chore(deps): bump actions/cache from 5.0.4 to 5.0.5

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-19 18:53:33 +00:00 · 2026-05-12 14:35:23 +00:00
374 changed files with 22793 additions and 27844 deletions
@@ -2,19 +2,20 @@
 # Runs automatically on `wt switch --create`.

 # Block 1: setup + copy gitignored env files (.envrc, ui/.env.local)
-# from the primary worktree - patterns selected via .worktreeinclude.
+# from the primary worktree — patterns selected via .worktreeinclude.
 [[pre-start]]
 skills = "./skills/setup.sh --claude"
+python = "poetry env use python3.12"
 envs = "wt step copy-ignored"

-# Block 2: install Python deps (uv manages the venv on `uv sync`).
+# Block 2: install Python deps (requires `poetry env use` from block 1).
 [[pre-start]]
-deps = "uv sync"
+deps = "poetry install --with dev"

-# Block 3: reminder - last visible output before `wt switch` returns.
+# Block 3: reminder — last visible output before `wt switch` returns.
 # Hooks can't mutate the parent shell, so venv activation is manual.
 [[pre-start]]
-reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
+reminder = "echo '>> Reminder: activate the venv in this shell with: eval $(poetry env activate)'"

 # Background: pnpm install runs while you start working.
 # Tail logs via `wt config state logs`.
@@ -1,169 +0,0 @@
-name: 'OSV-Scanner'
-description: 'Install osv-scanner and scan a lockfile, failing on HIGH/CRITICAL/UNKNOWN severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
-author: 'Prowler'
-
-inputs:
-  lockfile:
-    description: 'Path to the lockfile to scan, relative to the repository root (e.g. uv.lock, api/uv.lock, ui/pnpm-lock.yaml).'
-    required: true
-  severity-levels:
-    description: 'Comma-separated severity levels that fail the scan. Default: HIGH,CRITICAL,UNKNOWN.'
-    required: false
-    default: 'HIGH,CRITICAL,UNKNOWN'
-  version:
-    description: 'osv-scanner release tag to install. When overriding, you MUST also override binary-sha256.'
-    required: false
-    default: 'v2.3.8'
-  binary-sha256:
-    description: 'Expected SHA256 of osv-scanner_linux_amd64 for the given version. Default tracks v2.3.8. See https://github.com/google/osv-scanner/releases/download/<version>/osv-scanner_SHA256SUMS.'
-    required: false
-    default: 'bc98e15319ed0d515e3f9235287ba53cdc5535d576d24fd573978ecfe9ab92dc'
-  post-pr-comment:
-    description: 'Post or update a PR comment with the scan report. Only effective on pull_request events. Requires pull-requests: write permission on the caller job.'
-    required: false
-    default: 'true'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Install osv-scanner
-      shell: bash
-      env:
-        OSV_SCANNER_VERSION: ${{ inputs.version }}
-      # Download the binary AND the published SHA256SUMS file, then verify the
-      # binary checksum against the upstream-signed manifest. Aborts on mismatch.
-      run: |
-        set -euo pipefail
-        if command -v osv-scanner >/dev/null 2>&1; then
-          INSTALLED="$(osv-scanner --version 2>&1 | awk '/scanner version/ {print $NF; exit}')"
-          if [ "v${INSTALLED}" = "${OSV_SCANNER_VERSION}" ]; then
-            echo "osv-scanner ${OSV_SCANNER_VERSION} already installed."
-            exit 0
-          fi
-        fi
-        BASE="https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}"
-        BIN_NAME="osv-scanner_linux_amd64"
-        curl -fSL --retry 3 "${BASE}/${BIN_NAME}" -o "${RUNNER_TEMP}/${BIN_NAME}"
-        curl -fSL --retry 3 "${BASE}/osv-scanner_SHA256SUMS" -o "${RUNNER_TEMP}/osv-scanner_SHA256SUMS"
-        (cd "${RUNNER_TEMP}" && sha256sum --check --ignore-missing osv-scanner_SHA256SUMS)
-        chmod +x "${RUNNER_TEMP}/${BIN_NAME}"
-        sudo mv "${RUNNER_TEMP}/${BIN_NAME}" /usr/local/bin/osv-scanner
-        rm -f "${RUNNER_TEMP}/osv-scanner_SHA256SUMS"
-        osv-scanner --version
-
-    - name: Run osv-scanner
-      id: scan
-      shell: bash
-      working-directory: ${{ github.workspace }}
-      env:
-        OSV_LOCKFILE: ${{ inputs.lockfile }}
-        OSV_SEVERITY_LEVELS: ${{ inputs.severity-levels }}
-        OSV_REPORT_FILE: ${{ runner.temp }}/osv-scanner-findings.json
-      # Per-vulnerability ignores (reason + expiry) live in osv-scanner.toml at the repo root, if present.
-      # Severity filter is enforced in the wrapper via OSV_SEVERITY_LEVELS.
-      # `continue-on-error: true` lets the PR-comment step run even when findings exist;
-      # the gate step below re-fails the job from the wrapper exit code.
-      continue-on-error: true
-      run: ./.github/scripts/osv-scan.sh --lockfile="${OSV_LOCKFILE}"
-
-    - name: Post osv-scanner report on PR
-      if: >-
-        always()
-        && inputs.post-pr-comment == 'true'
-        && github.event_name == 'pull_request'
-        && github.event.pull_request.head.repo.full_name == github.repository
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-      env:
-        OSV_REPORT_FILE: ${{ runner.temp }}/osv-scanner-findings.json
-        OSV_LOCKFILE: ${{ inputs.lockfile }}
-        OSV_SEVERITY_LEVELS: ${{ inputs.severity-levels }}
-      with:
-        script: |
-          const fs = require('fs');
-          const lockfile = process.env.OSV_LOCKFILE;
-          const severityLevels = process.env.OSV_SEVERITY_LEVELS;
-          const reportFile = process.env.OSV_REPORT_FILE;
-          const marker = `<!-- osv-scanner-report:${lockfile} -->`;
-          const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-
-          let findings = [];
-          if (fs.existsSync(reportFile)) {
-            try {
-              findings = JSON.parse(fs.readFileSync(reportFile, 'utf8'));
-            } catch (err) {
-              core.warning(`Could not parse ${reportFile}: ${err.message}`);
-              return;
-            }
-          }
-
-          const { data: comments } = await github.rest.issues.listComments({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            issue_number: context.issue.number,
-          });
-          const existing = comments.find(c => c.body?.includes(marker));
-
-          if (findings.length === 0) {
-            if (existing) {
-              await github.rest.issues.deleteComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existing.id,
-              });
-              core.info(`Deleted stale osv-scanner comment for ${lockfile}.`);
-            } else {
-              core.info(`No findings and no stale comment for ${lockfile}.`);
-            }
-            return;
-          }
-
-          const sevIcon = (s) => ({
-            CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🟢', UNKNOWN: '⚪',
-          }[s] || '⚪');
-          const escape = (s) => String(s ?? '').replace(/\|/g, '\\|').replace(/\n/g, ' ');
-          const rows = findings.map(f =>
-            `| ${sevIcon(f.severity)} ${f.severity}${f.score ? ` (${f.score})` : ''} | \`${escape(f.id)}\` | \`${escape(f.ecosystem)}/${escape(f.package)}\` | \`${escape(f.version)}\` | ${escape(f.summary || '(no summary)')} |`
-          );
-
-          const body = [
-            marker,
-            `## 🔒 osv-scanner: ${findings.length} finding(s) in \`${lockfile}\``,
-            '',
-            `Severity gate: \`${severityLevels}\``,
-            '',
-            '| Severity | ID | Package | Version | Summary |',
-            '|----------|----|---------|---------|---------|',
-            ...rows,
-            '',
-            `To accept a finding, add an \`[[IgnoredVulns]]\` entry to \`osv-scanner.toml\` at the repo root with a reason and \`ignoreUntil\`.`,
-            '',
-            `<sub>[View run](${runUrl})</sub>`,
-          ].join('\n');
-
-          if (existing) {
-            await github.rest.issues.updateComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              comment_id: existing.id,
-              body,
-            });
-            core.info(`Updated osv-scanner comment for ${lockfile}.`);
-          } else {
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body,
-            });
-            core.info(`Posted new osv-scanner comment for ${lockfile}.`);
-          }
-
-    - name: Enforce osv-scanner severity gate
-      shell: bash
-      env:
-        SCAN_OUTCOME: ${{ steps.scan.outcome }}
-      run: |
-        if [ "${SCAN_OUTCOME}" != "success" ]; then
-          echo "osv-scanner gate: scan reported findings (outcome=${SCAN_OUTCOME})" >&2
-          exit 1
-        fi
@@ -1,5 +1,5 @@
-name: 'Setup Python with uv'
-description: 'Setup Python environment with uv and install dependencies'
+name: 'Setup Python with Poetry'
+description: 'Setup Python environment with Poetry and install dependencies'
 author: 'Prowler'

 inputs:
@@ -7,15 +7,23 @@ inputs:
    description: 'Python version to use'
    required: true
  working-directory:
-    description: 'Working directory for uv'
+    description: 'Working directory for Poetry'
    required: false
    default: '.'
-  uv-version:
-    description: 'uv version to install'
+  poetry-version:
+    description: 'Poetry version to install'
    required: false
-    default: '0.11.14'
+    default: '2.3.4'
  install-dependencies:
-    description: 'Install Python dependencies with uv'
+    description: 'Install Python dependencies with Poetry'
+    required: false
+    default: 'true'
+  update-lock:
+    description: 'Run `poetry lock` during setup. Only enable when a prior step mutates pyproject.toml (e.g. API `@master` VCS rewrite). Default: false.'
+    required: false
+    default: 'false'
+  enable-cache:
+    description: 'Whether to enable Poetry dependency caching via actions/setup-python'
    required: false
    default: 'true'

@@ -39,52 +47,54 @@ runs:
          sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
        fi

-    - name: Update uv.lock with latest Prowler commit
+    - name: Install poetry
+      shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pipx install poetry==${INPUTS_POETRY_VERSION}
+      env:
+        INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }}
+
+    - name: Update poetry.lock with latest Prowler commit
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
-        echo "Updated uv.lock entry:"
-        grep "prowler-cloud/prowler" uv.lock
+        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+        }' poetry.lock
+        echo "Updated resolved_reference:"
+        grep -A2 -B2 "resolved_reference" poetry.lock

-    - name: Update uv.lock SDK commit (prowler repo on push)
-      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
+    - name: Update poetry.lock (prowler repo only)
+      if: github.repository == 'prowler-cloud/prowler' && inputs.update-lock == 'true'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
-      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
-        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
-        echo "Updated uv.lock entry:"
-        grep "prowler-cloud/prowler" uv.lock
-
-    - name: Install uv
-      shell: bash
-      env:
-        UV_VERSION: ${{ inputs.uv-version }}
-      run: pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir "uv==${UV_VERSION}"
+      run: poetry lock

    - name: Set up Python ${{ inputs.python-version }}
      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ inputs.python-version }}
-        cache: 'pip'
+        # Disable cache when callers skip dependency install: Poetry 2.3.4 creates
+        # the venv in a path setup-python can't hash, breaking the post-step save-cache.
+        cache: ${{ inputs.enable-cache == 'true' && 'poetry' || '' }}
+        cache-dependency-path: ${{ inputs.enable-cache == 'true' && format('{0}/poetry.lock', inputs.working-directory) || '' }}

    - name: Install Python dependencies
      if: inputs.install-dependencies == 'true'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
-        uv sync --no-install-project
-        uv run pip list
+        poetry install --no-root
+        poetry run pip list

    - name: Update Prowler Cloud API Client
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
-        uv remove prowler-cloud-api-client
-        uv add ./prowler-cloud-api-client
+        poetry remove prowler-cloud-api-client
+        poetry add ./prowler-cloud-api-client
@@ -72,11 +72,6 @@ provider/vercel:
      - any-glob-to-any-file: "prowler/providers/vercel/**"
      - any-glob-to-any-file: "tests/providers/vercel/**"

-provider/okta:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/okta/**"
-      - any-glob-to-any-file: "tests/providers/okta/**"
-
 github_actions:
  - changed-files:
      - any-glob-to-any-file: ".github/workflows/*"
@@ -114,8 +109,6 @@ mutelist:
      - any-glob-to-any-file: "tests/providers/googleworkspace/lib/mutelist/**"
      - any-glob-to-any-file: "prowler/providers/vercel/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/vercel/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/okta/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/okta/lib/mutelist/**"

 integration/s3:
  - changed-files:
@@ -36,7 +36,6 @@ Please add a detailed description of how to review this PR.

 #### UI
 - [ ] All issue/task requirements work as expected on the UI
- [ ] If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
@@ -49,7 +48,7 @@ Please add a detailed description of how to review this PR.
 - [ ] Performance test results (if applicable)
 - [ ] Any other relevant evidence of the implementation (if applicable)
 - [ ] Verify if API specs need to be regenerated.
- [ ] Check if version updates are required (e.g., specs, uv, etc.).
+- [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.

 ### License
@@ -1,122 +0,0 @@
-#!/usr/bin/env bash
-# Run osv-scanner and fail when findings match the configured severity levels.
-#
-# Replaces `safety check --policy-file .safety-policy.yml`. Used by:
-#   - .github/actions/osv-scanner/action.yml (composite action)
-#   - .github/workflows/api-security.yml, sdk-security.yml, ui-security.yml
-#
-# Severity levels (comma-separated) are read from OSV_SEVERITY_LEVELS.
-# Default: HIGH,CRITICAL,UNKNOWN — preserves prior .safety-policy.yml policy
-#   (ignore-cvss-severity-below: 7 + ignore-cvss-unknown-severity: False).
-# osv-scanner has no native CVSS threshold (google/osv-scanner#1400, closed
-# not-planned). Severity is derived from $group.max_severity (numeric CVSS
-# score string) which osv-scanner emits per group.
-#
-# CVSS v3 score → categorical label:
-#   CRITICAL  >= 9.0
-#   HIGH      >= 7.0
-#   MEDIUM    >= 4.0
-#   LOW       >  0.0
-#   UNKNOWN   no score available
-#
-# Per-vulnerability ignores (with reason + expiry) live in osv-scanner.toml at
-# the repo root, if it exists. Without that file, osv-scanner uses defaults.
-#
-# Usage:
-#   osv-scan.sh [osv-scanner pass-through args...]
-# Examples:
-#   osv-scan.sh --lockfile=uv.lock
-#   osv-scan.sh --recursive .
-#   OSV_SEVERITY_LEVELS=CRITICAL osv-scan.sh --lockfile=uv.lock
-
-set -euo pipefail
-
-ROOT="$(git rev-parse --show-toplevel)"
-CONFIG="${ROOT}/osv-scanner.toml"
-SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-HIGH,CRITICAL,UNKNOWN}"
-
-for bin in osv-scanner jq; do
-  if ! command -v "${bin}" >/dev/null 2>&1; then
-    echo "error: ${bin} not found in PATH" >&2
-    exit 2
-  fi
-done
-
-SCAN_ARGS=()
-if [ -f "${CONFIG}" ]; then
-  SCAN_ARGS+=(--config="${CONFIG}")
-fi
-
-# Exit codes: 0=clean, 1=findings, 127=no supported files, 128=internal error.
-STDERR="$(mktemp)"
-trap 'rm -f "${STDERR}"' EXIT
-
-set +e
-OUTPUT="$(osv-scanner scan source "${SCAN_ARGS[@]}" --format=json "$@" 2>"${STDERR}")"
-RC=$?
-set -e
-
-case "${RC}" in
-  0|1) ;;
-  127) echo "osv-scanner: no supported lockfiles in scan target"; exit 0 ;;
-  *)
-    echo "osv-scanner: exited with code ${RC}" >&2
-    [ -s "${STDERR}" ] && cat "${STDERR}" >&2
-    exit "${RC}"
-    ;;
-esac
-
-# Build a JSON array of normalized severity levels for jq.
-SEVERITY_JSON="$(printf '%s' "${SEVERITY_LEVELS}" | jq -Rc '
-  split(",") | map(ascii_upcase | sub("^\\s+"; "") | sub("\\s+$"; ""))
-')"
-
-# Walk each vulnerability, look up its group's max_severity (numeric CVSS),
-# map to a categorical label, then filter by OSV_SEVERITY_LEVELS.
-FINDINGS="$(printf '%s' "${OUTPUT}" | jq --argjson sevs "${SEVERITY_JSON}" '
-  [ .results[]?.packages[]?
-    | . as $pkg
-    | ($pkg.groups // []) as $groups
-    | ($pkg.vulnerabilities // [])[]
-    | . as $vuln
-    | ([ $groups[] | select((.ids // []) | index($vuln.id)) ][0] // {}) as $group
-    | (($group.max_severity // "") | tonumber? // null) as $score
-    | (if   $score == null then "UNKNOWN"
-       elif $score >= 9.0 then "CRITICAL"
-       elif $score >= 7.0 then "HIGH"
-       elif $score >= 4.0 then "MEDIUM"
-       elif $score >  0   then "LOW"
-       else                    "UNKNOWN"
-       end) as $label
-    | {
-        id: $vuln.id,
-        severity: $label,
-        score: $score,
-        summary: ($vuln.summary // null),
-        package: $pkg.package.name,
-        version: $pkg.package.version,
-        ecosystem: $pkg.package.ecosystem
-      }
-    | select(.severity as $s | $sevs | any(. == $s))
-  ]
-')"
-
-COUNT="$(printf '%s' "${FINDINGS}" | jq 'length')"
-
-# Write the findings JSON to OSV_REPORT_FILE so callers (e.g. the composite
-# action's PR-comment step) can consume the same data the gate decision uses.
-if [ -n "${OSV_REPORT_FILE:-}" ]; then
-  printf '%s' "${FINDINGS}" > "${OSV_REPORT_FILE}"
-fi
-
-if [ "${COUNT}" -gt 0 ]; then
-  echo "osv-scanner: ${COUNT} finding(s) at severity ${SEVERITY_LEVELS}"
-  printf '%s' "${FINDINGS}" | jq -r '
-    .[] | "  [\(.severity)\(if .score then " \(.score)" else "" end)] \(.id) \(.ecosystem)/\(.package)@\(.version) — \(.summary // "(no summary)")"
-  '
-  echo
-  echo "To accept a finding, create osv-scanner.toml at the repo root with a reason and ignoreUntil."
-  exit 1
-fi
-
-echo "osv-scanner: no findings at severity levels: ${SEVERITY_LEVELS}"
@@ -43,7 +43,6 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            api.github.com:443
-            raw.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -64,25 +63,26 @@ jobs:
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api
+          update-lock: 'true'

-      - name: uv lock check
+      - name: Poetry check
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv lock --check
+        run: poetry check --lock

      - name: Ruff lint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run ruff check . --exclude contrib
+        run: poetry run ruff check . --exclude contrib

      - name: Ruff format
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run ruff format --check . --exclude contrib
+        run: poetry run ruff format --check . --exclude contrib

      - name: Pylint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pylint --disable=W,C,R,E -j 0 -rn -sn src/
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
@@ -9,9 +9,7 @@ on:
      - 'api/**'
      - '.github/workflows/api-tests.yml'
      - '.github/workflows/api-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
+      - '.github/actions/setup-python-poetry/**'
  pull_request:
    branches:
      - "master"
@@ -20,9 +18,7 @@ on:
      - 'api/**'
      - '.github/workflows/api-tests.yml'
      - '.github/workflows/api-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
+      - '.github/actions/setup-python-poetry/**'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -39,7 +35,6 @@ jobs:
    timeout-minutes: 15
    permissions:
      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
    strategy:
      matrix:
        python-version:
@@ -57,12 +52,10 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -77,34 +70,30 @@ jobs:
          files: |
            api/**
            .github/workflows/api-security.yml
-            .github/actions/osv-scanner/**
-            .github/scripts/osv-scan.sh
+            .safety-policy.yml
          files_ignore: |
            api/docs/**
            api/README.md
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api
+          update-lock: 'true'

      - name: Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
-        # Exclude .venv because uv places the project venv inside ./api; otherwise
-        # bandit would recurse into installed third-party packages.
-        run: uv run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .

-      - name: Dependency vulnerability scan with osv-scanner
+      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: api/uv.lock
+        # Accepted CVEs, severity threshold, and ignore expirations live in ../.safety-policy.yml
+        run: poetry run safety check --policy-file ../.safety-policy.yml

      - name: Vulture
-        # Run even when osv-scanner reports findings so dead-code signal isn't masked by SCA failures.
-        if: ${{ !cancelled() && steps.check-changes.outputs.any_changed == 'true' }}
-        run: uv run vulture --exclude "contrib,tests,conftest.py,.venv" --min-confidence 100 .
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
@@ -87,7 +87,6 @@ jobs:
            files.pythonhosted.org:443
            cli.codecov.io:443
            keybase.io:443
-            raw.githubusercontent.com:443
            ingest.codecov.io:443
            storage.googleapis.com:443
            o26192.ingest.us.sentry.io:443
@@ -113,16 +112,17 @@ jobs:
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api
+          update-lock: 'true'

      - name: Run tests with pytest
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pytest --cov=./src/backend --cov-report=xml src/backend
+        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend

      - name: Upload coverage reports to Codecov
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -59,7 +59,7 @@ jobs:
            ui/**
            prowler/**
            mcp_server/**
-            uv.lock
+            poetry.lock
            pyproject.toml

      - name: Check for folder changes and changelog presence
@@ -84,9 +84,9 @@ jobs:
              fi
            done

-            # Check root-level dependency files (uv.lock, pyproject.toml)
+            # Check root-level dependency files (poetry.lock, pyproject.toml)
            # These are associated with the prowler folder changelog
-            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(uv\.lock|pyproject\.toml)$" || true)
+            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
            if [ -n "$root_deps_changed" ]; then
              echo "Detected changes in root dependency files: $root_deps_changed"
              # Check if prowler/CHANGELOG.md was already updated (might have been caught above)
@@ -40,11 +40,12 @@ jobs:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        persist-credentials: false

-    - name: Setup Python with uv
-      uses: ./.github/actions/setup-python-uv
+    - name: Setup Python with Poetry
+      uses: ./.github/actions/setup-python-poetry
      with:
        python-version: '3.12'
        install-dependencies: 'false'
+        enable-cache: 'false'

    - name: Configure Git
      run: |
@@ -338,11 +339,10 @@ jobs:
          exit 1
        fi

-        # Update uv lock file
-        echo "Updating uv.lock file..."
-        pip install --no-cache-dir uv==0.11.14
+        # Update poetry lock file
+        echo "Updating poetry.lock file..."
        cd api
-        uv lock
+        poetry lock
        cd ..

        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"
@@ -357,7 +357,7 @@ jobs:
        base: ${{ env.BRANCH_NAME }}
        add-paths: |
          api/pyproject.toml
-          api/uv.lock
+          api/poetry.lock
        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
        body: |
          ### Description
@@ -366,7 +366,7 @@ jobs:

          **Changes:**
          - Updates `api/pyproject.toml` prowler dependency from `@master` to `@${{ env.BRANCH_NAME }}`
-          - Updates `api/uv.lock` file with resolved dependencies
+          - Updates `api/poetry.lock` file with resolved dependencies

          This PR should be merged into the `${{ env.BRANCH_NAME }}` release branch.

@@ -71,26 +71,24 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}

-      - name: Check uv lock file
+      - name: Check Poetry lock file
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv lock --check
+        run: poetry check --lock

      - name: Lint with flake8
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude .venv,contrib,ui,api,skills,mcp_server
+        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api,skills

      - name: Check format with black
        if: steps.check-changes.outputs.any_changed == 'true'
-        # mcp_server has its own pyproject and uses ruff format, exclude it so SDK black
-        # does not fight ruff over rules it never formatted.
-        run: uv run black --exclude "\.venv|api|ui|skills|mcp_server" --check .
+        run: poetry run black --exclude "api|ui|skills" --check .

      - name: Lint with pylint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
@@ -73,10 +73,20 @@ jobs:
        with:
          persist-credentials: false

+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          install-dependencies: 'false'
+          enable-cache: 'false'
+
+      - name: Inject poetry-bumpversion plugin
+        run: pipx inject poetry poetry-bumpversion
+
      - name: Get Prowler version and set tags
        id: get-prowler-version
        run: |
-          PROWLER_VERSION="$(grep -E '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')"
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
@@ -9,7 +9,7 @@ on:
      - 'prowler/**'
      - 'Dockerfile*'
      - 'pyproject.toml'
-      - 'uv.lock'
+      - 'poetry.lock'
      - '.github/workflows/sdk-container-checks.yml'
  pull_request:
    branches:
@@ -19,7 +19,7 @@ on:
      - 'prowler/**'
      - 'Dockerfile*'
      - 'pyproject.toml'
-      - 'uv.lock'
+      - 'poetry.lock'
      - '.github/workflows/sdk-container-checks.yml'

 concurrency:
@@ -75,14 +75,15 @@ jobs:
        with:
          persist-credentials: false

-      - name: Setup Python with uv
-        uses: ./.github/actions/setup-python-uv
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          install-dependencies: 'false'
+          enable-cache: 'false'

      - name: Build Prowler package
-        run: uv build
+        run: poetry build

      - name: Publish Prowler package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
@@ -111,11 +112,12 @@ jobs:
        with:
          persist-credentials: false

-      - name: Setup Python with uv
-        uses: ./.github/actions/setup-python-uv
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          install-dependencies: 'false'
+          enable-cache: 'false'

      - name: Install toml package
        run: pip install toml
@@ -126,7 +128,7 @@ jobs:
          python util/replicate_pypi_package.py

      - name: Build prowler-cloud package
-        run: uv build
+        run: poetry build

      - name: Publish prowler-cloud package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
@@ -9,12 +9,10 @@ on:
      - 'prowler/**'
      - 'tests/**'
      - 'pyproject.toml'
-      - 'uv.lock'
+      - 'poetry.lock'
      - '.github/workflows/sdk-tests.yml'
      - '.github/workflows/sdk-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
+      - '.github/actions/setup-python-poetry/**'
  pull_request:
    branches:
      - 'master'
@@ -23,12 +21,10 @@ on:
      - 'prowler/**'
      - 'tests/**'
      - 'pyproject.toml'
-      - 'uv.lock'
+      - 'poetry.lock'
      - '.github/workflows/sdk-tests.yml'
      - '.github/workflows/sdk-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
+      - '.github/actions/setup-python-poetry/**'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -43,7 +39,6 @@ jobs:
    timeout-minutes: 15
    permissions:
      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings

    steps:
      - name: Harden Runner
@@ -54,12 +49,10 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -94,23 +87,21 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: '3.12'

      - name: Security scan with Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run bandit -q -lll -x '*_test.py,./.venv/,./contrib/,./api/,./ui' -r .
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .

-      - name: Dependency vulnerability scan with osv-scanner
+      - name: Security scan with Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: uv.lock
+        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
+        run: poetry run safety check -r pyproject.toml --policy-file .safety-policy.yml

      - name: Dead code detection with Vulture
-        # Run even when osv-scanner reports findings so dead-code signal isn't masked by SCA failures.
-        if: ${{ !cancelled() && steps.check-changes.outputs.any_changed == 'true' }}
-        run: uv run vulture --exclude ".venv,contrib,api,ui" --min-confidence 100 .
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
@@ -92,9 +92,9 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}

@@ -107,7 +107,7 @@ jobs:
          files: |
            ./prowler/**/aws/**
            ./tests/**/aws/**
-            ./uv.lock
+            ./poetry.lock

      - name: Resolve AWS services under test
        if: steps.changed-aws.outputs.any_changed == 'true'
@@ -209,11 +209,11 @@ jobs:
          echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"

          if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            uv run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
          elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
            echo "No AWS service paths detected; skipping AWS tests."
          else
-            uv run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
          fi
        env:
          STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
@@ -237,11 +237,11 @@ jobs:
          files: |
            ./prowler/**/azure/**
            ./tests/**/azure/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Azure tests
        if: steps.changed-azure.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
+        run: poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure

      - name: Upload Azure coverage to Codecov
        if: steps.changed-azure.outputs.any_changed == 'true'
@@ -261,11 +261,11 @@ jobs:
          files: |
            ./prowler/**/gcp/**
            ./tests/**/gcp/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run GCP tests
        if: steps.changed-gcp.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
+        run: poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp

      - name: Upload GCP coverage to Codecov
        if: steps.changed-gcp.outputs.any_changed == 'true'
@@ -285,11 +285,11 @@ jobs:
          files: |
            ./prowler/**/kubernetes/**
            ./tests/**/kubernetes/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Kubernetes tests
        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
+        run: poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes

      - name: Upload Kubernetes coverage to Codecov
        if: steps.changed-kubernetes.outputs.any_changed == 'true'
@@ -309,11 +309,11 @@ jobs:
          files: |
            ./prowler/**/github/**
            ./tests/**/github/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run GitHub tests
        if: steps.changed-github.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
+        run: poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github

      - name: Upload GitHub coverage to Codecov
        if: steps.changed-github.outputs.any_changed == 'true'
@@ -324,30 +324,6 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-github
          files: ./github_coverage.xml

-      # Okta Provider
-      - name: Check if Okta files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-okta
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ./prowler/**/okta/**
-            ./tests/**/okta/**
-            ./uv.lock
-
-      - name: Run Okta tests
-        if: steps.changed-okta.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/okta --cov-report=xml:okta_coverage.xml tests/providers/okta
-
-      - name: Upload Okta coverage to Codecov
-        if: steps.changed-okta.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-okta
-          files: ./okta_coverage.xml
-
      # NHN Provider
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -357,11 +333,11 @@ jobs:
          files: |
            ./prowler/**/nhn/**
            ./tests/**/nhn/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run NHN tests
        if: steps.changed-nhn.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
+        run: poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn

      - name: Upload NHN coverage to Codecov
        if: steps.changed-nhn.outputs.any_changed == 'true'
@@ -381,11 +357,11 @@ jobs:
          files: |
            ./prowler/**/m365/**
            ./tests/**/m365/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run M365 tests
        if: steps.changed-m365.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
+        run: poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365

      - name: Upload M365 coverage to Codecov
        if: steps.changed-m365.outputs.any_changed == 'true'
@@ -405,11 +381,11 @@ jobs:
          files: |
            ./prowler/**/iac/**
            ./tests/**/iac/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run IaC tests
        if: steps.changed-iac.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
+        run: poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac

      - name: Upload IaC coverage to Codecov
        if: steps.changed-iac.outputs.any_changed == 'true'
@@ -429,11 +405,11 @@ jobs:
          files: |
            ./prowler/**/mongodbatlas/**
            ./tests/**/mongodbatlas/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run MongoDB Atlas tests
        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas
+        run: poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas

      - name: Upload MongoDB Atlas coverage to Codecov
        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
@@ -453,11 +429,11 @@ jobs:
          files: |
            ./prowler/**/oraclecloud/**
            ./tests/**/oraclecloud/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run OCI tests
        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud
+        run: poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud

      - name: Upload OCI coverage to Codecov
        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
@@ -477,11 +453,11 @@ jobs:
          files: |
            ./prowler/**/openstack/**
            ./tests/**/openstack/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run OpenStack tests
        if: steps.changed-openstack.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/openstack --cov-report=xml:openstack_coverage.xml tests/providers/openstack
+        run: poetry run pytest -n auto --cov=./prowler/providers/openstack --cov-report=xml:openstack_coverage.xml tests/providers/openstack

      - name: Upload OpenStack coverage to Codecov
        if: steps.changed-openstack.outputs.any_changed == 'true'
@@ -501,11 +477,11 @@ jobs:
          files: |
            ./prowler/**/googleworkspace/**
            ./tests/**/googleworkspace/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Google Workspace tests
        if: steps.changed-googleworkspace.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/googleworkspace --cov-report=xml:googleworkspace_coverage.xml tests/providers/googleworkspace
+        run: poetry run pytest -n auto --cov=./prowler/providers/googleworkspace --cov-report=xml:googleworkspace_coverage.xml tests/providers/googleworkspace

      - name: Upload Google Workspace coverage to Codecov
        if: steps.changed-googleworkspace.outputs.any_changed == 'true'
@@ -525,11 +501,11 @@ jobs:
          files: |
            ./prowler/**/vercel/**
            ./tests/**/vercel/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Vercel tests
        if: steps.changed-vercel.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel
+        run: poetry run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel

      - name: Upload Vercel coverage to Codecov
        if: steps.changed-vercel.outputs.any_changed == 'true'
@@ -549,11 +525,11 @@ jobs:
          files: |
            ./prowler/lib/**
            ./tests/lib/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Lib tests
        if: steps.changed-lib.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
+        run: poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib

      - name: Upload Lib coverage to Codecov
        if: steps.changed-lib.outputs.any_changed == 'true'
@@ -573,11 +549,11 @@ jobs:
          files: |
            ./prowler/config/**
            ./tests/config/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Config tests
        if: steps.changed-config.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
+        run: poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config

      - name: Upload Config coverage to Codecov
        if: steps.changed-config.outputs.any_changed == 'true'
@@ -130,12 +130,6 @@ jobs:
          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env

-      - name: Build API image from current code
-        # docker-compose.yml references prowlercloud/prowler-api:latest from the registry,
-        # which lags behind PR changes; build locally so E2E exercises the API image
-        # produced by this PR.
-        run: docker build -t prowlercloud/prowler-api:latest ./api
-
      - name: Start API services
        run: |
          export PROWLER_API_VERSION=latest
@@ -164,7 +158,7 @@ jobs:
            for fixture in api/fixtures/dev/*.json; do
              if [ -f "$fixture" ]; then
                echo "Loading $fixture"
-                uv run python manage.py loaddata "$fixture" --database admin
+                poetry run python manage.py loaddata "$fixture" --database admin
              fi
            done
          '
@@ -184,7 +178,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -204,7 +198,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -1,75 +0,0 @@
-name: 'UI: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/package.json'
-      - 'ui/pnpm-lock.yaml'
-      - '.github/workflows/ui-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/package.json'
-      - 'ui/pnpm-lock.yaml'
-      - '.github/workflows/ui-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  ui-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Check for UI dependency changes
-        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ui/package.json
-            ui/pnpm-lock.yaml
-            .github/workflows/ui-security.yml
-            .github/actions/osv-scanner/**
-            .github/scripts/osv-scan.sh
-
-      - name: Dependency vulnerability scan with osv-scanner
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: ui/pnpm-lock.yaml
@@ -113,7 +113,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -132,10 +132,6 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        run: pnpm run healthcheck

-      - name: Run pnpm audit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run audit
-
      - name: Run unit tests (all - critical paths changed)
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed == 'true'
        run: |
@@ -162,7 +158,7 @@ jobs:
      - name: Cache Playwright browsers
        if: steps.check-changes.outputs.any_changed == 'true'
        id: playwright-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-chromium-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -107,21 +107,35 @@ repos:
        files: { glob: ["{api,mcp_server}/**/*.py"] }
        priority: 20

-  ## PYTHON — uv (API + SDK)
-  - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.11.14
+  ## PYTHON — Poetry
+  - repo: https://github.com/python-poetry/poetry
+    rev: 2.3.4
    hooks:
-      - id: uv-lock
-        name: API - uv-lock
-        args: ["--check", "--project=./api"]
-        files: { glob: ["api/{pyproject.toml,uv.lock}"] }
+      - id: poetry-check
+        name: API - poetry-check
+        args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
        pass_filenames: false
        priority: 50

-      - id: uv-lock
-        name: SDK - uv-lock
-        args: ["--check", "--project=./"]
-        files: { glob: ["{pyproject.toml,uv.lock}"] }
+      - id: poetry-lock
+        name: API - poetry-lock
+        args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
+        pass_filenames: false
+        priority: 50
+
+      - id: poetry-check
+        name: SDK - poetry-check
+        args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
+        pass_filenames: false
+        priority: 50
+
+      - id: poetry-lock
+        name: SDK - poetry-lock
+        args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
        pass_filenames: false
        priority: 50

@@ -165,6 +179,16 @@ repos:
        exclude: { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
        priority: 40

+      - id: safety
+        name: safety
+        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
+        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
+        entry: safety check --policy-file .safety-policy.yml
+        language: system
+        pass_filenames: false
+        files: { glob: ["**/pyproject.toml", "**/poetry.lock", "**/requirements*.txt", ".safety-policy.yml"] }
+        priority: 40
+
      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
@@ -11,11 +11,15 @@ build:
    python: "3.11"
  jobs:
    post_create_environment:
-      - python -m pip install uv==0.11.14
+      # Install poetry
+      # https://python-poetry.org/docs/#installing-manually
+      - python -m pip install poetry==2.3.4
    post_install:
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
      # VIRTUAL_ENV needs to be set manually for now.
      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
-      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} uv sync --group docs --no-install-project
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs

 mkdocs:
  configuration: mkdocs.yml
@@ -0,0 +1,58 @@
+# Safety policy for `safety check` (Safety CLI 3.x, v2 schema).
+# Applied in: .pre-commit-config.yaml, .github/workflows/api-security.yml,
+# .github/workflows/sdk-security.yml via `--policy-file`.
+#
+# Validate: poetry run safety validate policy_file --path .safety-policy.yml
+
+security:
+  # Scan unpinned requirements too. Prowler pins via poetry.lock, so this is
+  # defensive against accidental unpinned entries.
+  ignore-unpinned-requirements: False
+
+  # CVSS severity filter. 7 = report only HIGH (7.0–8.9) and CRITICAL (9.0–10.0).
+  # Reference: 9=CRITICAL only, 7=CRITICAL+HIGH, 4=CRITICAL+HIGH+MEDIUM.
+  ignore-cvss-severity-below: 7
+
+  # Unknown severity is unrated, not safe. Keep False so unrated CVEs still fail
+  # the build and get a human eye. Flip to True only if noise is unmanageable.
+  ignore-cvss-unknown-severity: False
+
+  # Fail the build when a non-ignored vulnerability is found.
+  continue-on-vulnerability-error: False
+
+  # Explicit accepted vulnerabilities. Each entry MUST have a reason and an
+  # expiry. Expired entries fail the scan, forcing re-audit.
+  ignore-vulnerabilities:
+    77744:
+      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
+      expires: '2026-10-22'
+    77745:
+      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
+      expires: '2026-10-22'
+    79023:
+      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
+      expires: '2026-10-22'
+    79027:
+      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
+      expires: '2026-10-22'
+    86217:
+      reason: "alibabacloud-tea-openapi==0.4.3 blocks upgrade to cryptography >=46.0.0."
+      expires: '2026-10-22'
+    71600:
+      reason: "CVE-2024-1135 false positive. Fixed in gunicorn 22.0.0; project uses 23.0.0."
+      expires: '2026-10-22'
+    70612:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    66963:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    74429:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    76352:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    76353:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
@@ -15,7 +15,7 @@ Use these skills for detailed patterns on-demand:
 |-------|-------------|-----|
 | `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
 | `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
-| `nextjs-16` | App Router, Server Actions, proxy.ts, streaming | [SKILL.md](skills/nextjs-16/SKILL.md) |
+| `nextjs-15` | App Router, Server Actions, streaming | [SKILL.md](skills/nextjs-15/SKILL.md) |
 | `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
 | `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
 | `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
@@ -60,14 +60,11 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding a compliance output formatter (per-provider class + table dispatcher) | `prowler-compliance` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding new providers | `prowler-provider` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
 | Adding services to existing providers | `prowler-provider` |
 | After creating/modifying a skill | `skill-sync` |
-| App Router / Server Actions | `nextjs-16` |
-| Auditing check-to-requirement mappings as a cloud auditor | `prowler-compliance` |
+| App Router / Server Actions | `nextjs-15` |
 | Building AI chat features | `ai-sdk-5` |
 | Committing changes | `prowler-commit` |
 | Configuring MCP servers in agentic workflows | `gh-aw` |
@@ -81,7 +78,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Creating a git commit | `prowler-commit` |
 | Creating new checks | `prowler-sdk-check` |
 | Creating new skills | `skill-creator` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying Prowler UI components | `prowler-ui` |
 | Creating/modifying models, views, serializers | `prowler-api` |
 | Creating/updating compliance frameworks | `prowler-compliance` |
@@ -89,7 +85,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Debugging gh-aw compilation errors | `gh-aw` |
 | Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist) | `prowler-pr` |
 | Fixing bug | `tdd` |
-| Fixing compliance JSON bugs (duplicate IDs, empty Section, stale refs) | `prowler-compliance` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -107,8 +102,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
 | Reviewing compliance framework PRs | `prowler-compliance-review` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
-| Syncing compliance framework with upstream catalog | `prowler-compliance` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Testing hooks or utilities | `vitest` |
 | Troubleshoot why a skill is missing from AGENTS.md auto-invoke | `skill-sync` |
@@ -136,7 +129,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Writing React components | `react-19` |
 | Writing TypeScript types/interfaces | `typescript` |
 | Writing Vitest tests | `vitest` |
-| Writing data backfill or data migration | `django-migration-psql` |
 | Writing documentation | `prowler-docs` |
 | Writing unit tests for UI | `vitest` |

@@ -148,9 +140,9 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,

 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.10+, uv |
+| SDK | `prowler/` | Python 3.10+, Poetry 2.3+ |
 | API | `api/` | Django 5.1, DRF, Celery |
-| UI | `ui/` | Next.js 16, React 19, Tailwind 4 |
+| UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
 | Dashboard | `dashboard/` | Dash, Plotly |

@@ -160,13 +152,13 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,

 ```bash
 # Setup
-uv sync
-uv run prek install
+poetry install --with dev
+poetry run prek install

 # Code quality
-uv run make lint
-uv run make format
-uv run prek run --all-files
+poetry run make lint
+poetry run make format
+poetry run prek run --all-files
 ```

 ---
@@ -78,7 +78,7 @@ WORKDIR /home/prowler
 # Copy necessary files
 COPY prowler/  /home/prowler/prowler/
 COPY dashboard/ /home/prowler/dashboard/
-COPY pyproject.toml uv.lock /home/prowler/
+COPY pyproject.toml /home/prowler
 COPY README.md /home/prowler/
 COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py

@@ -87,17 +87,17 @@ ENV HOME='/home/prowler'
 ENV PATH="${HOME}/.local/bin:${PATH}"
 #hadolint ignore=DL3013
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir uv==0.11.14
+    pip install --no-cache-dir poetry==2.3.4

-RUN uv sync --compile-bytecode && \
-    rm -rf ~/.cache/uv
+RUN poetry install --compile && \
+    rm -rf ~/.cache/pip

 # Install PowerShell modules
-RUN .venv/bin/python prowler/providers/m365/lib/powershell/m365_powershell.py
+RUN poetry run python prowler/providers/m365/lib/powershell/m365_powershell.py

 # Remove deprecated dash dependencies
 RUN pip uninstall dash-html-components -y && \
    pip uninstall dash-core-components -y

 USER prowler
-ENTRYPOINT [".venv/bin/prowler"]
+ENTRYPOINT ["poetry", "run", "prowler"]
@@ -23,7 +23,7 @@ format: ## Format Code

 lint: ## Lint Code
 	@echo "Running flake8..."
-	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude .venv,contrib
+	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
 	@echo "Running black... "
 	black --check .
 	@echo "Running pylint..."
@@ -35,7 +35,7 @@ pypi-clean: ## Delete the distribution files

 pypi-build: ## Build package
 	$(MAKE) pypi-clean && \
-	uv build
+	poetry build

 pypi-upload: ## Upload package
 	python3 -m twine upload --repository pypi dist/*
@@ -56,3 +56,4 @@ run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP,

 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev
+
@@ -117,10 +117,9 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 25 | 4 | 2 | 4 | Official | UI, API, CLI |
+| Google Workspace | 25 | 4 | 2 | 4 | Official | CLI |
 | OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 5 | Official | UI, API, CLI |
-| Okta | 1 | 1 | 0 | 1 | Official | CLI |
+| Vercel | 26 | 6 | 0 | 5 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -177,7 +176,7 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md
 **Requirements**

 * `git` installed.
-* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+* `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
 * `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
 * `Docker Compose` installed: https://docs.docker.com/compose/install/.

@@ -186,8 +185,8 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 docker compose up postgres valkey -d
@@ -195,6 +194,11 @@ cd src/backend
 python manage.py migrate --database admin
 gunicorn -c config/guniconf.py config.wsgi:application
 ```
+> [!IMPORTANT]
+> As of Poetry v2.0.0, the `poetry shell` command has been deprecated. Use `poetry env activate` instead for environment activation.
+>
+> If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
+> For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

@@ -203,8 +207,8 @@ gunicorn -c config/guniconf.py config.wsgi:application
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 cd src/backend
@@ -216,8 +220,8 @@ python -m celery -A config.celery worker -l info -E
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 cd src/backend
@@ -278,18 +282,24 @@ The container images are available here:

 ### From GitHub

-Python >=3.10, <3.13 is required with [uv](https://docs.astral.sh/uv/):
+Python >=3.10, <3.13 is required with pip and Poetry:

 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler
-uv sync
-source .venv/bin/activate
+eval $(poetry env activate)
+poetry install
 python prowler-cli.py -v
 ```
 > [!IMPORTANT]
 > To clone Prowler on Windows, configure Git to support long file paths by running the following command: `git config core.longpaths true`.

+> [!IMPORTANT]
+> As of Poetry v2.0.0, the `poetry shell` command has been deprecated. Use `poetry env activate` instead for environment activation.
+>
+> If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
+> For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.
+
 # 🛡️ GitHub Action

 The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
@@ -167,7 +167,7 @@ runs:

    - name: Upload SARIF to GitHub Code Scanning
      if: always() && inputs.upload-sarif == 'true' && steps.find-sarif.outputs.sarif_path != ''
-      uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+      uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
      with:
        sarif_file: ${{ steps.find-sarif.outputs.sarif_path }}
        category: ${{ inputs.sarif-category }}
@@ -124,24 +124,24 @@ api/src/backend/

 ```bash
 # Development
-uv run python src/backend/manage.py runserver
-uv run celery -A config.celery worker -l INFO
+poetry run python src/backend/manage.py runserver
+poetry run celery -A config.celery worker -l INFO

 # Database
-uv run python src/backend/manage.py makemigrations
-uv run python src/backend/manage.py migrate
+poetry run python src/backend/manage.py makemigrations
+poetry run python src/backend/manage.py migrate

 # Testing & Linting
-uv run pytest -x --tb=short
-uv run make lint
+poetry run pytest -x --tb=short
+poetry run make lint
 ```

 ---

 ## QA CHECKLIST

- [ ] `uv run pytest` passes
- [ ] `uv run make lint` passes
+- [ ] `poetry run pytest` passes
+- [ ] `poetry run make lint` passes
 - [ ] Migrations created if models changed
 - [ ] New endpoints have `@extend_schema` decorators
 - [ ] RLS properly applied for tenant data
@@ -10,21 +10,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ### 🔄 Changed

- Replace `poetry` with `uv` (`0.11.14`) as the API package manager; migrate `pyproject.toml` to `[dependency-groups]` and regenerate as `uv.lock` [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
 - Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- PDF compliance reports cap detail tables at 100 failed findings per check (configurable via `DJANGO_PDF_MAX_FINDINGS_PER_CHECK`) to bound worker memory on large scans [(#11160)](https://github.com/prowler-cloud/prowler/pull/11160)
-
-### 🐞 Fixed
-
- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` and, in one-shot scan-worker deployments, from burning a fresh container per redelivery [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
-
---
-
-## [1.27.2] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
- Attack Paths: BEDROCK-001 and BEDROCK-002 now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)

 ---

@@ -14,7 +14,6 @@ ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget \
-    git \
    libicu72 \
    gcc \
    g++ \
@@ -89,18 +88,18 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output

-COPY pyproject.toml uv.lock ./
+COPY pyproject.toml ./

 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir uv==0.11.14
+    pip install --no-cache-dir poetry==2.3.4

 ENV PATH="/home/prowler/.local/bin:$PATH"

-# Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --no-install-project && \
-    rm -rf ~/.cache/uv
+# Add `--no-root` to avoid installing the current project as a package
+RUN poetry install --no-root && \
+    rm -rf ~/.cache/pip

-RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py
+RUN poetry run python "$(poetry env info --path)/src/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py"

 COPY src/backend/ ./backend/
 COPY docker-entrypoint.sh ./docker-entrypoint.sh
@@ -25,11 +25,12 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t
 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

 ## Local deployment
-Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.
+Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:

 ```console
+poetry shell
 set -a
 source .env
 ```
@@ -77,7 +78,7 @@ docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')

 ## Local deployment

-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.

 ### Clone the repository

@@ -89,10 +90,11 @@ git clone https://github.com/prowler-cloud/api.git
 git clone git@github.com:prowler-cloud/api.git

 ```
-### Install all dependencies with uv
+### Install all dependencies with Poetry

 ```console
-uv sync
+poetry install
+poetry shell
 ```

 ## Start the PostgreSQL Database and Valkey
@@ -137,7 +139,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 ## Local deployment

-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.

 ### Clone the repository

@@ -163,10 +165,11 @@ docker compose up postgres valkey -d

 ### Install the Python dependencies

-> You must have uv installed
+> You must have Poetry installed

 ```console
-uv sync
+poetry install
+poetry shell
 ```

 ### Apply migrations
@@ -243,8 +246,9 @@ docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

 ```console
+poetry shell
 cd src/backend
-uv run python manage.py migrate --database admin
+python manage.py migrate --database admin
 ```

 ## Apply fixtures
@@ -252,8 +256,9 @@ uv run python manage.py migrate --database admin
 Fixtures are used to populate the database with initial development data.

 ```console
+poetry shell
 cd src/backend
-uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin
+python manage.py loaddata api/fixtures/0_dev_users.json --database admin
 ```

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`
@@ -265,8 +270,9 @@ Note that the tests will fail if you use the same `.env` file as the development
 For best results, run in a new shell with no environment variables set.

 ```console
+poetry shell
 cd src/backend
-uv run pytest
+pytest
 ```

 # Custom commands
@@ -278,7 +284,8 @@ Django provides a way to create custom commands that can be run from the command
 To run a custom command, you need to be in the `prowler/api/src/backend` directory and run:

 ```console
-uv run python manage.py <command_name>
+poetry shell
+python manage.py <command_name>
 ```

 ## Generate dummy data
@@ -301,7 +308,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 ### Example

 ```console
-~/backend $ uv run python manage.py findings --tenant
+~/backend $ poetry run python manage.py findings --tenant
 fffb1893-3fc7-4623-a5d9-fae47da1c528 --findings 25000 --re
 sources 1000 --batch 5000 --alias test-script

@@ -5,9 +5,9 @@ apply_migrations() {
  echo "Applying database migrations..."

  # Fix Inconsistent migration history after adding sites app
-  uv run python manage.py check_and_fix_socialaccount_sites_migration --database admin
+  poetry run python manage.py check_and_fix_socialaccount_sites_migration --database admin

-  uv run python manage.py migrate --database admin
+  poetry run python manage.py migrate --database admin
 }

 apply_fixtures() {
@@ -15,19 +15,19 @@ apply_fixtures() {
  for fixture in api/fixtures/dev/*.json; do
    if [ -f "$fixture" ]; then
      echo "Loading $fixture"
-      uv run python manage.py loaddata "$fixture" --database admin
+      poetry run python manage.py loaddata "$fixture" --database admin
    fi
  done
 }

 start_dev_server() {
  echo "Starting the development server..."
-  uv run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
+  poetry run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
 }

 start_prod_server() {
  echo "Starting the Gunicorn server..."
-  uv run gunicorn -c config/guniconf.py config.wsgi:application
+  poetry run gunicorn -c config/guniconf.py config.wsgi:application
 }

 resolve_worker_hostname() {
@@ -47,7 +47,7 @@ resolve_worker_hostname() {

 start_worker() {
  echo "Starting the worker..."
-  uv run python -m celery -A config.celery worker \
+  poetry run python -m celery -A config.celery worker \
    -n "$(resolve_worker_hostname)" \
    -l "${DJANGO_LOGGING_LEVEL:-info}" \
    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
@@ -56,7 +56,7 @@ start_worker() {

 start_worker_beat() {
  echo "Starting the worker-beat..."
-  uv run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
+  poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }

 manage_db_partitions() {
@@ -64,7 +64,7 @@ manage_db_partitions() {
    echo "Managing DB partitions..."
    # For now we skip the deletion of partitions until we define the data retention policy
    # --yes auto approves the operation without the need of an interactive terminal
-    uv run python manage.py pgpartition --using admin --skip-delete --yes
+    poetry run python manage.py pgpartition --using admin --skip-delete --yes
  fi
 }

@@ -1,24 +1,6 @@
-[dependency-groups]
-dev = [
-  "bandit==1.7.9",
-  "coverage==7.5.4",
-  "django-silk==5.3.2",
-  "docker==7.1.0",
-  "filelock==3.20.3",
-  "freezegun==1.5.1",
-  "mypy==1.10.1",
-  "pylint==3.2.5",
-  "pytest==9.0.3",
-  "pytest-cov==5.0.0",
-  "pytest-django==4.8.0",
-  "pytest-env==1.1.3",
-  "pytest-randomly==3.15.0",
-  "pytest-xdist==3.6.1",
-  "ruff==0.5.0",
-  "tqdm==4.67.1",
-  "vulture==2.14",
-  "prek==0.3.9"
-]
+[build-system]
+build-backend = "poetry.core.masonry.api"
+requires = ["poetry-core"]

 [project]
 authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
@@ -42,14 +24,14 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "defusedxml==0.7.1",
  "gunicorn==23.0.0",
-  "lxml==6.1.0",
+  "lxml==5.3.2",
  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (==1.3.0)",
  "sentry-sdk[django] (==2.56.0)",
  "uuid6==2024.7.10",
  "openai (==1.109.1)",
-  "xmlsec==1.3.17",
+  "xmlsec==1.3.14",
  "h2 (==4.3.0)",
  "markdown (==3.10.2)",
  "drf-simple-apikey (==2.2.1)",
@@ -70,380 +52,26 @@ package-mode = false
 requires-python = ">=3.11,<3.13"
 version = "1.28.0"

