Neo4j inherits its driver-level ``connection_acquisition_timeout``.
+VALKEY_PROBE_TIMEOUT_SECONDS = 2
+
+# Brief cache window so high-frequency probes (ALB target groups, scrapers)
+# do not stampede the actual dependency checks.
+CACHE_CONTROL_HEADER = "max-age=3, must-revalidate"
+
+# In-process readiness cache. Caps real dependency hits to roughly
+# (gunicorn workers / TTL) per second regardless of incoming RPS or the
+# source-IP distribution. Kept in sync with the Cache-Control max-age.
+# Access is guarded by a lock so concurrent readers do not race on the
+# read-decide-write cycle of the double-checked locking pattern below.
+READINESS_CACHE_TTL_SECONDS = 3.0
+_readiness_cache: tuple[float, dict[str, Any], int] | None = None
+_readiness_cache_lock = threading.Lock()
+
+
+class HealthJSONRenderer(JSONRenderer):
+    """Emits responses with the ``application/health+json`` content type."""
+
+    media_type = "application/health+json"
+    format = "health"
+
+
+def _now_iso() -> str:
+    return (
+        datetime.now(timezone.utc)
+        .isoformat(timespec="milliseconds")
+        .replace("+00:00", "Z")
+    )
+
+
+def _measure(name: str, check_fn) -> tuple[dict[str, Any], float]:
+    """Time ``check_fn`` and return ``(result, elapsed_ms)``.
+
+    ``check_fn`` returns ``None`` on success or raises on failure. The full
+    exception is logged for operator diagnostics under ``name``; the
+    response payload intentionally omits the error detail to avoid leaking
+    infrastructure information (DNS names, ports, credentials, certificate
+    chains) to anonymous clients.
+    """
+    started = time.perf_counter()
+    try:
+        check_fn()
+    except Exception:
+        elapsed_ms = (time.perf_counter() - started) * 1000
+        logger.warning("Health probe '%s' failed", name, exc_info=True)
+        return ({"status": STATUS_FAIL}, elapsed_ms)
+    elapsed_ms = (time.perf_counter() - started) * 1000
+    return ({"status": STATUS_PASS}, elapsed_ms)
+
+
+def _probe_postgres() -> None:
+    with connections["default"].cursor() as cursor:
+        cursor.execute("SELECT 1")
+        cursor.fetchone()
+
+
+def _probe_valkey() -> None:
+    client = redis.Redis.from_url(
+        settings.CELERY_BROKER_URL,
+        socket_connect_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
+        socket_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
+    )
+    try:
+        if not client.ping():
+            raise RuntimeError("PING did not return PONG")
+    finally:
+        # Best-effort cleanup: a failure releasing the socket (e.g. broken
+        # connection, half-closed by the server) must not mask the probe
+        # result. Narrowed to the exception types redis-py and the stdlib
+        # socket layer can raise on close.
+        with suppress(redis.RedisError, OSError):
+            client.close()
+
+
+def _probe_neo4j() -> None:
+    # Lazy import: avoids pulling attack_paths into the boot import graph.
+    from api.attack_paths.database import get_driver
+
+    get_driver().verify_connectivity()
+
+
+def _build_check_entry(
+    component_id: str,
+    component_type: str,
+    result: dict[str, Any],
+    elapsed_ms: float,
+) -> dict[str, Any]:
+    entry: dict[str, Any] = {
+        "componentId": component_id,
+        "componentType": component_type,
+        "observedValue": round(elapsed_ms, 2),
+        "observedUnit": "ms",
+        "status": result["status"],
+        "time": _now_iso(),
+    }
+    if "output" in result:
+        entry["output"] = result["output"]
+    return entry
+
+
+def _aggregate_status(check_entries: list[dict[str, Any]]) -> str:
+    statuses = {entry["status"] for entry in check_entries}
+    if STATUS_FAIL in statuses:
+        return STATUS_FAIL
+    if STATUS_WARN in statuses:
+        return STATUS_WARN
+    return STATUS_PASS
+
+
+def _base_payload(overall_status: str) -> dict[str, Any]:
+    return {
+        "status": overall_status,
+        "version": API_VERSION,
+        "releaseId": RELEASE_ID,
+        "serviceId": SERVICE_ID,
+        "description": SERVICE_DESCRIPTION,
+    }
+
+
+def _readiness_payload() -> tuple[dict[str, Any], int]:
+    global _readiness_cache
+
+    # Lock-free fast path: a stale snapshot still satisfies the freshness
+    # check correctly because we re-check after acquiring the lock below.
+    snapshot = _readiness_cache
+    if (
+        snapshot is not None
+        and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
+    ):
+        return snapshot[1], snapshot[2]
+
+    with _readiness_cache_lock:
+        # Double-checked locking: another thread may have refreshed while
+        # we were waiting on the lock.
+        snapshot = _readiness_cache
+        if (
+            snapshot is not None
+            and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
+        ):
+            return snapshot[1], snapshot[2]
+
+        postgres_result, postgres_ms = _measure("postgres", _probe_postgres)
+        valkey_result, valkey_ms = _measure("valkey", _probe_valkey)
+        neo4j_result, neo4j_ms = _measure("neo4j", _probe_neo4j)
+
+        entries = [
+            _build_check_entry("postgres", "datastore", postgres_result, postgres_ms),
+            _build_check_entry("valkey", "datastore", valkey_result, valkey_ms),
+            _build_check_entry("neo4j", "datastore", neo4j_result, neo4j_ms),
+        ]
+        overall = _aggregate_status(entries)
+
+        payload = _base_payload(overall)
+        payload["checks"] = {
+            "postgres:responseTime": [entries[0]],
+            "valkey:responseTime": [entries[1]],
+            "neo4j:responseTime": [entries[2]],
+        }
+
+        http_status = (
+            status.HTTP_503_SERVICE_UNAVAILABLE
+            if overall == STATUS_FAIL
+            else status.HTTP_200_OK
+        )
+        _readiness_cache = (time.monotonic(), payload, http_status)
+        return payload, http_status
+
+
+def _health_response(payload: dict[str, Any], http_status: int) -> Response:
+    response = Response(payload, status=http_status)
+    response["Cache-Control"] = CACHE_CONTROL_HEADER
+    return response
+
+
+@extend_schema(exclude=True)
+class LivenessView(APIView):
+    """Liveness probe. Always 200 when the process can serve requests.
+
+    Dependencies are intentionally not consulted: a failing liveness probe
+    triggers a container restart, which must not happen for transient
+    dependency outages. Throttled per-IP so the endpoint cannot be used as
+    a cheap availability oracle for the process.
+    """
+
+    authentication_classes: list = []
+    permission_classes: list = []
+    renderer_classes = [HealthJSONRenderer]
+    throttle_classes = [ScopedRateThrottle]
+    throttle_scope = "health-live"
+
+    def get(self, _request, *_args, **_kwargs):
+        return _health_response(_base_payload(STATUS_PASS), status.HTTP_200_OK)
+
+
+@extend_schema(exclude=True)
+class ReadinessView(APIView):
+    """Readiness probe.
+
+    Returns 200 when PostgreSQL, Valkey and Neo4j all respond, or 503 with
+    per-dependency detail when any of them is unreachable. Per-IP throttle
+    plus the short in-process result cache cap the real dependency hits
+    regardless of inbound traffic shape.
+    """
+
+    authentication_classes: list = []
+    permission_classes: list = []
+    renderer_classes = [HealthJSONRenderer]
+    throttle_classes = [ScopedRateThrottle]
+    throttle_scope = "health-ready"
+
+    def get(self, _request, *_args, **_kwargs):
+        payload, http_status = _readiness_payload()
+        return _health_response(payload, http_status)

api/src/backend/api/tests/test_health.py

@@ -0,0 +1,445 @@
+"""Tests for the health endpoints.
+
+Cover the IETF response envelope, status code mapping (200 / 503), the
+``application/health+json`` media type and per-probe failure modes.
+"""
+
+from unittest.mock import patch
+
+import pytest
+from config import version as config_version
+from django.core.cache import cache
+from django.urls import reverse
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from api import health
+
+
+HEALTH_MEDIA_TYPE = "application/health+json"
+
+
+@pytest.fixture(autouse=True)
+def _reset_health_state():
+    """Per-test isolation: clear throttle counters and the readiness cache.
+
+    DRF's ScopedRateThrottle persists state in Django's cache; without
+    clearing it the throttle budget would be shared across tests and trip
+    midway through the suite.
+    """
+    cache.clear()
+    health._readiness_cache = None
+    yield
+    cache.clear()
+    health._readiness_cache = None
+
+
+@pytest.fixture
+def api_client():
+    return APIClient()
+
+
+def _assert_health_envelope(body):
+    """Every health response must carry the RFC top-level descriptors."""
+    assert body["version"] == config_version.API_VERSION
+    assert body["releaseId"] == config_version.RELEASE_ID
+    assert body["serviceId"] == health.SERVICE_ID
+    assert body["description"] == health.SERVICE_DESCRIPTION
+
+
+class TestLivenessEndpoint:
+    def test_returns_200_with_pass_status(self, api_client):
+        response = api_client.get(reverse("health-live"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
+        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
+        body = response.json()
+        assert body["status"] == "pass"
+        _assert_health_envelope(body)
+
+    def test_does_not_require_authentication(self, api_client):
+        api_client.credentials()
+
+        response = api_client.get(reverse("health-live"))
+
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_does_not_run_dependency_checks(self, api_client):
+        with (
+            patch("api.health._probe_postgres") as mock_pg,
+            patch("api.health._probe_valkey") as mock_vk,
+            patch("api.health._probe_neo4j") as mock_neo,
+        ):
+            response = api_client.get(reverse("health-live"))
+
+        assert response.status_code == status.HTTP_200_OK
+        mock_pg.assert_not_called()
+        mock_vk.assert_not_called()
+        mock_neo.assert_not_called()
+
+
+class TestReadinessEndpoint:
+    @staticmethod
+    def _patch_probes():
+        return (
+            patch("api.health._probe_postgres", return_value=None),
+            patch("api.health._probe_valkey", return_value=None),
+            patch("api.health._probe_neo4j", return_value=None),
+        )
+
+    def test_returns_200_and_pass_when_all_dependencies_healthy(self, api_client):
+        with (
+            patch("api.health._probe_postgres"),
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
+        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
+
+        body = response.json()
+        _assert_health_envelope(body)
+        assert body["status"] == "pass"
+
+        # Per RFC, `checks` values are arrays of one or more measurement
+        # objects. We use a single measurement per dependency.
+        assert set(body["checks"].keys()) == {
+            "postgres:responseTime",
+            "valkey:responseTime",
+            "neo4j:responseTime",
+        }
+        for key in body["checks"]:
+            entries = body["checks"][key]
+            assert isinstance(entries, list) and len(entries) == 1
+            entry = entries[0]
+            assert entry["status"] == "pass"
+            assert entry["componentType"] == "datastore"
+            assert entry["observedUnit"] == "ms"
+            assert isinstance(entry["observedValue"], (int, float))
+            assert entry["observedValue"] >= 0
+            assert "time" in entry
+            # `output` must not leak when the check passed.
+            assert "output" not in entry
+
+    def test_returns_503_and_fail_when_postgres_is_down(self, api_client):
+        with (
+            patch(
+                "api.health._probe_postgres",
+                side_effect=RuntimeError("connection refused"),
+            ),
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        body = response.json()
+        assert body["status"] == "fail"
+        pg_entry = body["checks"]["postgres:responseTime"][0]
+        assert pg_entry["status"] == "fail"
+        # Exception detail is never echoed in the response, only logged.
+        assert "output" not in pg_entry
+        assert body["checks"]["valkey:responseTime"][0]["status"] == "pass"
+        assert body["checks"]["neo4j:responseTime"][0]["status"] == "pass"
+
+    def test_returns_503_and_fail_when_valkey_is_down(self, api_client):
+        with (
+            patch("api.health._probe_postgres"),
+            patch("api.health._probe_valkey", side_effect=ConnectionError("timeout")),
+            patch("api.health._probe_neo4j"),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        body = response.json()
+        assert body["status"] == "fail"
+        vk_entry = body["checks"]["valkey:responseTime"][0]
+        assert vk_entry["status"] == "fail"
+        assert "output" not in vk_entry
+
+    def test_returns_503_and_fail_when_neo4j_is_down(self, api_client):
+        with (
+            patch("api.health._probe_postgres"),
+            patch("api.health._probe_valkey"),
+            patch(
+                "api.health._probe_neo4j",
+                side_effect=RuntimeError("ServiceUnavailable"),
+            ),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        body = response.json()
+        assert body["status"] == "fail"
+        neo_entry = body["checks"]["neo4j:responseTime"][0]
+        assert neo_entry["status"] == "fail"
+        assert "output" not in neo_entry
+
+    def test_reports_all_failures_simultaneously(self, api_client):
+        with (
+            patch("api.health._probe_postgres", side_effect=RuntimeError("pg down")),
+            patch("api.health._probe_valkey", side_effect=RuntimeError("vk down")),
+            patch("api.health._probe_neo4j", side_effect=RuntimeError("neo down")),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        body = response.json()
+        assert body["status"] == "fail"
+        for key in (
+            "postgres:responseTime",
+            "valkey:responseTime",
+            "neo4j:responseTime",
+        ):
+            entry = body["checks"][key][0]
+            assert entry["status"] == "fail"
+            # No dependency-specific error string leaks into the payload.
+            assert "output" not in entry
+
+    def test_does_not_leak_exception_detail_on_failure(self, api_client):
+        # Sanity check: an exception message resembling infra detail
+        # (host, port, credentials) must not surface in the response under
+        # any field.
+        sensitive = (
+            "connection to server at "
+            '"postgres-rw.prod.svc.cluster.local" (10.0.0.5), port 5432 '
+            'failed: FATAL: password authentication failed for user "prowler_user"'
+        )
+        with (
+            patch("api.health._probe_postgres", side_effect=RuntimeError(sensitive)),
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            response = api_client.get(reverse("health-ready"))
+
+        body = response.json()
+        assert "output" not in body["checks"]["postgres:responseTime"][0]
+        payload_text = response.content.decode()
+        for token in (
+            "postgres-rw",
+            "10.0.0.5",
+            "5432",
+            "prowler_user",
+            "password authentication failed",
+        ):
+            assert token not in payload_text
+
+    def test_does_not_require_authentication(self, api_client):
+        with (
+            patch("api.health._probe_postgres"),
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            api_client.credentials()
+            response = api_client.get(reverse("health-ready"))
+
+        assert response.status_code == status.HTTP_200_OK
+
+
+class TestReadinessCache:
+    """In-process cache caps the rate at which real probes hit the deps."""
+
+    def test_result_is_cached_for_ttl_seconds(self, api_client):
+        with (
+            patch("api.health._probe_postgres") as pg,
+            patch("api.health._probe_valkey") as vk,
+            patch("api.health._probe_neo4j") as neo,
+        ):
+            r1 = api_client.get(reverse("health-ready"))
+            r2 = api_client.get(reverse("health-ready"))
+
+        assert r1.status_code == status.HTTP_200_OK
+        assert r2.status_code == status.HTTP_200_OK
+        # Second request must not trigger fresh dep checks within the TTL.
+        assert pg.call_count == 1
+        assert vk.call_count == 1
+        assert neo.call_count == 1
+        # The cached payload is returned verbatim (same timestamps too).
+        assert r1.json() == r2.json()
+
+    def test_re_probes_after_cache_ttl_expires(self, api_client):
+        with (
+            patch("api.health._probe_postgres") as pg,
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            api_client.get(reverse("health-ready"))
+            assert pg.call_count == 1
+
+            # Rewind the cached timestamp past the TTL so the next request
+            # is forced to recompute.
+            cached_ts, payload, http_status_code = health._readiness_cache
+            health._readiness_cache = (
+                cached_ts - health.READINESS_CACHE_TTL_SECONDS - 0.1,
+                payload,
+                http_status_code,
+            )
+            api_client.get(reverse("health-ready"))
+
+        assert pg.call_count == 2
+
+    def test_cache_persists_a_failing_result(self, api_client):
+        # A failing readiness result is cached too; this is intentional so
+        # an attacker spamming the endpoint during an outage cannot amplify
+        # the dependency load.
+        with (
+            patch("api.health._probe_postgres", side_effect=RuntimeError("down")) as pg,
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+        ):
+            r1 = api_client.get(reverse("health-ready"))
+            r2 = api_client.get(reverse("health-ready"))
+
+        assert r1.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        assert r2.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
+        assert pg.call_count == 1
+
+
+class TestRateLimiting:
+    """The endpoints are unauthenticated and exposed; per-IP throttle caps
+    naive single-source floods."""
+
+    def test_live_blocks_after_budget_exhausted(self, api_client):
+        # Shrink the budget to 3 req per window so the test stays fast and
+        # deterministic. parse_rate runs once per throttle instance and
+        # each request gets a fresh instance, so this patch propagates.
+        from rest_framework.throttling import ScopedRateThrottle
+
+        with patch.object(ScopedRateThrottle, "parse_rate", return_value=(3, 60)):
+            statuses = [
+                api_client.get(reverse("health-live")).status_code for _ in range(4)
+            ]
+
+        assert statuses[:3] == [status.HTTP_200_OK] * 3
+        assert statuses[3] == status.HTTP_429_TOO_MANY_REQUESTS
+
+    def test_ready_blocks_after_budget_exhausted(self, api_client):
+        from rest_framework.throttling import ScopedRateThrottle
+
+        with (
+            patch("api.health._probe_postgres"),
+            patch("api.health._probe_valkey"),
+            patch("api.health._probe_neo4j"),
+            patch.object(ScopedRateThrottle, "parse_rate", return_value=(2, 60)),
+        ):
+            statuses = [
+                api_client.get(reverse("health-ready")).status_code for _ in range(3)
+            ]
+
+        assert statuses[:2] == [status.HTTP_200_OK] * 2
+        assert statuses[2] == status.HTTP_429_TOO_MANY_REQUESTS
+
+
+class TestProbeImplementations:
+    """Smoke tests for each probe primitive."""
+
+    @pytest.mark.django_db
+    def test_postgres_probe_succeeds_against_real_db(self):
+        assert health._probe_postgres() is None
+
+    def test_postgres_probe_propagates_db_errors(self):
+        class _BoomCursor:
+            def __enter__(self):
+                return self
+
+            def __exit__(self, *_):
+                return False
+
+            def execute(self, *_args, **_kwargs):
+                raise RuntimeError("boom")
+
+            def fetchone(self):  # pragma: no cover - never reached
+                return None
+
+        with patch("api.health.connections") as mock_connections:
+            mock_connections.__getitem__.return_value.cursor.return_value = (
+                _BoomCursor()
+            )
+            with pytest.raises(RuntimeError, match="boom"):
+                health._probe_postgres()
+
+    def test_valkey_probe_succeeds_when_ping_returns_true(self):
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            mock_from_url.return_value.ping.return_value = True
+            assert health._probe_valkey() is None
+
+    def test_valkey_probe_raises_when_ping_returns_false(self):
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            mock_from_url.return_value.ping.return_value = False
+            with pytest.raises(RuntimeError, match="PING"):
+                health._probe_valkey()
+
+    def test_valkey_probe_propagates_connection_errors(self):
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            mock_from_url.return_value.ping.side_effect = ConnectionError("nope")
+            with pytest.raises(ConnectionError, match="nope"):
+                health._probe_valkey()
+
+    def test_valkey_probe_suppresses_redis_error_on_close(self):
+        # A redis-py-level failure releasing the socket must not mask a
+        # successful PING (best-effort cleanup contract).
+        import redis as redis_pkg
+
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            client = mock_from_url.return_value
+            client.ping.return_value = True
+            client.close.side_effect = redis_pkg.RedisError("connection reset")
+
+            assert health._probe_valkey() is None
+
+        client.close.assert_called_once_with()
+
+    def test_valkey_probe_suppresses_oserror_on_close(self):
+        # Socket-layer failures (OSError family) on close are also part of
+        # the swallowed scope.
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            client = mock_from_url.return_value
+            client.ping.return_value = True
+            client.close.side_effect = OSError("EBADF")
+
+            assert health._probe_valkey() is None
+
+        client.close.assert_called_once_with()
+
+    def test_valkey_probe_lets_unexpected_close_errors_propagate(self):
+        # The suppress() is deliberately narrow: anything outside
+        # (redis.RedisError, OSError) must surface so it is not silently
+        # hidden.
+        with patch("api.health.redis.Redis.from_url") as mock_from_url:
+            client = mock_from_url.return_value
+            client.ping.return_value = True
+            client.close.side_effect = RuntimeError("bug")
+
+            with pytest.raises(RuntimeError, match="bug"):
+                health._probe_valkey()
+
+    def test_neo4j_probe_calls_verify_connectivity(self):
+        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
+            mock_get_driver.return_value.verify_connectivity.return_value = None
+            assert health._probe_neo4j() is None
+            mock_get_driver.return_value.verify_connectivity.assert_called_once_with()
+
+    def test_neo4j_probe_propagates_driver_errors(self):
+        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
+            mock_get_driver.return_value.verify_connectivity.side_effect = RuntimeError(
+                "unreachable"
+            )
+            with pytest.raises(RuntimeError, match="unreachable"):
+                health._probe_neo4j()
+
+
+class TestStatusAggregation:
+    def test_pass_when_all_checks_pass(self):
+        entries = [{"status": "pass"}, {"status": "pass"}]
+        assert health._aggregate_status(entries) == "pass"
+
+    def test_warn_when_any_check_warns_and_none_fail(self):
+        entries = [{"status": "pass"}, {"status": "warn"}]
+        assert health._aggregate_status(entries) == "warn"
+
+    def test_fail_when_any_check_fails(self):
+        entries = [{"status": "pass"}, {"status": "warn"}, {"status": "fail"}]
+        assert health._aggregate_status(entries) == "fail"

