chore: merge master

- Generate scan_id per provider account pair
- Adjust OCSF scan_id test to cover multiple accounts

.github/actions/setup-python-poetry/action.yml

@@ -35,9 +35,7 @@ runs:
       shell: bash
       run: |
         python -m pip install --upgrade pip
-        pipx install poetry==${INPUTS_POETRY_VERSION}
-      env:
-        INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }}
+        pipx install poetry==${{ inputs.poetry-version }}
 
     - name: Update poetry.lock with latest Prowler commit
       if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'

.github/actions/slack-notification/action.yml

@@ -26,18 +26,16 @@ runs:
       id: status
       shell: bash
       run: |
-        if [[ "${INPUTS_STEP_OUTCOME}" == "success" ]]; then
+        if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
           echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
           echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
-        elif [[ "${INPUTS_STEP_OUTCOME}" == "failure" ]]; then
+        elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
           echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
           echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
         else
           # No outcome provided - pending/in progress state
           echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
         fi
-      env:
-        INPUTS_STEP_OUTCOME: ${{ inputs.step-outcome }}
 
     - name: Send Slack notification (new message)
       if: inputs.update-ts == ''
@@ -69,11 +67,8 @@ runs:
       id: slack-notification
       shell: bash
       run: |
-        if [[ "${INPUTS_UPDATE_TS}" == "" ]]; then
-          echo "ts=${STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS}" >> $GITHUB_OUTPUT
+        if [[ "${{ inputs.update-ts }}" == "" ]]; then
+          echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT
         else
-          echo "ts=${INPUTS_UPDATE_TS}" >> $GITHUB_OUTPUT
+          echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT
         fi
-      env:
-        INPUTS_UPDATE_TS: ${{ inputs.update-ts }}
-        STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS: ${{ steps.slack-notification-post.outputs.ts }}

.github/actions/trivy-scan/action.yml

@@ -54,7 +54,7 @@ runs:
           trivy-db-${{ runner.os }}-
 
     - name: Run Trivy vulnerability scan (JSON)
-      uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
       with:
         image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
         format: 'json'
@@ -63,11 +63,10 @@ runs:
         exit-code: '0'
         scanners: 'vuln'
         timeout: '5m'
-        version: 'v0.69.2'
 
     - name: Run Trivy vulnerability scan (SARIF)
       if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
       with:
         image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
         format: 'sarif'
@@ -76,7 +75,6 @@ runs:
         exit-code: '0'
         scanners: 'vuln'
         timeout: '5m'
-        version: 'v0.69.2'
 
     - name: Upload Trivy results to GitHub Security tab
       if: inputs.upload-sarif == 'true' && github.event_name == 'push'
@@ -107,14 +105,11 @@ runs:
 
         echo "### 🔒 Container Security Scan" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Image:** \`${INPUTS_IMAGE_NAME}:${INPUTS_IMAGE_TAG}\`" >> $GITHUB_STEP_SUMMARY
+        echo "**Image:** \`${{ inputs.image-name }}:${{ inputs.image-tag }}\`" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
         echo "- 🔴 Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY
         echo "- 🟠 High: $HIGH" >> $GITHUB_STEP_SUMMARY
         echo "- **Total**: $TOTAL" >> $GITHUB_STEP_SUMMARY
-      env:
-        INPUTS_IMAGE_NAME: ${{ inputs.image-name }}
-        INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}
 
     - name: Comment scan results on PR
       if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
@@ -128,7 +123,7 @@ runs:
           const comment = require('./.github/scripts/trivy-pr-comment.js');
 
           // Unique identifier to find our comment
-          const marker = `<!-- trivy-scan-comment:${process.env.IMAGE_NAME} -->`;
+          const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
           const body = marker + '\n' + comment;
 
           // Find existing comment
@@ -164,9 +159,6 @@ runs:
       if: inputs.fail-on-critical == 'true' && steps.security-check.outputs.critical != '0'
       shell: bash
       run: |
-        echo "::error::Found ${STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL} critical vulnerabilities"
+        echo "::error::Found ${{ steps.security-check.outputs.critical }} critical vulnerabilities"
         echo "::warning::Please update packages or use a different base image"
         exit 1
-
-      env:
-        STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL: ${{ steps.security-check.outputs.critical }}

.github/dependabot.yml

@@ -15,8 +15,6 @@ updates:
     labels:
       - "dependencies"
       - "pip"
-    cooldown:
-      default-days: 7
 
   # Dependabot Updates are temporary disabled - 2025/03/19
   # - package-ecosystem: "pip"
@@ -39,8 +37,6 @@ updates:
     labels:
       - "dependencies"
       - "github_actions"
-    cooldown:
-      default-days: 7
 
   # Dependabot Updates are temporary disabled - 2025/03/19
   # - package-ecosystem: "npm"
@@ -63,8 +59,6 @@ updates:
     labels:
       - "dependencies"
       - "docker"
-    cooldown:
-      default-days: 7
 
   # Dependabot Updates are temporary disabled - 2025/04/15
   # v4.6

.github/scripts/test-e2e-path-resolution.sh

@@ -1,350 +0,0 @@
-#!/usr/bin/env bash
-#
-# Test script for E2E test path resolution logic from ui-e2e-tests-v2.yml.
-# Validates that the shell logic correctly transforms E2E_TEST_PATHS into
-# Playwright-compatible paths.
-#
-# Usage: .github/scripts/test-e2e-path-resolution.sh
-
-set -euo pipefail
-
-# -- Colors ------------------------------------------------------------------
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# -- Counters ----------------------------------------------------------------
-TOTAL=0
-PASSED=0
-FAILED=0
-
-# -- Temp directory setup & cleanup ------------------------------------------
-TMPDIR_ROOT="$(mktemp -d)"
-trap 'rm -rf "$TMPDIR_ROOT"' EXIT
-
-# ---------------------------------------------------------------------------
-# create_test_tree DIR [SUBDIRS_WITH_TESTS...]
-#
-# Creates a fake ui/tests/ tree inside DIR.
-# All standard subdirs are created (empty).
-# For each name in SUBDIRS_WITH_TESTS, a fake .spec.ts file is placed inside.
-# ---------------------------------------------------------------------------
-create_test_tree() {
-  local base="$1"; shift
-  local all_subdirs=(
-    auth home invitations profile providers scans
-    setups sign-in-base sign-up attack-paths findings
-    compliance browse manage-groups roles users overview
-    integrations
-  )
-
-  for d in "${all_subdirs[@]}"; do
-    mkdir -p "${base}/tests/${d}"
-  done
-
-  # Populate requested subdirs with a fake test file
-  for d in "$@"; do
-    mkdir -p "${base}/tests/${d}"
-    touch "${base}/tests/${d}/example.spec.ts"
-  done
-}
-
-# ---------------------------------------------------------------------------
-# resolve_paths E2E_TEST_PATHS WORKING_DIR
-#
-# Extracted EXACT logic from .github/workflows/ui-e2e-tests-v2.yml lines 212-250.
-# Outputs space-separated TEST_PATHS, or "SKIP" if no tests found.
-# Must be run with WORKING_DIR as the cwd equivalent (we cd into it).
-# ---------------------------------------------------------------------------
-resolve_paths() {
-  local E2E_TEST_PATHS="$1"
-  local WORKING_DIR="$2"
-
-  (
-    cd "$WORKING_DIR"
-
-    # --- Line 212-214: strip ui/ prefix, strip **, deduplicate ---------------
-    TEST_PATHS="${E2E_TEST_PATHS}"
-    TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
-
-    # --- Line 216: drop setup helpers ----------------------------------------
-    TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/' || true)
-
-    # --- Lines 219-230: safety net for bare tests/ --------------------------
-    if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-      SPECIFIC_DIRS=""
-      for dir in tests/*/; do
-        [[ "$dir" == "tests/setups/" ]] && continue
-        SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-      done
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/' || true)
-      TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-    fi
-
-    # --- Lines 231-234: bail if empty ----------------------------------------
-    if [[ -z "$TEST_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Lines 236-245: filter dirs with no test files -----------------------
-    VALID_PATHS=""
-    while IFS= read -r p; do
-      [[ -z "$p" ]] && continue
-      if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-        VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-      fi
-    done <<< "$TEST_PATHS"
-    VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$')
-
-    # --- Lines 246-249: bail if all empty ------------------------------------
-    if [[ -z "$VALID_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Line 250: final output (space-separated) ---------------------------
-    echo "$VALID_PATHS" | tr '\n' ' ' | sed 's/ $//'
-  )
-}
-
-# ---------------------------------------------------------------------------
-# run_test NAME INPUT EXPECTED_TYPE [EXPECTED_VALUE]
-#
-# EXPECTED_TYPE is one of:
-#   "contains <path>"  — output must contain this path
-#   "equals <value>"   — output must exactly equal this value
-#   "skip"             — expect SKIP (no runnable tests)
-#   "not_contains <p>" — output must NOT contain this path
-#
-# Multiple expectations can be specified by calling assert_* after run_test.
-# For convenience, run_test supports a single assertion inline.
-# ---------------------------------------------------------------------------
-CURRENT_RESULT=""
-CURRENT_TEST_NAME=""
-
-run_test() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  # Create a fresh temp tree per test
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  # Default populated dirs: scans, providers, auth, home, profile, sign-up, sign-in-base
-  create_test_tree "$test_dir" scans providers auth home profile sign-up sign-in-base
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-# Like run_test but lets caller specify which subdirs have test files.
-run_test_custom_tree() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-  shift 4
-  local populated_dirs=("$@")
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  create_test_tree "$test_dir" "${populated_dirs[@]}"
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-_check() {
-  local expect_type="$1"
-  local expect_value="$2"
-
-  case "$expect_type" in
-    skip)
-      if [[ "$CURRENT_RESULT" == "SKIP" ]]; then
-        _pass
-      else
-        _fail "expected SKIP, got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    contains)
-      if [[ "$CURRENT_RESULT" == *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    not_contains)
-      if [[ "$CURRENT_RESULT" != *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected NOT to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    equals)
-      if [[ "$CURRENT_RESULT" == "$expect_value" ]]; then
-        _pass
-      else
-        _fail "expected exactly '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    *)
-      _fail "unknown expect_type: $expect_type"
-      ;;
-  esac
-}
-
-_pass() {
-  PASSED=$((PASSED + 1))
-  printf '%b  PASS%b %s\n' "$GREEN" "$RESET" "$CURRENT_TEST_NAME"
-}
-
-_fail() {
-  FAILED=$((FAILED + 1))
-  printf '%b  FAIL%b %s\n' "$RED" "$RESET" "$CURRENT_TEST_NAME"
-  printf "        %s\n" "$1"
-}
-
-# ===========================================================================
-# TEST CASES
-# ===========================================================================
-
-echo ""
-printf '%bE2E Path Resolution Tests%b\n' "$BOLD" "$RESET"
-echo "=========================================="
-
-# 1. Normal single module
-run_test \
-  "1. Normal single module" \
-  "ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 2. Multiple modules
-run_test \
-  "2. Multiple modules — scans present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "2. Multiple modules — providers present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/providers/"
-
-# 3. Broad pattern (many modules)
-run_test \
-  "3. Broad pattern — no bare tests/" \
-  "ui/tests/auth/** ui/tests/scans/** ui/tests/providers/** ui/tests/home/** ui/tests/profile/**" \
-  "not_contains" "tests/ "
-
-# 4. Empty directory
-run_test \
-  "4. Empty directory — skipped" \
-  "ui/tests/attack-paths/**" \
-  "skip"
-
-# 5. Mix of populated and empty dirs
-run_test \
-  "5. Mix populated+empty — scans present" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "5. Mix populated+empty — attack-paths absent" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "not_contains" "tests/attack-paths/"
-
-# 6. All empty directories
-run_test \
-  "6. All empty directories" \
-  "ui/tests/attack-paths/** ui/tests/findings/**" \
-  "skip"
-
-# 7. Setup paths filtered
-run_test \
-  "7. Setup paths filtered out" \
-  "ui/tests/setups/**" \
-  "skip"
-
-# 8. Bare tests/ from broad pattern — safety net expands
-run_test \
-  "8. Bare tests/ expands — scans present" \
-  "ui/tests/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "8. Bare tests/ expands — setups excluded" \
-  "ui/tests/**" \
-  "not_contains" "tests/setups/"
-
-# 9. Bare tests/ with all empty subdirs (only setups has files)
-run_test_custom_tree \
-  "9. Bare tests/ — only setups has files" \
-  "ui/tests/**" \
-  "skip" "" \
-  setups
-
-# 10. Duplicate paths
-run_test \
-  "10. Duplicate paths — deduplicated" \
-  "ui/tests/scans/** ui/tests/scans/**" \
-  "equals" "tests/scans/"
-
-# 11. Empty input
-TOTAL=$((TOTAL + 1))
-CURRENT_TEST_NAME="11. Empty input"
-test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-mkdir -p "$test_dir"
-create_test_tree "$test_dir" scans providers
-CURRENT_RESULT=$(resolve_paths "" "$test_dir")
-_check "skip" ""
-
-# 12. Trailing/leading whitespace
-run_test \
-  "12. Whitespace handling" \
-  "  ui/tests/scans/**  " \
-  "contains" "tests/scans/"
-
-# 13. Path without ui/ prefix
-run_test \
-  "13. Path without ui/ prefix" \
-  "tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 14. Setup mixed with valid paths — only valid pass through
-run_test \
-  "14. Setups + valid — setups filtered" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "14. Setups + valid — setups absent" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "not_contains" "tests/setups/"
-
-# ===========================================================================
-# SUMMARY
-# ===========================================================================
-
-echo ""
-echo "=========================================="
-if [[ "$FAILED" -eq 0 ]]; then
-  printf '%b%bAll tests passed: %d/%d%b\n' "$GREEN" "$BOLD" "$PASSED" "$TOTAL" "$RESET"
-else
-  printf '%b%b%d/%d passed, %d FAILED%b\n' "$RED" "$BOLD" "$PASSED" "$TOTAL" "$FAILED" "$RESET"
-fi
-echo ""
-
-exit "$FAILED"

