fix(ui): animate finding group collapse

- Keep after-row content mounted during exit - Animate inline resource container close state - Preserve existing finding group table behavior
feat(ui): add Combobox trigger transition
2026-06-09 21:04:53 +00:00 · 2026-06-05 14:55:00 +02:00 · 2026-06-05 14:54:52 +02:00 · 2026-06-05 14:54:45 +02:00 · 2026-06-05 14:54:37 +02:00 · 2026-06-05 14:49:09 +02:00
706 changed files with 38761 additions and 4693 deletions
@@ -0,0 +1,17 @@
+{
+  "name": "prowler-plugins",
+  "description": "Prowler Cloud Security for Claude Code",
+  "owner": {
+    "name": "Prowler",
+    "email": "support@prowler.com"
+  },
+  "plugins": [
+    {
+      "name": "prowler",
+      "source": "./claude_plugins/prowler",
+      "description": "Prowler for Claude Code — cloud security and compliance skills powered by the Prowler MCP server. Bundles compliance triage and remediation; more skills coming.",
+      "category": "security",
+      "homepage": "https://prowler.com"
+    }
+  ]
+}
@@ -11,7 +11,14 @@ envs = "wt step copy-ignored"
 [[pre-start]]
 deps = "uv sync"

-# Block 3: reminder - last visible output before `wt switch` returns.
+# Block 3: prepare pnpm via corepack.
+[[pre-start]]
+corepack-enable = "corepack enable"
+
+[[pre-start]]
+corepack-install = "cd ui && corepack install"
+
+# Block 4: reminder - last visible output before `wt switch` returns.
 # Hooks can't mutate the parent shell, so venv activation is manual.
 [[pre-start]]
 reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.27.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.29.0

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -6,17 +6,17 @@
 version: 2
 updates:
  # v5
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pip"
-    cooldown:
-      default-days: 7
+  # - package-ecosystem: "pip"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 25
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "pip"
+  #   cooldown:
+  #     default-days: 7

  # Dependabot Updates are temporary disabled - 2025/03/19
  # - package-ecosystem: "pip"
@@ -66,17 +66,17 @@ updates:
    cooldown:
      default-days: 7

-  - package-ecosystem: "pre-commit"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pre-commit"
-    cooldown:
-      default-days: 7
+  # - package-ecosystem: "pre-commit"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "monthly"
+  #   open-pull-requests-limit: 25
+  #   target-branch: master
+  #   labels:
+  #     - "dependencies"
+  #     - "pre-commit"
+  #   cooldown:
+  #     default-days: 7

  # Dependabot Updates are temporary disabled - 2025/04/15
  # v4.6
@@ -0,0 +1,140 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:best-practices",
+    ":enablePreCommit",
+    ":semanticCommits",
+    ":enableVulnerabilityAlertsWithLabel(security)",
+    "docker:enableMajor",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "helpers:disableTypesNodeMajor",
+    "security:openssf-scorecard",
+    "customManagers:githubActionsVersions",
+    "customManagers:dockerfileVersions"
+  ],
+  "timezone": "Europe/Madrid",
+  "baseBranchPatterns": [
+    "master"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "dependencyDashboardTitle": "Dependency Dashboard",
+  "prConcurrentLimit": 20,
+  "prHourlyLimit": 10,
+  "vulnerabilityAlerts": {
+    "prHourlyLimit": 0,
+    "prConcurrentLimit": 0
+  },
+  "configMigration": true,
+  "minimumReleaseAge": "7 days",
+  "rangeStrategy": "pin",
+  "packageRules": [
+    {
+      "description": "Patches: 1st of every month, Madrid overnight window (22:00-06:00)",
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "schedule": [
+        "* 22-23,0-5 1 * *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Minors: 8th of every 3 months, Madrid overnight window (22:00-06:00)",
+      "matchUpdateTypes": [
+        "minor"
+      ],
+      "schedule": [
+        "* 22-23,0-5 8 */3 *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Majors: 15th of every 3 months, Madrid overnight window",
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "schedule": [
+        "* 22-23,0-5 15 */3 *"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "GitHub Actions - single grouped PR, no changelog, scope=ci",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions",
+      "semanticCommitScope": "ci",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "Docker images - single grouped PR, no changelog, scope=docker",
+      "matchManagers": [
+        "dockerfile",
+        "docker-compose"
+      ],
+      "groupName": "docker",
+      "semanticCommitScope": "docker",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "Pre-commit hooks - single grouped PR, scope=pre-commit",
+      "matchManagers": [
+        "pre-commit"
+      ],
+      "groupName": "pre-commit hooks",
+      "semanticCommitScope": "pre-commit",
+      "addLabels": [
+        "no-changelog"
+      ]
+    },
+    {
+      "description": "UI - scope=ui",
+      "matchFileNames": [
+        "ui/**"
+      ],
+      "semanticCommitScope": "ui"
+    },
+    {
+      "description": "API - scope=api",
+      "matchFileNames": [
+        "api/**"
+      ],
+      "semanticCommitScope": "api"
+    },
+    {
+      "description": "MCP server - scope=mcp",
+      "matchFileNames": [
+        "mcp_server/**"
+      ],
+      "semanticCommitScope": "mcp"
+    },
+    {
+      "description": "Python SDK (root) - scope=sdk",
+      "matchFileNames": [
+        "pyproject.toml",
+        "poetry.lock",
+        "util/prowler-bulk-provisioning/**"
+      ],
+      "semanticCommitScope": "sdk"
+    },
+    {
+      "description": "UI devDependencies - no changelog",
+      "matchFileNames": [
+        "ui/**"
+      ],
+      "matchDepTypes": [
+        "devDependencies"
+      ],
+      "addLabels": [
+        "no-changelog"
+      ]
+    }
+  ]
+}
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -53,7 +53,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -44,7 +44,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -61,12 +61,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -46,7 +46,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block

@@ -65,7 +65,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -108,7 +108,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -122,6 +122,7 @@ jobs:
            github.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            pypi.org:443
            registry-1.docker.io:443
            release-assets.githubusercontent.com:443
@@ -132,14 +133,18 @@ jobs:
        with:
          persist-credentials: false

-      - name: Pin prowler SDK to latest master commit
-        if: github.event_name == 'push'
+      - name: Refresh prowler SDK pin to current branch tip
        run: |
-          LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
-          sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
+          # api/pyproject.toml has `@master` on master and `@v5.X` on release
+          # branches (set by prepare-release.yml). uv lock --upgrade-package
+          # re-resolves whichever ref is present against the current branch tip
+          # and writes the SHA into api/uv.lock. The Dockerfile runs
+          # `uv sync --locked`, which is what actually drives the install.
+          pip install --no-cache-dir "uv==0.11.14"
+          (cd api && uv lock --upgrade-package prowler)

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -150,7 +155,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -170,7 +175,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -179,8 +184,9 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -230,7 +236,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -277,7 +283,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/Dockerfile

@@ -72,7 +72,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -83,6 +83,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            debian.map.fastlydns.net:80
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
@@ -103,7 +104,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/**
          files_ignore: |
@@ -118,7 +119,7 @@ jobs:

      - name: Build container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -50,7 +50,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -73,7 +73,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -78,7 +78,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -102,7 +102,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -75,7 +75,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -139,6 +139,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -155,7 +166,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for next versions to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -191,7 +202,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -240,6 +251,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -249,7 +271,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for first patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -285,7 +307,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -341,6 +363,17 @@ jobs:
          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml

+      - name: Regenerate lockfiles after version bump
+        run: |
+          set -e
+          # The bumps above edit pyproject.toml / api/pyproject.toml but leave
+          # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in
+          # the container builds. Refresh both with the uv version the images
+          # pin (plain `uv lock`, no --upgrade: only the version line changes).
+          pip install --no-cache-dir "uv==0.11.14"
+          uv lock
+          (cd api && uv lock)
+
      - name: Bump UI version (.env)
        run: |
          set -e
@@ -350,7 +383,7 @@ jobs:
        run: git --no-pager diff

      - name: Create PR for next patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -51,6 +51,6 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
        with:
          token: ${{ github.token }}
@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          # We can't block as Trufflehog needs to verify secrets against vendors
          egress-policy: audit
@@ -44,6 +44,6 @@ jobs:

      - name: Scan diff for secrets with TruffleHog
        # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags.
-        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
        with:
          extra_args: --results=verified,unknown
@@ -33,7 +33,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -22,7 +22,7 @@ jobs:
      issues: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
      title: ${{ steps.compute-text.outputs.title }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Check workflow file timestamps
@@ -135,12 +135,12 @@ jobs:
      secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Checkout repository
@@ -870,12 +870,12 @@ jobs:
      total_count: ${{ steps.missing_tool.outputs.total_count }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -982,12 +982,12 @@ jobs:
      success: ${{ steps.parse_results.outputs.success }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent artifacts
@@ -1091,12 +1091,12 @@ jobs:
      activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Add eyes reaction for immediate feedback
@@ -1164,12 +1164,12 @@ jobs:
      process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
+        uses: github/gh-aw/actions/setup@4d44d0e89851a877f4ddc0cb6c0197e42b1016c5 # v0.73.0
        with:
          destination: /opt/gh-aw/actions
      - name: Download agent output artifact
@@ -27,12 +27,12 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - name: Apply labels to PR
-        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
        with:
          sync-labels: true

@@ -46,7 +46,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -0,0 +1,60 @@
+name: 'Docs: Markdown Lint'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  markdown-lint:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: ui/.nvmrc
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
+          run_install: false
+
+      - name: Run markdownlint
+        # Pin must match .pre-commit-config.yaml so prek and CI behave identically.
+        # pnpm dlx doesn't accept --ignore-scripts as a flag; the env var
+        # disables postinstall scripts on transitives the same way.
+        env:
+          pnpm_config_ignore_scripts: 'true'
+        run: pnpm dlx markdownlint-cli@0.45.0 '**/*.md'
@@ -45,7 +45,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block

@@ -64,7 +64,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -106,7 +106,7 @@ jobs:
      packages: write
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -114,6 +114,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -125,7 +126,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -136,7 +137,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -164,18 +165,19 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -225,7 +227,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -272,7 +274,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/Dockerfile

@@ -71,7 +71,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -99,7 +99,7 @@ jobs:

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/**
          files_ignore: |
@@ -112,7 +112,7 @@ jobs:

      - name: Build MCP container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -113,7 +113,7 @@ jobs:

      - name: Publish prowler-mcp package to PyPI
        if: steps.pypi-check.outputs.skip != 'true'
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
          print-hash: true
@@ -0,0 +1,75 @@
+name: 'MCP: Security'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+    paths:
+      - 'mcp_server/pyproject.toml'
+      - 'mcp_server/uv.lock'
+      - '.github/workflows/mcp-security.yml'
+      - '.github/actions/osv-scanner/**'
+      - '.github/scripts/osv-scan.sh'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+    paths:
+      - 'mcp_server/pyproject.toml'
+      - 'mcp_server/uv.lock'
+      - '.github/workflows/mcp-security.yml'
+      - '.github/actions/osv-scanner/**'
+      - '.github/scripts/osv-scan.sh'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  mcp-security-scans:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            objects.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+            api.osv.dev:443
+            api.deps.dev:443
+            osv-vulnerabilities.storage.googleapis.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # zizmor: ignore[artipacked]
+          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+
+      - name: Check for MCP dependency changes
+        id: check-changes
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            mcp_server/pyproject.toml
+            mcp_server/uv.lock
+            .github/workflows/mcp-security.yml
+            .github/actions/osv-scanner/**
+            .github/scripts/osv-scan.sh
+
+      - name: Dependency vulnerability scan with osv-scanner
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: ./.github/actions/osv-scanner
+        with:
+          lockfile: mcp_server/uv.lock
@@ -48,7 +48,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -61,7 +61,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Build ${{ matrix.component }} container (linux/arm64)
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
@@ -83,7 +83,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -52,7 +52,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -35,7 +35,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            prowler/providers/**/services/**/*.metadata.json
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: '**'

@@ -26,7 +26,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
      pull-requests: write
    steps:
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
      with:
        egress-policy: audit

@@ -338,7 +338,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -0,0 +1,57 @@
+name: 'CI: Renovate Config Validate'
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - '.github/renovate.json'
+      - '.pre-commit-config.yaml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions: {}
+
+env:
+  # renovate: datasource=pypi depName=prek
+  PREK_VERSION: '0.4.0'
+
+jobs:
+  validate:
+    name: Validate Renovate config
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            codeload.github.com:443
+            release-assets.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            registry.npmjs.org:443
+            nodejs.org:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+
+      - name: Install prek
+        run: uv tool install "prek==${PREK_VERSION}"
+
+      - name: Validate Renovate config
+        run: prek run renovate-config-validator --files .github/renovate.json
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -32,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -48,7 +48,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -66,12 +66,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -60,7 +60,7 @@ jobs:
      contents: read
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -98,7 +98,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -141,7 +141,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -149,6 +149,7 @@ jobs:
            public.ecr.aws:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            auth.docker.io:443
            debian.map.fastlydns.net:80
            github.com:443
@@ -167,13 +168,13 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -187,7 +188,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -208,7 +209,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -216,19 +217,20 @@ jobs:
            auth.docker.io:443
            public.ecr.aws:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            api.ecr-public.us-east-1.amazonaws.com:443


      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -265,7 +267,7 @@ jobs:
      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
      - name: Login to DockerHub (toniblyx)
        if: needs.setup.outputs.latest_tag == 'latest'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
@@ -290,7 +292,7 @@ jobs:
      # Re-login as prowlercloud for cleanup of intermediate tags
      - name: Login to DockerHub (prowlercloud)
        if: always()
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -318,7 +320,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -41,7 +41,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -55,7 +55,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: Dockerfile

@@ -77,7 +77,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -85,6 +85,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
@@ -108,7 +109,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -137,7 +138,7 @@ jobs:

      - name: Build SDK container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: false
@@ -28,7 +28,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -66,7 +66,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -85,7 +85,7 @@ jobs:
        run: uv build

      - name: Publish Prowler package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          print-hash: true

@@ -102,7 +102,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -129,6 +129,6 @@ jobs:
        run: uv build

      - name: Publish prowler-cloud package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          print-hash: true
@@ -27,7 +27,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -47,7 +47,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -58,7 +58,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -55,7 +55,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -47,7 +47,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -69,7 +69,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files:
            ./**
@@ -32,7 +32,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -46,6 +46,7 @@ jobs:
            schema.ocsf.io:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            o26192.ingest.us.sentry.io:443
            management.azure.com:443
@@ -69,7 +70,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -102,7 +103,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/aws/**
@@ -232,7 +233,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/azure/**
@@ -256,7 +257,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/gcp/**
@@ -280,7 +281,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -304,7 +305,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/github/**
@@ -328,7 +329,7 @@ jobs:
      - name: Check if Okta files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-okta
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/okta/**
@@ -352,7 +353,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/nhn/**
@@ -376,7 +377,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/m365/**
@@ -400,7 +401,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/iac/**
@@ -424,7 +425,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -448,7 +449,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -472,7 +473,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/openstack/**
@@ -496,7 +497,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -520,7 +521,7 @@ jobs:
      - name: Check if Vercel files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-vercel
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/vercel/**
@@ -540,11 +541,59 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-vercel
          files: ./vercel_coverage.xml

+      # Scaleway Provider
+      - name: Check if Scaleway files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-scaleway
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/scaleway/**
+            ./tests/**/scaleway/**
+            ./uv.lock
+
+      - name: Run Scaleway tests
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/scaleway --cov-report=xml:scaleway_coverage.xml tests/providers/scaleway
+
+      - name: Upload Scaleway coverage to Codecov
+        if: steps.changed-scaleway.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-scaleway
+          files: ./scaleway_coverage.xml
+
+      # StackIT Provider
+      - name: Check if StackIT files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-stackit
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            ./prowler/**/stackit/**
+            ./tests/**/stackit/**
+            ./uv.lock
+
+      - name: Run StackIT tests
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        run: uv run pytest -n auto --cov=./prowler/providers/stackit --cov-report=xml:stackit_coverage.xml tests/providers/stackit
+
+      - name: Upload StackIT coverage to Codecov
+        if: steps.changed-stackit.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-stackit
+          files: ./stackit_coverage.xml
+
      # Lib
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/lib/**
@@ -568,7 +617,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/config/**
@@ -52,7 +52,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -68,7 +68,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6

      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -47,7 +47,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -62,12 +62,12 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: '/language:${{ matrix.language }}'
@@ -48,7 +48,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -67,7 +67,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -110,12 +110,13 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            auth.docker.io:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
@@ -129,7 +130,7 @@ jobs:
          persist-credentials: false

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -140,7 +141,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -163,7 +164,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -172,9 +173,10 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443

      - name: Login to DockerHub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -224,7 +226,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -271,7 +273,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/Dockerfile

@@ -72,7 +72,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -100,7 +100,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/**
          files_ignore: |
@@ -114,7 +114,7 @@ jobs:

      - name: Build UI container
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -85,7 +85,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -172,7 +172,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: '24.13.0'
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -184,7 +184,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -204,7 +204,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -295,7 +295,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

@@ -39,7 +39,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -59,7 +59,7 @@ jobs:

      - name: Check for UI dependency changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/package.json
@@ -16,7 +16,6 @@ concurrency:

 env:
  UI_WORKING_DIR: ./ui
-  NODE_VERSION: "24.13.0"

 permissions: {}

@@ -32,7 +31,7 @@ jobs:

    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
@@ -54,7 +53,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**
@@ -67,7 +66,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**/*.ts
@@ -83,7 +82,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/lib/**
@@ -93,11 +92,11 @@ jobs:
            ui/vitest.config.ts
            ui/vitest.setup.ts

-      - name: Setup Node.js ${{ env.NODE_VERSION }}
+      - name: Setup Node.js
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: ${{ env.NODE_VERSION }}
+          node-version-file: 'ui/.nvmrc'

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -113,7 +112,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -162,7 +161,7 @@ jobs:
      - name: Cache Playwright browsers
        if: steps.check-changes.outputs.any_changed == 'true'
        id: playwright-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-chromium-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -60,7 +60,6 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
-.mcp.json

 # AI Coding Assistants - Cursor
 .cursorignore
@@ -0,0 +1,10 @@
+{
+  "extends": "markdownlint/style/prettier",
+  "first-line-h1": false,
+  "no-duplicate-heading": {
+    "siblings_only": true
+  },
+  "no-inline-html": false,
+  "line-length": false,
+  "no-bare-urls": false
+}
@@ -0,0 +1,16 @@
+node_modules/
+ui/node_modules/
+.git/
+.venv/
+**/.venv/
+dist/
+build/
+htmlcov/
+.next/
+ui/.next/
+ui/out/
+contrib/
+
+# Auto-generated content (keepachangelog format legitimately repeats section headings).
+# Revisit with the team — see beads task on markdownlint rule triage.
+**/CHANGELOG.md
@@ -49,6 +49,14 @@ repos:
        files: ^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$
        priority: 30

+  ## RENOVATE
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 43.150.0
+    hooks:
+      - id: renovate-config-validator
+        files: ^\.github/renovate\.json$
+        priority: 10
+
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
@@ -125,6 +133,13 @@ repos:
        pass_filenames: false
        priority: 50

+  ## MARKDOWN
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        priority: 30
+
  ## CONTAINERS
  - repo: https://github.com/hadolint/hadolint
    rev: v2.14.0
@@ -1,2 +1,3 @@
 .envrc
 ui/.env.local
+openspec/
@@ -11,6 +11,7 @@
 Use these skills for detailed patterns on-demand:

 ### Generic Skills (Any Project)
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
@@ -28,6 +29,7 @@ Use these skills for detailed patterns on-demand:
 | `tdd` | Test-Driven Development workflow | [SKILL.md](skills/tdd/SKILL.md) |

 ### Prowler-Specific Skills
+
 | Skill | Description | URL |
 |-------|-------------|-----|
 | `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
@@ -1,4 +1,4 @@
-# Do you want to learn on how to...
+# Do you want to learn on how to

 - [Contribute with your code or fixes to Prowler](https://docs.prowler.com/developer-guide/introduction)
 - [Create a new provider](https://docs.prowler.com/developer-guide/provider)
@@ -32,5 +32,6 @@ Provider-specific developer notes:

 Want some swag as appreciation for your contribution?

-# Prowler Developer Guide
-https://goto.prowler.com/devguide
+## Prowler Developer Guide
+
+<https://goto.prowler.com/devguide>
@@ -76,11 +76,11 @@ USER prowler
 WORKDIR /home/prowler

 # Copy necessary files
-COPY prowler/  /home/prowler/prowler/
-COPY dashboard/ /home/prowler/dashboard/
-COPY pyproject.toml uv.lock /home/prowler/
-COPY README.md /home/prowler/
-COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py
+COPY --chown=prowler:prowler prowler/  /home/prowler/prowler/
+COPY --chown=prowler:prowler dashboard/ /home/prowler/dashboard/
+COPY --chown=prowler:prowler pyproject.toml uv.lock /home/prowler/
+COPY --chown=prowler:prowler README.md /home/prowler/
+COPY --chown=prowler:prowler prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py

 # Install Python dependencies
 ENV HOME='/home/prowler'
@@ -89,7 +89,7 @@ ENV PATH="${HOME}/.local/bin:${PATH}"
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14

-RUN uv sync --compile-bytecode && \
+RUN uv sync --locked --compile-bytecode && \
    rm -rf ~/.cache/uv

 # Install PowerShell modules
@@ -100,4 +100,4 @@ RUN pip uninstall dash-html-components -y && \
    pip uninstall dash-core-components -y

 USER prowler
-ENTRYPOINT [".venv/bin/prowler"]
+ENTRYPOINT ["/home/prowler/.venv/bin/prowler"]
@@ -1,6 +1,6 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png#gh-light-mode-only" width="50%" height="50%">
+  <img align="center" alt="Prowler logo" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
@@ -22,8 +22,8 @@
  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
-  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img alt="Codecov coverage" src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img alt="Linux Foundation insights health score" src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,7 +36,7 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" alt="Prowler Cloud demo" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
 </p>

 # Description
@@ -122,6 +122,7 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
 | Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
+| StackIT [Contact us](https://prowler.com/contact) | 4 | 1 | 0 | 1 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -146,11 +147,11 @@ Prowler App offers flexible installation methods tailored to various environment

 ### Docker Compose

-**Requirements**
+#### Requirements

-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands**
+#### Commands

 ``` console
 VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
@@ -175,14 +176,14 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 ### From GitHub

-**Requirements**
+#### Requirements

-* `git` installed.
-* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
-* `Docker Compose` installed: https://docs.docker.com/compose/install/.
+- `git` installed.
+- `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+- `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+- `Docker Compose` installed: https://docs.docker.com/compose/install/.

-**Commands to run the API**
+#### Commands to run the API

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -199,7 +200,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

-**Commands to run the API Worker**
+#### Commands to run the API Worker

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -212,7 +213,7 @@ cd src/backend
 python -m celery -A config.celery worker -l info -E
 ```

-**Commands to run the API Scheduler**
+#### Commands to run the API Scheduler

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -225,7 +226,7 @@ cd src/backend
 python -m celery -A config.celery beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler
 ```

-**Commands to run the UI**
+#### Commands to run the UI

 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -237,7 +238,7 @@ pnpm start

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

-**Pre-commit Hooks Setup**
+#### Pre-commit Hooks Setup

 Some pre-commit hooks require tools installed on your system:

@@ -257,14 +258,14 @@ prowler -v

 ### Containers

-**Available Versions of Prowler CLI**
+#### Available Versions of Prowler CLI

 The following versions of Prowler CLI are available, depending on your requirements:

 - `latest`: Synchronizes with the `master` branch. Note that this version is not stable.
 - `v4-latest`: Synchronizes with the `v4` branch. Note that this version is not stable.
 - `v3-latest`: Synchronizes with the `v3` branch. Note that this version is not stable.
- `<x.y.z>` (release): Stable releases corresponding to specific versions. You can find the complete list of releases [here](https://github.com/prowler-cloud/prowler/releases).
+- `<x.y.z>` (release): Stable releases corresponding to specific versions. See the [complete list of Prowler releases](https://github.com/prowler-cloud/prowler/releases).
 - `stable`: Always points to the latest release.
 - `v4-stable`: Always points to the latest release for v4.
 - `v3-stable`: Always points to the latest release for v3.
@@ -293,7 +294,7 @@ python prowler-cli.py -v

 # 🛡️ GitHub Action

-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
+The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.