api/src/backend/api/tests/test_version.py

@@ -0,0 +1,40 @@
+"""Drift checks for the API version constants.
+
+Guarantee that ``config.version`` always reflects the canonical
+``[project].version`` declared in ``api/pyproject.toml``.
+"""
+
+import tomllib
+from pathlib import Path
+
+import pytest
+from config import version as config_version
+
+
+@pytest.fixture(scope="module")
+def pyproject_data():
+    here = Path(__file__).resolve()
+    for directory in here.parents:
+        candidate = directory / "pyproject.toml"
+        if not candidate.is_file():
+            continue
+        with candidate.open("rb") as f:
+            data = tomllib.load(f)
+        if data.get("project", {}).get("name") == "prowler-api":
+            return data
+    raise AssertionError("api/pyproject.toml not reachable from the test runner")
+
+
+def test_release_id_matches_pyproject(pyproject_data):
+    assert config_version.RELEASE_ID == pyproject_data["project"]["version"]
+
+
+def test_api_version_is_major_of_release_id():
+    assert config_version.API_VERSION == config_version.RELEASE_ID.split(".", 1)[0]
+    assert config_version.API_VERSION.isdigit()
+
+
+def test_api_version_matches_v1_url_prefix():
+    # The public contract version surfaced in the health payload must match
+    # the URL namespace the API is published under.
+    assert config_version.API_VERSION == "1"

api/src/backend/api/v1/views.py

@@ -21,6 +21,7 @@ from celery import chain, states
 from celery.result import AsyncResult
 from config.custom_logging import BackendLogger
 from config.env import env
+from config.version import RELEASE_ID
 from config.settings.social_login import (
     GITHUB_OAUTH_CALLBACK_URL,
     GOOGLE_OAUTH_CALLBACK_URL,
@@ -424,7 +425,7 @@ class SchemaView(SpectacularAPIView):
 
     def get(self, request, *args, **kwargs):
         spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.28.0"
+        spectacular_settings.VERSION = RELEASE_ID
         spectacular_settings.DESCRIPTION = (
             "Prowler API specification.\n\nThis file is auto-generated."
         )

api/src/backend/config/django/base.py

@@ -118,6 +118,8 @@ REST_FRAMEWORK = {
         "attack-paths-custom-query": env(
             "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
         ),
+        "health-live": env("DJANGO_THROTTLE_HEALTH_LIVE", default="120/min"),
+        "health-ready": env("DJANGO_THROTTLE_HEALTH_READY", default="60/min"),
     },
 }
 

api/src/backend/config/urls.py

@@ -1,5 +1,9 @@
 from django.urls import include, path
 
+from api.health import LivenessView, ReadinessView
+
 urlpatterns = [
     path("api/v1/", include("api.v1.urls")),
+    path("health/live", LivenessView.as_view(), name="health-live"),
+    path("health/ready", ReadinessView.as_view(), name="health-ready"),
 ]

api/src/backend/config/version.py

@@ -0,0 +1,41 @@
+"""Single source of truth for the API version.
+
+The semantic version is read once from ``api/pyproject.toml`` at module
+import; consumers (health payload, OpenAPI schema) read the resulting
+constants. Fails fast at boot if the file cannot be located, so a
+packaging mistake surfaces immediately rather than serving stale data.
+"""
+
+from __future__ import annotations
+
+import tomllib
+from pathlib import Path
+
+_PROJECT_NAME = "prowler-api"
+
+
+def _discover_release_id() -> str:
+    here = Path(__file__).resolve()
+    for directory in here.parents:
+        candidate = directory / "pyproject.toml"
+        if not candidate.is_file():
+            continue
+        with candidate.open("rb") as f:
+            data = tomllib.load(f)
+        project = data.get("project") or {}
+        if project.get("name") != _PROJECT_NAME:
+            continue
+        version = project.get("version")
+        if not isinstance(version, str) or not version:
+            raise RuntimeError(
+                f"{candidate} declares an empty or invalid [project].version"
+            )
+        return version
+    raise RuntimeError(
+        f"Could not locate the {_PROJECT_NAME} pyproject.toml from {here}"
+    )
+
+
+RELEASE_ID: str = _discover_release_id()
+# Public contract major (e.g. "1"); matches the /api/v1/ namespace.
+API_VERSION: str = RELEASE_ID.split(".", 1)[0]

contrib/k8s/helm/prowler-api/values.yaml

@@ -590,13 +590,16 @@ resources: {}
   #   memory: 128Mi
 
 # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+# /health/live succeeds while the process answers; /health/ready also
+# checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
+# any of them is unreachable.
 livenessProbe:
   httpGet:
-    path: /
+    path: /health/live
     port: http
 readinessProbe:
   httpGet:
-    path: /
+    path: /health/ready
     port: http
 
 #This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/

contrib/k8s/helm/prowler-app/values.yaml

@@ -270,20 +270,23 @@ api:
   # 3m30s to setup DB
   # startupProbe:
   #   httpGet:
-  #     path: /api/v1/docs
+  #     path: /health/live
   #     port: http
 
   # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # /health/live succeeds while the process answers; /health/ready also
+  # checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
+  # any of them is unreachable.
   livenessProbe:
     failureThreshold: 10
     httpGet:
-      path: /api/v1/docs
+      path: /health/live
       port: http
     periodSeconds: 20
   readinessProbe:
     failureThreshold: 10
     httpGet:
-      path: /api/v1/docs
+      path: /health/ready
       port: http
     periodSeconds: 20
 

docker-compose-dev.yml

@@ -37,7 +37,7 @@ services:
       neo4j:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 12
@@ -211,6 +211,7 @@ services:
       interval: 10s
       timeout: 5s
       retries: 3
+      start_period: 60s
 
 volumes:
   outputs:

docker-compose.yml

@@ -33,7 +33,7 @@ services:
       neo4j:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 12
@@ -176,6 +176,7 @@ services:
       interval: 10s
       timeout: 5s
       retries: 3
+      start_period: 60s
 
 volumes:
   output:

docs/docs.json

@@ -326,6 +326,13 @@
                   "user-guide/providers/openstack/authentication"
                 ]
               },
+              {
+                "group": "Scaleway",
+                "pages": [
+                  "user-guide/providers/scaleway/getting-started-scaleway",
+                  "user-guide/providers/scaleway/authentication"
+                ]
+              },
               {
                 "group": "Vercel",
                 "pages": [

docs/introduction.mdx

@@ -35,6 +35,7 @@ Prowler supports a wide range of providers organized by category:
 | **NHN**                                                                          | Unofficial | Tenants                  | CLI          |
 | [OpenStack](/user-guide/providers/openstack/getting-started-openstack)           | Official   | Projects                 | UI, API, CLI |
 | [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | Tenancies / Compartments | UI, API, CLI |
+| [Scaleway](/user-guide/providers/scaleway/getting-started-scaleway) [Contact us](https://prowler.com/contact) | Unofficial   | Organizations            | CLI          |
 
 ### Infrastructure as Code Providers
 

docs/user-guide/providers/scaleway/authentication.mdx

@@ -0,0 +1,37 @@
+---
+title: 'Scaleway Authentication in Prowler'
+---
+
+Prowler authenticates to Scaleway using a **Scaleway API key** (access key + secret key). The integration is read-only and only needs permission to list IAM users and API keys in the audited organization.
+
+## Prerequisites
+
+1. A Scaleway organization with IAM access.
+2. A Scaleway API key with at least the `IAMReadOnly` policy bound to a dedicated IAM user (do not use the account root user).
+3. Your organization ID (visible at the top right of the Scaleway console).
+
+## Authentication Method
+
+Prowler reads credentials **exclusively** from the standard Scaleway environment variables. There are no credential CLI flags, so secrets are never exposed in shell history or process listings.
+
+| Variable | Purpose |
+|---|---|
+| `SCW_ACCESS_KEY` | API key access key |
+| `SCW_SECRET_KEY` | API key secret key |
+| `SCW_DEFAULT_ORGANIZATION_ID` | Optional, required when the key bearer is an application |
+| `SCW_DEFAULT_PROJECT_ID` | Optional, default project for project-scoped resources |
+| `SCW_DEFAULT_REGION` | Optional, defaults to `fr-par` |
+
+The scope variables can also be passed as CLI flags (`--organization-id`, `--project-id`, `--region`), which override the corresponding environment variables.
+
+```bash
+export SCW_ACCESS_KEY="SCW..."
+export SCW_SECRET_KEY="..."
+export SCW_DEFAULT_ORGANIZATION_ID="..."
+
+prowler scaleway
+```
+
+## Required Scaleway Permissions
+
+The API key bearer needs read access to the IAM API in order to list users and API keys. The `IAMReadOnly` policy is sufficient. Refer to the [Scaleway IAM policy reference](https://www.scaleway.com/en/docs/identity-and-access-management/iam/reference-content/permission-sets/) for the full list of permissions.

docs/user-guide/providers/scaleway/getting-started-scaleway.mdx

@@ -0,0 +1,37 @@
+---
+title: "Getting Started With Scaleway on Prowler"
+---
+
+Prowler for Scaleway scans IAM resources in your Scaleway organization for security misconfigurations. The current release ships one check that flags API keys still owned by the account root user.
+
+## Prerequisites
+
+1. A Scaleway organization with IAM access.
+2. A Scaleway API key with at least the `IAMReadOnly` policy bound to a dedicated IAM user (do not use the account root user).
+3. Your organization ID (visible at the top right of the Scaleway console).
+
+## Authentication
+
+Prowler authenticates to Scaleway with a Scaleway API key. See [Scaleway Authentication in Prowler](./authentication) for the full setup, environment variables, CLI flags, and required permissions.
+
+## Run a scan
+
+```bash
+export SCW_ACCESS_KEY="SCW..."
+export SCW_SECRET_KEY="..."
+export SCW_DEFAULT_ORGANIZATION_ID="..."
+
+prowler scaleway
+```
+
+To run only the IAM root-key check:
+
+```bash
+prowler scaleway --check iam_api_keys_no_root_owned
+```
+
+## Checks shipped
+
+| Check ID | Severity | Description |
+|---|---|---|
+| `iam_api_keys_no_root_owned` | Critical | Fails when any Scaleway IAM API key is still owned by the account root user. |

mcp_server/CHANGELOG.md

@@ -2,11 +2,11 @@
 
 All notable changes to the **Prowler MCP Server** are documented in this file.
 
-## [0.7.0] (Prowler UNRELEASED)
+## [0.7.0] (Prowler v5.27.0)
 
 ### 🚀 Added
 
-- MCP Server tools for Prowler Finding Groups Management [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)
+- Finding Groups tools [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)
 
 ### 🔐 Security
 

mcp_server/prowler_mcp_server/server.py

@@ -41,12 +41,22 @@ async def setup_main_server():
         logger.error(f"Failed to import Prowler Documentation server: {e}")
 
 
-# Add health check endpoint
+# Response follows the IETF Health Check Response Format
+# (draft-inadarei-api-health-check-06). `version` is the contract version of
+# this endpoint; `releaseId` is the package build version.
 @prowler_mcp_server.custom_route("/health", methods=["GET"])
-async def health_check(request) -> JSONResponse:
+async def health_check(_request) -> JSONResponse:
     """Health check endpoint."""
     return JSONResponse(
-        {"status": "healthy", "service": "prowler-mcp-server", "version": __version__}
+        {
+            "status": "pass",
+            "version": "1",
+            "releaseId": __version__,
+            "serviceId": "prowler-mcp-server",
+            "description": "Prowler MCP Server",
+        },
+        media_type="application/health+json",
+        headers={"Cache-Control": "no-store"},
     )
 
 

mcp_server/pyproject.toml

@@ -2,6 +2,11 @@
 build-backend = "setuptools.build_meta"
 requires = ["setuptools>=61.0", "wheel"]
 
+[dependency-groups]
+dev = [
+  "pytest==8.3.5"
+]
+
 [project]
 dependencies = [
   "fastmcp==2.14.0",
@@ -16,5 +21,8 @@ version = "0.5.0"
 [project.scripts]
 prowler-mcp = "prowler_mcp_server.main:main"
 
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+
 [tool.uv]
 package = true

mcp_server/tests/test_health.py

@@ -0,0 +1,46 @@
+"""Tests for the Prowler MCP Server health endpoint."""
+
+from starlette.testclient import TestClient
+
+from prowler_mcp_server import __version__
+from prowler_mcp_server.server import app
+
+
+def test_health_returns_ietf_pass_response():
+    """GET /health returns 200 with the IETF health-check body and headers."""
+    client = TestClient(app)
+
+    response = client.get("/health")
+
+    assert response.status_code == 200
+    assert response.headers["content-type"] == "application/health+json"
+    assert response.headers["cache-control"] == "no-store"
+    assert response.json() == {
+        "status": "pass",
+        "version": "1",
+        "releaseId": __version__,
+        "serviceId": "prowler-mcp-server",
+        "description": "Prowler MCP Server",
+    }
+
+
+def test_health_release_id_matches_package_version():
+    """The endpoint must surface the current package __version__ as releaseId.
+
+    Drift between the response and the installed package would mislead any
+    monitoring tool that uses releaseId to identify the running build.
+    """
+    client = TestClient(app)
+
+    response = client.get("/health")
+
+    assert response.json()["releaseId"] == __version__
+
+
+def test_health_rejects_non_get_methods():
+    """The endpoint only exposes GET; other verbs return 405."""
+    client = TestClient(app)
+
+    response = client.post("/health")
+
+    assert response.status_code == 405

mcp_server/uv.lock

@@ -443,6 +443,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/fa/5e/f8e9a1d23b9c20a551a8a02ea3637b4642e22c2626e3a13a9a29cdea99eb/importlib_metadata-8.7.1-py3-none-any.whl", hash = "sha256:5a1f80bf1daa489495071efbb095d75a634cf28a8bc299581244063b53176151", size = 27865, upload-time = "2025-12-21T10:00:18.329Z" },
 ]
 
+[[package]]
+name = "iniconfig"
+version = "2.3.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/72/34/14ca021ce8e5dfedc35312d08ba8bf51fdd999c576889fc2c24cb97f4f10/iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730", size = 20503, upload-time = "2025-10-18T21:55:43.219Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" },
+]
+
 [[package]]
 name = "jaraco-classes"
 version = "3.4.0"
@@ -676,6 +685,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/cf/df/d3f1ddf4bb4cb50ed9b1139cc7b1c54c34a1e7ce8fd1b9a37c0d1551a6bd/opentelemetry_api-1.39.1-py3-none-any.whl", hash = "sha256:2edd8463432a7f8443edce90972169b195e7d6a05500cd29e6d13898187c9950", size = 66356, upload-time = "2025-12-11T13:32:17.304Z" },
 ]
 
+[[package]]
+name = "packaging"
+version = "26.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d7/f1/e7a6dd94a8d4a5626c03e4e99c87f241ba9e350cd9e6d75123f992427270/packaging-26.2.tar.gz", hash = "sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661", size = 228134, upload-time = "2026-04-24T20:15:23.917Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/df/b2/87e62e8c3e2f4b32e5fe99e0b86d576da1312593b39f47d8ceef365e95ed/packaging-26.2-py3-none-any.whl", hash = "sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e", size = 100195, upload-time = "2026-04-24T20:15:22.081Z" },
+]
+
 [[package]]
 name = "pathable"
 version = "0.4.4"
@@ -703,6 +721,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/73/cb/ac7874b3e5d58441674fb70742e6c374b28b0c7cb988d37d991cde47166c/platformdirs-4.5.0-py3-none-any.whl", hash = "sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3", size = 18651, upload-time = "2025-10-08T17:44:47.223Z" },
 ]
 
+[[package]]
+name = "pluggy"
+version = "1.6.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412, upload-time = "2025-05-15T12:30:07.975Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538, upload-time = "2025-05-15T12:30:06.134Z" },
+]
+
 [[package]]
 name = "prometheus-client"
 version = "0.24.1"
@@ -721,12 +748,20 @@ dependencies = [
     { name = "httpx" },
 ]
 
+[package.dev-dependencies]
+dev = [
+    { name = "pytest" },
+]
+
 [package.metadata]
 requires-dist = [
     { name = "fastmcp", specifier = "==2.14.0" },
     { name = "httpx", specifier = "==0.28.1" },
 ]
 
+[package.metadata.requires-dev]
+dev = [{ name = "pytest", specifier = "==8.3.5" }]
+
 [[package]]
 name = "py-key-value-aio"
 version = "0.3.0"
@@ -906,6 +941,21 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/1e/bc/22540e73c5f5ae18f02924cd3954a6c9a4aa6b713c841a94c98335d333a1/pyperclip-1.10.0-py3-none-any.whl", hash = "sha256:596fbe55dc59263bff26e61d2afbe10223e2fccb5210c9c96a28d6887cfcc7ec", size = 11062, upload-time = "2025-09-18T00:53:59.252Z" },
 ]
 
+[[package]]
+name = "pytest"
+version = "8.3.5"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+    { name = "iniconfig" },
+    { name = "packaging" },
+    { name = "pluggy" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/ae/3c/c9d525a414d506893f0cd8a8d0de7706446213181570cdbd766691164e40/pytest-8.3.5.tar.gz", hash = "sha256:f4efe70cc14e511565ac476b57c279e12a855b11f48f212af1080ef2263d3845", size = 1450891, upload-time = "2025-03-02T12:54:54.503Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/30/3d/64ad57c803f1fa1e963a7946b6e0fea4a70df53c1a7fed304586539c2bac/pytest-8.3.5-py3-none-any.whl", hash = "sha256:c69214aa47deac29fad6c2a4f590b9c4a9fdb16a403176fe154b79c0b4d4d820", size = 343634, upload-time = "2025-03-02T12:54:52.069Z" },
+]
+
 [[package]]
 name = "python-dotenv"
 version = "1.1.1"

prowler/CHANGELOG.md

@@ -2,7 +2,15 @@
 
 All notable changes to the **Prowler SDK** are documented in this file.
 