-[tool.uv]
-# Transitive pins matching master to avoid silent drift; bump deliberately.
-constraint-dependencies = [
-  "about-time==4.2.1",
-  "adal==1.2.7",
-  "aioboto3==15.5.0",
-  "aiobotocore==2.25.1",
-  "aiofiles==24.1.0",
-  "aiohappyeyeballs==2.6.1",
-  "aiohttp==3.13.5",
-  "aioitertools==0.13.0",
-  "aiosignal==1.4.0",
-  "alibabacloud-actiontrail20200706==2.4.1",
-  "alibabacloud-credentials==1.0.3",
-  "alibabacloud-credentials-api==1.0.0",
-  "alibabacloud-cs20151215==6.1.0",
-  "alibabacloud-darabonba-array==0.1.0",
-  "alibabacloud-darabonba-encode-util==0.0.2",
-  "alibabacloud-darabonba-map==0.0.1",
-  "alibabacloud-darabonba-signature-util==0.0.4",
-  "alibabacloud-darabonba-string==0.0.4",
-  "alibabacloud-darabonba-time==0.0.1",
-  "alibabacloud-ecs20140526==7.2.5",
-  "alibabacloud-endpoint-util==0.0.4",
-  "alibabacloud-gateway-oss==0.0.17",
-  "alibabacloud-gateway-oss-util==0.0.3",
-  "alibabacloud-gateway-sls==0.4.0",
-  "alibabacloud-gateway-sls-util==0.4.0",
-  "alibabacloud-gateway-spi==0.0.3",
-  "alibabacloud-openapi-util==0.2.4",
-  "alibabacloud-oss-util==0.0.6",
-  "alibabacloud-oss20190517==1.0.6",
-  "alibabacloud-ram20150501==1.2.0",
-  "alibabacloud-rds20140815==12.0.0",
-  "alibabacloud-sas20181203==6.1.0",
-  "alibabacloud-sls20201230==5.9.0",
-  "alibabacloud-sts20150401==1.1.6",
-  "alibabacloud-tea==0.4.3",
-  "alibabacloud-tea-openapi==0.4.4",
-  "alibabacloud-tea-util==0.3.14",
-  "alibabacloud-tea-xml==0.0.3",
-  "alibabacloud-vpc20160428==6.13.0",
-  "alive-progress==3.3.0",
-  "aliyun-log-fastpb==0.2.0",
-  "amqp==5.3.1",
-  "annotated-types==0.7.0",
-  "anyio==4.12.1",
-  "applicationinsights==0.11.10",
-  "apscheduler==3.11.2",
-  "argcomplete==3.5.3",
-  "asgiref==3.11.0",
-  "astroid==3.2.4",
-  "async-timeout==5.0.1",
-  "attrs==25.4.0",
-  "authlib==1.6.9",
-  "autopep8==2.3.2",
-  "awsipranges==0.3.3",
-  "azure-cli-core==2.83.0",
-  "azure-cli-telemetry==1.1.0",
-  "azure-common==1.1.28",
-  "azure-core==1.38.1",
-  "azure-identity==1.21.0",
-  "azure-keyvault-certificates==4.10.0",
-  "azure-keyvault-keys==4.10.0",
-  "azure-keyvault-secrets==4.10.0",
-  "azure-mgmt-apimanagement==5.0.0",
-  "azure-mgmt-applicationinsights==4.1.0",
-  "azure-mgmt-authorization==4.0.0",
-  "azure-mgmt-compute==34.0.0",
-  "azure-mgmt-containerinstance==10.1.0",
-  "azure-mgmt-containerregistry==12.0.0",
-  "azure-mgmt-containerservice==34.1.0",
-  "azure-mgmt-core==1.6.0",
-  "azure-mgmt-cosmosdb==9.7.0",
-  "azure-mgmt-databricks==2.0.0",
-  "azure-mgmt-datafactory==9.2.0",
-  "azure-mgmt-eventgrid==10.4.0",
-  "azure-mgmt-eventhub==11.2.0",
-  "azure-mgmt-keyvault==10.3.1",
-  "azure-mgmt-loganalytics==12.0.0",
-  "azure-mgmt-logic==10.0.0",
-  "azure-mgmt-monitor==6.0.2",
-  "azure-mgmt-network==28.1.0",
-  "azure-mgmt-postgresqlflexibleservers==1.1.0",
-  "azure-mgmt-rdbms==10.1.0",
-  "azure-mgmt-recoveryservices==3.1.0",
-  "azure-mgmt-recoveryservicesbackup==9.2.0",
-  "azure-mgmt-resource==24.0.0",
-  "azure-mgmt-search==9.1.0",
-  "azure-mgmt-security==7.0.0",
-  "azure-mgmt-sql==3.0.1",
-  "azure-mgmt-storage==22.1.1",
-  "azure-mgmt-subscription==3.1.1",
-  "azure-mgmt-synapse==2.0.0",
-  "azure-mgmt-web==8.0.0",
-  "azure-monitor-query==2.0.0",
-  "azure-storage-blob==12.24.1",
-  "azure-synapse-artifacts==0.21.0",
-  "backoff==2.2.1",
-  "bandit==1.7.9",
-  "billiard==4.2.4",
-  "blinker==1.9.0",
-  "boto3==1.40.61",
-  "botocore==1.40.61",
-  "cartography==0.135.0",
-  "celery==5.6.2",
-  "certifi==2026.1.4",
-  "cffi==2.0.0",
-  "charset-normalizer==3.4.4",
-  "circuitbreaker==2.1.3",
-  "click==8.3.1",
-  "click-didyoumean==0.3.1",
-  "click-plugins==1.1.1.2",
-  "click-repl==0.3.0",
-  "cloudflare==4.3.1",
-  "colorama==0.4.6",
-  "contextlib2==21.6.0",
-  "contourpy==1.3.3",
-  "coverage==7.5.4",
-  "cron-descriptor==1.4.5",
-  "crowdstrike-falconpy==1.6.0",
-  "cryptography==46.0.7",
-  "cycler==0.12.1",
-  "darabonba-core==1.0.5",
-  "dash==3.1.1",
-  "dash-bootstrap-components==2.0.3",
-  "debugpy==1.8.20",
-  "decorator==5.2.1",
-  "defusedxml==0.7.1",
-  "detect-secrets==1.5.0",
-  "dill==0.4.1",
-  "distro==1.9.0",
-  "dj-rest-auth==7.0.1",
-  "django==5.1.15",
-  "django-allauth==65.15.0",
-  "django-celery-beat==2.9.0",
-  "django-celery-results==2.6.0",
-  "django-cors-headers==4.4.0",
-  "django-environ==0.11.2",
-  "django-filter==24.3",
-  "django-guid==3.5.0",
-  "django-postgres-extra==2.0.9",
-  "django-silk==5.3.2",
-  "django-timezone-field==7.2.1",
-  "djangorestframework==3.15.2",
-  "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt==5.5.1",
-  "dnspython==2.8.0",
-  "docker==7.1.0",
-  "dogpile-cache==1.5.0",
-  "dparse==0.6.4",
-  "drf-extensions==0.8.0",
-  "drf-nested-routers==0.95.0",
-  "drf-simple-apikey==2.2.1",
-  "drf-spectacular==0.27.2",
-  "drf-spectacular-jsonapi==0.5.1",
-  "dulwich==0.23.0",
-  "duo-client==5.5.0",
-  "durationpy==0.10",
-  "email-validator==2.2.0",
-  "execnet==2.1.2",
-  "filelock==3.20.3",
-  "flask==3.1.3",
-  "fonttools==4.62.1",
-  "freezegun==1.5.1",
-  "frozenlist==1.8.0",
-  "gevent==25.9.1",
-  "google-api-core==2.29.0",
-  "google-api-python-client==2.163.0",
-  "google-auth==2.48.0",
-  "google-auth-httplib2==0.2.0",
-  "google-cloud-access-context-manager==0.3.0",
-  "google-cloud-asset==4.2.0",
-  "google-cloud-org-policy==1.16.0",
-  "google-cloud-os-config==1.23.0",
-  "google-cloud-resource-manager==1.16.0",
-  "googleapis-common-protos==1.72.0",
-  "gprof2dot==2025.4.14",
-  "graphemeu==0.7.2",
-  "greenlet==3.3.1",
-  "grpc-google-iam-v1==0.14.3",
-  "grpcio==1.76.0",
-  "grpcio-status==1.76.0",
-  "gunicorn==23.0.0",
-  "h11==0.16.0",
-  "h2==4.3.0",
-  "hpack==4.1.0",
-  "httpcore==1.0.9",
-  "httplib2==0.31.2",
-  "httpx==0.28.1",
-  "humanfriendly==10.0",
-  "hyperframe==6.1.0",
-  "iamdata==0.1.202602021",
-  "idna==3.11",
-  "importlib-metadata==8.7.1",
-  "inflection==0.5.1",
-  "iniconfig==2.3.0",
-  "iso8601==2.1.0",
-  "isodate==0.7.2",
-  "isort==5.13.2",
-  "itsdangerous==2.2.0",
-  "jinja2==3.1.6",
-  "jiter==0.13.0",
-  "jmespath==1.1.0",
-  "joblib==1.5.3",
-  "jsonpatch==1.33",
-  "jsonpickle==4.1.1",
-  "jsonpointer==3.0.0",
-  "jsonschema==4.23.0",
-  "jsonschema-specifications==2025.9.1",
-  "keystoneauth1==5.13.0",
-  "kiwisolver==1.4.9",
-  "knack==0.11.0",
-  "kombu==5.6.2",
-  "kubernetes==32.0.1",
-  "lxml==6.1.0",
-  "lz4==4.4.5",
-  "markdown==3.10.2",
-  "markdown-it-py==4.0.0",
-  "markupsafe==3.0.3",
-  "marshmallow==4.3.0",
-  "matplotlib==3.10.8",
-  "mccabe==0.7.0",
-  "mdurl==0.1.2",
-  "microsoft-kiota-abstractions==1.9.9",
-  "microsoft-kiota-authentication-azure==1.9.9",
-  "microsoft-kiota-http==1.9.9",
-  "microsoft-kiota-serialization-form==1.9.9",
-  "microsoft-kiota-serialization-json==1.9.9",
-  "microsoft-kiota-serialization-multipart==1.9.9",
-  "microsoft-kiota-serialization-text==1.9.9",
-  "microsoft-security-utilities-secret-masker==1.0.0b4",
-  "msal==1.35.0b1",
-  "msal-extensions==1.2.0",
-  "msgraph-core==1.3.8",
-  "msgraph-sdk==1.55.0",
-  "msrest==0.7.1",
-  "msrestazure==0.6.4.post1",
-  "multidict==6.7.1",
-  "mypy==1.10.1",
-  "mypy-extensions==1.1.0",
-  "narwhals==2.16.0",
-  "neo4j==6.1.0",
-  "nest-asyncio==1.6.0",
-  "nltk==3.9.4",
-  "numpy==2.0.2",
-  "oauthlib==3.3.1",
-  "oci==2.169.0",
-  "openai==1.109.1",
-  "openstacksdk==4.2.0",
-  "opentelemetry-api==1.39.1",
-  "opentelemetry-sdk==1.39.1",
-  "opentelemetry-semantic-conventions==0.60b1",
-  "os-service-types==1.8.2",
-  "packageurl-python==0.17.6",
-  "packaging==26.0",
-  "pagerduty==6.1.0",
-  "pandas==2.2.3",
-  "pbr==7.0.3",
-  "pillow==12.2.0",
-  "pkginfo==1.12.1.2",
-  "platformdirs==4.5.1",
-  "plotly==6.5.2",
-  "pluggy==1.6.0",
-  "policyuniverse==1.5.1.20231109",
-  "portalocker==2.10.1",
-  "prek==0.3.9",
-  "prompt-toolkit==3.0.52",
-  "propcache==0.4.1",
-  "proto-plus==1.27.0",
-  "protobuf==6.33.5",
-  "psutil==7.2.2",
-  "psycopg2-binary==2.9.9",
-  "py-deviceid==0.1.1",
-  "py-iam-expand==0.1.0",
-  "py-ocsf-models==0.8.1",
-  "pyasn1==0.6.3",
-  "pyasn1-modules==0.4.2",
-  "pycodestyle==2.14.0",
-  "pycparser==3.0",
-  "pydantic==2.12.5",
-  "pydantic-core==2.41.5",
-  "pygithub==2.8.0",
-  "pygments==2.20.0",
-  "pyjwt==2.12.1",
-  "pylint==3.2.5",
-  "pymsalruntime==0.18.1",
-  "pynacl==1.6.2",
-  "pyopenssl==26.0.0",
-  "pyparsing==3.3.2",
-  "pyreadline3==3.5.4",
-  "pysocks==1.7.1",
-  "pytest==9.0.3",
-  "pytest-celery==1.3.0",
-  "pytest-cov==5.0.0",
-  "pytest-django==4.8.0",
-  "pytest-docker-tools==3.1.9",
-  "pytest-env==1.1.3",
-  "pytest-randomly==3.15.0",
-  "pytest-xdist==3.6.1",
-  "python-crontab==3.3.0",
-  "python-dateutil==2.9.0.post0",
-  "python-digitalocean==1.17.0",
-  "python3-saml==1.16.0",
-  "pytz==2025.1",
-  "pywin32==311",
-  "pyyaml==6.0.3",
-  "redis==7.1.0",
-  "referencing==0.37.0",
-  "regex==2026.1.15",
-  "reportlab==4.4.10",
-  "requests==2.33.1",
-  "requests-file==3.0.1",
-  "requests-oauthlib==2.0.0",
-  "requestsexceptions==1.4.0",
-  "retrying==1.4.2",
-  "rich==14.3.2",
-  "rpds-py==0.30.0",
-  "rsa==4.9.1",
-  "ruamel-yaml==0.19.1",
-  "ruff==0.5.0",
-  "s3transfer==0.14.0",
-  "scaleway==2.10.3",
-  "scaleway-core==2.10.3",
-  "schema==0.7.5",
-  "sentry-sdk==2.56.0",
-  "setuptools==80.10.2",
-  "shellingham==1.5.4",
-  "shodan==1.31.0",
-  "six==1.17.0",
-  "slack-sdk==3.39.0",
-  "sniffio==1.3.1",
-  "sqlparse==0.5.5",
-  "statsd==4.0.1",
-  "std-uritemplate==2.0.8",
-  "stevedore==5.6.0",
-  "tabulate==0.9.0",
-  "tenacity==9.1.2",
-  "tldextract==5.3.1",
-  "tomlkit==0.14.0",
-  "tqdm==4.67.1",
-  "typer==0.21.1",
-  "types-aiobotocore-ecr==3.1.1",
-  "typing-extensions==4.15.0",
-  "typing-inspection==0.4.2",
-  "tzdata==2025.3",
-  "tzlocal==5.3.1",
-  "uritemplate==4.2.0",
-  "urllib3==2.7.0",
-  "uuid6==2024.7.10",
-  "vine==5.1.0",
-  "vulture==2.14",
-  "wcwidth==0.5.3",
-  "websocket-client==1.9.0",
-  "werkzeug==3.1.7",
-  "workos==6.0.4",
-  "wrapt==1.17.3",
-  "xlsxwriter==3.2.9",
-  "xmlsec==1.3.17",
-  "xmltodict==1.0.2",
-  "yarl==1.22.0",
-  "zipp==3.23.0",
-  "zope-event==6.1",
-  "zope-interface==8.2",
-  "zstd==1.5.7.3"
-]
-# prowler@master needs okta==3.4.2; cartography 0.135.0 declares okta<1.0.0 for an
-# integration prowler does not import.
-#
-# prowler@master hard-pins microsoft-kiota-abstractions==1.9.2 in [project.dependencies].
-# The microsoft-kiota-http security bump to 1.9.9 (GHSA-7j59-v9qr-6fq9) requires
-# microsoft-kiota-abstractions>=1.9.9, which a constraint cannot satisfy against the
-# SDK's hard pin; override it to the patched, kiota-aligned version.
-override-dependencies = [
-  "okta==3.4.2",
-  "microsoft-kiota-abstractions==1.9.9"
-]
+[project.scripts]
+celery = "src.backend.config.settings.celery"
+
+[tool.poetry.group.dev.dependencies]
+bandit = "1.7.9"
+coverage = "7.5.4"
+django-silk = "5.3.2"
+docker = "7.1.0"
+filelock = "3.20.3"
+freezegun = "1.5.1"
+mypy = "1.10.1"
+prek = "0.3.9"
+pylint = "3.2.5"
+pytest = "9.0.3"
+pytest-cov = "5.0.0"
+pytest-django = "4.8.0"
+pytest-env = "1.1.3"
+pytest-randomly = "3.15.0"
+pytest-xdist = "3.6.1"
+ruff = "0.5.0"
+safety = "3.7.0"
+tqdm = "4.67.1"
+vulture = "2.14"
@@ -484,8 +484,8 @@ AWS_BEDROCK_PRIVESC_PASSROLE_CODE_INTERPRETER = AttackPathsQueryDefinition(
                OR action = '*'
            )

-        // Find roles that trust the Bedrock AgentCore service (can be passed to a code interpreter)
-        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock-agentcore.amazonaws.com'}})
+        // Find roles that trust Bedrock service (can be passed to Bedrock)
+        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock.amazonaws.com'}})
        WHERE any(resource IN stmt_passrole.resource WHERE
            resource = '*'
            OR target_role.arn CONTAINS resource
@@ -536,8 +536,8 @@ AWS_BEDROCK_PRIVESC_INVOKE_CODE_INTERPRETER = AttackPathsQueryDefinition(
                OR action = '*'
            )

-        // Find roles that trust the Bedrock AgentCore service (already attached to existing code interpreters)
-        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock-agentcore.amazonaws.com'}})
+        // Find roles that trust Bedrock service (already attached to existing code interpreters)
+        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock.amazonaws.com'}})

        WITH collect(path_principal) + collect(path_target) AS paths
        UNWIND paths AS p
@@ -20,15 +20,11 @@ from tasks.jobs.reports import (
    ThreatScoreReportGenerator,
 )
 from tasks.jobs.threatscore import compute_threatscore_metrics
-from tasks.jobs.threatscore_utils import (
-    _aggregate_requirement_statistics_from_database,
-    _get_compliance_check_ids,
-)
+from tasks.jobs.threatscore_utils import _aggregate_requirement_statistics_from_database

 from api.db_router import READ_REPLICA_ALIAS, MainRouter
 from api.db_utils import rls_transaction
 from api.models import Provider, Scan, ScanSummary, StateChoices, ThreatScoreSnapshot
-from api.utils import initialize_prowler_provider
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.finding import Finding as FindingOutput

@@ -431,7 +427,6 @@ def generate_threatscore_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report based on Prowler ThreatScore framework.
@@ -460,7 +455,6 @@ def generate_threatscore_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
    )

@@ -475,7 +469,6 @@ def generate_ens_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for ENS RD2022 framework.
@@ -502,7 +495,6 @@ def generate_ens_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        include_manual=include_manual,
    )

@@ -518,7 +510,6 @@ def generate_nis2_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for NIS2 Directive (EU) 2022/2555.
@@ -546,7 +537,6 @@ def generate_nis2_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -563,7 +553,6 @@ def generate_csa_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for CSA Cloud Controls Matrix (CCM) v4.0.
@@ -591,7 +580,6 @@ def generate_csa_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -608,7 +596,6 @@ def generate_cis_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for a specific CIS Benchmark variant.
@@ -640,7 +627,6 @@ def generate_cis_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -785,17 +771,6 @@ def generate_compliance_reports(
        results["csa"] = {"upload": False, "path": ""}
        generate_csa = False

-    # Load the framework definitions for this provider once. We use this map
-    # both to pick the latest CIS variant and to precompute the set of
-    # check_ids each framework consumes (for findings_cache eviction).
-    frameworks_bulk: dict = {}
-    try:
-        frameworks_bulk = Compliance.get_bulk(provider_type)
-    except Exception as e:
-        logger.error("Error loading compliance frameworks for %s: %s", provider_type, e)
-        # Fall through; individual frameworks will still try and fail
-        # gracefully if their compliance_id is missing.
-
    # For CIS we do NOT pre-check the provider against a hard-coded whitelist
    # (that list drifts the moment a new CIS JSON ships). Instead, we inspect
    # the dynamically loaded framework map and pick the latest available CIS
@@ -803,6 +778,7 @@ def generate_compliance_reports(
    latest_cis: str | None = None
    if generate_cis:
        try:
+            frameworks_bulk = Compliance.get_bulk(provider_type)
            latest_cis = _pick_latest_cis_variant(
                name for name in frameworks_bulk.keys() if name.startswith("cis_")
            )
@@ -839,84 +815,10 @@ def generate_compliance_reports(
        tenant_id, scan_id
    )

-    # Initialize the Prowler provider once for the whole report batch. Each
-    # generator used to re-init this in _load_compliance_data, paying the
-    # boto3/Azure-SDK construction cost 5 times per scan. The instance is
-    # only used by FindingOutput.transform_api_finding to enrich findings,
-    # so a single shared instance is correct.
-    logger.info("Initializing prowler_provider once for all reports (scan %s)", scan_id)
-    try:
-        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            prowler_provider = initialize_prowler_provider(provider_obj)
-    except Exception as init_error:
-        # If init fails the generators will fall back to lazy init in
-        # _load_compliance_data; we just log and continue.
-        logger.warning(
-            "Could not pre-initialize prowler_provider for scan %s: %s",
-            scan_id,
-            init_error,
-        )
-        prowler_provider = None
-
-    # Create shared findings cache up front so the eviction closure below
-    # can reference it. Defined BEFORE the closure to avoid the UnboundLocalError
-    # trap if an early-return is later inserted between the closure and its
-    # first use.
-    findings_cache: dict[str, list[FindingOutput]] = {}
+    # Create shared findings cache
+    findings_cache = {}
    logger.info("Created shared findings cache for all reports")

-    # Precompute the set of check_ids each framework consumes. After a
-    # framework finishes, every check_id that no remaining framework still
-    # needs is evicted from findings_cache so the dict does not keep
-    # growing through the batch (PROWLER-1733).
-    pending_checks_by_framework: dict[str, set[str]] = {}
-    if generate_threatscore:
-        pending_checks_by_framework["threatscore"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"prowler_threatscore_{provider_type}")
-        )
-    if generate_ens:
-        pending_checks_by_framework["ens"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"ens_rd2022_{provider_type}")
-        )
-    if generate_nis2:
-        pending_checks_by_framework["nis2"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"nis2_{provider_type}")
-        )
-    if generate_csa:
-        pending_checks_by_framework["csa"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"csa_ccm_4.0_{provider_type}")
-        )
-    if generate_cis and latest_cis:
-        pending_checks_by_framework["cis"] = _get_compliance_check_ids(
-            frameworks_bulk.get(latest_cis)
-        )
-
-    def _evict_after_framework(done_key: str) -> int:
-        """Drop from findings_cache every check_id no pending framework still needs."""
-        done = pending_checks_by_framework.pop(done_key, set())
-        still_needed: set[str] = (
-            set().union(*pending_checks_by_framework.values())
-            if pending_checks_by_framework
-            else set()
-        )
-        exclusive = done - still_needed
-        evicted = 0
-        for cid in exclusive:
-            if findings_cache.pop(cid, None) is not None:
-                evicted += 1
-        if evicted:
-            logger.info(
-                "Evicted %d exclusive check entries from findings_cache after %s "
-                "(remaining cache size: %d)",
-                evicted,
-                done_key,
-                len(findings_cache),
-            )
-            # Release the lists' memory now instead of waiting for the next
-            # gc cycle; FindingOutput instances retain quite a bit of state.
-            gc.collect()
-        return evicted
-
    generated_report_keys: list[str] = []
    output_paths: dict[str, str] = {}
    out_dir: str | None = None
@@ -1005,7 +907,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            # Compute and store ThreatScore metrics snapshot
@@ -1083,15 +984,9 @@ def generate_compliance_reports(
                logger.warning("ThreatScore report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=threatscore scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating ThreatScore report: %s", e)
            results["threatscore"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("threatscore")
-
    # Generate ENS report
    if generate_ens:
        generated_report_keys.append("ens")
@@ -1111,7 +1006,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_ens = _upload_to_s3(
@@ -1126,15 +1020,9 @@ def generate_compliance_reports(
                logger.warning("ENS report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=ens scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating ENS report: %s", e)
            results["ens"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("ens")
-
    # Generate NIS2 report
    if generate_nis2:
        generated_report_keys.append("nis2")
@@ -1155,7 +1043,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_nis2 = _upload_to_s3(
@@ -1170,15 +1057,9 @@ def generate_compliance_reports(
                logger.warning("NIS2 report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=nis2 scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating NIS2 report: %s", e)
            results["nis2"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("nis2")
-
    # Generate CSA CCM report
    if generate_csa:
        generated_report_keys.append("csa")
@@ -1199,7 +1080,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_csa = _upload_to_s3(
@@ -1214,15 +1094,9 @@ def generate_compliance_reports(
                logger.warning("CSA CCM report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=csa scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating CSA CCM report: %s", e)
            results["csa"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("csa")
-
    # Generate CIS Benchmark report for the latest available version only.
    # CIS ships multiple versions per provider (e.g. cis_1.4_aws, cis_5.0_aws,
    # cis_6.0_aws); we dynamically pick the highest semantic version at run
@@ -1245,7 +1119,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_cis = _upload_to_s3(
@@ -1274,22 +1147,14 @@ def generate_compliance_reports(
                )

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=cis variant=%s scan_id=%s tenant_id=%s",
-                latest_cis,
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating CIS report %s: %s", latest_cis, e)
            results["cis"] = {
                "upload": False,
                "path": "",
                "error": str(e),
            }
        finally:
-            # Free ReportLab/matplotlib memory before moving on. CIS is
-            # always the last framework, so evicting its entries clears the
-            # cache entirely (subject to its check_ids set).
-            _evict_after_framework("cis")
+            # Free ReportLab/matplotlib memory before moving on.
            gc.collect()

    # Clean up temporary files only if all generated reports were
@@ -1,9 +1,6 @@
 import gc
 import os
-import resource as _resource_module
-import time
 from abc import ABC, abstractmethod
-from contextlib import contextmanager
 from dataclasses import dataclass, field
 from typing import Any

@@ -44,7 +41,6 @@ from .config import (
    COLOR_LIGHT_BLUE,
    COLOR_LIGHTER_BLUE,
    COLOR_PROWLER_DARK_GREEN,
-    FINDINGS_TABLE_CHUNK_SIZE,
    PADDING_LARGE,
    PADDING_SMALL,
    FrameworkConfig,
@@ -52,46 +48,6 @@ from .config import (

 logger = get_task_logger(__name__)

-
-@contextmanager
-def _log_phase(phase: str, **tags: Any):
-    """Log start/end timing and RSS deltas around a long-running task section.
-
-    Generic helper: callers pass arbitrary ``key=value`` tags
-    (e.g. ``scan_id``, ``framework``, ``provider_id``) and they are
-    emitted as part of the structured log line, so Grafana/Datadog/
-    CloudWatch queries can pivot by whichever dimension is relevant to
-    the task. ``getrusage`` returns KB on Linux and bytes on macOS;
-    the values are still useful in relative terms even though units
-    differ across platforms.
-    """
-    tag_str = " ".join(f"{key}={value}" for key, value in tags.items())
-    suffix = f" {tag_str}" if tag_str else ""
-
-    start = time.perf_counter()
-    rss_before = _resource_module.getrusage(_resource_module.RUSAGE_SELF).ru_maxrss
-    logger.info("phase_start phase=%s%s rss_kb=%d", phase, suffix, rss_before)
-    try:
-        yield
-    except Exception:
-        elapsed = time.perf_counter() - start
-        logger.exception(
-            "phase_failed phase=%s%s elapsed_s=%.2f", phase, suffix, elapsed
-        )
-        raise
-    else:
-        elapsed = time.perf_counter() - start
-        rss_after = _resource_module.getrusage(_resource_module.RUSAGE_SELF).ru_maxrss
-        logger.info(
-            "phase_end phase=%s%s elapsed_s=%.2f rss_kb=%d delta_rss_kb=%d",
-            phase,
-            suffix,
-            elapsed,
-            rss_after,
-            rss_after - rss_before,
-        )
-
-
 # Register fonts (done once at module load)
 _fonts_registered: bool = False

@@ -379,7 +335,6 @@ class BaseComplianceReportGenerator(ABC):
        provider_obj: Provider | None = None,
        requirement_statistics: dict[str, dict[str, int]] | None = None,
        findings_cache: dict[str, list[FindingOutput]] | None = None,
-        prowler_provider: Any | None = None,
        **kwargs,
    ) -> None:
        """Generate the PDF compliance report.
@@ -396,35 +351,23 @@ class BaseComplianceReportGenerator(ABC):
            provider_obj: Optional pre-fetched Provider object
            requirement_statistics: Optional pre-aggregated statistics
            findings_cache: Optional pre-loaded findings cache
-            prowler_provider: Optional pre-initialized Prowler provider. When
-                generating multiple reports for the same scan the master
-                function initializes this once and passes it in to avoid
-                re-running boto3/Azure-SDK setup per framework.
            **kwargs: Additional framework-specific arguments
        """
-        framework = self.config.display_name
        logger.info(
-            "report_generation_start framework=%s scan_id=%s compliance_id=%s",
-            framework,
-            scan_id,
-            compliance_id,
+            "Generating %s report for scan %s", self.config.display_name, scan_id
        )

        try:
            # 1. Load compliance data
-            with _log_phase(
-                "load_compliance_data", scan_id=scan_id, framework=framework
-            ):
-                data = self._load_compliance_data(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                    compliance_id=compliance_id,
-                    provider_id=provider_id,
-                    provider_obj=provider_obj,
-                    requirement_statistics=requirement_statistics,
-                    findings_cache=findings_cache,
-                    prowler_provider=prowler_provider,
-                )
+            data = self._load_compliance_data(
+                tenant_id=tenant_id,
+                scan_id=scan_id,
+                compliance_id=compliance_id,
+                provider_id=provider_id,
+                provider_obj=provider_obj,
+                requirement_statistics=requirement_statistics,
+                findings_cache=findings_cache,
+            )

            # 2. Create PDF document
            doc = self._create_document(output_path, data)
@@ -434,54 +377,37 @@ class BaseComplianceReportGenerator(ABC):
            elements = []

            # Cover page (lightweight)
-            with _log_phase("cover_page", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_cover_page(data))
-                elements.append(PageBreak())
+            elements.extend(self.create_cover_page(data))
+            elements.append(PageBreak())

            # Executive summary (framework-specific)
-            with _log_phase("executive_summary", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_executive_summary(data))
+            elements.extend(self.create_executive_summary(data))

            # Body sections (charts + requirements index)
            # Override _build_body_sections() in subclasses to change section order
-            with _log_phase("body_sections", scan_id=scan_id, framework=framework):
-                elements.extend(self._build_body_sections(data))
+            elements.extend(self._build_body_sections(data))

            # Detailed findings - heaviest section, loads findings on-demand
-            with _log_phase("detailed_findings", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_detailed_findings(data, **kwargs))
-                gc.collect()  # Free findings data after processing
+            logger.info("Building detailed findings section...")
+            elements.extend(self.create_detailed_findings(data, **kwargs))
+            gc.collect()  # Free findings data after processing

            # 4. Build the PDF
-            logger.info(
-                "doc_build_about_to_run framework=%s scan_id=%s elements=%d",
-                framework,
-                scan_id,
-                len(elements),
-            )
-            with _log_phase("doc_build", scan_id=scan_id, framework=framework):
-                self._build_pdf(doc, elements, data)
+            logger.info("Building PDF document with %d elements...", len(elements))
+            self._build_pdf(doc, elements, data)

            # Final cleanup
            del elements
            gc.collect()

-            logger.info(
-                "report_generation_end framework=%s scan_id=%s output_path=%s",
-                framework,
-                scan_id,
-                output_path,
-            )
+            logger.info("Successfully generated report at %s", output_path)

-        except Exception:
-            # logger.exception captures the full traceback; the contextual
-            # keys keep production search-by-scan-id viable.
-            logger.exception(
-                "report_generation_failed framework=%s scan_id=%s compliance_id=%s",
-                framework,
-                scan_id,
-                compliance_id,
-            )
+        except Exception as e:
+            import traceback
+
+            tb_lineno = e.__traceback__.tb_lineno if e.__traceback__ else "unknown"
+            logger.error("Error generating report, line %s -- %s", tb_lineno, e)
+            logger.error("Full traceback:\n%s", traceback.format_exc())
            raise

    def _build_body_sections(self, data: ComplianceData) -> list:
@@ -712,25 +638,15 @@ class BaseComplianceReportGenerator(ABC):
        for req in requirements:
            check_ids_to_load.extend(req.checks)

-        # Load findings on-demand only for the checks that will be displayed.
-        # When ``only_failed`` is active at requirement level, also push the
-        # FAIL filter down to the finding level: a requirement marked FAIL
-        # because 1/1000 findings failed must not render a table dominated by
-        # 999 PASS rows. That hides the actual failure under noise and
-        # makes the per-check cap truncate the wrong rows.
-        # ``total_counts`` is populated with the pre-cap total per check_id
-        # (FAIL-only when only_failed is active) so the "Showing first N of
-        # M" banner uses the same denominator the reader cares about.
+        # Load findings on-demand only for the checks that will be displayed
+        # Uses the shared findings cache to avoid duplicate queries across reports
        logger.info("Loading findings on-demand for %d requirements", len(requirements))
-        total_counts: dict[str, int] = {}
        findings_by_check_id = _load_findings_for_requirement_checks(
            data.tenant_id,
            data.scan_id,
            check_ids_to_load,
            data.prowler_provider,
            data.findings_by_check_id,  # Pass the cache to update it
-            total_counts_out=total_counts,
-            only_failed_findings=only_failed,
        )

        for req in requirements:
@@ -762,31 +678,9 @@ class BaseComplianceReportGenerator(ABC):
                        )
                    )
                else:
-                    # Surface truncation BEFORE the tables so readers see it
-                    # at the same scroll position as the data itself, not
-                    # after thousands of rendered rows.
-                    loaded = len(findings)
-                    total = total_counts.get(check_id, loaded)
-                    if total > loaded:
-                        kind = "failed findings" if only_failed else "findings"
-                        elements.append(
-                            Paragraph(
-                                f"<b>&#9888; Showing first {loaded:,} of "
-                                f"{total:,} {kind} for this check.</b> "
-                                f"Use the CSV or JSON-OCSF export for the full "
-                                f"list. The PDF caps detail rows to keep "
-                                f"the report readable and bounded in size.",
-                                self.styles["normal"],
-                            )
-                        )
-                        elements.append(Spacer(1, 0.05 * inch))
-
-                    # Create chunked findings tables to prevent OOM when a
-                    # single check has thousands of findings (ReportLab
-                    # resolves layout per Flowable, so many small tables
-                    # render contiguously with a bounded memory peak).
-                    findings_tables = self._create_findings_tables(findings)
-                    elements.extend(findings_tables)
+                    # Create findings table
+                    findings_table = self._create_findings_table(findings)
+                    elements.append(findings_table)

                elements.append(Spacer(1, 0.1 * inch))

@@ -841,7 +735,6 @@ class BaseComplianceReportGenerator(ABC):
        provider_obj: Provider | None,
        requirement_statistics: dict | None,
        findings_cache: dict | None,
-        prowler_provider: Any | None = None,
    ) -> ComplianceData:
        """Load and aggregate compliance data from the database.

@@ -853,9 +746,6 @@ class BaseComplianceReportGenerator(ABC):
            provider_obj: Optional pre-fetched Provider
            requirement_statistics: Optional pre-aggregated statistics
            findings_cache: Optional pre-loaded findings
-            prowler_provider: Optional pre-initialized Prowler provider. When
-                the master function initializes it once and passes it in,
-                we skip the per-report ``initialize_prowler_provider`` call.

        Returns:
            Aggregated ComplianceData object
@@ -865,8 +755,7 @@ class BaseComplianceReportGenerator(ABC):
            if provider_obj is None:
                provider_obj = Provider.objects.get(id=provider_id)

-            if prowler_provider is None:
-                prowler_provider = initialize_prowler_provider(provider_obj)
+            prowler_provider = initialize_prowler_provider(provider_obj)
            provider_type = provider_obj.provider

            # Load compliance framework
@@ -934,32 +823,13 @@ class BaseComplianceReportGenerator(ABC):
    ) -> SimpleDocTemplate:
        """Create the PDF document template.