 ```yaml
 name: Prowler IaC Scan
@@ -338,7 +339,7 @@ Full configuration, per-provider authentication, and SARIF examples: [Prowler Gi

 ## Prowler CLI

-**Running Prowler**
+### Running Prowler

 Prowler can be executed across various environments, offering flexibility to meet your needs. It can be run from:

@@ -22,7 +22,7 @@ inputs:
    required: false
    default: json-ocsf
  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
+    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli
    required: false
    default: "false"
  flags:
@@ -299,7 +299,7 @@ runs:
            echo ""
            echo "**Get started in 3 steps:**"
            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
+            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-import-findings#using-the-cli))"
            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
            echo ""
            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
@@ -10,7 +10,7 @@
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns

-### Auto-invoke Skills
+## Auto-invoke Skills

 When performing these actions, ALWAYS invoke the corresponding skill FIRST:

@@ -81,7 +81,7 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 ## DECISION TREES

 ### Serializer Selection
-```
+```text
 Read → <Model>Serializer
 Create → <Model>CreateSerializer
 Update → <Model>UpdateSerializer
@@ -89,7 +89,7 @@ Nested read → <Model>IncludeSerializer
 ```

 ### Task vs View
-```
+```text
 < 100ms → View
 > 100ms or external API → Celery task
 Needs retry → Celery task
@@ -105,7 +105,7 @@ Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | Pos

 ## PROJECT STRUCTURE

-```
+```text
 api/src/backend/
 ├── api/                    # Main Django app
 │   ├── v1/                # API version 1 (views, serializers, urls)
@@ -2,6 +2,31 @@

 All notable changes to the **Prowler API** are documented in this file.

+## [1.30.0] (Prowler UNRELEASED)
+
+### 🔄 Changed
+
+- Scan finding ingestion: bulk-resolve `Resource`/`ResourceTag` rows, replace per-mapping `SELECT FOR UPDATE` with deferred `ResourceTagMapping.bulk_create(ignore_conflicts=True)`, wrap each micro-batch in a single `rls_transaction`, and raise `SCAN_DB_BATCH_SIZE` to 1000 [(#11249)](https://github.com/prowler-cloud/prowler/pull/11249)
+
+---
+
+## [1.29.1] (Prowler v5.28.1)
+
+### 🐞 Fixed
+
+- `finding-groups` slow response with finding-level filters such as `region`; check title and description are now read from the daily summaries, which drops sorting by `check_title` [(#11326)](https://github.com/prowler-cloud/prowler/pull/11326)
+
+---
+
+## [1.29.0] (Prowler v5.28.0)
+
+### 🚀 Added
+
+- `okta` provider support [(#11184)](https://github.com/prowler-cloud/prowler/pull/11184)
+- `resource.metadata` attribute included in `/api/v1/findings?include=resources` [(#11187)](https://github.com/prowler-cloud/prowler/pull/11187)
+
+---
+
 ## [1.28.0] (Prowler v5.27.0)

 ### 🚀 Added
@@ -20,7 +45,6 @@ All notable changes to the **Prowler API** are documented in this file.
 - `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
 - Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)

-
 ---

 ## [1.27.1] (Prowler v5.26.1)
@@ -89,7 +89,7 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output

-COPY pyproject.toml uv.lock ./
+COPY --chown=prowler:prowler pyproject.toml uv.lock ./

 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir uv==0.11.14
@@ -97,13 +97,13 @@ RUN pip install --no-cache-dir --upgrade pip && \
 ENV PATH="/home/prowler/.local/bin:$PATH"

 # Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --no-install-project && \
+RUN uv sync --locked --no-install-project && \
    rm -rf ~/.cache/uv

 RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py

-COPY src/backend/ ./backend/
-COPY docker-entrypoint.sh ./docker-entrypoint.sh
+COPY --chown=prowler:prowler src/backend/ ./backend/
+COPY --chown=prowler:prowler docker-entrypoint.sh ./docker-entrypoint.sh

 WORKDIR /home/prowler/backend

@@ -2,7 +2,7 @@

 This repository contains the JSON API and Task Runner components for Prowler, which facilitate a complete backend that interacts with the Prowler SDK and is used by the Prowler UI.

-# Components
+## Components
 The Prowler API is composed of the following components:

 - The JSON API, which is an API built with Django Rest Framework.
@@ -10,13 +10,13 @@ The Prowler API is composed of the following components:
 - The PostgreSQL database, which is used to store the data.
 - The Valkey database, which is an in-memory database which is used as a message broker for the Celery workers.

-## Note about Valkey
+### Note about Valkey

 [Valkey](https://valkey.io/) is an open source (BSD) high performance key/value datastore.

 Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API can be used with Prowler API.

-# Modify environment variables
+## Modify environment variables

 Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.

@@ -24,7 +24,7 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t

 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

-## Local deployment
+### Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:
@@ -34,12 +34,12 @@ set -a
 source .env
 ```

-# 🚀 Production deployment
-## Docker deployment
+## 🚀 Production deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -50,13 +50,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile prod build
 ```

-### Run the production service
+#### Run the production service

 This command will start the Django production server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -68,7 +68,7 @@ You can access the server in `http://localhost:8080`.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the Production Server Logs
+#### View the Production Server Logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -133,13 +133,13 @@ gunicorn -c config/guniconf.py config.wsgi:application

 > By default, the Gunicorn server will try to use as many workers as your machine can handle. You can manually change that in the `src/backend/config/guniconf.py` file.

-# 🧪 Development guide
+## 🧪 Development guide

-## Local deployment
+### Local deployment

 To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -150,7 +150,7 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Start the PostgreSQL Database and Valkey
+#### Start the PostgreSQL Database and Valkey

 The PostgreSQL database (version 16.3) and Valkey (version 7) are required for the development environment. To make development easier, we have provided a `docker-compose` file that will start these components for you.

@@ -161,7 +161,7 @@ The PostgreSQL database (version 16.3) and Valkey (version 7) are required for t
 docker compose up postgres valkey -d
 ```

-### Install the Python dependencies
+#### Install the Python dependencies

 > You must have uv installed

@@ -169,7 +169,7 @@ docker compose up postgres valkey -d
 uv sync
 ```

-### Apply migrations
+#### Apply migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -178,7 +178,7 @@ cd src/backend
 python manage.py migrate --database admin
 ```

-### Run the Django development server
+#### Run the Django development server

 ```console
 cd src/backend
@@ -188,7 +188,7 @@ python manage.py runserver
 You can access the server in `http://localhost:8000`.
 All changes in the code will be automatically reloaded in the server.

-### Run the Celery worker
+#### Run the Celery worker

 ```console
 python -m celery -A config.celery worker -l info -E
@@ -196,11 +196,11 @@ python -m celery -A config.celery worker -l info -E

 The Celery worker does not detect and reload changes in the code, so you need to restart it manually when you make changes.

-## Docker deployment
+### Docker deployment

 This method requires `docker` and `docker compose`.

-### Clone the repository
+#### Clone the repository

 ```console
 # HTTPS
@@ -211,13 +211,13 @@ git clone git@github.com:prowler-cloud/api.git

 ```

-### Build the base image
+#### Build the base image

 ```console
 docker compose --profile dev build
 ```

-### Run the development service
+#### Run the development service

 This command will start the Django development server and the Celery worker and also the Valkey and PostgreSQL databases.

@@ -230,7 +230,7 @@ All changes in the code will be automatically reloaded in the server.

 > **NOTE:** notice how the port is different. When developing using docker, the port will be `8080` to prevent conflicts.

-### View the development server logs
+#### View the development server logs

 To view the logs for any component (e.g., Django, Celery worker), you can use the following command with a wildcard. This command will follow logs for any container that matches the specified pattern:

@@ -238,7 +238,7 @@ To view the logs for any component (e.g., Django, Celery worker), you can use th
 docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 ```

-## Applying migrations
+### Applying migrations

 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

@@ -247,7 +247,7 @@ cd src/backend
 uv run python manage.py migrate --database admin
 ```

-## Apply fixtures
+### Apply fixtures

 Fixtures are used to populate the database with initial development data.

@@ -258,7 +258,7 @@ uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`

-## Run tests
+### Run tests

 Note that the tests will fail if you use the same `.env` file as the development environment.

@@ -269,7 +269,7 @@ cd src/backend
 uv run pytest
 ```

-# Custom commands
+## Custom commands

 Django provides a way to create custom commands that can be run from the command line.

@@ -281,7 +281,7 @@ To run a custom command, you need to be in the `prowler/api/src/backend` directo
 uv run python manage.py <command_name>
 ```

-## Generate dummy data
+### Generate dummy data

 ```console
 python manage.py findings --tenant
@@ -298,7 +298,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 >
 > The last step is required to access the findings details, since the UI needs that to print all the information.

