chore(changelog): update with latest changes (#9157)

Co-authored-by: César Arroba <19954079+cesararroba@users.noreply.github.com>
Co-authored-by: César Arroba <cesar@prowler.com>

.env

@@ -35,6 +35,8 @@ POSTGRES_DB=prowler_db
 # POSTGRES_REPLICA_USER=prowler
 # POSTGRES_REPLICA_PASSWORD=postgres
 # POSTGRES_REPLICA_DB=prowler_db
+# POSTGRES_REPLICA_MAX_ATTEMPTS=3
+# POSTGRES_REPLICA_RETRY_BASE_DELAY=0.5
 
 # Celery-Prowler task settings
 TASK_RETRY_DELAY_SECONDS=0.1

.github/actions/setup-python-poetry/action.yml

@@ -22,8 +22,8 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Replace @master with current branch in pyproject.toml
-      if: github.event_name == 'pull_request' && github.base_ref == 'master'
+    - name: Replace @master with current branch in pyproject.toml (prowler repo only)
+      if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: |
@@ -37,8 +37,8 @@ runs:
         python -m pip install --upgrade pip
         pipx install poetry==${{ inputs.poetry-version }}
 
-    - name: Update SDK resolved_reference to latest commit
-      if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    - name: Update poetry.lock with latest Prowler commit
+      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: |
@@ -50,7 +50,21 @@ runs:
         echo "Updated resolved_reference:"
         grep -A2 -B2 "resolved_reference" poetry.lock
 
-    - name: Update poetry.lock
+    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
+      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
+        echo "Latest commit hash: $LATEST_COMMIT"
+        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+        }' poetry.lock
+        echo "Updated resolved_reference:"
+        grep -A2 -B2 "resolved_reference" poetry.lock
+
+    - name: Update poetry.lock (prowler repo only)
+      if: github.repository == 'prowler-cloud/prowler'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: poetry lock
@@ -69,3 +83,11 @@ runs:
       run: |
         poetry install --no-root
         poetry run pip list
+
+    - name: Update Prowler Cloud API Client
+      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        poetry remove prowler-cloud-api-client
+        poetry add ./prowler-cloud-api-client

.github/actions/trivy-scan/action.yml

@@ -45,22 +45,13 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - name: Run Trivy vulnerability scan (SARIF)
-      if: inputs.upload-sarif == 'true'
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+    - name: Cache Trivy vulnerability database
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
-        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-        severity: 'CRITICAL,HIGH'
-        exit-code: '0'
-
-    - name: Upload Trivy results to GitHub Security tab
-      if: inputs.upload-sarif == 'true'
-      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
-      with:
-        sarif_file: 'trivy-results.sarif'
-        category: 'trivy-container'
+        path: ~/.cache/trivy
+        key: trivy-db-${{ runner.os }}-${{ github.run_id }}
+        restore-keys: |
+          trivy-db-${{ runner.os }}-
 
     - name: Run Trivy vulnerability scan (JSON)
       uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
@@ -70,6 +61,27 @@ runs:
         output: 'trivy-report.json'
         severity: ${{ inputs.severity }}
         exit-code: '0'
+        scanners: 'vuln'
+        timeout: '5m'
+
+    - name: Run Trivy vulnerability scan (SARIF)
+      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      with:
+        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '0'
+        scanners: 'vuln'
+        timeout: '5m'
+
+    - name: Upload Trivy results to GitHub Security tab
+      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+      with:
+        sarif_file: 'trivy-results.sarif'
+        category: 'trivy-container'
 
     - name: Upload Trivy report artifact
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -109,20 +121,20 @@ runs:
       with:
         script: |
           const comment = require('./.github/scripts/trivy-pr-comment.js');
-          
+
           // Unique identifier to find our comment
           const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
           const body = marker + '\n' + comment;
-          
+
           // Find existing comment
           const { data: comments } = await github.rest.issues.listComments({
             owner: context.repo.owner,
             repo: context.repo.repo,
             issue_number: context.issue.number,
           });
-          
+
           const existingComment = comments.find(c => c.body?.includes(marker));
-          
+
           if (existingComment) {
             // Update existing comment
             await github.rest.issues.updateComment({

.github/workflows/api-code-quality.yml

@@ -0,0 +1,71 @@
+name: 'API: Code Quality'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  API_WORKING_DIR: ./api
+
+jobs:
+  api-code-quality:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for API changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            api/**
+            .github/workflows/api-code-quality.yml
+          files_ignore: |
+            api/docs/**
+            api/README.md
+            api/CHANGELOG.md
+
+      - name: Setup Python with Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Poetry check
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry check --lock
+
+      - name: Ruff lint
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run ruff check . --exclude contrib
+
+      - name: Ruff format
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run ruff format --check . --exclude contrib
+
+      - name: Pylint
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/

.github/workflows/api-codeql.yml

@@ -25,7 +25,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  analyze:
+  api-analyze:
     name: CodeQL Security Analysis
     runs-on: ubuntu-latest
     timeout-minutes: 30

.github/workflows/api-container-checks.yml

@@ -0,0 +1,89 @@
+name: 'API: Container Checks'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  API_WORKING_DIR: ./api
+  IMAGE_NAME: prowler-api
+
+jobs:
+  api-dockerfile-lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check if Dockerfile changed
+        id: dockerfile-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: api/Dockerfile
+
+      - name: Lint Dockerfile with Hadolint
+        if: steps.dockerfile-changed.outputs.any_changed == 'true'
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: api/Dockerfile
+          ignore: DL3013
+
+  api-container-build-and-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for API changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: api/**
+          files_ignore: |
+            api/docs/**
+            api/README.md
+            api/CHANGELOG.md
+
+      - name: Set up Docker Buildx
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build container
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.API_WORKING_DIR }}
+          push: false
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/trivy-scan
+        with:
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tag: ${{ github.sha }}
+          fail-on-critical: 'false'
+          severity: 'CRITICAL'

.github/workflows/api-pull-request.yml

@@ -1,228 +0,0 @@
-name: 'API: Pull Request'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/workflows/api-pull-request.yml'
-      - 'api/**'
-      - '!api/docs/**'
-      - '!api/README.md'
-      - '!api/CHANGELOG.md'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/workflows/api-pull-request.yml'
-      - 'api/**'
-      - '!api/docs/**'
-      - '!api/README.md'
-      - '!api/CHANGELOG.md'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  POSTGRES_HOST: localhost
-  POSTGRES_PORT: 5432
-  POSTGRES_ADMIN_USER: prowler
-  POSTGRES_ADMIN_PASSWORD: S3cret
-  POSTGRES_USER: prowler_user
-  POSTGRES_PASSWORD: prowler
-  POSTGRES_DB: postgres-db
-  VALKEY_HOST: localhost
-  VALKEY_PORT: 6379
-  VALKEY_DB: 0
-  API_WORKING_DIR: ./api
-  IMAGE_NAME: prowler-api
-
-jobs:
-  code-quality:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Poetry check
-        run: poetry check --lock
-
-      - name: Ruff lint
-        run: poetry run ruff check . --exclude contrib
-
-      - name: Ruff format
-        run: poetry run ruff format --check . --exclude contrib
-
-      - name: Pylint
-        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
-
-  security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Bandit
-        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
-
-      - name: Safety
-        # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
-        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
-        run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745
-
-      - name: Vulture
-        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
-
-  tests:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
-          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
-          POSTGRES_USER: ${{ env.POSTGRES_USER }}
-          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
-          POSTGRES_DB: ${{ env.POSTGRES_DB }}
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-      valkey:
-        image: valkey/valkey:7-alpine3.19
-        env:
-          VALKEY_HOST: ${{ env.VALKEY_HOST }}
-          VALKEY_PORT: ${{ env.VALKEY_PORT }}
-          VALKEY_DB: ${{ env.VALKEY_DB }}
-        ports:
-          - 6379:6379
-        options: >-
-          --health-cmd "valkey-cli ping"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Setup Python with Poetry
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Run tests with pytest
-        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
-
-      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: api
-
-  dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Lint Dockerfile with Hadolint
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: api/Dockerfile
-          ignore: DL3013
-
-  container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build container
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.API_WORKING_DIR }}
-          push: false
-          load: true
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan container with Trivy
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'

.github/workflows/api-security.yml

@@ -0,0 +1,69 @@
+name: 'API: Security'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  API_WORKING_DIR: ./api
+
+jobs:
+  api-security-scans:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for API changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            api/**
+            .github/workflows/api-security.yml
+          files_ignore: |
+            api/docs/**
+            api/README.md
+            api/CHANGELOG.md
+
+      - name: Setup Python with Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Bandit
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
+
+      - name: Safety
+        if: steps.check-changes.outputs.any_changed == 'true'
+        # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745
+
+      - name: Vulture
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .

.github/workflows/api-tests.yml

@@ -0,0 +1,107 @@
+name: 'API: Tests'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  POSTGRES_HOST: localhost
+  POSTGRES_PORT: 5432
+  POSTGRES_ADMIN_USER: prowler
+  POSTGRES_ADMIN_PASSWORD: S3cret
+  POSTGRES_USER: prowler_user
+  POSTGRES_PASSWORD: prowler
+  POSTGRES_DB: postgres-db
+  VALKEY_HOST: localhost
+  VALKEY_PORT: 6379
+  VALKEY_DB: 0
+  API_WORKING_DIR: ./api
+
+jobs:
+  api-tests:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
+          POSTGRES_USER: ${{ env.POSTGRES_USER }}
+          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
+          POSTGRES_DB: ${{ env.POSTGRES_DB }}
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+      valkey:
+        image: valkey/valkey:7-alpine3.19
+        env:
+          VALKEY_HOST: ${{ env.VALKEY_HOST }}
+          VALKEY_PORT: ${{ env.VALKEY_PORT }}
+          VALKEY_DB: ${{ env.VALKEY_DB }}
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "valkey-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for API changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            api/**
+            .github/workflows/api-tests.yml
+          files_ignore: |
+            api/docs/**
+            api/README.md
+            api/CHANGELOG.md
+
+      - name: Setup Python with Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Run tests with pytest
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
+
+      - name: Upload coverage reports to Codecov
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: api

.github/workflows/mcp-container-checks.yml

@@ -0,0 +1,87 @@
+name: 'MCP: Container Checks'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  MCP_WORKING_DIR: ./mcp_server
+  IMAGE_NAME: prowler-mcp
+
+jobs:
+  mcp-dockerfile-lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check if Dockerfile changed
+        id: dockerfile-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: mcp_server/Dockerfile
+
+      - name: Lint Dockerfile with Hadolint
+        if: steps.dockerfile-changed.outputs.any_changed == 'true'
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: mcp_server/Dockerfile
+
+  mcp-container-build-and-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for MCP changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: mcp_server/**
+          files_ignore: |
+            mcp_server/README.md
+            mcp_server/CHANGELOG.md
+
+      - name: Set up Docker Buildx
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build MCP container
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.MCP_WORKING_DIR }}
+          push: false
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan MCP container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/trivy-scan
+        with:
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tag: ${{ github.sha }}
+          fail-on-critical: 'false'
+          severity: 'CRITICAL'

.github/workflows/sdk-code-quality.yml

@@ -0,0 +1,90 @@
+name: 'SDK: Code Quality'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sdk-code-quality:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for SDK changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            prowler/CHANGELOG.md
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            dashboard/**
+            mcp_server/**
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+            contrib/**
+
+      - name: Install Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
+
+      - name: Check Poetry lock file
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry check --lock
+
+      - name: Lint with flake8
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api
+
+      - name: Check format with black
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run black --exclude api ui --check .
+
+      - name: Lint with pylint
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/

.github/workflows/sdk-codeql.yml

@@ -36,8 +36,9 @@ on:
     - cron: '00 12 * * *'
 
 jobs:
-  analyze:
-    name: Analyze
+  sdk-analyze:
+    if: github.repository == 'prowler-cloud/prowler'
+    name: CodeQL Security Analysis
     runs-on: ubuntu-latest
     permissions:
       actions: read