-## [5.27.0] (Prowler UNRELEASED)
+## [5.28.0] (Prowler v5.28.0)
+
+### 🔄 Changed
+
+- `awslambda_function_no_secrets_in_code` now supports a `secrets_ignore_files` audit-config option to skip files inside the deployment package by glob pattern (e.g. `*.deps.json`), suppressing .NET dependency-manifest false positives without masking real secrets [(#11222)](https://github.com/prowler-cloud/prowler/pull/11222)
+
+---
+
+## [5.27.0] (Prowler v5.27.0)
 
 ### 🚀 Added
 
@@ -12,11 +20,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `cloudtrail_bedrock_logging_enabled` check for AWS provider [(#10858)](https://github.com/prowler-cloud/prowler/pull/10858)
 - Okta provider with OAuth 2.0 authentication and `signon_global_session_idle_timeout_15min` check [(#11079)](https://github.com/prowler-cloud/prowler/pull/11079)
 - `sagemaker_domain_sso_configured` check for AWS provider [(#11094)](https://github.com/prowler-cloud/prowler/pull/11094)
+- Scaleway provider with `iam_api_keys_no_root_owned` check [(#11166)](https://github.com/prowler-cloud/prowler/pull/11166)
 
 ### 🔄 Changed
 
 - `entra_emergency_access_exclusion` check for M365 provider now scopes the exclusion requirement to enabled Conditional Access policies with a `Block` grant control instead of every enabled policy, focusing on the lockout-relevant policy set [(#10849)](https://github.com/prowler-cloud/prowler/pull/10849)
 - AWS IAM customer-managed policy checks no longer emit `FAIL` on unattached policies unless `--scan-unused-services` is enabled [(#11150)](https://github.com/prowler-cloud/prowler/pull/11150)
+- Replace `poetry` with `uv` as package manager [(#11162)](https://github.com/prowler-cloud/prowler/pull/11162)
+- Replace `safety` with `osv-scanner` for dependency vulnerability scanning in SDK CI and pre-commit [(#11167)](https://github.com/prowler-cloud/prowler/pull/11167)
 
 ### 🐞 Fixed
 
@@ -25,16 +36,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `zone_waf_enabled` check for Cloudflare provider now appends a plan-aware hint to the FAIL `status_extended`: a possible-false-positive note on paid plans (Pro, Business, Enterprise) where the legacy `waf` zone setting can read `off` even though WAF managed rulesets are deployed via the dashboard, and a "not available on the Cloudflare Free plan" note on Free zones [(#9896)](https://github.com/prowler-cloud/prowler/pull/9896)
 - Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11169)](https://github.com/prowler-cloud/prowler/pull/11169)
 - Google Workspace Drive and Calendar services missing server-side policy filters [(#11195)](https://github.com/prowler-cloud/prowler/pull/11195)
-- `VercelSession.token` is now excluded from serialization and representation to prevent the Vercel API token from leaking through `.dict()`, `.json()` or logs [(#11198)](https://github.com/prowler-cloud/prowler/pull/11198)
-
----
-
-## [5.26.2] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
 - `entra_users_mfa_capable` and `entra_break_glass_account_fido2_security_key_registered` report a preventive FAIL per affected user (with the missing permission named) when the M365 service principal lacks `AuditLog.Read.All`, instead of mass false positives [(#10907)](https://github.com/prowler-cloud/prowler/pull/10907)
-- Update duplicated GCP CIS requirements IDs [(#11180)](https://github.com/prowler-cloud/prowler/pull/11180)
+- Duplicated GCP CIS requirements IDs [(#11180)](https://github.com/prowler-cloud/prowler/pull/11180)
+- `VercelSession.token` is now excluded from serialization and representation to prevent the Vercel API token from leaking through `.dict()`, `.json()` or logs [(#11198)](https://github.com/prowler-cloud/prowler/pull/11198)
 
 ---
 

prowler/__main__.py

@@ -157,6 +157,7 @@ from prowler.providers.nhn.models import NHNOutputOptions
 from prowler.providers.okta.models import OktaOutputOptions
 from prowler.providers.openstack.models import OpenStackOutputOptions
 from prowler.providers.oraclecloud.models import OCIOutputOptions
+from prowler.providers.scaleway.models import ScalewayOutputOptions
 from prowler.providers.vercel.models import VercelOutputOptions
 
 
@@ -431,6 +432,10 @@ def prowler():
         output_options = OktaOutputOptions(
             args, bulk_checks_metadata, global_provider.identity
         )
+    elif provider == "scaleway":
+        output_options = ScalewayOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )
 
     # Run the quick inventory for the provider if available
     if hasattr(args, "quick_inventory") and args.quick_inventory:

prowler/config/config.py

@@ -75,6 +75,7 @@ class Provider(str, Enum):
     ALIBABACLOUD = "alibabacloud"
     OPENSTACK = "openstack"
     IMAGE = "image"
+    SCALEWAY = "scaleway"
     VERCEL = "vercel"
     OKTA = "okta"
 

prowler/config/config.yaml

@@ -390,6 +390,20 @@ aws:
   # Patterns to ignore in the secrets checks
   secrets_ignore_patterns: []
 
+  # aws.awslambda_function_no_secrets_in_code
+  # Glob patterns of file names inside the Lambda deployment package to skip
+  # when scanning for secrets. Useful to suppress known false positives such
+  # as .NET dependency manifests.
+  # Example:
+  #   secrets_ignore_files:
+  #     - "*.deps.json"
+  # WARNING: use at your own risk. Any file whose name matches one of these
+  # patterns is fully excluded from secret scanning, so a real secret placed
+  # in such a file will NOT be detected. Keep patterns as narrow and specific
+  # as possible; this is not recommended unless you have confirmed the matched
+  # files only ever contain false positives.
+  secrets_ignore_files: []
+
   # AWS Secrets Manager Configuration
   # aws.secretsmanager_secret_unused
   # Maximum number of days a secret can be unused

prowler/lib/check/check.py

@@ -741,6 +741,10 @@ def execute(
                 is_finding_muted_args["team_id"] = (
                     team.id if team else global_provider.identity.user_id
                 )
+            elif global_provider.type == "scaleway":
+                is_finding_muted_args["organization_id"] = (
+                    global_provider.identity.organization_id
+                )
             elif global_provider.type == "oraclecloud":
                 is_finding_muted_args["tenancy_id"] = (
                     global_provider.identity.tenancy_id

prowler/lib/check/models.py

@@ -1318,6 +1318,54 @@ class CheckReportVercel(Check_Report):
         return "global"
 
 
+@dataclass
+class CheckReportScaleway(Check_Report):
+    """Contains the Scaleway Check's finding information.
+
+    Scaleway scans run at the organization level. Most IAM/account-level
+    resources are global; regional resources expose a ``region`` attribute
+    on the underlying object, which we surface as the report ``region``.
+    """
+
+    resource_name: str
+    resource_id: str
+    organization_id: str
+
+    def __init__(
+        self,
+        metadata: Dict,
+        resource: Any,
+        resource_name: str = None,
+        resource_id: str = None,
+        organization_id: str = None,
+    ) -> None:
+        """Initialize the Scaleway Check's finding information.
+
+        Args:
+            metadata: Check metadata dictionary.
+            resource: The Scaleway resource being checked.
+            resource_name: Override for resource name.
+            resource_id: Override for resource ID.
+            organization_id: Override for the organization ID.
+        """
+        super().__init__(metadata, resource)
+        self.resource_name = resource_name or getattr(
+            resource, "name", getattr(resource, "resource_name", "")
+        )
+        self.resource_id = resource_id or getattr(
+            resource, "id", getattr(resource, "resource_id", "")
+        )
+        self.organization_id = organization_id or getattr(
+            resource, "organization_id", ""
+        )
+        self._region = getattr(resource, "region", None) or "global"
+
+    @property
+    def region(self) -> str:
+        """Scaleway regional resources expose their own region; IAM is global."""
+        return self._region
+
+
 # Testing Pending
 def load_check_metadata(metadata_file: str) -> CheckMetadata:
     """

prowler/lib/cli/parser.py

@@ -29,10 +29,10 @@ class ProwlerArgumentParser:
         self.parser = argparse.ArgumentParser(
             prog="prowler",
             formatter_class=RawTextHelpFormatter,
-            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,vercel,dashboard,iac,image,llm} ...",
+            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel,dashboard,iac,image,llm} ...",
             epilog="""
 Available Cloud Providers:
-  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,vercel}
+  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel}
     aws                 AWS Provider
     azure               Azure Provider
     gcp                 GCP Provider
@@ -50,6 +50,7 @@ Available Cloud Providers:
     image               Container Image Provider
     nhn                 NHN Provider (Unofficial)
     mongodbatlas        MongoDB Atlas Provider
+    scaleway            Scaleway Provider
     vercel              Vercel Provider
 
 Available components:

prowler/lib/outputs/finding.py

@@ -442,6 +442,18 @@ class Finding(BaseModel):
                 output_data["resource_uid"] = check_output.resource_id
                 output_data["region"] = "global"
 
+            elif provider.type == "scaleway":
+                output_data["auth_method"] = "api_key"
+                output_data["account_uid"] = get_nested_attribute(
+                    provider, "identity.organization_id"
+                )
+                output_data["account_name"] = get_nested_attribute(
+                    provider, "identity.bearer_email"
+                ) or get_nested_attribute(provider, "identity.organization_id")
+                output_data["resource_name"] = check_output.resource_name
+                output_data["resource_uid"] = check_output.resource_id
+                output_data["region"] = check_output.region
+
             elif provider.type == "alibabacloud":
                 output_data["auth_method"] = get_nested_attribute(
                     provider, "identity.identity_arn"

prowler/lib/outputs/html/html.py

@@ -1450,6 +1450,77 @@ class HTML(Output):
             )
             return ""
 
+    @staticmethod
+    def get_scaleway_assessment_summary(provider: Provider) -> str:
+        """
+        get_scaleway_assessment_summary gets the HTML assessment summary for the Scaleway provider
+
+        Args:
+            provider (Provider): the Scaleway provider object
+
+        Returns:
+            str: HTML assessment summary for the Scaleway provider
+        """
+        try:
+            assessment_items = f"""
+                            <li class="list-group-item">
+                                <b>Organization ID:</b> {provider.identity.organization_id}
+                            </li>"""
+
+            credentials_items = """
+                            <li class="list-group-item">
+                                <b>Authentication:</b> API Key
+                            </li>"""
+
+            access_key = getattr(provider.session, "access_key", None)
+            if access_key:
+                credentials_items += f"""
+                            <li class="list-group-item">
+                                <b>Access Key:</b> {access_key}
+                            </li>"""
+
+            bearer_type = getattr(provider.identity, "bearer_type", None)
+            bearer_email = getattr(provider.identity, "bearer_email", None)
+            bearer_id = getattr(provider.identity, "bearer_id", None)
+            if bearer_type:
+                bearer_label = bearer_email or bearer_id or "-"
+                credentials_items += f"""
+                            <li class="list-group-item">
+                                <b>Bearer:</b> {bearer_type} ({bearer_label})
+                            </li>"""
+
+            region = getattr(provider.session, "default_region", None)
+            if region:
+                credentials_items += f"""
+                            <li class="list-group-item">
+                                <b>Default Region:</b> {region}
+                            </li>"""
+
+            return f"""
+                <div class="col-md-2">
+                    <div class="card">
+                        <div class="card-header">
+                            Scaleway Assessment Summary
+                        </div>
+                        <ul class="list-group list-group-flush">{assessment_items}
+                        </ul>
+                    </div>
+                </div>
+                <div class="col-md-4">
+                    <div class="card">
+                        <div class="card-header">
+                            Scaleway Credentials
+                        </div>
+                        <ul class="list-group list-group-flush">{credentials_items}
+                        </ul>
+                    </div>
+                </div>"""
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+            )
+            return ""
+
     @staticmethod
     def get_assessment_summary(provider: Provider) -> str:
         """

prowler/lib/outputs/outputs.py

@@ -42,6 +42,8 @@ def stdout_report(finding, color, verbose, status, fix):
         details = finding.region
     if finding.check_metadata.Provider == "okta":
         details = finding.region
+    if finding.check_metadata.Provider == "scaleway":
+        details = finding.region
 
     if (verbose or fix) and (not status or finding.status in status):
         if finding.muted:

prowler/lib/outputs/summary_table.py

@@ -111,6 +111,9 @@ def display_summary_table(
         elif provider.type == "okta":
             entity_type = "Okta Org"
             audited_entities = provider.identity.org_domain
+        elif provider.type == "scaleway":
+            entity_type = "Organization"
+            audited_entities = provider.identity.organization_id
 
         # Check if there are findings and that they are not all MANUAL
         if findings and not all(finding.status == "MANUAL" for finding in findings):

prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py

@@ -1,3 +1,4 @@
+import fnmatch
 import os
 import tempfile
 
@@ -13,6 +14,11 @@ class awslambda_function_no_secrets_in_code(Check):
             secrets_ignore_patterns = awslambda_client.audit_config.get(
                 "secrets_ignore_patterns", []
             )
+            # Glob patterns of file names inside the deployment package to skip
+            # when scanning for secrets (e.g. "*.deps.json" for .NET Lambdas).
+            secrets_ignore_files = awslambda_client.audit_config.get(
+                "secrets_ignore_files", []
+            )
             for function, function_code in awslambda_client._get_function_code():
                 if function_code:
                     report = Check_Report_AWS(
@@ -29,6 +35,14 @@ class awslambda_function_no_secrets_in_code(Check):
                         files_in_zip = next(os.walk(tmp_dir_name))[2]
                         secrets_findings = []
                         for file in files_in_zip:
+                            # Skip files whose name matches an ignore pattern
+                            # so known false-positive files (e.g. .NET
+                            # *.deps.json) do not raise spurious findings.
+                            if any(
+                                fnmatch.fnmatch(file, pattern)
+                                for pattern in secrets_ignore_files
+                            ):
+                                continue
                             detect_secrets_output = detect_secrets_scan(
                                 file=f"{tmp_dir_name}/{file}",
                                 excluded_secrets=secrets_ignore_patterns,

prowler/providers/common/provider.py

@@ -416,6 +416,18 @@ class Provider(ABC):
                         mutelist_path=arguments.mutelist_file,
                         fixer_config=fixer_config,
                     )
+                elif "scaleway" in provider_class_name.lower():
+                    # Credentials are read from the SCW_ACCESS_KEY /
+                    # SCW_SECRET_KEY env vars by the provider itself; there
+                    # are no credential CLI flags to avoid leaking secrets.
+                    provider_class(
+                        organization_id=getattr(arguments, "organization_id", None),
+                        project_id=getattr(arguments, "project_id", None),
+                        region=getattr(arguments, "region", None),
+                        config_path=arguments.config_file,
+                        mutelist_path=arguments.mutelist_file,
+                        fixer_config=fixer_config,
+                    )
 
         except TypeError as error:
             logger.critical(

prowler/providers/scaleway/exceptions/exceptions.py

@@ -0,0 +1,99 @@
+# Exceptions codes from 15000 to 15999 are reserved for Scaleway exceptions
+from prowler.exceptions.exceptions import ProwlerException
+
+
+class ScalewayBaseException(ProwlerException):
+    """Base exception for Scaleway provider errors."""
+
+    SCALEWAY_ERROR_CODES = {
+        (15000, "ScalewayCredentialsError"): {
+            "message": "Scaleway credentials not found or invalid.",
+            "remediation": (
+                "Set the SCW_ACCESS_KEY and SCW_SECRET_KEY environment variables "
+                "with a valid Scaleway API key. Generate one at "
+                "https://console.scaleway.com/iam/api-keys."
+            ),
+        },
+        (15001, "ScalewayAuthenticationError"): {
+            "message": "Authentication to the Scaleway API failed.",
+            "remediation": (
+                "Verify your Scaleway API key is valid, has not expired, and that "
+                "the bearer has IAM read permissions on the target organization."
+            ),
+        },
+        (15002, "ScalewaySessionError"): {
+            "message": "Failed to create a Scaleway API session.",
+            "remediation": (
+                "Check network connectivity and ensure the Scaleway API is "
+                "reachable at https://api.scaleway.com."
+            ),
+        },
+        (15003, "ScalewayIdentityError"): {
+            "message": "Failed to retrieve Scaleway identity information.",
+            "remediation": (
+                "Ensure the API key has permissions to read IAM users and the "
+                "owning organization metadata."
+            ),
+        },
+        (15004, "ScalewayAPIError"): {
+            "message": "An error occurred while calling the Scaleway API.",
+            "remediation": (
+                "Check the Scaleway API status at https://status.scaleway.com "
+                "and retry. Run with --log-level DEBUG for the full traceback."
+            ),
+        },
+    }
+
+    def __init__(self, code, file=None, original_exception=None, message=None):
+        provider = "Scaleway"
+        error_info = self.SCALEWAY_ERROR_CODES.get((code, self.__class__.__name__))
+        if error_info is None:
+            error_info = {
+                "message": message or "Unknown Scaleway error.",
+                "remediation": "Check the Scaleway API documentation for more details.",
+            }
+        elif message:
+            error_info = error_info.copy()
+            error_info["message"] = message
+        super().__init__(
+            code=code,
+            source=provider,
+            file=file,
+            original_exception=original_exception,
+            error_info=error_info,
+        )
+
+
+class ScalewayCredentialsError(ScalewayBaseException):
+    def __init__(self, file=None, original_exception=None, message=None):
+        super().__init__(
+            15000, file=file, original_exception=original_exception, message=message
+        )
+
+
+class ScalewayAuthenticationError(ScalewayBaseException):
+    def __init__(self, file=None, original_exception=None, message=None):
+        super().__init__(
+            15001, file=file, original_exception=original_exception, message=message
+        )
+
+
+class ScalewaySessionError(ScalewayBaseException):
+    def __init__(self, file=None, original_exception=None, message=None):
+        super().__init__(
+            15002, file=file, original_exception=original_exception, message=message
+        )
+
+
+class ScalewayIdentityError(ScalewayBaseException):
+    def __init__(self, file=None, original_exception=None, message=None):
+        super().__init__(
+            15003, file=file, original_exception=original_exception, message=message
+        )
+
+
+class ScalewayAPIError(ScalewayBaseException):
+    def __init__(self, file=None, original_exception=None, message=None):
+        super().__init__(
+            15004, file=file, original_exception=original_exception, message=message
+        )