-### Example
+#### Example

 ```console
 ~/backend $ uv run python manage.py findings --tenant
@@ -68,7 +68,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.28.0"
+version = "1.30.0"

 [tool.uv]
 # Transitive pins matching master to avoid silent drift; bump deliberately.
@@ -0,0 +1,41 @@
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0092_findings_arrays_gin_index_parent"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("mongodbatlas", "MongoDB Atlas"),
+                    ("iac", "IaC"),
+                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                    ("alibabacloud", "Alibaba Cloud"),
+                    ("cloudflare", "Cloudflare"),
+                    ("openstack", "OpenStack"),
+                    ("image", "Image"),
+                    ("googleworkspace", "Google Workspace"),
+                    ("vercel", "Vercel"),
+                    ("okta", "Okta"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'okta';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
@@ -296,6 +296,7 @@ class Provider(RowLevelSecurityProtectedModel):
        IMAGE = "image", _("Image")
        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
        VERCEL = "vercel", _("Vercel")
+        OKTA = "okta", _("Okta")

    @staticmethod
    def validate_aws_uid(value):
@@ -354,6 +355,26 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

+    @staticmethod
+    def validate_okta_uid(value):
+        if not re.match(
+            r"^[a-z0-9][a-z0-9-]*\.("
+            r"okta\.com|oktapreview\.com|okta-emea\.com|"
+            r"okta-gov\.com|okta\.mil|okta-miltest\.com|trex-govcloud\.com"
+            r")$",
+            value,
+        ):
+            raise ModelValidationError(
+                detail=(
+                    "Okta provider ID must be a valid Okta-managed org domain "
+                    "(e.g., acme.okta.com, also .oktapreview.com / .okta-emea.com "
+                    "/ .okta-gov.com / .okta.mil / .okta-miltest.com / "
+                    ".trex-govcloud.com), without scheme or path."
+                ),
+                code="okta-uid",
+                pointer="/data/attributes/uid",
+            )
+
    @staticmethod
    def validate_kubernetes_uid(value):
        if not re.match(
@@ -480,6 +501,12 @@ class Provider(RowLevelSecurityProtectedModel):

    def clean(self):
        super().clean()
+        if self.provider == self.ProviderChoices.OKTA and self.uid:
+            # Mirror the SDK, which lowercases the org domain before connecting.
+            # Without this the API would reject Acme.okta.com even though the
+            # SDK would accept it, and stored uids could disagree with the
+            # authenticated org domain.
+            self.uid = self.uid.strip().lower()
        getattr(self, f"validate_{self.provider}_uid")(self.uid)

    def save(self, *args, **kwargs):
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: Prowler API
-  version: 1.28.0
+  version: 1.30.0
  description: |-
    Prowler API specification.

@@ -373,6 +373,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -389,6 +390,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -412,6 +414,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -430,6 +433,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -1453,6 +1457,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -1469,6 +1474,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -1491,6 +1497,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -1509,6 +1516,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -1997,6 +2005,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2013,6 +2022,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2035,6 +2045,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2053,6 +2064,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -2584,6 +2596,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -2600,6 +2613,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -2622,6 +2636,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -2640,6 +2655,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3134,6 +3150,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3150,6 +3167,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3173,6 +3191,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3191,6 +3210,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -3740,6 +3760,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -3756,6 +3777,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -3779,6 +3801,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -3797,6 +3820,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4254,6 +4278,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4270,6 +4295,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4293,6 +4319,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4311,6 +4338,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -4766,6 +4794,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -4782,6 +4811,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -4805,6 +4835,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -4823,6 +4854,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -5266,6 +5298,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -5282,6 +5315,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -5305,6 +5339,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -5323,6 +5358,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7156,6 +7192,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7172,6 +7209,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7195,6 +7233,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7213,6 +7252,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7335,6 +7375,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7351,6 +7392,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7374,6 +7416,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7392,6 +7435,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7503,6 +7547,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7519,6 +7564,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7541,6 +7587,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7559,6 +7606,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -7702,6 +7750,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7718,6 +7767,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7741,6 +7791,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7759,6 +7810,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -7915,6 +7967,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -7931,6 +7984,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -7954,6 +8008,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -7972,6 +8027,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8122,6 +8178,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8138,6 +8195,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8160,6 +8218,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8178,6 +8237,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -8370,6 +8430,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8386,6 +8447,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8409,6 +8471,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8427,6 +8490,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8548,6 +8612,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8564,6 +8629,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8587,6 +8653,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8605,6 +8672,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -8750,6 +8818,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -8766,6 +8835,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -8789,6 +8859,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -8807,6 +8878,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9593,6 +9665,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9609,6 +9682,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider__in]
        schema:
@@ -9632,6 +9706,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9650,6 +9725,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -9673,6 +9749,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -9689,6 +9766,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -9712,6 +9790,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -9730,6 +9809,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - name: filter[search]
@@ -10400,6 +10480,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -10416,6 +10497,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -10439,6 +10521,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -10457,6 +10540,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -10951,6 +11035,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -10967,6 +11052,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -10990,6 +11076,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11008,6 +11095,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11315,6 +11403,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11331,6 +11420,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11354,6 +11444,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11372,6 +11463,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -11685,6 +11777,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -11701,6 +11794,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -11724,6 +11818,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -11742,6 +11837,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -12580,6 +12676,7 @@ paths:
          - openstack
          - oraclecloud
          - vercel
+          - okta
        description: |-
          * `aws` - AWS
          * `azure` - Azure
@@ -12596,6 +12693,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
      - in: query
        name: filter[provider_type__in]
        schema:
@@ -12619,6 +12717,7 @@ paths:
            - openstack
            - oraclecloud
            - vercel
+            - okta
        description: |-
          Multiple values may be separated by commas.

@@ -12637,6 +12736,7 @@ paths:
          * `image` - Image
          * `googleworkspace` - Google Workspace
          * `vercel` - Vercel
+          * `okta` - Okta
        explode: false
        style: form
      - in: query
@@ -20115,6 +20215,23 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
+                  - type: object
+                    title: Okta OAuth Credentials
+                    properties:
+                      okta_client_id:
+                        type: string
+                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                      okta_private_key:
+                        type: string
+                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                      okta_scopes:
+                        type: array
+                        items:
+                          type: string
+                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                    required:
+                      - okta_client_id
+                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -21127,6 +21244,7 @@ components:
              - image
              - googleworkspace
              - vercel
+              - okta
              type: string
              description: |-
                * `aws` - AWS
@@ -21144,6 +21262,7 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
+                * `okta` - Okta
              x-spec-enum-id: 91f917e0c3ab97e8
            uid:
              type: string
@@ -21265,6 +21384,7 @@ components:
              - image
              - googleworkspace
              - vercel
+              - okta
              type: string
              x-spec-enum-id: 91f917e0c3ab97e8
              description: |-
@@ -21285,6 +21405,7 @@ components:
                * `image` - Image
                * `googleworkspace` - Google Workspace
                * `vercel` - Vercel
+                * `okta` - Okta
            uid:
              type: string
              title: Unique identifier for the provider, set by the provider
@@ -21337,6 +21458,7 @@ components:
                  - image
                  - googleworkspace
                  - vercel
+                  - okta
                  type: string
                  x-spec-enum-id: 91f917e0c3ab97e8
                  description: |-
@@ -21357,6 +21479,7 @@ components:
                    * `image` - Image
                    * `googleworkspace` - Google Workspace
                    * `vercel` - Vercel
+                    * `okta` - Okta
                uid:
                  type: string
                  minLength: 3
@@ -22206,6 +22329,23 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
+              - type: object
+                title: Okta OAuth Credentials
+                properties:
+                  okta_client_id:
+                    type: string
+                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                  okta_private_key:
+                    type: string
+                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                  okta_scopes:
+                    type: array
+                    items:
+                      type: string
+                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                required:
+                  - okta_client_id
+                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -22631,6 +22771,23 @@ components:
                    required:
                    - clouds_yaml_content
                    - clouds_yaml_cloud
+                  - type: object
+                    title: Okta OAuth Credentials
+                    properties:
+                      okta_client_id:
+                        type: string
+                        description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                      okta_private_key:
+                        type: string
+                        description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                      okta_scopes:
+                        type: array
+                        items:
+                          type: string
+                        description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                    required:
+                      - okta_client_id
+                      - okta_private_key
                  - type: object
                    title: Vercel API Token
                    properties:
@@ -23066,6 +23223,23 @@ components:
                required:
                - clouds_yaml_content
                - clouds_yaml_cloud
+              - type: object
+                title: Okta OAuth Credentials
+                properties:
+                  okta_client_id:
+                    type: string
+                    description: Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.
+                  okta_private_key:
+                    type: string
+                    description: PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.
+                  okta_scopes:
+                    type: array
+                    items:
+                      type: string
+                    description: OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.
+                required:
+                  - okta_client_id
+                  - okta_private_key
              - type: object
                title: Vercel API Token
                properties:
@@ -31,6 +31,7 @@ from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
+from prowler.providers.okta.okta_provider import OktaProvider
 from prowler.providers.openstack.openstack_provider import OpenstackProvider
 from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
 from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -130,6 +131,7 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
            (Provider.ProviderChoices.IMAGE.value, ImageProvider),
            (Provider.ProviderChoices.VERCEL.value, VercelProvider),
+            (Provider.ProviderChoices.OKTA.value, OktaProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -238,6 +240,31 @@ class TestProwlerProviderConnectionTest:
            raise_on_exception=False,
        )

+    @patch("api.utils.return_prowler_provider")
+    def test_prowler_provider_connection_test_okta_provider(
+        self, mock_return_prowler_provider
+    ):
+        """Test connection test for Okta provider passes org domain and provider_id."""
+        provider = MagicMock()
+        provider.uid = "acme.okta.com"
+        provider.provider = Provider.ProviderChoices.OKTA.value
+        provider.secret.secret = {
+            "okta_client_id": "0oa123456789abcdef",
+            "okta_private_key": "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
+            "okta_scopes": ["okta.policies.read"],
+        }
+        mock_return_prowler_provider.return_value = MagicMock()
+
+        prowler_provider_connection_test(provider)
+        mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
+            okta_client_id="0oa123456789abcdef",
+            okta_private_key="-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
+            okta_scopes=["okta.policies.read"],
+            okta_org_domain="acme.okta.com",
+            provider_id="acme.okta.com",
+            raise_on_exception=False,
+        )
+
    @patch("api.utils.return_prowler_provider")
    def test_prowler_provider_connection_test_image_provider_no_creds(
        self, mock_return_prowler_provider
@@ -308,6 +335,10 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.VERCEL.value,
                {"team_id": "provider_uid"},
            ),
+            (
+                Provider.ProviderChoices.OKTA.value,
+                {"okta_org_domain": "provider_uid"},
+            ),
        ],
    )
    def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -1625,6 +1625,21 @@ class TestProviderViewSet:
                    "uid": "C12",
                    "alias": "Google Workspace Minimum Length",
                },
+                {
+                    "provider": "okta",
+                    "uid": "acme.okta.com",
+                    "alias": "Okta Org",
+                },
+                {
+                    "provider": "okta",
+                    "uid": "agency.okta-gov.com",
+                    "alias": "Okta Gov Org",
+                },
+                {
+                    "provider": "okta",
+                    "uid": "agency.okta.mil",
+                    "alias": "Okta Mil Org",
+                },
            ]
        ),
    )
@@ -2143,6 +2158,24 @@ class TestProviderViewSet:
                    "googleworkspace-uid",
                    "uid",
                ),
+                (
+                    {
+                        "provider": "okta",
+                        "uid": "https://acme.okta.com",
+                        "alias": "test",
+                    },
+                    "okta-uid",
+                    "uid",
+                ),
+                (
+                    {
+                        "provider": "okta",
+                        "uid": "acme.example.com",
+                        "alias": "test",
+                    },
+                    "okta-uid",
+                    "uid",
+                ),
            ]
        ),
    )
@@ -2163,6 +2196,25 @@ class TestProviderViewSet:
            == f"/data/attributes/{error_pointer}"
        )

+    @pytest.mark.parametrize(
+        "input_uid,stored_uid",
+        [
+            ("Acme.okta.com", "acme.okta.com"),
+            ("  ACME.OKTA.COM  ", "acme.okta.com"),
+            ("Agency.Okta-Gov.com", "agency.okta-gov.com"),
+        ],
+    )
+    def test_providers_create_okta_uid_normalized(
+        self, authenticated_client, input_uid, stored_uid
+    ):
+        response = authenticated_client.post(
+            reverse("provider-list"),
+            data={"provider": "okta", "uid": input_uid, "alias": "Okta"},
+            format="json",
+        )
+        assert response.status_code == status.HTTP_201_CREATED
+        assert Provider.objects.get().uid == stored_uid
+
    def test_providers_partial_update(self, authenticated_client, providers_fixture):
        provider1, *_ = providers_fixture
        new_alias = "This is the new name"
@@ -2320,17 +2372,17 @@ class TestProviderViewSet:
                ),
                ("alias", "aws_testing_1", 1),
                ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 13),
+                ("inserted_at", TODAY, 14),
                (
                    "inserted_at.gte",
                    "2024-01-01",
-                    13,
+                    14,
                ),
                ("inserted_at.lte", "2024-01-01", 0),
                (
                    "updated_at.gte",
                    "2024-01-01",
-                    13,
+                    14,
                ),
                ("updated_at.lte", "2024-01-01", 0),
            ]
@@ -2963,6 +3015,19 @@ class TestProviderSecretViewSet:
                    "api_token": "fake-vercel-api-token-for-testing",
                },
            ),
+            # Okta with inline private key credentials
+            (
+                Provider.ProviderChoices.OKTA.value,
+                ProviderSecret.TypeChoices.STATIC,
+                {
+                    "okta_client_id": "0oa123456789abcdef",
+                    "okta_private_key": "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----",
+                    "okta_scopes": [
+                        "okta.policies.read",
+                        "okta.groups.read",
+                    ],
+                },
+            ),
        ],
    )
    def test_provider_secrets_create_valid(
@@ -3075,6 +3140,46 @@ class TestProviderSecretViewSet:
            == f"/data/attributes/{error_pointer}"
        )

+    def test_provider_secrets_invalid_create_okta_missing_private_key(
+        self,
+        providers_fixture,
+        authenticated_client,
+    ):
+        okta_provider = next(
+            provider
+            for provider in providers_fixture
+            if provider.provider == Provider.ProviderChoices.OKTA.value
+        )
+        data = {
+            "data": {
+                "type": "provider-secrets",
+                "attributes": {
+                    "name": "Okta Secret",
+                    "secret_type": ProviderSecret.TypeChoices.STATIC,
+                    "secret": {
+                        "okta_client_id": "0oa123456789abcdef",
+                    },
+                },
+                "relationships": {
+                    "provider": {
+                        "data": {"type": "providers", "id": str(okta_provider.id)}
+                    }
+                },
+            }
+        }
+
+        response = authenticated_client.post(
+            reverse("providersecret-list"),
+            data=json.dumps(data),
+            content_type="application/vnd.api+json",
+        )
+
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+        assert response.json()["errors"][0]["code"] == "required"
+        assert response.json()["errors"][0]["source"]["pointer"] == (
+            "/data/attributes/secret/okta_private_key"
+        )
+
    def test_provider_secrets_partial_update(
        self, authenticated_client, provider_secret_fixture
    ):
@@ -7053,6 +7158,32 @@ class TestFindingViewSet:
            "id"
        ] == str(finding_1.resources.first().id)

+    def test_findings_retrieve_include_resource_metadata(
+        self, authenticated_client, findings_fixture
+    ):
+        finding_1, *_ = findings_fixture
+        resource = finding_1.resources.first()
+        resource.metadata = '{"VulnerabilityID": "CVE-2026-0001"}'
+        resource.details = "Python 3.12 base image"
+        resource.save()
+
+        response = authenticated_client.get(
+            reverse("finding-detail", kwargs={"pk": finding_1.id}),
+            {"include": "resources"},
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        included_resource = next(
+            item
+            for item in response.json()["included"]
+            if item["type"] == "resources" and item["id"] == str(resource.id)
+        )
+        assert (
+            included_resource["attributes"]["metadata"]
+            == '{"VulnerabilityID": "CVE-2026-0001"}'
+        )
+        assert included_resource["attributes"]["details"] == "Python 3.12 base image"
+
    def test_findings_invalid_retrieve(self, authenticated_client):
        response = authenticated_client.get(
            reverse("finding-detail", kwargs={"pk": "random_id"}),
@@ -15790,6 +15921,12 @@ class TestFindingGroupViewSet:
        assert attrs["fail_count"] == 0
        assert attrs["resources_total"] == 1
        assert attrs["resources_fail"] == 0
+        # check_title / check_description are resolved post-pagination from the
+        # summary table, not from the finding's check_metadata.
+        assert attrs["check_title"] == "Ensure EC2 instances do not have public IPs"
+        assert (
+            attrs["check_description"] == "EC2 instances should use private IPs only."
+        )

    def test_finding_groups_status_pass_when_no_fail(
        self, authenticated_client, finding_groups_fixture
@@ -17031,6 +17168,12 @@ class TestFindingGroupViewSet:
        assert attrs["fail_count"] == 0
        assert attrs["resources_total"] == 1
        assert attrs["resources_fail"] == 0
+        # check_title / check_description are resolved post-pagination from the
+        # summary table, not from the finding's check_metadata.
+        assert attrs["check_title"] == "Ensure EC2 instances do not have public IPs"
+        assert (
+            attrs["check_description"] == "EC2 instances should use private IPs only."
+        )

    def test_finding_groups_latest_status_in_filter(
        self, authenticated_client, finding_groups_fixture
@@ -17288,18 +17431,20 @@ class TestFindingGroupViewSet:
        check_ids = [item["id"] for item in data]
        assert check_ids == sorted(check_ids)

-    def test_finding_groups_latest_sort_by_check_title(
+    def test_finding_groups_latest_sort_by_check_title_not_supported(
        self, authenticated_client, finding_groups_fixture
    ):
-        """Test /latest supports sorting by check_title."""
+        """check_title is not a sortable field for finding groups.
+
+        Titles live in the TOASTed check_metadata blob and are resolved after
+        pagination from the summary table, so they cannot drive DB-level
+        ordering. Requesting that sort is rejected.
+        """
        response = authenticated_client.get(
            reverse("finding-group-latest"),
            {"sort": "check_title"},
        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        check_titles = [item["attributes"]["check_title"] for item in data]
-        assert check_titles == sorted(check_titles)
+        assert response.status_code == status.HTTP_400_BAD_REQUEST

    @pytest.mark.parametrize(
        "endpoint_name", ["finding-group-list", "finding-group-latest"]
@@ -37,6 +37,7 @@ if TYPE_CHECKING:
    from prowler.providers.mongodbatlas.mongodbatlas_provider import (
        MongodbatlasProvider,
    )
+    from prowler.providers.okta.okta_provider import OktaProvider
    from prowler.providers.openstack.openstack_provider import OpenstackProvider
    from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
    from prowler.providers.vercel.vercel_provider import VercelProvider
@@ -93,6 +94,7 @@ def return_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
+    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -181,6 +183,10 @@ def return_prowler_provider(
            from prowler.providers.vercel.vercel_provider import VercelProvider

            prowler_provider = VercelProvider
+        case Provider.ProviderChoices.OKTA.value:
+            from prowler.providers.okta.okta_provider import OktaProvider
+
+            prowler_provider = OktaProvider
        case _:
            raise ValueError(f"Provider type {provider.provider} not supported")
    return prowler_provider
@@ -246,6 +252,11 @@ def get_prowler_provider_kwargs(
            **prowler_provider_kwargs,
            "team_id": provider.uid,
        }
+    elif provider.provider == Provider.ProviderChoices.OKTA.value:
+        prowler_provider_kwargs = {
+            **prowler_provider_kwargs,
+            "okta_org_domain": provider.uid,
+        }
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
        # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
@@ -290,6 +301,7 @@ def initialize_prowler_provider(
    | KubernetesProvider
    | M365Provider
    | MongodbatlasProvider
+    | OktaProvider
    | OpenstackProvider
    | OraclecloudProvider
    | VercelProvider
@@ -351,6 +363,14 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
            "raise_on_exception": False,
        }
        return prowler_provider.test_connection(**vercel_kwargs)
+    elif provider.provider == Provider.ProviderChoices.OKTA.value:
+        okta_kwargs = {
+            **prowler_provider_kwargs,
+            "okta_org_domain": provider.uid,
+            "provider_id": provider.uid,
+            "raise_on_exception": False,
+        }
+        return prowler_provider.test_connection(**okta_kwargs)
    elif provider.provider == Provider.ProviderChoices.IMAGE.value:
        image_kwargs = {
            "image": provider.uid,
@@ -404,6 +404,26 @@ from rest_framework_json_api import serializers
                },
                "required": ["clouds_yaml_content", "clouds_yaml_cloud"],
            },
+            {
+                "type": "object",
+                "title": "Okta OAuth Credentials",
+                "properties": {
+                    "okta_client_id": {
+                        "type": "string",
+                        "description": "Client ID of the Okta API Services app used for OAuth 2.0 private-key JWT authentication.",
+                    },
+                    "okta_private_key": {
+                        "type": "string",
+                        "description": "PEM-encoded private key whose matching public key (JWK) is registered on the Okta service app.",
+                    },
+                    "okta_scopes": {
+                        "type": "array",
+                        "items": {"type": "string"},
+                        "description": "OAuth scopes to request. Optional; defaults to the minimum set required to run the currently enabled Okta checks.",
+                    },
+                },
+                "required": ["okta_client_id", "okta_private_key"],
+            },
            {
                "type": "object",
                "title": "Vercel API Token",
@@ -1397,6 +1397,7 @@ class ResourceIncludeSerializer(RLSSerializer):
            "service",
            "type_",
            "tags",
+            "metadata",
            "details",
            "partition",
        ]
@@ -1404,6 +1405,7 @@ class ResourceIncludeSerializer(RLSSerializer):
            "id": {"read_only": True},
            "inserted_at": {"read_only": True},
            "updated_at": {"read_only": True},
+            "metadata": {"read_only": True},
            "details": {"read_only": True},
            "partition": {"read_only": True},
        }
@@ -1543,6 +1545,8 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = GCPProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GOOGLEWORKSPACE.value:
                serializer = GoogleWorkspaceProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.OKTA.value:
+                serializer = OktaProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GITHUB.value:
                serializer = GithubProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.IAC.value:
@@ -1688,6 +1692,15 @@ class GoogleWorkspaceProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


+class OktaProviderSecret(serializers.Serializer):
+    okta_client_id = serializers.CharField()
+    okta_private_key = serializers.CharField()
+    okta_scopes = serializers.ListField(child=serializers.CharField(), required=False)
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class MongoDBAtlasProviderSecret(serializers.Serializer):
    atlas_public_key = serializers.CharField()
    atlas_private_key = serializers.CharField()
@@ -7369,6 +7369,15 @@ class FindingGroupViewSet(BaseRLSViewSet):
            output_field=IntegerField(),
        )

+        # `check_title` / `check_description` are intentionally NOT resolved
+        # here. They live in the large JSONB `check_metadata` blob (TOASTed),
+        # so reading them per finding row is very expensive, and pulling them
+        # in via a correlated subquery makes Django add the subquery to GROUP
+        # BY, which re-evaluates it once per input row. They are identical for
+        # every finding of a `check_id`, so `_post_process_aggregation` fills
+        # them from the summary table's plain columns in a single batched
+        # lookup scoped to the paginated page.
+
        # `pass_count`, `fail_count` and `manual_count` only count non-muted
        # findings. Muted findings are tracked separately via the
        # `*_muted_count` fields.
@@ -7439,15 +7448,6 @@ class FindingGroupViewSet(BaseRLSViewSet):
                agg_failing_since=Min(
                    "first_seen_at", filter=Q(status="FAIL", muted=False)
                ),
-                check_title=Coalesce(
-                    Max(KeyTextTransform("checktitle", "check_metadata")),
-                    Max(KeyTextTransform("CheckTitle", "check_metadata")),
-                    Max(KeyTextTransform("Checktitle", "check_metadata")),
-                ),
-                check_description=Coalesce(
-                    Max(KeyTextTransform("description", "check_metadata")),
-                    Max(KeyTextTransform("Description", "check_metadata")),
-                ),
            )
            .annotate(
                # Group is muted only if it has zero non-muted findings.
@@ -7484,14 +7484,17 @@ class FindingGroupViewSet(BaseRLSViewSet):

    def _get_latest_findings_per_provider(self, filtered_queryset):
        """Keep only findings from each provider's most recent completed scan."""
-        latest_scan_ids = (
+        # Materialize to a literal IN list. Left as a subquery, Postgres can't
+        # estimate the match count and picks a serial nested loop on
+        # resource_finding_mappings when one scan dominates findings
+        latest_scan_ids = list(
            Scan.objects.filter(
                tenant_id=self.request.tenant_id,
                state=StateChoices.COMPLETED,
            )
            .order_by("provider_id", "-completed_at", "-inserted_at")
            .distinct("provider_id")
-            .values("id")
+            .values_list("id", flat=True)
        )
        return filtered_queryset.filter(scan_id__in=latest_scan_ids)

@@ -7503,9 +7506,38 @@ class FindingGroupViewSet(BaseRLSViewSet):
        - Computes aggregated status (FAIL > PASS > MANUAL); the orthogonal
          ``muted`` boolean is already on the row from the SQL aggregation
        - Converts provider string to list
+        - Fills check_title / check_description for the findings path
        """
+        rows = list(aggregated_data)
+
+        # The findings-aggregation path omits check_title / check_description
+        # (they sit in TOASTed JSONB; see _aggregate_findings). Fill them from
+        # the summary table's plain columns in one query scoped to this page.
+        # The summary-aggregation path already carries them, so skip it there.
+        if rows and "check_title" not in rows[0]:
+            check_ids = [row["check_id"] for row in rows]
+            role = get_role(self.request.user, self.request.tenant_id)
+            summaries = FindingGroupDailySummary.objects.filter(
+                tenant_id=self.request.tenant_id,
+                check_id__in=check_ids,
+            )
+            # Scope to the user's providers, mirroring get_queryset(), so titles
+            # are read only from providers the user can see.
+            if not role.unlimited_visibility:
+                summaries = summaries.filter(provider__in=get_providers(role))
+            metadata_by_check = {
+                item["check_id"]: item
+                for item in summaries.order_by("check_id", "-inserted_at")
+                .distinct("check_id")
+                .values("check_id", "check_title", "check_description")
+            }
+            for row in rows:
+                metadata = metadata_by_check.get(row["check_id"], {})
+                row["check_title"] = metadata.get("check_title")
+                row["check_description"] = metadata.get("check_description")
+
        results = []
-        for row in aggregated_data:
+        for row in rows:
            # Convert severity order back to string
            severity_order = row.get("severity_order", 1)
            row["severity"] = SEVERITY_ORDER_REVERSE.get(
@@ -7551,7 +7583,6 @@ class FindingGroupViewSet(BaseRLSViewSet):

    _FINDING_GROUP_SORT_MAP = {
        "check_id": "check_id",
-        "check_title": "check_title",
        "severity": "severity_order",
        "status": "status_order",
        "muted": "muted",
@@ -571,6 +571,12 @@ def providers_fixture(tenants_fixture):
        alias="vercel_testing",
        tenant_id=tenant.id,
    )
+    provider14 = Provider.objects.create(
+        provider="okta",
+        uid="acme.okta.com",
+        alias="okta_testing",
+        tenant_id=tenant.id,
+    )

    return (
        provider1,
@@ -586,6 +592,7 @@ def providers_fixture(tenants_fixture):
        provider11,
        provider12,
        provider13,
+        provider14,
    )


@@ -42,7 +42,6 @@ from api.db_utils import (
    SET_CONFIG_QUERY,
    psycopg_connection,
    rls_transaction,
-    update_objects_in_batches,
 )
 from api.exceptions import ProviderConnectionError
 from api.models import (
@@ -59,6 +58,7 @@ from api.models import (
    ResourceFindingMapping,
    ResourceScanSummary,
    ResourceTag,
+    ResourceTagMapping,
    Scan,
    ScanCategorySummary,
    ScanGroupSummary,
@@ -97,8 +97,16 @@ COMPLIANCE_REQUIREMENT_COPY_COLUMNS = (
 )
 # Controls how many findings we process per micro-batch before flushing to DB writes
 FINDINGS_MICRO_BATCH_SIZE = env.int("DJANGO_FINDINGS_MICRO_BATCH_SIZE", default=3000)
-# Controls how many rows each ORM bulk_create/bulk_update call sends to Postgres
-SCAN_DB_BATCH_SIZE = env.int("DJANGO_SCAN_DB_BATCH_SIZE", default=500)
+# Controls how many rows each ORM bulk_create/bulk_update call sends to Postgres.
+SCAN_DB_BATCH_SIZE = env.int("DJANGO_SCAN_DB_BATCH_SIZE", default=1000)
+# Throttle scan progress persistence: minimum progress delta (fraction 0-1)
+# between two persisted progress updates.
+PROGRESS_THROTTLE_DELTA = env.float("DJANGO_SCAN_PROGRESS_THROTTLE_DELTA", default=0.01)
+# Throttle scan progress persistence: maximum seconds without persisting progress
+# regardless of delta (so slow checks still show progress in the UI).
+PROGRESS_THROTTLE_SECONDS = env.float(
+    "DJANGO_SCAN_PROGRESS_THROTTLE_SECONDS", default=10.0
+)

 ATTACK_SURFACE_PROVIDER_COMPATIBILITY = {
    "internet-exposed": None,  # Compatible with all providers
@@ -528,16 +536,26 @@ def _process_finding_micro_batch(
    """
    # Accumulate objects for bulk operations
    findings_to_create = []
-    mappings_to_create = []
    dirty_resources = {}
+    resources_with_new_tag_mappings: set[str] = set()
    resource_denormalized_data = []  # (finding_instance, resource_instance) pairs
+    tag_mappings_to_create: list[ResourceTagMapping] = []
    skipped_findings_count = 0  # Track findings skipped due to UID length

-    # Prefetch last statuses for all findings in this batch
-    # TEMPORARY WORKAROUND: Filter out UIDs > 300 chars to avoid query errors
-    finding_uids = [
-        f.uid for f in findings_batch if f is not None and len(f.uid) <= 300
-    ]
+    # Separate findings into those persistable (uid <= 300) and over-limit.
+    # Resources/tags ARE still resolved for over-limit findings to preserve the
+    # original behavior (resources are persisted even when their finding is dropped).
+    non_null_findings = [f for f in findings_batch if f is not None]
+    persistable_findings = [f for f in non_null_findings if len(f.uid) <= 300]
+    skipped_findings_count = len(non_null_findings) - len(persistable_findings)
+    none_count = len(findings_batch) - len(non_null_findings)
+    if none_count:
+        logger.error(
+            f"{none_count} None finding(s) detected on scan {scan_instance.id}."
+        )
+
+    # Prefetch last statuses for all persistable findings in this batch (read replica)
+    finding_uids = [f.uid for f in persistable_findings]
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
        last_statuses = {
            item["uid"]: (item["status"], item["first_seen_at"])
@@ -548,281 +566,411 @@ def _process_finding_micro_batch(
            .order_by("uid", "-inserted_at")
            .distinct("uid")
        }
-        # Update cache
        for uid, data in last_statuses.items():
            if uid not in last_status_cache:
                last_status_cache[uid] = data

-    # Process each finding in the batch
-    for finding in findings_batch:
-        if finding is None:
-            logger.error(f"None finding detected on scan {scan_instance.id}.")
-            continue
+    # All DB writes for this micro-batch run inside ONE rls_transaction,
+    # with deadlock-retry at micro-batch granularity instead of per-finding.
+    for attempt in range(CELERY_DEADLOCK_ATTEMPTS):
+        try:
+            with rls_transaction(tenant_id):
+                # 1) Pre-resolve Resources in bulk
+                # Collect all uids referenced by this batch that are not in cache yet.
+                # NOTE: we intentionally include empty-string uids here. The SDK
+                # explicitly emits findings with `resource_uid=""` for some flows
+                # (IaC scans, some Azure/GCP/K8s checks). The original
+                # `get_or_create` behavior was to create/share a Resource with
+                # uid="" for these findings rather than dropping them. Preserve
+                # that behavior; do NOT filter by truthiness.
+                batch_resource_uids: set[str] = set()
+                for f in non_null_findings:
+                    if f.resource_uid not in resource_cache:
+                        batch_resource_uids.add(f.resource_uid)

-        # Process resource with deadlock retry
-        for attempt in range(CELERY_DEADLOCK_ATTEMPTS):
-            try:
-                with rls_transaction(tenant_id):
-                    resource_uid = finding.resource_uid
-                    if resource_uid not in resource_cache:
-                        check_metadata = finding.get_metadata()
-                        group = check_metadata.get("resourcegroup") or None
-                        resource_instance, _ = Resource.objects.get_or_create(
+                if batch_resource_uids:
+                    existing_resources = {
+                        r.uid: r
+                        for r in Resource.objects.filter(
                            tenant_id=tenant_id,
-                            provider=provider_instance,
-                            uid=resource_uid,
-                            defaults={
-                                "region": finding.region,
-                                "service": finding.service_name,
-                                "type": finding.resource_type,
-                                "name": finding.resource_name,
-                                "groups": [group] if group else None,
-                            },
+                            provider_id=provider_instance.id,
+                            uid__in=batch_resource_uids,
                        )
-                        resource_cache[resource_uid] = resource_instance
-                        resource_failed_findings_cache[resource_uid] = 0
-                    else:
-                        resource_instance = resource_cache[resource_uid]
-                break
-            except (OperationalError, IntegrityError) as db_err:
-                if attempt < CELERY_DEADLOCK_ATTEMPTS - 1:
-                    logger.warning(
-                        f"{'Deadlock error' if isinstance(db_err, OperationalError) else 'Integrity error'} "
-                        f"detected when processing resource {resource_uid} on scan {scan_instance.id}. Retrying..."
+                    }
+                    missing_uids = batch_resource_uids - existing_resources.keys()
+                    if missing_uids:
+                        # Build defaults from the first finding referencing each uid.
+                        first_finding_per_uid: dict[str, ProwlerFinding] = {}
+                        for f in non_null_findings:
+                            if f.resource_uid in missing_uids:
+                                first_finding_per_uid.setdefault(f.resource_uid, f)
+                        resources_to_create = []
+                        for uid in missing_uids:
+                            f = first_finding_per_uid[uid]
+                            check_metadata = f.get_metadata()
+                            group = check_metadata.get("resourcegroup") or None
+                            resources_to_create.append(
+                                Resource(
+                                    tenant_id=tenant_id,
+                                    provider=provider_instance,
+                                    uid=uid,
+                                    region=f.region,
+                                    service=f.service_name,
+                                    type=f.resource_type,
+                                    name=f.resource_name,
+                                    groups=[group] if group else None,
+                                )
+                            )
+                        Resource.objects.bulk_create(
+                            resources_to_create,
+                            batch_size=SCAN_DB_BATCH_SIZE,
+                            ignore_conflicts=True,
+                            unique_fields=["tenant_id", "provider_id", "uid"],
+                        )
+                        # Re-fetch to obtain instances we just created AND any
+                        # created concurrently by another scan against the same provider.
+                        existing_resources.update(
+                            {
+                                r.uid: r
+                                for r in Resource.objects.filter(
+                                    tenant_id=tenant_id,
+                                    provider_id=provider_instance.id,
+                                    uid__in=missing_uids,
+                                )
+                            }
+                        )
+                    for uid, r in existing_resources.items():
+                        resource_cache[uid] = r
+                        resource_failed_findings_cache.setdefault(uid, 0)
+
+                # 2) Pre-resolve ResourceTags in bulk
+                batch_tag_kv: set[tuple[str, str]] = set()
+                for f in non_null_findings:
+                    for k, v in f.resource_tags.items():
+                        if (k, v) not in tag_cache:
+                            batch_tag_kv.add((k, v))
+
+                if batch_tag_kv:
+                    keys_to_query = {k for k, _ in batch_tag_kv}
+                    existing_tags = {
+                        (t.key, t.value): t
+                        for t in ResourceTag.objects.filter(
+                            tenant_id=tenant_id, key__in=keys_to_query
+                        )
+                        if (t.key, t.value) in batch_tag_kv
+                    }
+                    missing_kv = batch_tag_kv - existing_tags.keys()
+                    if missing_kv:
+                        ResourceTag.objects.bulk_create(
+                            [
+                                ResourceTag(tenant_id=tenant_id, key=k, value=v)
+                                for k, v in missing_kv
+                            ],
+                            batch_size=SCAN_DB_BATCH_SIZE,
+                            ignore_conflicts=True,
+                            unique_fields=["tenant_id", "key", "value"],
+                        )
+                        existing_tags.update(
+                            {
+                                (t.key, t.value): t
+                                for t in ResourceTag.objects.filter(
+                                    tenant_id=tenant_id,
+                                    key__in={k for k, _ in missing_kv},
+                                )
+                                if (t.key, t.value) in missing_kv
+                            }
+                        )
+                    tag_cache.update(existing_tags)
+
+                # 3) Per-finding in-memory processing
+                for finding in non_null_findings:
+                    resource_uid = finding.resource_uid
+                    resource_instance = resource_cache.get(resource_uid)
+                    if resource_instance is None:
+                        # Should be unreachable after the pre-resolve step. Defensive log.
+                        logger.error(
+                            f"Resource {resource_uid} missing from cache after pre-resolve "
+                            f"on scan {scan_instance.id}; skipping finding."
+                        )
+                        continue
+
+                    # Detect resource field changes (defer save until end-of-batch bulk_update).
+                    check_metadata = finding.get_metadata()
+                    group = check_metadata.get("resourcegroup") or None
+                    updated = False
+                    if finding.region and resource_instance.region != finding.region:
+                        resource_instance.region = finding.region
+                        updated = True
+                    if resource_instance.service != finding.service_name:
+                        resource_instance.service = finding.service_name
+                        updated = True
+                    if resource_instance.type != finding.resource_type:
+                        resource_instance.type = finding.resource_type
+                        updated = True
+                    if resource_instance.metadata != finding.resource_metadata:
+                        resource_instance.metadata = json.dumps(
+                            finding.resource_metadata, cls=CustomEncoder
+                        )
+                        updated = True
+                    if resource_instance.details != finding.resource_details:
+                        resource_instance.details = finding.resource_details
+                        updated = True
+                    if resource_instance.partition != finding.partition:
+                        resource_instance.partition = finding.partition
+                        updated = True
+                    if group and (
+                        not resource_instance.groups
+                        or group not in resource_instance.groups
+                    ):
+                        resource_instance.groups = (resource_instance.groups or []) + [
+                            group
+                        ]
+                        updated = True
+
+                    if updated:
+                        dirty_resources[resource_uid] = resource_instance
+
+                    # Accumulate ResourceTagMapping rows; bulk_create at end of block.
+                    for k, v in finding.resource_tags.items():
+                        tag_instance = tag_cache.get((k, v))
+                        if tag_instance is None:
+                            # Should not happen after pre-resolve; skip defensively.
+                            continue
+                        tag_mappings_to_create.append(
+                            ResourceTagMapping(
+                                tenant_id=tenant_id,
+                                resource=resource_instance,
+                                tag=tag_instance,
+                            )
+                        )
+
+                    unique_resources.add(
+                        (resource_instance.uid, resource_instance.region)
                    )
-                    time.sleep(0.1 * (2**attempt))
-                    continue
-                else:
-                    raise db_err

-        # Track resource field changes (defer save)
-        updated = False
-        check_metadata = finding.get_metadata()
-        group = check_metadata.get("resourcegroup") or None
-        if finding.region and resource_instance.region != finding.region:
-            resource_instance.region = finding.region
-            updated = True
-        if resource_instance.service != finding.service_name:
-            resource_instance.service = finding.service_name
-            updated = True
-        if resource_instance.type != finding.resource_type:
-            resource_instance.type = finding.resource_type
-            updated = True
-        if resource_instance.metadata != finding.resource_metadata:
-            resource_instance.metadata = json.dumps(
-                finding.resource_metadata, cls=CustomEncoder
-            )
-            updated = True
-        if resource_instance.details != finding.resource_details:
-            resource_instance.details = finding.resource_details
-            updated = True
-        if resource_instance.partition != finding.partition:
-            resource_instance.partition = finding.partition
-            updated = True
-        if group and (
-            not resource_instance.groups or group not in resource_instance.groups
-        ):
-            resource_instance.groups = (resource_instance.groups or []) + [group]
-            updated = True
+                    # TEMPORARY WORKAROUND: Skip findings with UID > 300 chars
+                    # TODO: Remove this after implementing text field migration for finding.uid
+                    if len(finding.uid) > 300:
+                        logger.warning(
+                            f"Skipping finding with UID exceeding 300 characters. "
+                            f"Length: {len(finding.uid)}, "
+                            f"Check: {finding.check_id}, "
+                            f"Resource: {finding.resource_name}, "
+                            f"UID: {finding.uid}"
+                        )
+                        continue

-        if updated:
-            dirty_resources[resource_uid] = resource_instance
-
-        # Process tags
-        tags = []
-        with rls_transaction(tenant_id):
-            for key, value in finding.resource_tags.items():
-                tag_key = (key, value)
-                if tag_key not in tag_cache:
-                    tag_instance, _ = ResourceTag.objects.get_or_create(
-                        tenant_id=tenant_id, key=key, value=value
+                    finding_uid = finding.uid
+                    last_status, last_first_seen_at = last_status_cache.get(
+                        finding_uid, (None, None)
                    )
-                    tag_cache[tag_key] = tag_instance
-                else:
-                    tag_instance = tag_cache[tag_key]
-                tags.append(tag_instance)
-            resource_instance.upsert_or_delete_tags(tags=tags)

-        unique_resources.add((resource_instance.uid, resource_instance.region))
+                    status = FindingStatus[finding.status]
+                    delta = _create_finding_delta(last_status, status)

-        # Prepare finding data
-        finding_uid = finding.uid
+                    if not last_first_seen_at:
+                        last_first_seen_at = datetime.now(tz=timezone.utc)

-        # TEMPORARY WORKAROUND: Skip findings with UID > 300 chars
-        # TODO: Remove this after implementing text field migration for finding.uid
-        if len(finding_uid) > 300:
-            skipped_findings_count += 1
-            logger.warning(
-                f"Skipping finding with UID exceeding 300 characters. "
-                f"Length: {len(finding_uid)}, "
-                f"Check: {finding.check_id}, "
-                f"Resource: {finding.resource_name}, "
-                f"UID: {finding_uid}"
-            )
-            continue
+                    # Determine if finding should be muted and why
+                    # Priority: mutelist processor (highest) > manual mute rules
+                    is_muted = False
+                    muted_reason = None
+                    if finding.muted:
+                        is_muted = True
+                        muted_reason = "Muted by mutelist"
+                    elif finding_uid in mute_rules_cache:
+                        is_muted = True
+                        muted_reason = mute_rules_cache[finding_uid]

-        last_status, last_first_seen_at = last_status_cache.get(
-            finding_uid, (None, None)
-        )
+                    if status == FindingStatus.FAIL and not is_muted:
+                        resource_failed_findings_cache[resource_uid] += 1

-        status = FindingStatus[finding.status]
-        delta = _create_finding_delta(last_status, status)
+                    check_metadata["compliance"] = finding.compliance
+                    finding_instance = Finding(
+                        tenant_id=tenant_id,
+                        uid=finding_uid,
+                        delta=delta,
+                        check_metadata=check_metadata,
+                        status=status,
+                        status_extended=finding.status_extended,
+                        severity=finding.severity,
+                        impact=finding.severity,
+                        raw_result=finding.raw,
+                        check_id=finding.check_id,
+                        scan=scan_instance,
+                        first_seen_at=last_first_seen_at,
+                        muted=is_muted,
+                        muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
+                        muted_reason=muted_reason,
+                        compliance=finding.compliance,
+                        categories=check_metadata.get("categories", []) or [],
+                        resource_groups=check_metadata.get("resourcegroup") or None,
+                        # Denormalized resource arrays populated directly on insert
+                        # (was previously a separate bulk_update; saves a CASE WHEN
+                        # over thousands of rows per micro-batch).
+                        resource_regions=[resource_instance.region]
+                        if resource_instance.region
+                        else [],
+                        resource_services=[resource_instance.service]
+                        if resource_instance.service
+                        else [],
+                        resource_types=[resource_instance.type]
+                        if resource_instance.type
+                        else [],
+                    )
+                    findings_to_create.append(finding_instance)
+                    resource_denormalized_data.append(
+                        (finding_instance, resource_instance)
+                    )

-        if not last_first_seen_at:
-            last_first_seen_at = datetime.now(tz=timezone.utc)
+                    scan_resource_cache.add(
+                        (
+                            str(resource_instance.id),
+                            resource_instance.service,
+                            resource_instance.region,
+                            resource_instance.type,
+                        )
+                    )

-        # Determine if finding should be muted and why
-        # Priority: mutelist processor (highest) > manual mute rules
-        is_muted = False
-        muted_reason = None
+                    aggregate_category_counts(
+                        categories=check_metadata.get("categories", []) or [],
+                        severity=finding.severity.value,
+                        status=status.value,
+                        delta=delta.value if delta else None,
+                        muted=is_muted,
+                        cache=scan_categories_cache,
+                    )

-        # Check mutelist processor first (highest priority)
-        if finding.muted:
-            is_muted = True
-            muted_reason = "Muted by mutelist"
-        # If not muted by mutelist, check manual mute rules
-        elif finding_uid in mute_rules_cache:
-            is_muted = True
-            muted_reason = mute_rules_cache[finding_uid]
+                    aggregate_resource_group_counts(
+                        resource_group=check_metadata.get("resourcegroup") or None,
+                        severity=finding.severity.value,
+                        status=status.value,
+                        delta=delta.value if delta else None,
+                        muted=is_muted,
+                        resource_uid=resource_instance.uid if resource_instance else "",
+                        cache=scan_resource_groups_cache,
+                        group_resources_cache=group_resources_cache,
+                    )

-        # Increment failed_findings_count cache if needed
-        if status == FindingStatus.FAIL and not is_muted:
-            resource_failed_findings_cache[resource_uid] += 1
+                # 4) Bulk create ResourceTagMappings
+                # Replaces the original per-resource `upsert_or_delete_tags`
+                # (which did one `update_or_create` + SELECT FOR UPDATE per mapping).
+                if tag_mappings_to_create:
+                    # Pre-SELECT existing pairs: `bulk_create(ignore_conflicts=True)`
+                    # does not populate `pk`, so we cannot tell new vs existing from
+                    # the result; we need that to bump `updated_at` only on resources
+                    # that actually gain a mapping.
+                    candidate_resource_ids = {
+                        m.resource_id for m in tag_mappings_to_create
+                    }
+                    candidate_tag_ids = {m.tag_id for m in tag_mappings_to_create}
+                    existing_pairs = set(
+                        ResourceTagMapping.objects.filter(
+                            tenant_id=tenant_id,
+                            resource_id__in=candidate_resource_ids,
+                            tag_id__in=candidate_tag_ids,
+                        ).values_list("resource_id", "tag_id")
+                    )
+                    resource_uid_by_id = {
+                        str(r.id): uid for uid, r in resource_cache.items()
+                    }
+                    for m in tag_mappings_to_create:
+                        if (m.resource_id, m.tag_id) not in existing_pairs:
+                            uid = resource_uid_by_id.get(str(m.resource_id))
+                            if uid is not None:
+                                resources_with_new_tag_mappings.add(uid)

-        # Create finding object (don't save yet)
-        check_metadata = finding.get_metadata()
-        check_metadata["compliance"] = finding.compliance
-        finding_instance = Finding(
-            tenant_id=tenant_id,
-            uid=finding_uid,
-            delta=delta,
-            check_metadata=check_metadata,
-            status=status,
-            status_extended=finding.status_extended,
-            severity=finding.severity,
-            impact=finding.severity,
-            raw_result=finding.raw,
-            check_id=finding.check_id,
-            scan=scan_instance,
-            first_seen_at=last_first_seen_at,
-            muted=is_muted,
-            muted_at=datetime.now(tz=timezone.utc) if is_muted else None,
-            muted_reason=muted_reason,
-            compliance=finding.compliance,
-            categories=check_metadata.get("categories", []) or [],
-            resource_groups=check_metadata.get("resourcegroup") or None,
-        )
-        findings_to_create.append(finding_instance)
-        resource_denormalized_data.append((finding_instance, resource_instance))
+                    ResourceTagMapping.objects.bulk_create(
+                        tag_mappings_to_create,
+                        batch_size=SCAN_DB_BATCH_SIZE,
+                        ignore_conflicts=True,
+                        unique_fields=["tenant_id", "resource_id", "tag_id"],
+                    )

-        # Track for scan summary
-        scan_resource_cache.add(
-            (
-                str(resource_instance.id),
-                resource_instance.service,
-                resource_instance.region,
-                resource_instance.type,
-            )
-        )
+                # 5) Bulk create Findings
+                if findings_to_create:
+                    Finding.objects.bulk_create(
+                        findings_to_create, batch_size=SCAN_DB_BATCH_SIZE
+                    )

-        # Track categories with counts for ScanCategorySummary by (category, severity)