.github/workflows/sdk-container-checks.yml

@@ -0,0 +1,103 @@
+name: 'SDK: Container Checks'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  IMAGE_NAME: prowler
+
+jobs:
+  sdk-dockerfile-lint:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check if Dockerfile changed
+        id: dockerfile-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: Dockerfile
+
+      - name: Lint Dockerfile with Hadolint
+        if: steps.dockerfile-changed.outputs.any_changed == 'true'
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: Dockerfile
+          ignore: DL3013
+
+  sdk-container-build-and-scan:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for SDK changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            prowler/CHANGELOG.md
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            dashboard/**
+            mcp_server/**
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+            contrib/**
+
+      - name: Set up Docker Buildx
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build SDK container
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan SDK container with Trivy
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/trivy-scan
+        with:
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tag: ${{ github.sha }}
+          fail-on-critical: 'false'
+          severity: 'CRITICAL'

.github/workflows/sdk-pull-request.yml

@@ -1,286 +0,0 @@
-name: SDK - Pull Request
-
-on:
-  push:
-    branches:
-      - "master"
-      - "v3"
-      - "v4.*"
-      - "v5.*"
-  pull_request:
-    branches:
-      - "master"
-      - "v3"
-      - "v4.*"
-      - "v5.*"
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12"]
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Test if changes are in not ignored paths
-        id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            prowler/CHANGELOG.md
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-
-      - name: Install poetry
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          python -m pip install --upgrade pip
-          pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: "poetry"
-
-      - name: Install dependencies
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry install --no-root
-          poetry run pip list
-          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
-            grep '"tag_name":' | \
-            sed -E 's/.*"v([^"]+)".*/\1/' \
-            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
-            && chmod +x /tmp/hadolint
-
-      - name: Poetry check
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry check --lock
-
-      - name: Lint with flake8
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api
-
-      - name: Checking format with black
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run black --exclude api ui --check .
-
-      - name: Lint with pylint
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
-
-      - name: Bandit
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
-
-      - name: Safety
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run safety check --ignore 70612 -r pyproject.toml
-
-      - name: Vulture
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
-
-      - name: Dockerfile - Check if Dockerfile has changed
-        id: dockerfile-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            Dockerfile
-
-      - name: Hadolint
-        if: steps.dockerfile-changed-files.outputs.any_changed == 'true'
-        run: |
-          /tmp/hadolint Dockerfile --ignore=DL3013
-
-      # Test AWS
-      - name: AWS - Check if any file has changed
-        id: aws-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/aws/**
-            ./tests/providers/aws/**
-            ./poetry.lock
-
-      - name: AWS - Test
-        if: steps.aws-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-
-      # Test Azure
-      - name: Azure - Check if any file has changed
-        id: azure-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/azure/**
-            ./tests/providers/azure/**
-            ./poetry.lock
-
-      - name: Azure - Test
-        if: steps.azure-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
-
-      # Test GCP
-      - name: GCP - Check if any file has changed
-        id: gcp-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/gcp/**
-            ./tests/providers/gcp/**
-            ./poetry.lock
-
-      - name: GCP - Test
-        if: steps.gcp-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
-
-      # Test Kubernetes
-      - name: Kubernetes - Check if any file has changed
-        id: kubernetes-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/kubernetes/**
-            ./tests/providers/kubernetes/**
-            ./poetry.lock
-
-      - name: Kubernetes - Test
-        if: steps.kubernetes-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
-
-      # Test GitHub
-      - name: GitHub - Check if any file has changed
-        id: github-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/github/**
-            ./tests/providers/github/**
-            ./poetry.lock
-
-      - name: GitHub - Test
-        if: steps.github-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
-
-      # Test NHN
-      - name: NHN - Check if any file has changed
-        id: nhn-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/nhn/**
-            ./tests/providers/nhn/**
-            ./poetry.lock
-
-      - name: NHN - Test
-        if: steps.nhn-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
-
-      # Test M365
-      - name: M365 - Check if any file has changed
-        id: m365-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/m365/**
-            ./tests/providers/m365/**
-            ./poetry.lock
-
-      - name: M365 - Test
-        if: steps.m365-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
-
-      # Test IaC
-      - name: IaC - Check if any file has changed
-        id: iac-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/iac/**
-            ./tests/providers/iac/**
-            ./poetry.lock
-
-      - name: IaC - Test
-        if: steps.iac-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
-
-      # Test MongoDB Atlas
-      - name: MongoDB Atlas - Check if any file has changed
-        id: mongodb-atlas-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/mongodbatlas/**
-            ./tests/providers/mongodbatlas/**
-            .poetry.lock
-
-      - name: MongoDB Atlas - Test
-        if: steps.mongodb-atlas-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodb_atlas_coverage.xml tests/providers/mongodbatlas
-
-      # Test OCI
-      - name: OCI - Check if any file has changed
-        id: oci-changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        with:
-          files: |
-            ./prowler/providers/oraclecloud/**
-            ./tests/providers/oraclecloud/**
-            ./poetry.lock
-
-      - name: OCI - Test
-        if: steps.oci-changed-files.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oci_coverage.xml tests/providers/oraclecloud
-
-      # Common Tests
-      - name: Lib - Test
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
-
-      - name: Config - Test
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        run: |
-          poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
-
-      # Codecov
-      - name: Upload coverage reports to Codecov
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler
-          files: ./aws_coverage.xml,./azure_coverage.xml,./gcp_coverage.xml,./kubernetes_coverage.xml,./github_coverage.xml,./nhn_coverage.xml,./m365_coverage.xml,./oci_coverage.xml,./lib_coverage.xml,./config_coverage.xml

.github/workflows/sdk-security.yml

@@ -0,0 +1,77 @@
+name: 'SDK: Security'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sdk-security-scans:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for SDK changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            prowler/CHANGELOG.md
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            dashboard/**
+            mcp_server/**
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+            contrib/**
+
+      - name: Install Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python 3.12
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.12'
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
+
+      - name: Security scan with Bandit
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
+
+      - name: Security scan with Safety
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run safety check --ignore 70612 -r pyproject.toml
+
+      - name: Dead code detection with Vulture
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .

.github/workflows/sdk-tests.yml

@@ -0,0 +1,360 @@
+name: 'SDK: Tests'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sdk-tests:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for SDK changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            prowler/CHANGELOG.md
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            dashboard/**
+            mcp_server/**
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+            contrib/**
+
+      - name: Install Poetry
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root
+
+      # AWS Provider
+      - name: Check if AWS files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-aws
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/aws/**
+            ./tests/**/aws/**
+            ./poetry.lock
+
+      - name: Run AWS tests
+        if: steps.changed-aws.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+
+      - name: Upload AWS coverage to Codecov
+        if: steps.changed-aws.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-aws
+          files: ./aws_coverage.xml
+
+      # Azure Provider
+      - name: Check if Azure files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-azure
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/azure/**
+            ./tests/**/azure/**
+            ./poetry.lock
+
+      - name: Run Azure tests
+        if: steps.changed-azure.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
+
+      - name: Upload Azure coverage to Codecov
+        if: steps.changed-azure.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-azure
+          files: ./azure_coverage.xml
+
+      # GCP Provider
+      - name: Check if GCP files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-gcp
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/gcp/**
+            ./tests/**/gcp/**
+            ./poetry.lock
+
+      - name: Run GCP tests
+        if: steps.changed-gcp.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
+
+      - name: Upload GCP coverage to Codecov
+        if: steps.changed-gcp.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-gcp
+          files: ./gcp_coverage.xml
+
+      # Kubernetes Provider
+      - name: Check if Kubernetes files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-kubernetes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/kubernetes/**
+            ./tests/**/kubernetes/**
+            ./poetry.lock
+
+      - name: Run Kubernetes tests
+        if: steps.changed-kubernetes.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
+
+      - name: Upload Kubernetes coverage to Codecov
+        if: steps.changed-kubernetes.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-kubernetes
+          files: ./kubernetes_coverage.xml
+
+      # GitHub Provider
+      - name: Check if GitHub files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-github
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/github/**
+            ./tests/**/github/**
+            ./poetry.lock
+
+      - name: Run GitHub tests
+        if: steps.changed-github.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
+
+      - name: Upload GitHub coverage to Codecov
+        if: steps.changed-github.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-github
+          files: ./github_coverage.xml
+
+      # NHN Provider
+      - name: Check if NHN files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-nhn
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/nhn/**
+            ./tests/**/nhn/**
+            ./poetry.lock
+
+      - name: Run NHN tests
+        if: steps.changed-nhn.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
+
+      - name: Upload NHN coverage to Codecov
+        if: steps.changed-nhn.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-nhn
+          files: ./nhn_coverage.xml
+
+      # M365 Provider
+      - name: Check if M365 files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-m365
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/m365/**
+            ./tests/**/m365/**
+            ./poetry.lock
+
+      - name: Run M365 tests
+        if: steps.changed-m365.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
+
+      - name: Upload M365 coverage to Codecov
+        if: steps.changed-m365.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-m365
+          files: ./m365_coverage.xml
+
+      # IaC Provider
+      - name: Check if IaC files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-iac
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/iac/**
+            ./tests/**/iac/**
+            ./poetry.lock
+
+      - name: Run IaC tests
+        if: steps.changed-iac.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
+
+      - name: Upload IaC coverage to Codecov
+        if: steps.changed-iac.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-iac
+          files: ./iac_coverage.xml
+
+      # MongoDB Atlas Provider
+      - name: Check if MongoDB Atlas files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-mongodbatlas
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/mongodbatlas/**
+            ./tests/**/mongodbatlas/**
+            ./poetry.lock
+
+      - name: Run MongoDB Atlas tests
+        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas
+
+      - name: Upload MongoDB Atlas coverage to Codecov
+        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-mongodbatlas
+          files: ./mongodbatlas_coverage.xml
+
+      # OCI Provider
+      - name: Check if OCI files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-oraclecloud
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/**/oraclecloud/**
+            ./tests/**/oraclecloud/**
+            ./poetry.lock
+
+      - name: Run OCI tests
+        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud
+
+      - name: Upload OCI coverage to Codecov
+        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-oraclecloud
+          files: ./oraclecloud_coverage.xml
+
+      # Lib
+      - name: Check if Lib files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-lib
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/lib/**
+            ./tests/lib/**
+            ./poetry.lock
+
+      - name: Run Lib tests
+        if: steps.changed-lib.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
+
+      - name: Upload Lib coverage to Codecov
+        if: steps.changed-lib.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-lib
+          files: ./lib_coverage.xml
+
+      # Config
+      - name: Check if Config files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-config
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/config/**
+            ./tests/config/**
+            ./poetry.lock
+
+      - name: Run Config tests
+        if: steps.changed-config.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
+
+      - name: Upload Config coverage to Codecov
+        if: steps.changed-config.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-config
+          files: ./config_coverage.xml

.github/workflows/ui-codeql.yml

@@ -28,8 +28,9 @@ on:
     - cron: "00 12 * * *"
 
 jobs:
-  analyze:
-    name: Analyze
+  ui-analyze:
+    if: github.repository == 'prowler-cloud/prowler'
+    name: CodeQL Security Analysis
     runs-on: ubuntu-latest
     permissions:
       actions: read

.github/workflows/ui-container-checks.yml

@@ -0,0 +1,91 @@
+name: 'UI: Container Checks'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  UI_WORKING_DIR: ./ui
+  IMAGE_NAME: prowler-ui
+
+jobs:
+  ui-dockerfile-lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check if Dockerfile changed
+        id: dockerfile-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ui/Dockerfile
+
+      - name: Lint Dockerfile with Hadolint
+        if: steps.dockerfile-changed.outputs.any_changed == 'true'
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: ui/Dockerfile
+          ignore: DL3018
+
+  ui-container-build-and-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for UI changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ui/**
+          files_ignore: |
+            ui/CHANGELOG.md
+            ui/README.md
+
+      - name: Set up Docker Buildx
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build UI container
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.UI_WORKING_DIR }}
+          target: prod
+          push: false
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
+
+      - name: Scan UI container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/trivy-scan
+        with:
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tag: ${{ github.sha }}
+          fail-on-critical: 'false'
+          severity: 'CRITICAL'