.github/test-impact.yml

@@ -224,24 +224,8 @@ modules:
     tests:
       - api/src/backend/api/tests/test_views.py
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # API view changes can break UI
+      - ui/tests/**
 
   - name: api-serializers
     match:
@@ -250,24 +234,8 @@ modules:
     tests:
       - api/src/backend/api/tests/**
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Serializer changes affect API responses → UI
+      - ui/tests/**
 
   - name: api-filters
     match:
@@ -439,24 +407,8 @@ modules:
       - ui/components/ui/**
     tests: []
     e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Shared components can affect any E2E
+      - ui/tests/**
 
   - name: ui-attack-paths
     match:

.github/workflows/api-bump-version.yml

@@ -29,8 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Get current API version
         id: get_api_version
@@ -81,14 +79,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next API minor version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
 
           # API version follows Prowler minor + 1
           # For Prowler 5.17.0 -> API 1.18.0
@@ -101,10 +97,6 @@ jobs:
           echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
           echo "Current API version: $CURRENT_API_VERSION"
           echo "Next API minor version (for master): $NEXT_API_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
 
       - name: Bump API versions in files for master
         run: |
@@ -140,13 +132,12 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
 
       - name: Calculate first API patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
 
           # API version follows Prowler minor + 1
@@ -160,10 +151,6 @@ jobs:
           echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
           echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
           echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
 
       - name: Bump API versions in files for version branch
         run: |
@@ -206,15 +193,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next API patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
 
           # Extract current API patch to increment it
@@ -237,11 +222,6 @@ jobs:
             echo "::error::Invalid API version format: $CURRENT_API_VERSION"
             exit 1
           fi
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
 
       - name: Bump API versions in files for version branch
         run: |

.github/workflows/api-code-quality.yml

@@ -34,9 +34,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes

.github/workflows/api-codeql.yml

@@ -43,8 +43,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9

.github/workflows/api-container-build-push.yml

@@ -58,8 +58,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Notify container push started
         id: slack-notification
@@ -96,8 +94,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Login to DockerHub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -142,22 +138,18 @@ jobs:
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Create and push manifests for release event
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Install regctl
         if: always()
@@ -167,11 +159,9 @@ jobs:
         if: always()
         run: |
           echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
           echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
 
   notify-release-completed:
     if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -181,20 +171,15 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Determine overall outcome
         id: outcome
         run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
             echo "outcome=success" >> $GITHUB_OUTPUT
           else
             echo "outcome=failure" >> $GITHUB_OUTPUT
           fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}
 
       - name: Notify container push completed
         uses: ./.github/actions/slack-notification

.github/workflows/api-container-checks.yml

@@ -29,9 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -67,9 +64,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes

.github/workflows/api-security.yml

@@ -34,9 +34,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes

.github/workflows/api-tests.yml

@@ -43,7 +43,7 @@ jobs:
 
     services:
       postgres:
-        image: postgres:17@sha256:2cd82735a36356842d5eb1ef80db3ae8f1154172f0f653db48fde079b2a0b7f7
+        image: postgres
         env:
           POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
           POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
@@ -74,9 +74,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for API changes
         id: check-changes

.github/workflows/backport.yml

@@ -1,7 +1,6 @@
 name: 'Tools: Backport'
 
 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access for backport PRs, no PR code checkout
   pull_request_target:
     branches:
       - 'master'

.github/workflows/ci-zizmor.yml

@@ -1,44 +0,0 @@
-name: 'CI: Zizmor'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/**'
-  schedule:
-    - cron: '30 06 * * *'
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  zizmor:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: GitHub Actions Security Audit
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      security-events: write
-      contents: read
-      actions: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
-        with:
-          token: ${{ github.token }}

.github/workflows/create-backport-label.yml

@@ -25,9 +25,8 @@ jobs:
       - name: Create backport label for minor releases
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
+          RELEASE_TAG="${{ github.event.release.tag_name }}"
 
           if [ -z "$RELEASE_TAG" ]; then
             echo "Error: No release tag provided"

.github/workflows/docs-bump-version.yml

@@ -29,8 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Get current documentation version
         id: get_docs_version
@@ -81,14 +79,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next minor version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
 
           NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
           echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
@@ -97,10 +93,6 @@ jobs:
           echo "Current documentation version: $CURRENT_DOCS_VERSION"
           echo "Current release version: $PROWLER_VERSION"
           echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
 
       - name: Bump versions in documentation for master
         run: |
@@ -140,13 +132,12 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
 
       - name: Calculate first patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
 
           FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -157,10 +148,6 @@ jobs:
 
           echo "First patch version: $FIRST_PATCH_VERSION"
           echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
 
       - name: Bump versions in documentation for version branch
         run: |
@@ -206,15 +193,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
 
           NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -227,11 +212,6 @@ jobs:
           echo "Current release version: $PROWLER_VERSION"
           echo "Next patch version: $NEXT_PATCH_VERSION"
           echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
 
       - name: Bump versions in documentation for patch version
         run: |

.github/workflows/find-secrets.yml

@@ -26,7 +26,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
-          persist-credentials: false
 
       - name: Scan for secrets with TruffleHog
         uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4

.github/workflows/helm-chart-checks.yml

@@ -1,48 +0,0 @@
-name: 'Helm: Chart Checks'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  helm-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Lint Helm chart
-        run: helm lint ${{ env.CHART_PATH }}
-
-      - name: Validate Helm chart template rendering
-        run: helm template prowler ${{ env.CHART_PATH }}

.github/workflows/helm-chart-release.yml

@@ -1,54 +0,0 @@
-name: 'Helm: Chart Release'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  release-helm-chart:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
-
-      - name: Set appVersion from release tag
-        run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
-          echo "Setting appVersion to ${RELEASE_TAG}"
-          sed -i "s/^appVersion:.*/appVersion: \"${RELEASE_TAG}\"/" ${{ env.CHART_PATH }}/Chart.yaml
-        env:
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-
-      - name: Login to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${GITHUB_ACTOR} --password-stdin
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Package Helm chart
-        run: helm package ${{ env.CHART_PATH }} --destination .helm-packages
-
-      - name: Push chart to GHCR
-        run: |
-          PACKAGE=$(ls .helm-packages/*.tgz)
-          helm push "$PACKAGE" oci://ghcr.io/${{ github.repository_owner }}/charts

.github/workflows/labeler.yml

@@ -1,7 +1,6 @@
 name: 'Tools: PR Labeler'
 
 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access to apply labels, no PR code checkout
   pull_request_target:
     branches:
       - 'master'

.github/workflows/mcp-container-build-push.yml

@@ -57,8 +57,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Notify container push started
         id: slack-notification
@@ -94,8 +92,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Login to DockerHub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -148,36 +144,30 @@ jobs:
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Create and push manifests for release event
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main
 
       - name: Cleanup intermediate architecture tags
         if: always()
         run: |
           echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
           echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
 
   notify-release-completed:
     if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -187,20 +177,15 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Determine overall outcome
         id: outcome
         run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
             echo "outcome=success" >> $GITHUB_OUTPUT
           else
             echo "outcome=failure" >> $GITHUB_OUTPUT
           fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}
 
       - name: Notify container push completed
         uses: ./.github/actions/slack-notification

.github/workflows/mcp-container-checks.yml

@@ -29,9 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -66,9 +63,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for MCP changes
         id: check-changes

.github/workflows/mcp-pypi-release.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Parse and validate version
         id: parse-version
         run: |
-          PROWLER_VERSION="${RELEASE_TAG}"
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
           echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
 
           # Extract major version
@@ -61,13 +61,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
-        with:
-          enable-cache: false
+        uses: astral-sh/setup-uv@v7
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0

.github/workflows/pr-check-changelog.yml

@@ -32,8 +32,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Get changed files
         id: changed-files
@@ -52,11 +50,11 @@ jobs:
         run: |
           missing_changelogs=""
 
-          if [[ "${STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED}" == "true" ]]; then
+          if [[ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]]; then
             # Check monitored folders
             for folder in $MONITORED_FOLDERS; do
               # Get files changed in this folder
-              changed_in_folder=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^${folder}/" || true)
+              changed_in_folder=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^${folder}/" || true)
 
               if [ -n "$changed_in_folder" ]; then
                 echo "Detected changes in ${folder}/"
@@ -71,11 +69,11 @@ jobs:
 
             # Check root-level dependency files (poetry.lock, pyproject.toml)
             # These are associated with the prowler folder changelog
-            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
+            root_deps_changed=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
             if [ -n "$root_deps_changed" ]; then
               echo "Detected changes in root dependency files: $root_deps_changed"
               # Check if prowler/CHANGELOG.md was already updated (might have been caught above)
-              prowler_changelog_updated=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true)
+              prowler_changelog_updated=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true)
               if [ -z "$prowler_changelog_updated" ]; then
                 # Only add if prowler wasn't already flagged
                 if ! echo "$missing_changelogs" | grep -q "prowler"; then
@@ -91,9 +89,6 @@ jobs:
             echo -e "${missing_changelogs}"
             echo "EOF"
           } >> $GITHUB_OUTPUT
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
 
       - name: Find existing changelog comment
         if: github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/pr-conflict-checker.yml

@@ -1,7 +1,6 @@
 name: 'Tools: PR Conflict Checker'
 
 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access for conflict labels/comments, checkout uses PR head SHA for read-only grep
   pull_request_target:
     types:
       - 'opened'
@@ -30,7 +29,6 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
-          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -47,7 +45,7 @@ jobs:
           HAS_CONFLICTS=false
 
           # Check each changed file for conflict markers
-          for file in ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}; do
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
             if [ -f "$file" ]; then
               echo "Checking file: $file"
 
@@ -72,8 +70,6 @@ jobs:
             echo "has_conflicts=false" >> $GITHUB_OUTPUT
             echo "No conflict markers found in changed files"
           fi
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
 
       - name: Manage conflict label
         env:

.github/workflows/pr-merged.yml

@@ -1,7 +1,6 @@
 name: 'Tools: PR Merged'
 
 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs read access to merged PR metadata, no PR code checkout
   pull_request_target:
     branches:
       - 'master'
@@ -26,10 +25,8 @@ jobs:
       - name: Calculate short commit SHA
         id: vars
         run: |
-          SHORT_SHA="${GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA}"
-          echo "short_sha=${SHORT_SHA::7}" >> $GITHUB_OUTPUT
-        env:
-          GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+          SHORT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
+          echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV
 
       - name: Trigger Cloud repository pull request
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
@@ -40,7 +37,7 @@ jobs:
           client-payload: |
             {
               "PROWLER_COMMIT_SHA": "${{ github.event.pull_request.merge_commit_sha }}",
-              "PROWLER_COMMIT_SHORT_SHA": "${{ steps.vars.outputs.short_sha }}",
+              "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
               "PROWLER_PR_NUMBER": "${{ github.event.pull_request.number }}",
               "PROWLER_PR_TITLE": ${{ toJson(github.event.pull_request.title) }},
               "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},

.github/workflows/prepare-release.yml

@@ -31,7 +31,6 @@ jobs:
       with:
         fetch-depth: 0
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0

.github/workflows/sdk-bump-version.yml

@@ -68,22 +68,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next minor version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
 
           NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
           echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
 
           echo "Current version: $PROWLER_VERSION"
           echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
 
       - name: Bump versions in files for master
         run: |
@@ -118,12 +113,11 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
 
       - name: Calculate first patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
 
           FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -133,9 +127,6 @@ jobs:
 
           echo "First patch version: $FIRST_PATCH_VERSION"
           echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
 
       - name: Bump versions in files for version branch
         run: |
@@ -177,14 +168,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
 
           NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -195,10 +184,6 @@ jobs:
           echo "Current version: $PROWLER_VERSION"
           echo "Next patch version: $NEXT_PATCH_VERSION"
           echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
 
       - name: Bump versions in files for version branch
         run: |

.github/workflows/sdk-check-duplicate-test-names.yml

@@ -21,8 +21,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Check for duplicate test names across providers
         run: |

.github/workflows/sdk-code-quality.yml

@@ -32,9 +32,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes

.github/workflows/sdk-codeql.yml

@@ -50,8 +50,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9

.github/workflows/sdk-container-build-push.yml

@@ -62,8 +62,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
@@ -118,8 +116,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Notify container push started
         id: slack-notification
@@ -156,8 +152,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Login to DockerHub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -220,44 +214,36 @@ jobs:
         if: github.event_name == 'push'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
 
       - name: Create and push manifests for release event
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }}
-          NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }}
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main
 
       - name: Cleanup intermediate architecture tags
         if: always()
         run: |
           echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
           echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
 
   notify-release-completed:
     if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -267,20 +253,15 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Determine overall outcome
         id: outcome
         run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
             echo "outcome=success" >> $GITHUB_OUTPUT
           else
             echo "outcome=failure" >> $GITHUB_OUTPUT
           fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}
 
       - name: Notify container push completed
         uses: ./.github/actions/slack-notification

.github/workflows/sdk-container-checks.yml

@@ -28,9 +28,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -66,9 +63,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes

.github/workflows/sdk-pypi-release.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Parse and validate version
         id: parse-version
         run: |
-          PROWLER_VERSION="${RELEASE_TAG}"
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
           echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
 
           # Extract major version
@@ -60,8 +60,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Install Poetry
         run: pipx install poetry==2.1.1
@@ -70,6 +68,7 @@ jobs:
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'
 
       - name: Build Prowler package
         run: poetry build
@@ -93,8 +92,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Install Poetry
         run: pipx install poetry==2.1.1
@@ -103,6 +100,7 @@ jobs:
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'
 
       - name: Install toml package
         run: pip install toml

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -28,7 +28,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: 'master'
-          persist-credentials: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
@@ -83,14 +82,9 @@ jobs:
 
       - name: PR creation result
         run: |
-          if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then
-            echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully"
-            echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}"
+          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
+            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
+            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
           else
             echo "✓ No changes detected - AWS regions are up to date"
           fi
-
-        env:
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
-
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }}

.github/workflows/sdk-refresh-oci-regions.yml

@@ -26,7 +26,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: 'master'
-          persist-credentials: false
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
@@ -86,14 +85,9 @@ jobs:
 
       - name: PR creation result
         run: |
-          if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then
-            echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully"
-            echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}"
+          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
+            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
+            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
           else
             echo "✓ No changes detected - OCI regions are up to date"
           fi
-
-        env:
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
-
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }}

.github/workflows/sdk-security.yml

@@ -25,15 +25,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
         uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
         with:
-          files:
+          files: 
             ./**
             .github/workflows/sdk-security.yml
           files_ignore: |

.github/workflows/sdk-tests.yml

@@ -32,9 +32,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for SDK changes
         id: check-changes
@@ -122,7 +119,7 @@ jobs:
               "wafv2": ["cognito", "elbv2"],
           }
 
-          changed_raw = os.environ.get("STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES", "")
+          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
           # all_changed_files is space-separated, not newline-separated
           # Strip leading "./" if present for consistent path handling
           changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
@@ -177,25 +174,20 @@ jobs:
           else:
               print("AWS service test paths: none detected")
           PY
-        env:
-          STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-aws.outputs.all_changed_files }}
 
       - name: Run AWS tests
         if: steps.changed-aws.outputs.any_changed == 'true'
         run: |
-          echo "AWS run_all=${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}"
-          echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
+          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
+          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"
 
-          if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
+          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
             poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
+          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
             echo "No AWS service paths detected; skipping AWS tests."
           else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
           fi
-        env:
-          STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
-          STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS: ${{ steps.aws-services.outputs.service_paths }}
 
       - name: Upload AWS coverage to Codecov
         if: steps.changed-aws.outputs.any_changed == 'true'

.github/workflows/test-impact-analysis.yml

@@ -49,9 +49,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Get changed files
         id: changed-files
@@ -69,60 +66,47 @@ jobs:
         id: impact
         run: |
           echo "Changed files:"
-          echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n'
+          echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n'
           echo ""
-          python .github/scripts/test-impact.py ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          python .github/scripts/test-impact.py ${{ steps.changed-files.outputs.all_changed_files }}
 
       - name: Set convenience flags
         id: set-flags
         run: |
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_SDK_TESTS}" ]]; then
+          if [[ -n "${{ steps.impact.outputs.sdk-tests }}" ]]; then
             echo "has-sdk-tests=true" >> $GITHUB_OUTPUT
           else
             echo "has-sdk-tests=false" >> $GITHUB_OUTPUT
           fi
-
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_API_TESTS}" ]]; then
+          
+          if [[ -n "${{ steps.impact.outputs.api-tests }}" ]]; then
             echo "has-api-tests=true" >> $GITHUB_OUTPUT
           else
             echo "has-api-tests=false" >> $GITHUB_OUTPUT
           fi
-
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_UI_E2E}" ]]; then
+          
+          if [[ -n "${{ steps.impact.outputs.ui-e2e }}" ]]; then
             echo "has-ui-e2e=true" >> $GITHUB_OUTPUT
           else
             echo "has-ui-e2e=false" >> $GITHUB_OUTPUT
           fi
-        env:
-          STEPS_IMPACT_OUTPUTS_SDK_TESTS: ${{ steps.impact.outputs.sdk-tests }}
-          STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }}
-          STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }}
 
       - name: Summary
         run: |
           echo "## Test Impact Analysis" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-
-          if [[ "${STEPS_IMPACT_OUTPUTS_RUN_ALL}" == "true" ]]; then
+          
+          if [[ "${{ steps.impact.outputs.run-all }}" == "true" ]]; then
             echo "🚨 **Critical path changed - running ALL tests**" >> $GITHUB_STEP_SUMMARY
           else
             echo "### Affected Modules" >> $GITHUB_STEP_SUMMARY
-            echo "\`${STEPS_IMPACT_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
+            echo "\`${{ steps.impact.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
-
+            
             echo "### Tests to Run" >> $GITHUB_STEP_SUMMARY
             echo "| Category | Paths |" >> $GITHUB_STEP_SUMMARY
             echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-            echo "| SDK Tests | \`${STEPS_IMPACT_OUTPUTS_SDK_TESTS:-none}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| API Tests | \`${STEPS_IMPACT_OUTPUTS_API_TESTS:-none}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| UI E2E | \`${STEPS_IMPACT_OUTPUTS_UI_E2E:-none}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| SDK Tests | \`${{ steps.impact.outputs.sdk-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| API Tests | \`${{ steps.impact.outputs.api-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| UI E2E | \`${{ steps.impact.outputs.ui-e2e || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
           fi
-
-        env:
-          STEPS_IMPACT_OUTPUTS_RUN_ALL: ${{ steps.impact.outputs.run-all }}
-          STEPS_IMPACT_OUTPUTS_SDK_TESTS: ${{ steps.impact.outputs.sdk-tests }}
-          STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }}
-          STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }}
-          STEPS_IMPACT_OUTPUTS_MODULES: ${{ steps.impact.outputs.modules }}

.github/workflows/ui-bump-version.yml

@@ -68,22 +68,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next minor version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
 
           NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
           echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
 
           echo "Current version: $PROWLER_VERSION"
           echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
 
       - name: Bump UI version in .env for master
         run: |
@@ -120,12 +115,11 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
 
       - name: Calculate first patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
 
           FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -135,9 +129,6 @@ jobs:
 
           echo "First patch version: $FIRST_PATCH_VERSION"
           echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
 
       - name: Bump UI version in .env for version branch
         run: |
@@ -181,14 +172,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Calculate next patch version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
 
           NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
           VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -199,10 +188,6 @@ jobs:
           echo "Current version: $PROWLER_VERSION"
           echo "Next patch version: $NEXT_PATCH_VERSION"
           echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
 
       - name: Bump UI version in .env for version branch
         run: |

.github/workflows/ui-codeql.yml

@@ -46,8 +46,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9

.github/workflows/ui-container-build-push.yml

@@ -60,8 +60,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Notify container push started
         id: slack-notification
@@ -98,8 +96,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Login to DockerHub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -147,36 +143,30 @@ jobs:
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Create and push manifests for release event
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
 
       - name: Install regctl
         if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main
 
       - name: Cleanup intermediate architecture tags
         if: always()
         run: |
           echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
           echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
 
   notify-release-completed:
     if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -186,20 +176,15 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Determine overall outcome
         id: outcome
         run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
             echo "outcome=success" >> $GITHUB_OUTPUT
           else
             echo "outcome=failure" >> $GITHUB_OUTPUT
           fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}
 
       - name: Notify container push completed
         uses: ./.github/actions/slack-notification

.github/workflows/ui-container-checks.yml

@@ -29,9 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
@@ -67,9 +64,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for UI changes
         id: check-changes

.github/workflows/ui-e2e-tests-v2.yml

@@ -15,9 +15,6 @@ on:
       - 'ui/**'
       - 'api/**'  # API changes can affect UI E2E
 
-permissions:
-  contents: read
-
 jobs:
   # First, analyze which tests need to run
   impact-analysis:
@@ -79,24 +76,20 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
 
       - name: Show test scope
         run: |
           echo "## E2E Test Scope" >> $GITHUB_STEP_SUMMARY
-          if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
+          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
             echo "Running **ALL** E2E tests (critical path changed)" >> $GITHUB_STEP_SUMMARY
           else
-            echo "Running tests matching: \`${E2E_TEST_PATHS}\`" >> $GITHUB_STEP_SUMMARY
+            echo "Running tests matching: \`${{ env.E2E_TEST_PATHS }}\`" >> $GITHUB_STEP_SUMMARY
           fi
           echo ""
-          echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
-        env:
-          NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }}
+          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
 
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1
+        uses: helm/kind-action@v1
         with:
           cluster_name: kind
 
@@ -157,7 +150,7 @@ jobs:
           node-version: '24.13.0'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@v4
         with:
           version: 10
           run_install: false
@@ -202,52 +195,23 @@ jobs:
       - name: Run E2E tests
         working-directory: ./ui
         run: |
-          if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
+          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
             echo "Running ALL E2E tests..."
             pnpm run test:e2e
           else
-            echo "Running targeted E2E tests: ${E2E_TEST_PATHS}"
+            echo "Running targeted E2E tests: ${{ env.E2E_TEST_PATHS }}"
             # Convert glob patterns to playwright test paths
             # e.g., "ui/tests/providers/**" -> "tests/providers"
-            TEST_PATHS="${E2E_TEST_PATHS}"
+            TEST_PATHS="${{ env.E2E_TEST_PATHS }}"
             # Remove ui/ prefix and convert ** to empty (playwright handles recursion)
             TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
             # Drop auth setup helpers (not runnable test suites)
             TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-            # Safety net: if bare "tests/" appears (from broad patterns like ui/tests/**),
-            # expand to specific subdirs to avoid Playwright discovering setup files
-            if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-              echo "Expanding bare 'tests/' to specific subdirs (excluding setups)..."
-              SPECIFIC_DIRS=""
-              for dir in tests/*/; do
-                [[ "$dir" == "tests/setups/" ]] && continue
-                SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-              done
-              # Replace "tests/" with specific dirs, keep other paths
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/')
-              TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-            fi
             if [[ -z "$TEST_PATHS" ]]; then
               echo "No runnable E2E test paths after filtering setups"
               exit 0
             fi
-            # Filter out directories that don't contain any test files
-            VALID_PATHS=""
-            while IFS= read -r p; do
-              [[ -z "$p" ]] && continue
-              if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-                VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-              else
-                echo "Skipping empty test directory: $p"
-              fi
-            done <<< "$TEST_PATHS"
-            VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$' || true)
-            if [[ -z "$VALID_PATHS" ]]; then
-              echo "No test files found in any resolved paths — skipping E2E"
-              exit 0
-            fi
-            TEST_PATHS=$(echo "$VALID_PATHS" | tr '\n' ' ')
+            TEST_PATHS=$(echo "$TEST_PATHS" | tr '\n' ' ')
             echo "Resolved test paths: $TEST_PATHS"
             pnpm exec playwright test $TEST_PATHS
           fi
@@ -280,8 +244,6 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "No UI E2E tests needed for this change." >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
+          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "To run all tests, modify a file in a critical path (e.g., \`ui/lib/**\`)." >> $GITHUB_STEP_SUMMARY
-        env:
-          NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }}

.github/workflows/ui-tests.yml

@@ -31,9 +31,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Check for UI changes
         id: check-changes
@@ -84,7 +81,7 @@ jobs:
 
       - name: Setup pnpm
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@v4
         with:
           version: 10
           run_install: false
@@ -125,12 +122,10 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files != ''
         run: |
           echo "Running tests related to changed files:"
-          echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}"
+          echo "${{ steps.changed-source.outputs.all_changed_files }}"
           # Convert space-separated to vitest related format (remove ui/ prefix for relative paths)
-          CHANGED_FILES=$(echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ')
+          CHANGED_FILES=$(echo "${{ steps.changed-source.outputs.all_changed_files }}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ')
           pnpm exec vitest related $CHANGED_FILES --run
-        env:
-          STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-source.outputs.all_changed_files }}
 
       - name: Run unit tests (test files only changed)
         if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files == ''

Dockerfile

@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.66.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
 # hadolint ignore=DL3008

README.md

@@ -109,16 +109,14 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
 | GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 89 | 9 | 4 | 5 | Official | UI, API, CLI |
-| OCI | 48 | 13 | 3 | 10 | Official | UI, API, CLI |
+| M365 | 75 | 7 | 4 | 4 | Official | UI, API, CLI |
+| OCI | 51 | 13 | 3 | 12 | Official | UI, API, CLI |
 | Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 2 | 0 | 5 | Official | UI, API, CLI |
+| Cloudflare | 29 | 2 | 0 | 5 | Official | CLI, API |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 3 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
-| OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
+| OpenStack | 1 | 1 | 0 | 2 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]
@@ -150,17 +148,21 @@ Prowler App offers flexible installation methods tailored to various environment
 **Commands**
 
 ``` console
-VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
-curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
-# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
-curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
 docker compose up -d
 ```
 
-> [!WARNING]
-> 🔒 For a secure setup, the API auto-generates a unique key pair, `DJANGO_TOKEN_SIGNING_KEY` and `DJANGO_TOKEN_VERIFYING_KEY`, and stores it in `~/.config/prowler-api` (non-container) or the bound Docker volume in `_data/api` (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.
+> Containers are built for `linux/amd64`.
 
-Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
+### Configuring Your Workstation for Prowler App
+
+If your workstation's architecture is incompatible, you can resolve this by:
+
+- **Setting the environment variable**: `DOCKER_DEFAULT_PLATFORM=linux/amd64`
+- **Using the following flag in your Docker command**: `--platform linux/amd64`
+
+> Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
 
 ### Common Issues with Docker Pull Installation
 

api/CHANGELOG.md

@@ -2,25 +2,7 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.21.0] (Prowler UNRELEASED)
-
-### 🔄 Changed
-
-- Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
-- `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)
-
----
-
-## [1.20.1] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
-- Attack Paths: Add missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
-- Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)
-
----
-
-## [1.20.0] (Prowler v5.19.0)
+## [1.20.0] (Prowler UNRELEASED)
 
 ### 🚀 Added
 
@@ -29,26 +11,29 @@ All notable changes to the **Prowler API** are documented in this file.
 - PDF report for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
 - `image` provider support for container image scanning [(#10128)](https://github.com/prowler-cloud/prowler/pull/10128)
 - Attack Paths: Custom query and Cartography schema endpoints (temporarily blocked) [(#10149)](https://github.com/prowler-cloud/prowler/pull/10149)
-- `googleworkspace` provider support [(#10247)](https://github.com/prowler-cloud/prowler/pull/10247)
 
 ### 🔄 Changed
 
 - Attack Paths: Queries definition now has short description and attribution [(#9983)](https://github.com/prowler-cloud/prowler/pull/9983)
 - Attack Paths: Internet node is created while scan [(#9992)](https://github.com/prowler-cloud/prowler/pull/9992)
 - Attack Paths: Add full paths set from [pathfinding.cloud](https://pathfinding.cloud/) [(#10008)](https://github.com/prowler-cloud/prowler/pull/10008)
+- Support CSA CCM 4.0 for the AWS provider [(#10018)](https://github.com/prowler-cloud/prowler/pull/10018)
+- Support CSA CCM 4.0 for the GCP provider [(#10042)](https://github.com/prowler-cloud/prowler/pull/10042)
+- Support CSA CCM 4.0 for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- Support CSA CCM 4.0 for the Oracle Cloud provider [(#10057)](https://github.com/prowler-cloud/prowler/pull/10057)
+- Support CSA CCM 4.0 for the Alibaba Cloud provider [(#10061)](https://github.com/prowler-cloud/prowler/pull/10061)
 - Attack Paths: Mark attack Paths scan as failed when Celery task fails outside job error handling [(#10065)](https://github.com/prowler-cloud/prowler/pull/10065)
 - Attack Paths: Remove legacy per-scan `graph_database` and `is_graph_database_deleted` fields from AttackPathsScan model [(#10077)](https://github.com/prowler-cloud/prowler/pull/10077)
 - Attack Paths: Add `graph_data_ready` field to decouple query availability from scan state [(#10089)](https://github.com/prowler-cloud/prowler/pull/10089)
+- AI agent guidelines with TDD and testing skills references [(#9925)](https://github.com/prowler-cloud/prowler/pull/9925)
 - Attack Paths: Upgrade Cartography from fork 0.126.1 to upstream 0.129.0 and Neo4j driver from 5.x to 6.x [(#10110)](https://github.com/prowler-cloud/prowler/pull/10110)
 - Attack Paths: Query results now filtered by provider, preventing future cross-tenant and cross-provider data leakage [(#10118)](https://github.com/prowler-cloud/prowler/pull/10118)
 - Attack Paths: Add private labels and properties in Attack Paths graphs for avoiding future overlapping with Cartography's ones [(#10124)](https://github.com/prowler-cloud/prowler/pull/10124)
 - Attack Paths: Query endpoint executes them in read only mode [(#10140)](https://github.com/prowler-cloud/prowler/pull/10140)
 - Attack Paths: `Accept` header query endpoints also accepts `text/plain`, supporting compact plain-text format for LLM consumption [(#10162)](https://github.com/prowler-cloud/prowler/pull/10162)
-- Bump Trivy from 0.69.1 to 0.69.2 [(#10210)](https://github.com/prowler-cloud/prowler/pull/10210)
 
 ### 🐞 Fixed
 
-- PDF compliance reports consistency with UI: exclude resourceless findings and fix ENS MANUAL status handling [(#10270)](https://github.com/prowler-cloud/prowler/pull/10270)
 - Attack Paths: Orphaned temporary Neo4j databases are now cleaned up on scan failure and provider deletion [(#10101)](https://github.com/prowler-cloud/prowler/pull/10101)
 - Attack Paths: scan no longer raises `DatabaseError` when provider is deleted mid-scan [(#10116)](https://github.com/prowler-cloud/prowler/pull/10116)
 - Tenant compliance summaries recalculated after provider deletion [(#10172)](https://github.com/prowler-cloud/prowler/pull/10172)
@@ -61,7 +46,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ---
 
-## [1.19.3] (Prowler v5.18.3)
+## [1.19.3] (Prowler UNRELEASED)
 
 ### 🐞 Fixed
 

api/Dockerfile

@@ -5,7 +5,7 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.69.1
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
 # hadolint ignore=DL3008
@@ -24,6 +24,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     python3-dev \
     && rm -rf /var/lib/apt/lists/*
 
+# Cartography depends on `dockerfile` which has no pre-built arm64 wheel and requires Go to compile
+# hadolint ignore=DL3008
+RUN if [ "$(uname -m)" = "aarch64" ]; then \
+        apt-get update && apt-get install -y --no-install-recommends golang-go \
+        && rm -rf /var/lib/apt/lists/* ; \
+    fi
+
 # Install PowerShell
 RUN ARCH=$(uname -m) && \
     if [ "$ARCH" = "x86_64" ]; then \

api/poetry.lock

@@ -1822,14 +1822,14 @@ crt = ["awscrt (==0.27.6)"]
 
 [[package]]
 name = "cartography"
-version = "0.132.0"
+version = "0.129.0"
 description = "Explore assets and their relationships across your technical infrastructure."
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "cartography-0.132.0-py3-none-any.whl", hash = "sha256:c070aa51d0ab4479cb043cae70b35e7df49f2fb5f1fa95ccf10000bbeb952262"},
-    {file = "cartography-0.132.0.tar.gz", hash = "sha256:7c6332bc57fd2629d7b83aee7bd95a7b2edb0d51ef746efa0461399e0b66625c"},
+    {file = "cartography-0.129.0-py3-none-any.whl", hash = "sha256:d42c840369be9e4d0ac4d024074e3732416e40bab3d9a3023b6a247918daed4c"},
+    {file = "cartography-0.129.0.tar.gz", hash = "sha256:cb47d603e652554a4cbcc1a868c96014eb02b3d5cc1affea0428b2ed7fa61699"},
 ]
 
 [package.dependencies]
@@ -1864,8 +1864,8 @@ boto3 = ">=1.15.1"
 botocore = ">=1.18.1"
 cloudflare = ">=4.1.0,<5.0.0"
 crowdstrike-falconpy = ">=0.5.1"
-cryptography = "*"
 dnspython = ">=1.15.0"
+dockerfile = ">=3.0.0"
 duo-client = "*"
 google-api-python-client = ">=1.7.8"
 google-auth = ">=2.37.0"
@@ -3095,6 +3095,21 @@ docs = ["myst-parser (==0.18.0)", "sphinx (==5.1.1)"]
 ssh = ["paramiko (>=2.4.3)"]
 websockets = ["websocket-client (>=1.3.0)"]
 
+[[package]]
+name = "dockerfile"
+version = "3.4.0"
+description = "Parse a dockerfile into a high-level representation using the official go parser."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_13_0_x86_64.whl", hash = "sha256:ed33446a76007cbb3f28c247f189cc06db34667d4f59a398a5c44912d7c13f36"},
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_14_0_arm64.whl", hash = "sha256:a4549d4f038483c25906d4fec56bb6ffe82ae26e0f80a15f2c0fedbb50712053"},
+    {file = "dockerfile-3.4.0-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:b95102bd82e6f67c836186b51c13114aa586a20e8cb6441bde24d4070542009d"},
+    {file = "dockerfile-3.4.0-cp39-abi3-win_amd64.whl", hash = "sha256:30202187f1885f99ac839fd41ca8150b2fd0a66fac12db0166361d0c4622e71a"},
+    {file = "dockerfile-3.4.0.tar.gz", hash = "sha256:238bb950985c55a525daef8bbfe994a0230aa0978c419f4caa4d9ce0a37343f1"},
+]
+
 [[package]]
 name = "dogpile-cache"
 version = "1.5.0"
@@ -9382,4 +9397,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "6e38c38b1f8dc05b881f49703fa445eec299527e6697992b18e4613534fbcdb6"
+content-hash = "42759b370c9e38da727e73f9d8ec0fa61bc6137eab18f11ccd7deff79a0dee69"

api/pyproject.toml

@@ -37,7 +37,7 @@ dependencies = [
   "matplotlib (>=3.10.6,<4.0.0)",
   "reportlab (>=4.4.4,<5.0.0)",
   "neo4j (>=6.0.0,<7.0.0)",
-  "cartography (==0.132.0)",
+  "cartography (==0.129.0)",
   "gevent (>=25.9.1,<26.0.0)",
   "werkzeug (>=3.1.4)",
   "sqlparse (>=0.5.4)",
@@ -49,7 +49,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.21.0"
+version = "1.20.0"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"

api/src/backend/api/attack_paths/queries/aws.py

@@ -16,7 +16,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
     description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
         MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
         WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
@@ -31,7 +32,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
 
         MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access
 
         UNWIND nodes(path_s3) + nodes(path_ec2) + nodes(path_role) + nodes(path_assume_role) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -179,12 +181,14 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find EC2 instances flagged as exposed to the internet within the selected account.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
         WHERE ec2.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -201,14 +205,16 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
     description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
         // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
         MATCH path_ec2 = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
         WHERE ec2.exposed_internet = true
             AND ir.range = "0.0.0.0/0"
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access
 
         UNWIND nodes(path_ec2) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -225,12 +231,14 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find Classic Load Balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
         WHERE elb.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elb)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elb)
+        YIELD rel AS can_access
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -247,12 +255,14 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
         WHERE elbv2.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elbv2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elbv2)
+        YIELD rel AS can_access
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -269,15 +279,31 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
     description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet
 
-        MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
-        WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
-           OR (x:EC2Instance AND x.publicipaddress = $ip)
-           OR (x:NetworkInterface AND x.public_ip = $ip)
-           OR (x:ElasticIPAddress AND x.public_ip = $ip)
+        CALL () {{
+            MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2PrivateIp)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(x)
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2Instance)-[q]-(y)
+            WHERE x.publicipaddress = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:NetworkInterface)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:ElasticIPAddress)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+        }}
+
+        WITH path, x, internet
+
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, x)
+        YIELD rel AS can_access
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})

api/src/backend/api/migrations/0084_googleworkspace_provider.py

@@ -1,39 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0083_image_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'googleworkspace';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]

api/src/backend/api/models.py

@@ -293,7 +293,6 @@ class Provider(RowLevelSecurityProtectedModel):
         CLOUDFLARE = "cloudflare", _("Cloudflare")
         OPENSTACK = "openstack", _("OpenStack")
         IMAGE = "image", _("Image")
-        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -343,15 +342,6 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
-    @staticmethod
-    def validate_googleworkspace_uid(value):
-        if not re.match(r"^C[0-9a-zA-Z]+$", value):
-            raise ModelValidationError(
-                detail="Google Workspace Customer ID must start with 'C' followed by one or more alphanumeric characters (e.g., C01234abc, C12345678).",
-                code="googleworkspace-uid",
-                pointer="/data/attributes/uid",
-            )
-
     @staticmethod
     def validate_kubernetes_uid(value):
         if not re.match(

api/src/backend/api/tests/test_utils.py

@@ -23,9 +23,6 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.googleworkspace.googleworkspace_provider import (
-    GoogleworkspaceProvider,
-)
 from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -116,7 +113,6 @@ class TestReturnProwlerProvider:
         [
             (Provider.ProviderChoices.AWS.value, AwsProvider),
             (Provider.ProviderChoices.GCP.value, GcpProvider),
-            (Provider.ProviderChoices.GOOGLEWORKSPACE.value, GoogleworkspaceProvider),
             (Provider.ProviderChoices.AZURE.value, AzureProvider),
             (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
             (Provider.ProviderChoices.M365.value, M365Provider),
@@ -252,10 +248,6 @@ class TestGetProwlerProviderKwargs:
                 Provider.ProviderChoices.GCP.value,
                 {"project_ids": ["provider_uid"]},
             ),
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                {},
-            ),
             (
                 Provider.ProviderChoices.KUBERNETES.value,
                 {"context": "provider_uid"},

api/src/backend/api/tests/test_views.py

@@ -1190,26 +1190,6 @@ class TestProviderViewSet:
                     "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                     "alias": "OpenStack Project",
                 },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C01234abc",
-                    "alias": "Google Workspace Customer",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12345678",
-                    "alias": "Google Workspace All Digits",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "CABCDEF123",
-                    "alias": "Google Workspace Uppercase",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12",
-                    "alias": "Google Workspace Minimum Length",
-                },
             ]
         ),
     )
@@ -1362,11 +1342,7 @@ class TestProviderViewSet:
         response = authenticated_client.post(
             reverse("provider-list"), data=provider_json_payload, format="json"
         )
-        assert response.status_code == status.HTTP_409_CONFLICT
-        error = response.json()["errors"][0]
-        assert error["detail"] == "Provider already exists."
-        assert error["code"] == "conflict"
-        assert error["source"]["pointer"] == "/data/attributes/uid"
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
 