-        aggregate_category_counts(
-            categories=check_metadata.get("categories", []) or [],
-            severity=finding.severity.value,
-            status=status.value,
-            delta=delta.value if delta else None,
-            muted=is_muted,
-            cache=scan_categories_cache,
-        )
+                # 6) Bulk create ResourceFindingMapping rows
+                mappings_to_create = [
+                    ResourceFindingMapping(
+                        tenant_id=tenant_id,
+                        resource=resource_instance,
+                        finding=finding_instance,
+                    )
+                    for finding_instance, resource_instance in resource_denormalized_data
+                ]
+                if mappings_to_create:
+                    created_mappings = ResourceFindingMapping.objects.bulk_create(
+                        mappings_to_create,
+                        batch_size=SCAN_DB_BATCH_SIZE,
+                        ignore_conflicts=True,
+                        unique_fields=["tenant_id", "resource_id", "finding_id"],
+                    )
+                    inserted = sum(1 for m in created_mappings if m.pk)
+                    if inserted != len(mappings_to_create):
+                        logger.error(
+                            f"scan {scan_instance.id}: expected "
+                            f"{len(mappings_to_create)} ResourceFindingMapping rows, "
+                            f"inserted {inserted}. Rolling back micro-batch."
+                        )

-        # Track resource groups with counts for ScanGroupSummary
-        aggregate_resource_group_counts(
-            resource_group=check_metadata.get("resourcegroup") or None,
-            severity=finding.severity.value,
-            status=status.value,
-            delta=delta.value if delta else None,
-            muted=is_muted,
-            resource_uid=resource_instance.uid if resource_instance else "",
-            cache=scan_resource_groups_cache,
-            group_resources_cache=group_resources_cache,
-        )
-
-    # Bulk operations within single transaction
-    with rls_transaction(tenant_id):
-        # Bulk create findings
-        if findings_to_create:
-            Finding.objects.bulk_create(
-                findings_to_create, batch_size=SCAN_DB_BATCH_SIZE
-            )
-
-        # Bulk create resource-finding mappings
-        for finding_instance, resource_instance in resource_denormalized_data:
-            mappings_to_create.append(
-                ResourceFindingMapping(
-                    tenant_id=tenant_id,
-                    resource=resource_instance,
-                    finding=finding_instance,
+                # 7) Bulk update Resources
+                # Union of:
+                #  - resources whose fields changed (dirty_resources)
+                #  - resources that got new tag mappings (need updated_at bump,
+                #    preserving the original `self.save(update_fields=["updated_at"])`
+                #    behavior of `upsert_or_delete_tags`)
+                all_resource_uids_to_touch = (
+                    set(dirty_resources.keys()) | resources_with_new_tag_mappings
                )
-            )
-
-        if mappings_to_create:
-            created_mappings = ResourceFindingMapping.objects.bulk_create(
-                mappings_to_create,
-                batch_size=SCAN_DB_BATCH_SIZE,
-                ignore_conflicts=True,
-                unique_fields=["tenant_id", "resource_id", "finding_id"],
-            )
-            inserted = sum(1 for m in created_mappings if m.pk)
-            if inserted != len(mappings_to_create):
-                logger.error(
-                    f"scan {scan_instance.id}: expected "
-                    f"{len(mappings_to_create)} ResourceFindingMapping rows, "
-                    f"inserted {inserted}. Rolling back micro-batch."
+                if all_resource_uids_to_touch:
+                    now_utc = datetime.now(tz=timezone.utc)
+                    resources_to_bulk_update = []
+                    for uid in all_resource_uids_to_touch:
+                        # Use the instance from dirty_resources if present (has mutated
+                        # fields), otherwise the cached one (for updated_at bump only).
+                        r = dirty_resources.get(uid) or resource_cache.get(uid)
+                        if r is None:
+                            continue
+                        # Manually bump updated_at since bulk_update bypasses auto_now.
+                        r.updated_at = now_utc
+                        resources_to_bulk_update.append(r)
+                    if resources_to_bulk_update:
+                        Resource.objects.bulk_update(
+                            resources_to_bulk_update,
+                            [
+                                "metadata",
+                                "details",
+                                "partition",
+                                "region",
+                                "service",
+                                "type",
+                                "groups",
+                                "updated_at",
+                            ],
+                            batch_size=1000,
+                        )
+            # Successful execution: leave deadlock retry loop.
+            break
+        except (OperationalError, IntegrityError) as db_err:
+            if attempt < CELERY_DEADLOCK_ATTEMPTS - 1:
+                logger.warning(
+                    f"{'Deadlock error' if isinstance(db_err, OperationalError) else 'Integrity error'} "
+                    f"on micro-batch for scan {scan_instance.id}. Retrying (attempt {attempt + 1})..."
                )
-
-        # Update finding denormalized arrays
-        findings_to_update = []
-        for finding_instance, resource_instance in resource_denormalized_data:
-            if not finding_instance.resource_regions:
-                finding_instance.resource_regions = []
-            if not finding_instance.resource_services:
-                finding_instance.resource_services = []
-            if not finding_instance.resource_types:
-                finding_instance.resource_types = []
-
-            if resource_instance.region not in finding_instance.resource_regions:
-                finding_instance.resource_regions.append(resource_instance.region)
-            if resource_instance.service not in finding_instance.resource_services:
-                finding_instance.resource_services.append(resource_instance.service)
-            if resource_instance.type not in finding_instance.resource_types:
-                finding_instance.resource_types.append(resource_instance.type)
-
-            findings_to_update.append(finding_instance)
-
-        if findings_to_update:
-            Finding.objects.bulk_update(
-                findings_to_update,
-                ["resource_regions", "resource_services", "resource_types"],
-                batch_size=SCAN_DB_BATCH_SIZE,
-            )
-
-    # Bulk update dirty resources
-    if dirty_resources:
-        update_objects_in_batches(
-            tenant_id=tenant_id,
-            model=Resource,
-            objects=list(dirty_resources.values()),
-            fields=[
-                "metadata",
-                "details",
-                "partition",
-                "region",
-                "service",
-                "type",
-                "groups",
-            ],
-            batch_size=1000,
-        )
+                time.sleep(0.1 * (2**attempt))
+                # Clear accumulators that we appended to inside the failed transaction
+                # so the retry produces consistent results.
+                findings_to_create.clear()
+                resource_denormalized_data.clear()
+                tag_mappings_to_create.clear()
+                dirty_resources.clear()
+                resources_with_new_tag_mappings.clear()
+                continue
+            raise

    # Log skipped findings summary
    if skipped_findings_count > 0:
@@ -873,7 +1021,7 @@ def perform_prowler_scan(
        scan_instance = Scan.objects.get(pk=scan_id)
        scan_instance.state = StateChoices.EXECUTING
        scan_instance.started_at = datetime.now(tz=timezone.utc)
-        scan_instance.save()
+        scan_instance.save(update_fields=["state", "started_at", "updated_at"])

    # Find the mutelist processor if it exists
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
@@ -918,7 +1066,13 @@ def perform_prowler_scan(
                provider_instance.connection_last_checked_at = datetime.now(
                    tz=timezone.utc
                )
-                provider_instance.save()
+                provider_instance.save(
+                    update_fields=[
+                        "connected",
+                        "connection_last_checked_at",
+                        "updated_at",
+                    ]
+                )

        # If the provider is not connected, raise an exception outside the transaction.
        # If raised within the transaction, the transaction will be rolled back and the provider will not be marked
@@ -933,6 +1087,13 @@ def perform_prowler_scan(
        last_status_cache = {}
        resource_failed_findings_cache = defaultdict(int)

+        # Throttle scan_instance progress writes to avoid hammering the writer:
+        # only persist when progress moves by at least `PROGRESS_THROTTLE_DELTA`
+        # OR `PROGRESS_THROTTLE_SECONDS` have elapsed. The final progress (1.0)
+        # always persists in the `finally` block below.
+        last_persisted_progress = -1.0
+        last_persisted_progress_at = 0.0
+
        for progress, findings in prowler_scan.scan():
            # Process findings in micro-batches
            findings_list = list(findings)
@@ -959,10 +1120,20 @@ def perform_prowler_scan(
                    group_resources_cache=group_resources_cache,
                )

-            # Update scan progress
-            with rls_transaction(tenant_id):
-                scan_instance.progress = progress
-                scan_instance.save()
+            # Throttled progress save (the final save in the `finally` block
+            # below always runs regardless of throttle).
+            now = time.time()
+            progress_delta = progress - last_persisted_progress
+            elapsed = now - last_persisted_progress_at
+            if (
+                progress_delta >= PROGRESS_THROTTLE_DELTA
+                or elapsed >= PROGRESS_THROTTLE_SECONDS
+            ):
+                with rls_transaction(tenant_id):
+                    scan_instance.progress = progress
+                    scan_instance.save(update_fields=["progress", "updated_at"])
+                last_persisted_progress = progress
+                last_persisted_progress_at = now

        scan_instance.state = StateChoices.COMPLETED

@@ -976,13 +1147,16 @@ def perform_prowler_scan(
                    resources_to_update.append(resource_instance)

            if resources_to_update:
-                update_objects_in_batches(
-                    tenant_id=tenant_id,
-                    model=Resource,
-                    objects=resources_to_update,
-                    fields=["failed_findings_count"],
-                    batch_size=1000,
-                )
+                # Single rls_transaction wrapping the bulk_update (previously
+                # `update_objects_in_batches` opened one rls_transaction per
+                # chunk; for tenants with many resources this collapsed N
+                # BEGINs/COMMITs into 1).
+                with rls_transaction(tenant_id):
+                    Resource.objects.bulk_update(
+                        resources_to_update,
+                        ["failed_findings_count"],
+                        batch_size=SCAN_DB_BATCH_SIZE,
+                    )

    except Exception as e:
        logger.error(f"Error performing scan {scan_id}: {e}")
@@ -994,7 +1168,16 @@ def perform_prowler_scan(
            scan_instance.duration = time.time() - start_time
            scan_instance.completed_at = datetime.now(tz=timezone.utc)
            scan_instance.unique_resource_count = len(unique_resources)
-            scan_instance.save()
+            scan_instance.save(
+                update_fields=[
+                    "state",
+                    "duration",
+                    "completed_at",
+                    "unique_resource_count",
+                    "progress",
+                    "updated_at",
+                ]
+            )

    if exception is not None:
        raise exception
@@ -4494,7 +4494,7 @@ dependencies = [

 [[package]]
 name = "prowler-api"
-version = "1.28.0"
+version = "1.30.0"
 source = { virtual = "." }
 dependencies = [
    { name = "cartography" },
@@ -0,0 +1,30 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
+  "name": "prowler",
+  "version": "0.1.0",
+  "description": "Prowler for Claude Code — cloud security and compliance skills powered by the Prowler MCP server. Bundles compliance triage and remediation; more skills coming.",
+  "author": {
+    "name": "Prowler",
+    "email": "support@prowler.com",
+    "url": "https://prowler.com"
+  },
+  "homepage": "https://docs.prowler.com",
+  "repository": "https://github.com/prowler-cloud/prowler",
+  "license": "Apache-2.0",
+  "keywords": [
+    "prowler",
+    "security",
+    "compliance",
+    "cloud-security",
+    "mcp"
+  ],
+  "userConfig": {
+    "api_key": {
+      "type": "string",
+      "title": "Prowler API key",
+      "description": "API key token used to authenticate with Prowler Cloud / Prowler App via the Prowler MCP server. Create one at https://cloud.prowler.com.",
+      "sensitive": true,
+      "required": true
+    }
+  }
+}
@@ -0,0 +1,9 @@
+{
+  "prowler": {
+    "type": "http",
+    "url": "https://mcp.prowler.com/mcp",
+    "headers": {
+      "Authorization": "Bearer ${user_config.api_key}"
+    }
+  }
+}
@@ -0,0 +1,80 @@
+# Prowler for Claude Code
+
+End-to-end cloud security and compliance from inside [Claude Code](https://www.claude.com/product/claude-code), powered by the [Prowler MCP server](https://docs.prowler.com/projects/prowler-mcp/). The plugin lets Claude walk a Prowler Cloud-connected account through a compliance assessment and remediate findings until the chosen security or industry framework is compliant.
+
+> **Preview**: this plugin is under active development. Report issues at <https://github.com/prowler-cloud/prowler/issues> or join the [Slack community](https://goto.prowler.com/slack).
+
+## Requirements
+
+- [Claude Code](https://www.claude.com/product/claude-code) installed and signed in.
+- A [Prowler Cloud](https://cloud.prowler.com) account (the free tier is enough to start).
+- A Prowler API key — create one at <https://cloud.prowler.com/profile>.
+
+## Installation
+
+Inside a Claude Code session:
+
+```text
+/plugin marketplace add prowler-cloud/prowler
+/plugin install prowler@prowler-plugins
+```
+
+Or, if you already have the repo checked out locally:
+
+```text
+/plugin marketplace add /absolute/path/to/prowler
+/plugin install prowler@prowler-plugins
+```
+
+## Configuration
+
+On first install, Claude Code prompts for your **Prowler API key**. It is stored securely (macOS keychain or `~/.claude/.credentials.json`) and used to authenticate against Prowler Cloud.
+
+To rotate the key, uninstall and reinstall the plugin — Claude Code will prompt again.
+
+## Verify the install
+
+In a Claude Code session:
+
+```text
+/mcp          → "prowler" appears as a connected server
+/plugin       → "prowler" enabled, skill listed as prowler:framework-compliance-triage
+```
+
+If `/mcp` reports the `prowler` server as failed, the most common cause is a rejected API key — re-issue one in Prowler Cloud and reinstall the plugin so it re-prompts.
+
+## Usage
+
+Open a conversation that mentions the framework you want to comply with. Examples:
+
+- *"Make my AWS production account compliant with CIS 4.0."*
+- *"Make my current Terraform project compliant with the Prowler ThreatScore Compliance Framework based on the latest scan results."*
+- *"Help me get to 100% on PCI-DSS for this GCP project."*
+
+You pick a **primary tool** (Terraform, gh / az / aws CLI, web console, or mixed) and a **mode**:
+
+- **Claude-assisted** (default). Claude shows each fix — target resource, exact commands, side effects, reversibility — and waits for your go-ahead before applying.
+- **Claude autonomous**. Claude presents a single up-front plan grouped by shared fixes, waits for one confirmation, then proceeds. It pauses mid-loop if a fix has wide blast radius or a finding is not applicable.
+
+Claude tracks progress in a markdown report under `.prowler/` at your project root — one file per framework × account. Open it any time to see exactly where the flow is. When all findings are addressed, Claude proposes a fresh Prowler scan to verify everything end-to-end.
+
+## Uninstalling
+
+```text
+/plugin uninstall prowler@prowler-plugins
+/plugin marketplace remove prowler-plugins
+```
+
+The stored API key is removed automatically.
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| `/mcp` shows `prowler` as failed | Rejected API key | Generate a new one in Prowler Cloud and reinstall the plugin to re-prompt. |
+| Skill not invoked when expected | The skill description didn't match the prompt | Mention the framework name plus "compliance" or "compliant" in your prompt. |
+| "Framework not supported" | Prowler Hub does not list the framework for that provider | Open an issue or PR at <https://github.com/prowler-cloud/prowler>. |
+
+## License
+
+Apache 2.0 — see [LICENSE](../../LICENSE).
@@ -0,0 +1,199 @@
+---
+name: framework-compliance-triage
+description: Make a cloud account compliant with a security or industry framework using Prowler Cloud.
+---
+
+# Framework compliance
+
+Iterative, interactive flow that takes a cloud account through setup, reporting, and remediation until it complies with the chosen security or industry framework.
+
+## Checkpoints
+
+This skill uses **checkpoints** to mark moments where you must stop, post a clear question or summary to the user, and wait for the reply before continuing. Each checkpoint is rendered like this:
+
+> **Checkpoint — <name>**
+>
+> What to present, and what to wait for.
+
+Treat every checkpoint as a hard stop:
+
+- Do not skip a checkpoint because the user previously said "go ahead", "just do it", or similar. Confirmations are scoped to a single checkpoint and do not transfer to later ones.
+- Do not bundle two checkpoints into one message. Post one, wait for the reply, then continue.
+- Do not infer the user's answer from context or proceed on silence. Ask explicitly and wait.
+- If a checkpoint is conditional (e.g. only fires when multiple accounts exist), evaluate the condition first; if it does not apply, continue without prompting.
+- If the user's initial message already answers the question a checkpoint asks (e.g. "make my AWS subscription compliant with CIS using Terraform autonomously"), treat the checkpoint as satisfied for the parts they covered, and only ask for what is still missing.
+
+## 1. Initial Prowler Cloud setup
+
+> **Checkpoint — Provider and framework selection**
+>
+> If the user has not already specified both the provider and the framework, ask explicitly and wait for the answer. If they have specified them in their opening message, skip this checkpoint.
+
+Confirm both are supported by the Prowler Hub MCP:
+
+- Enumerate supported providers with `prowler_hub_list_providers`.
+- Enumerate frameworks for the chosen provider with `prowler_hub_list_compliances`, passing the provider `id` as the only element of the `provider` input list.
+
+If the framework is not supported, tell the user, suggest they request it or contribute it themselves, and end the flow. Otherwise continue.
+
+### 1.1 Connect to Prowler Cloud
+
+Verify the Prowler MCP connection by calling `prowler_app_search_providers` — a successful response returns the list of providers. If the call fails, walk the user through troubleshooting: internet connectivity, Prowler Cloud credentials, and permissions on the Prowler Cloud account.
+For getting accurate information about configurations use `prowler_docs_search` to pull relevant instructions from the Prowler documentation.
+
+### 1.2 Verify the provider is configured (or configure it)
+
+Call `prowler_app_search_providers` to check whether the target provider (AWS account, Azure Subscription, GitHub Account...) exists in the user's Prowler Cloud account. Handle the result based on what's found:
+
+- **Provider not present.** Guide the user through adding and configuring it. Retrieve the relevant connection, credential, and permission instructions with `prowler_docs_search`.
+- **Provider present but misconfigured** (missing credentials, insufficient permissions, etc.). Walk the user through fixing the configuration, pulling the relevant guidance with `prowler_docs_search`.
+- **Provider present and configured.** Continue.
+
+> **Checkpoint — Account selection** *(conditional: more than one account of the chosen provider is configured)*
+>
+> List the accounts with helpful detail (account name, uid, last scan date) and ask which one to use. Wait for the answer. If only one account exists, skip this checkpoint and use it.
+
+### 1.3 Review compliance report for the provider account
+
+The flow needs at least one completed scan with a compliance report available.
+
+Look for a completed scan first: call `prowler_app_list_scans` with the selected `provider_id` and `state: ["completed"]`, then call `prowler_app_get_compliance_overview` with each `scan_id` to find one whose compliance report is available. If one is found, continue to the next section.
+
+If no completed scan has a report, call `prowler_app_list_scans` again with `state: ["available", "executing"]` to detect a scan in progress.
+
+> **Checkpoint — Scan-in-progress decision** *(conditional: an in-progress scan was detected)*
+>
+> Tell the user a scan is already running and ask whether to wait for it to complete or start a fresh one. Wait for the answer.
+
+If no scan is running (or the user chose to start a fresh one), trigger a new scan with `prowler_app_trigger_scan` and the `provider_id`. The link `https://cloud.prowler.com/scans?filter%5Bprovider_uid__in%5D={provider_id}` lets the user monitor progress.
+
+When a scan is in progress (either pre-existing and elected to wait, or just triggered), stop the flow and ask the user to return when it's completed — restart this section to re-check the results.
+
+## 2. Compliance report
+
+Every iteration of the remediation loop reads and writes a single markdown file per provider account and framework, stored at `${CLAUDE_PROJECT_DIR}/.prowler/compliance-<compliance_id>-<provider_uid>.md`. Sanitize `<provider_uid>` to `[a-zA-Z0-9_-]` by replacing anything else with `-`. Create `.prowler/` if missing.
+
+Across iterations, edit only: status tags on failed requirements and their findings, the per-requirement `Fix plan` / `Fix applied` sub-bullets added during sections 3.3–3.4, the **Global remediation approach** block, and the **Activity log** (append-only, newest on top). Requirement descriptions, finding IDs, and the entire **Manual review requirements** section are read-only after first render.
+
+Status taxonomy for failed requirements and their findings:
+
+- `[FAIL]` — failing in the latest scan.
+- `[IN PROGRESS]` — picked up by section 3.3.
+- `[FIXED-UNVERIFIED]` — remediation applied; not yet confirmed.
+- `[PASS]` — passing in the latest scan (set when a rescan in section 3.5 confirms the fix).
+- `[SKIPPED]` — user explicitly deferred.
+
+### Report template
+
+A fresh report is rendered like this (substituting values from the `prowler_app_get_compliance_framework_state_details` Prowler MCP tool response):
+
+````markdown
+# Compliance report: <compliance_id>
+
+**Provider account**: <display name + uid>
+**Scan ID**: <scan_id>
+**Generated**: <ISO timestamp>
+**Last update**: <ISO timestamp>
+**Status**: <passed>/<total> passing (<pct>%) · <failed> failing · <manual_review> manual review
+
+## Global remediation approach
+<!-- Filled by section 3.1. -->
+- **Primary tool**: _Terraform | Azure CLI | AWS CLI | web console | mixed_
+- **Mode**: _Claude autonomous | Claude-assisted_
+- **Notes**:
+
+## Activity log
+- <ISO timestamp> — Report initialized from scan `<scan_id>`.
+
+## Failed requirements
+
+### <code> — [FAIL]
+**Description**: <text>
+**Findings** (<n>):
+- [FAIL] `<finding_id>`
+
+## Manual review requirements
+- **<code>** — [PENDING]: <description>
+````
+
+### 2.1 Generate or refresh the report
+
+Resolve the report path for the current `compliance_id` and provider account.
+
+If the file does not exist, call `prowler_app_get_compliance_framework_state_details` for the target scan, render the template above, and write the file with one initialization entry in the activity log.
+
+If the file exists, read it and compare its `Scan ID` to the target scan from section 1.3. When the scan matches, reuse the file and summarize remaining `[FAIL]` and `[IN PROGRESS]` items in chat.
+
+> **Checkpoint — Report refresh** *(conditional: the file's `Scan ID` differs from the current target scan)*
+>
+> Tell the user the report on disk was generated from a different scan and ask whether to refresh it from the new scan. Wait for the answer.
+
+On confirmation, regenerate the failed-requirements section from the new `prowler_app_get_compliance_framework_state_details` response, carry forward the **Global remediation approach** block and the full activity log, and append an activity-log entry noting the scan change.
+
+Once the file is current, surface the top failing requirements in chat: sort by finding count descending, show the top 5 with their codes and counts, and point to the file path for the full list.
+
+## 3. Remediation loop
+
+### 3.1 Define the global remediation approach
+
+Two modes are available:
+
+- **Claude-assisted** (default when the user has not specified): per-requirement confirmation. For each requirement Claude shows the target resource, exact commands, side effects, and reversibility, then waits for explicit go-ahead before applying.
+- **Claude autonomous**: no per-requirement gate, but Claude still presents one batch-level fix plan up front (§3.2) and waits for a single confirmation, and pauses if a finding looks not applicable, requires a paid feature, or has wide blast radius (breaks dev workflow, forces collaborator changes, is hard to reverse).
+
+If the user phrases their request as "just do it" or similar, treat that as autonomous **with** the batch-plan confirmation still required — the confirmation is a property of the skill, not the user's verbosity preference.
+
+> **Checkpoint — Global remediation approach**
+>
+> Ask the user which tool to use for fixes (Terraform, gh / az / aws CLI, web console, mixed...) and which mode to operate in. Wait for the answer before continuing. This checkpoint is non-negotiable: never assume a default tool, and never assume autonomous mode.
+
+Once answered, write the values into the **Global remediation approach** block of the report file.
+
+> **Checkpoint — Overwriting an existing approach** *(conditional: the block is already populated from a previous session)*
+>
+> Show the previous values and the new ones, and ask the user to confirm before overwriting. Wait for the answer.
+
+### 3.2 Present the batch fix plan *(autonomous mode only)*
+
+In **assisted** mode, skip this section — the per-requirement gate in §3.3 confirms each fix as it comes up. Only run §3.2 in **autonomous** mode, where the loop will otherwise apply fixes without further input.
+
+Before touching anything, post a single chat summary covering every `[FAIL]` requirement:
+
+- Group findings that share a fix (e.g. ten branch-protection requirements satisfied by one PUT call → present as one group).
+- For each group: target resource, exact tool calls, side effects, reversibility.
+- Call out findings that look **not applicable** to this target (e.g. an Organization-only check evaluated against a User account, a feature gated by a paid plan, a resource type the user doesn't have) and propose `[SKIPPED]` with the reason.
+- Call out findings that require manual user action Claude cannot perform.
+
+> **Checkpoint — Batch fix plan approval** *(conditional: autonomous mode)*
+>
+> Post the grouped plan and wait for explicit confirmation. Do not start any fix before the user replies.
+
+Once approved, the loop proceeds through the batch without further prompts unless something deviates from the approved plan.
+
+### 3.3 Pick the first FAIL requirement and inspect its findings
+
+Pick the first `[FAIL]` requirement at the top of the failed-requirements section. Move its status and every finding under it to `[IN PROGRESS]`, and add a `**Fix plan**:` sub-bullet describing what will be done.
+
+Call `prowler_app_get_finding_details` for each `finding_id` to retrieve the failing resource and the Prowler Hub's remediation guidance for that check using the tool `prowler_hub_get_check_details` with the `check_id` from the finding details. Summarize the guidance in chat, and append it to the `**Fix plan**` note for each finding.
+
+If a finding does not apply to the target resource (Organization-only check on a User account, paid-tier feature, missing resource type, etc.), set the requirement status to `[SKIPPED]` with the reason, log it in the activity log, and move on without attempting the fix — even if it was missed during §3.2.
+
+> **Checkpoint — Per-requirement approval** *(conditional: assisted mode)*
+>
+> Post the per-requirement plan in chat — resource, command, side effects, reversibility — and wait for confirmation before moving to §3.4. In **autonomous** mode, post the plan for transparency but proceed unless it deviates from the batch plan agreed in §3.2.
+
+### 3.4 Diagnose, fix, verify
+
+Read the remediation guidance returned in §3.3, identify the root cause, and apply the fix using the tool defined in the **Global remediation approach** block. After applying, verify via the same tool that applied the fix or via a provider API call when applicable. If the re-read shows the change did not land, leave the status at `[IN PROGRESS]`, surface the error to the user, and stop the loop for this requirement.
+
+When the change is in place, append a `**Fix applied**: <tool, summary, refs>` sub-bullet to the requirement, move each fixed finding to `[FIXED-UNVERIFIED]`, and add one activity-log entry describing the change. If no programmatic verification was possible (e.g. web console action), note in the activity log that confirmation depends on the rescan in §3.5.
+
+### 3.5 Loop
+
+Move to the next `[FAIL]` requirement and repeat from section 3.3.
+
+> **Checkpoint — Rescan trigger** *(conditional: no `[FAIL]` requirements remain; all are `[FIXED-UNVERIFIED]` or `[SKIPPED]`)*
+>
+> Summarize what was applied, list any `[SKIPPED]` items with reasons, and ask whether to trigger a fresh scan with `prowler_app_trigger_scan` to verify the fixes end-to-end. Wait for the answer.
+
+On confirmation, trigger the rescan. When it completes, restart section 2.1 with the carry-forward path — requirements no longer in the new FAIL list move to `[PASS]`, anything still failing reverts to `[FAIL]` with the previous fix attempt visible in the activity log.
@@ -134,7 +134,7 @@ Example 1 is vague and even potentially ambiguous. Verbs state your purpose and

 Explicit use of second-person pronouns (you) and possessives (your) should be minimized whenever possible. Those constructions are best reserved for cases when instructions are directly given in an imperative form:

-**Example of Improvement Through Avoiding Second Person Pronouns**
+### Example of Improvement Through Avoiding Second Person Pronouns

 **Original:**
 Prowler App can be installed in different ways, depending on your environment:
@@ -236,7 +236,7 @@ The use of bullet points is highly recommended when:
 * Information can be logically divided into multiple categories, each sharing characteristics, features, or other relevant classifications.
 * Items are significant enough as standalone concepts to deserve their own bullet point.

-**Example of Improvement Through Bullet Points**
+#### Example of Improvement Through Bullet Points

 **Original:**
 It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMS, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme), and your custom security frameworks.
@@ -0,0 +1,730 @@
+---
+title: 'StackIT Provider'
+---
+
+This page details the [StackIT Cloud](https://www.stackit.de/) provider implementation in Prowler.
+
+By default, Prowler audits a single StackIT project per scan. To configure it, provide the project ID and either a service account key file path or inline service account key JSON.
+
+## StackIT Provider Classes Architecture
+
+The StackIT provider implementation follows the general [Provider structure](/developer-guide/provider). This section focuses on the StackIT-specific implementation, highlighting how the generic provider concepts are realized for StackIT in Prowler. For a full overview of the provider pattern, base classes, and extension guidelines, see [Provider documentation](/developer-guide/provider).
+
+### `StackitProvider` (Main Class)
+
+- **Location:** [`prowler/providers/stackit/stackit_provider.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/stackit_provider.py)
+- **Base Class:** Inherits from `Provider` (see [base class details](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/common/provider.py)).
+- **Purpose:** Central orchestrator for StackIT-specific logic, API authentication, credential validation, and configuration.
+- **Key StackIT Responsibilities:**
+    - Initializes StackIT SDK authentication via a service account key file or inline service account key JSON. The SDK mints and refreshes access tokens internally.
+    - Validates the service account credentials and project ID (UUID format validation).
+    - Loads and manages configuration, mutelist, and fixer settings.
+    - Provides properties and methods for downstream StackIT service classes to access credentials, identity, and configuration data.
+
+### Data Models
+
+- **Location:** [`prowler/providers/stackit/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/models.py)
+- **Purpose:** Define structured data for StackIT identity and output configuration.
+- **Key StackIT Models:**
+    - `StackITIdentityInfo`: Holds StackIT identity metadata, including project ID and project name (fetched automatically from Resource Manager API).
+    - `StackITOutputOptions`: Customizes default output filenames so StackIT reports include the audited project ID.
+    - IaaS resource models such as `SecurityGroup` and `SecurityGroupRule` are defined in the IaaS service module.
+
+### StackIT Services
+
+- **Location:** [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
+- **Purpose:** Implement StackIT service clients and resource collection logic following the generic [service pattern](/developer-guide/services#service-base-class).
+- **Current Implementation:** The `IaaSService` collects security groups, rules, and network interface usage across supported StackIT regions.
+
+### Exception Handling
+
+- **Location:** [`prowler/providers/stackit/exceptions/exceptions.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/exceptions/exceptions.py)
+- **Purpose:** Custom exception classes for StackIT-specific error handling, such as credential validation, API connection, and configuration errors.
+- **Key Exception Classes:**
+    - `StackITBaseException`: Base exception for all StackIT provider errors.
+    - `StackITCredentialsError`: Raised when credentials are invalid or missing.
+    - `StackITInvalidProjectIdError`: Raised when project ID is invalid or not in UUID format.
+    - `StackITAPIError`: Raised when StackIT API calls fail.
+
+## Authentication
+
+### Service Account Creation and Key Generation
+
+StackIT uses service account keys for API authentication. Service account keys are RSA key-pair based and provide secure, short-lived access tokens.
+
+### Creating a Service Account Key
+
+#### Method 1: Via StackIT Portal
+
+1. **Navigate to Service Accounts**
+   - Go to the [StackIT Portal](https://portal.stackit.cloud/)
+   - Select your project
+   - Click on **Service Accounts** in the left sidebar
+
+2. **Create or Select Service Account**
+   - If you don't have a service account, click **Create Service Account**
+   - Provide a name and description
+   - Assign necessary permissions:
+     - For IaaS security checks: `iaas.viewer` or `project.owner`
+     - For comprehensive audits: `project.owner`
+
+3. **Generate Service Account Key**
+   - Select your service account
+   - Navigate to **Service Account Keys**
+   - Click **Create key**
+   - Choose one of the following options:
+     - **STACKIT-generated key pair** (Recommended): Let STACKIT automatically generate an RSA key-pair
+     - **User-provided key pair**: Upload your own RSA 2048 public key
+
+4. **Download and Save the Key**
+   - Download the generated service account key file (JSON format)
+   - **Important**: Save the key securely - it contains your private key and will only be available once
+   - Store the key file in a secure location (e.g., `~/.stackit/sa_key.json`)
+
+#### Method 2: Via StackIT CLI
+
+```bash
+# Install STACKIT CLI (if not already installed)
+# Follow instructions at: https://github.com/stackitcloud/stackit-cli
+
+# Create service account key (STACKIT-generated)
+stackit service-account key create --email my-service-account@example.com
+
+# Or create with your own RSA 2048 public key
+# First, generate your RSA key pair:
+openssl genrsa -out private-key.pem 2048
+openssl rsa -in private-key.pem -pubout -out public-key.pem
+
+# Then create the key with your public key:
+stackit service-account key create \
+  --email my-service-account@example.com \
+  --public-key "$(cat public-key.pem)"
+```
+
+### Finding Your Project ID
+
+Your StackIT project ID is a UUID that can be found:
+
+1. In the StackIT Portal URL when viewing your project: `https://portal.stackit.cloud/projects/{PROJECT_ID}/...`
+2. In the project settings page
+3. Using the StackIT CLI: `stackit project list`
+
+### Passing the Service Account Key to Prowler
+
+Prowler accepts the service account credentials in two equivalent forms; both go through the same StackIT SDK flow and refresh access tokens internally.
+
+#### Option 1: Key File Path (key persisted on disk)
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+Or as CLI flags:
+
+```bash
+prowler stackit \
+  --stackit-service-account-key-path ~/.stackit/sa-key.json \
+  --stackit-project-id 12345678-1234-1234-1234-123456789abc
+```
+
+#### Option 2: Inline Key Content (CI/CD, secret managers)
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY="$(vault kv get -field=key stackit/sa)"
+export STACKIT_PROJECT_ID="12345678-1234-1234-1234-123456789abc"
+
+prowler stackit
+```
+
+Prefer the environment variable over the matching `--stackit-service-account-key` CLI flag; passing the secret on the command line leaks it through process listings and shell history.
+
+### Credential Lookup Order
+
+Prowler resolves credentials in this order:
+
+1. **Command-line arguments**:
+   - `--stackit-service-account-key`
+   - `--stackit-service-account-key-path`
+   - `--stackit-project-id`
+2. **Environment variables**:
+   - `STACKIT_SERVICE_ACCOUNT_KEY`
+   - `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
+   - `STACKIT_PROJECT_ID`
+
+When both the inline key and the key file path are set, the inline content takes precedence.
+
+## Configuration
+
+### Command-Line Arguments
+
+StackIT-specific command-line arguments:
+
+| Argument | Description | Required | Default |
+|----------|-------------|----------|---------|
+| `--stackit-service-account-key-path` | Path to a StackIT service account key JSON file | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY_PATH` |
+| `--stackit-service-account-key` | Inline JSON content of a StackIT service account key (preferred env var: `STACKIT_SERVICE_ACCOUNT_KEY`) | Yes* | `$STACKIT_SERVICE_ACCOUNT_KEY` |
+| `--stackit-project-id` | StackIT project ID (UUID format) | Yes* | `$STACKIT_PROJECT_ID` |
+| `--stackit-region` | StackIT region(s) to scan | No | All available regions |
+
+\* Required unless provided via environment variables.
+
+### Input Validation
+
+The StackIT provider performs comprehensive input validation:
+
+- **Service Account Credentials**:
+  - At least one of `service_account_key_path` (file path) or `service_account_key` (inline JSON) must be supplied; both empty raises `StackITNonExistentTokenError`
+  - When both are provided the inline content takes precedence
+  - The key file path is logged as-is; the inline content is redacted in the credentials box
+
+- **Project ID**:
+  - Must not be empty
+  - Must be a valid UUID format (e.g., `12345678-1234-1234-1234-123456789abc`)
+  - Validated using Python's UUID constructor
+
+Invalid credentials will result in clear error messages before any API calls are made.
+
+## Available Services
+
+### IaaS (Infrastructure as a Service)
+
+- **Service Class:** `IaaSService`
+- **Location:** [`prowler/providers/stackit/services/iaas/iaas_service.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/stackit/services/iaas/iaas_service.py)
+- **SDK:** Uses the [stackit-iaas](https://pypi.org/project/stackit-iaas/) Python SDK
+- **Purpose:** Manages IaaS resources including security groups, servers, and network interfaces.
+
+**Supported Resources:**
+- Security Groups and Rules
+- Servers (Virtual Machines)
+- Network Interfaces (NICs)
+
+**Key Features:**
+- Automatic discovery of all security groups in the project
+- Security rule parsing with support for unrestricted access detection
+- Network interface analysis to determine whether security groups are in use
+- By default, reports only security groups attached to at least one NIC; `--scan-unused-services` includes unused security groups too
+
+## Available Checks
+
+The StackIT provider currently implements 4 security checks focused on network security:
+
+### 1. iaas_security_group_ssh_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted SSH access (port 22) from the internet.
+- **Risk:** Unrestricted SSH access increases the attack surface and risk of brute-force attacks.
+- **Detection Logic:**
+  - Checks for ingress rules allowing TCP port 22
+  - Flags rules with `ip_range=None` or `ip_range="0.0.0.0/0"` or `ip_range="::/0"`
+  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
+
+### 2. iaas_security_group_rdp_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted RDP access (port 3389) from the internet.
+- **Risk:** Unrestricted RDP access enables potential unauthorized remote desktop access.
+- **Detection Logic:**
+  - Checks for ingress rules allowing TCP port 3389
+  - Flags unrestricted IP ranges (None, 0.0.0.0/0, ::/0)
+  - Reports security groups attached to NICs by default, or all security groups when `--scan-unused-services` is enabled
+
+### 3. iaas_security_group_database_unrestricted
+
+- **Severity:** High
+- **Description:** Detects security groups that allow unrestricted access to common database ports.
+- **Monitored Ports:**
+  - MySQL: 3306
+  - PostgreSQL: 5432
+  - MongoDB: 27017
+  - Redis: 6379
+  - SQL Server: 1433
+  - CouchDB: 5984
+- **Risk:** Unrestricted database access can lead to data breaches and unauthorized data access.
+
+### 4. iaas_security_group_all_traffic_unrestricted
+
+- **Severity:** Critical
+- **Description:** Detects security groups that allow all traffic from the internet.
+- **Detection Logic:**
+  - Checks for rules with `port_range=None` (all ports)
+  - Checks for rules with port range covering 0-65535 or 1-65535
+  - Flags unrestricted IP ranges
+  - Critical security misconfiguration requiring immediate remediation
+
+### Important Implementation Notes
+
+**Self-Referencing Security Group Rules:**
+
+Security group rules with `remoteSecurityGroupId` set are automatically filtered out from unrestricted access checks. These rules only allow traffic from instances within the same security group (self-referencing), not from the internet, and are therefore not flagged as security risks.
+
+**Rule Display Names:**
+
+All findings include user-friendly rule descriptions when available. If a security group rule has a description field set (the name shown in the StackIT UI), it will be displayed in the finding message along with the rule ID:
+- With description: `'Allow SSH from office' (sgr-abc123)`
+- Without description: `'sgr-abc123'`
+
+**Network Interface (NIC) Usage Filtering:**
+
+The IaaS service lists project NICs and records the security group IDs attached to them. Checks use that signal to decide whether a security group is in use:
+
+1. **Default behavior:** Report security groups attached to at least one NIC.
+2. **`--scan-unused-services`:** Report every security group, including unused ones.
+3. **FAIL logic:** Internet exposure is driven by security group rules that allow unrestricted source ranges, not by the presence of a public IP on the NIC.
+
+**Unrestricted IP Ranges:**
+
+The StackIT API represents "unrestricted" in two ways:
+- **`ip_range=null`**: No IP restriction specified (implicit unrestricted)
+- **`ip_range="0.0.0.0/0"` or `"::/0"`**: Explicitly configured to allow all IPs
+
+Both are flagged as unrestricted. A `null` value is **more permissive** than an explicit range and applies to all protocols/ports if other fields are also `null`.
+
+## Requirements
+
+### Python Version
+
+- **Minimum:** Python 3.10+
+- **Reason:** The StackIT SDK requires Python 3.10 or higher
+
+### Dependencies
+
+The StackIT provider requires the following Python packages (automatically installed with Prowler):
+
+- **stackit-core** (v0.2.0): Core SDK for StackIT API authentication and configuration
+- **stackit-iaas** (v1.4.0): IaaS service SDK for managing compute resources
+- **stackit-resourcemanager** (v0.8.0): Resource Manager SDK for fetching project metadata (e.g., project names)
+
+These dependencies are defined in `pyproject.toml` and installed automatically with:
+
+```bash
+poetry install
+```
+
+**Note:** The `stackit-resourcemanager` package enables automatic retrieval of project names for display in reports. If this package is not available, Prowler will still function normally but project names will be empty in the output.
+
+## Region Support
+
+### Supported Regions
+
+- **Available Regions:** `eu01` (Germany South) and `eu02` (Austria West)
+- **Default:** All scans use both `eu01` and `eu02` regions by default.
+
+### Multi-Region Scanning
+
+Prowler supports scanning multiple StackIT regions in a single execution. By default, it will scan all regions defined in the `stackit_regions_by_service.json` configuration file.
+
+### CLI Argument
+
+You can specify which regions to scan using the `--stackit-region` argument:
+
+```bash
+# Scan only eu01
+prowler stackit --stackit-region eu01
+
+# Scan both eu01 and eu02
+prowler stackit --stackit-region eu01 eu02
+```
+
+### Implementation Details
+
+- **Regional Clients:** Prowler generates a separate API client for each audited region.
+- **Service Iteration:** Each service (e.g., IaaS) iterates through the regional clients to fetch and audit resources.
+- **Identity Tracking:** The `audited_regions` are stored in the identity model for reporting.
+
+### Future Enhancements
+
+As StackIT adds more regions, they can be easily added to Prowler by updating the `prowler/providers/stackit/stackit_regions_by_service.json` file without requiring code changes.
+
+## Command Examples
+
+### Scan Specific Regions
+
+Scan only the `eu01` region:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --stackit-region eu01
+```
+
+Scan multiple regions:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --stackit-region eu01 eu02
+```
+
+### Scan Specific Checks
+
+Run only SSH unrestricted check:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --checks iaas_security_group_ssh_unrestricted
+```
+
+### Scan All Security Group Checks
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --services iaas
+```
+
+### Output Formats
+
+Generate JSON output:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --output-formats json
+```
+
+Generate HTML report:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --output-formats html
+```
+
+## Known Limitations
+
+### Current Limitations
+
+1. **Single Project Scope**: Only one project can be scanned at a time
+2. **Service Coverage**: Only the IaaS service is currently implemented
+3. **Check Coverage**: Limited to security group network security checks (4 checks total)
+4. **No Compliance Frameworks**: Compliance framework mappings are not yet implemented
+
+### Planned Enhancements
+
+- Multi-project scanning capability
+- Additional IaaS checks (volume encryption, server public IP exposure, backup status)
+- Compliance framework mappings (CIS, custom StackIT best practices)
+- StackIT CLI remediation examples in metadata
+
+## Troubleshooting
+
+### Authentication Errors
+
+**Error:** `StackIT service account key was rejected`
+
+**Solutions:**
+1. Re-issue the service account key in the StackIT Portal
+2. Verify the service account key file or inline JSON content is complete
+3. Check that the service account has the necessary permissions (`iaas.viewer` or `project.owner`)
+4. Ensure the service account key is provided through `STACKIT_SERVICE_ACCOUNT_KEY_PATH`, `STACKIT_SERVICE_ACCOUNT_KEY`, or the matching CLI arguments
+
+**Error:** `StackIT credentials not found or are invalid`
+
+**Solutions:**
+1. Ensure the project ID and one service account credential source are provided
+2. Check that credentials are set via environment variables or command-line arguments
+3. Verify there are no extra spaces or newlines in the credentials
+
+**Error:** `Invalid StackIT project ID format`
+
+**Solutions:**
+1. Verify the project ID is a valid UUID format: `12345678-1234-1234-1234-123456789abc`
+2. Copy the project ID directly from the StackIT Portal
+3. Ensure there are no extra spaces or quotes around the UUID
+
+### API Connection Errors
+
+**Error:** `Failed to connect to StackIT API`
+
+**Solutions:**
+1. Check your internet connection
+2. Verify the StackIT API endpoint is accessible from your network
+3. Check if there are any firewall rules blocking HTTPS connections
+4. Review the full error message for specific API error codes
+
+**Error:** `HTTP 403 Forbidden`
+
+**Solutions:**
+1. Verify the service account has the correct permissions
+2. Ensure the project ID is correct and you have access to it
+3. Check that the service account is enabled (not disabled or expired)
+4. Verify the service account key has not been revoked
+
+**Error:** `HTTP 404 Not Found`
+
+**Solutions:**
+1. Verify the project ID exists and is correct
+2. Check that the IaaS service is enabled in your project
+3. Ensure you're using the correct region (eu01)
+
+### Empty Results
+
+**Issue:** No security groups or findings reported
+
+**Solutions:**
+1. Verify that security groups exist in your project
+2. Check that the IaaS service is properly configured
+3. Ensure the service account has `iaas.viewer` permission
+4. Check Prowler logs for any API errors (use `--log-level DEBUG`)
+
+### Debug Mode
+
+Enable debug logging for detailed troubleshooting:
+
+```bash
+export STACKIT_SERVICE_ACCOUNT_KEY_PATH="$HOME/.stackit/sa-key.json"
+
+prowler stackit \
+  --stackit-project-id "your-project-id" \
+  --log-level DEBUG
+```
+
+This will show:
+- API authentication details (with inline service account keys redacted)
+- Resource discovery progress
+- Security rule parsing details
+- Any API errors or warnings
+
+## Specific Patterns in StackIT Services
+
+The generic service pattern is described in [service page](/developer-guide/services#service-structure-and-initialisation). You can find all the currently implemented services in the following locations:
+
+- Directly in the code, in location [`prowler/providers/stackit/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services)
+- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
+
+The best reference to understand how to implement a new service is following the [service implementation documentation](/developer-guide/services#adding-a-new-service) and taking other StackIT services as reference.
+
+### StackIT Service Common Patterns
+
+- Services communicate with StackIT using the StackIT Python SDK, you can find the documentation [here](https://github.com/stackitcloud/stackit-sdk-python).
+- Service constructors receive a `StackitProvider` instance and use it to access credentials, identity, and configuration.
+- The provider builds StackIT SDK `Configuration` objects from the service account key path or inline key content.
+- Resource containers **must** be initialized in the constructor, typically as lists or dictionaries.
+- Do not manipulate `os.environ` for credentials inside services. Use the provider session and SDK configuration helpers.
+- All StackIT resources are represented as Pydantic `BaseModel` classes, providing type safety and structured access to resource attributes.
+- StackIT SDK calls are wrapped in try/except blocks, with specific handling for API errors, always logging errors.
+- **Centralized Error Handling**: Use `provider.handle_api_error(exception)` for consistent authentication error detection across all services.
+- **SDK Warning Suppression**: StackIT SDK prints deprecation warnings to stderr - use the `suppress_stderr()` context manager during SDK initialization and API calls.
+- **Unrestricted Access Detection**: In StackIT API, `None` values mean "allow all" (more permissive than explicit 0.0.0.0/0).
+  - `protocol=None` → All protocols allowed
+  - `ip_range=None` → All source IPs allowed (unrestricted!)
+  - `port_range=None` → All ports allowed
+  - `remote_security_group_id` set → Only allows traffic from the same security group (not unrestricted!)
+
+### IaaS Service Specific Patterns
+
+**Security Group Discovery:**
+```python
+# List all security groups
+security_groups = client.list_security_groups(
+    project_id=self.project_id,
+    region=region,
+)
+
+# List network interfaces to determine security group usage
+nics = client.list_project_nics(
+    project_id=self.project_id,
+    region=region,
+)
+
+# Checks report in-use security groups by default. Use --scan-unused-services
+# to include security groups that are not attached to any NIC.
+```
+
+**Centralized Authentication Error Handling:**
+```python
+def _handle_api_call(self, api_function, *args, **kwargs):
+    """Wrapper for API calls with centralized error handling."""
+    try:
+        with suppress_stderr():  # Suppress SDK warnings
+            return api_function(*args, **kwargs)
+    except Exception as e:
+        # Use centralized error handler from provider
+        self.provider.handle_api_error(e)  # Detects 401 and raises StackITInvalidTokenError
+```
+
+**Unrestricted Access Detection:**
+```python
+def is_unrestricted(rule):
+    """Check if a rule allows unrestricted access."""
+    # Filter out self-referencing rules
+    if rule.remote_security_group_id is not None:
+        return False
+    # Check for unrestricted IP ranges
+    return rule.ip_range is None or rule.ip_range in ["0.0.0.0/0", "::/0"]
+
+def is_tcp(rule):
+    """Check if a rule applies to TCP protocol."""
+    # None means all protocols (including TCP)
+    return rule.protocol is None or rule.protocol.lower() in ["tcp", "all"]
+
+def includes_port(rule, port):
+    """Check if a rule includes a specific port."""
+    # None means all ports
+    if rule.port_range is None:
+        return True
+    return rule.port_range.min <= port <= rule.port_range.max
+```
+
+## Specific Patterns in StackIT Checks
+
+The StackIT checks pattern is described in [checks page](/developer-guide/checks). You can find all the currently implemented checks:
+
+- Directly in the code, within each service folder, each check has its own folder named after the name of the check. (e.g. [`prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/iaas_security_group_ssh_unrestricted))
+- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
+
+The best reference to understand how to implement a new check is following the [check creation documentation](/developer-guide/checks#creating-a-check) and taking other similar StackIT checks as reference.
+
+### Check Report Class
+
+The `CheckReportStackIT` class models a single finding for a StackIT resource in a check report. It is defined in [`prowler/lib/check/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py) and inherits from the generic `Check_Report` base class.
+
+#### Purpose
+
+`CheckReportStackIT` extends the base report structure with StackIT-specific fields, enabling detailed tracking of the resource, project, and location associated with each finding.
+
+#### Constructor and Attribute Population
+
+When you instantiate `CheckReportStackIT`, you must provide the check metadata and a resource object. The class will attempt to automatically populate its StackIT-specific attributes from the resource, using the following logic:
+
+- **`resource_id`**:
+    - Uses `resource.id` if present.
+    - Otherwise, uses `resource.resource_id` if present.
+    - Defaults to an empty string if none are available.
+
+- **`resource_name`**:
+    - Uses `resource.name` if present.
+    - Defaults to an empty string if not available.
+
+- **`project_id`**:
+    - Uses `resource.project_id` if present.
+    - Defaults to an empty string if not available (should be set in check logic).
+
+- **`location`**:
+    - Uses `resource.region` if present.
+    - Otherwise, uses `resource.location` if present.
+    - Defaults to an empty string if not available.
+
+If the resource object does not contain the required attributes, you must set them manually in the check logic.
+
+Other attributes are inherited from the `Check_Report` class, from which you **always** have to set the `status` and `status_extended` attributes in the check logic.
+
+#### Example Usage
+
+```python
+from prowler.lib.check.models import CheckReportStackIT
+
+report = CheckReportStackIT(
+    metadata=self.metadata(),
+    resource=security_group
+)
+report.status = "FAIL"
+report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
+report.resource_id = security_group.id
+report.resource_name = security_group.name
+report.project_id = security_group.project_id
+report.location = security_group.region
+```
+
+### Common Check Pattern
+
+```python
+from prowler.lib.check.models import Check, CheckReportStackIT
+from prowler.providers.stackit.services.iaas.iaas_client import iaas_client
+
+class iaas_security_group_ssh_unrestricted(Check):
+    """Check if IaaS security groups allow unrestricted SSH access."""
+
+    def execute(self):
+        findings = []
+
+        for security_group in iaas_client.security_groups:
+            if not (iaas_client.scan_unused_services or security_group.in_use):
+                continue
+
+            report = CheckReportStackIT(
+                metadata=self.metadata(),
+                resource=security_group
+            )
+            report.status = "PASS"
+            report.status_extended = f"Security group {security_group.name} does not allow unrestricted SSH access."
+
+            # Check each rule
+            for rule in security_group.rules:
+                if (rule.is_ingress() and
+                    rule.is_tcp() and
+                    rule.includes_port(22) and
+                    rule.is_unrestricted()):
+                    report.status = "FAIL"
+                    report.status_extended = f"Security group {security_group.name} allows unrestricted SSH access from the internet."
+                    break
+
+            findings.append(report)
+
+        return findings
+```
+
+## Resources
+
+### Official StackIT Documentation
+
+- **StackIT Portal**: [https://portal.stackit.cloud/](https://portal.stackit.cloud/)
+- **StackIT Documentation**: [https://docs.stackit.cloud/](https://docs.stackit.cloud/)
+- **StackIT API Documentation**: [https://docs.api.eu01.stackit.cloud/](https://docs.api.eu01.stackit.cloud/)
+
+### Python SDK
+
+- **StackIT Python SDK (GitHub)**: [https://github.com/stackitcloud/stackit-sdk-python](https://github.com/stackitcloud/stackit-sdk-python)
+- **stackit-core (PyPI)**: [https://pypi.org/project/stackit-core/](https://pypi.org/project/stackit-core/)
+- **stackit-iaas (PyPI)**: [https://pypi.org/project/stackit-iaas/](https://pypi.org/project/stackit-iaas/)
+- **IaaS Models**: [https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models](https://github.com/stackitcloud/stackit-sdk-python/tree/main/services/iaas/src/stackit/iaas/models)
+
+### Prowler Resources
+
+- **Provider Implementation**: [`prowler/providers/stackit/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/)
+- **IaaS Service**: [`prowler/providers/stackit/services/iaas/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/stackit/services/iaas/)
+- **Prowler Hub**: [https://hub.prowler.com/](https://hub.prowler.com/)
+- **GitHub Issues**: [https://github.com/prowler-cloud/prowler/issues](https://github.com/prowler-cloud/prowler/issues)
+
+## Contributing
+
+If you'd like to contribute to the StackIT provider:
+
+1. **Add New Checks**: Follow the [check creation guide](/developer-guide/checks#creating-a-check) and use existing StackIT checks as templates
+2. **Enhance Services**: Implement additional IaaS resource discovery or add new services
+3. **Improve Documentation**: Add metadata enhancements, CLI remediation examples, or Terraform code samples
+4. **Report Issues**: Submit bug reports or feature requests on [GitHub](https://github.com/prowler-cloud/prowler/issues)
+
+### Quick Start for Contributors
+
+1. **Install dependencies**: `poetry install` (includes stackit-core and stackit-iaas)
+2. **Set credentials**: Export `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PROJECT_ID`
+3. **Run checks**: `prowler stackit`
+4. **View code**: Start in `prowler/providers/stackit/`
+5. **Add checks**: Create new check directories under `services/iaas/`
+6. **Run tests**: `poetry run pytest tests/providers/stackit/ -v`
+
+### Code Quality Standards
+
+The StackIT provider should follow the same quality expectations as the rest of the Prowler SDK:
+
+- Keep service and check logic covered by unit tests.
+- Redact inline service account keys from generated output.
+- Keep documentation aligned with the implemented services and checks.
+- Follow existing provider, service, and check patterns before adding StackIT-specific abstractions.
@@ -73,6 +73,12 @@
              "getting-started/products/prowler-lighthouse-ai"
            ]
          },
+          {
+            "group": "Prowler for Claude Code",
+            "pages": [
+              "getting-started/products/prowler-claude-code-plugin"
+            ]
+          },
          {
            "group": "Prowler MCP Server",
            "pages": [
@@ -118,8 +124,8 @@
              "user-guide/tutorials/prowler-app-rbac",
              "user-guide/tutorials/prowler-app-multi-tenant",
              "user-guide/tutorials/prowler-app-api-keys",
-              "user-guide/tutorials/prowler-app-import-findings",
-              "user-guide/tutorials/prowler-app-alerts",
+              "user-guide/tutorials/prowler-import-findings",
+              "user-guide/tutorials/prowler-alerts",
              {
                "group": "Mutelist",
                "expanded": true,
@@ -333,6 +339,13 @@
                  "user-guide/providers/scaleway/authentication"
                ]
              },
+              {
+                "group": "StackIT",
+                "pages": [
+                  "user-guide/providers/stackit/getting-started-stackit",
+                  "user-guide/providers/stackit/authentication"
+                ]
+              },
              {
                "group": "Vercel",
                "pages": [
@@ -395,7 +408,8 @@
              "developer-guide/kubernetes-details",
              "developer-guide/m365-details",
              "developer-guide/github-details",
-              "developer-guide/llm-details"
+              "developer-guide/llm-details",
+              "developer-guide/stackit-details"
            ]
          },
          {
@@ -570,6 +584,14 @@
    {
      "source": "/contact",
      "destination": "/support"
+    },
+    {
+      "source": "/user-guide/tutorials/prowler-app-import-findings",
+      "destination": "/user-guide/tutorials/prowler-import-findings"
+    },
+    {
+      "source": "/user-guide/tutorials/prowler-app-alerts",
+      "destination": "/user-guide/tutorials/prowler-alerts"
    }
  ]
 }
@@ -118,8 +118,8 @@ To update the environment file:
 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.26.1"
-PROWLER_API_VERSION="5.26.1"
+PROWLER_UI_VERSION="5.28.0"
+PROWLER_API_VERSION="5.28.0"
 ```