prowler/providers/scaleway/lib/arguments/arguments.py

@@ -0,0 +1,36 @@
+def init_parser(self):
+    """Init the Scaleway provider CLI parser."""
+    scaleway_parser = self.subparsers.add_parser(
+        "scaleway",
+        parents=[self.common_providers_parser],
+        help="Scaleway Provider",
+    )
+
+    # Authentication
+    # Credentials are read exclusively from the standard Scaleway environment
+    # variables (SCW_ACCESS_KEY / SCW_SECRET_KEY) to avoid leaking secrets into
+    # shell history and process listings. There are no credential CLI flags.
+
+    # Scope
+    scope_subparser = scaleway_parser.add_argument_group("Scope")
+    scope_subparser.add_argument(
+        "--organization-id",
+        nargs="?",
+        default=None,
+        metavar="SCW_DEFAULT_ORGANIZATION_ID",
+        help="Scaleway organization ID to scope the audit.",
+    )
+    scope_subparser.add_argument(
+        "--project-id",
+        nargs="?",
+        default=None,
+        metavar="SCW_DEFAULT_PROJECT_ID",
+        help="Default Scaleway project ID for project-scoped resources.",
+    )
+    scope_subparser.add_argument(
+        "--region",
+        nargs="?",
+        default=None,
+        metavar="SCW_DEFAULT_REGION",
+        help="Default Scaleway region (fr-par, nl-ams, pl-waw).",
+    )

prowler/providers/scaleway/lib/mutelist/mutelist.py

@@ -0,0 +1,20 @@
+from prowler.lib.check.models import CheckReportScaleway
+from prowler.lib.mutelist.mutelist import Mutelist
+from prowler.lib.outputs.utils import unroll_dict, unroll_tags
+
+
+class ScalewayMutelist(Mutelist):
+    """Scaleway-specific mutelist helper."""
+
+    def is_finding_muted(
+        self,
+        finding: CheckReportScaleway,
+        organization_id: str,
+    ) -> bool:
+        return self.is_muted(
+            organization_id,
+            finding.check_metadata.CheckID,
+            finding.region or "global",
+            finding.resource_id or finding.resource_name,
+            unroll_dict(unroll_tags(finding.resource_tags)),
+        )

prowler/providers/scaleway/lib/service/service.py

@@ -0,0 +1,44 @@
+from prowler.lib.logger import logger
+from prowler.providers.scaleway.exceptions.exceptions import ScalewayAPIError
+
+
+class ScalewayService:
+    """Base class for Scaleway services.
+
+    Centralizes the provider context (audit/fixer configuration, the
+    scoping organization, the authenticated ``scaleway.Client``) so each
+    service only worries about which Scaleway API to call.
+    """
+
+    def __init__(self, service: str, provider):
+        self.provider = provider
+        self.audit_config = provider.audit_config
+        self.fixer_config = provider.fixer_config
+        self.service = service.lower() if not service.islower() else service
+
+        # Shared authenticated client and the organization in scope
+        self.client = provider.session.client
+        self.organization_id = provider.identity.organization_id
+
+    def _safe_call(self, label: str, fn, *args, **kwargs):
+        """Run a Scaleway SDK call and surface failures as ScalewayAPIError.
+
+        Args:
+            label: Human-readable label for the call (used in logs).
+            fn: SDK function to invoke.
+
+        Returns:
+            The SDK function result, or ``None`` if the call failed.
+        """
+        try:
+            return fn(*args, **kwargs)
+        except Exception as error:
+            logger.error(
+                f"{self.service} - {label} failed: "
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            raise ScalewayAPIError(
+                file=__file__,
+                original_exception=error,
+                message=f"Scaleway API call '{label}' failed.",
+            )

prowler/providers/scaleway/models.py

@@ -0,0 +1,55 @@
+from typing import Any, Literal, Optional
+
+from pydantic.v1 import BaseModel, Field
+
+from prowler.config.config import output_file_timestamp
+from prowler.providers.common.models import ProviderOutputOptions
+
+ScalewayBearerType = Literal["user", "application"]
+
+
+class ScalewaySession(BaseModel):
+    """Scaleway API session information.
+
+    Stores the credentials and the underlying ``scaleway.Client`` so every
+    service can reuse the same authenticated client.
+    """
+
+    access_key: str
+    # Excluded from serialization and repr: the whole authentication relies
+    # on this secret, so it must never leak through .dict()/.json()/logs.
+    secret_key: str = Field(exclude=True, repr=False)
+    organization_id: Optional[str] = None
+    default_project_id: Optional[str] = None
+    default_region: Optional[str] = None
+    client: Any = Field(default=None, exclude=True)
+
+    class Config:
+        arbitrary_types_allowed = True
+
+
+class ScalewayIdentityInfo(BaseModel):
+    """Scaleway identity and scoping information."""
+
+    organization_id: str
+    bearer_id: Optional[str] = None
+    bearer_type: Optional[ScalewayBearerType] = None
+    bearer_email: Optional[str] = None
+    account_root_user_id: Optional[str] = None
+
+
+class ScalewayOutputOptions(ProviderOutputOptions):
+    """Customize output filenames for Scaleway scans."""
+
+    def __init__(self, arguments, bulk_checks_metadata, identity: ScalewayIdentityInfo):
+        super().__init__(arguments, bulk_checks_metadata)
+        if (
+            not hasattr(arguments, "output_filename")
+            or arguments.output_filename is None
+        ):
+            account_fragment = identity.organization_id or "scaleway"
+            self.output_filename = (
+                f"prowler-output-{account_fragment}-{output_file_timestamp}"
+            )
+        else:
+            self.output_filename = arguments.output_filename

prowler/providers/scaleway/scaleway_provider.py

@@ -0,0 +1,378 @@
+import os
+
+from colorama import Fore, Style
+from scaleway import Client
+from scaleway.iam.v1alpha1 import IamV1Alpha1API
+
+from prowler.config.config import (
+    default_config_file_path,
+    get_default_mute_file_path,
+    load_and_validate_config_file,
+)
+from prowler.lib.logger import logger
+from prowler.lib.utils.utils import print_boxes
+from prowler.providers.common.models import Audit_Metadata, Connection
+from prowler.providers.common.provider import Provider
+from prowler.providers.scaleway.exceptions.exceptions import (
+    ScalewayAuthenticationError,
+    ScalewayCredentialsError,
+    ScalewayIdentityError,
+    ScalewaySessionError,
+)
+from prowler.providers.scaleway.lib.mutelist.mutelist import ScalewayMutelist
+from prowler.providers.scaleway.models import (
+    ScalewayIdentityInfo,
+    ScalewaySession,
+)
+
+
+class ScalewayProvider(Provider):
+    """Scaleway provider.
+
+    Authenticates against the Scaleway API using an API key (access key +
+    secret key) and exposes a single global session that every service
+    reuses. Scaleway scopes everything to an organization, so the
+    organization ID is the audit identity.
+    """
+
+    _type: str = "scaleway"
+    _session: ScalewaySession
+    _identity: ScalewayIdentityInfo
+    _audit_config: dict
+    _fixer_config: dict
+    _mutelist: ScalewayMutelist
+    audit_metadata: Audit_Metadata
+
+    def __init__(
+        self,
+        # Authentication credentials
+        access_key: str = None,
+        secret_key: str = None,
+        organization_id: str = None,
+        project_id: str = None,
+        region: str = None,
+        # Provider configuration
+        config_path: str = None,
+        config_content: dict | None = None,
+        fixer_config: dict = {},
+        mutelist_path: str = None,
+        mutelist_content: dict = None,
+    ):
+        logger.info("Instantiating Scaleway provider...")
+
+        if config_content:
+            self._audit_config = config_content
+        else:
+            if not config_path:
+                config_path = default_config_file_path
+            self._audit_config = load_and_validate_config_file(self._type, config_path)
+
+        self._session = ScalewayProvider.setup_session(
+            access_key=access_key,
+            secret_key=secret_key,
+            organization_id=organization_id,
+            project_id=project_id,
+            region=region,
+        )
+
+        self._identity = ScalewayProvider.setup_identity(self._session)
+
+        self._fixer_config = fixer_config
+
+        if mutelist_content:
+            self._mutelist = ScalewayMutelist(mutelist_content=mutelist_content)
+        else:
+            if not mutelist_path:
+                mutelist_path = get_default_mute_file_path(self.type)
+            self._mutelist = ScalewayMutelist(mutelist_path=mutelist_path)
+
+        Provider.set_global_provider(self)
+
+    @property
+    def type(self):
+        return self._type
+
+    @property
+    def session(self):
+        return self._session
+
+    @property
+    def identity(self):
+        return self._identity
+
+    @property
+    def audit_config(self):
+        return self._audit_config
+
+    @property
+    def fixer_config(self):
+        return self._fixer_config
+
+    @property
+    def mutelist(self) -> ScalewayMutelist:
+        return self._mutelist
+
+    @staticmethod
+    def setup_session(
+        access_key: str = None,
+        secret_key: str = None,
+        organization_id: str = None,
+        project_id: str = None,
+        region: str = None,
+    ) -> ScalewaySession:
+        """Initialize the Scaleway API session.
+
+        Credentials can be provided as arguments (for API/SDK use) or read
+        from the official Scaleway environment variables:
+
+        - ``SCW_ACCESS_KEY``
+        - ``SCW_SECRET_KEY``
+        - ``SCW_DEFAULT_ORGANIZATION_ID``
+        - ``SCW_DEFAULT_PROJECT_ID``
+        - ``SCW_DEFAULT_REGION``
+
+        Args:
+            access_key: Scaleway API access key.
+            secret_key: Scaleway API secret key.
+            organization_id: Default organization ID to scope the audit.
+            project_id: Default project ID for project-scoped resources.
+            region: Default region.
+
+        Returns:
+            ScalewaySession: The initialized session, holding the
+            authenticated ``scaleway.Client``.
+
+        Raises:
+            ScalewayCredentialsError: Access or secret key missing.
+            ScalewaySessionError: Client instantiation failed.
+        """
+        access = access_key or os.environ.get("SCW_ACCESS_KEY", "")
+        secret = secret_key or os.environ.get("SCW_SECRET_KEY", "")
+        org = organization_id or os.environ.get("SCW_DEFAULT_ORGANIZATION_ID") or None
+        project = project_id or os.environ.get("SCW_DEFAULT_PROJECT_ID") or None
+        default_region = region or os.environ.get("SCW_DEFAULT_REGION") or "fr-par"
+
+        if not access or not secret:
+            raise ScalewayCredentialsError(
+                file=os.path.basename(__file__),
+                message=(
+                    "Scaleway credentials not found. Provide access_key and "
+                    "secret_key or set the SCW_ACCESS_KEY and SCW_SECRET_KEY "
+                    "environment variables."
+                ),
+            )
+
+        try:
+            client = Client(
+                access_key=access,
+                secret_key=secret,
+                default_organization_id=org,
+                default_project_id=project,
+                default_region=default_region,
+            )
+            return ScalewaySession(
+                access_key=access,
+                secret_key=secret,
+                organization_id=org,
+                default_project_id=project,
+                default_region=default_region,
+                client=client,
+            )
+        except Exception as error:
+            logger.critical(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+            )
+            raise ScalewaySessionError(
+                file=os.path.basename(__file__),
+                original_exception=error,
+            )
+
+    @staticmethod
+    def setup_identity(session: ScalewaySession) -> ScalewayIdentityInfo:
+        """Resolve the audit identity by calling Scaleway IAM.
+
+        Uses ``iam.get_api_key`` on the current access key to discover the
+        bearer (user vs application). When the bearer is a user, the
+        owning organization is read from the user record; otherwise we
+        require ``SCW_DEFAULT_ORGANIZATION_ID``.
+        """
+        try:
+            iam = IamV1Alpha1API(session.client)
+            current_key = iam.get_api_key(access_key=session.access_key)
+
+            bearer_id = current_key.user_id or current_key.application_id
+            bearer_type = (
+                "user"
+                if current_key.user_id
+                else ("application" if current_key.application_id else None)
+            )
+
+            organization_id = session.organization_id
+            bearer_email = None
+            account_root_user_id = None
+
+            # If the bearer is a user, resolve the org from the user record
+            # and surface the email + root user id for the credentials banner.
+            if current_key.user_id:
+                user = iam.get_user(user_id=current_key.user_id)
+                organization_id = organization_id or user.organization_id
+                bearer_email = user.email
+                account_root_user_id = user.account_root_user_id
+            elif current_key.application_id and not organization_id:
+                # Application keys do not expose the org directly without an
+                # extra call. The default org from env is preferred.
+                logger.warning(
+                    "Scaleway application-scoped API key without "
+                    "SCW_DEFAULT_ORGANIZATION_ID. Resource discovery may fail."
+                )
+            # NOTE: application-scoped keys never resolve account_root_user_id
+            # here (the IAM API does not expose it for an application bearer).
+            # The IAM service falls back to the org's user list to recover it;
+            # if that is unavailable, iam_api_keys_no_root_owned degrades to
+            # MANUAL rather than silently PASSing root-owned keys.
+
+            if not organization_id:
+                raise ScalewayIdentityError(
+                    file=os.path.basename(__file__),
+                    message=(
+                        "Could not determine the Scaleway organization ID. "
+                        "Set SCW_DEFAULT_ORGANIZATION_ID or use a user-scoped "
+                        "API key."
+                    ),
+                )
+
+            return ScalewayIdentityInfo(
+                organization_id=organization_id,
+                bearer_id=bearer_id,
+                bearer_type=bearer_type,
+                bearer_email=bearer_email,
+                account_root_user_id=account_root_user_id,
+            )
+        except ScalewayIdentityError:
+            raise
+        except Exception as error:
+            logger.critical(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+            )
+            raise ScalewayIdentityError(
+                file=os.path.basename(__file__),
+                original_exception=error,
+            )
+
+    @staticmethod
+    def validate_credentials(session: ScalewaySession) -> None:
+        """Smoke-test credentials by resolving the current API key.
+
+        Uses ``iam.get_api_key`` because it does not require any prior
+        knowledge of the bearer or the owning organization.
+
+        Args:
+            session: The Scaleway session to validate.
+
+        Raises:
+            ScalewayAuthenticationError: Authentication or authorization
+                failed against the Scaleway IAM API.
+        """
+        try:
+            iam = IamV1Alpha1API(session.client)
+            iam.get_api_key(access_key=session.access_key)
+        except Exception as error:
+            raise ScalewayAuthenticationError(
+                file=os.path.basename(__file__),
+                original_exception=error,
+            )
+
+    def print_credentials(self) -> None:
+        report_title = (
+            f"{Style.BRIGHT}Using the Scaleway credentials below:{Style.RESET_ALL}"
+        )
+        report_lines = [
+            f"Authentication: {Fore.YELLOW}API Key{Style.RESET_ALL}",
+            f"Access Key: {Fore.YELLOW}{self._session.access_key}{Style.RESET_ALL}",
+            f"Organization ID: {Fore.YELLOW}{self._identity.organization_id}{Style.RESET_ALL}",
+        ]
+        if self._identity.bearer_type:
+            report_lines.append(
+                f"Bearer: {Fore.YELLOW}{self._identity.bearer_type}"
+                f" ({self._identity.bearer_email or self._identity.bearer_id})"
+                f"{Style.RESET_ALL}"
+            )
+        if self._session.default_region:
+            report_lines.append(
+                f"Default Region: {Fore.YELLOW}{self._session.default_region}{Style.RESET_ALL}"
+            )
+
+        print_boxes(report_lines, report_title)
+
+    @staticmethod
+    def test_connection(
+        access_key: str = None,
+        secret_key: str = None,
+        organization_id: str = None,
+        raise_on_exception: bool = True,
+        provider_id: str = None,
+    ) -> Connection:
+        """Test connection to Scaleway.
+
+        Args:
+            access_key: Scaleway access key (falls back to SCW_ACCESS_KEY).
+            secret_key: Scaleway secret key (falls back to SCW_SECRET_KEY).
+            organization_id: Organization ID to scope the audit.
+            raise_on_exception: Whether to raise or return errors.
+            provider_id: Expected Scaleway organization ID. When provided,
+                the resolved identity must match it; otherwise the test
+                fails with ``ScalewayAuthenticationError``.
+
+        Returns:
+            Connection: Connection object with is_connected status.
+        """
+        try:
+            session = ScalewayProvider.setup_session(
+                access_key=access_key,
+                secret_key=secret_key,
+                organization_id=organization_id,
+            )
+            ScalewayProvider.validate_credentials(session)
+
+            # Guard for API callers that already know the expected
+            # organization: the credentials must point to that exact org.
+            if provider_id:
+                identity = ScalewayProvider.setup_identity(session)
+                if identity.organization_id != provider_id:
+                    raise ScalewayAuthenticationError(
+                        file=os.path.basename(__file__),
+                        message=(
+                            "The provided credentials do not have access to "
+                            f"the Scaleway organization with ID: {provider_id}"
+                        ),
+                    )
+
+            return Connection(is_connected=True)
+
+        except (
+            ScalewayCredentialsError,
+            ScalewaySessionError,
+            ScalewayAuthenticationError,
+            ScalewayIdentityError,
+        ) as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            if raise_on_exception:
+                raise error
+            return Connection(is_connected=False, error=error)
+
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            formatted_error = ScalewayAuthenticationError(
+                file=os.path.basename(__file__),
+                original_exception=error,
+            )
+            if raise_on_exception:
+                raise formatted_error
+            return Connection(is_connected=False, error=formatted_error)
+
+    def validate_arguments(self) -> None:
+        return None

prowler/providers/scaleway/services/iam/iam_api_keys_no_root_owned/iam_api_keys_no_root_owned.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "scaleway",
+  "CheckID": "iam_api_keys_no_root_owned",
+  "CheckTitle": "Scaleway IAM API keys must not be owned by the account root user",
+  "CheckType": [],
+  "ServiceName": "iam",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "critical",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "IAM",
+  "Description": "**Scaleway API keys** are checked to ensure none is bound to the **account root user**. The account root user is the original Scaleway account owner; its credentials bypass IAM policies and grant unrestricted access to the entire organization.",
+  "Risk": "API keys owned by the **account root user** cannot be scoped down with IAM policies. Leaking one of these keys yields immediate full control over every project, resource and billing setting in the organization, and rotating them disrupts every automation depending on root credentials.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.scaleway.com/en/docs/identity-and-access-management/iam/concepts/#root-account",
+    "https://www.scaleway.com/en/docs/identity-and-access-management/iam/how-to/create-api-keys/"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "scw iam api-key delete <ACCESS_KEY>",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Scaleway console as a user with IAM admin permissions.\n2. Create a dedicated IAM user or application scoped with the minimum required policy.\n3. Generate a new API key for that bearer and roll it out to the workloads currently using the root key.\n4. Delete the API key owned by the account root user from the IAM > API keys page.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Never use API keys owned by the **account root user** for automation. Create scoped **IAM users** or **applications**, attach **least-privilege policies**, and rotate any existing root API keys to that new bearer.",
+      "Url": "https://hub.prowler.com/check/iam_api_keys_no_root_owned"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/scaleway/services/iam/iam_api_keys_no_root_owned/iam_api_keys_no_root_owned.py