         mock_delete_task.reset_mock()
         mock_delete_task.return_value = task_mock
@@ -1658,36 +1634,6 @@ class TestProviderViewSet:
                     "min_length",
                     "uid",
                 ),
-                # Google Workspace UID validation - missing 'C' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "01234abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - contains special characters
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "C0123-abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - lowercase 'c' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "c12345678",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
             ]
         ),
     )
@@ -1861,21 +1807,21 @@ class TestProviderViewSet:
                 (
                     "uid.icontains",
                     "1",
-                    11,
+                    10,
                 ),
                 ("alias", "aws_testing_1", 1),
                 ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 12),
+                ("inserted_at", TODAY, 11),
                 (
                     "inserted_at.gte",
                     "2024-01-01",
-                    12,
+                    11,
                 ),
                 ("inserted_at.lte", "2024-01-01", 0),
                 (
                     "updated_at.gte",
                     "2024-01-01",
-                    12,
+                    11,
                 ),
                 ("updated_at.lte", "2024-01-01", 0),
             ]
@@ -2491,15 +2437,6 @@ class TestProviderSecretViewSet:
                     "clouds_yaml_cloud": "mycloud",
                 },
             ),
-            # Google Workspace with service account credentials
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "credentials_content": '{"type": "service_account", "project_id": "test-project", "private_key_id": "key123", "private_key": "-----BEGIN PRIVATE KEY-----\\ntest\\n-----END PRIVATE KEY-----\\n", "client_email": "test@test-project.iam.gserviceaccount.com", "client_id": "123456789"}',
-                    "delegated_user": "admin@example.com",
-                },
-            ),
         ],
     )
     def test_provider_secrets_create_valid(

api/src/backend/api/utils.py

@@ -27,9 +27,6 @@ if TYPE_CHECKING:
     from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
     from prowler.providers.gcp.gcp_provider import GcpProvider
     from prowler.providers.github.github_provider import GithubProvider
-    from prowler.providers.googleworkspace.googleworkspace_provider import (
-        GoogleworkspaceProvider,
-    )
     from prowler.providers.iac.iac_provider import IacProvider
     from prowler.providers.image.image_provider import ImageProvider
     from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -86,7 +83,6 @@ def return_prowler_provider(
     | CloudflareProvider
     | GcpProvider
     | GithubProvider
-    | GoogleworkspaceProvider
     | IacProvider
     | ImageProvider
     | KubernetesProvider
@@ -101,7 +97,7 @@ def return_prowler_provider(
         provider (Provider): The provider object containing the provider type and associated secrets.
 
     Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
 
     Raises:
         ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -115,12 +111,6 @@ def return_prowler_provider(
             from prowler.providers.gcp.gcp_provider import GcpProvider
 
             prowler_provider = GcpProvider
-        case Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-            from prowler.providers.googleworkspace.googleworkspace_provider import (
-                GoogleworkspaceProvider,
-            )
-
-            prowler_provider = GoogleworkspaceProvider
         case Provider.ProviderChoices.AZURE.value:
             from prowler.providers.azure.azure_provider import AzureProvider
 
@@ -273,7 +263,6 @@ def initialize_prowler_provider(
     | CloudflareProvider
     | GcpProvider
     | GithubProvider
-    | GoogleworkspaceProvider
     | IacProvider
     | ImageProvider
     | KubernetesProvider
@@ -289,7 +278,7 @@ def initialize_prowler_provider(
         mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.
 
     Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
             initialized with the provider's secrets.
     """
     prowler_provider = return_prowler_provider(provider)

api/src/backend/api/v1/serializer_utils/providers.py

@@ -191,22 +191,6 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["service_account_key"],
             },
-            {
-                "type": "object",
-                "title": "Google Workspace Service Account",
-                "properties": {
-                    "credentials_content": {
-                        "type": "string",
-                        "description": "The service account JSON credentials content for Google Workspace API access with domain-wide delegation enabled.",
-                    },
-                    "delegated_user": {
-                        "type": "string",
-                        "format": "email",
-                        "description": "The email address of the Google Workspace super admin user to impersonate for domain-wide delegation.",
-                    },
-                },
-                "required": ["credentials_content", "delegated_user"],
-            },
             {
                 "type": "object",
                 "title": "Kubernetes Static Credentials",

api/src/backend/api/v1/serializers.py

@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import update_last_login
 from django.contrib.auth.password_validation import validate_password
-from django.core.exceptions import ValidationError as DjangoValidationError
 from django.db import IntegrityError
 from drf_spectacular.utils import extend_schema_field
 from jwt.exceptions import InvalidKeyError
@@ -960,26 +959,6 @@ class ProviderCreateSerializer(RLSSerializer, BaseWriteSerializer):
             },
         }
 
-    def create(self, validated_data):
-        try:
-            return super().create(validated_data)
-        except DjangoValidationError as e:
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-        except IntegrityError as e:
-            # Handle race conditions where the unique constraint is enforced at the DB level
-            # after validation has already passed.
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-
 
 class ProviderUpdateSerializer(BaseWriteSerializer):
     """
@@ -1541,8 +1520,6 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = AzureProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.GCP.value:
                 serializer = GCPProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-                serializer = GoogleWorkspaceProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.GITHUB.value:
                 serializer = GithubProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.IAC.value:
@@ -1678,14 +1655,6 @@ class GCPServiceAccountProviderSecret(serializers.Serializer):
         resource_name = "provider-secrets"
 
 
-class GoogleWorkspaceProviderSecret(serializers.Serializer):
-    credentials_content = serializers.CharField()
-    delegated_user = serializers.EmailField()
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class MongoDBAtlasProviderSecret(serializers.Serializer):
     atlas_public_key = serializers.CharField()
     atlas_private_key = serializers.CharField()

api/src/backend/api/v1/views.py

@@ -3,7 +3,6 @@ import glob
 import json
 import logging
 import os
-import time
 
 from collections import defaultdict
 from copy import deepcopy
@@ -408,7 +407,7 @@ class SchemaView(SpectacularAPIView):
 
     def get(self, request, *args, **kwargs):
         spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.21.0"
+        spectacular_settings.VERSION = "1.20.0"
         spectacular_settings.DESCRIPTION = (
             "Prowler API specification.\n\nThis file is auto-generated."
         )
@@ -2571,35 +2570,14 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
             provider_id,
         )
 
-        start = time.monotonic()
         graph = attack_paths_views_helpers.execute_query(
             database_name,
             query_definition,
             parameters,
             provider_id,
         )
-        query_duration = time.monotonic() - start
         graph_database.clear_cache(database_name)
 
-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "query_id": query_definition.id,
-                    "provider": query_definition.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
         status_code = status.HTTP_200_OK
         if not graph.get("nodes"):
             status_code = status.HTTP_404_NOT_FOUND
@@ -2640,35 +2618,13 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
         )
         provider_id = str(attack_paths_scan.provider_id)
 
-        start = time.monotonic()
         graph = attack_paths_views_helpers.execute_custom_query(
             database_name,
             serializer.validated_data["query"],
             provider_id,
         )
-        query_duration = time.monotonic() - start
         graph_database.clear_cache(database_name)
 
-        query_length = len(serializer.validated_data["query"])
-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_custom_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "provider": attack_paths_scan.provider.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "query_length": query_length,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
         status_code = status.HTTP_200_OK
         if not graph.get("nodes"):
             status_code = status.HTTP_404_NOT_FOUND

api/src/backend/config/custom_logging.py

@@ -2,7 +2,6 @@ import json
 import logging
 from enum import StrEnum
 
-
 from config.env import env
 from django_guid.log_filters import CorrelationId
 
@@ -63,8 +62,6 @@ class NDJSONFormatter(logging.Formatter):
             log_record["duration"] = record.duration
         if hasattr(record, "status_code"):
             log_record["status_code"] = record.status_code
-        if hasattr(record, "metadata"):
-            log_record["metadata"] = record.metadata
 
         if record.exc_info:
             log_record["exc_info"] = self.formatException(record.exc_info)
@@ -110,8 +107,6 @@ class HumanReadableFormatter(logging.Formatter):
             log_components.append(f"done in {record.duration}s:")
         if hasattr(record, "status_code"):
             log_components.append(f"{record.status_code}")
-        if hasattr(record, "metadata"):
-            log_components.append(f"metadata={record.metadata}")
 
         if record.exc_info:
             log_components.append(self.formatException(record.exc_info))

api/src/backend/conftest.py

@@ -543,12 +543,6 @@ def providers_fixture(tenants_fixture):
         alias="openstack_testing",
         tenant_id=tenant.id,
     )
-    provider12 = Provider.objects.create(
-        provider="googleworkspace",
-        uid="C12345678",
-        alias="googleworkspace_testing",
-        tenant_id=tenant.id,
-    )
 
     return (
         provider1,
@@ -562,7 +556,6 @@ def providers_fixture(tenants_fixture):
         provider9,
         provider10,
         provider11,
-        provider12,
     )
 
 

api/src/backend/tasks/jobs/attack_paths/aws.py

@@ -43,7 +43,6 @@ def start_aws_ingestion(
         "aws_guardduty_severity_threshold": cartography_config.aws_guardduty_severity_threshold,
         "aws_cloudtrail_management_events_lookback_hours": cartography_config.aws_cloudtrail_management_events_lookback_hours,
         "experimental_aws_inspector_batch": cartography_config.experimental_aws_inspector_batch,
-        "aws_tagging_api_cleanup_batch": cartography_config.aws_tagging_api_cleanup_batch,
     }
 
     boto3_session = get_boto3_session(prowler_api_provider, prowler_sdk_provider)
@@ -117,30 +116,6 @@ def start_aws_ingestion(
         neo4j_session,
         common_job_parameters,
     )
-
-    if all(
-        s in requested_syncs
-        for s in ["ecs", "ec2:load_balancer_v2", "ec2:load_balancer_v2:expose"]
-    ):
-        logger.info(
-            f"Syncing lb_container_exposure scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_container_exposure.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
-    if all(s in requested_syncs for s in ["ec2:network_acls", "ec2:load_balancer_v2"]):
-        logger.info(
-            f"Syncing lb_nacl_direct scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_nacl_direct.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
     db_utils.update_attack_paths_scan_progress(attack_paths_scan, 91)
 
     logger.info(f"Syncing metadata for AWS account {prowler_api_provider.uid}")
@@ -264,9 +239,8 @@ def sync_aws_account(
                 failed_syncs[func_name] = exception_message
 
                 logger.warning(
-                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}: {e}. "
-                    "Continuing to the next AWS sync function.",
-                    exc_info=True,
+                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}. We "
+                    "are continuing on to the next AWS sync function.",
                 )
 
                 continue

api/src/backend/tasks/jobs/attack_paths/scan.py

@@ -1,58 +1,3 @@
-"""
-Attack Paths scan orchestrator.
-
-Runs the full scan lifecycle for a single provider, called from a Celery task.
-The idea is simple: ingest everything into a throwaway Neo4j database, enrich
-it with Prowler-specific data, then swap it into the tenant's long-lived
-database so queries never see a half-built graph.
-
-Two databases are involved:
-- Temporary (db-tmp-scan-<attack_paths_scan_id>): short-lived, single-provider, dropped after sync.
-- Tenant (db-tenant-<tenant_uuid>): long-lived, multi-provider, what the API queries against.
-
-Pipeline steps:
-
-1. Resolve the Prowler provider and SDK credentials from the scan ID.
-   Retrieve or create the AttackPathsScan row. Exit early if the provider
-   type has no ingestion function (only AWS is supported today).
-
-2. Create a fresh temporary Neo4j database and set up Cartography indexes
-   plus ProwlerFinding indexes before writing any data.
-
-3. Run the provider-specific Cartography ingestion (e.g. aws.start_aws_ingestion).
-   This iterates over cloud services and writes the standard Cartography nodes
-   (AWSAccount, EC2Instance, IAMRole, etc.) and relationships (RESOURCE,
-   POLICY, STATEMENT, TRUSTS_AWS_PRINCIPAL, ...) into the temp database.
-   Wrapped in call_within_event_loop because some Cartography modules use async.
-
-4. Run Cartography post-processing: ontology for label propagation and
-   analysis for derived relationships.
-
-5. Create an Internet singleton node and add CAN_ACCESS relationships to
-   internet-exposed resources (EC2Instance, LoadBalancer, LoadBalancerV2).
-
-6. Stream Prowler findings from Postgres in batches. Each finding becomes a
-   ProwlerFinding node linked to its cloud-resource node via HAS_FINDING.
-   Before that, an _AWSResource label (provider-specific) is added to all
-   nodes connected to the AWSAccount so finding lookups can use an index.
-   Stale findings from previous scans are cleaned up.
-
-7. Sync the temp database into the tenant database:
-   - Drop the old provider subgraph (matched by _provider_id property).
-     graph_data_ready is set to False for all scans of this provider while
-     the swap happens so the API doesn't serve partial data.
-   - Copy nodes and relationships in batches. Every synced node gets a
-     _ProviderResource label and _provider_id / _provider_element_id
-     properties for multi-provider isolation.
-   - Set graph_data_ready back to True.
-
-8. Drop the temporary database, mark the AttackPathsScan as COMPLETED.
-
-On failure the temp database is dropped, the scan is marked FAILED, and the
-exception propagates to Celery.
-
-"""
-
 import logging
 import time
 
@@ -267,20 +212,18 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
         try:
             graph_database.drop_database(tmp_cartography_config.neo4j_database)
 