 <Note>
@@ -0,0 +1,101 @@
+---
+title: 'Prowler for Claude Code'
+---
+
+End-to-end cloud security and compliance from inside [Claude Code](https://www.claude.com/product/claude-code), powered by the [Prowler MCP server](/getting-started/products/prowler-mcp). The plugin lets Claude walk a Prowler Cloud-connected account through a compliance assessment and remediate findings until the chosen security or industry framework is compliant.
+
+<Warning>
+**Preview**: this plugin is under active development. Please report issues on [GitHub](https://github.com/prowler-cloud/prowler/issues) or join the [Slack community](https://goto.prowler.com/slack) for feedback.
+</Warning>
+
+## Requirements
+
+<CardGroup cols={3}>
+  <Card title="Claude Code" icon="terminal">
+    Installed and signed in. See the [official install guide](https://www.claude.com/product/claude-code).
+  </Card>
+  <Card title="Prowler Cloud account" icon="cloud">
+    The free tier is enough to start. Sign up at [cloud.prowler.com](https://cloud.prowler.com).
+  </Card>
+  <Card title="Prowler API key" icon="key">
+    Create one at [cloud.prowler.com/profile](https://cloud.prowler.com/profile).
+  </Card>
+</CardGroup>
+
+## Installation
+
+<Tabs>
+  <Tab title="From GitHub (recommended)">
+    Inside a Claude Code session:
+
+    ```text
+    /plugin marketplace add prowler-cloud/prowler
+    /plugin install prowler@prowler-plugins
+    ```
+  </Tab>
+  <Tab title="From a local clone">
+    If you already have the repository checked out:
+
+    ```text
+    /plugin marketplace add /absolute/path/to/prowler
+    /plugin install prowler@prowler-plugins
+    ```
+  </Tab>
+</Tabs>
+
+## Configuration
+
+On first install, Claude Code prompts for your **Prowler API key**. The value is stored securely (macOS keychain or `~/.claude/.credentials.json`) and used to authenticate against Prowler Cloud.
+
+<Note>
+To rotate the key, uninstall and reinstall the plugin — Claude Code will prompt again.
+</Note>
+
+## Verify the installation
+
+In a Claude Code session:
+
+```text
+/mcp          → "prowler" appears as a connected server
+/plugin       → "prowler" enabled, skill listed as prowler:framework-compliance-triage
+```
+
+If `/mcp` reports the `prowler` server as failed, the most common cause is a rejected API key — re-issue one in Prowler Cloud and reinstall the plugin so it re-prompts.
+
+## Usage
+
+Open a conversation that mentions the framework you want to comply with. Examples:
+
+- *"Make my AWS production account compliant with CIS 4.0."*
+- *"Make my current Terraform project compliant with Prowler ThreatScore Compliance Framework based on the latest scan results."*
+- *"Help me get to 100% on PCI-DSS for this GCP project."*
+
+You pick a **primary tool** (Terraform, gh / az / aws CLI, web console, or mixed) and a **mode**:
+
+<CardGroup cols={2}>
+  <Card title="Claude-assisted (default)" icon="hand">
+    Claude shows each fix — target resource, exact commands, side effects, reversibility — and waits for your go-ahead before applying.
+  </Card>
+  <Card title="Claude autonomous" icon="robot">
+    Claude presents a single up-front plan grouped by shared fixes, waits for one confirmation, then proceeds. It pauses mid-loop if a fix has wide blast radius or a finding is not applicable.
+  </Card>
+</CardGroup>
+
+Claude tracks progress in a markdown report under `.prowler/` at your project root — one file per framework × account. Open it any time to see exactly where the flow is. When all findings are addressed, Claude proposes a fresh Prowler scan to verify everything end-to-end.
+
+## Uninstalling
+
+```text
+/plugin uninstall prowler@prowler-plugins
+/plugin marketplace remove prowler-plugins
+```
+
+The stored API key is removed automatically.
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+| --- | --- | --- |
+| `/mcp` shows `prowler` as failed | Rejected API key | Generate a new one in Prowler Cloud and reinstall the plugin to re-prompt. |
+| Skill not invoked when expected | The skill description didn't match the prompt | Mention the framework name plus "compliance" or "compliant" in your prompt. |
+| "Framework not supported" | Prowler Hub does not list the framework for that provider | Open an issue or PR at [github.com/prowler-cloud/prowler](https://github.com/prowler-cloud/prowler). |
@@ -32,10 +32,11 @@ Prowler supports a wide range of providers organized by category:
 | [Azure](/user-guide/providers/azure/getting-started-azure)                       | Official   | Subscriptions            | UI, API, CLI |
 | [Cloudflare](/user-guide/providers/cloudflare/getting-started-cloudflare)        | Official   | Accounts                 | UI, API, CLI |
 | [Google Cloud](/user-guide/providers/gcp/getting-started-gcp)                    | Official   | Projects                 | UI, API, CLI |
-| **NHN**                                                                          | Unofficial | Tenants                  | CLI          |
+| **NHN**                                                                          | [Contact us](https://prowler.com/contact) | Tenants                  | CLI          |
 | [OpenStack](/user-guide/providers/openstack/getting-started-openstack)           | Official   | Projects                 | UI, API, CLI |
 | [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | Tenancies / Compartments | UI, API, CLI |
-| [Scaleway](/user-guide/providers/scaleway/getting-started-scaleway) [Contact us](https://prowler.com/contact) | Unofficial   | Organizations            | CLI          |
+| [Scaleway](/user-guide/providers/scaleway/getting-started-scaleway)              | [Contact us](https://prowler.com/contact) | Organizations            | CLI          |
+| [StackIT](/user-guide/providers/stackit/getting-started-stackit)                 | [Contact us](https://prowler.com/contact) | Projects                 | CLI          |