.github/workflows/ui-pull-request.yml

@@ -1,65 +0,0 @@
-name: UI - Pull Request
-
-on:
-  push:
-    branches:
-      - "master"
-      - "v5.*"
-    paths:
-      - ".github/workflows/ui-pull-request.yml"
-      - "ui/**"
-  pull_request:
-    branches:
-      - master
-      - "v5.*"
-    paths:
-      - 'ui/**'
-env:
-  UI_WORKING_DIR: ./ui
-  IMAGE_NAME: prowler-ui
-
-jobs:
-  test-and-coverage:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-        node-version: [20.x]
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: './ui/package-lock.json'
-      - name: Install dependencies
-        working-directory: ./ui
-        run: npm ci
-      - name: Run Healthcheck
-        working-directory: ./ui
-        run: npm run healthcheck
-      - name: Build the application
-        working-directory: ./ui
-        run: npm run build
-
-  test-container-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      - name: Build Container
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.UI_WORKING_DIR }}
-          # Always build using `prod` target
-          target: prod
-          push: false
-          tags: ${{ env.IMAGE_NAME }}:latest
-          outputs: type=docker
-          build-args: |
-            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

.github/workflows/ui-tests.yml

@@ -0,0 +1,64 @@
+name: 'UI: Tests'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  UI_WORKING_DIR: ./ui
+  NODE_VERSION: '20.x'
+
+jobs:
+  ui-tests:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: ./ui
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Check for UI changes
+        id: check-changes
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ui/**
+            .github/workflows/ui-tests.yml
+          files_ignore: |
+            ui/CHANGELOG.md
+            ui/README.md
+
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: npm ci
+
+      - name: Run healthcheck
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: npm run healthcheck
+
+      - name: Build application
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: npm run build

api/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
+## [1.14.1] (Prowler 5.13.1)
+
+### Fixed
+- `/api/v1/overviews/providers` collapses data by provider type so the UI receives a single aggregated record per cloud family even when multiple accounts exist [(#9053)](https://github.com/prowler-cloud/prowler/pull/9053)
+- Added retry logic to database transactions to handle Aurora read replica connection failures during scale-down events [(#9064)](https://github.com/prowler-cloud/prowler/pull/9064)
+- Security Hub integrations stop failing when they read relationships via the replica by allowing replica relations and saving updates through the primary [(#9080)](https://github.com/prowler-cloud/prowler/pull/9080)
+
+---
+
 ## [1.14.0] (Prowler 5.13.0)
 
 ### Added

api/poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.2.0 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -1164,6 +1164,18 @@ files = [
     {file = "charset_normalizer-3.4.3.tar.gz", hash = "sha256:6fce4b8500244f6fcb71465d4a4930d132ba9ab8e71a7859e6a5d59851068d14"},
 ]
 
+[[package]]
+name = "circuitbreaker"
+version = "2.1.3"
+description = "Python Circuit Breaker pattern implementation"
+optional = false
+python-versions = "*"
+groups = ["main"]
+files = [
+    {file = "circuitbreaker-2.1.3-py3-none-any.whl", hash = "sha256:87ba6a3ed03fdc7032bc175561c2b04d52ade9d5faf94ca2b035fbdc5e6b1dd1"},
+    {file = "circuitbreaker-2.1.3.tar.gz", hash = "sha256:1a4baee510f7bea3c91b194dcce7c07805fe96c4423ed5594b75af438531d084"},
+]
+
 [[package]]
 name = "click"
 version = "8.2.1"
@@ -4046,6 +4058,29 @@ rsa = ["cryptography (>=3.0.0)"]
 signals = ["blinker (>=1.4.0)"]
 signedtoken = ["cryptography (>=3.0.0)", "pyjwt (>=2.0.0,<3)"]
 
+[[package]]
+name = "oci"
+version = "2.160.3"
+description = "Oracle Cloud Infrastructure Python SDK"
+optional = false
+python-versions = "*"
+groups = ["main"]
+files = [
+    {file = "oci-2.160.3-py3-none-any.whl", hash = "sha256:858bff3e697098bdda44833d2476bfb4632126f0182178e7dbde4dbd156d71f0"},
+    {file = "oci-2.160.3.tar.gz", hash = "sha256:57514889be3b713a8385d86e3ba8a33cf46e3563c2a7e29a93027fb30b8a2537"},
+]
+
+[package.dependencies]
+certifi = "*"
+circuitbreaker = {version = ">=1.3.1,<3.0.0", markers = "python_version >= \"3.7\""}
+cryptography = ">=3.2.1,<46.0.0"
+pyOpenSSL = ">=17.5.0,<25.0.0"
+python-dateutil = ">=2.5.3,<3.0.0"
+pytz = ">=2016.10"
+
+[package.extras]
+adk = ["docstring-parser (>=0.16) ; python_version >= \"3.10\" and python_version < \"4\"", "mcp (>=1.6.0) ; python_version >= \"3.10\" and python_version < \"4\"", "pydantic (>=2.10.6) ; python_version >= \"3.10\" and python_version < \"4\"", "rich (>=13.9.4) ; python_version >= \"3.10\" and python_version < \"4\""]
+
 [[package]]
 name = "openai"
 version = "1.101.0"
@@ -4634,6 +4669,7 @@ markdown = "3.9.0"
 microsoft-kiota-abstractions = "1.9.2"
 msgraph-sdk = "1.23.0"
 numpy = "2.0.2"
+oci = "2.160.3"
 pandas = "2.2.3"
 py-iam-expand = "0.1.0"
 py-ocsf-models = "0.5.0"
@@ -4650,8 +4686,8 @@ tzlocal = "5.3.1"
 [package.source]
 type = "git"
 url = "https://github.com/prowler-cloud/prowler.git"
-reference = "master"
-resolved_reference = "a52697bfdfee83d14a49c11dcbe96888b5cd767e"
+reference = "v5.13"
+resolved_reference = "b1856e42f0143a64e8cc26c7aa3c7643bd1083d3"
 
 [[package]]
 name = "psutil"
@@ -5136,6 +5172,25 @@ cffi = ">=1.4.1"
 docs = ["sphinx (>=1.6.5)", "sphinx-rtd-theme"]
 tests = ["hypothesis (>=3.27.0)", "pytest (>=3.2.1,!=3.3.0)"]
 
+[[package]]
+name = "pyopenssl"
+version = "24.3.0"
+description = "Python wrapper module around the OpenSSL library"
+optional = false
+python-versions = ">=3.7"
+groups = ["main"]
+files = [
+    {file = "pyOpenSSL-24.3.0-py3-none-any.whl", hash = "sha256:e474f5a473cd7f92221cc04976e48f4d11502804657a08a989fb3be5514c904a"},
+    {file = "pyopenssl-24.3.0.tar.gz", hash = "sha256:49f7a019577d834746bc55c5fce6ecbcec0f2b4ec5ce1cf43a9a173b8138bb36"},
+]
+
+[package.dependencies]
+cryptography = ">=41.0.5,<45"
+
+[package.extras]
+docs = ["sphinx (!=5.2.0,!=5.2.0.post0,!=7.2.5)", "sphinx_rtd_theme"]
+test = ["pretend", "pytest (>=3.0.1)", "pytest-rerunfailures"]
+
 [[package]]
 name = "pyparsing"
 version = "3.2.3"
@@ -6786,4 +6841,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "3c9164d668d37d6373eb5200bbe768232ead934d9312b9c68046b1df922789f3"
+content-hash = "8fcb616e55530e7940019d3da33e955b026b9105e1216a3c5f39b411c015b6d7"

api/pyproject.toml

@@ -24,7 +24,7 @@ dependencies = [
   "drf-spectacular-jsonapi==0.5.1",
   "gunicorn==23.0.0",
   "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.13",
   "psycopg2-binary==2.9.9",
   "pytest-celery[redis] (>=1.0.1,<2.0.0)",
   "sentry-sdk[django] (>=2.20.0,<3.0.0)",
@@ -43,7 +43,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.14.0"
+version = "1.14.1"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"

api/src/backend/api/db_router.py

@@ -48,8 +48,9 @@ class MainRouter:
         return db == self.admin_db
 
     def allow_relation(self, obj1, obj2, **hints):  # noqa: F841
-        # Allow relations if both objects are in either "default" or "admin" db connectors
-        if {obj1._state.db, obj2._state.db} <= {self.default_db, self.admin_db}:
+        # Allow relations when both objects originate from allowed connectors
+        allowed_dbs = {self.default_db, self.admin_db, self.replica_db}
+        if {obj1._state.db, obj2._state.db} <= allowed_dbs:
             return True
         return None
 

api/src/backend/api/db_utils.py

@@ -1,18 +1,35 @@
 import re
 import secrets
+import time
 import uuid
 from contextlib import contextmanager
 from datetime import datetime, timedelta, timezone
 
+from celery.utils.log import get_task_logger
+from config.env import env
 from django.conf import settings
 from django.contrib.auth.models import BaseUserManager
-from django.db import DEFAULT_DB_ALIAS, connection, connections, models, transaction
+from django.db import (
+    DEFAULT_DB_ALIAS,
+    OperationalError,
+    connection,
+    connections,
+    models,
+    transaction,
+)
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError
 
-from api.db_router import get_read_db_alias, reset_read_db_alias, set_read_db_alias
+from api.db_router import (
+    READ_REPLICA_ALIAS,
+    get_read_db_alias,
+    reset_read_db_alias,
+    set_read_db_alias,
+)
+
+logger = get_task_logger(__name__)
 
 DB_USER = settings.DATABASES["default"]["USER"] if not settings.TESTING else "test"
 DB_PASSWORD = (
@@ -28,6 +45,9 @@ TASK_RUNNER_DB_TABLE = "django_celery_results_taskresult"
 POSTGRES_TENANT_VAR = "api.tenant_id"
 POSTGRES_USER_VAR = "api.user_id"
 
+REPLICA_MAX_ATTEMPTS = env.int("POSTGRES_REPLICA_MAX_ATTEMPTS", default=3)
+REPLICA_RETRY_BASE_DELAY = env.float("POSTGRES_REPLICA_RETRY_BASE_DELAY", default=0.5)
+
 SET_CONFIG_QUERY = "SELECT set_config(%s, %s::text, TRUE);"
 
 
@@ -71,24 +91,51 @@ def rls_transaction(
     if db_alias not in connections:
         db_alias = DEFAULT_DB_ALIAS
 
-    router_token = None
-    try:
-        if db_alias != DEFAULT_DB_ALIAS:
-            router_token = set_read_db_alias(db_alias)
+    alias = db_alias
+    is_replica = READ_REPLICA_ALIAS and alias == READ_REPLICA_ALIAS
+    max_attempts = REPLICA_MAX_ATTEMPTS if is_replica else 1
 
-        with transaction.atomic(using=db_alias):
-            conn = connections[db_alias]
-            with conn.cursor() as cursor:
-                try:
-                    # just in case the value is a UUID object
-                    uuid.UUID(str(value))
-                except ValueError:
-                    raise ValidationError("Must be a valid UUID")
-                cursor.execute(SET_CONFIG_QUERY, [parameter, value])
-                yield cursor
-    finally:
-        if router_token is not None:
-            reset_read_db_alias(router_token)
+    for attempt in range(1, max_attempts + 1):
+        router_token = None
+
+        # On final attempt, fallback to primary
+        if attempt == max_attempts and is_replica:
+            logger.warning(
+                f"RLS transaction failed after {attempt - 1} attempts on replica, "
+                f"falling back to primary DB"
+            )
+            alias = DEFAULT_DB_ALIAS
+
+        conn = connections[alias]
+        try:
+            if alias != DEFAULT_DB_ALIAS:
+                router_token = set_read_db_alias(alias)
+
+            with transaction.atomic(using=alias):
+                with conn.cursor() as cursor:
+                    try:
+                        # just in case the value is a UUID object
+                        uuid.UUID(str(value))
+                    except ValueError:
+                        raise ValidationError("Must be a valid UUID")
+                    cursor.execute(SET_CONFIG_QUERY, [parameter, value])
+                    yield cursor
+            return
+        except OperationalError as e:
+            # If on primary or max attempts reached, raise
+            if not is_replica or attempt == max_attempts:
+                raise
+
+            # Retry with exponential backoff
+            delay = REPLICA_RETRY_BASE_DELAY * (2 ** (attempt - 1))
+            logger.info(
+                f"RLS transaction failed on replica (attempt {attempt}/{max_attempts}), "
+                f"retrying in {delay}s. Error: {e}"
+            )
+            time.sleep(delay)
+        finally:
+            if router_token is not None:
+                reset_read_db_alias(router_token)
 
 
 class CustomUserManager(BaseUserManager):

api/src/backend/api/specs/v1.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: Prowler API
-  version: 1.14.0
+  version: 1.14.1
   description: |-
     Prowler API specification.
 