@@ -0,0 +1,94 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportScaleway
+from prowler.providers.scaleway.services.iam.iam_client import iam_client
+from prowler.providers.scaleway.services.iam.iam_service import (
+    ScalewayIAMDataUnavailable,
+)
+
+
+class iam_api_keys_no_root_owned(Check):
+    """Ensure no Scaleway IAM API key is owned by the account root user.
+
+    The account root user is the original Scaleway account owner. API keys
+    bound to that bearer bypass IAM policies and grant unrestricted access
+    to the entire organization; rotating or losing them is a critical
+    incident. Day-to-day automation should rely on IAM users or
+    applications scoped through policies instead.
+    """
+
+    def execute(self) -> List[CheckReportScaleway]:
+        """Iterate over the API keys cached by the IAM service.
+
+        The check degrades to ``MANUAL`` when the IAM service could not
+        load the prerequisite data (users or API keys) — emitting ``PASS``
+        in those cases would silently mask the very condition the check
+        exists to detect.
+
+        Returns:
+            One ``CheckReportScaleway`` per discovered API key. ``FAIL``
+            when the bearer is the account root user, ``PASS`` otherwise.
+            A single ``MANUAL`` report is emitted when underlying IAM data
+            is unavailable.
+        """
+        findings: List[CheckReportScaleway] = []
+
+        # If we could not even load the users we cannot tell who the root
+        # bearer is, so every API key would falsely PASS. Surface MANUAL
+        # explicitly so the operator investigates.
+        if not iam_client.users_loaded or not iam_client.api_keys_loaded:
+            placeholder = ScalewayIAMDataUnavailable(
+                organization_id=iam_client.organization_id
+            )
+            report = CheckReportScaleway(metadata=self.metadata(), resource=placeholder)
+            report.status = "MANUAL"
+            report.status_extended = (
+                "Could not retrieve Scaleway IAM users or API keys for "
+                f"organization {iam_client.organization_id}. Verify the "
+                "API key has the IAMReadOnly policy and rerun."
+            )
+            findings.append(report)
+            return findings
+
+        root_user_id = iam_client.account_root_user_id
+
+        # The account root user could not be resolved (typically an
+        # application-scoped API key with no IAM users visible). Without it
+        # every key would fall through to PASS, masking root-owned keys, so
+        # surface MANUAL instead of a silent clean result.
+        if not root_user_id:
+            placeholder = ScalewayIAMDataUnavailable(
+                organization_id=iam_client.organization_id
+            )
+            report = CheckReportScaleway(metadata=self.metadata(), resource=placeholder)
+            report.status = "MANUAL"
+            report.status_extended = (
+                "Could not determine the Scaleway account root user for "
+                f"organization {iam_client.organization_id}. This typically "
+                "happens with application-scoped API keys when no IAM users "
+                "are visible. Verify the API key has the IAMReadOnly policy "
+                "and rerun."
+            )
+            findings.append(report)
+            return findings
+
+        for api_key in iam_client.api_keys:
+            report = CheckReportScaleway(metadata=self.metadata(), resource=api_key)
+
+            if api_key.user_id == root_user_id:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Scaleway API key {api_key.access_key} is owned by the "
+                    f"account root user ({root_user_id}). Replace it with an "
+                    f"API key bound to a dedicated IAM user or application."
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Scaleway API key {api_key.access_key} is not owned by "
+                    f"the account root user."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/scaleway/services/iam/iam_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.scaleway.services.iam.iam_service import IAM
+
+iam_client = IAM(Provider.get_global_provider())

prowler/providers/scaleway/services/iam/iam_service.py

@@ -0,0 +1,166 @@
+from typing import Optional
+
+from pydantic.v1 import BaseModel
+from scaleway.iam.v1alpha1 import IamV1Alpha1API
+
+from prowler.lib.logger import logger
+from prowler.providers.scaleway.lib.service.service import ScalewayService
+
+
+class IAM(ScalewayService):
+    """Scaleway IAM service.
+
+    Loads the users in scope plus every API key tied to the current
+    organization. Checks consume the materialized lists; nothing in this
+    class is lazy. Each load operation tracks success/failure separately
+    so checks can degrade to ``MANUAL`` when data is incomplete instead of
+    falsely passing.
+    """
+
+    def __init__(self, provider):
+        super().__init__("iam", provider)
+        self._api = IamV1Alpha1API(self.client)
+
+        # Cached state — populated eagerly during construction
+        self.users: list[ScalewayUser] = []
+        self.api_keys: list[ScalewayAPIKey] = []
+
+        # Load status flags — checks consult these to surface MANUAL when
+        # the underlying API call failed rather than reporting empty lists
+        # as a clean PASS.
+        self.users_loaded: bool = False
+        self.api_keys_loaded: bool = False
+
+        self._load_users()
+        self._load_api_keys()
+
+        # Prefer the root user id resolved at authentication time from the
+        # audit identity. Application-scoped API keys do not expose it on
+        # the identity, so fall back to the loaded user list (every user
+        # record carries the org's account_root_user_id). When neither is
+        # available the root-key check degrades to MANUAL instead of
+        # silently PASSing root-owned keys.
+        self.account_root_user_id: Optional[str] = (
+            provider.identity.account_root_user_id
+            or next(
+                (u.account_root_user_id for u in self.users if u.account_root_user_id),
+                None,
+            )
+        )
+
+    def _load_users(self) -> None:
+        """List every IAM user in the audited organization."""
+        try:
+            users = self._api.list_users_all(organization_id=self.organization_id)
+            for user in users:
+                self.users.append(
+                    ScalewayUser(
+                        id=user.id,
+                        email=user.email,
+                        username=user.username,
+                        organization_id=user.organization_id,
+                        account_root_user_id=user.account_root_user_id,
+                        mfa=bool(getattr(user, "mfa", False)),
+                        type_=(
+                            str(user.type_) if getattr(user, "type_", None) else None
+                        ),
+                        status=(
+                            str(user.status) if getattr(user, "status", None) else None
+                        ),
+                    )
+                )
+
+            self.users_loaded = True
+
+        except Exception as error:
+            logger.error(
+                f"{self.service} - Error listing users: "
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _load_api_keys(self) -> None:
+        """List every API key in the audited organization."""
+        try:
+            api_keys = self._api.list_api_keys_all(organization_id=self.organization_id)
+            for key in api_keys:
+                self.api_keys.append(
+                    ScalewayAPIKey(
+                        access_key=key.access_key,
+                        description=key.description,
+                        user_id=key.user_id,
+                        application_id=key.application_id,
+                        default_project_id=key.default_project_id,
+                        editable=bool(key.editable),
+                        managed=bool(getattr(key, "managed", False)),
+                        creation_ip=key.creation_ip,
+                        created_at=str(key.created_at) if key.created_at else None,
+                        updated_at=str(key.updated_at) if key.updated_at else None,
+                        expires_at=str(key.expires_at) if key.expires_at else None,
+                    )
+                )
+
+            self.api_keys_loaded = True
+
+        except Exception as error:
+            logger.error(
+                f"{self.service} - Error listing API keys: "
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+
+class ScalewayUser(BaseModel):
+    """Subset of a Scaleway IAM user surface that the checks need."""
+
+    id: str
+    email: Optional[str] = None
+    username: Optional[str] = None
+    organization_id: Optional[str] = None
+    account_root_user_id: Optional[str] = None
+    mfa: bool = False
+    type_: Optional[str] = None
+    status: Optional[str] = None
+    # Provide name/id for CheckReportScaleway
+    name: str = ""
+
+    def __init__(self, **data):
+        super().__init__(**data)
+        self.name = self.email or self.username or self.id
+
+
+class ScalewayAPIKey(BaseModel):
+    """Subset of a Scaleway IAM API key surface that the checks need."""
+
+    access_key: str
+    description: Optional[str] = None
+    user_id: Optional[str] = None
+    application_id: Optional[str] = None
+    default_project_id: Optional[str] = None
+    editable: bool = False
+    managed: bool = False
+    creation_ip: Optional[str] = None
+    created_at: Optional[str] = None
+    updated_at: Optional[str] = None
+    expires_at: Optional[str] = None
+    # Provide name/id for CheckReportScaleway
+    name: str = ""
+    id: str = ""
+
+    def __init__(self, **data):
+        super().__init__(**data)
+        self.id = self.access_key
+        self.name = self.description or self.access_key
+
+
+class ScalewayIAMDataUnavailable(BaseModel):
+    """Stand-in resource used when the IAM service failed to load.
+
+    Lets checks materialize a ``MANUAL`` finding (instead of a silent
+    ``PASS``) when users or API keys could not be retrieved.
+    ``CheckReportScaleway`` reads ``name``/``id``/``organization_id``/
+    ``region`` off the resource, so exposing those is enough.
+    """
+
+    organization_id: str
+    name: str = "iam-data-unavailable"
+    id: str = "iam-data-unavailable"
+    region: str = "global"

pyproject.toml

@@ -111,7 +111,8 @@ dependencies = [
   "alibabacloud_actiontrail20200706==2.4.1",
   "alibabacloud_cs20151215==6.1.0",
   "alibabacloud-rds20140815==12.0.0",
-  "alibabacloud-sls20201230==5.9.0"
+  "alibabacloud-sls20201230==5.9.0",
+  "scaleway==2.10.3"
 ]
 description = "Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks."
 license = "Apache-2.0"

skills/prowler-changelog/SKILL.md

@@ -132,6 +132,19 @@ Before editing any `CHANGELOG.md`, always inspect the active release boundary:
 
 **Do not trust the current topmost matching section name.** A released block can contain the same section heading (`### 🚀 Added`, `### 🔄 Changed`, etc.). Always anchor edits to the `Prowler UNRELEASED` version block first.
 
+## Mandatory Human Confirmation Gate
+
+Before creating or editing any changelog file (`CHANGELOG.md`), the agent MUST stop and get explicit user confirmation. This applies even when the changelog gate is failing, the required edit seems obvious, or the user asked to "fix the changelog".
+
+Present the proposed changelog action before writing:
+
+1. Target file path.
+2. Target version block and section.
+3. Exact entry to add, move, remove, or rewrite.
+4. Reason the changelog is needed.
+
+Only proceed after an explicit approval such as "confirm", "approved", "sí", or equivalent. If the user rejects or does not answer, do not edit or create the changelog. Offer alternatives such as adding `no-changelog` when appropriate.
+
 ## Adding a Changelog Entry
 
 ### Step 1: Determine Affected Component(s)

tests/lib/cli/parser_test.py

@@ -17,7 +17,7 @@ prowler_command = "prowler"
 
 # capsys
 # https://docs.pytest.org/en/7.1.x/how-to/capture-stdout-stderr.html
-prowler_default_usage_error = "usage: prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,vercel,dashboard,iac,image,llm} ..."
+prowler_default_usage_error = "usage: prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel,dashboard,iac,image,llm} ..."
 
 
 def mock_get_available_providers():

tests/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code_test.py

@@ -53,6 +53,43 @@ def get_lambda_code_with_secrets(code):
     )
 
 
+LAMBDA_DEPS_JSON_WITH_SECRET = """
+{
+  "runtimeTarget": { "name": ".NETCoreApp,Version=v8.0" },
+  "libraries": {
+    "AWSSDK.SecretsManager/3.7.0": {
+      "type": "package",
+      "password": "test-deps-json-password"
+    }
+  }
+}
+"""
+
+
+def get_lambda_code_from_files(files: dict) -> LambdaCode:
+    # The check only calls code_zip.extractall(dir); mock it to drop the
+    # given files into the temporary directory the check creates, so no
+    # real archive needs to be built.
+    code_zip = mock.MagicMock()
+
+    def _extractall(path):
+        for name, content in files.items():
+            with open(f"{path}/{name}", "w") as fd:
+                fd.write(content)
+
+    code_zip.extractall.side_effect = _extractall
+    return LambdaCode(location="", code_zip=code_zip)
+
+
+def mock_get_function_code_with_deps_json_secret():
+    yield create_lambda_function(), get_lambda_code_from_files(
+        {
+            "lambda_function.py": LAMBDA_FUNCTION_CODE_WITHOUT_SECRETS,
+            "myapp.deps.json": LAMBDA_DEPS_JSON_WITH_SECRET,
+        }
+    )
+
+
 def mock_get_function_codewith_secrets():
     yield create_lambda_function(), get_lambda_code_with_secrets(
         LAMBDA_FUNCTION_CODE_WITH_SECRETS
@@ -201,3 +238,67 @@ class Test_awslambda_function_no_secrets_in_code:
                 == f"No secrets found in Lambda function {LAMBDA_FUNCTION_NAME} code."
             )
             assert result[0].resource_tags == []
+
+    def test_function_code_deps_json_secret_not_ignored(self):
+        lambda_client = mock.MagicMock
+        lambda_client.functions = {LAMBDA_FUNCTION_ARN: create_lambda_function()}
+        lambda_client._get_function_code = mock_get_function_code_with_deps_json_secret
+        lambda_client.audit_config = {"secrets_ignore_patterns": []}
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_aws_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code.awslambda_client",
+                new=lambda_client,
+            ),
+        ):
+            from prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code import (
+                awslambda_function_no_secrets_in_code,
+            )
+
+            check = awslambda_function_no_secrets_in_code()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert "myapp.deps.json" in result[0].status_extended
+
+    def test_function_code_deps_json_secret_ignored_by_file_pattern(self):
+        lambda_client = mock.MagicMock
+        lambda_client.functions = {LAMBDA_FUNCTION_ARN: create_lambda_function()}
+        lambda_client._get_function_code = mock_get_function_code_with_deps_json_secret
+        lambda_client.audit_config = {
+            "secrets_ignore_patterns": [],
+            "secrets_ignore_files": ["*.deps.json"],
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_aws_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code.awslambda_client",
+                new=lambda_client,
+            ),
+        ):
+            from prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_code.awslambda_function_no_secrets_in_code import (
+                awslambda_function_no_secrets_in_code,
+            )
+
+            check = awslambda_function_no_secrets_in_code()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert result[0].resource_id == LAMBDA_FUNCTION_NAME
+            assert result[0].resource_arn == LAMBDA_FUNCTION_ARN
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"No secrets found in Lambda function {LAMBDA_FUNCTION_NAME} code."
+            )
+            assert result[0].resource_tags == []

tests/providers/scaleway/scaleway_fixtures.py

@@ -0,0 +1,96 @@
+from unittest.mock import MagicMock
+
+from prowler.providers.scaleway.models import (
+    ScalewayIdentityInfo,
+    ScalewaySession,
+)
+from prowler.providers.scaleway.services.iam.iam_service import (
+    ScalewayAPIKey,
+    ScalewayUser,
+)
+
+# Scaleway Identity
+ORGANIZATION_ID = "b4ce0bfc-38fc-4c53-8757-548be64add26"
+ROOT_USER_ID = "00000000-0000-0000-0000-000000000001"
+MEMBER_USER_ID = "00000000-0000-0000-0000-000000000002"
+APPLICATION_ID = "00000000-0000-0000-0000-000000000003"
+BEARER_EMAIL = "pedro@prowler.com"
+
+# Scaleway Credentials
+ACCESS_KEY = "SCWAE000000000000000"
+SECRET_KEY = "00000000-0000-0000-0000-000000000000"
+
+# API Key Constants
+ROOT_API_KEY = "SCWROOT00000000000000"
+USER_API_KEY = "SCWUSER00000000000000"
+APP_API_KEY = "SCWAPP000000000000000"
+
+
+def set_mocked_scaleway_provider(
+    access_key: str = ACCESS_KEY,
+    secret_key: str = SECRET_KEY,
+    identity: ScalewayIdentityInfo = None,
+    audit_config: dict = None,
+):
+    """Create a mocked ScalewayProvider for testing."""
+    provider = MagicMock()
+    provider.type = "scaleway"
+    provider.session = ScalewaySession(
+        access_key=access_key,
+        secret_key=secret_key,
+        organization_id=ORGANIZATION_ID,
+        default_project_id=None,
+        default_region="fr-par",
+        client=MagicMock(),
+    )
+    provider.identity = identity or ScalewayIdentityInfo(
+        organization_id=ORGANIZATION_ID,
+        bearer_id=ROOT_USER_ID,
+        bearer_type="user",
+        bearer_email=BEARER_EMAIL,
+        account_root_user_id=ROOT_USER_ID,
+    )
+    provider.audit_config = audit_config or {}
+    provider.fixer_config = {}
+
+    return provider
+
+
+def make_user(
+    user_id: str = ROOT_USER_ID,
+    email: str = BEARER_EMAIL,
+    account_root_user_id: str = ROOT_USER_ID,
+    mfa: bool = True,
+) -> ScalewayUser:
+    return ScalewayUser(
+        id=user_id,
+        email=email,
+        username=email.split("@")[0] if email else None,
+        organization_id=ORGANIZATION_ID,
+        account_root_user_id=account_root_user_id,
+        mfa=mfa,
+        type_="owner" if user_id == account_root_user_id else "member",
+        status="activated",
+    )
+
+
+def make_api_key(
+    access_key: str = USER_API_KEY,
+    user_id: str = MEMBER_USER_ID,
+    application_id: str = None,
+    description: str = "test key",
+    expires_at: str = None,
+) -> ScalewayAPIKey:
+    return ScalewayAPIKey(
+        access_key=access_key,
+        description=description,
+        user_id=user_id,
+        application_id=application_id,
+        default_project_id=None,
+        editable=True,
+        managed=False,
+        creation_ip=None,
+        created_at="2026-01-01T00:00:00Z",
+        updated_at="2026-01-01T00:00:00Z",
+        expires_at=expires_at,
+    )

tests/providers/scaleway/scaleway_provider_test.py

@@ -0,0 +1,106 @@
+import os
+from unittest import mock
+
+import pytest
+
+from prowler.providers.scaleway.exceptions.exceptions import (
+    ScalewayAuthenticationError,
+    ScalewayCredentialsError,
+    ScalewayIdentityError,
+)
+from prowler.providers.scaleway.models import ScalewaySession
+from prowler.providers.scaleway.scaleway_provider import ScalewayProvider
+from tests.providers.scaleway.scaleway_fixtures import (
+    ACCESS_KEY,
+    BEARER_EMAIL,
+    ORGANIZATION_ID,
+    ROOT_USER_ID,
+    SECRET_KEY,
+)
+
+
+class Test_ScalewayProvider_setup_session:
+    def test_missing_access_key_raises_credentials_error(self):
+        with mock.patch.dict(
+            os.environ, {"SCW_ACCESS_KEY": "", "SCW_SECRET_KEY": ""}, clear=False
+        ):
+            os.environ.pop("SCW_ACCESS_KEY", None)
+            os.environ.pop("SCW_SECRET_KEY", None)
+            with pytest.raises(ScalewayCredentialsError):
+                ScalewayProvider.setup_session()
+
+    def test_returns_session_with_credentials(self):
+        session = ScalewayProvider.setup_session(
+            access_key=ACCESS_KEY,
+            secret_key=SECRET_KEY,
+            organization_id=ORGANIZATION_ID,
+        )
+        assert isinstance(session, ScalewaySession)
+        assert session.access_key == ACCESS_KEY
+        assert session.organization_id == ORGANIZATION_ID
+        assert session.default_region == "fr-par"
+
+
+class Test_ScalewayProvider_setup_identity:
+    def _build_session(self):
+        return ScalewaySession(
+            access_key=ACCESS_KEY,
+            secret_key=SECRET_KEY,
+            organization_id=ORGANIZATION_ID,
+            default_region="fr-par",
+            client=mock.MagicMock(),
+        )
+
+    def test_resolves_user_bearer_identity(self):
+        session = self._build_session()
+        api_key = mock.MagicMock(user_id=ROOT_USER_ID, application_id=None)
+        user = mock.MagicMock(
+            email=BEARER_EMAIL,
+            organization_id=ORGANIZATION_ID,
+            account_root_user_id=ROOT_USER_ID,
+        )
+
+        with mock.patch(
+            "prowler.providers.scaleway.scaleway_provider.IamV1Alpha1API"
+        ) as iam_cls:
+            iam = iam_cls.return_value
+            iam.get_api_key.return_value = api_key
+            iam.get_user.return_value = user
+
+            identity = ScalewayProvider.setup_identity(session)
+
+        assert identity.organization_id == ORGANIZATION_ID
+        assert identity.bearer_type == "user"
+        assert identity.bearer_id == ROOT_USER_ID
+        assert identity.bearer_email == BEARER_EMAIL
+        assert identity.account_root_user_id == ROOT_USER_ID
+
+    def test_missing_organization_raises_identity_error(self):
+        session = self._build_session()
+        session.organization_id = None
+        api_key = mock.MagicMock(user_id=None, application_id="app-id")
+
+        with mock.patch(
+            "prowler.providers.scaleway.scaleway_provider.IamV1Alpha1API"
+        ) as iam_cls:
+            iam = iam_cls.return_value
+            iam.get_api_key.return_value = api_key
+
+            with pytest.raises(ScalewayIdentityError):
+                ScalewayProvider.setup_identity(session)
+
+
+class Test_ScalewayProvider_validate_credentials:
+    def test_invalid_credentials_raise_authentication_error(self):
+        session = ScalewaySession(
+            access_key=ACCESS_KEY,
+            secret_key=SECRET_KEY,
+            organization_id=ORGANIZATION_ID,
+            client=mock.MagicMock(),
+        )
+        with mock.patch(
+            "prowler.providers.scaleway.scaleway_provider.IamV1Alpha1API"
+        ) as iam_cls:
+            iam_cls.return_value.get_api_key.side_effect = Exception("expired")
+            with pytest.raises(ScalewayAuthenticationError):
+                ScalewayProvider.validate_credentials(session)

tests/providers/scaleway/services/iam/iam_api_keys_no_root_owned/iam_api_keys_no_root_owned_test.py