 ### Infrastructure as Code Providers

@@ -9,6 +9,8 @@ Prowler Cloud runs on AWS with high availability built in.
 | Region | URL | Location |
 |--------|-----|----------|
 | **EU** | [cloud.prowler.com](https://cloud.prowler.com) | Ireland (`eu-west-1`) |
+| **US** | On-Demand | On-Demand |
+

 ## Business Continuity

@@ -14,7 +14,7 @@ All Prowler code goes through the same security pipeline, whether running on Pro
  Security tools and practices applied to all Prowler code.
 </Card>

-## Prowler Cloud vs Self-Managed
+## Prowler Cloud vs Prowler OSS (Self-Managed)

 | | Prowler Cloud | Self-Managed |
 |--|---------------|--------------|
@@ -2,97 +2,205 @@
 title: 'Software Security'
 ---

-Prowler follows a **security-by-design approach** throughout the software development lifecycle. All changes go through automated checks at every stage, from local development to production deployment.
+Prowler applies security-by-design across the development lifecycle. Every change passes automated checks at each stage: pre-commit hooks locally, multiple CI gates on pull requests, branch protection before merge, container scanning before publish, and registry monitoring after release.

-[Pre-commit](https://github.com/prowler-cloud/prowler/blob/master/.pre-commit-config.yaml) validations catch issues early, and [CI/CD pipelines](https://github.com/prowler-cloud/prowler/tree/master/.github) include multiple security gates ensuring code quality, secure configurations, and compliance with internal standards.
+All security tooling and configuration lives in the [Prowler GitHub repository](https://github.com/prowler-cloud/prowler): [pre-commit hooks](https://github.com/prowler-cloud/prowler/blob/master/.pre-commit-config.yaml), [CI/CD workflows](https://github.com/prowler-cloud/prowler/tree/master/.github/workflows), and [Dependabot configuration](https://github.com/prowler-cloud/prowler/blob/master/.github/dependabot.yml).