-        except Exception as e:
+        except Exception:
             logger.error(
-                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup: {e}",
-                exc_info=True,
+                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup"
             )
 
         try:
             db_utils.finish_attack_paths_scan(
                 attack_paths_scan, StateChoices.FAILED, ingestion_exceptions
             )
-        except Exception as e:
-            logger.error(
-                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted): {e}",
-                exc_info=True,
+        except Exception:
+            logger.warning(
+                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted)"
             )
 
         raise

api/src/backend/tasks/jobs/reports/ens.py

@@ -336,6 +336,7 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
         for req in data.requirements:
             if req.status == StatusChoices.MANUAL:
                 continue
+
             m = get_requirement_metadata(req.id, data.attributes_by_requirement_id)
             if m:
                 marco = getattr(m, "Marco", "Otros")
@@ -364,12 +365,9 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
                 elements.append(Paragraph(f"{categoria_name}", self.styles["h3"]))
 
                 for req in reqs:
-                    if req["status"] == StatusChoices.PASS:
-                        status_indicator = "✓"
-                    elif req["status"] == StatusChoices.MANUAL:
-                        status_indicator = "⊙"
-                    else:
-                        status_indicator = "✗"
+                    status_indicator = (
+                        "✓" if req["status"] == StatusChoices.PASS else "✗"
+                    )
                     nivel_badge = f"[{req['nivel'].upper()}]" if req["nivel"] else ""
                     elements.append(
                         Paragraph(
@@ -843,14 +841,11 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
             elements.append(Spacer(1, 0.15 * inch))
 
             # Status and Nivel badges row
-            status_text = str(req.status).upper()
-            status_color = (
-                COLOR_HIGH_RISK if req.status == StatusChoices.FAIL else COLOR_GRAY
-            )
+            status_color = COLOR_HIGH_RISK  # FAIL
             nivel_color = nivel_colors.get(nivel, COLOR_GRAY)
 
             badges_row1 = [
-                ["State:", status_text, "", f"Nivel: {nivel.upper()}"],
+                ["State:", "FAIL", "", f"Nivel: {nivel.upper()}"],
             ]
             badges_table1 = Table(
                 badges_row1,

api/src/backend/tasks/jobs/threatscore_utils.py

@@ -35,27 +35,19 @@ def _aggregate_requirement_statistics_from_database(
         }
     """
     requirement_statistics_by_check_id = {}
-    # TODO: take into account that now the relation is 1 finding == 1 resource, review this when the logic changes
+
     with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
         aggregated_statistics_queryset = (
             Finding.all_objects.filter(
-                tenant_id=tenant_id,
-                scan_id=scan_id,
-                muted=False,
-                resources__provider__is_deleted=False,
+                tenant_id=tenant_id, scan_id=scan_id, muted=False
             )
             .values("check_id")
             .annotate(
                 total_findings=Count(
                     "id",
-                    distinct=True,
                     filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
                 ),
-                passed_findings=Count(
-                    "id",
-                    distinct=True,
-                    filter=Q(status=StatusChoices.PASS),
-                ),
+                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
             )
         )
 

api/src/backend/tasks/tests/test_reports.py

@@ -29,7 +29,7 @@ from tasks.jobs.threatscore_utils import (
     _load_findings_for_requirement_checks,
 )
 
-from api.models import Finding, Resource, ResourceFindingMapping, StatusChoices
+from api.models import Finding, StatusChoices
 from prowler.lib.check.models import Severity
 
 matplotlib.use("Agg")  # Use non-interactive backend for tests
@@ -39,50 +39,43 @@ matplotlib.use("Agg")  # Use non-interactive backend for tests
 class TestAggregateRequirementStatistics:
     """Test suite for _aggregate_requirement_statistics_from_database function."""
 
-    def _create_finding_with_resource(
-        self, tenant, scan, uid, check_id, status, severity=Severity.high
-    ):
-        """Helper to create a finding linked to a resource (matching scan processing behavior)."""
-        finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            scan=scan,
-            uid=uid,
-            check_id=check_id,
-            status=status,
-            severity=severity,
-            impact=severity,
-            check_metadata={},
-            raw_result={},
-        )
-        resource = Resource.objects.create(
-            tenant_id=tenant.id,
-            provider=scan.provider,
-            uid=f"resource-{uid}",
-            name=f"resource-{uid}",
-            region="us-east-1",
-            service="test",
-            type="test::resource",
-        )
-        ResourceFindingMapping.objects.create(
-            tenant_id=tenant.id,
-            finding=finding,
-            resource=resource,
-        )
-        return finding
-
     def test_aggregates_findings_correctly(self, tenants_fixture, scans_fixture):
         """Verify correct pass/total counts per check are aggregated from database."""
         tenant = tenants_fixture[0]
         scan = scans_fixture[0]
 
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.PASS,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
         )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
         )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-3", "check_2", StatusChoices.PASS, Severity.medium
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-3",
+            check_id="check_2",
+            status=StatusChoices.PASS,
+            severity=Severity.medium,
+            impact=Severity.medium,
+            check_metadata={},
+            raw_result={},
         )
 
         result = _aggregate_requirement_statistics_from_database(
@@ -113,73 +106,17 @@ class TestAggregateRequirementStatistics:
         tenant = tenants_fixture[0]
         scan = scans_fixture[0]
 
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
         )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 0
-        assert result["check_1"]["total"] == 2
-
-    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
-        """Verify multiple findings for same check are correctly aggregated."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        for i in range(5):
-            self._create_finding_with_resource(
-                tenant,
-                scan,
-                f"finding-{i}",
-                "check_1",
-                StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
-            )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 3
-        assert result["check_1"]["total"] == 5
-
-    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
-        """Verify MANUAL status is not counted in total or passed."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.MANUAL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        # MANUAL findings are excluded from the aggregation query
-        # since it only counts PASS and FAIL statuses
-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
-
-    def test_excludes_findings_without_resources(self, tenants_fixture, scans_fixture):
-        """Verify findings without resources are excluded from aggregation."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Finding WITH resource → should be counted
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-
-        # Finding WITHOUT resource → should be EXCLUDED
         Finding.objects.create(
             tenant_id=tenant.id,
             scan=scan,
@@ -196,15 +133,40 @@ class TestAggregateRequirementStatistics:
             str(tenant.id), str(scan.id)
         )
 
-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
+        assert result["check_1"]["passed"] == 0
+        assert result["check_1"]["total"] == 2
 
-    def test_multiple_resources_no_double_count(self, tenants_fixture, scans_fixture):
-        """Verify a finding with multiple resources is only counted once."""
+    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
+        """Verify multiple findings for same check are correctly aggregated."""
         tenant = tenants_fixture[0]
         scan = scans_fixture[0]
 
-        finding = Finding.objects.create(
+        for i in range(5):
+            Finding.objects.create(
+                tenant_id=tenant.id,
+                scan=scan,
+                uid=f"finding-{i}",
+                check_id="check_1",
+                status=StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
+                severity=Severity.high,
+                impact=Severity.high,
+                check_metadata={},
+                raw_result={},
+            )
+
+        result = _aggregate_requirement_statistics_from_database(
+            str(tenant.id), str(scan.id)
+        )
+
+        assert result["check_1"]["passed"] == 3
+        assert result["check_1"]["total"] == 5
+
+    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
+        """Verify MANUAL status is counted in total but not passed."""
+        tenant = tenants_fixture[0]
+        scan = scans_fixture[0]
+
+        Finding.objects.create(
             tenant_id=tenant.id,
             scan=scan,
             uid="finding-1",
@@ -215,27 +177,24 @@ class TestAggregateRequirementStatistics:
             check_metadata={},
             raw_result={},
         )
-        # Link two resources to the same finding
-        for i in range(2):
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"resource-{i}",
-                name=f"resource-{i}",
-                region="us-east-1",
-                service="test",
-                type="test::resource",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id,
-                finding=finding,
-                resource=resource,
-            )
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.MANUAL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
+        )
 
         result = _aggregate_requirement_statistics_from_database(
             str(tenant.id), str(scan.id)
         )
 
+        # MANUAL findings are excluded from the aggregation query
+        # since it only counts PASS and FAIL statuses
         assert result["check_1"]["passed"] == 1
         assert result["check_1"]["total"] == 1
 

contrib/k8s/helm/prowler-app/.gitignore

@@ -1 +0,0 @@
-charts/

contrib/k8s/helm/prowler-app/Chart.yaml

@@ -13,8 +13,6 @@ keywords:
   - gcp
   - kubernetes
 maintainers:
-  - name: Dani
-    email: andre.gomes@promptlyhealth.com
   - name: Mihai
     email: mihai.legat@gmail.com
 dependencies:

dashboard/__main__.py

@@ -21,7 +21,7 @@ print(
     f"{Fore.GREEN}Loading all CSV files from the folder {folder_path_overview} ...\n{Style.RESET_ALL}"
 )
 cli.show_server_banner = lambda *x: click.echo(
-    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler Cloud{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler CLI{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
+    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler SaaS{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler Open Source{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
 )
 
 # Initialize the app - incorporate css

docs/developer-guide/checks.mdx

@@ -315,7 +315,6 @@ The type of resource being audited. This field helps categorize and organize fin
 - **Kubernetes**: Use types shown under `KIND` from `kubectl api-resources`.
 - **Oracle Cloud Infrastructure**: Use types from [Oracle Cloud Infrastructure documentation](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Search/Tasks/queryingresources_topic-Listing_Supported_Resource_Types.htm).
 - **OpenStack**: Use types from [OpenStack Heat resource types](https://docs.openstack.org/heat/latest/template_guide/openstack.html).
-- **Alibaba Cloud**: Use types from [Alibaba Cloud ROS resource types](https://www.alibabacloud.com/help/en/ros/developer-reference/list-of-resource-types-by-service).
 - **Any other provider**: Use `NotDefined` due to lack of standardized resource types in their SDK or documentation.
 
 #### ResourceGroup

docs/developer-guide/provider.mdx

@@ -3406,40 +3406,6 @@ Use existing providers as templates, this will help you to understand better the
 
     - **Use Rules**: Use rules to ensure the code generated by AI is following the way of working in Prowler.
 
----
-
-## OCSF Field Requirements for Prowler Cloud Integration
-
-When implementing a new provider that supports the `--push-to-cloud` feature, specific OCSF fields must be correctly populated to ensure proper findings ingestion into Prowler Cloud.
-
-### Required OCSF Fields
-
-The following fields in the OCSF output are critical for successful ingestion:
-
-| Field | Requirement | Description |
-|-------|-------------|-------------|
-| `provider_uid` | Must match the UID used when registering the provider in the API | This identifier links findings to the correct provider in Prowler Cloud |
-| `provider` | Must be the provider name | The name of the provider (e.g., `aws`, `azure`, `gcp`, `googleworkspace`) |
-| `finding_info.uid` | Must be unique | Each finding must have a unique identifier to avoid duplicates |
-| `resources.uid` | Must have a value | The resource UID cannot be empty; it identifies the specific resource being assessed |
-
-### Implementation Reference
-
-These fields are set in the OCSF output generation. See the [OCSF output implementation](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/outputs/ocsf/ocsf.py) for reference.
-
-### Validation Checklist
-
-Before releasing a new provider with `--push-to-cloud` support:
-
-- [ ] Verify `provider_uid` matches the UID used in the API to register the provider
-- [ ] Confirm `provider` field contains the correct provider name
-- [ ] Ensure all `finding_info.uid` values are unique across findings
-- [ ] Validate that `resources.uid` is populated for every finding
-
-<Tip>
-  Use `python scripts/validate_ocsf_output.py output/*.ocsf.json` to automate these checks.
-</Tip>
-
 ## Checklist for New Providers
 