@@ -0,0 +1,204 @@
+from unittest import mock
+
+from tests.providers.scaleway.scaleway_fixtures import (
+    APP_API_KEY,
+    APPLICATION_ID,
+    MEMBER_USER_ID,
+    ORGANIZATION_ID,
+    ROOT_API_KEY,
+    ROOT_USER_ID,
+    USER_API_KEY,
+    make_api_key,
+    set_mocked_scaleway_provider,
+)
+
+
+def _patch_clients(iam_client_mock):
+    """Patch both the provider and the iam_client singleton."""
+    return [
+        mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=set_mocked_scaleway_provider(),
+        ),
+        mock.patch(
+            "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+            new=iam_client_mock,
+        ),
+    ]
+
+
+class Test_iam_api_keys_no_root_owned:
+    def test_no_api_keys_returns_empty_findings(self):
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = True
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = ROOT_USER_ID
+        iam_client.api_keys = []
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert result == []
+
+    def test_root_api_key_fails(self):
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = True
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = ROOT_USER_ID
+        iam_client.api_keys = [
+            make_api_key(access_key=ROOT_API_KEY, user_id=ROOT_USER_ID)
+        ]
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_id == ROOT_API_KEY
+            assert ROOT_USER_ID in result[0].status_extended
+
+    def test_user_api_key_passes(self):
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = True
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = ROOT_USER_ID
+        iam_client.api_keys = [
+            make_api_key(access_key=USER_API_KEY, user_id=MEMBER_USER_ID)
+        ]
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].resource_id == USER_API_KEY
+
+    def test_application_api_key_passes(self):
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = True
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = ROOT_USER_ID
+        iam_client.api_keys = [
+            make_api_key(
+                access_key=APP_API_KEY, user_id=None, application_id=APPLICATION_ID
+            )
+        ]
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+
+    def test_users_load_failure_returns_manual(self):
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = False
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = None
+        iam_client.api_keys = [
+            make_api_key(access_key=ROOT_API_KEY, user_id=ROOT_USER_ID)
+        ]
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert "Could not retrieve" in result[0].status_extended
+
+    def test_root_user_unresolved_returns_manual(self):
+        # Data loaded fine but account_root_user_id could not be resolved
+        # (e.g. application-scoped key). A root-owned key must NOT slip
+        # through as PASS — the check degrades to MANUAL instead.
+        iam_client = mock.MagicMock()
+        iam_client.users_loaded = True
+        iam_client.api_keys_loaded = True
+        iam_client.account_root_user_id = None
+        iam_client.api_keys = [
+            make_api_key(access_key=ROOT_API_KEY, user_id=ROOT_USER_ID)
+        ]
+        iam_client.organization_id = ORGANIZATION_ID
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_scaleway_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned.iam_client",
+                new=iam_client,
+            ),
+        ):
+            from prowler.providers.scaleway.services.iam.iam_api_keys_no_root_owned.iam_api_keys_no_root_owned import (
+                iam_api_keys_no_root_owned,
+            )
+
+            result = iam_api_keys_no_root_owned().execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert "account root user" in result[0].status_extended

tests/providers/scaleway/services/iam/scaleway_iam_service_test.py

@@ -0,0 +1,138 @@
+from unittest import mock
+
+from prowler.providers.scaleway.models import ScalewayIdentityInfo
+from prowler.providers.scaleway.services.iam.iam_service import IAM
+from tests.providers.scaleway.scaleway_fixtures import (
+    APPLICATION_ID,
+    MEMBER_USER_ID,
+    ORGANIZATION_ID,
+    ROOT_USER_ID,
+    USER_API_KEY,
+    set_mocked_scaleway_provider,
+)
+
+
+def _application_identity() -> ScalewayIdentityInfo:
+    """Identity produced by an application-scoped API key: the IAM API
+    never exposes account_root_user_id for an application bearer."""
+    return ScalewayIdentityInfo(
+        organization_id=ORGANIZATION_ID,
+        bearer_id=APPLICATION_ID,
+        bearer_type="application",
+        bearer_email=None,
+        account_root_user_id=None,
+    )
+
+
+def _mock_user(
+    user_id: str, account_root_user_id: str = ROOT_USER_ID, email: str = "u@example.com"
+):
+    user = mock.MagicMock()
+    user.id = user_id
+    user.email = email
+    user.username = email.split("@")[0]
+    user.organization_id = ORGANIZATION_ID
+    user.account_root_user_id = account_root_user_id
+    user.mfa = True
+    user.type_ = "owner" if user_id == account_root_user_id else "member"
+    user.status = "activated"
+    return user
+
+
+def _mock_api_key(access_key: str, user_id: str = None, application_id: str = None):
+    key = mock.MagicMock()
+    key.access_key = access_key
+    key.description = "test"
+    key.user_id = user_id
+    key.application_id = application_id
+    key.default_project_id = None
+    key.editable = True
+    key.managed = False
+    key.creation_ip = None
+    key.created_at = None
+    key.updated_at = None
+    key.expires_at = None
+    return key
+
+
+class Test_IAM_service:
+    def test_loads_users_and_api_keys(self):
+        provider = set_mocked_scaleway_provider()
+
+        with mock.patch(
+            "prowler.providers.scaleway.services.iam.iam_service.IamV1Alpha1API"
+        ) as iam_cls:
+            api = iam_cls.return_value
+            api.list_users_all.return_value = [
+                _mock_user(ROOT_USER_ID),
+                _mock_user(MEMBER_USER_ID, email="m@example.com"),
+            ]
+            api.list_api_keys_all.return_value = [
+                _mock_api_key(USER_API_KEY, user_id=MEMBER_USER_ID),
+                _mock_api_key("SCWAPP", application_id=APPLICATION_ID),
+            ]
+
+            iam = IAM(provider)
+
+        assert iam.users_loaded is True
+        assert iam.api_keys_loaded is True
+        assert iam.account_root_user_id == ROOT_USER_ID
+        assert len(iam.users) == 2
+        assert len(iam.api_keys) == 2
+
+    def test_marks_users_unloaded_on_error(self):
+        provider = set_mocked_scaleway_provider()
+
+        with mock.patch(
+            "prowler.providers.scaleway.services.iam.iam_service.IamV1Alpha1API"
+        ) as iam_cls:
+            api = iam_cls.return_value
+            api.list_users_all.side_effect = Exception("denied")
+            api.list_api_keys_all.return_value = []
+
+            iam = IAM(provider)
+
+        assert iam.users_loaded is False
+        assert iam.api_keys_loaded is True
+        # account_root_user_id comes from the audit identity, not the user
+        # list, so a failed user listing must not blind the root-key check.
+        assert iam.account_root_user_id == ROOT_USER_ID
+
+    def test_application_key_resolves_root_user_from_user_list(self):
+        # Application-scoped API key: identity.account_root_user_id is None,
+        # so it must be recovered from the loaded user list. Otherwise the
+        # root-key check would silently PASS root-owned keys.
+        provider = set_mocked_scaleway_provider(identity=_application_identity())
+
+        with mock.patch(
+            "prowler.providers.scaleway.services.iam.iam_service.IamV1Alpha1API"
+        ) as iam_cls:
+            api = iam_cls.return_value
+            api.list_users_all.return_value = [
+                _mock_user(ROOT_USER_ID),
+                _mock_user(MEMBER_USER_ID, email="m@example.com"),
+            ]
+            api.list_api_keys_all.return_value = []
+
+            iam = IAM(provider)
+
+        assert iam.account_root_user_id == ROOT_USER_ID
+
+    def test_account_root_user_id_none_when_unresolvable(self):
+        # Application key + no user record exposes account_root_user_id:
+        # nothing to fall back to, so it stays None and the root-key check
+        # will degrade to MANUAL downstream.
+        provider = set_mocked_scaleway_provider(identity=_application_identity())
+
+        with mock.patch(
+            "prowler.providers.scaleway.services.iam.iam_service.IamV1Alpha1API"
+        ) as iam_cls:
+            api = iam_cls.return_value
+            api.list_users_all.return_value = [
+                _mock_user(MEMBER_USER_ID, account_root_user_id=None)
+            ]
+            api.list_api_keys_all.return_value = []
+
+            iam = IAM(provider)
+
+        assert iam.account_root_user_id is None

ui/CHANGELOG.md

@@ -2,40 +2,33 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
-## [1.27.0] (Prowler UNRELEASED)
+## [1.27.0] (Prowler v5.27.0)
 
 ### 🚀 Added
 
-- UI health endpoint at `GET /api/health` for Docker Compose liveness checks [(#11145)](https://github.com/prowler-cloud/prowler/pull/11145)
-- AWS findings and resource details now expose a "View in AWS Console" link that opens the resource directly in the AWS Console via the universal `/go/view` ARN resolver. The per-provider external link is rendered by a new shared `ExternalResourceLink` component, which also covers the existing IaC repository link [(#9172)](https://github.com/prowler-cloud/prowler/pull/9172)
+- Health endpoint at `GET /api/health` for Docker Compose liveness checks [(#11145)](https://github.com/prowler-cloud/prowler/pull/11145)
+- AWS findings and resource details now expose a "View in AWS Console" link that opens the resource directly in the AWS Console via the universal `/go/view` ARN resolver [(#9172)](https://github.com/prowler-cloud/prowler/pull/9172)
+- Lighthouse AI: Prowler App Finding Groups MCP tools [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)
 
 ### 🔄 Changed
 
-- Trimmed unused npm dependencies [(#11115)](https://github.com/prowler-cloud/prowler/pull/11115)
-- Faster, stricter pre-commit: prek lints and formats only staged UI files (husky removed), with Prettier and ESLint (`--max-warnings 40`, stale-disable detection) now covering the full UI workspace, including `public/` assets (only the auto-generated `public/mockServiceWorker.js` stays ignored) [(#11118)](https://github.com/prowler-cloud/prowler/pull/11118)
-- Lighthouse now accepts Prowler App Finding Groups MCP tools [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)
+- Trimmed unused `npm` dependencies [(#11115)](https://github.com/prowler-cloud/prowler/pull/11115)
+- Faster, stricter pre-commit: prek lints and formats only staged UI files (husky removed), with Prettier and ESLint (`--max-warnings 40`, stale-disable detection) now covering the full UI workspace, including `public/` assets [(#11118)](https://github.com/prowler-cloud/prowler/pull/11118)
 - Attack Paths graph now uses React Flow with improved layout, interactions, export, minimap, and browser test coverage [(#10686)](https://github.com/prowler-cloud/prowler/pull/10686)
 - SAML ACS URL is only shown if the email domain is configured [(#11144)](https://github.com/prowler-cloud/prowler/pull/11144)
+- "View Resource" action in the finding resource detail drawer is now an icon-only link rendered next to the resource name (instead of a text button in the UID row), keeping the "View in AWS Console" link unchanged [(#11193)](https://github.com/prowler-cloud/prowler/pull/11193)
 
 ### 🐞 Fixed
 
 - Mute Findings modal now enforces the 100-character limit on the rule name input with a live counter and inline error, matching the existing reason field behaviour [(#11158)](https://github.com/prowler-cloud/prowler/pull/11158)
+- Finding drawer no longer renders literal backticks around inline code in Risk, Description and Remediation sections [(#11142)](https://github.com/prowler-cloud/prowler/pull/11142)
+- Launch Scan first-provider wizard continues after provider creation instead of resetting the Scans page [(#11136)](https://github.com/prowler-cloud/prowler/pull/11136)
+- Attack Paths graph nodes now wrap long resource and finding labels, indicate truncated values with `…`, and show the full value in an immediate tooltip [(#11197)](https://github.com/prowler-cloud/prowler/pull/11197)
 
 ### 🔐 Security
 
-- UI npm dependencies updated to patched versions for Next.js, Vite, LangChain, XML parsing, lodash, and related transitive packages [(#11171)](https://github.com/prowler-cloud/prowler/pull/11171)
-
----
-
-## [1.26.2] (Prowler 5.26.2)
-
-### 🐞 Fixed
-
-- Finding drawer no longer renders literal backticks around inline code in Risk, Description and Remediation sections [(#11142)](https://github.com/prowler-cloud/prowler/pull/11142)
-
-### 🐞 Fixed
-
-- Launch Scan first-provider wizard continues after provider creation instead of resetting the Scans page [(#11136)](https://github.com/prowler-cloud/prowler/pull/11136)
+- `npm` dependencies updated to patched versions for Next.js, Vite, LangChain, XML parsing, lodash, and related transitive packages [(#11173)](https://github.com/prowler-cloud/prowler/pull/11173)
+- Hardened `npm` supply chain controls [(#11157)](https://github.com/prowler-cloud/prowler/pull/11157)
 
 ---
 

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/graph/nodes/finding-node.test.tsx

@@ -1,4 +1,5 @@
 import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
 import { type NodeProps, Position } from "@xyflow/react";
 import { describe, expect, it, vi } from "vitest";
 
@@ -91,5 +92,26 @@ describe("FindingNode", () => {
       expect(screen.getByText("logging")).toBeInTheDocument();
       expect(screen.getByText("medium")).toBeInTheDocument();
     });
+
+    it("should expose the full finding title as an immediate tooltip when truncated", async () => {
+      // Given
+      const title =
+        "Ensure administrator access policies are rotated regularly";
+      const props = buildNodeProps(buildFindingNode("high", title));
+
+      // When
+      render(<FindingNode {...props} />);
+
+      // Then
+      expect(screen.getByText("Ensure")).toBeInTheDocument();
+      expect(screen.getByText("administrator")).toBeInTheDocument();
+      expect(screen.getByText("access policies")).toBeInTheDocument();
+      expect(screen.getByText("are rotated…")).toBeInTheDocument();
+      expect(screen.getByText("high")).toBeInTheDocument();
+
+      await userEvent.hover(screen.getByTestId("attack-path-finding-node"));
+
+      expect(await screen.findAllByText(title)).not.toHaveLength(0);
+    });
   });
 });

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/graph/nodes/finding-node.tsx

@@ -2,21 +2,27 @@
 
 import { type NodeProps, Position } from "@xyflow/react";
 
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from "@/components/shadcn/tooltip";
 import type { GraphNode } from "@/types/attack-paths";
 
 import { resolveNodeColors, resolveNodeVisual } from "../../../_lib";
+import { FINDING_NODE_DIMENSIONS } from "../../../_lib/node-dimensions";
+import { getNodeLabelDisplay } from "../../../_lib/node-label-lines";
 import { HiddenHandles } from "./hidden-handles";
-import { getNodeLabelLines } from "./node-label-lines";
 
 interface FindingNodeData {
   graphNode: GraphNode;
   [key: string]: unknown;
 }
 