-Container registries are continuously scanned for vulnerabilities, with findings automatically reported to the security team for assessment and remediation. This process evolves alongside the stack as new languages, frameworks, and technologies are adopted, ensuring security practices remain comprehensive, proactive, and adaptable.
+## Coverage
+
+Security controls cover six domains, each detailed below:
+
+| Domain | What It Protects |
+|--------|------------------|
+| [**CI/CD**](#cicd-security) | GitHub Actions workflows, runners, third-party actions |
+| [**SAST**](#static-application-security-testing-sast) | Application source code |
+| [**SCA**](#software-composition-analysis-sca) | Third-party dependencies and their known vulnerabilities |
+| [**Supply-Chain Pinning**](#supply-chain-pinning) | Reproducible installs across Python, npm, GitHub Actions, container base images |
+| [**Containers**](#container-security) | Runtime images for UI, API, SDK, Model Context Protocol (MCP) Server |
+| [**Secrets**](#secrets-detection) | Credentials, tokens, API keys in code and git history |
+
+## CI/CD Security
+
+Every GitHub Actions workflow uses runner hardening, pinned action versions, and audited permissions.
+
+### Runner Hardening With StepSecurity
+
+- [**`step-security/harden-runner`**](https://github.com/step-security/harden-runner) runs as the first step in every workflow, pinned by commit SHA.
+- Workflows are being migrated to explicit egress controls: some already declare an egress allow-list with `egress-policy: block`, while others still run in `egress-policy: audit` until their allowed endpoints are fully defined.
+- **Global Block Policy** (StepSecurity) blocks known-malicious domains and IP addresses across every workflow run. This protection applies even in audit mode, so workflows that have not yet moved to `block` still resist known-bad egress.
+
+### Third-Party Action Pinning
+
+- Every third-party action reference uses a commit SHA with the version as a comment: `uses: org/action@<sha> # v1.2.3`.
+- Dependabot tracks the comment and proposes SHA-pinned upgrades on a monthly cadence.
+
+### Workflow Permissions
+
+- Workflows declare `permissions: {}` at the top level and grant the minimum required scopes per job.
+- Code review covers permission changes; zizmor enforces the rules (see below).
+
+### Workflow Security Audit With Zizmor
+
+- **[zizmor](https://github.com/zizmorcore/zizmor)** audits every workflow file for known security anti-patterns. Runs via [`ci-zizmor.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ci-zizmor.yml).
+- Triggers on every push, every pull request that touches `.github/`, and on a daily schedule.
+- Results upload to the GitHub Security tab via Static Analysis Results Interchange Format (SARIF).
+- Key [audit rules](https://docs.zizmor.sh/audits/) the build gates on:
+  - **[PWN Request](https://docs.zizmor.sh/audits/#dangerous-triggers)** (`dangerous-triggers`): unsafe use of `pull_request_target` with checked-out PR code.
+  - **[Script Injection](https://docs.zizmor.sh/audits/#template-injection)** (`template-injection`): unsanitized `${{ github.event.* }}` expressions in `run:` blocks.
+  - **[artipacked](https://docs.zizmor.sh/audits/#artipacked)**: credential leakage through artifacts.
+  - **[Excessive permissions](https://docs.zizmor.sh/audits/#excessive-permissions)** (`excessive-permissions`): workflows with unneeded `write` scopes.
+
+### Branch Protection
+
+Pull requests to `master` and the active `v5.*` release branches must pass several required workflows before merge. These gates prevent specific classes of supply-chain and pipeline attacks from reaching the main branch:
+
+- **Compromised packages:** the **npm Package Compromised Updates** and **PyPI Package Compromised Updates** checks (StepSecurity) fail any PR that introduces a package version present in the compromised-package feed. Layered on top of osv-scanner.
+- **Premature releases:** the **npm Package Cooldown** and **PyPI Package Cooldown** checks (StepSecurity) fail any PR that introduces a package version published within the cooldown window. Layered on top of pnpm's `minimumReleaseAge`.
+- **Workflow exploitation:** the **PWN Request** and **Script Injection** checks (StepSecurity) reject the corresponding zizmor-detected anti-patterns at PR time. Layered on top of zizmor's audit.
+- **Vulnerable code or dependencies:** CodeQL (UI, API, SDK), osv-scanner (SDK, API, UI), Bandit (SDK, API), and Trivy (container images) must all pass.

 ## Static Application Security Testing (SAST)

-Multiple SAST tools are employed across the codebase to identify security vulnerabilities, code quality issues, and potential bugs during development.
+Multiple SAST tools run on every push and pull request to catch vulnerabilities and code-quality issues before merge.

-### CodeQL Analysis
+### Cross-Language

- **Scope:** UI (JavaScript/TypeScript), API (Python), and SDK (Python)
- **Frequency:** On every push and pull request, plus daily scheduled scans
- **Integration:** Results uploaded to GitHub Security tab via SARIF format
- **Purpose:** Identifies security vulnerabilities, coding errors, and potential exploits in source code
+- **CodeQL:** semantic code analysis for the UI (JavaScript/TypeScript), API (Python), and SDK (Python). Runs on every push and pull request, plus a daily scheduled scan, via [`sdk-codeql.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-codeql.yml), [`api-codeql.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-codeql.yml), and [`ui-codeql.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-codeql.yml). Results upload to the GitHub Security tab via SARIF.

-### Python Security Scanners
+### Python (SDK + API)

- **Bandit:** Detects common security issues in Python code (SQL injection, hardcoded passwords, etc.)
-  - Configured to ignore test files and report only high-severity issues
-  - Runs on both SDK and API codebases
- **Pylint:** Static code analysis with security-focused checks
-  - Integrated into pre-commit hooks and CI/CD pipelines
+- **Bandit:** detects common Python security issues (SQL injection, hardcoded credentials, insecure deserialization). Runs in pre-commit and on every PR/push in [`sdk-security.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-security.yml) and [`api-security.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-security.yml).
+- **Pylint:** analyzes your code without actually running it. It checks for errors, enforces a coding standard, looks for code smells, and can suggest refactors. Runs in pre-commit and on every PR/push in [`sdk-code-quality.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-code-quality.yml) and [`api-code-quality.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-code-quality.yml).
+- **Vulture:** dead-code detection at `--min-confidence 100`. Unused code can hide incomplete implementations or stale security paths. Runs in pre-commit and on every PR/push in `sdk-security.yml` and `api-security.yml`.
+- **Flake8:** style and correctness checks for the SDK. Runs in pre-commit and on every PR/push in [`sdk-code-quality.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-code-quality.yml).

-### Code Quality & Dead Code Detection
+### JavaScript/TypeScript (UI)

- **Vulture:** Identifies unused code that could indicate incomplete implementations or security gaps
- **Flake8:** Style guide enforcement with security-relevant checks
- **Shellcheck:** Security and correctness checks for shell scripts
+- **TypeScript (`tsc`):** strict type checking for the UI. Catches whole classes of null/undefined and type-confusion bugs at build time. Runs on every PR/push via `pnpm run healthcheck` in [`ui-tests.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-tests.yml).
+- **ESLint:** UI linting with a capped warning budget (`--max-warnings 40`). Runs on every PR/push via `pnpm run healthcheck` in `ui-tests.yml`.
+- **Knip:** dead-code and unused-export detection for the UI. The UI analogue to Vulture.
+
+<Note>
+Knip runs locally on demand via `pnpm run lint:knip` and is not yet wired into CI.
+</Note>
+
+### Shell
+
+- **Shellcheck:** correctness and security checks for shell scripts in `.github/scripts/` and `scripts/`. Runs in pre-commit on staged files.

 ## Software Composition Analysis (SCA)

-Dependencies are continuously monitored for known vulnerabilities with timely updates ensured.
+Dependencies are scanned against public vulnerability databases on every pull request and push, with results posted directly on the PR.

-### Dependency Vulnerability Scanning
+### Cross-Language

- **osv-scanner:** Scans lockfiles against the [OSV.dev](https://osv.dev) vulnerability database
-  - Runs in CI on every pull request and push for SDK, API, and UI
-  - Fails the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings
-  - Posts a per-lockfile report as a PR comment
-  - Per-vulnerability ignores (with reason and expiry) live in `osv-scanner.toml` at the repo root
- **Trivy:** Multi-purpose scanner for containers and dependencies
-  - Scans all container images (UI, API, SDK, MCP Server)
-  - Checks for vulnerabilities in OS packages and application dependencies
-  - Reports findings to GitHub Security tab
+- **osv-scanner:** scans lockfiles against the [OSV.dev](https://osv.dev) vulnerability database for SDK (`uv.lock`), API (`api/uv.lock`), and UI (`ui/pnpm-lock.yaml`). Runs via [`sdk-security.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-security.yml), [`api-security.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-security.yml), and [`ui-security.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-security.yml).
+  - The action installs the `osv-scanner` binary and verifies its SHA-256 checksum against the upstream-signed `SHA256SUMS` manifest before running. Any mismatch aborts the scan.
+  - Gates the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings.
+  - Posts and updates a per-lockfile report as a pull request comment.
+  - Per-vulnerability ignores live in [`osv-scanner.toml`](https://github.com/prowler-cloud/prowler/blob/master/osv-scanner.toml) at the repo root, each with a reason and an expiry date.
+- **Trivy:** scans container images for OS-package and application-dependency vulnerabilities. Runs in [`sdk-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-container-checks.yml), [`api-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-container-checks.yml), [`ui-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-container-checks.yml), and [`mcp-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/mcp-container-checks.yml). Trivy uploads SARIF to the GitHub Security tab and posts a scan summary on the PR.
+- **Dependabot:** [configured](https://github.com/prowler-cloud/prowler/blob/master/.github/dependabot.yml) for monthly updates of the SDK Python dependencies, GitHub Actions, Docker base images, and pre-commit hooks. Dependabot opens pull requests for known security advisories, so critical patches reach the team without delay. A 7-day default cooldown reduces exposure to compromised package releases.
+- **Renovate:** [configured](https://github.com/prowler-cloud/prowler/blob/master/.github/renovate.json) dependency update automation is transitioning from Dependabot to **Renovate** to gain finer control over update cadence, grouping, and per-component scope. Both tools currently run in parallel during the migration.

-### Automated Dependency Updates
+#### Renovate (Primary)

- **Dependabot:** Automated pull requests for dependency updates
-  - **Python (pip):** Monthly updates for SDK
-  - **GitHub Actions:** Monthly updates for workflow dependencies
-  - **Docker:** Monthly updates for base images
-  - Temporarily paused for API and UI to maintain stability during active development
-  - **Security-first approach:** Even when paused, Dependabot automatically creates pull requests for security vulnerabilities, ensuring critical security patches are never delayed
+Configuration: [`.github/renovate.json`](https://github.com/prowler-cloud/prowler/blob/master/.github/renovate.json)
+
+- **Coverage:** Python (SDK, API, MCP Server), npm (UI), GitHub Actions, Docker images, and Pre-commit hooks
+- **Range Strategy:** Versions are pinned to ensure reproducible builds
+- **Vulnerability Alerts:** GitHub Security Advisories generate immediate pull requests that bypass rate limits and scheduled windows, labeled `security` for prioritized triage
+
+#### Dependabot (Legacy)
+
+Configuration: [`.github/dependabot.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/dependabot.yml)
+
+Dependabot remains active for the SDK and shared automation ecosystems until the Renovate migration completes:
+
+- **Python (pip):** Monthly updates for SDK
+- **GitHub Actions:** Monthly updates for workflow dependencies
+- **Docker:** Monthly updates for base images
+- **Pre-commit:** Monthly updates for hook revisions
+
+Dependabot is paused for the API and UI; Renovate now handles those components. Even when paused, Dependabot continues to open pull requests for security vulnerabilities, ensuring critical patches are never delayed.
+
+### JavaScript/TypeScript (UI)
+
+- **pnpm audit:** runs `pnpm audit --audit-level critical` on every UI pull request and push as part of `pnpm run audit` in [`ui-tests.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-tests.yml). Cross-checks the npm registry's advisory database in addition to the OSV scan and surfaces npm-specific advisories that may not yet have an OSV identifier.
+
+## Supply-Chain Pinning
+
+Pinning runs across Python, npm, GitHub Actions, and container base images. Every install resolves to the exact set of versions already vetted in CI, and any drift fails loudly instead of slipping in silently.
+
+### Python (uv)
+
+The SDK, API, and MCP Server all use [uv](https://docs.astral.sh/uv/) for dependency management. Each component has its own project manifest and lock file:
+
+| Component | Manifest | Lock File |
+|-----------|----------|-----------|
+| SDK | `pyproject.toml` | `uv.lock` |
+| API | `api/pyproject.toml` | `api/uv.lock` |
+| MCP Server | `mcp_server/pyproject.toml` | `mcp_server/uv.lock` |
+
+The controls applied across all three:
+
+- **Direct dependencies pinned to exact versions** (`==`). No version ranges in dependency lists.
+- **Transitive dependencies pinned** via `[tool.uv].constraint-dependencies` in the SDK and API manifests. The constraint set mirrors the versions locked in the corresponding `uv.lock`. A future `uv lock` preserves these versions instead of silently picking up newer releases, and the resolver fails when a constraint becomes infeasible, signaling that a deliberate bump is needed.
+- **Lock files committed.** CI installs strictly from the lock.
+- **uv itself pinned** in the [`setup-python-uv`](https://github.com/prowler-cloud/prowler/tree/master/.github/actions/setup-python-uv) composite action.
+
+<Note>
+The MCP Server has a small direct-dependency surface and does not yet declare a separate constraint set. Its lock file is the source of truth.
+</Note>
+
+### JavaScript/TypeScript (pnpm)
+
+The UI uses [pnpm](https://pnpm.io) with supply-chain controls configured in [`ui/pnpm-workspace.yaml`](https://github.com/prowler-cloud/prowler/blob/master/ui/pnpm-workspace.yaml).
+
+- **Minimum release age** (`minimumReleaseAge: 1440`): packages must publish at least 24 hours before install. This reduces exposure during the window when a compromised release has not yet been detected and yanked.
+- **Lifecycle script allow-list** (`strictDepBuilds: true` + `allowBuilds`): only explicitly approved packages may run `install` or `postinstall` scripts (currently `sharp`, `esbuild`, `@sentry/cli`, `@heroui/shared-utils`, `unrs-resolver`, `msw`). Any unlisted package with lifecycle scripts fails the install.
+- **Trust policy** (`trustPolicy: no-downgrade`): the install fails when a package's trust evidence drops, for example after a new publisher takes over.
+- **Block exotic subdeps** (`blockExoticSubdeps: true`): transitive dependencies cannot ship as git URLs or tarballs. Every package in the tree resolves from the configured registry.
+- **Transitive overrides** in [`ui/package.json`](https://github.com/prowler-cloud/prowler/blob/master/ui/package.json) force specific versions for transitive packages (`lodash`, `serialize-javascript`, `qs`, `rollup`, `minimatch`, `ajv`, and others).
+- **`pnpm-lock.yaml` committed** and CI installs strictly from the lock.
+- **pnpm itself pinned** via the `packageManager` field in `package.json` with an integrity hash.
+
+### GitHub Actions
+
+- Every third-party action reference uses a commit SHA, with the version in a trailing comment.
+- Dependabot opens monthly PRs to bump pinned SHAs.
+
+### Container Base Images
+
+- Every Dockerfile references base images by digest (`image@sha256:...`).
+- Dependabot opens monthly PRs to bump digests.

 ## Container Security

-All container images are scanned before deployment.
+Container images get scanned twice: once in CI before they push to a registry, and continuously after publish by the registries themselves.

-### Trivy Vulnerability Scanning
+### Pre-Publish (CI)

- Scans images for vulnerabilities and misconfigurations
- Generates SARIF reports uploaded to GitHub Security tab
- Creates PR comments with scan summaries
- Configurable to fail builds on critical findings
- Reports include CVE counts and remediation guidance
+- **Trivy** scans for OS-package and application-dependency vulnerabilities. Runs in [`sdk-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/sdk-container-checks.yml), [`api-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/api-container-checks.yml), [`ui-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/ui-container-checks.yml), and [`mcp-container-checks.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/mcp-container-checks.yml). Trivy uploads SARIF to the GitHub Security tab and posts a summary on the PR. Builds can fail on critical findings when configured to.
+- **Hadolint** validates Dockerfile syntax and structure against secure-build best practices. Runs in pre-commit and in the same `*-container-checks.yml` workflows linked above.

-### Hadolint
+### Post-Publish (Registries)

- Validates Dockerfile syntax and structure
- Ensures secure image building practices
+- **Amazon ECR:** ECR continuously scans published images for vulnerabilities. New advisories disclosed after publish surface on the image without requiring a rebuild.
+- **Docker Hub:** Docker Hub continuously scans the same images mirrored from ECR.
+- The security team reviews findings from both registries for triage and remediation.

 ## Secrets Detection

-Prowler protects against accidental exposure of sensitive credentials.
-
-### TruffleHog
-
- Scans entire codebase and Git history for secrets
- Runs on every push and pull request
- Pre-commit hook prevents committing secrets
- Detects high-entropy strings, API keys, tokens, and credentials
- Configured to report verified and unknown findings
+- **[TruffleHog](https://github.com/trufflesecurity/trufflehog)** scans the codebase and git history on every push and pull request via [`find-secrets.yml`](https://github.com/prowler-cloud/prowler/blob/master/.github/workflows/find-secrets.yml). Detects high-entropy strings, API keys, tokens, and credentials, and reports verified and unknown findings.
+- A pre-commit hook runs the same check locally and blocks secrets before they leave the developer machine.

 ## Security Monitoring

- **GitHub Security Tab:** Centralized view of all security findings from CodeQL, Trivy, and other SARIF-compatible tools
- **Artifact Retention:** Security scan reports retained for post-deployment analysis
- **PR Comments:** Automated security feedback on pull requests for rapid remediation
+- **GitHub Security tab:** centralized view of findings from CodeQL, Trivy, zizmor, and any other SARIF-compatible tool.
+- **PR comments:** osv-scanner and Trivy post per-PR summaries so issues surface during review, not after merge.
+- **Artifact retention:** the build retains security scan reports for post-deployment analysis.

 ## Contact

-For questions regarding software security, visit the [Support page](/support).
+For questions about software security, see the [Support page](/support). To report a vulnerability, follow the [responsible disclosure process](https://prowler.com/.well-known/security.txt).
@@ -91,6 +91,7 @@ The following list includes all the Azure checks with configurable variables tha
 | `sqlserver_recommended_minimal_tls_version`                   | `recommended_minimal_tls_versions`               | List of Strings |
 | `vm_sufficient_daily_backup_retention_period`                 | `vm_backup_min_daily_retention_days`             | Integer         |
 | `vm_desired_sku_size`                                         | `desired_vm_sku_sizes`                           | List of Strings |
+| `storage_smb_channel_encryption_with_secure_algorithm`        | `recommended_smb_channel_encryption_algorithms`  | List of Strings |
 | `defender_attack_path_notifications_properly_configured`      | `defender_attack_path_minimal_risk_level`        | String          |
 | `apim_threat_detection_llm_jacking`                           | `apim_threat_detection_llm_jacking_threshold`    | Float           |
 | `apim_threat_detection_llm_jacking`                           | `apim_threat_detection_llm_jacking_minutes`      | Integer         |
@@ -165,6 +166,7 @@ The following list includes all the Okta checks with configurable variables that

 | Check Name                                                    | Value                              | Type    |
 |---------------------------------------------------------------|------------------------------------|---------|
+| `application_admin_console_session_idle_timeout_15min`        | `okta_admin_console_idle_timeout_max_minutes` | Integer |
 | `signon_global_session_idle_timeout_15min`                    | `okta_max_session_idle_minutes`    | Integer |

 ## Config YAML File Structure
@@ -534,6 +536,18 @@ azure:
      "1.3"
    ]

+  # Azure Storage
+  # azure.storage_smb_channel_encryption_with_secure_algorithm
+  # List of SMB channel encryption algorithms allowed on file shares. A storage
+  # account passes only if every enabled algorithm is in this list. Defaults to
+  # the value required by CIS (AES-256-GCM only, excluding weaker AES-128 ciphers).
+  recommended_smb_channel_encryption_algorithms:
+    [
+      "AES-256-GCM",
+      # "AES-128-CCM",
+      # "AES-128-GCM",
+    ]
+
  # Azure Virtual Machines
  # azure.vm_desired_sku_size
  # List of desired VM SKU sizes that are allowed in the organization
@@ -6,7 +6,7 @@ title: 'Run Prowler in CI/CD and Send Findings to Prowler Cloud'
 For new projects, use the official [Prowler GitHub Action](/user-guide/tutorials/prowler-app-github-action) — a Docker-based reusable action that runs scans, optionally pushes findings to Prowler Cloud, and uploads SARIF results to GitHub Code Scanning. The GitHub Actions examples below document the legacy pip-based flow.
 </Warning>

-This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that security scans run automatically and findings are sent to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-app-import-findings). Examples cover GitHub Actions and GitLab CI.
+This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that security scans run automatically and findings are sent to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-import-findings). Examples cover GitHub Actions and GitLab CI.

 ## Prerequisites

@@ -19,7 +19,7 @@ This cookbook demonstrates how to integrate Prowler into CI/CD pipelines so that

 Prowler CLI provides the `--push-to-cloud` flag, which uploads scan results directly to Prowler Cloud after a scan completes. Combined with the `PROWLER_CLOUD_API_KEY` environment variable, this enables fully automated ingestion without manual file uploads.

-For full details on the flag and API, refer to the [Import Findings](/user-guide/tutorials/prowler-app-import-findings) documentation.
+For full details on the flag and API, refer to the [Import Findings](/user-guide/tutorials/prowler-import-findings) documentation.

 <Note>
 The examples in this guide use AWS as the target provider, but the same approach applies to any provider supported by Prowler (Azure, GCP, Kubernetes, and others). Replace `prowler aws` with the desired provider command (e.g., `prowler gcp`, `prowler azure`) and configure the corresponding credentials in the CI/CD environment.
@@ -195,7 +195,7 @@ By default, Prowler exits with a non-zero code when it finds failing checks. Thi
 * **GitLab CI**: Add `allow_failure: true` to the job

 <Note>
-Ingestion failures (e.g., network issues reaching Prowler Cloud) do not affect the Prowler exit code. The scan completes normally and only a warning is emitted. See [Import Findings troubleshooting](/user-guide/tutorials/prowler-app-import-findings#troubleshooting) for details.
+Ingestion failures (e.g., network issues reaching Prowler Cloud) do not affect the Prowler exit code. The scan completes normally and only a warning is emitted. See [Import Findings troubleshooting](/user-guide/tutorials/prowler-import-findings#troubleshooting) for details.
 </Note>

 ### Caching Prowler Installation
@@ -2,7 +2,7 @@
 title: 'Run Kubernetes In-Cluster and Send Findings to Prowler Cloud'
 ---

-This cookbook walks through deploying Prowler inside a Kubernetes cluster on a recurring schedule and automatically sending findings to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-app-import-findings). By the end, security scan results from the cluster appear in Prowler Cloud without any manual file uploads.
+This cookbook walks through deploying Prowler inside a Kubernetes cluster on a recurring schedule and automatically sending findings to Prowler Cloud via [Import Findings](/user-guide/tutorials/prowler-import-findings). By the end, security scan results from the cluster appear in Prowler Cloud without any manual file uploads.

 ## Prerequisites

@@ -181,7 +181,7 @@ Once the job completes and findings are pushed:
 2. Open the "Scans" section to verify the ingestion job status
 3. Browse findings under the Kubernetes provider

-For details on the ingestion workflow and status tracking, refer to the [Import Findings](/user-guide/tutorials/prowler-app-import-findings) documentation.
+For details on the ingestion workflow and status tracking, refer to the [Import Findings](/user-guide/tutorials/prowler-import-findings) documentation.