-        Validates that ``output_path`` is a filesystem path string with an
-        existing parent directory. SimpleDocTemplate technically accepts a
-        BytesIO too, but we want every report to land on disk so the
-        Celery worker doesn't hold the full PDF in memory while uploading
-        to S3.
-
        Args:
            output_path: Path for the output PDF
            data: Compliance data for metadata

        Returns:
            Configured SimpleDocTemplate
-
-        Raises:
-            TypeError: ``output_path`` is not a string.
-            FileNotFoundError: The parent directory does not exist.
        """
-        if not isinstance(output_path, str):
-            raise TypeError(
-                "output_path must be a filesystem path string; "
-                f"got {type(output_path).__name__}"
-            )
-        parent_dir = os.path.dirname(output_path)
-        if parent_dir and not os.path.isdir(parent_dir):
-            raise FileNotFoundError(f"Output directory does not exist: {parent_dir}")
-
        return SimpleDocTemplate(
            output_path,
            pagesize=letter,
@@ -1006,10 +876,47 @@ class BaseComplianceReportGenerator(ABC):
            onLaterPages=add_footer,
        )

-    # Column layout shared by all findings sub-tables. Defined as a method so
-    # subclasses can override it without re-implementing the chunking logic.
-    def _findings_table_columns(self) -> list[ColumnConfig]:
-        return [
+    def _create_findings_table(self, findings: list[FindingOutput]) -> Any:
+        """Create a findings table.
+
+        Args:
+            findings: List of finding objects
+
+        Returns:
+            ReportLab Table element
+        """
+
+        def get_finding_title(f):
+            metadata = getattr(f, "metadata", None)
+            if metadata:
+                return getattr(metadata, "CheckTitle", getattr(f, "check_id", ""))
+            return getattr(f, "check_id", "")
+
+        def get_resource_name(f):
+            name = getattr(f, "resource_name", "")
+            if not name:
+                name = getattr(f, "resource_uid", "")
+            return name
+
+        def get_severity(f):
+            metadata = getattr(f, "metadata", None)
+            if metadata:
+                return getattr(metadata, "Severity", "").capitalize()
+            return ""
+
+        # Convert findings to dicts for the table
+        data = []
+        for f in findings:
+            item = {
+                "title": get_finding_title(f),
+                "resource_name": get_resource_name(f),
+                "severity": get_severity(f),
+                "status": getattr(f, "status", "").upper(),
+                "region": getattr(f, "region", "global"),
+            }
+            data.append(item)
+
+        columns = [
            ColumnConfig("Finding", 2.5 * inch, "title"),
            ColumnConfig("Resource", 3 * inch, "resource_name"),
            ColumnConfig("Severity", 0.9 * inch, "severity"),
@@ -1017,122 +924,9 @@ class BaseComplianceReportGenerator(ABC):
            ColumnConfig("Region", 0.9 * inch, "region"),
        ]

-    @staticmethod
-    def _finding_to_row(f: FindingOutput) -> dict[str, str]:
-        """Project a FindingOutput onto the row dict the table expects.
-
-        Kept defensive: missing metadata or attributes return empty strings
-        rather than raising, so a single malformed finding never breaks the
-        whole report.
-        """
-        metadata = getattr(f, "metadata", None)
-        title = (
-            getattr(metadata, "CheckTitle", getattr(f, "check_id", ""))
-            if metadata
-            else getattr(f, "check_id", "")
-        )
-        resource_name = getattr(f, "resource_name", "") or getattr(
-            f, "resource_uid", ""
-        )
-        severity = getattr(metadata, "Severity", "").capitalize() if metadata else ""
-        return {
-            "title": title,
-            "resource_name": resource_name,
-            "severity": severity,
-            "status": getattr(f, "status", "").upper(),
-            "region": getattr(f, "region", "global"),
-        }
-
-    def _create_findings_tables(
-        self,
-        findings: list[FindingOutput],
-        chunk_size: int | None = None,
-    ) -> list[Any]:
-        """Build a list of small findings tables to keep ``doc.build()`` memory bounded.
-
-        ReportLab resolves layout (column widths, row heights, page-breaks)
-        per Flowable. A single ``LongTable`` of 15k rows forces all of that
-        to be computed at once and reliably OOMs the worker on large scans.
-        Splitting into chunks of ``chunk_size`` rows produces an equivalent-
-        looking PDF (LongTable repeats headers; chunks render contiguously)
-        with a bounded memory peak per chunk.
-
-        Args:
-            findings: List of finding objects for a single check.
-            chunk_size: Rows per sub-table. ``None`` uses
-                ``FINDINGS_TABLE_CHUNK_SIZE`` from config.
-
-        Returns:
-            List of ReportLab flowables (interleaved ``Table``/``LongTable``
-            and small ``Spacer`` between chunks). Empty list when there are
-            no findings.
-        """
-        if not findings:
-            return []
-
-        chunk_size = chunk_size or FINDINGS_TABLE_CHUNK_SIZE
-
-        # Build all rows first so we can chunk without re-walking the
-        # FindingOutput list. Malformed findings are skipped with a logged
-        # exception, never enough to abort the entire report.
-        rows: list[dict[str, str]] = []
-        for f in findings:
-            try:
-                rows.append(self._finding_to_row(f))
-            except Exception:
-                logger.exception(
-                    "Skipping malformed finding while building table for check %s",
-                    getattr(f, "check_id", "unknown"),
-                )
-
-        if not rows:
-            return []
-
-        columns = self._findings_table_columns()
-
-        flowables: list = []
-        total = len(rows)
-        for start in range(0, total, chunk_size):
-            chunk = rows[start : start + chunk_size]
-            flowables.append(
-                create_data_table(
-                    data=chunk,
-                    columns=columns,
-                    header_color=self.config.primary_color,
-                    normal_style=self.styles["normal_center"],
-                )
-            )
-            # A tiny spacer between chunks keeps them visually contiguous
-            # without forcing a page-break (KeepTogether would negate the
-            # memory benefit of chunking).
-            if start + chunk_size < total:
-                flowables.append(Spacer(1, 0.05 * inch))
-
-        if total > chunk_size:
-            logger.debug(
-                "Built %d findings sub-tables (chunk_size=%d, total_findings=%d)",
-                (total + chunk_size - 1) // chunk_size,
-                chunk_size,
-                total,
-            )
-
-        return flowables
-
-    def _create_findings_table(self, findings: list[FindingOutput]) -> Any:
-        """Deprecated alias kept for backwards compatibility.
-
-        Returns the first chunk produced by ``_create_findings_tables``.
-        New callers MUST use ``_create_findings_tables``, which returns a
-        list of flowables and is what ``create_detailed_findings`` invokes.
-        """
-        flowables = self._create_findings_tables(findings)
-        if flowables:
-            return flowables[0]
-        # Empty input → return an empty (header-only) table so callers that
-        # used to receive a Table never get None.
        return create_data_table(
-            data=[],
-            columns=self._findings_table_columns(),
+            data=data,
+            columns=columns,
            header_color=self.config.primary_color,
            normal_style=self.styles["normal_center"],
        )
@@ -1,11 +1,9 @@
 import gc
 import io
 import math
-import time
 from typing import Callable

 import matplotlib
-from celery.utils.log import get_task_logger

 # Use non-interactive Agg backend for memory efficiency in server environments
 # This MUST be set before importing pyplot
@@ -22,26 +20,6 @@ from .config import (  # noqa: E402
    CHART_DPI_DEFAULT,
 )

-logger = get_task_logger(__name__)
-
-
-def _log_chart_built(name: str, dpi: int, buffer: io.BytesIO, started: float) -> None:
-    """Emit a structured DEBUG line summarising a chart render.
-
-    Centralised so the formatting stays consistent across all chart helpers
-    and so we never accidentally pay for buffer.getbuffer().nbytes when
-    debug logging is disabled.
-    """
-    if logger.isEnabledFor(10):  # logging.DEBUG
-        logger.debug(
-            "chart_built name=%s dpi=%d bytes=%d elapsed_s=%.2f",
-            name,
-            dpi,
-            buffer.getbuffer().nbytes,
-            time.perf_counter() - started,
-        )
-
-
 # Use centralized DPI setting from config
 DEFAULT_CHART_DPI = CHART_DPI_DEFAULT

@@ -99,7 +77,6 @@ def create_vertical_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    if color_func is None:
        color_func = get_chart_color_for_percentage

@@ -145,7 +122,6 @@ def create_vertical_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("vertical_bar", dpi, buffer, _started)
    return buffer


@@ -180,7 +156,6 @@ def create_horizontal_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    if color_func is None:
        color_func = get_chart_color_for_percentage

@@ -232,7 +207,6 @@ def create_horizontal_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("horizontal_bar", dpi, buffer, _started)
    return buffer


@@ -265,7 +239,6 @@ def create_radar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    num_vars = len(labels)
    angles = [n / float(num_vars) * 2 * math.pi for n in range(num_vars)]

@@ -302,7 +275,6 @@ def create_radar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("radar", dpi, buffer, _started)
    return buffer


@@ -331,7 +303,6 @@ def create_pie_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    fig, ax = plt.subplots(figsize=figsize)

    _, _, autotexts = ax.pie(
@@ -359,7 +330,6 @@ def create_pie_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("pie", dpi, buffer, _started)
    return buffer


@@ -392,7 +362,6 @@ def create_stacked_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    fig, ax = plt.subplots(figsize=figsize)

    # Default colors if not provided
@@ -432,5 +401,4 @@ def create_stacked_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("stacked_bar", dpi, buffer, _started)
    return buffer
@@ -475,15 +475,8 @@ def create_data_table(
            else:
                value = item.get(col.field, "")

-            # Wrap every string cell in Paragraph so the data rows keep the
-            # caller-supplied font/colour/alignment. Skipping Paragraph for
-            # short cells (a tempting micro-optimisation) breaks visual
-            # consistency: ReportLab Table falls back to Helvetica/black for
-            # raw strings, mixing fonts within the same table.
-            # ``escape_html`` keeps ``<``/``>``/``&`` in resource names from
-            # breaking Paragraph's mini-HTML parser.
            if normal_style and isinstance(value, str):
-                value = Paragraph(escape_html(value), normal_style)
+                value = Paragraph(value, normal_style)
            row.append(value)
        table_data.append(row)

@@ -515,26 +508,17 @@ def create_data_table(
    for idx, col in enumerate(columns):
        styles.append(("ALIGN", (idx, 0), (idx, -1), col.align))

-    # Alternate row backgrounds: single O(1) ROWBACKGROUNDS style entry.
-    # The previous implementation appended N per-row BACKGROUND commands,
-    # which scaled the TableStyle list linearly with row count. ReportLab
-    # cycles through the colour list row-by-row so the visual is identical.
-    # The ALTERNATE_ROWS_MAX_SIZE cap is preserved to mirror legacy
-    # behaviour (very large tables stay plain), but the memory cost of the
-    # styles list is now constant regardless of row count.
+    # Alternate row backgrounds - skip for very large tables as it adds memory overhead
    if (
        alternate_rows
        and len(table_data) > 1
        and len(table_data) <= ALTERNATE_ROWS_MAX_SIZE
    ):
-        styles.append(
-            (
-                "ROWBACKGROUNDS",
-                (0, 1),
-                (-1, -1),
-                [colors.white, colors.Color(0.98, 0.98, 0.98)],
-            )
-        )
+        for i in range(1, len(table_data)):
+            if i % 2 == 0:
+                styles.append(
+                    ("BACKGROUND", (0, i), (-1, i), colors.Color(0.98, 0.98, 0.98))
+                )

    table.setStyle(TableStyle(styles))
    return table
@@ -1,4 +1,3 @@
-import os
 from dataclasses import dataclass, field

 from reportlab.lib import colors
@@ -24,47 +23,6 @@ ALTERNATE_ROWS_MAX_SIZE = 200
 # Larger = fewer queries but more memory per batch
 FINDINGS_BATCH_SIZE = 2000

-# Maximum rows per findings sub-table. ReportLab resolves layout per Flowable;
-# splitting a huge findings list into multiple smaller tables keeps the peak
-# memory of doc.build() bounded. A single 15k-row LongTable would force
-# ReportLab to compute all column widths/row heights/page-breaks at once and
-# OOM the worker; 300-row chunks are rendered contiguously with negligible
-# visual impact.
-FINDINGS_TABLE_CHUNK_SIZE = 300
-
-# Maximum findings rendered per check in the detailed-findings section.
-#
-# Product behaviour: compliance PDFs render at most ``MAX_FINDINGS_PER_CHECK``
-# **failed** findings per check (PASS rows are excluded at SQL level by the
-# ``only_failed`` flag that all four list-rendering frameworks default to:
-# ThreatScore, NIS2, CSA, CIS; ENS does not render finding tables). Above
-# this cap each affected check renders an in-PDF banner
-# ("Showing first 100 of N failed findings for this check. Use the CSV
-# or JSON export for the full list") so the reader knows the table is
-# truncated and where to find the full data.
-#
-# Why a cap exists at all:
-#   * ``FindingOutput.transform_api_finding`` is O(N) per finding (Pydantic
-#     v1 validation + nested model construction).
-#   * ReportLab resolves layout per Flowable; thousands of sub-tables make
-#     ``doc.build()`` very slow and grow the PDF unboundedly.
-#   * A human-readable executive/auditor PDF does not need 12,000 rows for
-#     one check; that is forensic data and lives in the CSV/JSON exports.
-#
-# Why 100 specifically:
-#   * Covers ~99% of real scans without truncation (most checks emit far
-#     fewer than 100 findings even in enterprise estates).
-#   * Worst-case rendered rows = 100 × ~500 checks = 50k rows across all
-#     frameworks, which keeps RSS bounded and a 5-framework run completes
-#     in minutes instead of hours.
-#
-# Override at runtime via ``DJANGO_PDF_MAX_FINDINGS_PER_CHECK``:
-#   * Set to ``0`` to disable the cap entirely (load every finding; only
-#     advisable for small scans).
-#   * Set to a larger value (e.g. ``500``) for forensic detail in big runs;
-#     watch RSS in the Celery worker.
-MAX_FINDINGS_PER_CHECK = int(os.environ.get("DJANGO_PDF_MAX_FINDINGS_PER_CHECK", "100"))
-

 # =============================================================================
 # Base colors
@@ -1,8 +1,6 @@
 from celery.utils.log import get_task_logger
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
-from django.db.models import Count, F, Q, Window
-from django.db.models.functions import RowNumber
-from tasks.jobs.reports.config import MAX_FINDINGS_PER_CHECK
+from django.db.models import Count, Q

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
@@ -156,8 +154,6 @@ def _load_findings_for_requirement_checks(
    check_ids: list[str],
    prowler_provider,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    total_counts_out: dict[str, int] | None = None,
-    only_failed_findings: bool = False,
 ) -> dict[str, list[FindingOutput]]:
    """
    Load findings for specific check IDs on-demand with optional caching.
@@ -182,23 +178,6 @@ def _load_findings_for_requirement_checks(
        prowler_provider: The initialized Prowler provider instance.
        findings_cache (dict, optional): Cache of already loaded findings.
            If provided, checks are first looked up in cache before querying database.
-        total_counts_out (dict, optional): If provided, populated with
-            ``{check_id: total_findings_in_db}`` BEFORE any per-check cap is
-            applied. Lets callers render a "Showing first N of M" banner for
-            truncated checks. Only populated for ``check_ids`` actually
-            queried (cache hits keep whatever value the caller already had).
-            When ``only_failed_findings=True`` the total is FAIL-only.
-        only_failed_findings (bool): When True, push the ``status=FAIL``
-            filter down into the SQL query so PASS rows are never loaded
-            from the DB nor pydantic-transformed. This matches the
-            ``only_failed`` requirement-level filter applied at PDF render
-            time: a requirement marked FAIL because 1/1000 findings failed
-            shouldn't render a table of 999 PASS rows. That hides the
-            actual failure under noise and wastes the per-check cap on
-            irrelevant data. NOTE: the findings cache stores whatever the
-            first caller asked for, so all callers in a single
-            ``generate_compliance_reports`` run MUST pass the same flag
-            (which they do: it threads from ``only_failed`` defaults).

    Returns:
        dict[str, list[FindingOutput]]: Dictionary mapping check_id to list of FindingOutput objects.
@@ -243,88 +222,17 @@ def _load_findings_for_requirement_checks(
        )

        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            base_qs = Finding.all_objects.filter(
-                tenant_id=tenant_id,
-                scan_id=scan_id,
-                check_id__in=check_ids_to_load,
+            # Use iterator with chunk_size for memory-efficient streaming
+            # chunk_size controls how many rows Django fetches from DB at once
+            findings_queryset = (
+                Finding.all_objects.filter(
+                    tenant_id=tenant_id,
+                    scan_id=scan_id,
+                    check_id__in=check_ids_to_load,
+                )
+                .order_by("check_id", "uid")
+                .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
            )
-            if only_failed_findings:
-                # Push the FAIL filter down into SQL: DB returns ~N×FAIL
-                # rows instead of N×ALL, and we never spend pydantic CPU on
-                # PASS findings the PDF would never render.
-                base_qs = base_qs.filter(status=StatusChoices.FAIL)
-
-            # Aggregate totals once so we (a) know which checks need capping
-            # and (b) can surface "Showing first N of M" in the PDF banner.
-            # Cheap: a single COUNT grouped by check_id.
-            totals: dict[str, int] = {
-                row["check_id"]: row["total"]
-                for row in base_qs.values("check_id").annotate(total=Count("id"))
-            }
-            if total_counts_out is not None:
-                total_counts_out.update(totals)
-
-            cap = MAX_FINDINGS_PER_CHECK
-            checks_over_cap = (
-                {cid for cid, n in totals.items() if n > cap} if cap > 0 else set()
-            )
-
-            # Use iterator with chunk_size for memory-efficient streaming.
-            # FindingOutput.transform_api_finding (prowler/lib/outputs/finding.py)
-            # reads finding.resources.first() and resource.tags.all() per
-            # finding, which without prefetch generates 2N queries per chunk.
-            # prefetch_related runs once per iterator chunk (Django >=4.1) and
-            # collapses that into a constant 2 extra queries per chunk.
-            if checks_over_cap:
-                # Two-step query so we can both cap rows per check AND attach
-                # prefetch_related on the streamed results:
-                #
-                #   1) ``ranked`` annotates every matching finding with a
-                #      per-check row number via a window function. The
-                #      partition keeps numbering independent per check, and
-                #      ordering by ``uid`` makes the "first N" selection
-                #      deterministic across runs (same scan → same rows).
-                #
-                #   2) The outer ``Finding.all_objects.filter(id__in=...)``
-                #      keeps only IDs whose row number is within the cap and
-                #      re-opens a plain queryset on it. Django cannot combine
-                #      ``Window`` annotations with ``prefetch_related`` on the
-                #      same queryset (the window is evaluated post-aggregation
-                #      and the prefetch loader fights with it), so the inner
-                #      SELECT becomes a subquery and the outer queryset is
-                #      free to prefetch resources/tags as usual.
-                #
-                # PostgreSQL only materialises
-                # ``cap * |checks_over_cap| + sum(uncapped)`` rows for the
-                # window step, vs the full table scan the previous path did.
-                ranked = base_qs.annotate(
-                    rn=Window(
-                        expression=RowNumber(),
-                        partition_by=[F("check_id")],
-                        order_by=F("uid").asc(),
-                    )
-                )
-                findings_queryset = (
-                    Finding.all_objects.filter(
-                        id__in=ranked.filter(rn__lte=cap).values("id")
-                    )
-                    .prefetch_related("resources", "resources__tags")
-                    .order_by("check_id", "uid")
-                    .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
-                )
-                logger.info(
-                    "Per-check cap=%d active for %d checks (max %d each); "
-                    "skipping transform for surplus rows",
-                    cap,
-                    len(checks_over_cap),
-                    cap,
-                )
-            else:
-                findings_queryset = (
-                    base_qs.prefetch_related("resources", "resources__tags")
-                    .order_by("check_id", "uid")
-                    .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
-                )

            # Pre-initialize empty lists for all check_ids to load
            # This avoids repeated dict lookups and 'if not in' checks
@@ -340,11 +248,7 @@ def _load_findings_for_requirement_checks(
                findings_count += 1

            logger.info(
-                "Loaded %d findings for %d checks (truncated %d checks total=%d)",
-                findings_count,
-                len(check_ids_to_load),
-                len(checks_over_cap),
-                sum(totals.values()),
+                f"Loaded {findings_count} findings for {len(check_ids_to_load)} checks"
            )

    # Build result dict using cache references (no data duplication)
@@ -354,40 +258,3 @@ def _load_findings_for_requirement_checks(
    }

    return result
-
-
-def _get_compliance_check_ids(compliance_obj) -> set[str]:
-    """Return the union of all check_ids referenced by a compliance framework.
-
-    Used by the master report orchestrator to know which checks each
-    framework consumes from the shared ``findings_cache``, so that once a
-    framework finishes the entries no other pending framework needs can be
-    evicted from the cache (PROWLER-1733).
-
-    Args:
-        compliance_obj: A loaded Compliance framework object exposing a
-            ``Requirements`` iterable, each requirement carrying ``Checks``.
-            ``None`` is treated as "no checks" rather than raising, so the
-            caller can pass ``frameworks_bulk.get(...)`` directly without
-            an extra existence check.
-
-    Returns:
-        Set of check_id strings (empty if ``compliance_obj`` is ``None``).
-    """
-    if compliance_obj is None:
-        return set()
-    checks: set[str] = set()
-    requirements = getattr(compliance_obj, "Requirements", None) or []
-    try:
-        # Defensive: Mock objects (used in unit tests) return another Mock
-        # for any attribute access, which is truthy but not iterable. Treat
-        # any non-iterable Requirements value as "no checks".
-        for req in requirements:
-            req_checks = getattr(req, "Checks", None) or []
-            try:
-                checks.update(req_checks)
-            except TypeError:
-                continue
-    except TypeError:
-        return set()
-    return checks
@@ -69,7 +69,7 @@ from tasks.utils import (

 from api.compliance import get_compliance_frameworks
 from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import delete_related_daily_task, rls_transaction
+from api.db_utils import rls_transaction
 from api.decorators import handle_provider_deletion, set_tenant
 from api.models import Finding, Integration, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
@@ -274,17 +274,6 @@ def perform_scan_task(
    Returns:
        dict: The result of the scan execution, typically including the status and results of the performed checks.
    """
-    with rls_transaction(tenant_id):
-        if not Provider.objects.filter(pk=provider_id).exists():
-            logger.warning(
-                "scan-perform skipped: provider %s no longer exists "
-                "(tenant=%s, scan=%s)",
-                provider_id,
-                tenant_id,
-                scan_id,
-            )
-            return None
-
    result = perform_prowler_scan(
        tenant_id=tenant_id,
        scan_id=scan_id,
@@ -321,16 +310,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
    task_id = self.request.id

    with rls_transaction(tenant_id):
-        if not Provider.objects.filter(pk=provider_id).exists():
-            logger.warning(
-                "scheduled scan-perform skipped: provider %s no longer exists "
-                "(tenant=%s)",
-                provider_id,
-                tenant_id,
-            )
-            delete_related_daily_task(provider_id)
-            return None
-
        periodic_task_instance = PeriodicTask.objects.get(
            name=f"scan-perform-scheduled-{provider_id}"
        )
@@ -44,8 +44,6 @@ from api.models import (
    Finding,
    Resource,
    ResourceFindingMapping,
-    ResourceTag,
-    ResourceTagMapping,
    StateChoices,
    StatusChoices,
 )
@@ -369,317 +367,6 @@ class TestLoadFindingsForChecks:

        assert result == {}

-    def test_prefetch_avoids_n_plus_one(self, tenants_fixture, scans_fixture):
-        """Loading N findings must NOT execute O(N) extra queries for resources/tags.
-
-        Regression test for PROWLER-1733. ``FindingOutput.transform_api_finding``
-        reads ``finding.resources.first()`` and ``resource.tags.all()`` per
-        finding. Without ``prefetch_related`` that's 2N additional queries;
-        with prefetch it collapses to a small constant per iterator chunk.
-        """
-        from django.test.utils import CaptureQueriesContext
-        from django.db import connections
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Build N findings, each linked to one resource that owns 2 tags.
-        N = 20
-        for i in range(N):
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-prefetch-{i}",
-                check_id="aws_check_prefetch",
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={
-                    "provider": "aws",
-                    "checkid": "aws_check_prefetch",
-                    "checktitle": "t",
-                    "checktype": [],
-                    "servicename": "s",
-                    "subservicename": "",
-                    "severity": "high",
-                    "resourcetype": "r",
-                    "description": "",
-                    "risk": "",
-                    "relatedurl": "",
-                    "remediation": {
-                        "recommendation": {"text": "", "url": ""},
-                        "code": {
-                            "nativeiac": "",
-                            "terraform": "",
-                            "cli": "",
-                            "other": "",
-                        },
-                    },
-                    "resourceidtemplate": "",
-                    "categories": [],
-                    "dependson": [],
-                    "relatedto": [],
-                    "notes": "",
-                },
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-prefetch-{i}",
-                name=f"r-prefetch-{i}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-            for k in ("env", "owner"):
-                tag, _ = ResourceTag.objects.get_or_create(
-                    tenant_id=tenant.id, key=k, value=f"v-{i}-{k}"
-                )
-                ResourceTagMapping.objects.create(
-                    tenant_id=tenant.id, resource=resource, tag=tag
-                )
-
-        mock_provider = Mock()
-        mock_provider.type = "aws"
-        mock_provider.identity.account = "test"
-
-        # Patch transform_api_finding to a no-op so the test isolates queries
-        # to the queryset/prefetch path (transform itself is exercised by
-        # the integration tests above and not by this regression check).
-        with patch(
-            "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-            side_effect=lambda model, provider: Mock(check_id=model.check_id),
-        ):
-            with CaptureQueriesContext(
-                connections["default_read_replica"]
-                if "default_read_replica" in connections.databases
-                else connections["default"]
-            ) as ctx:
-                _load_findings_for_requirement_checks(
-                    str(tenant.id),
-                    str(scan.id),
-                    ["aws_check_prefetch"],
-                    mock_provider,
-                )
-
-        # Expected: a small constant number of queries irrespective of N.
-        # Pre-fix this would be ~1 + 2*N. We give some slack for RLS SET
-        # LOCAL statements that the rls_transaction emits.
-        assert len(ctx.captured_queries) < N, (
-            f"Expected O(1) queries with prefetch_related; got "
-            f"{len(ctx.captured_queries)} for N={N} (N+1 regression?)"
-        )
-
-    def test_max_findings_per_check_cap(self, tenants_fixture, scans_fixture):
-        """When a check exceeds ``MAX_FINDINGS_PER_CHECK``, only ``cap`` rows
-        are loaded AND ``total_counts_out`` reports the pre-cap total.
-
-        Guards the PROWLER-1733 truncation knob: prevents both runaway memory
-        and silent data loss in the PDF (the banner relies on knowing the
-        real total).
-        """
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Create 12 findings for a single check; cap to 5.
-        check_id = "aws_check_cap_test"
-        for i in range(12):
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-cap-{i:02d}",
-                check_id=check_id,
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-cap-{i:02d}",
-                name=f"r-cap-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-
-        totals: dict = {}
-        # Patch the cap to a small value AND skip the heavy transform so we
-        # only assert on row counts and totals.
-        with (
-            _patch("tasks.jobs.threatscore_utils.MAX_FINDINGS_PER_CHECK", 5),
-            _patch(
-                "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-                side_effect=lambda model, provider: Mock(check_id=model.check_id),
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-            )
-
-        assert (
-            len(result[check_id]) == 5
-        ), f"cap=5 should yield exactly 5 loaded findings, got {len(result[check_id])}"
-        assert (
-            totals[check_id] == 12
-        ), f"total_counts_out should report the pre-cap total (12), got {totals[check_id]}"
-
-    def test_only_failed_findings_pushes_down_to_sql(
-        self, tenants_fixture, scans_fixture
-    ):
-        """When ``only_failed_findings=True``, PASS rows are excluded by the
-        DB filter, not just visually hidden afterwards.
-
-        Regression for the consistency fix: previously the requirement-level
-        ``only_failed`` flag filtered which requirements appeared, but inside
-        each rendered requirement the table still showed PASS rows mixed
-        with FAIL, which combined with ``MAX_FINDINGS_PER_CHECK`` could
-        truncate to 1000 PASS findings and hide the actual failure.
-        """
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        check_id = "aws_check_only_failed_test"
-
-        # Mix PASS and FAIL so the filter has something to drop.
-        for i in range(6):
-            status = StatusChoices.FAIL if i % 2 == 0 else StatusChoices.PASS
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-of-{i:02d}",
-                check_id=check_id,
-                status=status,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-of-{i:02d}",
-                name=f"r-of-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-
-        totals: dict = {}
-        with _patch(
-            "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-            side_effect=lambda model, provider: Mock(
-                check_id=model.check_id, status=model.status
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-                only_failed_findings=True,
-            )
-
-        # 3 FAIL + 3 PASS in DB; FAIL-only filter should load just 3.
-        loaded = result[check_id]
-        assert len(loaded) == 3, f"expected 3 FAIL findings, got {len(loaded)}"
-        statuses = {getattr(f, "status", None) for f in loaded}
-        assert statuses == {
-            StatusChoices.FAIL
-        }, f"expected all loaded findings to be FAIL; got statuses {statuses}"
-        # total_counts must reflect the FAIL-only total, not the global total.
-        assert (
-            totals[check_id] == 3
-        ), f"total_counts should be FAIL-only (3), got {totals[check_id]}"
-
-    def test_max_findings_per_check_disabled(self, tenants_fixture, scans_fixture):
-        """``MAX_FINDINGS_PER_CHECK=0`` disables the cap; load all rows."""
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        check_id = "aws_check_uncapped"
-        for i in range(8):
-            f = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-unc-{i:02d}",
-                check_id=check_id,
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            r = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-unc-{i:02d}",
-                name=f"r-unc-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=f, resource=r
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-        totals: dict = {}
-        with (
-            _patch("tasks.jobs.threatscore_utils.MAX_FINDINGS_PER_CHECK", 0),
-            _patch(
-                "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-                side_effect=lambda model, provider: Mock(check_id=model.check_id),
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-            )
-
-        assert len(result[check_id]) == 8
-        assert totals[check_id] == 8
-

 class TestCleanupStaleTmpOutputDirectories:
    """Unit tests for opportunistic stale cleanup under tmp output root."""
@@ -1168,181 +855,6 @@ class TestGenerateComplianceReportsOptimized:
        assert result["cis"] == {"upload": False, "path": ""}
        mock_cis.assert_not_called()