@@ -7521,6 +7521,72 @@ paths:
         '404':
           description: The scan has no reports, or the report generation task has
             not started yet
+  /api/v1/scans/{id}/threatscore:
+    get:
+      operationId: scans_threatscore_retrieve
+      description: Download a specific threatscore report (e.g., 'prowler_threatscore_aws')
+        as a PDF file.
+      summary: Retrieve threatscore report
+      parameters:
+      - in: query
+        name: fields[scans]
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - name
+            - trigger
+            - state
+            - unique_resource_count
+            - progress
+            - duration
+            - provider
+            - task
+            - inserted_at
+            - started_at
+            - completed_at
+            - scheduled_at
+            - next_scan_at
+            - processor
+            - url
+        description: endpoint return only specific fields in the response on a per-type
+          basis by including a fields[TYPE] query parameter.
+        explode: false
+      - in: path
+        name: id
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this scan.
+        required: true
+      - in: query
+        name: include
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - provider
+        description: include query parameter to allow the client to customize which
+          related resources should be returned.
+        explode: false
+      tags:
+      - Scan
+      security:
+      - JWT or API Key: []
+      responses:
+        '200':
+          description: PDF file containing the threatscore report
+        '202':
+          description: The task is in progress
+        '401':
+          description: API key missing or user not Authenticated
+        '403':
+          description: There is a problem with credentials
+        '404':
+          description: The scan has no threatscore reports, or the threatscore report
+            generation task has not started yet
   /api/v1/schedules/daily:
     post:
       operationId: schedules_daily_create

api/src/backend/api/tests/integration/test_rls_transaction.py

@@ -0,0 +1,39 @@
+"""Tests for rls_transaction retry and fallback logic."""
+
+import pytest
+from django.db import DEFAULT_DB_ALIAS
+from rest_framework_json_api.serializers import ValidationError
+
+from api.db_utils import rls_transaction
+
+
+@pytest.mark.django_db
+class TestRLSTransaction:
+    """Simple integration tests for rls_transaction using real DB."""
+
+    @pytest.fixture
+    def tenant(self, tenants_fixture):
+        return tenants_fixture[0]
+
+    def test_success_on_primary(self, tenant):
+        """Basic: transaction succeeds on primary database."""
+        with rls_transaction(str(tenant.id), using=DEFAULT_DB_ALIAS) as cursor:
+            cursor.execute("SELECT 1")
+            result = cursor.fetchone()
+            assert result == (1,)
+
+    def test_invalid_uuid_raises_validation_error(self):
+        """Invalid UUID raises ValidationError before DB operations."""
+        with pytest.raises(ValidationError, match="Must be a valid UUID"):
+            with rls_transaction("not-a-uuid", using=DEFAULT_DB_ALIAS):
+                pass
+
+    def test_custom_parameter_name(self, tenant):
+        """Test custom RLS parameter name."""
+        custom_param = "api.custom_id"
+        with rls_transaction(
+            str(tenant.id), parameter=custom_param, using=DEFAULT_DB_ALIAS
+        ) as cursor:
+            cursor.execute("SELECT current_setting(%s, true)", [custom_param])
+            result = cursor.fetchone()
+            assert result == (str(tenant.id),)

api/src/backend/api/tests/test_db_utils.py

@@ -1,12 +1,15 @@
 from datetime import datetime, timezone
 from enum import Enum
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 
 import pytest
 from django.conf import settings
+from django.db import DEFAULT_DB_ALIAS, OperationalError
 from freezegun import freeze_time
+from rest_framework_json_api.serializers import ValidationError
 
 from api.db_utils import (
+    POSTGRES_TENANT_VAR,
     _should_create_index_on_partition,
     batch_delete,
     create_objects_in_batches,
@@ -14,11 +17,22 @@ from api.db_utils import (
     generate_api_key_prefix,
     generate_random_token,
     one_week_from_now,
+    rls_transaction,
     update_objects_in_batches,
 )
 from api.models import Provider
 
 
+@pytest.fixture
+def enable_read_replica():
+    """
+    Fixture to enable READ_REPLICA_ALIAS for tests that need replica functionality.
+    This avoids polluting the global test configuration.
+    """
+    with patch("api.db_utils.READ_REPLICA_ALIAS", "replica"):
+        yield "replica"
+
+
 class TestEnumToChoices:
     def test_enum_to_choices_simple(self):
         class Color(Enum):
@@ -339,3 +353,498 @@ class TestGenerateApiKeyPrefix:
             prefix = generate_api_key_prefix()
             random_part = prefix[3:]  # Strip 'pk_'
             assert all(char in allowed_chars for char in random_part)
+
+
+@pytest.mark.django_db
+class TestRlsTransaction:
+    def test_rls_transaction_valid_uuid_string(self, tenants_fixture):
+        """Test rls_transaction with valid UUID string."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with rls_transaction(tenant_id) as cursor:
+            assert cursor is not None
+            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
+            result = cursor.fetchone()
+            assert result[0] == tenant_id
+
+    def test_rls_transaction_valid_uuid_object(self, tenants_fixture):
+        """Test rls_transaction with UUID object."""
+        tenant = tenants_fixture[0]
+
+        with rls_transaction(tenant.id) as cursor:
+            assert cursor is not None
+            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
+            result = cursor.fetchone()
+            assert result[0] == str(tenant.id)
+
+    def test_rls_transaction_invalid_uuid_raises_validation_error(self):
+        """Test rls_transaction raises ValidationError for invalid UUID."""
+        invalid_uuid = "not-a-valid-uuid"
+
+        with pytest.raises(ValidationError, match="Must be a valid UUID"):
+            with rls_transaction(invalid_uuid):
+                pass
+
+    def test_rls_transaction_uses_default_database_when_no_alias(self, tenants_fixture):
+        """Test rls_transaction uses DEFAULT_DB_ALIAS when no alias specified."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=None):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic"):
+                    with rls_transaction(tenant_id):
+                        pass
+
+                mock_connections.__getitem__.assert_called_with(DEFAULT_DB_ALIAS)
+
+    def test_rls_transaction_uses_specified_alias(self, tenants_fixture):
+        """Test rls_transaction uses specified database alias via using parameter."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+        custom_alias = "custom_db"
+
+        with patch("api.db_utils.connections") as mock_connections:
+            mock_conn = MagicMock()
+            mock_cursor = MagicMock()
+            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+            mock_connections.__getitem__.return_value = mock_conn
+            mock_connections.__contains__.return_value = True
+
+            with patch("api.db_utils.transaction.atomic"):
+                with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
+                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
+                        mock_set_alias.return_value = "test_token"
+                        with rls_transaction(tenant_id, using=custom_alias):
+                            pass
+
+                        mock_connections.__getitem__.assert_called_with(custom_alias)
+                        mock_set_alias.assert_called_once_with(custom_alias)
+                        mock_reset_alias.assert_called_once_with("test_token")
+
+    def test_rls_transaction_uses_read_replica_from_router(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test rls_transaction uses read replica alias from router."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic"):
+                    with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
+                        with patch(
+                            "api.db_utils.reset_read_db_alias"
+                        ) as mock_reset_alias:
+                            mock_set_alias.return_value = "test_token"
+                            with rls_transaction(tenant_id):
+                                pass
+
+                            mock_connections.__getitem__.assert_called()
+                            mock_set_alias.assert_called_once()
+                            mock_reset_alias.assert_called_once()
+
+    def test_rls_transaction_fallback_to_default_when_alias_not_in_connections(
+        self, tenants_fixture
+    ):
+        """Test rls_transaction falls back to DEFAULT_DB_ALIAS when alias not in connections."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+        invalid_alias = "nonexistent_db"
+
+        with patch("api.db_utils.get_read_db_alias", return_value=invalid_alias):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+
+                def contains_check(alias):
+                    return alias == DEFAULT_DB_ALIAS
+
+                mock_connections.__contains__.side_effect = contains_check
+                mock_connections.__getitem__.return_value = mock_conn
+
+                with patch("api.db_utils.transaction.atomic"):
+                    with rls_transaction(tenant_id):
+                        pass
+
+                    mock_connections.__getitem__.assert_called_with(DEFAULT_DB_ALIAS)
+
+    def test_rls_transaction_successful_execution_on_replica_no_retries(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test successful execution on replica without retries."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic"):
+                    with patch("api.db_utils.set_read_db_alias", return_value="token"):
+                        with patch("api.db_utils.reset_read_db_alias"):
+                            with rls_transaction(tenant_id):
+                                pass
+
+                            assert mock_cursor.execute.call_count == 1
+
+    def test_rls_transaction_retry_with_exponential_backoff_on_operational_error(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test retry with exponential backoff on OperationalError on replica."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                call_count = 0
+
+                def atomic_side_effect(*args, **kwargs):
+                    nonlocal call_count
+                    call_count += 1
+                    if call_count < 3:
+                        raise OperationalError("Connection error")
+                    return MagicMock(
+                        __enter__=MagicMock(return_value=None),
+                        __exit__=MagicMock(return_value=False),
+                    )
+
+                with patch(
+                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
+                ):
+                    with patch("api.db_utils.time.sleep") as mock_sleep:
+                        with patch(
+                            "api.db_utils.set_read_db_alias", return_value="token"
+                        ):
+                            with patch("api.db_utils.reset_read_db_alias"):
+                                with patch("api.db_utils.logger") as mock_logger:
+                                    with rls_transaction(tenant_id):
+                                        pass
+
+                                    assert mock_sleep.call_count == 2
+                                    mock_sleep.assert_any_call(0.5)
+                                    mock_sleep.assert_any_call(1.0)
+                                    assert mock_logger.info.call_count == 2
+
+    def test_rls_transaction_max_three_attempts_for_replica(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test maximum 3 attempts for replica database."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic") as mock_atomic:
+                    mock_atomic.side_effect = OperationalError("Persistent error")
+
+                    with patch("api.db_utils.time.sleep"):
+                        with patch(
+                            "api.db_utils.set_read_db_alias", return_value="token"
+                        ):
+                            with patch("api.db_utils.reset_read_db_alias"):
+                                with pytest.raises(OperationalError):
+                                    with rls_transaction(tenant_id):
+                                        pass
+
+                                assert mock_atomic.call_count == 3
+
+    def test_rls_transaction_only_one_attempt_for_primary(self, tenants_fixture):
+        """Test only 1 attempt for primary database."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=None):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic") as mock_atomic:
+                    mock_atomic.side_effect = OperationalError("Primary error")
+
+                    with pytest.raises(OperationalError):
+                        with rls_transaction(tenant_id):
+                            pass
+
+                    assert mock_atomic.call_count == 1
+
+    def test_rls_transaction_fallback_to_primary_after_max_attempts(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test fallback to primary DB after max attempts on replica."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                call_count = 0
+
+                def atomic_side_effect(*args, **kwargs):
+                    nonlocal call_count
+                    call_count += 1
+                    if call_count < 3:
+                        raise OperationalError("Replica error")
+                    return MagicMock(
+                        __enter__=MagicMock(return_value=None),
+                        __exit__=MagicMock(return_value=False),
+                    )
+
+                with patch(
+                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
+                ):
+                    with patch("api.db_utils.time.sleep"):
+                        with patch(
+                            "api.db_utils.set_read_db_alias", return_value="token"
+                        ):
+                            with patch("api.db_utils.reset_read_db_alias"):
+                                with patch("api.db_utils.logger") as mock_logger:
+                                    with rls_transaction(tenant_id):
+                                        pass
+
+                                    mock_logger.warning.assert_called_once()
+                                    warning_msg = mock_logger.warning.call_args[0][0]
+                                    assert "falling back to primary DB" in warning_msg
+
+    def test_rls_transaction_logger_warning_on_fallback(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test logger warnings are emitted on fallback to primary."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                call_count = 0
+
+                def atomic_side_effect(*args, **kwargs):
+                    nonlocal call_count
+                    call_count += 1
+                    if call_count < 3:
+                        raise OperationalError("Replica error")
+                    return MagicMock(
+                        __enter__=MagicMock(return_value=None),
+                        __exit__=MagicMock(return_value=False),
+                    )
+
+                with patch(
+                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
+                ):
+                    with patch("api.db_utils.time.sleep"):
+                        with patch(
+                            "api.db_utils.set_read_db_alias", return_value="token"
+                        ):
+                            with patch("api.db_utils.reset_read_db_alias"):
+                                with patch("api.db_utils.logger") as mock_logger:
+                                    with rls_transaction(tenant_id):
+                                        pass
+
+                                    assert mock_logger.info.call_count == 2
+                                    assert mock_logger.warning.call_count == 1
+
+    def test_rls_transaction_operational_error_raised_immediately_on_primary(
+        self, tenants_fixture
+    ):
+        """Test OperationalError raised immediately on primary without retry."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=None):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic") as mock_atomic:
+                    mock_atomic.side_effect = OperationalError("Primary error")
+
+                    with patch("api.db_utils.time.sleep") as mock_sleep:
+                        with pytest.raises(OperationalError):
+                            with rls_transaction(tenant_id):
+                                pass
+
+                        mock_sleep.assert_not_called()
+
+    def test_rls_transaction_operational_error_raised_after_max_attempts(
+        self, tenants_fixture, enable_read_replica
+    ):
+        """Test OperationalError raised after max attempts on replica."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic") as mock_atomic:
+                    mock_atomic.side_effect = OperationalError(
+                        "Persistent replica error"
+                    )
+
+                    with patch("api.db_utils.time.sleep"):
+                        with patch(
+                            "api.db_utils.set_read_db_alias", return_value="token"
+                        ):
+                            with patch("api.db_utils.reset_read_db_alias"):
+                                with pytest.raises(OperationalError):
+                                    with rls_transaction(tenant_id):
+                                        pass
+
+    def test_rls_transaction_router_token_set_for_non_default_alias(
+        self, tenants_fixture
+    ):
+        """Test router token is set when using non-default alias."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+        custom_alias = "custom_db"
+
+        with patch("api.db_utils.connections") as mock_connections:
+            mock_conn = MagicMock()
+            mock_cursor = MagicMock()
+            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+            mock_connections.__getitem__.return_value = mock_conn
+            mock_connections.__contains__.return_value = True
+
+            with patch("api.db_utils.transaction.atomic"):
+                with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
+                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
+                        mock_set_alias.return_value = "test_token"
+                        with rls_transaction(tenant_id, using=custom_alias):
+                            pass
+
+                        mock_set_alias.assert_called_once_with(custom_alias)
+                        mock_reset_alias.assert_called_once_with("test_token")
+
+    def test_rls_transaction_router_token_reset_in_finally_block(self, tenants_fixture):
+        """Test router token is reset in finally block even on error."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+        custom_alias = "custom_db"
+
+        with patch("api.db_utils.connections") as mock_connections:
+            mock_conn = MagicMock()
+            mock_cursor = MagicMock()
+            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+            mock_connections.__getitem__.return_value = mock_conn
+            mock_connections.__contains__.return_value = True
+
+            with patch("api.db_utils.transaction.atomic") as mock_atomic:
+                mock_atomic.side_effect = Exception("Unexpected error")
+
+                with patch("api.db_utils.set_read_db_alias", return_value="test_token"):
+                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
+                        with pytest.raises(Exception):
+                            with rls_transaction(tenant_id, using=custom_alias):
+                                pass
+
+                        mock_reset_alias.assert_called_once_with("test_token")
+
+    def test_rls_transaction_router_token_not_set_for_default_alias(
+        self, tenants_fixture
+    ):
+        """Test router token is not set when using default alias."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with patch("api.db_utils.get_read_db_alias", return_value=None):
+            with patch("api.db_utils.connections") as mock_connections:
+                mock_conn = MagicMock()
+                mock_cursor = MagicMock()
+                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
+                mock_connections.__getitem__.return_value = mock_conn
+                mock_connections.__contains__.return_value = True
+
+                with patch("api.db_utils.transaction.atomic"):
+                    with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
+                        with patch(
+                            "api.db_utils.reset_read_db_alias"
+                        ) as mock_reset_alias:
+                            with rls_transaction(tenant_id):
+                                pass
+
+                            mock_set_alias.assert_not_called()
+                            mock_reset_alias.assert_not_called()
+
+    def test_rls_transaction_set_config_query_executed_with_correct_params(
+        self, tenants_fixture
+    ):
+        """Test SET_CONFIG_QUERY executed with correct parameters."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with rls_transaction(tenant_id) as cursor:
+            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
+            result = cursor.fetchone()
+            assert result[0] == tenant_id
+
+    def test_rls_transaction_custom_parameter(self, tenants_fixture):
+        """Test rls_transaction with custom parameter name."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+        custom_param = "api.user_id"
+
+        with rls_transaction(tenant_id, parameter=custom_param) as cursor:
+            cursor.execute("SELECT current_setting(%s)", [custom_param])
+            result = cursor.fetchone()
+            assert result[0] == tenant_id
+
+    def test_rls_transaction_cursor_yielded_correctly(self, tenants_fixture):
+        """Test cursor is yielded correctly."""
+        tenant = tenants_fixture[0]
+        tenant_id = str(tenant.id)
+
+        with rls_transaction(tenant_id) as cursor:
+            assert cursor is not None
+            cursor.execute("SELECT 1")
+            result = cursor.fetchone()
+            assert result[0] == 1