 ### CLI Integration Only

docs/developer-guide/test-impact-analysis.mdx

@@ -1,315 +0,0 @@
----
-title: 'Test Impact Analysis'
----
-
-Test impact analysis (TIA) determines which tests to run based on the files changed in a pull request. Instead of running the full test suite on every pull request, TIA maps changed files to the specific Prowler SDK, API, and end-to-end (E2E) tests that cover them. This approach reduces continuous integration (CI) time and resource usage while maintaining confidence that relevant code paths are tested.
-
-## Architecture
-
-### Components
-
-| Component | Path | Role |
-|-----------|------|------|
-| Configuration | `.github/test-impact.yml` | Defines ignored, critical, and module path mappings |
-| Analysis engine | `.github/scripts/test-impact.py` | Python script that evaluates changed files against the configuration |
-| Reusable workflow | `.github/workflows/test-impact-analysis.yml` | GitHub Actions reusable workflow that orchestrates the analysis |
-| E2E consumer | `.github/workflows/ui-e2e-tests-v2.yml` | Consumes TIA outputs to run targeted Playwright tests |
-
-### Flow Diagram
-
-```
-PR opened/updated
-       |
-       v
-+-------------------------------+
-| tj-actions/changed-files      |  Gets list of changed files from PR
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| test-impact.py                |
-|                               |
-|  1. Filter ignored paths      |  docs/**, *.md, .gitignore, etc.
-|  2. Check critical paths      |  prowler/lib/**, ui/lib/**, .github/workflows/**
-|  3. Match modules             |  Map remaining files to module definitions
-|  4. Categorize tests          |  Split into sdk-tests, api-tests, ui-e2e
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| GitHub Actions Outputs        |
-|                               |
-|  run-all: true/false          |
-|  sdk-tests: "tests/providers/aws/**"
-|  api-tests: "api/src/backend/api/tests/**"
-|  ui-e2e: "ui/tests/providers/**"
-|  modules: "sdk-aws,ui-providers"
-|  has-tests: true/false        |
-|  has-sdk-tests: true/false    |
-|  has-api-tests: true/false    |
-|  has-ui-e2e: true/false       |
-+-------------------------------+
-       |
-       v
-+-------------------------------+
-| Consumer Workflows            |
-|                               |
-|  ui-e2e-tests-v2.yml:         |
-|    - Path resolution pipeline |
-|    - Playwright execution     |
-+-------------------------------+
-```
-
-## Configuration Reference
-
-The configuration lives in `.github/test-impact.yml` and contains three sections.
-
-### `ignored` — Paths That Never Trigger Tests
-
-Files matching these patterns are filtered out before any analysis takes place. This section is intended for non-code files.
-
-```yaml
-ignored:
-  paths:
-    - docs/**
-    - "*.md"
-    - .gitignore
-    - skills/**
-    - ui/tests/setups/**   # E2E auth setup helpers (not runnable tests)
-```
-
-### `critical` — Paths That Trigger All Tests
-
-If any changed file matches a critical path, the system short-circuits and outputs `run-all: true`. All downstream consumers then run their complete test suites.
-
-```yaml
-critical:
-  paths:
-    - prowler/lib/**           # SDK core
-    - ui/lib/**                # UI shared utilities
-    - ui/playwright.config.ts  # Test infrastructure
-    - .github/workflows/**     # CI changes
-    - .github/test-impact.yml  # This config itself
-```
-
-### `modules` — Path-to-Test Mappings
-
-Each module maps source file patterns to the tests that cover them.
-
-```yaml
-- name: ui-providers           # Unique identifier
-  match:                       # Source file glob patterns
-    - ui/components/providers/**
-    - ui/actions/providers/**
-    - ui/app/**/providers/**
-    - ui/tests/providers/**    # Test file changes also trigger themselves
-  tests: []                    # SDK/API unit test patterns (empty for UI modules)
-  e2e:                         # Playwright E2E test patterns
-    - ui/tests/providers/**
-```
-
-#### Module Schema
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `name` | `string` | Unique module identifier (for example, `sdk-aws`, `ui-providers`, `api-views`) |
-| `match` | `list[glob]` | Source file patterns that trigger this module |
-| `tests` | `list[glob]` | Prowler SDK (`tests/`) or API (`api/`) unit test patterns to run |
-| `e2e` | `list[glob]` | UI E2E test patterns (`ui/tests/`) to run |
-
-#### Module Categories
-
-- **`sdk-*`:** Provider and lib modules. These only produce `tests` output, not `e2e`.
-- **`api-*`:** API views, serializers, filters, and role-based access control (RBAC). These produce `tests` and sometimes `e2e` (API changes can affect UI flows).
-- **`ui-*`:** UI feature modules. These only produce `e2e` output, not `tests`.
-
-## Path Resolution Pipeline
-
-The E2E consumer workflow (`.github/workflows/ui-e2e-tests-v2.yml`, lines 202–253) transforms the `ui-e2e` output from glob patterns into paths that Playwright can execute. This transformation follows a multi-step shell pipeline.
-
-### Step 1: Check Run Mode
-
-```bash
-if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
-  pnpm run test:e2e    # Run everything, skip pipeline
-fi
-```
-
-### Step 2: Strip the `ui/` Prefix and `**` Suffix
-
-```bash
-# "ui/tests/providers/**" -> "tests/providers/"
-TEST_PATHS=$(echo "$E2E_TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g')
-```
-
-### Step 3: Filter Out Setup Paths
-
-```bash
-# Remove auth setup helpers (not runnable test suites)
-TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-```
-
-### Step 4: Safety Net for Bare `tests/`
-
-If the pattern `ui/tests/**` was present in the output (from a critical path or a broad module like `ui-shadcn`), it resolves to bare `tests/` after stripping. This would cause Playwright to discover setup files in `tests/setups/`, so it gets expanded instead:
-
-```bash
-if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-  # Expand to specific subdirs, excluding tests/setups/
-  for dir in tests/*/; do
-    [[ "$dir" == "tests/setups/" ]] && continue
-    SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"
-  done
-fi
-```
-
-### Step 5: Empty Directory Check
-
-Directories that do not contain any `.spec.ts` or `.test.ts` files are skipped. This handles forward-looking patterns where a module is configured but tests have not been written yet.
-
-```bash
-if find "$p" -name '*.spec.ts' -o -name '*.test.ts' | head -1 | grep -q .; then
-  VALID_PATHS="${VALID_PATHS}${p}"
-else
-  echo "Skipping empty test directory: $p"
-fi
-```
-
-### Step 6: Execute Playwright
-
-```bash
-pnpm exec playwright test $TEST_PATHS
-# For example: pnpm exec playwright test tests/providers/ tests/scans/
-```
-
-## Playwright Project Mapping
-
-Playwright discovers tests by scanning the directories passed to it. The `playwright.config.ts` file defines projects with `testMatch` patterns that control which spec files each project claims:
-
-```
-tests/providers/providers.spec.ts  -> "providers" project  -> depends on admin.auth.setup
-tests/scans/scans.spec.ts          -> "scans" project      -> depends on admin.auth.setup
-tests/sign-in-base/*.spec.ts       -> "sign-in-base"       -> no auth dependency
-tests/auth/*.spec.ts               -> "auth"               -> no auth dependency
-tests/sign-up/sign-up.spec.ts      -> "sign-up"            -> no auth dependency
-tests/invitations/invitations.spec.ts -> "invitations"      -> depends on admin.auth.setup
-```
-
-Auth setup projects (`admin.auth.setup`, `manage-scans.auth.setup`, and others) create authenticated browser state files. Projects that declare them as `dependencies` wait for the setup to complete before running.
-
-When TIA runs only `tests/providers/`, Playwright still automatically runs `admin.auth.setup` because the `providers` project declares it as a dependency.
-
-## Edge Cases and Known Considerations
-
-### Forward-Looking Patterns (Empty Test Directories)
-
-A module can reference `ui/tests/attack-paths/**` before any tests exist there. The empty directory check (step 5) gracefully skips it instead of failing.
-
-### Broad Patterns and the Safety Net
-
-Modules like `ui-shadcn` and `api-views` list every E2E test suite explicitly to avoid using `ui/tests/**`. If a broad pattern does produce bare `tests/`, the safety net expands it to specific subdirectories, excluding `tests/setups/`.
-
-### Setup Files and Auth Dependencies
-
-`ui/tests/setups/**` is listed in the `ignored` section and also filtered in the path resolution pipeline. This double protection ensures setup files are never passed as test targets to Playwright. Auth setups run only when declared as project dependencies.
-
-### Critical Path Triggering Run-All
-
-Changes to `.github/workflows/**` or `.github/test-impact.yml` trigger `run-all: true`. This means editing any workflow file (even unrelated ones) runs the full test suite. This behavior is intentional — CI infrastructure changes should be validated broadly.
-
-### Unmatched Files
-
-Files that do not match any ignored, critical, or module pattern produce no test output. The `has-tests` flag is set to `false` and consumer workflows skip entirely via the `skip-e2e` job.
-
-## Adding New Test Modules
-
-To add tests for a new UI feature (for example, `dashboards`):
-
-1. **Add the module to `.github/test-impact.yml`:**
-
-```yaml
-- name: ui-dashboards
-  match:
-    - ui/components/dashboards/**
-    - ui/actions/dashboards/**
-    - ui/app/**/dashboards/**
-    - ui/tests/dashboards/**
-  tests: []
-  e2e:
-    - ui/tests/dashboards/**
-```
-
-2. **Create the test directory and spec file:**
-
-```
-ui/tests/dashboards/dashboards.spec.ts
-```
-
-3. **Add a Playwright project in `ui/playwright.config.ts`:**
-
-```typescript
-{
-  name: "dashboards",
-  testMatch: "dashboards.spec.ts",
-  dependencies: ["admin.auth.setup"],  // if tests need auth
-},
-```
-
-4. **Register E2E paths in shared UI modules (if applicable):**
-
-   If the feature uses shared UI components, add the E2E path to the `ui-shadcn` module so that changes to shared components also trigger dashboard tests:
-
-```yaml
-- name: ui-shadcn
-  match:
-    - ui/components/shadcn/**
-    - ui/components/ui/**
-  e2e:
-    - ui/tests/dashboards/**   # Add here
-    # ... existing paths
-```
-
-5. **Register E2E paths in API modules (if applicable):**
-
-   If API changes affect this feature, add the E2E path to the relevant `api-*` module (for example, `api-views`).
-
-## Troubleshooting
-
-### Tests Not Running When Expected
-
-1. Check whether the changed file matches an `ignored` pattern. The script logs `[IGNORED]` to stderr.
-2. Verify the file matches a module's `match` pattern. To test locally, run:
-   ```bash
-   python .github/scripts/test-impact.py path/to/changed/file.ts
-   ```
-3. Confirm the module has non-empty `e2e` (for E2E) or `tests` (for unit tests).
-4. Check the `has-ui-e2e` output — the consumer workflow gates on this flag.
-
-### Unexpected Auth Setup Errors
-
-Auth setup projects run automatically when a test project declares them as `dependencies`. If auth failures occur:
-
-- **Verify secrets:** Confirm that the `E2E_ADMIN_USER` and `E2E_ADMIN_PASSWORD` secrets are set.
-- **Check setup file existence:** Ensure the auth setup file exists in `ui/tests/setups/`.
-- **Validate test match patterns:** Ensure the `testMatch` pattern in `playwright.config.ts` correctly matches the setup file.
-
-### "No Tests Found" Errors
-
-This typically means the path resolution pipeline produced valid directories but Playwright could not match any spec files to a project:
-
-- **Check project configuration:** Verify that `playwright.config.ts` has a project with a `testMatch` pattern for the spec files in that directory.
-- **Verify file naming:** Confirm the spec file naming matches the expected pattern (for example, `feature.spec.ts`).
-
-### "No Runnable E2E Test Paths After Filtering Setups"
-
-All resolved paths were under `tests/setups/`. This indicates the module's `e2e` patterns only point to setup files, which is a configuration error. The module should be updated to point to actual test directories.
-
-### Debugging Locally
-
-```bash
-# See what the analysis engine produces for specific files
-python .github/scripts/test-impact.py ui/components/providers/some-file.tsx
-
-# Output goes to stderr (analysis log) and GITHUB_OUTPUT (structured output)
-# Without the GITHUB_OUTPUT env var, results print to stderr only
-```

docs/docs.json

@@ -99,7 +99,7 @@
               },
               "user-guide/tutorials/prowler-app-rbac",
               "user-guide/tutorials/prowler-app-api-keys",
-              "user-guide/tutorials/prowler-app-import-findings",
+              "user-guide/tutorials/prowler-app-findings-ingestion",
               {
                 "group": "Mutelist",
                 "expanded": true,
@@ -117,13 +117,6 @@
                   "user-guide/tutorials/prowler-app-jira-integration"
                 ]
               },
-              {
-                "group": "AWS Organizations",
-                "expanded": true,
-                "pages": [
-                  "user-guide/tutorials/prowler-cloud-aws-organizations"
-                ]
-              },
               {
                 "group": "Lighthouse AI",
                 "pages": [
@@ -131,7 +124,6 @@
                   "user-guide/tutorials/prowler-app-lighthouse-multi-llm"
                 ]
               },
-              "user-guide/tutorials/prowler-app-attack-paths",
               "user-guide/tutorials/prowler-cloud-public-ips",
               {
                 "group": "Tutorials",

docs/getting-started/basic-usage/prowler-mcp-tools.mdx

@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 27 tools | Yes |
+| Prowler Cloud/App | 24 tools | Yes |
 
 ## Tool Naming Convention
 
@@ -80,14 +80,6 @@ Tools for managing finding muting, including pattern-based bulk muting (mutelist
 - **`prowler_app_update_mute_rule`** - Update a mute rule's name, reason, or enabled status
 - **`prowler_app_delete_mute_rule`** - Delete a mute rule from the system
 
-### Attack Paths Analysis
-
-Tools for analyzing privilege escalation chains and security misconfigurations using graph-based analysis. Attack Paths maps relationships between cloud resources, permissions, and security findings to detect how privileges can be escalated and how misconfigurations can be exploited.
-
-- **`prowler_app_list_attack_paths_scans`** - List Attack Paths scans with filtering by provider, provider type, and scan state (available, scheduled, executing, completed, failed, cancelled)
-- **`prowler_app_list_attack_paths_queries`** - Discover available Attack Paths queries for a completed scan, including query names, descriptions, and required parameters
-- **`prowler_app_run_attack_paths_query`** - Execute an Attack Paths query against a completed scan and retrieve graph results with nodes (cloud resources, findings, virtual nodes) and relationships (access paths, role assumptions, security group memberships)
-
 ### Compliance Management
 
 Tools for viewing compliance status and framework details across all cloud providers.

docs/getting-started/installation/prowler-app.mdx

@@ -23,15 +23,9 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
     ```bash
     VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
     curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
-    # Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
     curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
     docker compose up -d
     ```
-
-    <Callout icon="lock" iconType="regular" color="#e74c3c">
-      For a secure setup, the API auto-generates a unique key pair, `DJANGO_TOKEN_SIGNING_KEY` and `DJANGO_TOKEN_VERIFYING_KEY`, and stores it in `~/.config/prowler-api` (non-container) or the bound Docker volume in `_data/api` (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.
-    </Callout>
-
   </Tab>
   <Tab title="GitHub">
     _Requirements_:
@@ -121,8 +115,8 @@ To update the environment file:
 Edit the `.env` file and change version values:
 
 ```env
-PROWLER_UI_VERSION="5.19.0"
-PROWLER_API_VERSION="5.19.0"
+PROWLER_UI_VERSION="5.18.0"
+PROWLER_API_VERSION="5.18.0"
 ```
 
 <Note>

docs/getting-started/products/prowler-mcp.mdx

@@ -24,7 +24,6 @@ Full access to Prowler Cloud platform and self-managed Prowler App for:
 - **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments
 - **Resource Inventory**: Search and view detailed information about your audited resources
 - **Muting Management**: Create and manage muting lists/rules to suppress non-relevant findings
-- **Attack Paths Analysis**: Analyze privilege escalation chains and security misconfigurations through graph-based analysis of cloud resource relationships
 