-const NODE_WIDTH = 150;
-const NODE_HEIGHT = 112;
-const TITLE_MAX_CHARS = 18;
-const TITLE_MAX_LINES = 2;
+const NODE_WIDTH = FINDING_NODE_DIMENSIONS.WIDTH;
+const NODE_HEIGHT = FINDING_NODE_DIMENSIONS.HEIGHT;
+const TITLE_MAX_CHARS = FINDING_NODE_DIMENSIONS.LABEL_MAX_CHARS;
+const TITLE_MAX_LINES = FINDING_NODE_DIMENSIONS.LABEL_MAX_LINES;
 const BADGE_SIZE = 44;
 const BADGE_RADIUS = BADGE_SIZE / 2;
 const BADGE_CENTER_X = NODE_WIDTH / 2;
@@ -29,7 +35,7 @@ const ICON_Y = BADGE_CENTER_Y - ICON_SIZE / 2;
 const TEXT_X = BADGE_CENTER_X;
 const TITLE_Y = 66;
 const TITLE_LINE_HEIGHT = 13;
-const SEVERITY_Y = 94;
+const SEVERITY_Y = 118;
 
 const severityLabel = (severity: unknown): string | undefined => {
   if (!severity) return undefined;
@@ -59,7 +65,7 @@ export const FindingNode = ({ data, selected }: NodeProps) => {
       graphNode.properties?.id ||
       "Finding",
   );
-  const displayTitleLines = getNodeLabelLines(
+  const displayTitle = getNodeLabelDisplay(
     title,
     TITLE_MAX_CHARS,
     TITLE_MAX_LINES,
@@ -72,6 +78,85 @@ export const FindingNode = ({ data, selected }: NodeProps) => {
   const badgeStrokeWidth = selected ? 4 : 2.5;
   const glowRadius = selected ? 32 : 30;
   const glowOpacity = selected ? 0.34 : 0.28;
+  const nodeSvg = (
+    <svg
+      width={NODE_WIDTH}
+      height={NODE_HEIGHT}
+      className="overflow-visible"
+      tabIndex={displayTitle.isTruncated ? 0 : undefined}
+      data-testid="attack-path-finding-node"
+    >
+      <circle
+        cx={BADGE_CENTER_X}
+        cy={BADGE_CENTER_Y}
+        r={glowRadius}
+        stroke={borderColor}
+        strokeOpacity={glowOpacity}
+        strokeWidth={8}
+        fill={borderColor}
+        fillOpacity={glowOpacity / 2}
+        pointerEvents="none"
+      />
+      <circle
+        cx={BADGE_CENTER_X}
+        cy={BADGE_CENTER_Y}
+        r={BADGE_RADIUS}
+        fill={fillColor}
+        fillOpacity={0.95}
+        stroke={borderColor}
+        strokeWidth={badgeStrokeWidth}
+        className={selected ? "selected-node" : undefined}
+      />
+      <g
+        aria-label={iconLabel}
+        data-testid={toFindingIconTestId(severity)}
+        role="img"
+        transform={`translate(${ICON_X}, ${ICON_Y})`}
+      >
+        <Icon
+          aria-hidden="true"
+          color="#ffffff"
+          focusable="false"
+          height={ICON_SIZE}
+          role="presentation"
+          size={ICON_SIZE}
+          strokeWidth={2.4}
+          width={ICON_SIZE}
+        />
+      </g>
+      <text
+        x={TEXT_X}
+        y={TITLE_Y}
+        textAnchor="middle"
+        dominantBaseline="middle"
+        fill="#ffffff"
+        style={{ textShadow: "0 1px 2px rgba(0,0,0,0.5)" }}
+        pointerEvents="none"
+      >
+        {displayTitle.lines.map((line, index) => (
+          <tspan
+            key={`${line}-${index}`}
+            x={TEXT_X}
+            y={TITLE_Y + index * TITLE_LINE_HEIGHT}
+            fontSize="11px"
+            fontWeight="600"
+          >
+            {line}
+          </tspan>
+        ))}
+        {severity && (
+          <tspan
+            x={TEXT_X}
+            y={SEVERITY_Y}
+            fontSize="9px"
+            fill="rgba(255,255,255,0.82)"
+          >
+            {severity}
+          </tspan>
+        )}
+      </text>
+    </svg>
+  );
 
   return (
     <>
@@ -81,77 +166,14 @@ export const FindingNode = ({ data, selected }: NodeProps) => {
         targetPosition={Position.Left}
         targetStyle={{ left: BADGE_LEFT_X, top: BADGE_CENTER_Y }}
       />
-      <svg width={NODE_WIDTH} height={NODE_HEIGHT} className="overflow-visible">
-        <circle
-          cx={BADGE_CENTER_X}
-          cy={BADGE_CENTER_Y}
-          r={glowRadius}
-          stroke={borderColor}
-          strokeOpacity={glowOpacity}
-          strokeWidth={8}
-          fill={borderColor}
-          fillOpacity={glowOpacity / 2}
-          pointerEvents="none"
-        />
-        <circle
-          cx={BADGE_CENTER_X}
-          cy={BADGE_CENTER_Y}
-          r={BADGE_RADIUS}
-          fill={fillColor}
-          fillOpacity={0.95}
-          stroke={borderColor}
-          strokeWidth={badgeStrokeWidth}
-          className={selected ? "selected-node" : undefined}
-        />
-        <g
-          aria-label={iconLabel}
-          data-testid={toFindingIconTestId(severity)}
-          role="img"
-          transform={`translate(${ICON_X}, ${ICON_Y})`}
-        >
-          <Icon
-            aria-hidden="true"
-            color="#ffffff"
-            focusable="false"
-            height={ICON_SIZE}
-            role="presentation"
-            size={ICON_SIZE}
-            strokeWidth={2.4}
-            width={ICON_SIZE}
-          />
-        </g>
-        <text
-          x={TEXT_X}
-          y={TITLE_Y}
-          textAnchor="middle"
-          dominantBaseline="middle"
-          fill="#ffffff"
-          style={{ textShadow: "0 1px 2px rgba(0,0,0,0.5)" }}
-          pointerEvents="none"
-        >
-          {displayTitleLines.map((line, index) => (
-            <tspan
-              key={`${line}-${index}`}
-              x={TEXT_X}
-              y={TITLE_Y + index * TITLE_LINE_HEIGHT}
-              fontSize="11px"
-              fontWeight="600"
-            >
-              {line}
-            </tspan>
-          ))}
-          {severity && (
-            <tspan
-              x={TEXT_X}
-              y={SEVERITY_Y}
-              fontSize="9px"
-              fill="rgba(255,255,255,0.82)"
-            >
-              {severity}
-            </tspan>
-          )}
-        </text>
-      </svg>
+      {displayTitle.isTruncated ? (
+        <Tooltip>
+          <TooltipTrigger asChild>{nodeSvg}</TooltipTrigger>
+          <TooltipContent>{title}</TooltipContent>
+        </Tooltip>
+      ) : (
+        nodeSvg
+      )}
     </>
   );
 };

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/graph/nodes/node-label-lines.ts

@@ -1,48 +0,0 @@
-const splitByMaxChars = (text: string, maxChars: number): string[] => {
-  const words = text.trim().split(/\s+/).filter(Boolean);
-  const lines: string[] = [];
-  let currentLine = "";
-
-  for (const word of words) {
-    if (!currentLine) {
-      currentLine = word;
-      continue;
-    }
-
-    const nextLine = `${currentLine} ${word}`;
-    if (nextLine.length <= maxChars) {
-      currentLine = nextLine;
-      continue;
-    }
-
-    lines.push(currentLine);
-    currentLine = word;
-  }
-
-  if (currentLine) lines.push(currentLine);
-  return lines;
-};
-
-const splitLongToken = (text: string, maxChars: number): string[] => {
-  const lines: string[] = [];
-
-  for (let index = 0; index < text.length; index += maxChars) {
-    lines.push(text.slice(index, index + maxChars));
-  }
-
-  return lines;
-};
-
-export const getNodeLabelLines = (
-  text: string,
-  maxChars: number,
-  maxLines: number,
-): string[] => {
-  if (!text.trim()) return [];
-
-  const rawLines = text.includes(" ")
-    ? splitByMaxChars(text, maxChars)
-    : splitLongToken(text, maxChars);
-
-  return rawLines.slice(0, maxLines);
-};

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/graph/nodes/resource-node.test.tsx

@@ -1,4 +1,5 @@
 import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
 import { type NodeProps, Position } from "@xyflow/react";
 import { describe, expect, it, vi } from "vitest";
 
@@ -84,5 +85,41 @@ describe("ResourceNode", () => {
       expect(screen.getByText("main-vpc")).toBeInTheDocument();
       expect(screen.getByText("VPC")).toBeInTheDocument();
     });
+
+    it("should show up to four readable lines for long resource names", () => {
+      // Given
+      const props = buildNodeProps(
+        buildGraphNode("AWSRole", "AWSReservedSSO_AdministratorAccessExtra"),
+      );
+
+      // When
+      const { container } = render(<ResourceNode {...props} />);
+
+      // Then
+      expect(screen.getByText("AWSReservedSSO_A")).toBeInTheDocument();
+      expect(screen.getByText("dministratorAcce")).toBeInTheDocument();
+      expect(screen.getByText("ssExtra")).toBeInTheDocument();
+      expect(screen.getByText("AWS Role")).toBeInTheDocument();
+      expect(container.querySelector("title")).toBeNull();
+    });
+
+    it("should expose the full resource name as an immediate tooltip when truncated", async () => {
+      // Given
+      const name =
+        "arn:aws:iam::998057895221:role/OrganizationAccountAccessRole/integration";
+      const props = buildNodeProps(buildGraphNode("AWSRole", name));
+
+      // When
+      render(<ResourceNode {...props} />);
+
+      // Then
+      expect(screen.getByText("arn:aws:iam::998")).toBeInTheDocument();
+      expect(screen.getByText("057895221:role/O")).toBeInTheDocument();
+      expect(screen.getByText("ntAccessRole/in…")).toBeInTheDocument();
+
+      await userEvent.hover(screen.getByTestId("attack-path-resource-node"));
+
+      expect(await screen.findAllByText(name)).not.toHaveLength(0);
+    });
   });
 });

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/graph/nodes/resource-node.tsx

@@ -2,11 +2,17 @@
 
 import { type NodeProps, Position } from "@xyflow/react";
 
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from "@/components/shadcn/tooltip";
 import type { GraphNode } from "@/types/attack-paths";
 
 import { resolveNodeColors, resolveNodeVisual } from "../../../_lib";
+import { RESOURCE_NODE_DIMENSIONS } from "../../../_lib/node-dimensions";
+import { getNodeLabelDisplay } from "../../../_lib/node-label-lines";
 import { HiddenHandles } from "./hidden-handles";
-import { getNodeLabelLines } from "./node-label-lines";
 
 interface ResourceNodeData {
   graphNode: GraphNode;
@@ -14,10 +20,10 @@ interface ResourceNodeData {
   [key: string]: unknown;
 }
 
-const NODE_WIDTH = 136;
-const NODE_HEIGHT = 112;
-const NAME_MAX_CHARS = 16;
-const NAME_MAX_LINES = 2;
+const NODE_WIDTH = RESOURCE_NODE_DIMENSIONS.WIDTH;
+const NODE_HEIGHT = RESOURCE_NODE_DIMENSIONS.HEIGHT;
+const NAME_MAX_CHARS = RESOURCE_NODE_DIMENSIONS.LABEL_MAX_CHARS;
+const NAME_MAX_LINES = RESOURCE_NODE_DIMENSIONS.LABEL_MAX_LINES;
 const BADGE_SIZE = 44;
 const BADGE_RADIUS = BADGE_SIZE / 2;
 const BADGE_CENTER_X = NODE_WIDTH / 2;
@@ -30,7 +36,7 @@ const ICON_Y = BADGE_CENTER_Y - ICON_SIZE / 2;
 const TEXT_X = BADGE_CENTER_X;
 const NAME_Y = 66;
 const NAME_LINE_HEIGHT = 13;
-const TYPE_Y = 94;
+const TYPE_Y = 118;
 
 const toIconTestId = (description: string): string =>
   `attack-path-node-icon-${description
@@ -52,13 +58,90 @@ export const ResourceNode = ({ data, selected }: NodeProps) => {
   const visual = resolveNodeVisual(graphNode);
   const Icon = visual.Icon;
 
-  const displayNameLines = getNodeLabelLines(
+  const displayName = getNodeLabelDisplay(
     visual.displayName,
     NAME_MAX_CHARS,
     NAME_MAX_LINES,
   );
   const typeLabel = visual.description;
   const iconLabel = `${visual.description} icon`;
+  const nodeSvg = (
+    <svg
+      width={NODE_WIDTH}
+      height={NODE_HEIGHT}
+      className="overflow-visible"
+      tabIndex={displayName.isTruncated ? 0 : undefined}
+      data-testid="attack-path-resource-node"
+    >
+      {glowRadius > 0 && (
+        <circle
+          cx={BADGE_CENTER_X}
+          cy={BADGE_CENTER_Y}
+          r={glowRadius}
+          fill={borderColor}
+          fillOpacity={glowOpacity}
+          pointerEvents="none"
+        />
+      )}
+      <circle
+        cx={BADGE_CENTER_X}
+        cy={BADGE_CENTER_Y}
+        r={BADGE_RADIUS}
+        fill={fillColor}
+        fillOpacity={0.92}
+        stroke={borderColor}
+        strokeWidth={badgeStrokeWidth}
+        className={selected ? "selected-node" : undefined}
+      />
+      <g
+        aria-label={iconLabel}
+        data-testid={toIconTestId(visual.description)}
+        role="img"
+        transform={`translate(${ICON_X}, ${ICON_Y})`}
+      >
+        <Icon
+          aria-hidden="true"
+          className="rounded-md"
+          focusable="false"
+          height={ICON_SIZE}
+          role="presentation"
+          size={ICON_SIZE}
+          width={ICON_SIZE}
+        />
+      </g>
+      <text
+        x={TEXT_X}
+        y={NAME_Y}
+        textAnchor="middle"
+        dominantBaseline="middle"
+        fill="#ffffff"
+        style={{ textShadow: "0 1px 2px rgba(0,0,0,0.5)" }}
+        pointerEvents="none"
+      >
+        {displayName.lines.map((line, index) => (
+          <tspan
+            key={`${line}-${index}`}
+            x={TEXT_X}
+            y={NAME_Y + index * NAME_LINE_HEIGHT}
+            fontSize="11px"
+            fontWeight="600"
+          >
+            {line}
+          </tspan>
+        ))}
+        {typeLabel && (
+          <tspan
+            x={TEXT_X}
+            y={TYPE_Y}
+            fontSize="9px"
+            fill="rgba(255,255,255,0.8)"
+          >
+            {typeLabel}
+          </tspan>
+        )}
+      </text>
+    </svg>
+  );
 
   return (
     <>
@@ -68,75 +151,14 @@ export const ResourceNode = ({ data, selected }: NodeProps) => {
         targetPosition={Position.Left}
         targetStyle={{ left: BADGE_LEFT_X, top: BADGE_CENTER_Y }}
       />
-      <svg width={NODE_WIDTH} height={NODE_HEIGHT} className="overflow-visible">
-        {glowRadius > 0 && (
-          <circle
-            cx={BADGE_CENTER_X}
-            cy={BADGE_CENTER_Y}
-            r={glowRadius}
-            fill={borderColor}
-            fillOpacity={glowOpacity}
-            pointerEvents="none"
-          />
-        )}
-        <circle
-          cx={BADGE_CENTER_X}
-          cy={BADGE_CENTER_Y}
-          r={BADGE_RADIUS}
-          fill={fillColor}
-          fillOpacity={0.92}
-          stroke={borderColor}
-          strokeWidth={badgeStrokeWidth}
-          className={selected ? "selected-node" : undefined}
-        />
-        <g
-          aria-label={iconLabel}
-          data-testid={toIconTestId(visual.description)}
-          role="img"
-          transform={`translate(${ICON_X}, ${ICON_Y})`}
-        >
-          <Icon
-            aria-hidden="true"
-            className="rounded-md"
-            focusable="false"
-            height={ICON_SIZE}
-            role="presentation"
-            size={ICON_SIZE}
-            width={ICON_SIZE}
-          />
-        </g>
-        <text
-          x={TEXT_X}
-          y={NAME_Y}
-          textAnchor="middle"
-          dominantBaseline="middle"
-          fill="#ffffff"
-          style={{ textShadow: "0 1px 2px rgba(0,0,0,0.5)" }}
-          pointerEvents="none"
-        >
-          {displayNameLines.map((line, index) => (
-            <tspan
-              key={`${line}-${index}`}
-              x={TEXT_X}
-              y={NAME_Y + index * NAME_LINE_HEIGHT}
-              fontSize="11px"
-              fontWeight="600"
-            >
-              {line}
-            </tspan>
-          ))}
-          {typeLabel && (
-            <tspan
-              x={TEXT_X}
-              y={TYPE_Y}
-              fontSize="9px"
-              fill="rgba(255,255,255,0.8)"
-            >
-              {typeLabel}
-            </tspan>
-          )}
-        </text>
-      </svg>
+      {displayName.isTruncated ? (
+        <Tooltip>
+          <TooltipTrigger asChild>{nodeSvg}</TooltipTrigger>
+          <TooltipContent>{visual.displayName}</TooltipContent>
+        </Tooltip>
+      ) : (
+        nodeSvg
+      )}
     </>
   );
 };

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/export.test.ts

@@ -126,6 +126,50 @@ describe("exportGraphAsPNG", () => {
     expect(link?.href).toBe("data:image/png;base64,AAAA");
   });
 
+  it("renders exported long resource labels with the same wrapping as graph nodes", async () => {
+    const container = buildContainerWithViewport();
+    const longLabelGraphData: AttackPathGraphData = {
+      nodes: [
+        {
+          id: "role-1",
+          labels: ["AWSRole"],
+          properties: { name: "AWSReservedSSO_AdministratorAccessExtra" },
+        },
+      ],
+    };
+
+    await exportGraphAsPNG(container, bounds, "graph.png", longLabelGraphData);
+
+    const context = vi.mocked(HTMLCanvasElement.prototype.getContext).mock
+      .results[0]?.value as CanvasRenderingContext2D;
+    const fillText = vi.mocked(context.fillText);
+
+    expect(fillText).toHaveBeenCalledWith(
+      "AWSReservedSSO_A",
+      expect.any(Number),
+      expect.any(Number),
+      136,
+    );
+    expect(fillText).toHaveBeenCalledWith(
+      "dministratorAcce",
+      expect.any(Number),
+      expect.any(Number),
+      136,
+    );
+    expect(fillText).toHaveBeenCalledWith(
+      "ssExtra",
+      expect.any(Number),
+      expect.any(Number),
+      136,
+    );
+    expect(fillText).toHaveBeenCalledWith(
+      "AWS Role",
+      expect.any(Number),
+      expect.any(Number),
+      136,
+    );
+  });
+
   it("re-throws a generic export error when canvas is unavailable", async () => {
     const container = buildContainerWithViewport();
     vi.spyOn(HTMLCanvasElement.prototype, "getContext").mockReturnValue(null);

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/export.ts

@@ -17,6 +17,11 @@ import {
   GRAPH_EDGE_COLOR_DARK,
 } from "./graph-colors";
 import { layoutWithDagre } from "./layout";
+import {
+  FINDING_NODE_DIMENSIONS,
+  RESOURCE_NODE_DIMENSIONS,
+} from "./node-dimensions";
+import { getNodeLabelDisplay } from "./node-label-lines";
 import { resolveNodeVisual } from "./node-visuals";
 
 interface ExportGraphOptions {
@@ -40,9 +45,7 @@ const BADGE_CENTER_Y = 26;
 const GLOW_RADIUS = 30;
 const LABEL_Y = 66;
 const LABEL_LINE_HEIGHT = 13;
-const TYPE_Y = 94;
-const RESOURCE_NAME_MAX_CHARS = 18;
-const RESOURCE_NAME_MAX_LINES = 2;
+const TYPE_Y = 118;
 
 const downloadBlob = (blob: Blob, filename: string) => {
   const url = URL.createObjectURL(blob);
@@ -165,33 +168,6 @@ const getResourcesWithFindings = (
   return resourcesWithFindings;
 };
 