api/src/backend/api/tests/test_views.py

@@ -41,6 +41,7 @@ from api.models import (
     ProviderGroup,
     ProviderGroupMembership,
     ProviderSecret,
+    Resource,
     Role,
     RoleProviderGroupRelationship,
     SAMLConfiguration,
@@ -5781,8 +5782,62 @@ class TestOverviewViewSet:
         assert response.json()["data"][0]["attributes"]["findings"]["pass"] == 2
         assert response.json()["data"][0]["attributes"]["findings"]["fail"] == 1
         assert response.json()["data"][0]["attributes"]["findings"]["muted"] == 1
-        # Since we rely on completed scans, there are only 2 resources now
-        assert response.json()["data"][0]["attributes"]["resources"]["total"] == 2
+        # Aggregated resources include all AWS providers present in the tenant
+        assert response.json()["data"][0]["attributes"]["resources"]["total"] == 3
+
+    def test_overview_providers_aggregates_same_provider_type(
+        self,
+        authenticated_client,
+        scan_summaries_fixture,
+        resources_fixture,
+        providers_fixture,
+        tenants_fixture,
+    ):
+        tenant = tenants_fixture[0]
+        _provider1, provider2, *_ = providers_fixture
+
+        scan = Scan.objects.create(
+            name="overview scan aws account 2",
+            provider=provider2,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.COMPLETED,
+            tenant=tenant,
+        )
+
+        ScanSummary.objects.create(
+            tenant=tenant,
+            scan=scan,
+            check_id="check-aws-two",
+            service="service-extra",
+            severity="medium",
+            region="region-extra",
+            _pass=3,
+            fail=2,
+            muted=1,
+            total=6,
+        )
+
+        Resource.objects.create(
+            tenant_id=tenant.id,
+            provider=provider2,
+            uid="arn:aws:ec2:us-west-2:123456789013:instance/i-aggregation",
+            name="Aggregated Instance",
+            region="us-west-2",
+            service="ec2",
+            type="prowler-test",
+        )
+
+        response = authenticated_client.get(reverse("overview-providers"))
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]
+        assert len(data) == 1
+        attributes = data[0]["attributes"]
+
+        assert attributes["findings"]["total"] == 10
+        assert attributes["findings"]["pass"] == 5
+        assert attributes["findings"]["fail"] == 3
+        assert attributes["findings"]["muted"] == 2
+        assert attributes["resources"]["total"] == 4
 
     def test_overview_services_list_no_required_filters(
         self, authenticated_client, scan_summaries_fixture

api/src/backend/api/v1/views.py

@@ -307,7 +307,7 @@ class SchemaView(SpectacularAPIView):
 
     def get(self, request, *args, **kwargs):
         spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.14.0"
+        spectacular_settings.VERSION = "1.14.1"
         spectacular_settings.DESCRIPTION = (
             "Prowler API specification.\n\nThis file is auto-generated."
         )
@@ -3776,10 +3776,7 @@ class OverviewViewSet(BaseRLSViewSet):
 
         findings_aggregated = (
             queryset.filter(scan_id__in=latest_scan_ids)
-            .values(
-                "scan__provider_id",
-                provider=F("scan__provider__provider"),
-            )
+            .values(provider=F("scan__provider__provider"))
             .annotate(
                 findings_passed=Coalesce(Sum("_pass"), 0),
                 findings_failed=Coalesce(Sum("fail"), 0),
@@ -3788,13 +3785,16 @@ class OverviewViewSet(BaseRLSViewSet):
             )
         )
 
-        resources_aggregated = (
-            Resource.all_objects.filter(tenant_id=tenant_id)
-            .values("provider_id")
-            .annotate(total_resources=Count("id"))
-        )
+        resources_queryset = Resource.all_objects.filter(tenant_id=tenant_id)
+        if hasattr(self, "allowed_providers"):
+            resources_queryset = resources_queryset.filter(
+                provider__in=self.allowed_providers
+            )
+        resources_aggregated = resources_queryset.values(
+            provider_type=F("provider__provider")
+        ).annotate(total_resources=Count("id"))
         resource_map = {
-            row["provider_id"]: row["total_resources"] for row in resources_aggregated
+            row["provider_type"]: row["total_resources"] for row in resources_aggregated
         }
 
         overview = []
@@ -3802,7 +3802,7 @@ class OverviewViewSet(BaseRLSViewSet):
             overview.append(
                 {
                     "provider": row["provider"],
-                    "total_resources": resource_map.get(row["scan__provider_id"], 0),
+                    "total_resources": resource_map.get(row["provider"], 0),
                     "total_findings": row["total_findings"],
                     "findings_passed": row["findings_passed"],
                     "findings_failed": row["findings_failed"],

api/src/backend/tasks/jobs/integrations.py

@@ -5,7 +5,7 @@ from celery.utils.log import get_task_logger
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
 from tasks.utils import batched
 
-from api.db_router import READ_REPLICA_ALIAS
+from api.db_router import READ_REPLICA_ALIAS, MainRouter
 from api.db_utils import rls_transaction
 from api.models import Finding, Integration, Provider
 from api.utils import initialize_prowler_integration, initialize_prowler_provider
@@ -179,7 +179,7 @@ def get_security_hub_client_from_integration(
         if the connection was successful and the SecurityHub client or connection object.
     """
     # Get the provider associated with this integration
-    with rls_transaction(tenant_id):
+    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
         provider_relationship = integration.integrationproviderrelationship_set.first()
         if not provider_relationship:
             return Connection(
@@ -208,7 +208,7 @@ def get_security_hub_client_from_integration(
             regions_status[region] = region in connection.enabled_regions
 
         # Save regions information in the integration configuration
-        with rls_transaction(tenant_id):
+        with rls_transaction(tenant_id, using=MainRouter.default_db):
             integration.configuration["regions"] = regions_status
             integration.save()
 
@@ -223,7 +223,7 @@ def get_security_hub_client_from_integration(
         return True, security_hub
     else:
         # Reset regions information if connection fails
-        with rls_transaction(tenant_id):
+        with rls_transaction(tenant_id, using=MainRouter.default_db):
             integration.configuration["regions"] = {}
             integration.save()
 
@@ -334,8 +334,11 @@ def upload_security_hub_integration(
                                         f"Security Hub connection failed for integration {integration.id}: "
                                         f"{security_hub.error}"
                                     )
-                                    integration.connected = False
-                                    integration.save()
+                                    with rls_transaction(
+                                        tenant_id, using=MainRouter.default_db
+                                    ):
+                                        integration.connected = False
+                                        integration.save()
                                     break  # Skip this integration
 
                                 security_hub_client = security_hub

api/src/backend/tasks/tests/test_integrations.py

@@ -9,6 +9,7 @@ from tasks.jobs.integrations import (
     upload_security_hub_integration,
 )
 
+from api.db_router import READ_REPLICA_ALIAS, MainRouter
 from api.models import Integration
 from api.utils import prowler_integration_connection_test
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHubConnection
@@ -880,7 +881,8 @@ class TestSecurityHubIntegrationUploads:
         # Verify RLS transaction was used correctly
         # Should be called twice: once for getting provider info, once for resetting regions
         assert mock_rls.call_count == 2
-        mock_rls.assert_any_call(tenant_id)
+        mock_rls.assert_any_call(tenant_id, using=READ_REPLICA_ALIAS)
+        mock_rls.assert_any_call(tenant_id, using=MainRouter.default_db)
 
         # Verify test_connection was called with integration credentials (not provider's)
         mock_test_connection.assert_called_once_with(

prowler/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to the **Prowler SDK** are documented in this file.
 