 ### 2. Prowler Hub
 
@@ -62,7 +61,6 @@ The Prowler MCP Server enables powerful workflows through AI assistants:
 - "Show me all critical findings from my AWS production accounts"
 - "Register my new AWS account in Prowler and run a scheduled scan every day"
 - "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"
-- "Run an attack paths query to find EC2 instances exposed to the Internet with access to sensitive S3 buckets"
 
 **Security Research**
 - "Explain what the S3 bucket public access Prowler check does"

docs/images/organizations/onboarding-flow.svg

@@ -1,71 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1100 420" font-family="'Inter', 'Segoe UI', system-ui, -apple-system, sans-serif">
-  <defs>
-    <filter id="shadow" x="-4%" y="-4%" width="108%" height="108%">
-      <feDropShadow dx="0" dy="2" stdDeviation="3" flood-opacity="0.08"/>
-    </filter>
-  </defs>
-
-  <!-- Title -->
-  <text x="550" y="40" text-anchor="middle" font-size="22" font-weight="700" fill="#4285F4">Onboarding Flow</text>
-
-  <!-- Step 1 -->
-  <rect x="30" y="70" width="220" height="220" rx="12" fill="#fff" stroke="#4285F4" stroke-width="2.5" stroke-dasharray="8 4" filter="url(#shadow)"/>
-  <circle cx="140" cy="100" r="22" fill="#4285F4"/>
-  <text x="140" y="107" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">1</text>
-  <text x="140" y="145" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Create Management</text>
-  <text x="140" y="165" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Account Role</text>
-  <rect x="60" y="185" width="160" height="24" rx="12" fill="#E8F0FE"/>
-  <text x="140" y="201" text-anchor="middle" font-size="11" font-weight="600" fill="#4285F4">Quick Create or Manual</text>
-  <text x="140" y="232" text-anchor="middle" font-size="12" fill="#5f6368">Allows Prowler to</text>
-  <text x="140" y="248" text-anchor="middle" font-size="12" fill="#5f6368">discover your org</text>
-  <text x="140" y="264" text-anchor="middle" font-size="12" fill="#5f6368">structure</text>
-
-  <!-- Arrow 1→2 -->
-  <path d="M260 180 L290 180" stroke="#9aa0a6" stroke-width="2" fill="none" marker-end="url(#arrowhead)"/>
-  <defs>
-    <marker id="arrowhead" markerWidth="10" markerHeight="7" refX="9" refY="3.5" orient="auto">
-      <polygon points="0 0, 10 3.5, 0 7" fill="#9aa0a6"/>
-    </marker>
-  </defs>
-
-  <!-- Step 2 -->
-  <rect x="300" y="70" width="220" height="220" rx="12" fill="#fff" stroke="#7B61FF" stroke-width="2.5" filter="url(#shadow)"/>
-  <circle cx="410" cy="100" r="22" fill="#7B61FF"/>
-  <text x="410" y="107" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">2</text>
-  <text x="410" y="145" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Deploy StackSet</text>
-  <rect x="340" y="165" width="140" height="24" rx="12" fill="#F3F0FF"/>
-  <text x="410" y="181" text-anchor="middle" font-size="11" font-weight="600" fill="#7B61FF">In AWS Console</text>
-  <text x="410" y="212" text-anchor="middle" font-size="12" fill="#5f6368">Creates ProwlerScan</text>
-  <text x="410" y="228" text-anchor="middle" font-size="12" fill="#5f6368">role in every</text>
-  <text x="410" y="244" text-anchor="middle" font-size="12" fill="#5f6368">member account</text>
-
-  <!-- Arrow 2→3 -->
-  <path d="M530 180 L560 180" stroke="#9aa0a6" stroke-width="2" fill="none" marker-end="url(#arrowhead)"/>
-
-  <!-- Step 3 -->
-  <rect x="570" y="70" width="220" height="220" rx="12" fill="#fff" stroke="#00BFA5" stroke-width="2.5" filter="url(#shadow)"/>
-  <circle cx="680" cy="100" r="22" fill="#00BFA5"/>
-  <text x="680" y="107" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">3</text>
-  <text x="680" y="145" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Run the Wizard</text>
-  <rect x="615" y="165" width="130" height="24" rx="12" fill="#E0F7F4"/>
-  <text x="680" y="181" text-anchor="middle" font-size="11" font-weight="600" fill="#00BFA5">In Prowler Cloud</text>
-  <text x="680" y="212" text-anchor="middle" font-size="12" fill="#5f6368">Discovers accounts,</text>
-  <text x="680" y="228" text-anchor="middle" font-size="12" fill="#5f6368">tests connections</text>
-
-  <!-- Arrow 3→4 -->
-  <path d="M800 180 L830 180" stroke="#9aa0a6" stroke-width="2" fill="none" marker-end="url(#arrowhead)"/>
-
-  <!-- Step 4 -->
-  <rect x="840" y="70" width="220" height="220" rx="12" fill="#fff" stroke="#F9AB00" stroke-width="2.5" filter="url(#shadow)"/>
-  <circle cx="950" cy="100" r="22" fill="#F9AB00"/>
-  <text x="950" y="107" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">4</text>
-  <text x="950" y="145" text-anchor="middle" font-size="15" font-weight="700" fill="#1a1a2e">Launch Scans</text>
-  <rect x="898" y="165" width="104" height="24" rx="12" fill="#FEF7E0"/>
-  <text x="950" y="181" text-anchor="middle" font-size="11" font-weight="600" fill="#F9AB00">Automatic</text>
-  <text x="950" y="212" text-anchor="middle" font-size="12" fill="#5f6368">Scans run on all</text>
-  <text x="950" y="228" text-anchor="middle" font-size="12" fill="#5f6368">connected accounts</text>
-  <text x="950" y="244" text-anchor="middle" font-size="12" fill="#5f6368">on your schedule</text>
-
-  <!-- Footer -->
-  <text x="550" y="340" text-anchor="middle" font-size="13" fill="#9aa0a6">Steps 1 and 2 are done once in AWS  |  Steps 3 and 4 are done in Prowler Cloud</text>
-</svg>

docs/images/organizations/two-roles-architecture.svg

@@ -1,96 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1100 520" font-family="'Inter', 'Segoe UI', system-ui, -apple-system, sans-serif">
-  <defs>
-    <filter id="shadow" x="-4%" y="-4%" width="108%" height="108%">
-      <feDropShadow dx="0" dy="2" stdDeviation="4" flood-opacity="0.08"/>
-    </filter>
-    <linearGradient id="mgmtHeader" x1="0" y1="0" x2="1" y2="0">
-      <stop offset="0%" stop-color="#4285F4"/>
-      <stop offset="100%" stop-color="#5E97F6"/>
-    </linearGradient>
-    <linearGradient id="memberHeader" x1="0" y1="0" x2="1" y2="0">
-      <stop offset="0%" stop-color="#00BFA5"/>
-      <stop offset="100%" stop-color="#1DE9B6"/>
-    </linearGradient>
-  </defs>
-
-  <!-- Title -->
-  <text x="550" y="36" text-anchor="middle" font-size="22" font-weight="700" fill="#4285F4">Two Roles Architecture</text>
-
-  <!-- ===== Management Account Card ===== -->
-  <rect x="30" y="60" width="440" height="380" rx="14" fill="#fff" stroke="#4285F4" stroke-width="2" filter="url(#shadow)"/>
-  <!-- Header bar -->
-  <rect x="30" y="60" width="440" height="44" rx="14" fill="url(#mgmtHeader)"/>
-  <rect x="30" y="90" width="440" height="14" fill="url(#mgmtHeader)"/>
-  <text x="250" y="88" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">Management Account</text>
-
-  <!-- Inner card -->
-  <rect x="50" y="118" width="400" height="300" rx="10" fill="#F0F4FF" stroke="#C5D6F7" stroke-width="1"/>
-
-  <text x="250" y="148" text-anchor="middle" font-size="15" font-weight="700" fill="#4285F4">Management Role</text>
-
-  <!-- Purpose -->
-  <text x="70" y="178" font-size="13" font-weight="700" fill="#1a1a2e">Purpose:</text>
-  <text x="70" y="196" font-size="12" fill="#5f6368">Discover Organization structure + scan management account</text>
-
-  <!-- Permissions -->
-  <text x="70" y="222" font-size="13" font-weight="700" fill="#1a1a2e">Permissions:</text>
-  <text x="82" y="240" font-size="11" fill="#5f6368">SecurityAudit  (AWS managed policy)</text>
-  <text x="82" y="256" font-size="11" fill="#5f6368">ViewOnlyAccess  (AWS managed policy)</text>
-  <text x="82" y="272" font-size="11" fill="#5f6368">Additional read-only  (inline policy)</text>
-  <text x="82" y="288" font-size="11" fill="#4285F4" font-weight="600">organizations:DescribeAccount</text>
-  <text x="82" y="304" font-size="11" fill="#4285F4" font-weight="600">organizations:DescribeOrganization</text>
-  <text x="82" y="320" font-size="11" fill="#4285F4" font-weight="600">organizations:ListAccounts</text>
-  <text x="82" y="336" font-size="11" fill="#4285F4" font-weight="600">organizations:ListAccountsForParent</text>
-  <text x="82" y="352" font-size="11" fill="#4285F4" font-weight="600">organizations:ListOrganizationalUnitsForParent</text>
-  <text x="82" y="368" font-size="11" fill="#4285F4" font-weight="600">organizations:ListRoots</text>
-  <text x="82" y="384" font-size="11" fill="#4285F4" font-weight="600">organizations:ListTagsForResource</text>
-
-  <!-- Deploy badge -->
-  <rect x="115" y="400" width="270" height="28" rx="14" fill="#FFF3E0" stroke="#F9AB00" stroke-width="1.5"/>
-  <text x="250" y="419" text-anchor="middle" font-size="12" font-weight="700" fill="#E65100">Deploy: Quick Create link or Manual</text>
-
-  <!-- ===== Prowler Cloud connector ===== -->
-  <rect x="490" y="195" width="120" height="36" rx="8" fill="#F5F5F5" stroke="#E0E0E0" stroke-width="1"/>
-  <text x="550" y="218" text-anchor="middle" font-size="12" font-weight="600" fill="#5f6368">Prowler Cloud</text>
-
-  <!-- Connector lines -->
-  <line x1="490" y1="213" x2="470" y2="213" stroke="#9aa0a6" stroke-width="1.5" stroke-dasharray="4 3"/>
-  <line x1="610" y1="213" x2="630" y2="213" stroke="#9aa0a6" stroke-width="1.5" stroke-dasharray="4 3"/>
-
-  <!-- ===== Member Accounts Card ===== -->
-  <rect x="630" y="60" width="440" height="380" rx="14" fill="#fff" stroke="#00BFA5" stroke-width="2" filter="url(#shadow)"/>
-  <!-- Header bar -->
-  <rect x="630" y="60" width="440" height="44" rx="14" fill="url(#memberHeader)"/>
-  <rect x="630" y="90" width="440" height="14" fill="url(#memberHeader)"/>
-  <text x="850" y="88" text-anchor="middle" font-size="16" font-weight="700" fill="#fff">Member Accounts</text>
-
-  <!-- Inner card -->
-  <rect x="650" y="118" width="400" height="300" rx="10" fill="#E8F8F5" stroke="#B2DFDB" stroke-width="1"/>
-
-  <text x="850" y="148" text-anchor="middle" font-size="15" font-weight="700" fill="#00897B">ProwlerScan Role  (per account)</text>
-
-  <!-- Purpose -->
-  <text x="670" y="178" font-size="13" font-weight="700" fill="#1a1a2e">Purpose:</text>
-  <text x="670" y="196" font-size="12" fill="#5f6368">Security scanning of each account</text>
-
-  <!-- Permissions -->
-  <text x="670" y="222" font-size="13" font-weight="700" fill="#1a1a2e">Permissions:</text>
-  <text x="682" y="240" font-size="11" fill="#5f6368">SecurityAudit  (AWS managed policy)</text>
-  <text x="682" y="256" font-size="11" fill="#5f6368">ViewOnlyAccess  (AWS managed policy)</text>
-  <text x="682" y="272" font-size="11" fill="#5f6368">Additional read-only  (inline policy)</text>
-
-  <!-- Scope -->
-  <text x="670" y="302" font-size="13" font-weight="700" fill="#1a1a2e">Scope:</text>
-  <text x="682" y="320" font-size="12" fill="#5f6368">Read-only access across all AWS services</text>
-  <text x="682" y="338" font-size="12" fill="#5f6368">No write or modify permissions</text>
-
-  <!-- Deploy badge -->
-  <rect x="735" y="400" width="230" height="28" rx="14" fill="#E8F5E9" stroke="#66BB6A" stroke-width="1.5"/>
-  <text x="850" y="419" text-anchor="middle" font-size="12" font-weight="700" fill="#2E7D32">Deploy: via CloudFormation StackSet</text>
-
-  <!-- Footer labels -->
-  <text x="250" y="478" text-anchor="middle" font-size="14" font-weight="700" fill="#4285F4">Prowler discovers</text>
-  <text x="250" y="496" text-anchor="middle" font-size="12" fill="#5f6368">your org structure</text>
-  <text x="850" y="478" text-anchor="middle" font-size="14" font-weight="700" fill="#00BFA5">Prowler scans each</text>
-  <text x="850" y="496" text-anchor="middle" font-size="12" fill="#5f6368">account for findings</text>
-</svg>