-const getLabelLines = (label: string, maxChars: number, maxLines: number) => {
-  const words = label.split(/\s+/).filter(Boolean);
-  const lines: string[] = [];
-  let current = "";
-
-  words.forEach((word) => {
-    const next = current ? `${current} ${word}` : word;
-    if (next.length <= maxChars) {
-      current = next;
-      return;
-    }
-    if (current) lines.push(current);
-    current = word;
-  });
-
-  if (current) lines.push(current);
-  if (lines.length === 0) lines.push(label);
-
-  const visibleLines = lines.slice(0, maxLines);
-  if (lines.length > maxLines && visibleLines.length > 0) {
-    const lastIndex = visibleLines.length - 1;
-    visibleLines[lastIndex] = truncateLabel(visibleLines[lastIndex], maxChars);
-  }
-
-  return visibleLines;
-};
-
 const getFittedLayout = (graphData: AttackPathGraphData) => {
   const { rfNodes, rfEdges } = layoutWithDagre(
     graphData.nodes,
@@ -464,16 +440,21 @@ const drawNode = (
   context.textAlign = "center";
   context.textBaseline = "middle";
   context.font = "600 11px sans-serif";
-  getLabelLines(
+  const dimensions = isFinding
+    ? FINDING_NODE_DIMENSIONS
+    : RESOURCE_NODE_DIMENSIONS;
+  const labelMaxWidth = dimensions.WIDTH;
+
+  getNodeLabelDisplay(
     visual.displayName,
-    RESOURCE_NAME_MAX_CHARS,
-    RESOURCE_NAME_MAX_LINES,
-  ).forEach((line, index) => {
+    dimensions.LABEL_MAX_CHARS,
+    dimensions.LABEL_MAX_LINES,
+  ).lines.forEach((line, index) => {
     context.fillText(
       line,
       center.x,
       center.y + (LABEL_Y - BADGE_CENTER_Y) + index * LABEL_LINE_HEIGHT,
-      150,
+      labelMaxWidth,
     );
   });
 
@@ -483,7 +464,7 @@ const drawNode = (
     typeLabel,
     center.x,
     center.y + (TYPE_Y - BADGE_CENTER_Y),
-    150,
+    labelMaxWidth,
   );
 };
 

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/layout.test.ts

@@ -40,12 +40,12 @@ describe("layoutWithDagre", () => {
     expect(byId.get("finding-1")).toMatchObject({
       type: "finding",
       width: 150,
-      height: 112,
+      height: 124,
     });
     expect(byId.get("resource-1")).toMatchObject({
       type: "resource",
       width: 136,
-      height: 112,
+      height: 124,
     });
     expect(byId.get("internet-1")).toMatchObject({
       type: "internet",

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/layout.ts

@@ -8,12 +8,11 @@ import { type Edge, type Node, Position } from "@xyflow/react";
 
 import type { GraphEdge, GraphNode } from "@/types/attack-paths";
 
-// Node dimensions matching the rendered React Flow custom nodes.
-const RESOURCE_NODE_WIDTH = 136;
-const RESOURCE_NODE_HEIGHT = 112;
-const FINDING_NODE_WIDTH = 150;
-const FINDING_NODE_HEIGHT = 112;
-const INTERNET_DIAMETER = 80; // NODE_HEIGHT * 0.8 * 2
+import {
+  FINDING_NODE_DIMENSIONS,
+  INTERNET_NODE_DIMENSIONS,
+  RESOURCE_NODE_DIMENSIONS,
+} from "./node-dimensions";
 
 // Container relationships that get reversed for proper hierarchy
 const CONTAINER_RELATIONS = new Set([
@@ -49,10 +48,19 @@ const getNodeDimensions = (
   type: NodeType,
 ): { width: number; height: number } => {
   if (type === NODE_TYPE.FINDING)
-    return { width: FINDING_NODE_WIDTH, height: FINDING_NODE_HEIGHT };
+    return {
+      width: FINDING_NODE_DIMENSIONS.WIDTH,
+      height: FINDING_NODE_DIMENSIONS.HEIGHT,
+    };
   if (type === NODE_TYPE.INTERNET)
-    return { width: INTERNET_DIAMETER, height: INTERNET_DIAMETER };
-  return { width: RESOURCE_NODE_WIDTH, height: RESOURCE_NODE_HEIGHT };
+    return {
+      width: INTERNET_NODE_DIMENSIONS.DIAMETER,
+      height: INTERNET_NODE_DIMENSIONS.DIAMETER,
+    };
+  return {
+    width: RESOURCE_NODE_DIMENSIONS.WIDTH,
+    height: RESOURCE_NODE_DIMENSIONS.HEIGHT,
+  };
 };
 
 /**

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/node-dimensions.ts

@@ -0,0 +1,17 @@
+export const RESOURCE_NODE_DIMENSIONS = {
+  WIDTH: 136,
+  HEIGHT: 124,
+  LABEL_MAX_CHARS: 16,
+  LABEL_MAX_LINES: 4,
+} as const;
+
+export const FINDING_NODE_DIMENSIONS = {
+  WIDTH: 150,
+  HEIGHT: 124,
+  LABEL_MAX_CHARS: 18,
+  LABEL_MAX_LINES: 4,
+} as const;
+
+export const INTERNET_NODE_DIMENSIONS = {
+  DIAMETER: 80,
+} as const;

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/node-label-lines.test.ts

@@ -0,0 +1,31 @@
+import { describe, expect, it } from "vitest";
+
+import { getNodeLabelDisplay } from "./node-label-lines";
+
+describe("getNodeLabelDisplay", () => {
+  it("adds an ellipsis within the max width when wrapped label text exceeds the visible line budget", () => {
+    expect(
+      getNodeLabelDisplay("AWSReservedSSO_AdministratorAccess", 16, 2).lines,
+    ).toEqual(["AWSReservedSSO_A", "dministratorAcc…"]);
+  });
+
+  it("splits long tokens so unbroken identifiers do not overflow node labels", () => {
+    expect(
+      getNodeLabelDisplay("OrganizationAccountAccessRole", 16, 4).lines,
+    ).toEqual(["OrganizationAcco", "untAccessRole"]);
+  });
+
+  it("reports whether the visible label was truncated", () => {
+    expect(getNodeLabelDisplay("short-name", 16, 4)).toMatchObject({
+      isTruncated: false,
+      lines: ["short-name"],
+    });
+    expect(
+      getNodeLabelDisplay(
+        "arn:aws:iam::998057895221:role/OrganizationAccountAccessRole/integration",
+        16,
+        4,
+      ),
+    ).toMatchObject({ isTruncated: true });
+  });
+});

ui/app/(prowler)/attack-paths/(workflow)/query-builder/_lib/node-label-lines.ts

@@ -0,0 +1,64 @@
+const splitLongToken = (text: string, maxChars: number): string[] => {
+  const lines: string[] = [];
+
+  for (let index = 0; index < text.length; index += maxChars) {
+    lines.push(text.slice(index, index + maxChars));
+  }
+
+  return lines;
+};
+
+const splitByMaxChars = (text: string, maxChars: number): string[] => {
+  const words = text.trim().split(/\s+/).filter(Boolean);
+  const lines: string[] = [];
+  let currentLine = "";
+
+  for (const word of words) {
+    const wordLines = splitLongToken(word, maxChars);
+
+    for (const wordLine of wordLines) {
+      if (!currentLine) {
+        currentLine = wordLine;
+        continue;
+      }
+
+      const nextLine = `${currentLine} ${wordLine}`;
+      if (nextLine.length <= maxChars) {
+        currentLine = nextLine;
+        continue;
+      }
+
+      lines.push(currentLine);
+      currentLine = wordLine;
+    }
+  }
+
+  if (currentLine) lines.push(currentLine);
+  return lines;
+};
+
+const withEllipsis = (line: string, maxChars: number): string => {
+  if (maxChars <= 1) return "…";
+  return `${line.slice(0, maxChars - 1)}…`;
+};
+
+export const getNodeLabelDisplay = (
+  text: string,
+  maxChars: number,
+  maxLines: number,
+): { lines: string[]; isTruncated: boolean } => {
+  if (!text.trim()) return { lines: [], isTruncated: false };
+
+  const rawLines = splitByMaxChars(text, maxChars);
+  const isTruncated = rawLines.length > maxLines;
+  const visibleLines = rawLines.slice(0, maxLines);
+
+  if (isTruncated && visibleLines.length > 0) {
+    visibleLines[visibleLines.length - 1] = withEllipsis(
+      visibleLines[visibleLines.length - 1],
+      maxChars,
+    );
+  }
+
+  return { lines: visibleLines, isTruncated };
+};

ui/app/api/health/route.test.ts

@@ -3,8 +3,11 @@ import { afterEach, describe, expect, it, vi } from "vitest";
 import { GET } from "./route";
 
 interface HealthResponse {
-  status: "healthy";
-  service: "prowler-ui";
+  status: "pass";
+  version: string;
+  releaseId: string;
+  serviceId: "prowler-ui";
+  description: string;
 }
 
 const parseHealthResponse = async (response: Response) =>
@@ -16,12 +19,9 @@ describe("GET /api/health", () => {
     vi.unstubAllGlobals();
   });
 
-  it("should return a healthy response when the Next.js route handler responds", async () => {
+  it("should return an IETF-shaped healthy response when the Next.js route handler responds", async () => {
     // Given
-    const expectedBody: HealthResponse = {
-      status: "healthy",
-      service: "prowler-ui",
-    };
+    vi.stubEnv("NEXT_PUBLIC_PROWLER_RELEASE_VERSION", "1.28.0");
 
     // When
     const response = await GET();
@@ -29,8 +29,30 @@ describe("GET /api/health", () => {
 
     // Then
     expect(response.status).toBe(200);
+    expect(response.headers.get("Content-Type")).toBe(
+      "application/health+json",
+    );
     expect(response.headers.get("Cache-Control")).toBe("no-store");
-    expect(body).toEqual(expectedBody);
+    expect(body).toEqual({
+      status: "pass",
+      version: "1",
+      releaseId: "1.28.0",
+      serviceId: "prowler-ui",
+      description: "Prowler UI",
+    });
+  });
+
+  it("should fall back to 'unknown' when the release version env var is missing", async () => {
+    // Given
+    vi.stubEnv("NEXT_PUBLIC_PROWLER_RELEASE_VERSION", "");
+
+    // When
+    const response = await GET();
+    const body = await parseHealthResponse(response);
+
+    // Then
+    expect(response.status).toBe(200);
+    expect(body.releaseId).toBe("unknown");
   });
 
   it("should not call fetch while evaluating UI liveness", async () => {
@@ -60,10 +82,8 @@ describe("GET /api/health", () => {
 
     // Then
     expect(response.status).toBe(200);
-    expect(body).toEqual({
-      status: "healthy",
-      service: "prowler-ui",
-    });
+    expect(body.status).toBe("pass");
+    expect(body.serviceId).toBe("prowler-ui");
     expect(fetchMock).not.toHaveBeenCalled();
   });
 });

ui/app/api/health/route.ts

@@ -1,13 +1,18 @@
-const healthResponse = {
-  status: "healthy",
-  service: "prowler-ui",
-} as const;
-
 export const dynamic = "force-dynamic";
 
 export async function GET() {
-  return Response.json(healthResponse, {
+  const body = {
+    status: "pass",
+    version: "1",
+    releaseId: process.env.NEXT_PUBLIC_PROWLER_RELEASE_VERSION || "unknown",
+    serviceId: "prowler-ui",
+    description: "Prowler UI",
+  };
+
+  return new Response(JSON.stringify(body), {
+    status: 200,
     headers: {
+      "Content-Type": "application/health+json",
       "Cache-Control": "no-store",
     },
   });

ui/components/findings/table/resource-detail-drawer/resource-detail-drawer-content.test.tsx

@@ -46,10 +46,12 @@ vi.mock("next/link", () => ({
   default: ({
     children,
     href,
+    prefetch: _prefetch,
     ...props
   }: AnchorHTMLAttributes<HTMLAnchorElement> & {
     children: ReactNode;
     href: string;
+    prefetch?: boolean;
   }) => (
     <a href={href} {...props}>
       {children}
@@ -288,8 +290,21 @@ vi.mock("@/components/ui/entities/date-with-time", () => ({
 }));
 
 vi.mock("@/components/ui/entities/entity-info", () => ({
-  EntityInfo: ({ idAction }: { idAction?: ReactNode }) =>
-    idAction ? <span data-testid="entity-id-action">{idAction}</span> : null,
+  EntityInfo: ({
+    nameAction,
+    idAction,
+  }: {
+    nameAction?: ReactNode;
+    idAction?: ReactNode;
+  }) =>
+    nameAction || idAction ? (
+      <span>
+        {nameAction && (
+          <span data-testid="entity-name-action">{nameAction}</span>
+        )}
+        {idAction && <span data-testid="entity-id-action">{idAction}</span>}
+      </span>
+    ) : null,
 }));
 
 vi.mock("@/components/ui/table", () => ({
@@ -428,7 +443,7 @@ const mockFinding: ResourceDrawerFinding = {
 };
 
 describe("ResourceDetailDrawerContent — resource navigation", () => {
-  it("should render a View Resource link inline next to the resource UID", () => {
+  it("should render an icon-only View Resource link next to the resource name", () => {
     // Given
     render(
       <ResourceDetailDrawerContent
@@ -457,6 +472,12 @@ describe("ResourceDetailDrawerContent — resource navigation", () => {
     );
     expect(viewResourceLink).toHaveAttribute("target", "_blank");
     expect(viewResourceLink).toHaveAttribute("rel", "noopener noreferrer");
+    // Icon-only: accessible name comes from an sr-only span, not from an
+    // aria-label attribute, so the text lives in the DOM (more semantic).
+    expect(viewResourceLink).toHaveAccessibleName("View Resource");
+    expect(viewResourceLink).not.toHaveAttribute("aria-label");
+    const srOnlyLabel = viewResourceLink.querySelector(".sr-only");
+    expect(srOnlyLabel).toHaveTextContent("View Resource");
   });
 });
 const mockResourceRow: FindingResourceRow = {

ui/components/findings/table/resource-detail-drawer/resource-detail-drawer-content.tsx

@@ -441,8 +441,7 @@ export function ResourceDetailDrawerContent({
     findingUid: f?.uid,
     region: resourceRegion,
   });
-  const hasIdAction =
-    Boolean(resourceDetailHref) || Boolean(externalResourceTarget);
+  const hasIdAction = Boolean(externalResourceTarget);
   const findingRecommendationUrl = f?.remediation.recommendation.url;
   const checkRecommendationUrl = checkMeta.remediation.recommendation.url;
   const recommendationUrl = isNonEmptyString(findingRecommendationUrl)
@@ -712,32 +711,41 @@ export function ResourceDetailDrawerContent({
                       entityAlias={resourceName}
                       entityId={resourceUid}
                       idLabel="UID"
-                      idAction={
-                        hasIdAction ? (
-                          <span className="inline-flex items-center gap-2">
-                            {resourceDetailHref && (
+                      nameAction={
+                        resourceDetailHref ? (
+                          <Tooltip>
+                            <TooltipTrigger asChild>
                               <Button variant="link" size="link-sm" asChild>
                                 <Link
                                   href={resourceDetailHref}
                                   target="_blank"
                                   rel="noopener noreferrer"
+                                  prefetch={false}
                                 >
-                                  View Resource
-                                  <ExternalLink className="size-3" />
+                                  <span className="sr-only">View Resource</span>
+                                  <ExternalLink
+                                    className="size-3"
+                                    aria-hidden="true"
+                                  />
                                 </Link>
                               </Button>
-                            )}
-                            {externalResourceTarget && (
-                              <ExternalResourceLink
-                                providerType={providerType}
-                                resourceUid={resourceUid}
-                                providerUid={providerUid}
-                                resourceName={resourceName}
-                                findingUid={f?.uid}
-                                region={resourceRegion}
-                              />
-                            )}
-                          </span>
+                            </TooltipTrigger>
+                            <TooltipContent side="top">
+                              View Resource
+                            </TooltipContent>
+                          </Tooltip>
+                        ) : undefined
+                      }
+                      idAction={
+                        hasIdAction ? (
+                          <ExternalResourceLink
+                            providerType={providerType}
+                            resourceUid={resourceUid}
+                            providerUid={providerUid}
+                            resourceName={resourceName}
+                            findingUid={f?.uid}
+                            region={resourceRegion}
+                          />
                         ) : undefined
                       }
                     />

ui/components/ui/entities/entity-info.tsx

@@ -17,6 +17,8 @@ interface EntityInfoProps {
   icon?: ReactNode;
   /** Small icon rendered inline before the entity alias text */
   nameIcon?: ReactNode;
+  /** Inline element rendered after the entity alias (e.g. action link). */
+  nameAction?: ReactNode;
   entityAlias?: string;
   entityId?: string;
   badge?: string;
@@ -37,6 +39,7 @@ export const EntityInfo = ({
   cloudProvider,
   icon,
   nameIcon,
+  nameAction,
   entityAlias,
   entityId,
   badge,
@@ -74,6 +77,7 @@ export const EntityInfo = ({
                 ({badge})
               </span>
             )}
+            {nameAction && <span className="shrink-0">{nameAction}</span>}
           </div>
           {entityId && (
             <div className="flex min-w-0 items-center gap-2">

uv.lock

@@ -3315,6 +3315,7 @@ dependencies = [
     { name = "pygithub" },
     { name = "python-dateutil" },
     { name = "pytz" },
+    { name = "scaleway" },
     { name = "schema" },
     { name = "shodan" },
     { name = "slack-sdk" },
@@ -3419,6 +3420,7 @@ requires-dist = [
     { name = "pygithub", specifier = "==2.8.0" },
     { name = "python-dateutil", specifier = "==2.9.0.post0" },
     { name = "pytz", specifier = "==2025.1" },
+    { name = "scaleway", specifier = "==2.10.3" },
     { name = "schema", specifier = "==0.7.5" },
     { name = "shodan", specifier = "==1.31.0" },
     { name = "slack-sdk", specifier = "==3.39.0" },
@@ -4167,6 +4169,32 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/48/f0/ae7ca09223a81a1d890b2557186ea015f6e0502e9b8cb8e1813f1d8cfa4e/s3transfer-0.14.0-py3-none-any.whl", hash = "sha256:ea3b790c7077558ed1f02a3072fb3cb992bbbd253392f4b6e9e8976941c7d456", size = 85712, upload-time = "2025-09-09T19:23:30.041Z" },
 ]
 
+[[package]]
+name = "scaleway"
+version = "2.10.3"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "scaleway-core" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/64/ce/774eea10c35fb0f028d0ae2e45d404bc16d83ac5cdd12f410d348e6dd6a4/scaleway-2.10.3.tar.gz", hash = "sha256:b1f9dd1b1450767205234c6f5a345e5e25dc039c780253d698893b5c344ce594", size = 717421, upload-time = "2025-11-04T10:03:13.644Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e2/d6/2b41dfb4cac8bf51cc100050f70129aa5284d04344ceec1391176467b1cb/scaleway-2.10.3-py3-none-any.whl", hash = "sha256:dbf381440d6caf37c878cf16445a63f4969a4aac2257c9b72c744d10ff223a0c", size = 877950, upload-time = "2025-11-04T10:03:12.128Z" },
+]
+
+[[package]]
+name = "scaleway-core"
+version = "2.10.3"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "python-dateutil" },
+    { name = "pyyaml" },
+    { name = "requests" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/61/6a/9f53cc92ad2332f96b48bd4975e53e15b8099a148a4e7386d64d393538d5/scaleway_core-2.10.3.tar.gz", hash = "sha256:56432f755d694669429de51d51c1d0b3361b28dc2f939b28e4cb954610ee76be", size = 27282, upload-time = "2025-11-04T10:01:41.021Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/7c/d0/b6b133a27a94fc272d316f7bc8722be701130b93ee12c60c0c2413c16199/scaleway_core-2.10.3-py3-none-any.whl", hash = "sha256:fd4112144554d6adae22ff737555eeb0e38cb1063250b3e88c9aebc1b957793b", size = 33523, upload-time = "2025-11-04T10:01:40.106Z" },
+]
+
 [[package]]
 name = "schema"
 version = "0.7.5"