+## [v5.13.1] (Prowler v5.13.1)
+
+### Fixed
+- Add `resource_name` for checks under `logging` for the GCP provider [(#9023)](https://github.com/prowler-cloud/prowler/pull/9023)
+- Fix `ec2_instance_with_outdated_ami` check to handle None AMIs [(#9046)](https://github.com/prowler-cloud/prowler/pull/9046)
+- Handle timestamp when transforming compliance findings in CCC [(#9042)](https://github.com/prowler-cloud/prowler/pull/9042)
+- Update `resource_id` for admincenter service and avoid unnecessary msgraph requests [(#9019)](https://github.com/prowler-cloud/prowler/pull/9019)
+
+---
+
 ## [v5.13.0] (Prowler v5.13.0)
 
 ### Added

prowler/config/config.py

@@ -12,7 +12,7 @@ from prowler.lib.logger import logger
 
 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "5.13.0"
+prowler_version = "5.13.1"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://prowler.com/wp-content/uploads/logo-html.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"

prowler/lib/outputs/compliance/ccc/ccc_aws.py

@@ -1,3 +1,4 @@
+from prowler.config.config import timestamp
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.ccc.models import CCC_AWSModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -44,7 +45,7 @@ class CCC_AWS(ComplianceOutput):
                             Description=compliance.Description,
                             AccountId=finding.account_uid,
                             Region=finding.region,
-                            AssessmentDate=str(finding.timestamp),
+                            AssessmentDate=str(timestamp),
                             Requirements_Id=requirement.Id,
                             Requirements_Description=requirement.Description,
                             Requirements_Attributes_FamilyName=attribute.FamilyName,
@@ -73,7 +74,7 @@ class CCC_AWS(ComplianceOutput):
                         Description=compliance.Description,
                         AccountId="",
                         Region="",
-                        AssessmentDate=str(finding.timestamp),
+                        AssessmentDate=str(timestamp),
                         Requirements_Id=requirement.Id,
                         Requirements_Description=requirement.Description,
                         Requirements_Attributes_FamilyName=attribute.FamilyName,

prowler/lib/outputs/compliance/ccc/ccc_azure.py

@@ -1,3 +1,4 @@
+from prowler.config.config import timestamp
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.ccc.models import CCC_AzureModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -44,7 +45,7 @@ class CCC_Azure(ComplianceOutput):
                             Description=compliance.Description,
                             SubscriptionId=finding.account_uid,
                             Location=finding.region,
-                            AssessmentDate=str(finding.timestamp),
+                            AssessmentDate=str(timestamp),
                             Requirements_Id=requirement.Id,
                             Requirements_Description=requirement.Description,
                             Requirements_Attributes_FamilyName=attribute.FamilyName,
@@ -73,7 +74,7 @@ class CCC_Azure(ComplianceOutput):
                         Description=compliance.Description,
                         SubscriptionId="",
                         Location="",
-                        AssessmentDate=str(finding.timestamp),
+                        AssessmentDate=str(timestamp),
                         Requirements_Id=requirement.Id,
                         Requirements_Description=requirement.Description,
                         Requirements_Attributes_FamilyName=attribute.FamilyName,

prowler/lib/outputs/compliance/ccc/ccc_gcp.py

@@ -1,3 +1,4 @@
+from prowler.config.config import timestamp
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.ccc.models import CCC_GCPModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -44,7 +45,7 @@ class CCC_GCP(ComplianceOutput):
                             Description=compliance.Description,
                             ProjectId=finding.account_uid,
                             Location=finding.region,
-                            AssessmentDate=str(finding.timestamp),
+                            AssessmentDate=str(timestamp),
                             Requirements_Id=requirement.Id,
                             Requirements_Description=requirement.Description,
                             Requirements_Attributes_FamilyName=attribute.FamilyName,
@@ -73,7 +74,7 @@ class CCC_GCP(ComplianceOutput):
                         Description=compliance.Description,
                         ProjectId="",
                         Location="",
-                        AssessmentDate=str(finding.timestamp),
+                        AssessmentDate=str(timestamp),
                         Requirements_Id=requirement.Id,
                         Requirements_Description=requirement.Description,
                         Requirements_Attributes_FamilyName=attribute.FamilyName,

prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.py

@@ -31,7 +31,7 @@ class ec2_instance_with_outdated_ami(Check):
                 (image for image in ec2_client.images if image.id == instance.image_id),
                 None,
             )
-            if ami.owner == "amazon":
+            if ami and ami.owner == "amazon":
                 report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
                 report.status = "PASS"
                 report.status_extended = (

prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py

@@ -14,35 +14,37 @@ class logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled(
                 'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
                 in metric.filter
             ):
+                metric_name = getattr(metric, "name", None) or "unknown"
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
                     resource=metric,
+                    resource_id=metric_name,
+                    project_id=metric.project_id,
                     location=logging_client.region,
-                    resource_name=metric.name if metric.name else "Log Metric Filter",
+                    resource_name=(
+                        metric_name if metric_name != "unknown" else "Log Metric Filter"
+                    ),
                 )
                 projects_with_metric.add(metric.project_id)
                 report.status = "FAIL"
-                report.status_extended = f"Log metric filter {metric.name} found but no alerts associated in project {metric.project_id}."
+                report.status_extended = f"Log metric filter {metric_name} found but no alerts associated in project {metric.project_id}."
                 for alert_policy in monitoring_client.alert_policies:
                     for filter in alert_policy.filters:
-                        if metric.name in filter:
+                        if metric_name in filter:
                             report.status = "PASS"
-                            report.status_extended = f"Log metric filter {metric.name} found with alert policy {alert_policy.display_name} associated in project {metric.project_id}."
+                            report.status_extended = f"Log metric filter {metric_name} found with alert policy {alert_policy.display_name} associated in project {metric.project_id}."
                             break
                 findings.append(report)
 
         for project in logging_client.project_ids:
             if project not in projects_with_metric:
+                project_obj = logging_client.projects.get(project)
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource=logging_client.projects[project],
+                    resource=project_obj,
                     project_id=project,
                     location=logging_client.region,
-                    resource_name=(
-                        logging_client.projects[project].name
-                        if logging_client.projects[project].name
-                        else "GCP Project"
-                    ),
+                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
                 )
                 report.status = "FAIL"
                 report.status_extended = f"There are no log metric filters or alerts associated in project {project}."

prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py

@@ -14,35 +14,38 @@ class logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled(
                 '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
                 in metric.filter
             ):
+                metric_name = getattr(metric, "name", None) or "unknown"
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
                     resource=metric,
+                    resource_id=metric_name,
+                    project_id=metric.project_id,
                     location=logging_client.region,
-                    resource_name=metric.name if metric.name else "Log Metric Filter",
+                    resource_name=(
+                        metric_name if metric_name != "unknown" else "Log Metric Filter"
+                    ),
                 )
                 projects_with_metric.add(metric.project_id)
                 report.status = "FAIL"
-                report.status_extended = f"Log metric filter {metric.name} found but no alerts associated in project {metric.project_id}."
+                report.status_extended = f"Log metric filter {metric_name} found but no alerts associated in project {metric.project_id}."
                 for alert_policy in monitoring_client.alert_policies:
                     for filter in alert_policy.filters:
-                        if metric.name in filter:
+                        if metric_name in filter:
                             report.status = "PASS"
-                            report.status_extended = f"Log metric filter {metric.name} found with alert policy {alert_policy.display_name} associated in project {metric.project_id}."
+                            report.status_extended = f"Log metric filter {metric_name} found with alert policy {alert_policy.display_name} associated in project {metric.project_id}."
                             break
                 findings.append(report)
 
         for project in logging_client.project_ids:
             if project not in projects_with_metric:
+                project_obj = logging_client.projects.get(project)
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource=logging_client.projects[project],
+                    resource=project_obj,
+                    resource_id=project,
                     project_id=project,
                     location=logging_client.region,
-                    resource_name=(
-                        logging_client.projects[project].name
-                        if logging_client.projects[project].name
-                        else "GCP Project"
-                    ),
+                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
                 )
                 report.status = "FAIL"
                 report.status_extended = f"There are no log metric filters or alerts associated in project {project}."

prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py

@@ -12,32 +12,32 @@ class logging_sink_created(Check):
 
         for project in logging_client.project_ids:
             if project not in projects_with_logging_sink.keys():
+                project_obj = logging_client.projects.get(project)
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource=logging_client.projects[project],
+                    resource=project_obj,
+                    resource_id=project,
                     project_id=project,
                     location=logging_client.region,
-                    resource_name=(
-                        logging_client.projects[project].name
-                        if logging_client.projects[project].name
-                        else "GCP Project"
-                    ),
+                    resource_name=(getattr(project_obj, "name", None) or "GCP Project"),
                 )
                 report.status = "FAIL"
                 report.status_extended = f"There are no logging sinks to export copies of all the log entries in project {project}."
                 findings.append(report)
             else:
+                sink = projects_with_logging_sink[project]
+                sink_name = getattr(sink, "name", None) or "unknown"
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource=projects_with_logging_sink[project],
+                    resource=sink,
+                    resource_id=sink_name,
+                    project_id=project,
                     location=logging_client.region,
                     resource_name=(
-                        projects_with_logging_sink[project].name
-                        if projects_with_logging_sink[project].name
-                        else "Logging Sink"
+                        sink_name if sink_name != "unknown" else "Logging Sink"
                     ),
                 )
                 report.status = "PASS"
-                report.status_extended = f"Sink {projects_with_logging_sink[project].name} is enabled exporting copies of all the log entries in project {project}."
+                report.status_extended = f"Sink {sink_name} is enabled exporting copies of all the log entries in project {project}."
                 findings.append(report)
         return findings

prowler/providers/m365/services/admincenter/admincenter_service.py

@@ -45,13 +45,13 @@ class AdminCenter(M365Service):
             asyncio.gather(
                 self._get_directory_roles(),
                 self._get_groups(),
-                self._get_domains(),
+                self._get_password_policy(),
             )
         )
 
         self.directory_roles = attributes[0]
         self.groups = attributes[1]
-        self.domains = attributes[2]
+        self.password_policy = attributes[2]
 
         if created_loop:
             asyncio.set_event_loop(None)
@@ -192,34 +192,31 @@ class AdminCenter(M365Service):
             )
         return groups
 
-    async def _get_domains(self):
-        logger.info("M365 - Getting domains...")
-        domains = {}
+    async def _get_password_policy(self):
+        logger.info("M365 - Getting password policy...")
+        password_policy = None
         try:
+            logger.info("M365 - Getting domains...")
             domains_list = await self.client.domains.get()
-            domains.update({})
-            for domain in domains_list.value:
-                if domain:
-                    password_validity_period = getattr(
-                        domain, "password_validity_period_in_days", None
-                    )
-                    if password_validity_period is None:
-                        password_validity_period = 0
+            for domain in getattr(domains_list, "value", []) or []:
+                if not domain:
+                    continue
+                password_validity_period = getattr(
+                    domain, "password_validity_period_in_days", None
+                )
+                if password_validity_period is None:
+                    password_validity_period = 0
 
-                    domains.update(
-                        {
-                            domain.id: Domain(
-                                id=domain.id,
-                                password_validity_period=password_validity_period,
-                            )
-                        }
-                    )
+                password_policy = PasswordPolicy(
+                    password_validity_period=password_validity_period,
+                )
+                break
 
         except Exception as error:
             logger.error(
                 f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
-        return domains
+        return password_policy
 
 
 class User(BaseModel):
@@ -242,8 +239,7 @@ class Group(BaseModel):
     visibility: Optional[str]
 
 
-class Domain(BaseModel):
-    id: str
+class PasswordPolicy(BaseModel):
     password_validity_period: int
 
 

prowler/providers/m365/services/admincenter/admincenter_settings_password_never_expire/admincenter_settings_password_never_expire.py

@@ -7,11 +7,11 @@ from prowler.providers.m365.services.admincenter.admincenter_client import (
 
 
 class admincenter_settings_password_never_expire(Check):
-    """Check if domains have a 'Password never expires' policy.
+    """Check if the tenant enforces a 'Password never expires' policy.
 