-    @patch("api.utils.initialize_prowler_provider")
-    @patch("tasks.jobs.report.rmtree")
-    @patch("tasks.jobs.report._upload_to_s3")
-    @patch("tasks.jobs.report.generate_cis_report")
-    @patch("tasks.jobs.report.generate_csa_report")
-    @patch("tasks.jobs.report.generate_nis2_report")
-    @patch("tasks.jobs.report.generate_ens_report")
-    @patch("tasks.jobs.report.generate_threatscore_report")
-    @patch("tasks.jobs.report._generate_compliance_output_directory")
-    @patch("tasks.jobs.report._aggregate_requirement_statistics_from_database")
-    @patch("tasks.jobs.report.Compliance.get_bulk")
-    @patch("tasks.jobs.report.Provider.objects.get")
-    @patch("tasks.jobs.report.ScanSummary.objects.filter")
-    def test_findings_cache_eviction_after_framework(
-        self,
-        mock_scan_summary_filter,
-        mock_provider_get,
-        mock_get_bulk,
-        mock_aggregate_stats,
-        mock_generate_output_dir,
-        mock_threatscore,
-        mock_ens,
-        mock_nis2,
-        mock_csa,
-        mock_cis,
-        mock_upload_to_s3,
-        mock_rmtree,
-        mock_init_provider,
-    ):
-        """After each framework finishes, exclusive entries are evicted.
-
-        Threat scenario for PROWLER-1733: the shared ``findings_cache`` used
-        to grow monotonically through all 5 frameworks. With the new
-        eviction logic, check_ids only used by ThreatScore are dropped when
-        ThreatScore finishes, before ENS runs.
-        """
-        from types import SimpleNamespace
-        from tasks.jobs import report as report_mod
-
-        mock_scan_summary_filter.return_value.exists.return_value = True
-        mock_provider_get.return_value = Mock(uid="provider-uid", provider="aws")
-        # ThreatScore consumes {tsc_only, shared}; ENS consumes {ens_only,
-        # shared}. After ThreatScore evicts, tsc_only must be gone but
-        # shared and ens_only must remain.
-        mock_get_bulk.return_value = {
-            "prowler_threatscore_aws": SimpleNamespace(
-                Requirements=[SimpleNamespace(Checks=["tsc_only", "shared"])]
-            ),
-            "ens_rd2022_aws": SimpleNamespace(
-                Requirements=[SimpleNamespace(Checks=["ens_only", "shared"])]
-            ),
-        }
-        mock_aggregate_stats.return_value = {}
-        mock_generate_output_dir.return_value = "/tmp/tenant/scan/x/prowler-out"
-        mock_upload_to_s3.return_value = "s3://bucket/tenant/scan/x/report.pdf"
-        mock_init_provider.return_value = Mock(name="prowler_provider")
-
-        # Seed the cache as if both frameworks had already loaded their
-        # findings. We mutate it indirectly: each generator wrapper is a
-        # Mock: make ThreatScore populate the cache, and have ENS observe
-        # the state at call time so we can introspect post-eviction.
-        observed_state: dict = {}
-
-        def _threatscore_side_effect(**kwargs):
-            cache = kwargs["findings_cache"]
-            cache["tsc_only"] = ["tsc-finding"]
-            cache["shared"] = ["shared-finding"]
-
-        def _ens_side_effect(**kwargs):
-            # ENS runs AFTER threatscore's _evict_after_framework("threatscore").
-            observed_state["cache_keys_when_ens_runs"] = set(
-                kwargs["findings_cache"].keys()
-            )
-            kwargs["findings_cache"]["ens_only"] = ["ens-finding"]
-
-        mock_threatscore.side_effect = _threatscore_side_effect
-        mock_ens.side_effect = _ens_side_effect
-
-        report_mod.generate_compliance_reports(
-            tenant_id=str(uuid.uuid4()),
-            scan_id=str(uuid.uuid4()),
-            provider_id=str(uuid.uuid4()),
-            generate_threatscore=True,
-            generate_ens=True,
-            generate_nis2=False,
-            generate_csa=False,
-            generate_cis=False,
-        )
-
-        # ``tsc_only`` was exclusive to ThreatScore → evicted before ENS ran.
-        # ``shared`` is still pending for ENS → must remain.
-        assert (
-            "tsc_only" not in observed_state["cache_keys_when_ens_runs"]
-        ), "tsc_only should have been evicted before ENS ran"
-        assert (
-            "shared" in observed_state["cache_keys_when_ens_runs"]
-        ), "shared must remain in cache because ENS still needs it"
-
-    @patch("tasks.jobs.report.initialize_prowler_provider")
-    @patch("tasks.jobs.report.rmtree")
-    @patch("tasks.jobs.report._upload_to_s3")
-    @patch("tasks.jobs.report.generate_cis_report")
-    @patch("tasks.jobs.report.generate_csa_report")
-    @patch("tasks.jobs.report.generate_nis2_report")
-    @patch("tasks.jobs.report.generate_ens_report")
-    @patch("tasks.jobs.report.generate_threatscore_report")
-    @patch("tasks.jobs.report._generate_compliance_output_directory")
-    @patch("tasks.jobs.report._aggregate_requirement_statistics_from_database")
-    @patch("tasks.jobs.report.Compliance.get_bulk")
-    @patch("tasks.jobs.report.Provider.objects.get")
-    @patch("tasks.jobs.report.ScanSummary.objects.filter")
-    def test_prowler_provider_initialized_once(
-        self,
-        mock_scan_summary_filter,
-        mock_provider_get,
-        mock_get_bulk,
-        mock_aggregate_stats,
-        mock_generate_output_dir,
-        mock_threatscore,
-        mock_ens,
-        mock_nis2,
-        mock_csa,
-        mock_cis,
-        mock_upload_to_s3,
-        mock_rmtree,
-        mock_init_provider,
-    ):
-        """``initialize_prowler_provider`` must be called exactly once for
-        the whole batch (PROWLER-1733). Previously each generator re-init'd
-        the SDK provider in ``_load_compliance_data`` → 5 inits per scan.
-        """
-        mock_scan_summary_filter.return_value.exists.return_value = True
-        mock_provider_get.return_value = Mock(uid="provider-uid", provider="aws")
-        # CIS variant discovery needs at least one cis_* key.
-        mock_get_bulk.return_value = {"cis_6.0_aws": Mock()}
-        mock_aggregate_stats.return_value = {}
-        mock_generate_output_dir.return_value = "/tmp/tenant/scan/x/prowler-out"
-        mock_upload_to_s3.return_value = "s3://bucket/tenant/scan/x/report.pdf"
-        mock_init_provider.return_value = Mock(name="prowler_provider")
-
-        generate_compliance_reports(
-            tenant_id=str(uuid.uuid4()),
-            scan_id=str(uuid.uuid4()),
-            provider_id=str(uuid.uuid4()),
-            generate_threatscore=True,
-            generate_ens=True,
-            generate_nis2=True,
-            generate_csa=True,
-            generate_cis=True,
-        )
-
-        # All 5 wrappers were invoked once each…
-        mock_threatscore.assert_called_once()
-        mock_ens.assert_called_once()
-        mock_nis2.assert_called_once()
-        mock_csa.assert_called_once()
-        mock_cis.assert_called_once()
-        # …but the SDK provider was initialized only once.
-        assert mock_init_provider.call_count == 1, (
-            f"expected 1 init, got {mock_init_provider.call_count} "
-            f"(prowler_provider must be shared across reports)"
-        )
-
-        # The shared instance must reach every wrapper as kwargs.
-        shared = mock_init_provider.return_value
-        for mock_wrapper in (
-            mock_threatscore,
-            mock_ens,
-            mock_nis2,
-            mock_csa,
-            mock_cis,
-        ):
-            _, call_kwargs = mock_wrapper.call_args
-            assert call_kwargs.get("prowler_provider") is shared
-
    @patch("tasks.jobs.report.rmtree")
    @patch("tasks.jobs.report._upload_to_s3")
    @patch("tasks.jobs.report.generate_threatscore_report")
@@ -1269,48 +1269,6 @@ class TestComponentEdgeCases:
        # Should be a LongTable for large datasets
        assert isinstance(table, LongTable)

-    def test_zebra_uses_rowbackgrounds_not_per_row_background(self, monkeypatch):
-        """The styles list must contain exactly one ROWBACKGROUNDS entry
-        regardless of row count, never N per-row BACKGROUND entries.
-        """
-        captured: dict = {}
-
-        # Capture the list passed to TableStyle. create_data_table builds a
-        # list of style tuples and wraps it in a TableStyle exactly once;
-        # by patching TableStyle we intercept that list.
-        import tasks.jobs.reports.components as comp_mod
-
-        original_table_style = comp_mod.TableStyle
-
-        def _capture_table_style(style_list):
-            captured["styles"] = list(style_list)
-            return original_table_style(style_list)
-
-        monkeypatch.setattr(comp_mod, "TableStyle", _capture_table_style)
-
-        data = [{"name": f"Item {i}"} for i in range(60)]
-        columns = [ColumnConfig("Name", 2 * inch, "name")]
-        comp_mod.create_data_table(data, columns, alternate_rows=True)
-
-        styles = captured["styles"]
-        # Count by command name.
-        names = [s[0] for s in styles if isinstance(s, tuple) and s]
-        # Exactly one ROWBACKGROUNDS entry.
-        assert names.count("ROWBACKGROUNDS") == 1
-        # Zero per-row BACKGROUND entries on data rows. (The header row
-        # BACKGROUND command is intentional and lives at coords (0,0)/(-1,0).)
-        data_row_bg = [
-            s
-            for s in styles
-            if isinstance(s, tuple)
-            and s[0] == "BACKGROUND"
-            and not (s[1] == (0, 0) and s[2] == (-1, 0))
-        ]
-        assert data_row_bg == [], (
-            f"expected no per-row BACKGROUND entries on data rows; "
-            f"got {len(data_row_bg)}"
-        )
-
    def test_create_risk_component_zero_values(self):
        """Test risk component with zero values."""
        component = create_risk_component(risk_level=0, weight=0, score=0)
@@ -1386,194 +1344,3 @@ class TestFrameworkConfigEdgeCases:
        assert get_framework_config("my_custom_threatscore_compliance") is not None
        assert get_framework_config("ens_something_else") is not None
        assert get_framework_config("nis2_gcp") is not None
-
-
-# =============================================================================
-# Findings Table Chunking Tests (PROWLER-1733)
-# =============================================================================
-#
-# These tests guard the OOM-prevention behaviour added in PROWLER-1733:
-# ``_create_findings_tables`` must split a list of findings into multiple
-# small sub-tables instead of producing one giant Table, which would force
-# ReportLab to resolve layout for all rows at once and OOM the worker on
-# scans with thousands of findings per check.
-
-
-class _DummyMetadata:
-    """Lightweight stand-in for FindingOutput.metadata used in chunking tests."""
-
-    def __init__(self, check_title: str = "Title", severity: str = "high"):
-        self.CheckTitle = check_title
-        self.Severity = severity
-
-
-class _DummyFinding:
-    """Lightweight stand-in for FindingOutput used in chunking tests.
-
-    The chunking code only reads a small set of attributes via ``getattr``,
-    so a duck-typed object is enough and lets the tests run without touching
-    the DB or pydantic deserialisation.
-    """
-
-    def __init__(
-        self,
-        check_id: str = "aws_check",
-        resource_name: str = "res-1",
-        resource_uid: str = "",
-        status: str = "FAIL",
-        region: str = "us-east-1",
-        with_metadata: bool = True,
-    ):
-        self.check_id = check_id
-        self.resource_name = resource_name
-        self.resource_uid = resource_uid
-        self.status = status
-        self.region = region
-        if with_metadata:
-            self.metadata = _DummyMetadata()
-        else:
-            self.metadata = None
-
-
-def _make_concrete_generator():
-    """Return a minimal concrete subclass of BaseComplianceReportGenerator."""
-
-    class _Concrete(BaseComplianceReportGenerator):
-        def create_executive_summary(self, data):
-            return []
-
-        def create_charts_section(self, data):
-            return []
-
-        def create_requirements_index(self, data):
-            return []
-
-    return _Concrete(FrameworkConfig(name="test", display_name="Test"))
-
-
-class TestFindingsTableChunking:
-    """Tests for ``_create_findings_tables`` (PROWLER-1733)."""
-
-    def test_chunking_produces_expected_number_of_subtables(self):
-        """5000 findings @ chunk_size=300 → 17 sub-tables + 16 spacers."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c1") for _ in range(5000)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        spacers = [f for f in flowables if isinstance(f, Spacer)]
-        # ceil(5000 / 300) == 17
-        assert len(tables) == 17
-        # Spacer between every pair of contiguous tables, not after the last
-        assert len(spacers) == 16
-
-    def test_chunk_size_param_overrides_default(self):
-        """250 findings @ chunk_size=100 → 3 sub-tables."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c2") for _ in range(250)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=100)
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        assert len(tables) == 3
-
-    def test_empty_findings_returns_empty_list(self):
-        """No findings → no flowables. Callers can extend(...) safely."""
-        generator = _make_concrete_generator()
-        assert generator._create_findings_tables([]) == []
-
-    def test_single_chunk_has_no_spacer(self):
-        """A single sub-table must not emit a trailing spacer."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c3") for _ in range(10)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-        assert len(flowables) == 1
-        assert isinstance(flowables[0], (Table, LongTable))
-
-    def test_malformed_finding_is_skipped(self):
-        """A broken finding must not abort the report; it is logged and skipped."""
-        generator = _make_concrete_generator()
-
-        class _Broken:
-            # No attributes at all; getattr() defaults will mostly cope, but
-            # we force an explicit error by making the metadata attribute
-            # itself raise on access.
-            @property
-            def metadata(self):
-                raise RuntimeError("boom")
-
-            check_id = "broken"
-
-        findings = [
-            _DummyFinding(check_id="c4"),
-            _Broken(),
-            _DummyFinding(check_id="c4"),
-        ]
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-        # Two good rows → one sub-table containing them; the broken one is
-        # logged and dropped, not propagated.
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        assert len(tables) == 1
-
-    def test_create_findings_table_alias_returns_first_chunk(self):
-        """The deprecated alias must keep returning a single Table flowable."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c5") for _ in range(700)]
-
-        first = generator._create_findings_table(findings)
-        assert isinstance(first, (Table, LongTable))
-
-    def test_create_findings_table_alias_empty(self):
-        """Alias on empty input returns an empty (header-only) Table, not None."""
-        generator = _make_concrete_generator()
-        result = generator._create_findings_table([])
-        # The legacy alias never returned None; an empty header-only table
-        # is a strict superset of that contract.
-        assert isinstance(result, (Table, LongTable))
-
-
-# =============================================================================
-# Logging Context Manager Tests (PROWLER-1733)
-# =============================================================================
-
-
-class TestLogPhaseContextManager:
-    """Tests for ``_log_phase`` (PROWLER-1733).
-
-    The context manager emits structured ``phase_start`` / ``phase_end``
-    logs with ``scan_id``, ``framework`` and ``elapsed_s``, so Datadog/
-    CloudWatch queries can pivot by scan and find the slow section.
-    """
-
-    def test_emits_start_and_end_with_elapsed_and_rss(self, caplog):
-        from tasks.jobs.reports.base import _log_phase
-
-        caplog.set_level("INFO", logger="tasks.jobs.reports.base")
-        with _log_phase("unit_test_phase", scan_id="s-1", framework="Test FW"):
-            pass
-
-        messages = [r.getMessage() for r in caplog.records]
-        starts = [m for m in messages if "phase_start" in m]
-        ends = [m for m in messages if "phase_end" in m]
-
-        assert len(starts) == 1 and len(ends) == 1
-        assert "phase=unit_test_phase" in starts[0]
-        assert "scan_id=s-1" in starts[0]
-        assert "framework=Test FW" in starts[0]
-        assert "elapsed_s=" in ends[0]
-        assert "rss_kb=" in ends[0]
-        assert "delta_rss_kb=" in ends[0]
-
-    def test_failure_logs_phase_failed_and_reraises(self, caplog):
-        from tasks.jobs.reports.base import _log_phase
-
-        caplog.set_level("INFO", logger="tasks.jobs.reports.base")
-        with pytest.raises(RuntimeError, match="boom"):
-            with _log_phase("failing_phase", scan_id="s-2", framework="FW"):
-                raise RuntimeError("boom")
-
-        messages = [r.getMessage() for r in caplog.records]
-        assert any("phase_failed" in m and "failing_phase" in m for m in messages)
-        # No phase_end on the failure path.
-        assert not any("phase_end" in m for m in messages)
@@ -21,7 +21,6 @@ from tasks.tasks import (
    check_lighthouse_provider_connection_task,
    generate_outputs_task,
    perform_attack_paths_scan_task,
-    perform_scan_task,
    perform_scheduled_scan_task,
    reaggregate_all_finding_group_summaries_task,
    refresh_lighthouse_provider_models_task,
@@ -2455,57 +2454,6 @@ class TestPerformScheduledScanTask:
            == 1
        )

-    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
-        """Return None without raising when the provider was already deleted."""
-        tenant = tenants_fixture[0]
-        missing_provider_id = str(uuid.uuid4())
-        task_id = str(uuid.uuid4())
-        self._create_task_result(tenant.id, task_id)
-        # Orphan PeriodicTask left behind from a previous lifecycle.
-        self._create_periodic_task(missing_provider_id, tenant.id)
-        orphan_name = f"scan-perform-scheduled-{missing_provider_id}"
-        assert PeriodicTask.objects.filter(name=orphan_name).exists()
-
-        with (
-            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
-            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
-            self._override_task_request(perform_scheduled_scan_task, id=task_id),
-        ):
-            result = perform_scheduled_scan_task.run(
-                tenant_id=str(tenant.id), provider_id=missing_provider_id
-            )
-
-        assert result is None
-        mock_scan.assert_not_called()
-        mock_complete_tasks.assert_not_called()
-        # Orphan PeriodicTask is cleaned up so beat stops re-firing it.
-        assert not PeriodicTask.objects.filter(name=orphan_name).exists()
-
-
-@pytest.mark.django_db
-class TestPerformScanTask:
-    """Unit tests for perform_scan_task."""
-
-    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
-        """Return None without raising when the provider was already deleted."""
-        tenant = tenants_fixture[0]
-        missing_provider_id = str(uuid.uuid4())
-        scan_id = str(uuid.uuid4())
-
-        with (
-            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
-            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
-        ):
-            result = perform_scan_task.run(
-                tenant_id=str(tenant.id),
-                scan_id=scan_id,
-                provider_id=missing_provider_id,
-            )
-
-        assert result is None
-        mock_scan.assert_not_called()
-        mock_complete_tasks.assert_not_called()
-

@pytest.mark.django_db
 class TestReaggregateAllFindingGroupSummaries:
@@ -1,9 +1,8 @@
 #!/bin/bash
 # Run Prowler against All AWS Accounts in an AWS Organization

-# Activate uv-managed virtualenv
-# shellcheck disable=SC1091
-source .venv/bin/activate
+# Activate Poetry Environment
+eval "$(poetry env activate)"