-    This check verifies whether the password policy for each domain is set to never expire.
-    If the domain password validity period is set to `2147483647`, the policy is considered to
-    have 'password never expires'.
+    This check verifies whether the tenant-wide password policy (surfaced through the first
+    domain returned by Microsoft 365) is set to never expire. If the password validity period
+    is set to `2147483647`, the policy is considered to have 'password never expires'.
 
     Attributes:
         metadata: Metadata associated with the check (inherited from Check).
@@ -20,30 +20,32 @@ class admincenter_settings_password_never_expire(Check):
     def execute(self) -> List[CheckReportM365]:
         """Execute the check for password never expires policy.
 
-        This method iterates over all domains and checks if the password validity period is set
-        to `2147483647`, indicating that passwords for users in the domain never expire.
+        This method inspects the tenant-level password validity configuration (exposed through
+        the first available domain) and checks if the password validity period is set to
+        `2147483647`, indicating that passwords for users in the domain never expire.
 
         Returns:
             List[CheckReportM365]: A list of reports indicating whether the domain's password
             policy is set to never expire.
         """
         findings = []
-        for domain in admincenter_client.domains.values():
+        password_policy = getattr(admincenter_client, "password_policy", None)
+        if password_policy:
             report = CheckReportM365(
                 self.metadata(),
-                resource=domain,
-                resource_name=domain.id,
-                resource_id=domain.id,
+                resource=password_policy,
+                resource_name="Password Policy",
+                resource_id="passwordPolicy",
             )
             report.status = "FAIL"
             report.status_extended = (
-                f"Domain {domain.id} does not have a Password never expires policy."
+                "Tenant Password policy does not have a Password never expires policy."
             )
 
-            if domain.password_validity_period == 2147483647:
+            if password_policy.password_validity_period == 2147483647:
                 report.status = "PASS"
                 report.status_extended = (
-                    f"Domain {domain.id} Password policy is set to never expire."
+                    "Tenant Password policy is set to never expire."
                 )
 
             findings.append(report)

prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py

@@ -36,7 +36,7 @@ class sharepoint_external_sharing_managed(Check):
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = "SharePoint external sharing is not managed through domain restrictions."

prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_restricted/sharepoint_external_sharing_restricted.py

@@ -32,7 +32,7 @@ class sharepoint_external_sharing_restricted(Check):
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = (

prowler/providers/m365/services/sharepoint/sharepoint_guest_sharing_restricted/sharepoint_guest_sharing_restricted.py

@@ -33,7 +33,7 @@ class sharepoint_guest_sharing_restricted(Check):
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "FAIL"
             report.status_extended = "Guest sharing is not restricted; guest users can share items they do not own."

prowler/providers/m365/services/sharepoint/sharepoint_modern_authentication_required/sharepoint_modern_authentication_required.py

@@ -35,7 +35,7 @@ class sharepoint_modern_authentication_required(Check):
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "PASS"
             report.status_extended = "Microsoft 365 SharePoint does not allow access to apps that don't use modern authentication."

prowler/providers/m365/services/sharepoint/sharepoint_onedrive_sync_restricted_unmanaged_devices/sharepoint_onedrive_sync_restricted_unmanaged_devices.py

@@ -34,7 +34,7 @@ class sharepoint_onedrive_sync_restricted_unmanaged_devices(Check):
                 self.metadata(),
                 resource=settings if settings else {},
                 resource_name="SharePoint Settings",
-                resource_id=sharepoint_client.tenant_domain,
+                resource_id="sharepointSettings",
             )
             report.status = "PASS"
             report.status_extended = "Microsoft 365 SharePoint does not allow OneDrive sync to unmanaged devices."

pyproject.toml

@@ -76,7 +76,7 @@ maintainers = [{name = "Prowler Engineering", email = "engineering@prowler.com"}
 name = "prowler"
 readme = "README.md"
 requires-python = ">3.9.1,<3.13"
-version = "5.13.0"
+version = "5.13.1"
 
 [project.scripts]
 prowler = "prowler.__main__:prowler"

tests/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami_test.py

@@ -103,6 +103,29 @@ def mock_make_api_call_outdated_ami(self, operation_name, kwarg):
     return make_api_call(self, operation_name, kwarg)
 
 
+def mock_make_api_call_missing_ami(self, operation_name, kwarg):
+    if operation_name == "DescribeInstances":
+        return {
+            "Reservations": [
+                {
+                    "Instances": [
+                        {
+                            "InstanceId": "i-0123456789abcdef0",
+                            "State": {"Name": "running"},
+                            "InstanceType": "t2.micro",
+                            "ImageId": "ami-missing",
+                            "LaunchTime": "2026-11-12T11:34:56.000Z",
+                            "PrivateDnsName": "ip-172-31-32-101.ec2.internal",
+                        }
+                    ]
+                }
+            ]
+        }
+    elif operation_name == "DescribeImages":
+        return {"Images": []}
+    return make_api_call(self, operation_name, kwarg)
+
+
 class Test_ec2_instance_with_outdated_ami:
     @mock_aws
     def test_ec2_no_instances(self):
@@ -219,3 +242,30 @@ class Test_ec2_instance_with_outdated_ami:
                 result[0].status_extended
                 == "EC2 Instance i-0123456789abcdef0 is using outdated AMI ami-87654321."
             )
+
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call", new=mock_make_api_call_missing_ami
+    )
+    def test_instance_missing_ami_details(self):
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.ec2.ec2_instance_with_outdated_ami.ec2_instance_with_outdated_ami.ec2_client",
+                new=EC2(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.ec2.ec2_instance_with_outdated_ami.ec2_instance_with_outdated_ami import (
+                ec2_instance_with_outdated_ami,
+            )
+
+            check = ec2_instance_with_outdated_ami()
+            result = check.execute()
+
+            assert result == []

tests/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled_test.py

@@ -259,3 +259,141 @@ class Test_logging_log_metric_filter_and_alert_for_bucket_permission_changes_ena
             assert result[0].resource_name == "metric_name"
             assert result[0].project_id == GCP_PROJECT_ID
             assert result[0].location == GCP_EU1_LOCATION
+
+    def test_log_metric_filters_with_none_name(self):
+        """Test that metric with None name uses fallback 'Log Metric Filter'"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled,
+            )
+
+            # Create a MagicMock metric object with name=None
+            metric = MagicMock()
+            metric.name = None
+            metric.filter = 'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
+            metric.project_id = GCP_PROJECT_ID
+
+            logging_client.metrics = [metric]
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "Log Metric Filter"
+            assert (
+                result[0].resource_id == "unknown"
+            )  # resource_id should never be None
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+            # When name is None, the 'or' pattern makes it use "unknown"
+            assert "unknown" in result[0].status_extended
+
+    def test_log_metric_filters_with_missing_name_attribute(self):
+        """Test that metric without name attribute uses fallback 'Log Metric Filter'"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled,
+            )
+
+            # Create a MagicMock metric object without name attribute
+            metric = MagicMock(spec=["filter", "project_id"])
+            metric.filter = 'resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
+            metric.project_id = GCP_PROJECT_ID
+
+            logging_client.metrics = [metric]
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "Log Metric Filter"
+            assert (
+                result[0].resource_id == "unknown"
+            )  # resource_id should never be None
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+
+    def test_project_not_in_projects_dict(self):
+        """Test that project not in projects dict uses None and fallback name"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled,
+            )
+
+            logging_client.metrics = []
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+            # Project is in project_ids but NOT in projects dict
+            logging_client.projects = {}
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "GCP Project"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION

tests/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled_test.py

@@ -259,3 +259,136 @@ class Test_logging_log_metric_filter_and_alert_for_project_ownership_changes_ena
             assert result[0].resource_name == "metric_name"
             assert result[0].project_id == GCP_PROJECT_ID
             assert result[0].location == GCP_EU1_LOCATION
+
+    def test_log_metric_filters_with_none_name(self):
+        """Test that metric with None name uses fallback 'Log Metric Filter'"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled,
+            )
+
+            # Create a MagicMock metric object with name=None
+            metric = MagicMock()
+            metric.name = None
+            metric.filter = '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
+            metric.project_id = GCP_PROJECT_ID
+
+            logging_client.metrics = [metric]
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "Log Metric Filter"
+            assert result[0].resource_id == "unknown"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+            assert "unknown" in result[0].status_extended
+
+    def test_log_metric_filters_with_missing_name_attribute(self):
+        """Test that metric without name attribute uses fallback 'Log Metric Filter'"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled,
+            )
+
+            # Create a MagicMock metric object without name attribute
+            metric = MagicMock(spec=["filter", "project_id"])
+            metric.filter = '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
+            metric.project_id = GCP_PROJECT_ID
+
+            logging_client.metrics = [metric]
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "Log Metric Filter"
+            assert result[0].resource_id == "unknown"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+
+    def test_project_not_in_projects_dict(self):
+        """Test that project not in projects dict uses None and fallback name"""
+        logging_client = MagicMock()
+        monitoring_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_client",
+                new=logging_client,
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.monitoring_client",
+                new=monitoring_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled import (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled,
+            )
+
+            logging_client.metrics = []
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+            # Project is in project_ids but NOT in projects dict
+            logging_client.projects = {}
+
+            monitoring_client.alert_policies = []
+
+            check = (
+                logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled()
+            )
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "GCP Project"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION

tests/providers/gcp/services/logging/logging_sink_created/logging_sink_created_test.py