 # Show Prowler Version
 prowler -v
@@ -1,335 +0,0 @@
-# AWS Inventory Connectivity Graph
-
-A community-contributed tool that generates interactive connectivity graphs from Prowler AWS scans, visualizing relationships between AWS resources with zero additional API calls.
-
-## Overview
-
-This tool extends Prowler by producing two artifacts after a scan completes:
-
- **`<output>.inventory.json`** – Machine-readable graph (nodes + edges)
- **`<output>.inventory.html`** – Interactive D3.js force-directed visualization
-
-### Why?
-
-Prowler's existing outputs (CSV, ASFF, OCSF, HTML) report individual check findings but provide no cross-service topology view. Security engineers need to understand **how** resources are connected—which Lambda functions sit inside which VPC, which IAM roles can be assumed by which services, which event sources trigger which functions—before they can reason about attack paths, blast-radius, or lateral-movement risk.
-
-This tool fills that gap by building a connectivity graph from the service clients that are already loaded during a Prowler scan.
-
-## Features
-
-### Supported AWS Services
-
-The tool currently extracts connectivity information from:
-
- **Lambda** – Functions, VPC/subnet/SG edges, event source mappings, layers, DLQ, KMS
- **EC2** – Instances, security groups, subnet/VPC edges
- **VPC** – VPCs, subnets, peering connections
- **RDS** – DB instances, VPC/SG/cluster/KMS edges
- **ELBv2** – ALB/NLB load balancers, SG and VPC edges
- **S3** – Buckets, replication targets, logging buckets, KMS keys
- **IAM** – Roles, trust-relationship edges (who can assume what)
-
-### Edge Semantic Types
-
-Edges are typed for downstream filtering and attack-path analysis:
-
- `network` – Resources share a network path (VPC/subnet/SG)
- `iam` – IAM trust or permission relationship
- `triggers` – One resource can invoke another (event source → Lambda)
- `data_flow` – Data is written/read (Lambda → SQS dead-letter queue)
- `depends_on` – Soft dependency (Lambda layer, subnet belongs to VPC)
- `routes_to` – Traffic routing (LB → target)
- `replicates_to` – S3 replication
- `encrypts` – KMS key encrypts the resource
- `logs_to` – Logging relationship
-
-### Interactive HTML Graph Features
-
- Force-directed layout with drag-and-drop node pinning
- Zoom / pan (mouse wheel + click-drag on background)
- Per-service color-coded nodes with a legend
- Hover tooltips showing ARN + all metadata properties
- Service filter dropdown (show only Lambda, EC2, RDS, etc.)
- Adjustable link-distance and charge-strength physics sliders
- Edge labels on every arrow
-
-## Installation
-
-### Prerequisites
-
- Python 3.9.1 or higher
- Prowler installed and configured (see [Prowler documentation](https://docs.prowler.com/))
-
-### Setup
-
-1. Clone or download this directory to your local machine
-2. Ensure Prowler is installed and working
-3. No additional dependencies required beyond Prowler's existing requirements
-
-## Usage
-
-### Basic Usage
-
-Run Prowler with your desired checks, then use the inventory graph script:
-
-```bash
-# Run Prowler scan (example)
-prowler aws --output-formats csv
-
-# Generate inventory graph from the scan
-python contrib/inventory-graph/inventory_graph.py --output-directory ./output
-```
-
-### Command-Line Options
-
-```bash
-python contrib/inventory-graph/inventory_graph.py [OPTIONS]
-
-Options:
-  --output-directory DIR    Directory to save output files (default: ./output)
-  --output-filename NAME    Base filename without extension (default: prowler-inventory-<timestamp>)
-  --help                    Show this help message and exit
-```
-
-### Example Workflow
-
-```bash
-# 1. Run a Prowler scan on your AWS account
-prowler aws --profile my-aws-profile --output-formats csv html
-
-# 2. Generate the inventory graph
-python contrib/inventory-graph/inventory_graph.py \
-  --output-directory ./output \
-  --output-filename my-aws-inventory
-
-# 3. Open the HTML file in your browser
-open output/my-aws-inventory.inventory.html
-```
-
-### Integration with Prowler Scans
-
-The tool reads from already-loaded AWS service clients in memory (via `sys.modules`). This means:
-
- **Zero extra AWS API calls** – Uses data already collected during the Prowler scan
- **Graceful degradation** – Services not scanned are silently skipped
- **Flexible** – Works with any subset of Prowler checks
-
-## Output Files
-
-### JSON Output (`*.inventory.json`)
-
-Machine-readable graph structure:
-
-```json
-{
-  "generated_at": "2026-03-19T12:34:56Z",
-  "nodes": [
-    {
-      "id": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
-      "type": "lambda_function",
-      "name": "my-function",
-      "service": "lambda",
-      "region": "us-east-1",
-      "account_id": "123456789012",
-      "properties": {
-        "runtime": "python3.9",
-        "vpc_id": "vpc-abc123"
-      }
-    }
-  ],
-  "edges": [
-    {
-      "source_id": "arn:aws:lambda:...",
-      "target_id": "arn:aws:ec2:...:vpc/vpc-abc123",
-      "edge_type": "network",
-      "label": "in-vpc"
-    }
-  ],
-  "stats": {
-    "node_count": 42,
-    "edge_count": 87
-  }
-}
-```
-
-### HTML Output (`*.inventory.html`)
-
-Self-contained interactive visualization that opens in any modern browser. No server or build step required.
-
-## Architecture
-
-### Design Decisions
-
-| Decision | Rationale |
-|----------|-----------|
-| **Read from sys.modules** | Zero extra AWS API calls; services not scanned are silently skipped |
-| **Self-contained HTML** | D3.js v7 via CDN; no server, no build step; opens in any browser |
-| **One extractor per service** | Each extractor is independently testable; adding a new service = one new file + one line in the registry |
-| **Typed edges** | Semantic types allow downstream consumers (attack-path tools, Neo4j import) to filter by relationship class |
-
-### Project Structure
-
-```
-contrib/inventory-graph/
-├── README.md                    # This file
-├── inventory_graph.py           # Main entry point script
-├── lib/
-│   ├── __init__.py
-│   ├── models.py                # ResourceNode, ResourceEdge, ConnectivityGraph dataclasses
-│   ├── graph_builder.py         # Reads loaded service clients from sys.modules
-│   ├── inventory_output.py      # write_json(), write_html()
-│   └── extractors/
-│       ├── __init__.py
-│       ├── lambda_extractor.py  # Lambda functions → VPC/subnet/SG/event-sources/layers/DLQ/KMS
-│       ├── ec2_extractor.py     # EC2 instances + security groups → subnet/VPC
-│       ├── vpc_extractor.py     # VPCs, subnets, peering connections
-│       ├── rds_extractor.py     # RDS instances → VPC/SG/cluster/KMS
-│       ├── elbv2_extractor.py   # ALB/NLB load balancers → SG/VPC
-│       ├── s3_extractor.py      # S3 buckets → replication targets/logging buckets/KMS keys
-│       └── iam_extractor.py     # IAM roles + trust-relationship edges
-└── examples/
-    └── sample_output.html       # Example output (optional)
-```
-
-## Testing
-
-### Smoke Test (No AWS Credentials Needed)
-
-```python
-import sys
-from unittest.mock import MagicMock
-
-# Wire a fake Lambda client
-mock_module = MagicMock()
-mock_fn = MagicMock()
-mock_fn.arn = "arn:aws:lambda:us-east-1:123:function:test"
-mock_fn.name = "test"
-mock_fn.region = "us-east-1"
-mock_fn.vpc_id = "vpc-abc"
-mock_fn.security_groups = ["sg-111"]
-mock_fn.subnet_ids = {"subnet-aaa"}
-mock_fn.environment = None
-mock_fn.kms_key_arn = None
-mock_fn.layers = []
-mock_fn.dead_letter_config = None
-mock_fn.event_source_mappings = []
-mock_module.awslambda_client.functions = {mock_fn.arn: mock_fn}
-mock_module.awslambda_client.audited_account = "123"
-sys.modules["prowler.providers.aws.services.awslambda.awslambda_client"] = mock_module
-
-from contrib.inventory_graph.lib.graph_builder import build_graph
-from contrib.inventory_graph.lib.inventory_output import write_json, write_html
-
-graph = build_graph()
-write_json(graph, "/tmp/test.inventory.json")
-write_html(graph, "/tmp/test.inventory.html")
-# Open /tmp/test.inventory.html in a browser
-```
-
-## Extending
-
-### Adding a New Service
-
-1. Create a new extractor file in `lib/extractors/` (e.g., `dynamodb_extractor.py`)
-2. Implement the `extract(client)` function that returns `(nodes, edges)`
-3. Register it in `lib/graph_builder.py` in the `_SERVICE_REGISTRY` tuple
-
-Example extractor template:
-
-```python
-from typing import List, Tuple
-from prowler.lib.outputs.inventory.models import ResourceNode, ResourceEdge
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """Extract DynamoDB tables and their relationships."""
-    nodes = []
-    edges = []
-    
-    for table in client.tables:
-        nodes.append(
-            ResourceNode(
-                id=table.arn,
-                type="dynamodb_table",
-                name=table.name,
-                service="dynamodb",
-                region=table.region,
-                account_id=client.audited_account,
-                properties={"billing_mode": table.billing_mode}
-            )
-        )
-        
-        # Add edges for KMS encryption, streams, etc.
-        if table.kms_key_arn:
-            edges.append(
-                ResourceEdge(
-                    source_id=table.kms_key_arn,
-                    target_id=table.arn,
-                    edge_type="encrypts",
-                    label="encrypts"
-                )
-            )
-    
-    return nodes, edges
-```
-
-## Troubleshooting
-
-### No nodes discovered
-
-**Problem:** The tool reports "no nodes discovered" after running.
-
-**Solution:** Ensure you've run a Prowler scan first. The tool reads from in-memory service clients loaded during the scan. If no services were scanned, no nodes will be discovered.
-
-### Missing services in the graph
-
-**Problem:** Some AWS services are not appearing in the graph.
-
-**Solution:** The tool only includes services that have been scanned by Prowler. Run Prowler with the services you want to include, or run without service filters to scan all available services.
-
-### HTML file doesn't display properly
-
-**Problem:** The HTML visualization doesn't load or shows errors.
-
-**Solution:** 
- Ensure you're opening the file in a modern browser (Chrome, Firefox, Safari, Edge)
- Check your browser's console for JavaScript errors
- Verify the file was generated completely (check file size > 0)
- The HTML requires internet access to load D3.js from CDN
-
-## Roadmap
-
-Potential future enhancements:
-
- [ ] Support for additional AWS services (DynamoDB, SQS, SNS, etc.)
- [ ] Export to Neo4j / Cartography format
- [ ] Attack path analysis integration
- [ ] Multi-account/multi-region aggregation
- [ ] Custom edge type filtering in HTML UI
- [ ] Graph diff between two scans
-
-## Contributing
-
-This is a community contribution. If you'd like to enhance it:
-
-1. Fork the Prowler repository
-2. Make your changes in `contrib/inventory-graph/`
-3. Test thoroughly
-4. Submit a pull request with a clear description
-
-## License
-
-This tool is part of the Prowler project and is licensed under the Apache License 2.0.
-
-## Credits
-
- **Author:** [@sandiyochristan](https://github.com/sandiyochristan)
- **Related PR:** [#10382](https://github.com/prowler-cloud/prowler/pull/10382)
- **Prowler Project:** [prowler-cloud/prowler](https://github.com/prowler-cloud/prowler)
-
-## Support
-
-For issues or questions:
-
- Open an issue in the [Prowler repository](https://github.com/prowler-cloud/prowler/issues)
- Join the [Prowler Community Slack](https://goto.prowler.com/slack)
- Tag your issue with `contrib:inventory-graph`
@@ -1,181 +0,0 @@
-#!/usr/bin/env python3
-"""
-Example: Generate AWS Inventory Graph with Mock Data
-
-This example demonstrates how to use the inventory graph tool with mock AWS data.
-No AWS credentials required.
-"""
-
-import sys
-from pathlib import Path
-from unittest.mock import MagicMock
-
-# Add parent directory to path
-sys.path.insert(0, str(Path(__file__).parent.parent))
-
-from lib.graph_builder import build_graph
-from lib.inventory_output import write_json, write_html
-
-
-def create_mock_lambda_client():
-    """Create a mock Lambda client with sample data."""
-    mock_module = MagicMock()
-
-    # Create a mock Lambda function
-    mock_fn = MagicMock()
-    mock_fn.arn = "arn:aws:lambda:us-east-1:123456789012:function:my-test-function"
-    mock_fn.name = "my-test-function"
-    mock_fn.region = "us-east-1"
-    mock_fn.vpc_id = "vpc-abc123"
-    mock_fn.security_groups = ["sg-111222"]
-    mock_fn.subnet_ids = {"subnet-aaa111", "subnet-bbb222"}
-    mock_fn.environment = {"Variables": {"ENV": "production"}}
-    mock_fn.kms_key_arn = (
-        "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
-    )
-    mock_fn.layers = []
-    mock_fn.dead_letter_config = None
-    mock_fn.event_source_mappings = []
-
-    mock_module.awslambda_client.functions = {mock_fn.arn: mock_fn}
-    mock_module.awslambda_client.audited_account = "123456789012"
-
-    return mock_module
-
-
-def create_mock_ec2_client():
-    """Create a mock EC2 client with sample data."""
-    mock_module = MagicMock()
-
-    # Create a mock EC2 instance
-    mock_instance = MagicMock()
-    mock_instance.arn = (
-        "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
-    )
-    mock_instance.id = "i-1234567890abcdef0"
-    mock_instance.region = "us-east-1"
-    mock_instance.vpc_id = "vpc-abc123"
-    mock_instance.subnet_id = "subnet-aaa111"
-    mock_instance.security_groups = [MagicMock(id="sg-111222")]
-    mock_instance.state = "running"
-    mock_instance.type = "t3.micro"
-    mock_instance.tags = [{"Key": "Name", "Value": "test-instance"}]
-
-    # Create a mock security group
-    mock_sg = MagicMock()
-    mock_sg.arn = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-111222"
-    mock_sg.id = "sg-111222"
-    mock_sg.name = "test-security-group"
-    mock_sg.region = "us-east-1"
-    mock_sg.vpc_id = "vpc-abc123"
-
-    mock_module.ec2_client.instances = [mock_instance]
-    mock_module.ec2_client.security_groups = [mock_sg]
-    mock_module.ec2_client.audited_account = "123456789012"
-
-    return mock_module
-
-
-def create_mock_vpc_client():
-    """Create a mock VPC client with sample data."""
-    mock_module = MagicMock()
-
-    # Create a mock VPC
-    mock_vpc = MagicMock()
-    mock_vpc.arn = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-abc123"
-    mock_vpc.id = "vpc-abc123"
-    mock_vpc.region = "us-east-1"
-    mock_vpc.cidr_block = "10.0.0.0/16"
-    mock_vpc.tags = [{"Key": "Name", "Value": "test-vpc"}]
-
-    # Create mock subnets
-    mock_subnet1 = MagicMock()
-    mock_subnet1.arn = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-aaa111"
-    mock_subnet1.id = "subnet-aaa111"
-    mock_subnet1.region = "us-east-1"
-    mock_subnet1.vpc_id = "vpc-abc123"
-    mock_subnet1.cidr_block = "10.0.1.0/24"
-    mock_subnet1.availability_zone = "us-east-1a"
-
-    mock_subnet2 = MagicMock()
-    mock_subnet2.arn = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-bbb222"
-    mock_subnet2.id = "subnet-bbb222"
-    mock_subnet2.region = "us-east-1"
-    mock_subnet2.vpc_id = "vpc-abc123"
-    mock_subnet2.cidr_block = "10.0.2.0/24"
-    mock_subnet2.availability_zone = "us-east-1b"
-
-    mock_module.vpc_client.vpcs = [mock_vpc]
-    mock_module.vpc_client.subnets = [mock_subnet1, mock_subnet2]
-    mock_module.vpc_client.vpc_peering_connections = []
-    mock_module.vpc_client.audited_account = "123456789012"
-
-    return mock_module
-
-
-def main():
-    """Main function to demonstrate the inventory graph generation."""
-    print("=" * 70)
-    print("AWS Inventory Graph - Mock Data Example")
-    print("=" * 70)
-    print()
-
-    # Create mock clients and inject them into sys.modules
-    print("Creating mock AWS service clients...")
-    sys.modules["prowler.providers.aws.services.awslambda.awslambda_client"] = (
-        create_mock_lambda_client()
-    )
-    sys.modules["prowler.providers.aws.services.ec2.ec2_client"] = (
-        create_mock_ec2_client()
-    )
-    sys.modules["prowler.providers.aws.services.vpc.vpc_client"] = (
-        create_mock_vpc_client()
-    )
-    print("✓ Mock clients created")
-    print()
-
-    # Build the graph
-    print("Building connectivity graph...")
-    graph = build_graph()
-    print(f"✓ Graph built: {len(graph.nodes)} nodes, {len(graph.edges)} edges")
-    print()
-
-    # Display discovered nodes
-    print("Discovered nodes:")
-    for node in graph.nodes:
-        print(f"  - {node.type}: {node.name} ({node.region})")
-    print()
-
-    # Display discovered edges
-    print("Discovered edges:")
-    for edge in graph.edges:
-        source_node = next((n for n in graph.nodes if n.id == edge.source_id), None)
-        target_node = next((n for n in graph.nodes if n.id == edge.target_id), None)
-        source_name = source_node.name if source_node else edge.source_id
-        target_name = target_node.name if target_node else edge.target_id
-        print(f"  - {source_name} --[{edge.edge_type}]--> {target_name}")
-    print()
-
-    # Write outputs
-    output_dir = Path(__file__).parent
-    json_path = output_dir / "example_output.inventory.json"
-    html_path = output_dir / "example_output.inventory.html"
-
-    print("Writing output files...")
-    write_json(graph, str(json_path))
-    write_html(graph, str(html_path))
-    print(f"✓ JSON written to: {json_path}")
-    print(f"✓ HTML written to: {html_path}")
-    print()
-
-    print("=" * 70)
-    print("✓ Example complete!")
-    print("=" * 70)
-    print()
-    print(f"Open the HTML file to view the interactive graph:")
-    print(f"  open {html_path}")
-    print()
-
-
-if __name__ == "__main__":
-    main()
@@ -1,158 +0,0 @@
-#!/usr/bin/env python3
-"""
-AWS Inventory Connectivity Graph Generator
-
-A standalone tool that generates interactive connectivity graphs from Prowler AWS scans.
-This tool reads from already-loaded AWS service clients in memory and produces:
-  - JSON graph (nodes + edges)
-  - Interactive HTML visualization
-
-Usage:
-    python inventory_graph.py --output-directory ./output --output-filename my-inventory
-
-For more information, see README.md
-"""
-
-import argparse
-import os
-import sys
-from datetime import datetime
-from pathlib import Path
-
-# Add the contrib directory to the path so we can import the lib modules
-CONTRIB_DIR = Path(__file__).parent
-sys.path.insert(0, str(CONTRIB_DIR))
-
-from lib.graph_builder import build_graph
-from lib.inventory_output import write_json, write_html
-
-
-def parse_arguments():
-    """Parse command-line arguments."""
-    parser = argparse.ArgumentParser(
-        description="Generate AWS inventory connectivity graph from Prowler scan data",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog="""
-Examples:
-  # Generate graph with default settings
-  python inventory_graph.py
-
-  # Specify custom output directory and filename
-  python inventory_graph.py --output-directory ./my-output --output-filename aws-inventory
-
-  # After running a Prowler scan
-  prowler aws --profile my-profile
-  python inventory_graph.py --output-directory ./output
-
-For more information, see README.md
-        """,
-    )
-
-    parser.add_argument(
-        "--output-directory",
-        "-o",
-        default="./output",
-        help="Directory to save output files (default: ./output)",
-    )
-
-    parser.add_argument(
-        "--output-filename",
-        "-f",
-        default=None,
-        help="Base filename without extension (default: prowler-inventory-<timestamp>)",
-    )
-
-    parser.add_argument(
-        "--verbose",
-        "-v",
-        action="store_true",
-        help="Enable verbose output",
-    )
-
-    return parser.parse_args()
-
-
-def main():
-    """Main entry point for the inventory graph generator."""
-    args = parse_arguments()
-
-    # Set up output paths
-    output_dir = Path(args.output_directory)
-    output_dir.mkdir(parents=True, exist_ok=True)
-
-    # Generate filename with timestamp if not provided
-    if args.output_filename:
-        base_filename = args.output_filename
-    else:
-        timestamp = datetime.now().strftime("%Y%m%d%H%M%S")
-        base_filename = f"prowler-inventory-{timestamp}"
-
-    json_path = output_dir / f"{base_filename}.inventory.json"
-    html_path = output_dir / f"{base_filename}.inventory.html"
-
-    print("=" * 70)
-    print("AWS Inventory Connectivity Graph Generator")
-    print("=" * 70)
-    print()
-
-    # Build the graph from loaded service clients
-    if args.verbose:
-        print("Building connectivity graph from loaded AWS service clients...")
-
-    graph = build_graph()
-
-    # Check if any nodes were discovered
-    if not graph.nodes:
-        print("⚠️  WARNING: No nodes discovered!")
-        print()
-        print("This usually means:")
-        print("  1. No Prowler scan has been run yet in this Python session")
-        print("  2. No AWS service clients are loaded in memory")
-        print()
-        print("To fix this:")
-        print("  1. Run a Prowler scan first: prowler aws --output-formats csv")
-        print("  2. Then run this script in the same session")
-        print()
-        print(
-            "Alternatively, integrate this tool directly into Prowler's output pipeline."
-        )
-        sys.exit(1)
-
-    print(f"✓ Discovered {len(graph.nodes)} nodes and {len(graph.edges)} edges")
-    print()
-
-    # Write outputs
-    if args.verbose:
-        print(f"Writing JSON output to: {json_path}")
-    write_json(graph, str(json_path))
-
-    if args.verbose:
-        print(f"Writing HTML output to: {html_path}")
-    write_html(graph, str(html_path))
-
-    print()
-    print("=" * 70)
-    print("✓ Graph generation complete!")
-    print("=" * 70)
-    print()
-    print(f"📄 JSON: {json_path}")
-    print(f"🌐 HTML: {html_path}")
-    print()
-    print(f"Open the HTML file in your browser to explore the interactive graph:")
-    print(f"  open {html_path}")
-    print()
-
-
-if __name__ == "__main__":
-    try:
-        main()
-    except KeyboardInterrupt:
-        print("\n\nInterrupted by user. Exiting...")
-        sys.exit(130)
-    except Exception as e:
-        print(f"\n❌ Error: {e}", file=sys.stderr)
-        if "--verbose" in sys.argv or "-v" in sys.argv:
-            import traceback
-
-            traceback.print_exc()
-        sys.exit(1)
@@ -1,94 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract EC2 instance and security-group nodes with their edges.
-
-    Edges produced:
-      - instance → security-group  [network]
-      - instance → subnet          [network]
-      - security-group → VPC       [network]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    # EC2 Instances
-    for instance in client.instances:
-        name = instance.id
-        for tag in instance.tags or []:
-            if tag.get("Key") == "Name":
-                name = tag["Value"]
-                break
-
-        props = {
-            "instance_type": getattr(instance, "type", None),
-            "state": getattr(instance, "state", None),
-            "vpc_id": getattr(instance, "vpc_id", None),
-            "subnet_id": getattr(instance, "subnet_id", None),
-            "public_ip": getattr(instance, "public_ip_address", None),
-            "private_ip": getattr(instance, "private_ip_address", None),
-        }
-
-        nodes.append(
-            ResourceNode(
-                id=instance.arn,
-                type="ec2_instance",
-                name=name,
-                service="ec2",
-                region=instance.region,
-                account_id=client.audited_account,
-                properties={k: v for k, v in props.items() if v is not None},
-            )
-        )
-
-        for sg_id in instance.security_groups or []:
-            edges.append(
-                ResourceEdge(
-                    source_id=instance.arn,
-                    target_id=sg_id,
-                    edge_type="network",
-                    label="sg",
-                )
-            )
-
-        if instance.subnet_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=instance.arn,
-                    target_id=instance.subnet_id,
-                    edge_type="network",
-                    label="subnet",
-                )
-            )
-
-    # Security Groups
-    for sg in client.security_groups.values():
-        name = (
-            sg.name if hasattr(sg, "name") else sg.id if hasattr(sg, "id") else sg.arn
-        )
-        nodes.append(
-            ResourceNode(
-                id=sg.arn,
-                type="security_group",
-                name=name,
-                service="ec2",
-                region=sg.region,
-                account_id=client.audited_account,
-                properties={"vpc_id": sg.vpc_id},
-            )
-        )
-
-        if sg.vpc_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=sg.arn,
-                    target_id=sg.vpc_id,
-                    edge_type="network",
-                    label="in-vpc",
-                )
-            )
-
-    return nodes, edges
@@ -1,60 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract ELBv2 (ALB/NLB) load balancer nodes and their edges.
-
-    Edges produced:
-      - load_balancer → security-group  [network]
-      - load_balancer → VPC             [network]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    for lb in client.loadbalancersv2.values():
-        props = {
-            "type": getattr(lb, "type", None),
-            "scheme": getattr(lb, "scheme", None),
-            "dns_name": getattr(lb, "dns", None),
-            "vpc_id": getattr(lb, "vpc_id", None),
-        }
-
-        name = getattr(lb, "name", lb.arn.split("/")[-2] if "/" in lb.arn else lb.arn)
-
-        nodes.append(
-            ResourceNode(
-                id=lb.arn,
-                type="load_balancer",
-                name=name,
-                service="elbv2",
-                region=lb.region,
-                account_id=client.audited_account,
-                properties={k: v for k, v in props.items() if v is not None},
-            )
-        )
-
-        for sg_id in lb.security_groups or []:
-            edges.append(
-                ResourceEdge(
-                    source_id=lb.arn,
-                    target_id=sg_id,
-                    edge_type="network",
-                    label="sg",
-                )
-            )
-
-        vpc_id = getattr(lb, "vpc_id", None)
-        if vpc_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=lb.arn,
-                    target_id=vpc_id,
-                    edge_type="network",
-                    label="in-vpc",
-                )
-            )
-
-    return nodes, edges
@@ -1,84 +0,0 @@
-import json
-from typing import Any, Dict, List, Tuple
-
-from prowler.lib.logger import logger
-from lib.models import ResourceEdge, ResourceNode
-
-
-def _parse_trust_principals(assume_role_policy: Any) -> List[str]:
-    """
-    Return a flat list of principal strings from an IAM assume-role policy document.
-    The policy may be a dict already or a JSON string.
-    """
-    if not assume_role_policy:
-        return []
-
-    if isinstance(assume_role_policy, str):
-        try:
-            assume_role_policy = json.loads(assume_role_policy)
-        except (json.JSONDecodeError, ValueError):
-            return []
-
-    principals = []
-    for statement in assume_role_policy.get("Statement", []):
-        principal = statement.get("Principal", {})
-        if isinstance(principal, str):
-            principals.append(principal)
-        elif isinstance(principal, dict):
-            for v in principal.values():
-                if isinstance(v, list):
-                    principals.extend(v)
-                else:
-                    principals.append(v)
-        elif isinstance(principal, list):
-            principals.extend(principal)
-
-    return principals
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract IAM role nodes and their trust-relationship edges.
-
-    Edges produced:
-      - trusted-principal → role  [iam]  (who can assume this role)
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    for role in client.roles:
-        props: Dict[str, Any] = {
-            "path": getattr(role, "path", None),
-            "create_date": str(getattr(role, "create_date", "") or ""),
-        }
-
-        nodes.append(
-            ResourceNode(
-                id=role.arn,
-                type="iam_role",
-                name=role.name,
-                service="iam",
-                region="global",
-                account_id=client.audited_account,
-                properties={k: v for k, v in props.items() if v},
-            )
-        )
-
-        # Trust-relationship edges: principal → role (principal CAN assume role)
-        try:
-            for principal in _parse_trust_principals(role.assume_role_policy):
-                if principal and principal != "*":
-                    edges.append(
-                        ResourceEdge(
-                            source_id=principal,
-                            target_id=role.arn,
-                            edge_type="iam",
-                            label="can-assume",
-                        )
-                    )
-        except Exception as e:
-            logger.debug(
-                f"inventory iam_extractor: could not parse trust policy for {role.arn}: {e}"
-            )
-
-    return nodes, edges
@@ -1,118 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract Lambda function nodes and their edges from an awslambda_client.
-
-    Edges produced:
-      - lambda → VPC         [network]
-      - lambda → subnet      [network]
-      - lambda → sg          [network]
-      - lambda → event-source[triggers]  (from EventSourceMapping)
-      - lambda → layer ARN   [depends_on]
-      - lambda → DLQ target  [data_flow]
-      - lambda → KMS key     [encrypts]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    for fn in client.functions.values():
-        props = {
-            "runtime": fn.runtime,
-            "vpc_id": fn.vpc_id,
-        }
-        if fn.environment:
-            props["has_env_vars"] = True
-        if fn.kms_key_arn:
-            props["kms_key_arn"] = fn.kms_key_arn
-
-        nodes.append(
-            ResourceNode(
-                id=fn.arn,
-                type="lambda_function",
-                name=fn.name,
-                service="lambda",
-                region=fn.region,
-                account_id=client.audited_account,
-                properties=props,
-            )
-        )
-
-        # Network edges → VPC, subnets, security groups
-        if fn.vpc_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.arn,
-                    target_id=fn.vpc_id,
-                    edge_type="network",
-                    label="in-vpc",
-                )
-            )
-        for sg_id in fn.security_groups or []:
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.arn,
-                    target_id=sg_id,
-                    edge_type="network",
-                    label="sg",
-                )
-            )
-        for subnet_id in fn.subnet_ids or set():
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.arn,
-                    target_id=subnet_id,
-                    edge_type="network",
-                    label="subnet",
-                )
-            )
-
-        # Trigger edges from event source mappings
-        for esm in getattr(fn, "event_source_mappings", []):
-            edges.append(
-                ResourceEdge(
-                    source_id=esm.event_source_arn,
-                    target_id=fn.arn,
-                    edge_type="triggers",
-                    label=f"esm:{esm.state}",
-                )
-            )
-
-        # Layer dependency edges
-        for layer in getattr(fn, "layers", []):
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.arn,
-                    target_id=layer.arn,
-                    edge_type="depends_on",
-                    label="layer",
-                )
-            )
-
-        # Dead-letter queue data-flow edge
-        dlq = getattr(fn, "dead_letter_config", None)
-        if dlq and dlq.target_arn:
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.arn,
-                    target_id=dlq.target_arn,
-                    edge_type="data_flow",
-                    label="dlq",
-                )
-            )
-
-        # KMS encryption edge
-        if fn.kms_key_arn:
-            edges.append(
-                ResourceEdge(
-                    source_id=fn.kms_key_arn,
-                    target_id=fn.arn,
-                    edge_type="encrypts",
-                    label="kms",
-                )
-            )
-
-    return nodes, edges
@@ -1,86 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract RDS DB instance nodes and their edges.
-
-    Edges produced:
-      - db_instance → security-group  [network]
-      - db_instance → VPC             [network]
-      - db_instance → cluster         [depends_on]
-      - db_instance → KMS key         [encrypts]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    for db in client.db_instances.values():
-        props = {
-            "engine": getattr(db, "engine", None),
-            "engine_version": getattr(db, "engine_version", None),
-            "instance_class": getattr(db, "db_instance_class", None),
-            "vpc_id": getattr(db, "vpc_id", None),
-            "multi_az": getattr(db, "multi_az", None),
-            "publicly_accessible": getattr(db, "publicly_accessible", None),
-            "storage_encrypted": getattr(db, "storage_encrypted", None),
-        }
-
-        nodes.append(
-            ResourceNode(
-                id=db.arn,
-                type="rds_instance",
-                name=db.id,
-                service="rds",
-                region=db.region,
-                account_id=client.audited_account,
-                properties={k: v for k, v in props.items() if v is not None},
-            )
-        )
-
-        for sg in getattr(db, "security_groups", []):
-            sg_id = sg if isinstance(sg, str) else getattr(sg, "id", str(sg))
-            edges.append(
-                ResourceEdge(
-                    source_id=db.arn,
-                    target_id=sg_id,
-                    edge_type="network",
-                    label="sg",
-                )
-            )
-
-        vpc_id = getattr(db, "vpc_id", None)
-        if vpc_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=db.arn,
-                    target_id=vpc_id,
-                    edge_type="network",
-                    label="in-vpc",
-                )
-            )
-
-        cluster_arn = getattr(db, "cluster_arn", None)
-        if cluster_arn:
-            edges.append(
-                ResourceEdge(
-                    source_id=db.arn,
-                    target_id=cluster_arn,
-                    edge_type="depends_on",
-                    label="cluster-member",
-                )
-            )
-
-        kms_key_id = getattr(db, "kms_key_id", None)
-        if kms_key_id:
-            edges.append(
-                ResourceEdge(
-                    source_id=kms_key_id,
-                    target_id=db.arn,
-                    edge_type="encrypts",
-                    label="kms",
-                )
-            )
-
-    return nodes, edges
@@ -1,92 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract S3 bucket nodes and their edges.
-
-    Edges produced:
-      - bucket → replication-target bucket  [replicates_to]
-      - bucket → KMS key                    [encrypts]
-      - bucket → logging bucket             [logs_to]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    for bucket in client.buckets.values():
-        encryption = getattr(bucket, "encryption", None)
-        versioning = getattr(bucket, "versioning_enabled", None)
-        logging = getattr(bucket, "logging", None)
-        public = getattr(bucket, "public_access_block", None)
-
-        props = {}
-        if versioning is not None:
-            props["versioning"] = versioning
-        if encryption:
-            enc_type = getattr(encryption, "type", str(encryption))
-            props["encryption"] = enc_type
-
-        nodes.append(
-            ResourceNode(
-                id=bucket.arn,
-                type="s3_bucket",
-                name=bucket.name,
-                service="s3",
-                region=bucket.region,
-                account_id=client.audited_account,
-                properties=props,
-            )
-        )
-
-        # Replication edges
-        for rule in getattr(bucket, "replication_rules", None) or []:
-            dest_bucket = getattr(rule, "destination_bucket", None)
-            if dest_bucket:
-                dest_arn = (
-                    dest_bucket
-                    if dest_bucket.startswith("arn:")
-                    else f"arn:aws:s3:::{dest_bucket}"
-                )
-                edges.append(
-                    ResourceEdge(
-                        source_id=bucket.arn,
-                        target_id=dest_arn,
-                        edge_type="replicates_to",
-                        label="s3-replication",
-                    )
-                )
-
-        # Logging edges
-        if logging:
-            target_bucket = getattr(logging, "target_bucket", None)
-            if target_bucket:
-                target_arn = (
-                    target_bucket
-                    if target_bucket.startswith("arn:")
-                    else f"arn:aws:s3:::{target_bucket}"
-                )
-                edges.append(
-                    ResourceEdge(
-                        source_id=bucket.arn,
-                        target_id=target_arn,
-                        edge_type="logs_to",
-                        label="access-logs",
-                    )
-                )
-
-        # KMS encryption edges
-        if encryption:
-            kms_arn = getattr(encryption, "kms_master_key_id", None)
-            if kms_arn:
-                edges.append(
-                    ResourceEdge(
-                        source_id=kms_arn,
-                        target_id=bucket.arn,
-                        edge_type="encrypts",
-                        label="kms",
-                    )
-                )
-
-    return nodes, edges
@@ -1,92 +0,0 @@
-from typing import List, Tuple
-
-from lib.models import ResourceEdge, ResourceNode
-
-
-def extract(client) -> Tuple[List[ResourceNode], List[ResourceEdge]]:
-    """
-    Extract VPC and subnet nodes with their edges.
-
-    Edges produced:
-      - subnet → VPC  [depends_on]
-      - peering connection between VPCs [network]
-    """
-    nodes: List[ResourceNode] = []
-    edges: List[ResourceEdge] = []
-
-    # VPCs
-    for vpc in client.vpcs.values():
-        name = vpc.id if hasattr(vpc, "id") else vpc.arn
-        for tag in vpc.tags or []:
-            if isinstance(tag, dict) and tag.get("Key") == "Name":
-                name = tag["Value"]
-                break
-
-        nodes.append(
-            ResourceNode(
-                id=vpc.arn,
-                type="vpc",
-                name=name,
-                service="vpc",
-                region=vpc.region,
-                account_id=client.audited_account,
-                properties={
-                    "cidr_block": getattr(vpc, "cidr_block", None),
-                    "is_default": getattr(vpc, "is_default", None),
-                },
-            )
-        )
-
-    # VPC Subnets
-    for subnet in client.vpc_subnets.values():
-        name = subnet.id if hasattr(subnet, "id") else subnet.arn
-        for tag in getattr(subnet, "tags", None) or []:
-            if isinstance(tag, dict) and tag.get("Key") == "Name":
-                name = tag["Value"]
-                break
-
-        nodes.append(
-            ResourceNode(
-                id=subnet.arn,
-                type="subnet",
-                name=name,
-                service="vpc",
-                region=subnet.region,
-                account_id=client.audited_account,
-                properties={
-                    "vpc_id": getattr(subnet, "vpc_id", None),
-                    "cidr_block": getattr(subnet, "cidr_block", None),
-                    "availability_zone": getattr(subnet, "availability_zone", None),
-                    "public": getattr(subnet, "public", None),
-                },
-            )
-        )
-
-        vpc_id = getattr(subnet, "vpc_id", None)
-        if vpc_id:
-            # Find the VPC ARN for this vpc_id
-            vpc_arn = next(
-                (v.arn for v in client.vpcs.values() if v.id == vpc_id),
-                vpc_id,
-            )
-            edges.append(
-                ResourceEdge(
-                    source_id=subnet.arn,
-                    target_id=vpc_arn,
-                    edge_type="depends_on",
-                    label="subnet-of",
-                )
-            )
-
-    # VPC Peering Connections
-    for peering in getattr(client, "vpc_peering_connections", {}).values():
-        edges.append(
-            ResourceEdge(
-                source_id=peering.arn,
-                target_id=getattr(peering, "accepter_vpc_id", peering.arn),
-                edge_type="network",
-                label="vpc-peer",
-            )
-        )
-
-    return nodes, edges
@@ -1,106 +0,0 @@
-"""
-graph_builder.py
----------------
-Builds a ConnectivityGraph by reading already-loaded AWS service clients from
-sys.modules.  Only services that were actually scanned (i.e. whose client
-module is already imported) contribute nodes and edges.  Unknown / unloaded
-services are silently skipped, so the output degrades gracefully when only a
-subset of checks has been run.
-"""
-
-import sys
-from typing import Tuple
-
-from prowler.lib.logger import logger
-from lib.models import ConnectivityGraph
-
-# Registry: (sys.modules key, attribute name inside that module, extractor module path)
-_SERVICE_REGISTRY: Tuple[Tuple[str, str, str], ...] = (
-    (
-        "prowler.providers.aws.services.awslambda.awslambda_client",
-        "awslambda_client",
-        "lib.extractors.lambda_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.ec2.ec2_client",
-        "ec2_client",
-        "lib.extractors.ec2_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.vpc.vpc_client",
-        "vpc_client",
-        "lib.extractors.vpc_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.rds.rds_client",
-        "rds_client",
-        "lib.extractors.rds_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.elbv2.elbv2_client",
-        "elbv2_client",
-        "lib.extractors.elbv2_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.s3.s3_client",
-        "s3_client",
-        "lib.extractors.s3_extractor",
-    ),
-    (
-        "prowler.providers.aws.services.iam.iam_client",
-        "iam_client",
-        "lib.extractors.iam_extractor",
-    ),
-)
-
-
-def build_graph() -> ConnectivityGraph:
-    """
-    Iterate over every registered service, check whether its client module is
-    already loaded, and call the corresponding extractor.
-
-    Returns a ConnectivityGraph with all discovered nodes and edges.
-    Duplicate node IDs are silently deduplicated (first occurrence wins).
-    """
-    graph = ConnectivityGraph()
-    seen_node_ids: set = set()
-
-    for client_module_key, client_attr, extractor_module_key in _SERVICE_REGISTRY:
-        client_module = sys.modules.get(client_module_key)
-        if client_module is None:
-            continue
-
-        service_client = getattr(client_module, client_attr, None)
-        if service_client is None:
-            continue
-
-        extractor_module = sys.modules.get(extractor_module_key)
-        if extractor_module is None:
-            try:
-                import importlib
-
-                extractor_module = importlib.import_module(extractor_module_key)
-            except ImportError as e:
-                logger.debug(
-                    f"inventory graph_builder: cannot import extractor {extractor_module_key}: {e}"
-                )
-                continue
-
-        try:
-            nodes, edges = extractor_module.extract(service_client)
-        except Exception as e:
-            logger.error(
-                f"inventory graph_builder: extractor {extractor_module_key} failed: "
-                f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}"
-            )
-            continue
-
-        for node in nodes:
-            if node.id not in seen_node_ids:
-                graph.add_node(node)
-                seen_node_ids.add(node.id)
-
-        for edge in edges:
-            graph.add_edge(edge)
-
-    return graph
@@ -1,502 +0,0 @@
-"""
-inventory_output.py
-------------------
-Writes the ConnectivityGraph produced by graph_builder to two files:
-
-  <output_path>.inventory.json  – machine-readable graph (nodes + edges)
-  <output_path>.inventory.html  – interactive D3.js force-directed graph
-"""
-
-import json
-import os
-from dataclasses import asdict
-from datetime import datetime
-from typing import Optional
-
-from prowler.lib.logger import logger
-from lib.models import ConnectivityGraph
-
-
-# ---------------------------------------------------------------------------
-# JSON output
-# ---------------------------------------------------------------------------
-
-
-def write_json(graph: ConnectivityGraph, file_path: str) -> None:
-    """Serialise the graph to a JSON file."""
-    try:
-        os.makedirs(os.path.dirname(file_path), exist_ok=True)
-        data = {
-            "generated_at": datetime.utcnow().isoformat() + "Z",
-            "nodes": [asdict(n) for n in graph.nodes],
-            "edges": [asdict(e) for e in graph.edges],
-            "stats": {
-                "node_count": len(graph.nodes),
-                "edge_count": len(graph.edges),
-            },
-        }
-        with open(file_path, "w", encoding="utf-8") as fh:
-            json.dump(data, fh, indent=2, default=str)
-        logger.info(f"Inventory graph JSON written to {file_path}")
-    except Exception as e:
-        logger.error(
-            f"inventory_output.write_json: {e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}"
-        )
-
-
-# ---------------------------------------------------------------------------
-# HTML output (self-contained, D3.js CDN)
-# ---------------------------------------------------------------------------
-
-# Colour palette per node type
-_NODE_COLOURS = {
-    "lambda_function": "#f59e0b",
-    "ec2_instance": "#3b82f6",
-    "security_group": "#6366f1",
-    "vpc": "#10b981",
-    "subnet": "#34d399",
-    "rds_instance": "#ef4444",
-    "load_balancer": "#8b5cf6",
-    "s3_bucket": "#06b6d4",
-    "iam_role": "#f97316",
-    "default": "#94a3b8",
-}
-
-# Edge stroke colours per edge type
-_EDGE_COLOURS = {
-    "network": "#64748b",
-    "iam": "#f97316",
-    "triggers": "#a855f7",
-    "data_flow": "#0ea5e9",
-    "depends_on": "#94a3b8",
-    "routes_to": "#22c55e",
-    "replicates_to": "#ec4899",
-    "encrypts": "#eab308",
-    "logs_to": "#78716c",
-}
-
-_HTML_TEMPLATE = """\
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8"/>
-  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-  <title>Prowler – AWS Connectivity Graph</title>
-  <script src="https://d3js.org/d3.v7.min.js"></script>
-  <style>
-    *, *::before, *::after {{ box-sizing: border-box; }}
-    body {{
-      margin: 0;
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-      background: #0f172a;
-      color: #e2e8f0;
-    }}
-    #header {{
-      padding: 12px 20px;
-      background: #1e293b;
-      border-bottom: 1px solid #334155;
-      display: flex;
-      align-items: center;
-      gap: 16px;
-    }}
-    #header h1 {{ margin: 0; font-size: 18px; font-weight: 700; }}
-    #header .stats {{ font-size: 13px; color: #94a3b8; }}
-    #controls {{
-      padding: 8px 20px;
-      background: #1e293b;
-      border-bottom: 1px solid #334155;
-      display: flex;
-      gap: 12px;
-      align-items: center;
-      flex-wrap: wrap;
-    }}
-    #controls label {{ font-size: 12px; color: #94a3b8; }}
-    #controls select, #controls input[type=range] {{
-      background: #0f172a;
-      color: #e2e8f0;
-      border: 1px solid #334155;
-      border-radius: 4px;
-      padding: 3px 6px;
-      font-size: 12px;
-    }}
-    #graph-container {{ width: 100%; height: calc(100vh - 100px); position: relative; }}
-    svg {{ width: 100%; height: 100%; }}
-    .node circle {{
-      stroke: #1e293b;
-      stroke-width: 1.5px;
-      cursor: pointer;
-      transition: r 0.15s;
-    }}
-    .node circle:hover {{ stroke-width: 3px; }}
-    .node text {{
-      font-size: 10px;
-      fill: #e2e8f0;
-      pointer-events: none;
-      text-shadow: 0 0 4px #0f172a;
-    }}
-    .link {{
-      stroke-opacity: 0.6;
-      stroke-width: 1.5px;
-    }}
-    .link-label {{
-      font-size: 8px;
-      fill: #94a3b8;
-      pointer-events: none;
-    }}
-    #tooltip {{
-      position: fixed;
-      background: #1e293b;
-      border: 1px solid #334155;
-      border-radius: 6px;
-      padding: 10px 14px;
-      font-size: 12px;
-      pointer-events: none;
-      max-width: 320px;
-      word-break: break-all;
-      z-index: 9999;
-      display: none;
-    }}
-    #tooltip strong {{ color: #f8fafc; }}
-    #tooltip .prop {{ color: #94a3b8; margin-top: 4px; }}
-    #legend {{
-      position: absolute;
-      top: 10px;
-      right: 10px;
-      background: rgba(30,41,59,0.9);
-      border: 1px solid #334155;
-      border-radius: 6px;
-      padding: 10px 14px;
-      font-size: 11px;
-    }}
-    #legend h3 {{ margin: 0 0 6px; font-size: 12px; }}
-    .legend-row {{ display: flex; align-items: center; gap: 6px; margin: 3px 0; }}
-    .legend-dot {{ width: 12px; height: 12px; border-radius: 50%; flex-shrink: 0; }}
-    .legend-line {{ width: 20px; height: 2px; flex-shrink: 0; }}
-  </style>
-</head>
-<body>
-<div id="header">
-  <h1>🔗 AWS Connectivity Graph</h1>
-  <span class="stats" id="stat-label">Generated: {generated_at}</span>
-</div>
-<div id="controls">
-  <label>Filter service:
-    <select id="filter-service">
-      <option value="">All services</option>
-    </select>
-  </label>
-  <label>Link distance:
-    <input type="range" id="link-distance" min="40" max="300" value="120"/>
-  </label>
-  <label>Charge strength:
-    <input type="range" id="charge-strength" min="-800" max="-20" value="-250"/>
-  </label>
-  <span class="stats" id="visible-count"></span>
-</div>
-<div id="graph-container">
-  <svg id="graph-svg"></svg>
-  <div id="tooltip"></div>
-  <div id="legend">
-    <h3>Node types</h3>
-    {legend_nodes_html}
-    <h3 style="margin-top:8px">Edge types</h3>
-    {legend_edges_html}
-  </div>
-</div>
-
-<script>
-const RAW_NODES = {nodes_json};
-const RAW_EDGES = {edges_json};
-const NODE_COLOURS = {node_colours_json};
-const EDGE_COLOURS = {edge_colours_json};
-
-// ── helpers ──────────────────────────────────────────────────────────────
-function nodeColour(d) {{
-  return NODE_COLOURS[d.type] || NODE_COLOURS["default"];
-}}
-function edgeColour(d) {{
-  return EDGE_COLOURS[d.edge_type] || "#94a3b8";
-}}
-function nodeRadius(d) {{
-  const base = {{
-    lambda_function: 9, ec2_instance: 10, vpc: 14, subnet: 8,
-    security_group: 7, rds_instance: 11, load_balancer: 12,
-    s3_bucket: 9, iam_role: 9
-  }};
-  return base[d.type] || 8;
-}}
-
-// ── filter controls ───────────────────────────────────────────────────────
-const services = [...new Set(RAW_NODES.map(n => n.service))].sort();
-const sel = document.getElementById("filter-service");
-services.forEach(s => {{
-  const o = document.createElement("option");
-  o.value = s; o.textContent = s;
-  sel.appendChild(o);
-}});
-
-// ── D3 setup ──────────────────────────────────────────────────────────────
-const svg = d3.select("#graph-svg");
-const container = svg.append("g");
-
-// zoom
-svg.call(
-  d3.zoom().scaleExtent([0.05, 8])
-    .on("zoom", e => container.attr("transform", e.transform))
-);
-
-// arrowhead marker
-const defs = svg.append("defs");
-defs.append("marker")
-  .attr("id", "arrow")
-  .attr("viewBox", "0 -5 10 10")
-  .attr("refX", 20).attr("refY", 0)
-  .attr("markerWidth", 6).attr("markerHeight", 6)
-  .attr("orient", "auto")
-  .append("path")
-    .attr("d", "M0,-5L10,0L0,5")
-    .attr("fill", "#94a3b8");
-
-// tooltip
-const tooltip = document.getElementById("tooltip");
-
-// ── simulation ────────────────────────────────────────────────────────────
-let simulation, linkSel, nodeSel, labelSel;
-
-function buildGraph(nodeFilter) {{
-  // Determine which nodes to show
-  const visibleNodes = nodeFilter
-    ? RAW_NODES.filter(n => n.service === nodeFilter)
-    : RAW_NODES;
-  const visibleIds = new Set(visibleNodes.map(n => n.id));
-
-  // Only show edges where BOTH endpoints are visible
-  const visibleEdges = RAW_EDGES.filter(
-    e => visibleIds.has(e.source_id) && visibleIds.has(e.target_id)
-  );
-
-  document.getElementById("visible-count").textContent =
-    `Showing ${{visibleNodes.length}} nodes · ${{visibleEdges.length}} edges`;
-
-  container.selectAll("*").remove();
-
-  if (simulation) simulation.stop();
-
-  const nodes = visibleNodes.map(n => ({{ ...n }}));
-  const nodeIndex = Object.fromEntries(nodes.map(n => [n.id, n]));
-
-  const links = visibleEdges.map(e => ({{
-    ...e,
-    source: nodeIndex[e.source_id] || e.source_id,
-    target: nodeIndex[e.target_id] || e.target_id,
-  }}));
-
-  const dist = +document.getElementById("link-distance").value;
-  const charge = +document.getElementById("charge-strength").value;
-
-  simulation = d3.forceSimulation(nodes)
-    .force("link", d3.forceLink(links).id(d => d.id).distance(dist))
-    .force("charge", d3.forceManyBody().strength(charge))
-    .force("center", d3.forceCenter(
-      document.getElementById("graph-container").clientWidth / 2,
-      document.getElementById("graph-container").clientHeight / 2
-    ))
-    .force("collision", d3.forceCollide().radius(d => nodeRadius(d) + 6));
-
-  // Edges
-  linkSel = container.append("g").attr("class", "links")
-    .selectAll("line")
-    .data(links)
-    .join("line")
-      .attr("class", "link")
-      .attr("stroke", edgeColour)
-      .attr("marker-end", "url(#arrow)");
-
-  // Edge labels
-  labelSel = container.append("g").attr("class", "link-labels")
-    .selectAll("text")
-    .data(links)
-    .join("text")
-      .attr("class", "link-label")
-      .text(d => d.label || "");
-
-  // Nodes
-  nodeSel = container.append("g").attr("class", "nodes")
-    .selectAll("g")
-    .data(nodes)
-    .join("g")
-      .attr("class", "node")
-      .call(
-        d3.drag()
-          .on("start", (event, d) => {{
-            if (!event.active) simulation.alphaTarget(0.3).restart();
-            d.fx = d.x; d.fy = d.y;
-          }})
-          .on("drag", (event, d) => {{ d.fx = event.x; d.fy = event.y; }})
-          .on("end", (event, d) => {{
-            if (!event.active) simulation.alphaTarget(0);
-            d.fx = null; d.fy = null;
-          }})
-      )
-      .on("mouseover", (event, d) => {{
-        const props = Object.entries(d.properties || {{}})
-          .map(([k, v]) => `<div class="prop"><b>${{k}}</b>: ${{v}}</div>`)
-          .join("");
-        tooltip.innerHTML = `
-          <strong>${{d.name}}</strong>
-          <div class="prop"><b>type</b>: ${{d.type}}</div>
-          <div class="prop"><b>service</b>: ${{d.service}}</div>
-          <div class="prop"><b>region</b>: ${{d.region}}</div>
-          <div class="prop"><b>account</b>: ${{d.account_id}}</div>
-          <div class="prop" style="word-break:break-all"><b>arn</b>: ${{d.id}}</div>
-          ${{props}}
-        `;
-        tooltip.style.display = "block";
-        tooltip.style.left = (event.clientX + 12) + "px";
-        tooltip.style.top  = (event.clientY - 10) + "px";
-      }})
-      .on("mousemove", event => {{
-        tooltip.style.left = (event.clientX + 12) + "px";
-        tooltip.style.top  = (event.clientY - 10) + "px";
-      }})
-      .on("mouseout", () => {{ tooltip.style.display = "none"; }});
-
-  nodeSel.append("circle")
-    .attr("r", nodeRadius)
-    .attr("fill", nodeColour);
-
-  nodeSel.append("text")
-    .attr("dx", d => nodeRadius(d) + 3)
-    .attr("dy", "0.35em")
-    .text(d => d.name.length > 24 ? d.name.slice(0, 22) + "…" : d.name);
-
-  simulation.on("tick", () => {{
-    linkSel
-      .attr("x1", d => d.source.x)
-      .attr("y1", d => d.source.y)
-      .attr("x2", d => d.target.x)
-      .attr("y2", d => d.target.y);
-
-    labelSel
-      .attr("x", d => (d.source.x + d.target.x) / 2)
-      .attr("y", d => (d.source.y + d.target.y) / 2);
-
-    nodeSel.attr("transform", d => `translate(${{d.x}},${{d.y}})`);
-  }});
-}}
-
-// Initial render
-buildGraph(null);
-
-// Filter change
-sel.addEventListener("change", () => buildGraph(sel.value || null));
-
-// Simulation control sliders — restart on change
-document.getElementById("link-distance").addEventListener("input", () => buildGraph(sel.value || null));
-document.getElementById("charge-strength").addEventListener("input", () => buildGraph(sel.value || null));
-</script>
-</body>
-</html>
-"""
-
-
-def _build_legend_html(colours: dict, shape: str) -> str:
-    rows = []
-    for key, colour in sorted(colours.items()):
-        if shape == "dot":
-            rows.append(
-                f'<div class="legend-row">'
-                f'<div class="legend-dot" style="background:{colour}"></div>'
-                f"<span>{key}</span></div>"
-            )
-        else:
-            rows.append(
-                f'<div class="legend-row">'
-                f'<div class="legend-line" style="background:{colour}"></div>'
-                f"<span>{key}</span></div>"
-            )
-    return "\n".join(rows)
-
-
-def write_html(graph: ConnectivityGraph, file_path: str) -> None:
-    """Render the graph as a self-contained interactive HTML page."""
-    try:
-        os.makedirs(os.path.dirname(file_path), exist_ok=True)
-
-        nodes_json = json.dumps(
-            [
-                {
-                    "id": n.id,
-                    "type": n.type,
-                    "name": n.name,
-                    "service": n.service,
-                    "region": n.region,
-                    "account_id": n.account_id,
-                    "properties": n.properties,
-                }
-                for n in graph.nodes
-            ],
-            indent=None,
-            default=str,
-        )
-        edges_json = json.dumps(
-            [
-                {
-                    "source_id": e.source_id,
-                    "target_id": e.target_id,
-                    "edge_type": e.edge_type,
-                    "label": e.label or "",
-                }
-                for e in graph.edges
-            ],
-            indent=None,
-            default=str,
-        )
-
-        html = _HTML_TEMPLATE.format(
-            generated_at=datetime.utcnow().strftime("%Y-%m-%d %H:%M UTC"),
-            nodes_json=nodes_json,
-            edges_json=edges_json,
-            node_colours_json=json.dumps(_NODE_COLOURS),
-            edge_colours_json=json.dumps(_EDGE_COLOURS),
-            legend_nodes_html=_build_legend_html(_NODE_COLOURS, "dot"),
-            legend_edges_html=_build_legend_html(_EDGE_COLOURS, "line"),
-        )
-
-        with open(file_path, "w", encoding="utf-8") as fh:
-            fh.write(html)
-
-        logger.info(f"Inventory graph HTML written to {file_path}")
-    except Exception as e:
-        logger.error(
-            f"inventory_output.write_html: {e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}"
-        )
-
-
-# ---------------------------------------------------------------------------
-# Convenience entry-point called from __main__.py
-# ---------------------------------------------------------------------------
-
-
-def generate_inventory_outputs(output_path: str) -> None:
-    """
-    Build the connectivity graph from currently-loaded service clients and write
-    both JSON and HTML outputs.
-
-    Args:
-        output_path: base file path WITHOUT extension, e.g.
-                     "output/prowler-output-20240101120000".
-                     The function appends .inventory.json and .inventory.html.
-    """
-    from lib.graph_builder import build_graph
-
-    graph = build_graph()
-
-    if not graph.nodes:
-        logger.warning(
-            "Inventory graph: no nodes discovered. "
-            "Make sure at least one AWS service was scanned before generating the inventory."
-        )
-
-    write_json(graph, f"{output_path}.inventory.json")
-    write_html(graph, f"{output_path}.inventory.html")
@@ -1,71 +0,0 @@
-from dataclasses import dataclass, field
-from typing import Any, Dict, List, Optional
-
-
-@dataclass
-class ResourceNode:
-    """
-    Represents a single AWS resource as a node in the connectivity graph.
-
-    id        : globally unique identifier — always the resource ARN
-    type      : coarse resource type used for grouping/colour, e.g. "lambda_function"
-    name      : human-readable label shown on the graph
-    service   : AWS service name, e.g. "lambda", "ec2", "rds"
-    region    : AWS region the resource lives in
-    account_id: AWS account ID
-    properties: additional resource-specific metadata (runtime, vpc_id, etc.)
-    """
-
-    id: str
-    type: str
-    name: str
-    service: str
-    region: str
-    account_id: str
-    properties: Dict[str, Any] = field(default_factory=dict)
-
-
-@dataclass
-class ResourceEdge:
-    """
-    Represents a directional relationship between two resource nodes.
-
-    source_id  : ARN of the source node
-    target_id  : ARN of the target node
-    edge_type  : semantic type of the relationship, e.g.:
-                   "network"    – resources share a network path (VPC/subnet/SG)
-                   "iam"        – IAM trust or permission relationship
-                   "triggers"   – one resource can invoke another (event source → Lambda)
-                   "data_flow"  – data is written/read (Lambda → SQS dead-letter queue)
-                   "depends_on" – soft dependency (Lambda layer, subnet belongs to VPC)
-                   "routes_to"  – traffic routing (LB → target)
-                   "encrypts"   – KMS key encrypts the resource
-    label      : optional short label rendered on the edge in the HTML graph
-    """
-
-    source_id: str
-    target_id: str
-    edge_type: str
-    label: Optional[str] = None
-
-
-@dataclass
-class ConnectivityGraph:
-    """
-    Container for the full inventory connectivity graph.
-
-    nodes: all discovered resource nodes
-    edges: all discovered edges between nodes
-    """
-
-    nodes: List[ResourceNode] = field(default_factory=list)
-    edges: List[ResourceEdge] = field(default_factory=list)
-
-    def add_node(self, node: ResourceNode) -> None:
-        self.nodes.append(node)
-
-    def add_edge(self, edge: ResourceEdge) -> None:
-        self.edges.append(edge)
-
-    def node_ids(self) -> set:
-        return {n.id for n in self.nodes}
@@ -73,7 +73,7 @@ secrets:
  DJANGO_SECRETS_ENCRYPTION_KEY:
  DJANGO_BROKER_VISIBILITY_TIMEOUT: 86400