@@ -211,3 +211,128 @@ class Test_logging_sink_created:
                 result[0].status_extended
                 == f"There are no logging sinks to export copies of all the log entries in project {GCP_PROJECT_ID}."
             )
+
+    def test_project_not_in_projects_dict(self):
+        """Test that project not in projects dict uses None and fallback name"""
+        logging_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
+                new=logging_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
+                logging_sink_created,
+            )
+
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+            logging_client.sinks = []
+            # Project is in project_ids but NOT in projects dict
+            logging_client.projects = {}
+
+            check = logging_sink_created()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].resource_name == "GCP Project"
+            assert result[0].resource_id == GCP_PROJECT_ID
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+
+    def test_sink_with_none_name(self):
+        """Test that sink with None name uses fallback 'Logging Sink'"""
+        logging_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
+                new=logging_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
+                logging_sink_created,
+            )
+
+            # Create a MagicMock sink object with name=None
+            sink = MagicMock()
+            sink.name = None
+            sink.filter = "all"
+            sink.project_id = GCP_PROJECT_ID
+
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+            logging_client.sinks = [sink]
+            logging_client.projects = {
+                GCP_PROJECT_ID: GCPProject(
+                    id=GCP_PROJECT_ID,
+                    number="123456789012",
+                    name="test",
+                    labels={},
+                    lifecycle_state="ACTIVE",
+                )
+            }
+
+            check = logging_sink_created()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].resource_name == "Logging Sink"
+            assert result[0].resource_id == "unknown"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION
+            assert "unknown" in result[0].status_extended
+
+    def test_sink_with_missing_name_attribute(self):
+        """Test that sink without name attribute uses fallback 'Logging Sink'"""
+        logging_client = MagicMock()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            patch(
+                "prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created.logging_client",
+                new=logging_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.logging.logging_sink_created.logging_sink_created import (
+                logging_sink_created,
+            )
+
+            # Create a MagicMock sink object without name attribute
+            sink = MagicMock(spec=["filter", "project_id"])
+            sink.filter = "all"
+            sink.project_id = GCP_PROJECT_ID
+
+            logging_client.project_ids = [GCP_PROJECT_ID]
+            logging_client.region = GCP_EU1_LOCATION
+            logging_client.sinks = [sink]
+            logging_client.projects = {
+                GCP_PROJECT_ID: GCPProject(
+                    id=GCP_PROJECT_ID,
+                    number="123456789012",
+                    name="test",
+                    labels={},
+                    lifecycle_state="ACTIVE",
+                )
+            }
+
+            check = logging_sink_created()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].resource_name == "Logging Sink"
+            assert result[0].resource_id == "unknown"
+            assert result[0].project_id == GCP_PROJECT_ID
+            assert result[0].location == GCP_EU1_LOCATION

tests/providers/m365/services/admincenter/admincenter_settings_password_never_expire/admincenter_settings_password_never_expire_test.py

@@ -1,5 +1,4 @@
 from unittest import mock
-from uuid import uuid4
 
 from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
 
@@ -15,6 +14,7 @@ class Test_admincenter_settings_password_never_expire:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -27,7 +27,7 @@ class Test_admincenter_settings_password_never_expire:
                 admincenter_settings_password_never_expire,
             )
 
-            admincenter_client.domains = {}
+            admincenter_client.password_policy = None
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
@@ -43,6 +43,7 @@ class Test_admincenter_settings_password_never_expire:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -52,17 +53,15 @@ class Test_admincenter_settings_password_never_expire:
             ),
         ):
             from prowler.providers.m365.services.admincenter.admincenter_service import (
-                Domain,
+                PasswordPolicy,
             )
             from prowler.providers.m365.services.admincenter.admincenter_settings_password_never_expire.admincenter_settings_password_never_expire import (
                 admincenter_settings_password_never_expire,
             )
 
-            id_domain = str(uuid4())
-
-            admincenter_client.domains = {
-                id_domain: Domain(id=id_domain, password_validity_period=5),
-            }
+            admincenter_client.password_policy = PasswordPolicy(
+                password_validity_period=5
+            )
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
@@ -70,11 +69,11 @@ class Test_admincenter_settings_password_never_expire:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Domain {id_domain} does not have a Password never expires policy."
+                == "Tenant Password policy does not have a Password never expires policy."
             )
-            assert result[0].resource == admincenter_client.domains[id_domain].dict()
-            assert result[0].resource_name == id_domain
-            assert result[0].resource_id == id_domain
+            assert result[0].resource == admincenter_client.password_policy.dict()
+            assert result[0].resource_name == "Password Policy"
+            assert result[0].resource_id == "passwordPolicy"
             assert result[0].location == "global"
 
     def test_admincenter_password_not_expire(self):
@@ -87,6 +86,7 @@ class Test_admincenter_settings_password_never_expire:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_exchange_online"
             ),
@@ -96,17 +96,15 @@ class Test_admincenter_settings_password_never_expire:
             ),
         ):
             from prowler.providers.m365.services.admincenter.admincenter_service import (
-                Domain,
+                PasswordPolicy,
             )
             from prowler.providers.m365.services.admincenter.admincenter_settings_password_never_expire.admincenter_settings_password_never_expire import (
                 admincenter_settings_password_never_expire,
             )
 
-            id_domain = str(uuid4())
-
-            admincenter_client.domains = {
-                id_domain: Domain(id=id_domain, password_validity_period=2147483647),
-            }
+            admincenter_client.password_policy = PasswordPolicy(
+                password_validity_period=2147483647
+            )
 
             check = admincenter_settings_password_never_expire()
             result = check.execute()
@@ -114,9 +112,9 @@ class Test_admincenter_settings_password_never_expire:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Domain {id_domain} Password policy is set to never expire."
+                == "Tenant Password policy is set to never expire."
             )
-            assert result[0].resource == admincenter_client.domains[id_domain].dict()
-            assert result[0].resource_name == id_domain
-            assert result[0].resource_id == id_domain
+            assert result[0].resource == admincenter_client.password_policy.dict()
+            assert result[0].resource_name == "Password Policy"
+            assert result[0].resource_id == "passwordPolicy"
             assert result[0].location == "global"

tests/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed_test.py

@@ -20,6 +20,7 @@ class Test_sharepoint_external_sharing_managed:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -49,7 +50,7 @@ class Test_sharepoint_external_sharing_managed:
                 result[0].status_extended
                 == "SharePoint external sharing is not managed through domain restrictions."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -66,6 +67,7 @@ class Test_sharepoint_external_sharing_managed:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -95,7 +97,7 @@ class Test_sharepoint_external_sharing_managed:
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'allowList' but the list is empty."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -112,6 +114,7 @@ class Test_sharepoint_external_sharing_managed:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -141,7 +144,7 @@ class Test_sharepoint_external_sharing_managed:
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'blockList' but the list is empty."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -158,6 +161,7 @@ class Test_sharepoint_external_sharing_managed:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,
@@ -187,7 +191,7 @@ class Test_sharepoint_external_sharing_managed:
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'allowList'."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -233,7 +237,7 @@ class Test_sharepoint_external_sharing_managed:
                 result[0].status_extended
                 == "SharePoint external sharing is managed through domain restrictions with mode 'blockList'."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -252,6 +256,7 @@ class Test_sharepoint_external_sharing_managed:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_managed.sharepoint_external_sharing_managed.sharepoint_client",
                 new=sharepoint_client,

tests/providers/m365/services/sharepoint/sharepoint_external_sharing_restricted/sharepoint_external_sharing_restricted_test.py

@@ -20,6 +20,7 @@ class Test_sharepoint_external_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_restricted.sharepoint_external_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,
@@ -47,7 +48,7 @@ class Test_sharepoint_external_sharing_restricted:
             assert result[0].status_extended == (
                 "External sharing is restricted to external user sharing or more restrictive."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -64,6 +65,7 @@ class Test_sharepoint_external_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_restricted.sharepoint_external_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,
@@ -91,7 +93,7 @@ class Test_sharepoint_external_sharing_restricted:
             assert result[0].status_extended == (
                 "External sharing is not restricted and guests users can access."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -110,6 +112,7 @@ class Test_sharepoint_external_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_external_sharing_restricted.sharepoint_external_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,

tests/providers/m365/services/sharepoint/sharepoint_guest_sharing_restricted/sharepoint_guest_sharing_restricted_test.py

@@ -20,6 +20,7 @@ class Test_sharepoint_guest_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_guest_sharing_restricted.sharepoint_guest_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,
@@ -48,7 +49,7 @@ class Test_sharepoint_guest_sharing_restricted:
             assert result[0].status_extended == (
                 "Guest sharing is restricted; guest users cannot share items they do not own."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -65,6 +66,7 @@ class Test_sharepoint_guest_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_guest_sharing_restricted.sharepoint_guest_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,
@@ -93,7 +95,7 @@ class Test_sharepoint_guest_sharing_restricted:
             assert result[0].status_extended == (
                 "Guest sharing is not restricted; guest users can share items they do not own."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -112,6 +114,7 @@ class Test_sharepoint_guest_sharing_restricted:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_guest_sharing_restricted.sharepoint_guest_sharing_restricted.sharepoint_client",
                 new=sharepoint_client,

tests/providers/m365/services/sharepoint/sharepoint_modern_authentication_required/sharepoint_modern_authentication_required_test.py

@@ -17,6 +17,7 @@ class Test_sharepoint_modern_authentication_required:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_modern_authentication_required.sharepoint_modern_authentication_required.sharepoint_client",
                 new=sharepoint_client,
@@ -47,7 +48,7 @@ class Test_sharepoint_modern_authentication_required:
             assert result[0].status_extended == (
                 "Microsoft 365 SharePoint does not allow access to apps that don't use modern authentication."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -64,6 +65,7 @@ class Test_sharepoint_modern_authentication_required:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_modern_authentication_required.sharepoint_modern_authentication_required.sharepoint_client",
                 new=sharepoint_client,
@@ -94,7 +96,7 @@ class Test_sharepoint_modern_authentication_required:
             assert result[0].status_extended == (
                 "Microsoft 365 SharePoint allows access to apps that don't use modern authentication."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -113,6 +115,7 @@ class Test_sharepoint_modern_authentication_required:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_modern_authentication_required.sharepoint_modern_authentication_required.sharepoint_client",
                 new=sharepoint_client,

tests/providers/m365/services/sharepoint/sharepoint_onedrive_sync_restricted_unmanaged_devices/sharepoint_onedrive_sync_restricted_unmanaged_devices_test.py

@@ -21,6 +21,7 @@ class Test_sharepoint_onedrive_sync_restricted_unmanaged_devices:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_client",
                 new=sharepoint_client,
@@ -50,7 +51,7 @@ class Test_sharepoint_onedrive_sync_restricted_unmanaged_devices:
                 result[0].status_extended
                 == "Microsoft 365 SharePoint allows OneDrive sync to unmanaged devices."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -66,6 +67,7 @@ class Test_sharepoint_onedrive_sync_restricted_unmanaged_devices:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_client",
                 new=sharepoint_client,
@@ -95,7 +97,7 @@ class Test_sharepoint_onedrive_sync_restricted_unmanaged_devices:
                 result[0].status_extended
                 == "Microsoft 365 SharePoint does not allow OneDrive sync to unmanaged devices."
             )
-            assert result[0].resource_id == DOMAIN
+            assert result[0].resource_id == "sharepointSettings"
             assert result[0].location == "global"
             assert result[0].resource_name == "SharePoint Settings"
             assert result[0].resource == sharepoint_client.settings.dict()
@@ -114,6 +116,7 @@ class Test_sharepoint_onedrive_sync_restricted_unmanaged_devices:
                 "prowler.providers.common.provider.Provider.get_global_provider",
                 return_value=set_mocked_m365_provider(),
             ),
+            mock.patch("prowler.providers.m365.lib.service.service.M365PowerShell"),
             mock.patch(
                 "prowler.providers.m365.services.sharepoint.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_onedrive_sync_restricted_unmanaged_devices.sharepoint_client",
                 new=sharepoint_client,

tests/providers/m365/services/sharepoint/sharepoint_service_test.py

@@ -29,13 +29,17 @@ async def mock_sharepoint_get_settings(_):
 )
 class Test_SharePoint_Service:
     def test_get_client(self):
-        sharepoint_client = SharePoint(
-            set_mocked_m365_provider(identity=M365IdentityInfo(tenant_domain=DOMAIN))
-        )
+        with patch("prowler.providers.m365.lib.service.service.M365PowerShell"):
+            sharepoint_client = SharePoint(
+                set_mocked_m365_provider(
+                    identity=M365IdentityInfo(tenant_domain=DOMAIN)
+                )
+            )
         assert sharepoint_client.client.__class__.__name__ == "GraphServiceClient"
 
     def test_get_settings(self):
-        sharepoint_client = SharePoint(set_mocked_m365_provider())
+        with patch("prowler.providers.m365.lib.service.service.M365PowerShell"):
+            sharepoint_client = SharePoint(set_mocked_m365_provider())
         settings = sharepoint_client.settings
         assert settings.sharingCapability == "ExternalUserAndGuestSharing"
         assert settings.sharingAllowedDomainList == ["allowed-domain.com"]