-releaseConfigRoot: /home/prowler/.venv/lib/python3.12/site-packages/
+releaseConfigRoot: /home/prowler/.cache/pypoetry/virtualenvs/prowler-api-NnJNioq7-py3.12/lib/python3.12/site-packages/
 releaseConfigPath: prowler/config/config.yaml

 mainConfig:
@@ -48,16 +48,10 @@ services:
      - path: .env
        required: false
    ports:
-      - ${UI_PORT:-3000}:3000
+      - ${UI_PORT:-3000}:${UI_PORT:-3000}
    depends_on:
      mcp-server:
        condition: service_healthy
-    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:3000/api/health || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 60s

  postgres:
    image: postgres:16.3-alpine3.20
@@ -467,7 +467,7 @@ Effective headers and section titles enhance document readability and structure,

    * **Example:**
        * How to Clone and Install Prowler from GitHub (header: Title case)
-            * How to install uv dependencies (subheading: Sentence case)
+            * How to install poetry dependencies (subheading: Sentence case)
 5.  **Using Keywords in Headers**
    Headers should include relevant keywords to improve document searchability:
    * **Good:** Scanning AWS Accounts in Parallel
@@ -10,10 +10,10 @@ This repository contains the Prowler Open Source documentation powered by [Mintl

 ## Local Development

-Install a reviewed version of the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:
+Install the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:

 ```bash
-npm install --global mint@4.2.560
+npm i -g mint
 ```

 Run the following command at the root of your documentation (where `mint.json` is located):
@@ -20,8 +20,8 @@ The most common high level steps to create a new check are:
 3. Create a check-specific folder. The path should follow this pattern: `prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>`. Adhere to the [Naming Format for Checks](#naming-format-for-checks).
 4. Populate the folder with files as specified in [File Creation](#file-creation).
 5. Run the check locally to ensure it works as expected. For checking you can use the CLI in the next way:
-    - To ensure the check has been detected by Prowler: `uv run python prowler-cli.py <provider> --list-checks | grep <check_name>`.
-    - To run the check, to find possible issues: `uv run python prowler-cli.py <provider> --log-level ERROR --verbose --check <check_name>`.
+    - To ensure the check has been detected by Prowler: `poetry run python prowler-cli.py <provider> --list-checks | grep <check_name>`.
+    - To run the check, to find possible issues: `poetry run python prowler-cli.py <provider> --log-level ERROR --verbose --check <check_name>`.
 6. Create comprehensive tests for the check that cover multiple scenarios including both PASS (compliant) and FAIL (non-compliant) cases. For detailed information about test structure and implementation guidelines, refer to the [Testing](/developer-guide/unit-testing) documentation.
 7. If the check and its corresponding tests are working as expected, you can submit a PR to Prowler.

@@ -28,7 +28,7 @@ This includes the [AGENTS.md](https://github.com/prowler-cloud/prowler/blob/mast
 <Steps>
  <Step title="Install Mintlify CLI">
    ```bash
-    npm install --global mint@4.2.560
+    npm i -g mint
    ```
    For detailed instructions, check the [Mintlify documentation](https://www.mintlify.com/docs/installation).
  </Step>
@@ -80,7 +80,7 @@ Before proceeding, ensure the following:

 - Git is installed.
 - Python 3.10 or higher is installed.
- `uv` is installed to manage dependencies.
+- `poetry` is installed to manage dependencies.

 ### Forking the Prowler Repository

@@ -97,21 +97,28 @@ cd prowler

 ### Dependency Management and Environment Isolation

-To prevent conflicts between environments, we recommend using [`uv`](https://docs.astral.sh/uv/), a fast Python package and project manager. Install it by following the [official instructions](https://docs.astral.sh/uv/getting-started/installation/).
+To prevent conflicts between environments, we recommend using `poetry`, a Python dependency management solution. Install it by following the [instructions](https://python-poetry.org/docs/#installation).

 ### Installing Dependencies

 To install all required dependencies, including those needed for development, run:

 ```
-uv sync
-source .venv/bin/activate
+poetry install --with dev
+eval $(poetry env activate)
 ```

+<Warning>
+Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment.
+In case you have any doubts, consult the [Poetry environment activation guide](https://python-poetry.org/docs/managing-environments/#activating-the-environment).
+
+</Warning>
+

 ### Pre-Commit Hooks

-This repository uses Git pre-commit hooks managed by the [prek](https://prek.j178.dev/) tool, it is installed with `uv sync`. Next, run the following command in the root of this repository:
+This repository uses Git pre-commit hooks managed by the [prek](https://prek.j178.dev/) tool, it is installed with `poetry install --with dev`. Next, run the following command in the root of this repository:

 ```shell
 prek install
@@ -148,11 +155,11 @@ Once installed, TruffleHog runs before each push and blocks the operation when v
 Before merging pull requests, several automated checks and utilities ensure code security and updated dependencies:

 <Note>
-These should have been already installed if `uv sync` was already run.
+These should have been already installed if `poetry install --with dev` was already run.

 </Note>
 - [`bandit`](https://pypi.org/project/bandit/) for code security review.
- [`osv-scanner`](https://github.com/google/osv-scanner) and [`dependabot`](https://github.com/features/security) for dependencies.
+- [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies.
 - [`hadolint`](https://github.com/hadolint/hadolint) and [`dockle`](https://github.com/goodwithtech/dockle) for container security.
 - [`Snyk`](https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration) for container security in Docker Hub.
 - [`clair`](https://github.com/quay/clair) for container security in Amazon ECR.
@@ -176,7 +183,7 @@ These resources help ensure that AI-assisted contributions maintain consistency

 All dependencies are listed in the `pyproject.toml` file.

-The SDK keeps direct dependencies pinned to exact versions, while `uv.lock` records the full resolved dependency tree and the artifact hashes for every package. Use `uv sync` from the lock file instead of ad-hoc `pip` installs when you need a reproducible environment.
+The SDK keeps direct dependencies pinned to exact versions, while `poetry.lock` records the full resolved dependency tree and the artifact hashes for every package. Use `poetry install` from the lock file instead of ad-hoc `pip` installs when you need a reproducible environment.

 For proper code documentation, refer to the following and follow the code documentation practices presented there: [Google Python Style Guide - Comments and Docstrings](https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings).

@@ -202,8 +209,8 @@ prowler/
 ├── contrib/           # Community-contributed scripts or modules
 ├── kubernetes/        # Kubernetes deployment files
 ├── .github/           # GitHub-related files (workflows, issue templates, etc.)
-├── pyproject.toml     # Python project configuration (uv)
-├── uv.lock            # uv lock file
+├── pyproject.toml     # Python project configuration (Poetry)
+├── poetry.lock        # Poetry lock file
 ├── README.md          # Project overview and getting started
 ├── Makefile           # Common development commands
 ├── Dockerfile         # SDK Docker container
@@ -1277,12 +1277,10 @@ Dependencies ensure that your provider's required libraries are available when P
 **File:** `pyproject.toml`

 ```toml
-[project]
-requires-python = ">=3.10,<3.13"
-dependencies = [
-  # ... other dependencies
-  "your-sdk-library>=1.0.0,<2.0.0",  # Add your SDK dependency
-]
+[tool.poetry.dependencies]
+python = ">=3.10,<3.13"
+# ... other dependencies
+your-sdk-library = "^1.0.0"  # Add your SDK dependency
 ```

 #### Step 18: Create Tests
@@ -228,7 +228,7 @@ Each requirement links to the Prowler checks that, together, produce a PASS or F
 To discover available checks, run:

 ```bash
-uv run python prowler-cli.py <provider> --list-checks
+poetry run python prowler-cli.py <provider> --list-checks
 ```

 ## Supporting Multiple Providers
@@ -295,7 +295,7 @@ Follow the steps below before opening a pull request.
 ### 1. Run the Compliance Model Validator

 ```bash
-uv run python prowler-cli.py <provider> --list-compliance
+poetry run python prowler-cli.py <provider> --list-compliance
 ```

 The framework must appear in the output. A validation error indicates a schema mismatch between the JSON file and the attribute model.
@@ -303,7 +303,7 @@ The framework must appear in the output. A validation error indicates a schema m
 ### 2. Run a Scan Filtered by the Framework

 ```bash
-uv run python prowler-cli.py <provider> \
+poetry run python prowler-cli.py <provider> \
  --compliance <framework>_<version>_<provider> \
  --log-level ERROR
 ```
@@ -336,7 +336,7 @@ Compliance contributions require two layers of tests.
 Run the suite with:

 ```bash
-uv run pytest -n auto tests/lib/check/universal_compliance_models_test.py \
+poetry run pytest -n auto tests/lib/check/universal_compliance_models_test.py \
  tests/lib/outputs/compliance/
 ```

@@ -348,8 +348,8 @@ Before opening the pull request:

 1. Run the complete QA pipeline:
    ```bash
-    uv run pre-commit run --all-files
-    uv run pytest -n auto
+    poetry run pre-commit run --all-files
+    poetry run pytest -n auto
    ```
 2. Add a changelog entry under the `### 🚀 Added` section of `prowler/CHANGELOG.md`, describing the new framework and the providers it covers.
 3. Follow the [Pull Request Template](https://github.com/prowler-cloud/prowler/blob/master/.github/pull_request_template.md) and set the PR title using Conventional Commits, for example `feat(compliance): add My Framework 1.0 for AWS`.
@@ -23,7 +23,7 @@ Within this folder the following files are also to be created:
 - `<new_service_name>_service.py` – Contains all the logic and API calls of the service.
 - `<new_service_name>_client_.py` – Contains the initialization of the freshly created service's class so that the checks can use it.

-Once the files are create, you can check that the service has been created by running the following command: `uv run python prowler-cli.py <provider> --list-services | grep <new_service_name>`.
+Once the files are create, you can check that the service has been created by running the following command: `poetry run python prowler-cli.py <provider> --list-services | grep <new_service_name>`.

 ## Service Structure and Initialisation

@@ -332,13 +332,6 @@
                  "user-guide/providers/vercel/getting-started-vercel",
                  "user-guide/providers/vercel/authentication"
                ]
-              },
-              {
-                "group": "Okta",
-                "pages": [
-                  "user-guide/providers/okta/getting-started-okta",
-                  "user-guide/providers/okta/authentication"
-                ]
              }
            ]
          },
@@ -353,8 +346,7 @@
            "group": "Cookbooks",
            "pages": [
              "user-guide/cookbooks/kubernetes-in-cluster",
-              "user-guide/cookbooks/cicd-pipeline",
-              "user-guide/cookbooks/powerbi-cis-benchmarks"
+              "user-guide/cookbooks/cicd-pipeline"
            ]
          }
        ]
@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 32 tools | Yes |
+| Prowler Cloud/App | 29 tools | Yes |

 ## Tool Naming Convention

@@ -36,14 +36,6 @@ Tools for searching, viewing, and analyzing security findings across all cloud p
 - **`prowler_app_get_finding_details`** - Get comprehensive details about a specific finding including remediation guidance, check metadata, and resource relationships
 - **`prowler_app_get_findings_overview`** - Get aggregate statistics and trends about security findings as a markdown report

-### Finding Groups Management
-
-Tools for listing finding groups aggregated by check ID, viewing complete group counters, and drilling down into affected resources.
-
- **`prowler_app_list_finding_groups`** - List latest or historical finding groups with filters for provider, region, service, resource, category, check, severity, status, muted state, delta, date range, and sorting
- **`prowler_app_get_finding_group_details`** - Get complete details for a specific finding group including counters, description, timestamps, and impacted providers
- **`prowler_app_list_finding_group_resources`** - List actionable unmuted resources affected by a finding group by default, including nested resource and provider data plus the `finding_id` for remediation details. Set `include_muted` to include suppressed resources
-
 ### Provider Management

 Tools for managing cloud provider connections in Prowler.
@@ -44,21 +44,13 @@ Choose the configuration based on your deployment:

  <Tab title="Generic without Native HTTP Support">
    **Configuration:**
-    <Warning>
-    Avoid configuring MCP clients to run `npx mcp-remote` directly. `npx` can download and execute a new package version on each run. Install a reviewed version of `mcp-remote` in a dedicated local workspace, then point the MCP client to the installed binary.
-    </Warning>
-    ```bash
-    mkdir -p ~/.local/share/prowler-mcp-bridge
-    cd ~/.local/share/prowler-mcp-bridge
-    npm init -y
-    npm install --save-exact mcp-remote@0.1.38
-    ```
    ```json
    {
      "mcpServers": {
        "prowler": {
-          "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
+          "command": "npx",
          "args": [
+            "mcp-remote",
            "https://mcp.prowler.com/mcp", // or your self-hosted Prowler MCP Server URL
            "--header",
            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -80,20 +72,14 @@ Choose the configuration based on your deployment:
    2. Go to "Developer" tab
    3. Click in "Edit Config" button
    4. Edit the `claude_desktop_config.json` file with your favorite editor
-    5. Install a reviewed version of `mcp-remote` in a dedicated local workspace:
-    ```bash
-    mkdir -p ~/.local/share/prowler-mcp-bridge
-    cd ~/.local/share/prowler-mcp-bridge
-    npm init -y
-    npm install --save-exact mcp-remote@0.1.38
-    ```
-    6. Add the following configuration:
+    5. Add the following configuration:
    ```json
    {
      "mcpServers": {
        "prowler": {
-          "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
+          "command": "npx",
          "args": [
+            "mcp-remote",
            "https://mcp.prowler.com/mcp",
            "--header",
            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -37,8 +37,8 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    _Requirements_:

    - `git` installed.
-    - `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
-    - `pnpm` installed through [Corepack](https://pnpm.io/installation#using-corepack) or the standalone [pnpm installation](https://pnpm.io/installation).
+    - `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
+    - `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
    - `Docker Compose` installed: https://docs.docker.com/compose/install/.

    <Warning>
@@ -49,8 +49,8 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
-    uv sync \
-    source .venv/bin/activate \
+    poetry install \
+    eval $(poetry env activate) \
    set -a \
    source .env \
    docker compose up postgres valkey -d \
@@ -59,6 +59,11 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    gunicorn -c config/guniconf.py config.wsgi:application
    ```

+    <Warning>
+      Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+
+      If your poetry version is below 2.0.0 you must keep using `poetry shell` to activate your environment. In case you have any doubts, consult the Poetry environment activation guide: https://python-poetry.org/docs/managing-environments/#activating-the-environment
+    </Warning>
    > Now, you can access the API documentation at http://localhost:8080/api/v1/docs.

    _Commands to run the API Worker_:
@@ -66,8 +71,8 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
-    uv sync \
-    source .venv/bin/activate \
+    poetry install \
+    eval $(poetry env activate) \
    set -a \
    source .env \
    cd src/backend \
@@ -79,8 +84,8 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/api \
-    uv sync \
-    source .venv/bin/activate \
+    poetry install \
+    eval $(poetry env activate) \
    set -a \
    source .env \
    cd src/backend \
@@ -92,11 +97,9 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/ui \
-    corepack enable \
-    corepack install \
-    pnpm install --frozen-lockfile \
-    pnpm run build \
-    pnpm start
+    npm install \
+    npm run build \
+    npm start
    ```

    > Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.
@@ -68,7 +68,7 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
    _Requirements for Developers_:

    * `git`
-    * `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+    * `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:
@@ -76,8 +76,8 @@ To install Prowler as a Python package, use `Python >= 3.10, <= 3.12`. Prowler i
    ```bash
    git clone https://github.com/prowler-cloud/prowler
    cd prowler
-    uv sync
-    uv run python prowler-cli.py -v
+    poetry install
+    poetry run python prowler-cli.py -v
    ```

    <Note>
@@ -47,12 +47,11 @@ Prowler supports a wide range of providers organized by category:
 | Provider                                                                                  | Support  | Audit Scope/Entities         | Interface    |
 | ----------------------------------------------------------------------------------------- | -------- | ---------------------------- | ------------ |
 | [GitHub](/user-guide/providers/github/getting-started-github)                             | Official | Organizations / Repositories | UI, API, CLI |
-| [Google Workspace](/user-guide/providers/googleworkspace/getting-started-googleworkspace)  | Official | Domains                      | UI, API, CLI |
+| [Google Workspace](/user-guide/providers/googleworkspace/getting-started-googleworkspace)  | Official | Domains                      | CLI          |
 | [LLM](/user-guide/providers/llm/getting-started-llm)                                     | Official | Models                       | CLI          |
 | [M365](/user-guide/providers/microsoft365/getting-started-m365)                           | Official | Tenants                      | UI, API, CLI |
 | [MongoDB Atlas](/user-guide/providers/mongodbatlas/getting-started-mongodbatlas)           | Official | Organizations                | UI, API, CLI |
-| [Okta](/user-guide/providers/okta/getting-started-okta)                                   | Official | Organizations                | CLI          |
-| [Vercel](/user-guide/providers/vercel/getting-started-vercel)                             | Official | Teams / Projects             | UI, API, CLI |
+| [Vercel](/user-guide/providers/vercel/getting-started-vercel)                             | Official | Teams / Projects             | CLI          |

 ### Kubernetes

@@ -39,11 +39,10 @@ Dependencies are continuously monitored for known vulnerabilities with timely up

 ### Dependency Vulnerability Scanning

- **osv-scanner:** Scans lockfiles against the [OSV.dev](https://osv.dev) vulnerability database
-  - Runs in CI on every pull request and push for SDK, API, and UI
-  - Fails the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings
-  - Posts a per-lockfile report as a PR comment
-  - Per-vulnerability ignores (with reason and expiry) live in `osv-scanner.toml` at the repo root
+- **Safety:** Scans Python dependencies against known vulnerability databases
+  - Runs on every commit via pre-commit hooks
+  - Integrated into CI/CD for SDK and API
+  - Configured with selective ignores for tracked exceptions
 - **Trivy:** Multi-purpose scanner for containers and dependencies
  - Scans all container images (UI, API, SDK, MCP Server)
  - Checks for vulnerabilities in OS packages and application dependencies
@@ -158,15 +158,6 @@ The following list includes all the Vercel checks with configurable variables th
 | `team_member_role_least_privilege`                   | `max_owners`                       | Integer         |
 | `team_no_stale_invitations`                         | `stale_invitation_threshold_days`  | Integer         |

-## Okta
-
-### Configurable Checks
-The following list includes all the Okta checks with configurable variables that can be changed in the configuration YAML file:
-
-| Check Name                                                    | Value                              | Type    |
-|---------------------------------------------------------------|------------------------------------|---------|
-| `signon_global_session_idle_timeout_15min`                    | `okta_max_session_idle_minutes`    | Integer |
-
 ## Config YAML File Structure

 <Note>
@@ -18,11 +18,9 @@ prowler <provider> --scan-unused-services

 #### ACM (AWS Certificate Manager)

-Certificates stored in ACM without active usage in AWS resources are excluded. By default, Prowler only scans actively used certificates. Unused certificates are not evaluated for expiration, transparency logging, or weak key algorithms.
+Certificates stored in ACM without active usage in AWS resources are excluded. By default, Prowler only scans actively used certificates. Unused certificates will not be checked if they are expired, if their expiring date is near or if they are good.

 - `acm_certificates_expiration_check`
- `acm_certificates_transparency_logs_enabled`
- `acm_certificates_with_secure_key_algorithms`

 #### Athena

@@ -30,13 +28,6 @@ Upon AWS account creation, Athena provisions a default primary workgroup for the

 - `athena_workgroup_encryption`
 - `athena_workgroup_enforce_configuration`
- `athena_workgroup_logging_enabled`
-
-#### Amazon Bedrock
-
-Generative AI workloads benefit from private VPC endpoint connectivity to keep prompt and model traffic off the public internet. Prowler only evaluates this configuration for VPCs in use (with active ENIs).
-
- `bedrock_vpc_endpoints_configured`

 #### AWS CloudTrail

@@ -47,23 +38,15 @@ AWS CloudTrail should have at least one trail with a data event to record all S3

 #### AWS Elastic Compute Cloud (EC2)

-If Amazon Elastic Block Store (EBS) default encryption is not enabled, sensitive data at rest remains unprotected in EC2. Prowler only generates a finding if EBS volumes exist where default encryption could be enforced.
+If Amazon Elastic Block Store (EBS) default encyption is not enabled, sensitive data at rest will remain unprotected in EC2. However, Prowler will only generate a finding if EBS volumes exist where default encryption could be enforced.

 - `ec2_ebs_default_encryption`

-**EBS Snapshot Public Access**: Public EBS snapshots can leak data. Prowler only evaluates the account-level block setting if EBS snapshots exist in the account.
-
- `ec2_ebs_snapshot_account_block_public_access`
-
-**EC2 Instance Metadata Service (IMDS)**: Enforcing IMDSv2 at the account level mitigates SSRF-based credential theft. Prowler only evaluates the account-level setting if EC2 instances exist in the account.
-
- `ec2_instance_account_imdsv2_enabled`
-
 **Security Groups**: Misconfigured security groups increase the attack surface.

 Prowler scans only attached security groups to report vulnerabilities in actively used configurations. Applies to:

- 20 security group-related checks, including open ports and ingress/egress traffic rules.
+- 15 security group-related checks, including open ports and ingress/egress traffic rules.

    - `ec2_securitygroup_allow_ingress_from_internet_to_port_X`
    - `ec2_securitygroup_default_restrict_traffic`
@@ -73,18 +56,6 @@ Prowler scans only attached security groups to report vulnerabilities in activel

    - `ec2_networkacl_allow_ingress_X_port`

-#### AWS Identity and Access Management (IAM)
-
-Customer-managed IAM policies that are not attached to any user, group, or role grant no effective permissions until a principal is bound to them. Prowler treats such policies as dormant by default and skips the content-evaluation checks below when `--scan-unused-services` is not set. Enable the flag to surface findings on unattached policies as well.
-
- `iam_policy_allows_privilege_escalation`
- `iam_policy_no_full_access_to_cloudtrail`
- `iam_policy_no_full_access_to_kms`
- `iam_policy_no_wildcard_marketplace_subscribe`
- `iam_no_custom_policy_permissive_role_assumption`
-
-The dedicated `iam_customer_unattached_policy_no_administrative_privileges` check still inspects unattached policies regardless of the flag, since its purpose is to highlight dormant administrator privileges.
-
 #### AWS Glue

 AWS Glue best practices recommend encrypting metadata and connection passwords in Data Catalogs.
@@ -100,12 +71,6 @@ Amazon Inspector is a vulnerability discovery service that automates continuous

 - `inspector2_is_enabled`

-#### AWS Key Management Service (KMS)
-
-Customer managed Customer Master Keys (CMKs) in the `Disabled` state cannot be used for cryptographic operations, so Prowler skips the unintentional-deletion check on them by default. Enable the flag to evaluate disabled CMKs as well.
-
- `kms_cmk_not_deleted_unintentionally`
-
 #### Amazon Macie

 Amazon Macie leverages machine learning to automatically discover, classify, and protect sensitive data in S3 buckets. Prowler only generates findings if Macie is disabled and there are S3 buckets in the AWS account.
@@ -118,15 +83,6 @@ A network firewall is essential for monitoring and controlling traffic within a

 - `networkfirewall_in_all_vpc`

-#### Amazon Relational Database Service (RDS)
-
-RDS event subscriptions notify operators of critical database events. Prowler only evaluates these subscription checks when RDS clusters or instances exist in the account.
-
- `rds_cluster_critical_event_subscription`
- `rds_instance_critical_event_subscription`
- `rds_instance_event_subscription_parameter_groups`
- `rds_instance_event_subscription_security_groups`
-
 #### Amazon S3

 To prevent unintended data exposure:
@@ -143,10 +99,6 @@ VPC settings directly impact network security and availability.

    - `vpc_flow_logs_enabled`

- VPC Endpoint for EC2: Routes EC2 API calls through a private VPC endpoint to keep traffic off the public internet. Prowler only evaluates this configuration for VPCs in use, i.e., those with active ENIs.
-
-    - `vpc_endpoint_for_ec2_enabled`
-
 - VPC Subnet Public IP Restrictions: Prevent unintended exposure of resources to the internet. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.

    - `vpc_subnet_no_public_ip_by_default`
@@ -149,14 +149,6 @@ Prowler Cloud and App expose two formats:
 * **CSV report:** Every requirement, every check, and every finding for the selected scan and filters. Available for all supported frameworks.
 * **PDF report:** Curated executive-style report. Currently supported for Prowler ThreatScore, ENS RD2022, NIS2, and CSA CCM. Additional PDF reports are added in subsequent Prowler releases.

-<Note>
-**PDF detail section is capped at the first 100 failed findings per check.** The PDF is intended as an executive/auditor document, not a raw data dump: when a check produces more than 100 failed findings the report renders the first 100 and shows a banner pointing the reader to the CSV or JSON-OCSF export for the complete list. The compliance CSV and the scan outputs are never truncated.
-
-The cap is configurable per deployment via the `DJANGO_PDF_MAX_FINDINGS_PER_CHECK` environment variable on the Prowler API workers; set it to `0` to disable truncation entirely. The default value of `100` keeps the PDF readable and bounded in size on enterprise-scale scans (hundreds of thousands of findings) without affecting smaller scans, where the cap is rarely reached.
-
-Only **failed** findings are rendered in the detail section. PASS findings for the same check are excluded at query time. The PDF surfaces what needs attention, and the CSV/JSON exports surface everything for forensic review.
-</Note>
-
 #### Downloading From the Detail Page

 Inside any framework detail page, the **CSV** and **PDF** buttons in the header trigger the same downloads as the overview dropdown. The PDF button only appears for frameworks that support it.
@@ -1,168 +0,0 @@
---
-title: "Visualize Multi-Cloud CIS Benchmarks With Power BI"
-description: "Ingest Prowler compliance CSV exports into a ready-made Microsoft Power BI template that surfaces CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes."
---
-
-The Multi-Cloud CIS Benchmarks Power BI template turns Prowler compliance CSV exports into an interactive dashboard. The template ingests scan results from Prowler CLI or Prowler Cloud and renders cross-provider CIS Benchmark coverage, profile-level breakdowns, regional drill-downs, and time-series trends. Center for Internet Security (CIS) Benchmarks are industry-standard configuration baselines maintained by CIS.
-
-The template and its source files live in the Prowler repository under [`contrib/PowerBI/Multicloud CIS Benchmarks`](https://github.com/prowler-cloud/prowler/tree/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks).
-
-<img src="/images/powerbi/report-cover.png" alt="Multi-Cloud CIS Benchmarks Power BI report cover showing aggregated compliance posture across providers" width="900" />
-
-## Prerequisites
-
-The setup requires the following components:
-
-* **Microsoft Power BI Desktop:** free download from Microsoft.
-* **Prowler compliance CSV exports:** produced by Prowler CLI or downloaded from Prowler Cloud or Prowler App.
-* **Local directory:** holds the CSV exports that the template ingests at load time.
-
-## Supported CIS Benchmarks
-
-The template ships with predefined mappings for the following CIS Benchmark versions. Exports must match these versions for the dashboard to populate correctly:
-
-| Compliance Framework                           | Version  |
-| ---------------------------------------------- | -------- |
-| CIS Amazon Web Services Foundations Benchmark  | v6.0     |
-| CIS Microsoft Azure Foundations Benchmark      | v5.0     |
-| CIS Google Cloud Platform Foundation Benchmark | v4.0     |
-| CIS Kubernetes Benchmark                       | v1.12.0  |
-
-<Warning>
-Other CIS Benchmark versions are not recognized by the template. Confirm the framework version before running the scan or downloading the export.
-</Warning>
-
-## Setup
-
-### Step 1: Install Microsoft Power BI Desktop
-
-Download and install Microsoft Power BI Desktop from the official Microsoft site. The template is opened with this application.
-
-### Step 2: Generate Compliance CSV Exports
-
-Compliance CSV exports can be generated through Prowler CLI or downloaded from Prowler Cloud and Prowler App.
-
-#### Option A: Prowler CLI
-
-Run a scan with the `--compliance` flag pointing to the appropriate CIS framework, for example:
-
-```sh
-prowler aws --compliance cis_6.0_aws
-prowler azure --compliance cis_5.0_azure
-prowler gcp --compliance cis_4.0_gcp
-prowler kubernetes --compliance cis_1.12_kubernetes
-```
-
-The compliance CSV exports are written to `output/compliance/` by default.
-
-#### Option B: Prowler Cloud or Prowler App
-
-Open the Compliance section, select the desired CIS Benchmark, and download the CSV export.
-
-<img src="/images/powerbi/download-compliance-scan.png" alt="Compliance section in Prowler Cloud showing the CSV download option for a CIS Benchmark scan" width="900" />
-
-### Step 3: Create a Local Directory for the Exports
-
-Place every CSV export in a single local directory. The template parses filenames to detect the provider, so filenames must keep the provider keyword (`aws`, `azure`, `gcp`, or `kubernetes`).
-
-<Note>
-Time-series visualizations such as "Compliance Percent Over Time" require multiple scans from different dates in the same directory.
-</Note>
-
-### Step 4: Open the Power BI Template
-
-Download the template file [`Prowler Multicloud CIS Benchmarks.pbit`](https://github.com/prowler-cloud/prowler/raw/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks/Prowler%20Multicloud%20CIS%20Benchmarks.pbit) and open it. Power BI Desktop prompts for the full filepath to the directory created in step 3.
-
-### Step 5: Provide the Directory Filepath
-
-Enter the absolute filepath without quotation marks. The Windows "copy as path" feature wraps the path in quotation marks automatically; remove them before submitting.
-
-### Step 6: Save the Report as a `.pbix` File
-
-Once the filepath is submitted, the template ingests the CSV exports and renders the report. Save the populated report as a `.pbix` file for future use. Re-running the `.pbit` template generates a fresh report against an updated directory.
-
-## Validation
-
-To confirm the CSV exports were ingested correctly, open the "Configuration" tab inside the report.
-
-<img src="/images/powerbi/validation.png" alt="Configuration tab in the Power BI report displaying loaded CIS Benchmarks, the Prowler CSV folder path, and the list of ingested exports" width="900" />
-
-The "Configuration" tab exposes three tables:
-
-* **Loaded CIS Benchmarks:** lists the benchmarks and versions supported by the template. This table is defined by the template itself and is not editable. All benchmarks remain listed regardless of which provider exports were supplied.
-* **Prowler CSV Folder:** displays the absolute path provided during template load.
-* **Loaded Prowler Exports:** lists every CSV file detected in the directory. A green checkmark identifies the file used as the latest assessment for each provider and benchmark combination.
-
-## Report Sections
-
-The report is organized into three navigable pages:
-
-| Report Page | Purpose                                                                              |
-| ----------- | ------------------------------------------------------------------------------------ |
-| Overview    | Aggregates CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes.    |
-| Benchmark   | Focuses on a single CIS Benchmark with profile-level and regional filters.           |
-| Requirement | Drill-through page that surfaces details for a single benchmark requirement.         |
-
-### Overview Page
-
-The Overview page summarizes CIS Benchmark posture across every supported provider.
-
-<img src="/images/powerbi/overview-page.png" alt="Overview page in the Power BI report aggregating CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes" width="900" />
-
-The Overview page contains the following components:
-
-| Component                                | Description                                                                  |
-| ---------------------------------------- | ---------------------------------------------------------------------------- |
-| CIS Benchmark Overview                   | Table listing benchmark name, version, and overall compliance percentage.    |
-| Provider by Requirement Status           | Bar chart breaking down requirements by status and provider.                 |
-| Compliance Percent Heatmap               | Heatmap of compliance percentage by benchmark and profile level.             |
-| Profile Level by Requirement Status      | Bar chart breaking down requirements by status and profile level.            |
-| Compliance Percent Over Time by Provider | Line chart tracking overall compliance percentage over time by provider.     |
-
-### Benchmark Page
-
-The Benchmark page focuses on a single CIS Benchmark. The benchmark, profile level, and region can be selected through dropdown filters.
-
-<img src="/images/powerbi/benchmark-page.png" alt="Benchmark page in the Power BI report showing region heatmap, section breakdown, time-series trend, and the requirements table" width="900" />
-
-The Benchmark page contains the following components:
-
-| Component                                | Description                                                                                                                       |
-| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
-| Compliance Percent Heatmap               | Heatmap of compliance percentage by region and profile level.                                                                     |
-| Benchmark Section by Requirement Status  | Bar chart of requirements grouped by benchmark section and status.                                                                |
-| Compliance Percent Over Time by Region   | Line chart tracking compliance percentage over time by region.                                                                    |
-| Benchmark Requirements                   | Table listing requirement section, requirement number, requirement title, number of resources tested, status, and failing checks. |
-
-### Requirement Page
-
-The Requirement page is a drill-through view that exposes the full context of a single requirement. To populate the page, right-click a row in the "Benchmark Requirements" table on the Benchmark page and select "Drill through" > "Requirement".
-
-<img src="/images/powerbi/requirement-page.png" alt="Requirement drill-through page in the Power BI report showing rationale, remediation, regional breakdown, and the resource-level check results" width="900" />
-
-The Requirement page contains the following components:
-
-| Component                                  | Description                                                                                  |
-| ------------------------------------------ | -------------------------------------------------------------------------------------------- |
-| Title                                      | Requirement title.                                                                           |
-| Rationale                                  | Rationale for the requirement.                                                               |
-| Remediation                                | Remediation guidance for the requirement.                                                    |
-| Region by Check Status                     | Bar chart of Prowler check results grouped by region and status.                             |
-| Resource Checks for Benchmark Requirements | Table listing resource ID, resource name, status, description, and the underlying Prowler check. |
-
-## Walkthrough Video
-
-A full walkthrough is available on YouTube:
-
-[![Multi-Cloud CIS Benchmarks Power BI walkthrough video thumbnail](/images/powerbi/walkthrough-video-thumb.png)](https://www.youtube.com/watch?v=lfKFkTqBxjU)
-
-## Related Resources
-
-<CardGroup cols={2}>
-  <Card title="Compliance Frameworks" icon="shield-check" href="/user-guide/compliance/tutorials/compliance">
-    Review the Compliance workflow across Prowler Cloud, Prowler App, and Prowler CLI.
-  </Card>
-  <Card title="Prowler Dashboard" icon="chart-line" href="/user-guide/cli/tutorials/dashboard">
-    Explore the built-in local dashboard for Prowler CSV exports.
-  </Card>
-</CardGroup>
@@ -27,7 +27,7 @@ To download results from AWS CloudShell:

 ## Cloning Prowler from GitHub

-Due to the limited storage in AWS CloudShell's home directory, installing uv dependencies for running Prowler from GitHub can be problematic.
+Due to the limited storage in AWS CloudShell's home directory, installing Poetry dependencies for running Prowler from GitHub can be problematic.

 The following workaround ensures successful installation:

@@ -37,9 +37,17 @@ adduser prowler
 su prowler
 git clone https://github.com/prowler-cloud/prowler.git
 cd prowler
-pip install uv
-mkdir /tmp/uv-cache
-UV_CACHE_DIR=/tmp/uv-cache uv sync
-source .venv/bin/activate
+pip install poetry
+mkdir /tmp/poetry
+poetry config cache-dir /tmp/poetry
+eval $(poetry env activate)
+poetry install
 python prowler-cli.py -v
 ```
+
+<Warning>
+Starting from Poetry v2.0.0, `poetry shell` has been deprecated in favor of `poetry env activate`.
+
+If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment. For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.
+
+</Warning>
@@ -44,15 +44,6 @@ User API Tokens are the recommended authentication method because they:
 Create a **User API Token**, not an Account API Token. User API Tokens are created from the profile settings and offer finer permission control.
 </Note>

-**Quick Setup:** Use these pre-configured links to open the Cloudflare Dashboard with the required permissions already selected:
-
- [Create User API Token](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Prowler%20Security%20Scanner) — creates a **User API Token** (recommended). Opens the **Create Custom Token** form prefilled with the four required read-only scopes (`Account Settings`, `Zone`, `Zone Settings`, `DNS`) and the name `Prowler Security Scanner`. Adjust **Account Resources** and **Zone Resources** to match the accounts and zones you want to scan, then click **Create Token**.
- [Create Account-Owned API Token](https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&name=Prowler%20Security%20Scanner) — creates an [account-owned token](https://developers.cloudflare.com/fundamentals/api/how-to/account-owned-token-template/) instead. Use this for automation or CI/CD where the token should not depend on a specific user account remaining active. Requires the **Super Administrator** or **Administrator** role on the account.
-
-<Note>
-Template URLs only pre-fill the token creation form. Review the permissions, configure resources, and click **Create Token** to complete the process.
-</Note>
-
 ### Step 1: Create a User API Token

 1. Log into the [Cloudflare Dashboard](https://dash.cloudflare.com).
@@ -14,15 +14,6 @@ Set up authentication for Cloudflare with the [Cloudflare Authentication](/user-
 - Grant the required read-only permissions (`Account Settings:Read`, `Zone:Read`, `Zone Settings:Read`, `DNS:Read`)
 - Identify the Cloudflare Account ID to use as the provider identifier

-<Note>
-**Quick Setup:** Use these pre-configured links to create a token with the required permissions already selected:
-
- [Create User API Token](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Prowler%20Security%20Scanner) — creates a User API Token (recommended).
- [Create Account-Owned API Token](https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22zone_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&name=Prowler%20Security%20Scanner) — creates an [account-owned token](https://developers.cloudflare.com/fundamentals/api/how-to/account-owned-token-template/), better suited for automation and CI/CD.
-
-Both links open the Cloudflare Dashboard with the four required read-only scopes (`Account Settings`, `Zone`, `Zone Settings`, `DNS`) and the name `Prowler Security Scanner` prefilled. See [Cloudflare Authentication](/user-guide/providers/cloudflare/authentication#api-token-recommended) for the equivalent manual steps.
-</Note>
-
 <CardGroup cols={2}>
  <Card title="Prowler Cloud" icon="cloud" href="#prowler-cloud">
    Onboard Cloudflare using Prowler Cloud
@@ -153,8 +153,8 @@ Before running Prowler CLI for GitHub, ensure you have:
   # Install via pip
   pip install prowler

-   # Or via uv (from the cloned repo)
-   uv sync
+   # Or via poetry
+   poetry install
   ```

 2. **Authentication Credentials**
@@ -18,7 +18,7 @@ Prowler requests the following read-only OAuth 2.0 scopes:
 | `https://www.googleapis.com/auth/admin.directory.domain.readonly` | Read access to domain information |
 | `https://www.googleapis.com/auth/admin.directory.customer.readonly` | Read access to customer information (Customer ID) |
 | `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read access to organizational unit hierarchy (identifies the root OU for policy filtering) |
-| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Gmail, Chat, and Drive service checks) |
+| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar service checks) |
 | `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read access to admin roles and role assignments |

 <Warning>
@@ -40,7 +40,7 @@ In the [Google Cloud Console](https://console.cloud.google.com), select the targ
 | API | Required For |
 |-----|--------------|
 | **Admin SDK API** | Directory service checks (users, roles, domains) |
-| **Cloud Identity API** | Calendar, Gmail, Chat, and Drive service checks (domain-level application policies) |
+| **Cloud Identity API** | Calendar service checks (domain-level sharing and invitation policies) |

 For each API:

@@ -49,7 +49,7 @@ For each API:
 3. Click **Enable**

 <Note>
-Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar, Gmail, Chat, and Drive checks will return no findings if the Cloud Identity API is not enabled.
+Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar checks will return no findings if the Cloud Identity API is not enabled.
 </Note>

 ### Step 3: Create a Service Account
@@ -176,9 +176,9 @@ If Prowler connects but returns empty results or permission errors for specific
 - Verify all scopes are authorized in the Admin Console
 - Ensure the delegated user is an active super administrator

-### Policy API Checks Return No Findings
+### Calendar Checks Return No Findings

-If the Directory checks run successfully but the Calendar, Gmail, Chat, or Drive checks return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
+If the Directory checks run successfully but the Calendar checks (e.g., `calendar_external_sharing_primary_calendar`) return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:

 - The **Cloud Identity API** is enabled in the GCP project hosting the Service Account (Step 2)
 - The scope `https://www.googleapis.com/auth/cloud-identity.policies.readonly` is included in the Domain-Wide Delegation OAuth scopes list in the Admin Console (Step 5)
@@ -22,7 +22,7 @@ Install promptfoo using one of the following methods:

 **Using npm:**
 ```bash
-npm install --global promptfoo@0.121.11
+npm install -g promptfoo
 ```

 **Using Homebrew (macOS):**
@@ -46,7 +46,7 @@ Before you begin, ensure you have:
   ```bash
   pip install prowler
   # or for development:
-   uv sync
+   poetry install
   ```

 2. **OCI Python SDK** (automatically installed with Prowler):
@@ -1,186 +0,0 @@
---
-title: 'Okta Authentication in Prowler'
---
-
-import { VersionBadge } from "/snippets/version-badge.mdx"
-
-<VersionBadge version="5.27.0" />
-
-Prowler authenticates to Okta as a **service application** using **OAuth 2.0 with a private-key JWT** (Client Credentials grant). The integration is read-only by scope and follows DISA STIG guidance for least-privilege access.
-
-## Common Setup
-
-### Prerequisites
-
- An Okta organization. The UI examples below use **Identity Engine** terminology such as **Global Session Policy**; Classic Engine exposes equivalent sign-on policy concepts under older naming.
- A **Super Administrator** account on that organization for the one-time service-app setup.
- An **API Services** app integration created in the Okta Admin Console.
-
-### Authentication Method Overview
-
-| Method | Status | Use Case |
-|---|---|---|
-| **OAuth 2.0 (private-key JWT)** | Supported | Production scans, CI/CD, Prowler App. |
-
-The private-key JWT flow is the only supported authentication method in the initial release. The service application proves possession of a private key on every token request; Okta returns a short-lived access token, refreshed automatically by the SDK.
-
-<Note>
-If a different authentication method is needed (SSWS API token, OAuth with user delegation, etc.), please open a [feature request](https://github.com/prowler-cloud/prowler/issues/new?template=feature-request.yml) describing the use case.
-</Note>
-
-### Required OAuth Scopes
-
-For the initial check (`signon_global_session_idle_timeout_15min`) only one scope is required:
-
- `okta.policies.read`
-
-Additional scopes will be needed as more services and checks are added, this are the current ones needed:
-
-| Scope | Used by |
-|---|---|
-| `okta.policies.read` | Sign-on / password / authentication policies |
-
-### Required Admin Role
-
-The service application must be assigned the built-in **Read-Only Administrator** role.
-
-Okta's Management API enforces a two-layer authorization model: an OAuth **scope** decides which API endpoints the token can call, and an **admin role** decides whether the call returns data. With only a scope granted, the token mint succeeds but every read returns `403 Forbidden`. The Read-Only Administrator role is the minimum that lets the granted `okta.*.read` scopes actually return configuration data to Prowler's checks — without it, the credential probe at provider startup fails and the scan never gets to evaluate any check.
-
-Read-Only Administrator is intentionally the narrowest role that satisfies this requirement and aligns with the least-privilege guidance in DISA STIG.
-
-## Step-by-Step Setup
-
-### 1. Go to the admin console
-
-![Okta — admin console page](/user-guide/providers/okta/images/select-admin-console.png)
-
-### 2. [Optional] - Disable the privilege-escalation bypass (org-wide, one-time)
-
-In the Okta Admin Console, go to **Settings → Account → Public client app admins** and ensure it is **off**. When enabled, every API Services app can be auto-assigned the Super Administrator role after scopes are granted, which would invalidate the read-only premise of this integration.
-
-![Okta — disable Public client app admins](/user-guide/providers/okta/images/public-client-app-admins.png)
-
-### 3. Create the API Services app
-
-1. Go to **Applications → Applications**.
-
-![Okta — create API Services app](/user-guide/providers/okta/images/go-to-applications.png)
-
-2. **Create App Integration**
-
-![Okta — create App integration](/user-guide/providers/okta/images/create-new-application.png)
-
-3. Sign-in method: **API Services**. Click **Next**.
-4. Name the app (for example, `Prowler Scanner`) and click **Save**.
-5. Copy the displayed **Client ID** — you'll use it as `OKTA_CLIENT_ID`.
-
-![Okta — copy client id](/user-guide/providers/okta/images/copy-client-id.png)
-
-### 4. Switch to private-key authentication and generate a keypair
-
-On the new app's **General** tab, scroll to **Client Credentials**:
-
-1. Click **Edit**.
-2. Set **Client authentication** to **Public key / Private key**.
-3. Under **Public Keys**, click **Add key**.
-4. In the modal, click **Generate new key**. Okta creates a JWK pair.
-5. Click the **PEM** tab to switch the displayed format (or keep JWK — Prowler accepts both).
-6. Copy the entire `-----BEGIN PRIVATE KEY-----` block (or the JWK JSON).
-7. Click **Done**, then **Save**.
-
-<Warning>
-Okta displays the private key **only once**. If you close the modal without copying, you must generate a new key.
-</Warning>
-
-![Okta — create Public Key](/user-guide/providers/okta/images/create-public-key.png)
-
-### 5. Grant the required OAuth scopes
-
-On the app, open the **Okta API Scopes** tab and click **Grant** on every scope Prowler needs. For the initial release, granting only `okta.policies.read` is sufficient.
-
-![Okta — grant OAuth scopes](/user-guide/providers/okta/images/grant-permissions.png)
-
-### 6. Assign the Read-Only Administrator role
-
-On the app, open the **Admin roles** tab and click **Edit assignments → Add assignment**:
-
- **Role:** Read-Only Administrator
- **Resources:** All resources
-
-Save the changes.
-
-![Okta — grant Read-Only role](/user-guide/providers/okta/images/grant-roles.png)
-
-### 7. [Optional] Verify DPoP setting
-
-Prowler sends DPoP (Demonstrating Proof of Possession) proofs on every token request. The integration works whether the **Require Demonstrating Proof of Possession (DPoP) header in token requests** setting on the service app is on or off — but enabling it is the more secure default.
-
-## Prowler CLI Authentication
-
-### Using Environment Variables (Required for Secrets)
-
-Private key material **must** be supplied via environment variables — Prowler does not accept secrets through CLI flags.
-
-```bash
-export OKTA_ORG_DOMAIN="YOUR-ORG.okta.com"
-export OKTA_CLIENT_ID="0oa1234567890abcdef"
-
-# Either of the two — content takes precedence over file when both are set.
-export OKTA_PRIVATE_KEY_FILE="/secure/path/to/prowler-okta.pem"
-# or
-export OKTA_PRIVATE_KEY="$(cat /secure/path/to/prowler-okta.pem)"
-
-# Optional — defaults to "okta.policies.read"
-export OKTA_SCOPES="okta.policies.read"
-
-uv run python prowler-cli.py okta
-```
-
-### Non-Secret CLI Flags
-
-Non-secret values are also available as CLI flags for ergonomic overrides:
-
-| Flag | Equivalent env var |
-|---|---|
-| `--okta-org-domain` | `OKTA_ORG_DOMAIN` |
-| `--okta-client-id` | `OKTA_CLIENT_ID` |
-| `--okta-scopes` | `OKTA_SCOPES` |
-
-Run a single check directly:
-
-```bash
-uv run python prowler-cli.py okta --check signon_global_session_idle_timeout_15min
-```
-
-## Troubleshooting
-
-### `OktaInvalidOrgDomainError`
-
-The org domain must be `<org>.okta.com` (or `.oktapreview.com` / `.okta-emea.com` / `.okta-gov.com` / `.okta.mil` / `.okta-miltest.com` / `.trex-govcloud.com`). Pass the bare hostname only — no `https://` scheme, no path, no trailing slash. Custom (vanity) domains are not currently accepted.
-
-### `OktaPrivateKeyFileError`
-
-The file at `OKTA_PRIVATE_KEY_FILE` is missing, unreadable, or empty. Confirm the path and that the file contains a non-empty PEM block or JWK JSON document.
-
-### `OktaInvalidCredentialsError` at provider init
-
-Prowler validates credentials at startup by listing one sign-on policy. This error indicates the credential material itself was rejected:
-
- **`invalid_client`** — the public key registered in Okta does not match the private key on disk. Generate a fresh keypair and try again.
-
-### `OktaInsufficientPermissionsError` at provider init
-
-Raised when the credential probe succeeds at the OAuth layer but the request is rejected because the service app lacks the required scope or admin role:
-
- **`invalid_scope`** — the `okta.policies.read` scope is not granted on the service app. Grant it from **Okta API Scopes**.
- **`Forbidden` / `not authorized`** — the **Read-Only Administrator** role is not assigned to the service app. Assign it from **Admin roles**.
-
-### `invalid_dpop_proof`
-
-The org or the service app requires DPoP. The provider always sends DPoP proofs, so this error indicates the SDK could not build a valid proof — typically because the private key on disk does not match the public key uploaded to Okta. Regenerate the keypair.
-
-## Additional Resources
-
- [Implement OAuth 2.0 for an Okta service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/)
- [Okta Policy API reference](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/)
- [DISA STIG for Okta (V-273186)](https://stigviewer.com/stigs/okta/)
--- a/Show More
+++ b/Show More