 ## Tips and Troubleshooting

@@ -204,4 +204,4 @@ For details on the ingestion workflow and status tracking, refer to the [Import
    --namespace prowler-ns
  ```

-* **Failed uploads**: If the push to Prowler Cloud fails, the scan still completes and findings are saved locally in the container. Check the [Import Findings troubleshooting section](/user-guide/tutorials/prowler-app-import-findings#troubleshooting) for common error messages.
+* **Failed uploads**: If the push to Prowler Cloud fails, the scan still completes and findings are saved locally in the container. Check the [Import Findings troubleshooting section](/user-guide/tutorials/prowler-import-findings#troubleshooting) for common error messages.
@@ -18,7 +18,7 @@ Prowler requests the following read-only OAuth 2.0 scopes:
 | `https://www.googleapis.com/auth/admin.directory.domain.readonly` | Read access to domain information |
 | `https://www.googleapis.com/auth/admin.directory.customer.readonly` | Read access to customer information (Customer ID) |
 | `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read access to organizational unit hierarchy (identifies the root OU for policy filtering) |
-| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Gmail, Chat, and Drive service checks) |
+| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Chat, Drive, Gmail, Groups, Marketplace, Security, and Sites service checks) |
 | `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read access to admin roles and role assignments |

 <Warning>
@@ -40,7 +40,7 @@ In the [Google Cloud Console](https://console.cloud.google.com), select the targ
 | API | Required For |
 |-----|--------------|
 | **Admin SDK API** | Directory service checks (users, roles, domains) |
-| **Cloud Identity API** | Calendar, Gmail, Chat, and Drive service checks (domain-level application policies) |
+| **Cloud Identity API** | All service checks except Directory (domain-level application policies) |

 For each API:

@@ -49,7 +49,7 @@ For each API:
 3. Click **Enable**

 <Note>
-Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar, Gmail, Chat, and Drive checks will return no findings if the Cloud Identity API is not enabled.
+Both APIs must be enabled in the same GCP project that hosts the Service Account. All service checks except Directory will return no findings if the Cloud Identity API is not enabled.
 </Note>

 ### Step 3: Create a Service Account
@@ -178,7 +178,7 @@ If Prowler connects but returns empty results or permission errors for specific

 ### Policy API Checks Return No Findings

-If the Directory checks run successfully but the Calendar, Gmail, Chat, or Drive checks return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
+If the Directory checks run successfully but other service checks (Calendar, Chat, Drive, Gmail, Groups, Marketplace, Security, Sites) return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:

 - The **Cloud Identity API** is enabled in the GCP project hosting the Service Account (Step 2)
 - The scope `https://www.googleapis.com/auth/cloud-identity.policies.readonly` is included in the Domain-Wide Delegation OAuth scopes list in the Admin Console (Step 5)
@@ -30,23 +30,49 @@ If a different authentication method is needed (SSWS API token, OAuth with user

 ### Required OAuth Scopes

-For the initial check (`signon_global_session_idle_timeout_15min`) only one scope is required:
+The bundled checks require the following read-only scopes:

 - `okta.policies.read`
+- `okta.brands.read`
+- `okta.apps.read`

-Additional scopes will be needed as more services and checks are added, this are the current ones needed:
+Additional scopes will be needed as more services and checks are added. These are the current ones needed:

 | Scope | Used by |
 |---|---|
-| `okta.policies.read` | Sign-on / password / authentication policies |
+| `okta.policies.read` | Sign-on, password, and authentication policies |
+| `okta.brands.read` | Sign-in page customizations (DOD Notice and Consent Banner check) |
+| `okta.apps.read` | First-party app settings (Okta Admin Console session), integrated app inventory, and the Authentication Policies bound to Okta applications |

 ### Required Admin Role

-The service application must be assigned the built-in **Read-Only Administrator** role.
+The service application must be assigned **one** of the following Okta admin roles:

-Okta's Management API enforces a two-layer authorization model: an OAuth **scope** decides which API endpoints the token can call, and an **admin role** decides whether the call returns data. With only a scope granted, the token mint succeeds but every read returns `403 Forbidden`. The Read-Only Administrator role is the minimum that lets the granted `okta.*.read` scopes actually return configuration data to Prowler's checks — without it, the credential probe at provider startup fails and the scan never gets to evaluate any check.
+- **Read-Only Administrator** — covers every `signon` check and runs `application_authentication_policy_network_zone_enforced` against the apps it can see. **Visibility caveat:** under Read-Only Administrator the `/api/v1/apps` endpoint returns only the apps the service application is itself assigned to — typically just the service app's own row (for example, `Prowler Scanner`). The check still produces a finding for that app, but the rest of the org's app inventory is invisible at this role level.
+- **Super Administrator** — required additionally to evaluate five application-service checks that target Okta's first-party apps (Okta Admin Console, Okta Dashboard). With Super Administrator, `application_authentication_policy_network_zone_enforced` also evaluates the full org-wide app inventory instead of the service-app-only slice.

-Read-Only Administrator is intentionally the narrowest role that satisfies this requirement and aligns with the least-privilege guidance in DISA STIG.
+Okta's Management API enforces a two-layer authorization model: an OAuth **scope** decides which API endpoints the token can call, and an **admin role** decides whether the call returns data. With only a scope granted, the token mint succeeds but every read returns `403 Forbidden`. Read-Only Administrator is the minimum role that lets the granted `okta.*.read` scopes return configuration data to Prowler's checks; without it, the credential probe at provider startup fails and the scan never gets to evaluate any check.
+
+#### When Super Administrator is required
+
+Four checks need to resolve the Authentication Policy bound to Okta's first-party apps (Okta Admin Console, Okta Dashboard) and depend on `/api/v1/apps` returning those system apps — which Okta restricts to Super Administrator:
+
+| Check | STIG |
+|---|---|
+| `application_admin_console_mfa_required` | V-273193 |
+| `application_admin_console_phishing_resistant_authentication` | V-273191 |
+| `application_dashboard_mfa_required` | V-273194 |
+| `application_dashboard_phishing_resistant_authentication` | V-273190 |
+
+Okta filters the first-party apps (`saasure`, `okta_enduser`) out of `/api/v1/apps` for every role below Super Administrator, so `okta.apps.read` alone is not enough. The `okta.apps.manageFirstPartyApps` permission exists only in the paid Okta Identity Governance role `ACCESS_REQUESTS_ADMIN` and cannot be added to custom roles ([Okta Permissions Catalog](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions)).
+
+A fifth check — `application_admin_console_session_idle_timeout_15min` (STIG V-273187) — also requires Super Administrator: it calls `GET /api/v1/first-party-app-settings/admin-console`, which returns `403 E0000006` for every role below Super Administrator.
+
+When the service app runs with Read-Only Administrator, the five checks listed in this section return **MANUAL** instead of PASS/FAIL — the rest of the scan keeps running.
+
+<Note>
+Read-Only Administrator stays the recommended default for the least-privilege framing that aligns with DISA STIG. Assign Super Administrator on a separate run when full coverage of the first-party app checks is needed.
+</Note>

 ## Step-by-Step Setup

@@ -96,19 +122,21 @@ Okta displays the private key **only once**. If you close the modal without copy

 ### 5. Grant the required OAuth scopes

-On the app, open the **Okta API Scopes** tab and click **Grant** on every scope Prowler needs. For the initial release, granting only `okta.policies.read` is sufficient.
+On the app, open the **Okta API Scopes** tab and click **Grant** on every scope Prowler needs. The bundled checks require `okta.policies.read`, `okta.brands.read`, and `okta.apps.read`.

 ![Okta — grant OAuth scopes](/user-guide/providers/okta/images/grant-permissions.png)

-### 6. Assign the Read-Only Administrator role
+### 6. Assign an admin role

 On the app, open the **Admin roles** tab and click **Edit assignments → Add assignment**:

- **Role:** Read-Only Administrator
+- **Role:** Read-Only Administrator (default) — covers every `signon` check and runs the per-app network-zone check against the apps the service app can see (typically only the service app's own row).
 - **Resources:** All resources

 Save the changes.

+To additionally evaluate the first-party application checks (Okta Admin Console / Okta Dashboard idle timeout, MFA, and phishing-resistant authentication) and to widen the per-app network-zone check to the full org-wide app inventory, assign **Super Administrator** instead. Without Super Administrator, the five first-party checks return MANUAL and the network-zone check is limited to the service app's own visibility — the rest of the scan still runs. See [Required Admin Role](#required-admin-role) for the full breakdown.
+
 ![Okta — grant Read-Only role](/user-guide/providers/okta/images/grant-roles.png)

 ### 7. [Optional] Verify DPoP setting
@@ -130,8 +158,8 @@ export OKTA_PRIVATE_KEY_FILE="/secure/path/to/prowler-okta.pem"
 # or
 export OKTA_PRIVATE_KEY="$(cat /secure/path/to/prowler-okta.pem)"

-# Optional — defaults to "okta.policies.read"
-export OKTA_SCOPES="okta.policies.read"
+# Optional — defaults to "okta.policies.read,okta.brands.read,okta.apps.read"
+export OKTA_SCOPES="okta.policies.read,okta.brands.read,okta.apps.read"

 uv run python prowler-cli.py okta
 ```
@@ -172,8 +200,12 @@ Prowler validates credentials at startup by listing one sign-on policy. This err

 Raised when the credential probe succeeds at the OAuth layer but the request is rejected because the service app lacks the required scope or admin role:

- **`invalid_scope`** — the `okta.policies.read` scope is not granted on the service app. Grant it from **Okta API Scopes**.
- **`Forbidden` / `not authorized`** — the **Read-Only Administrator** role is not assigned to the service app. Assign it from **Admin roles**.
+- **`invalid_scope`** — one of the requested scopes (`okta.policies.read`, `okta.brands.read`, or `okta.apps.read`) is not granted on the service app. Grant the missing scope from **Okta API Scopes**.
+- **`Forbidden` / `not authorized`** — no admin role is assigned to the service app. Assign **Read-Only Administrator** (or **Super Administrator** for the first-party application checks) from **Admin roles**.
+
+### Application-service checks return MANUAL on first-party apps
+
+When the service app runs with Read-Only Administrator, the five application-service checks targeting the Okta Admin Console and Okta Dashboard return MANUAL. This is by design — Okta restricts the underlying endpoints (`/api/v1/first-party-app-settings/{appName}` and `/api/v1/apps` for first-party app `name` values `saasure` / `okta_enduser`) to **Super Administrator**. Assign the Super Administrator role to the service app to evaluate those checks. See [Required Admin Role](#required-admin-role) for the full list.

 ### `invalid_dpop_proof`

@@ -12,7 +12,7 @@ Set up authentication for Okta with the [Okta Authentication](/user-guide/provid

 - An Okta organization. The UI examples below use **Identity Engine** terminology such as **Global Session Policy**; Classic Engine exposes the equivalent sign-on policy concepts under older names.
 - A **Super Administrator** account on that organization for the one-time service-app setup.
- An **API Services** app integration in the Okta Admin Console with the `okta.policies.read` scope granted and the **Read-Only Administrator** role assigned.
+- An **API Services** app integration in the Okta Admin Console with the `okta.policies.read`, `okta.brands.read`, and `okta.apps.read` scopes granted and an admin role assigned. **Read-Only Administrator** covers every `signon` check and runs the per-app network-zone check against the apps the service app can see (under Read-Only Administrator that is typically only the service app's own row — the rest of the org's app inventory stays invisible). **Super Administrator** is required additionally to evaluate the five first-party application checks (Okta Admin Console / Okta Dashboard idle timeout, MFA, phishing-resistant authentication) and to widen the network-zone check to the full app inventory — see [Okta Authentication](/user-guide/providers/okta/authentication#required-admin-role) for the full breakdown.
 - Python 3.10+ and Prowler 5.27.0 or later installed locally.

 <CardGroup cols={2}>
@@ -26,10 +26,51 @@ Set up authentication for Okta with the [Okta Authentication](/user-guide/provid

 ## Prowler Cloud

+<VersionBadge version="5.28.0" />
+
+### Step 1: Add the Provider
+
+1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
+2. Navigate to "Configuration" > "Providers".
+
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
+
+3. Click "Add Provider".
+
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
+
+4. Select "Okta".
+
+    ![Select Okta](/user-guide/providers/okta/images/select-okta-provider.png)
+
+5. Enter the **Org Domain** of the target Okta organization and an optional alias, then click "Next".
+
+    ![Add Okta Org Domain](/user-guide/providers/okta/images/okta-org-domain-form.png)
+
 <Note>
-Prowler Cloud onboarding for Okta is coming soon. Track the [Prowler GitHub repository](https://github.com/prowler-cloud/prowler) for release updates. Use the [Prowler CLI](#prowler-cli) workflow below in the meantime.
+The Org Domain must be the bare hostname of an Okta-managed organization — for example, `acme.okta.com`, `acme.oktapreview.com`, `acme.okta-emea.com`, `acme.okta-gov.com`, `acme.okta.mil`, `acme.okta-miltest.com`, or `acme.trex-govcloud.com`. Omit the `https://` scheme, any path, and any trailing slash.
 </Note>

+### Step 2: Provide Credentials
+
+Prowler Cloud authenticates to Okta with the **OAuth 2.0 Private Key JWT** flow exposed by an Okta **API Services** app. The service application, keypair, scope grants, and Read-Only Administrator role are set up once in the Okta Admin Console — full instructions are in the [Okta Authentication](/user-guide/providers/okta/authentication) guide.
+
+1. Enter the **Client ID** of the Okta API Services app (for example, `0oa123456789abcdef`).
+2. Paste the **Private Key** whose matching public key (JWK) is registered on the service app. Both PEM-encoded RSA keys and JWK JSON documents are accepted.
+3. Click "Next".
+
+    ![Okta Credentials Form](/user-guide/providers/okta/images/okta-credentials-form.png)
+
+<Note>
+The private key is transmitted over TLS and stored as an encrypted secret in the backend. Rotate or revoke the matching public key from the Okta Admin Console at any time to invalidate the credential without changes on the Prowler side.
+</Note>
+
+### Step 3: Launch the Scan
+
+1. Review the connection summary. Prowler Cloud runs a credential probe against the Okta Management API before saving — a failed probe surfaces the underlying Okta error (`invalid_scope`, `Forbidden`, invalid credentials, etc.) so the configuration can be corrected before the first scan.
+2. Choose the scan schedule: run a single scan or set up daily scans (every 24 hours).
+3. Click **Launch Scan** to start auditing the Okta organization.
+
 ---

 ## Prowler CLI
@@ -44,8 +85,8 @@ Follow the [Okta Authentication](/user-guide/providers/okta/authentication) guid
 export OKTA_ORG_DOMAIN="acme.okta.com"
 export OKTA_CLIENT_ID="0oa1234567890abcdef"
 export OKTA_PRIVATE_KEY_FILE="/secure/path/to/prowler-okta.pem"
-# Optional — defaults to "okta.policies.read"
-export OKTA_SCOPES="okta.policies.read"
+# Optional — defaults to "okta.policies.read,okta.brands.read,okta.apps.read"
+export OKTA_SCOPES="okta.policies.read,okta.brands.read,okta.apps.read"
 ```

 The private key file may contain either a PEM-encoded RSA key or a JWK JSON document.
@@ -87,6 +128,9 @@ okta:
  # okta.signon_global_session_idle_timeout_15min
  # Defaults to 15 minutes per DISA STIG V-273186.
  okta_max_session_idle_minutes: 15
+  # okta.application_admin_console_session_idle_timeout_15min
+  # Defaults to 15 minutes per DISA STIG V-273187.
+  okta_admin_console_idle_timeout_max_minutes: 15
 ```

 To use a custom configuration:
@@ -99,9 +143,10 @@ prowler okta --config-file /path/to/config.yaml

 Prowler for Okta includes security checks across the following services:

-| Service     | Description                                                                         |
-| ----------- | ----------------------------------------------------------------------------------- |
-| **Sign-On** | Global session policy controls (idle timeout, lifetime, rule priority and ordering) |
+| Service         | Description                                                                                                                            |
+| --------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| **Sign-On**     | Global session policy controls (idle timeout, lifetime, rule priority and ordering)                                                    |
+| **Application** | Okta Admin Console sign-on settings plus Authentication Policy controls for Okta applications (session idle, MFA, phishing resistance, network zones) |

 ## Troubleshooting

@@ -113,20 +158,22 @@ This is stricter than simply finding the same timeout value somewhere else in th

 ### Default Scopes

-Prowler requests a fixed set of OAuth scopes on every token exchange. The default is a single scope that covers the bundled initial check:
+Prowler requests a fixed set of OAuth scopes on every token exchange. The defaults cover every bundled check across the Sign-On and Application services:

 - `okta.policies.read`
+- `okta.brands.read`
+- `okta.apps.read`

-The service app must have that scope granted in the **Okta API Scopes** tab. When the granted set is narrower than the requested set, the token request fails with an `invalid_scope` error and the scan stops at provider initialization.
+The service app must have these scopes granted in the **Okta API Scopes** tab. When the granted set is narrower than the requested set, the token request fails with an `invalid_scope` error and the scan stops at provider initialization.

 When additional checks are enabled — or when running against a service app that exposes a different scope set — override the default with `OKTA_SCOPES` (comma-separated string for the env var) or `--okta-scopes` (space-separated list for the CLI):

 ```bash
 # Environment variable — comma-separated
-export OKTA_SCOPES="okta.policies.read,okta.apps.read,okta.users.read"
+export OKTA_SCOPES="okta.policies.read,okta.brands.read,okta.apps.read,okta.users.read"

 # CLI flag — space-separated
-prowler okta --okta-scopes okta.policies.read okta.apps.read okta.users.read
+prowler okta --okta-scopes okta.policies.read okta.brands.read okta.apps.read okta.users.read
 ```

 For the full catalog of OAuth scopes exposed by the Okta Management API, refer to the [Okta OAuth 2.0 scopes documentation](https://developer.okta.com/docs/api/oauth2/).
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alan Buscaglia	65c0425729	fix(ui): animate finding group collapse - Keep after-row content mounted during exit - Animate inline resource container close state - Preserve existing finding group table behavior	2026-06-05 14:55:00 +02:00
Alan Buscaglia	5828cce644	feat(ui): add Combobox trigger transition - Animate combobox trigger and chevron state - Keep trigger accessible with a stable label - Cover Combobox motion with focused unit tests	2026-06-05 14:54:52 +02:00
Alan Buscaglia	87bd2e78a1	feat(ui): add Drawer content transition - Animate drawer overlay and directional content states - Preserve reduced-motion behavior - Cover Drawer motion with focused unit tests	2026-06-05 14:54:45 +02:00
Alan Buscaglia	ccae4afe68	feat(ui): add Dialog content transition - Animate dialog overlay and content states - Preserve reduced-motion behavior - Cover Dialog motion with focused unit tests	2026-06-05 14:54:37 +02:00
Alan Buscaglia	0e2bb99f02	feat(ui): add Tabs content transition - Animate tab panels when switching active content - Preserve reduced-motion behavior - Cover shared Tabs motion with focused unit tests	2026-06-05 14:49:09 +02:00
Alan Buscaglia	8fb59682d5	feat(ui): add multiselect selection microinteractions - Animate selected pills and item feedback in multiselect components - Add checkbox state transitions for provider group selections - Cover shared selection motion with focused unit tests	2026-06-05 14:44:25 +02:00
Alan Buscaglia	799f062ee0	feat(ui): add Tooltip open close microinteraction - Add visible Tooltip motion timing and easing - Preserve reduced-motion fallbacks - Cover Tooltip motion contract with unit tests	2026-06-05 13:47:11 +02:00
Alan Buscaglia	51945f5cc5	feat(ui): add Dropdown open close microinteraction - Add visible Dropdown motion timing and easing - Align submenu motion with dropdown content - Cover reduced-motion behavior with unit tests	2026-06-05 13:46:53 +02:00
Alan Buscaglia	b93e3f9d04	feat(ui): add Select open close microinteraction - Add visible Select close motion without open-state conflicts - Preserve reduced-motion behavior - Cover controlled and uncontrolled close flows	2026-06-05 13:04:16 +02:00
Alan Buscaglia	ef4d05a782	feat(ui): add Popover open close microinteraction - Add explicit timing for Popover state transitions - Add reduced-motion fallback utilities - Cover controlled Popover motion behavior	2026-06-05 12:16:27 +02:00
Alan Buscaglia	7185e539c8	feat(ui): add Button press microinteraction - Add targeted transition recipe for shared Button states - Add press and reduced-motion behavior - Cover link and menu motion exceptions	2026-06-05 12:00:35 +02:00
Alejandro Bailo	74251350bc	feat(ui): add new scan jobs view (#11258 )	2026-05-28 19:20:39 +02:00
Pablo Fernandez Guerra (PFE)	8f745cdbe6	chore(ui): upgrade pnpm to 11 and harden supply-chain defaults (#11225 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>	2026-05-28 14:39:57 +02:00
Adrián Peña	81226cd837	perf(api): use literal scan_ids in finding-groups /latest aggregation (#11380 )	2026-05-28 13:46:15 +02:00
Johannes Engler	a2824f7166	feat(stackit): add new provider with 4 checks (#9237 ) Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Sergio Garcia <hello@mistercloudsec.com> Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com> Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>	2026-05-28 13:16:38 +02:00
Hugo Pereira Brito	edbbd86828	fix(openstack): move exception codes off the Alibaba Cloud range (#11382 )	2026-05-28 11:52:45 +02:00
lydiavilchez	c58dad2ca4	feat(googleworkspace): add rules service checks (#11379 ) Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-28 11:17:33 +02:00
lydiavilchez	b4befe3a10	feat(googleworkspace): add security service checks (#11356 ) Co-authored-by: pedrooot <pedromarting3@gmail.com> Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-05-28 10:15:10 +02:00
Alan Buscaglia	d98933c2e7	fix(ui): improve invitation error messages (#11376 )	2026-05-28 09:37:28 +02:00
Pedro Martín	03dfa3816d	docs: fix alerts/import-findings URLs and pricing note (#11378 )	2026-05-27 17:26:50 +02:00
Pablo Fernandez Guerra (PFE)	ad1261ce54	ci(docs): add markdownlint foundation (prek + CI) (#11210 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 16:42:01 +02:00
Juan Pablo	3252f9cf19	fix(compliance/ens): remap resilience VPC checks out of mp.com.4 (#11372 ) Co-authored-by: Juan Pablo Mora <juanpablo.mora@logalty.com> Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-27 13:10:58 +02:00
Hugo Pereira Brito	f1cdf3df15	feat(ui): improve dark mode contrast for editorial readability (#11073 )	2026-05-27 12:49:50 +02:00
Pedro Martín	03ddb8a708	fix(ui): show compliance data when opening compliance sidebar (#11374 )	2026-05-27 11:18:32 +02:00
Daniel Barranquero	2678c6bc9f	feat(okta): add application service with 6 new checks (#11358 )	2026-05-27 11:16:18 +02:00
Pedro Martín	48c071297f	fix(sdk): align compliance CSV row emission with framework JSON (#11370 )	2026-05-27 11:06:23 +02:00
Prowler Bot	7e9a16d022	feat(aws): Update regions for AWS services (#11349 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-05-27 10:36:28 +02:00
Pedro Martín	84b388f649	fix(ui): honor page size select in compliance req findings (#11365 ) Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-05-26 15:35:33 +02:00
Rubén De la Torre Vico	671d0c746c	fix(mcp_server): preserve authorization header in HTTP mode (#11366 ) Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-05-26 15:25:46 +02:00
Pepe Fagoaga	0e4b117161	chore: SDK changelog v5.28.1 (#11363 )	2026-05-26 12:15:19 +02:00
Alan Buscaglia	a70bc3c1c7	fix(ui): avoid report preflight timeouts (#11350 ) Co-authored-by: Adrián Jesús Peña Rodríguez <adrianjpr@gmail.com>	2026-05-26 11:47:34 +02:00
Pedro Martín	723d161c63	fix(az-m365): asyncio.run() in Azure/M365 Celery worker event (#11360 )	2026-05-26 11:26:39 +02:00
Aline Almeida	d560020592	fix(gcp): match enable-oslogin metadata case-insensitively (#11341 ) Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>	2026-05-26 10:35:26 +02:00
Pedro Martín	00451f8239	feat(compliance): add AWS AI Security Framework for AWS (#11353 )	2026-05-26 10:20:39 +02:00
Adrián Peña	329dfdf8e6	perf(api): reduce DB load in scan hot loop by 13x (#11249 ) Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-05-25 19:09:28 +02:00
Hugo Pereira Brito	4c59af93eb	fix(azure): require all SMB channel encryption algorithms to be secure (storage_smb_channel_encryption_with_secure_algorithm) (#11327 ) Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-25 18:28:21 +02:00
Hugo Pereira Brito	6ca8e726f7	feat(azure): add storage_account_public_network_access_disabled and fix CIS storage mapping (#11334 )	2026-05-25 18:17:41 +02:00
Pepe Fagoaga	546eb2d85a	chore: changelog v5.28.1 (#11347 )	2026-05-25 10:18:42 +02:00
Alan Buscaglia	ec3efc94f5	chore(ui): add changelog for scan report fix (#11338 )	2026-05-22 15:09:44 +02:00
Alan Buscaglia	6cffd0d17f	fix(ui): stream scan report downloads (#11330 )	2026-05-22 14:05:00 +02:00
Josema Camacho	528d32601b	perf(api): speed up finding-groups endpoint for finding-level filters (#11326 )	2026-05-22 13:59:05 +02:00
Prowler Bot	56b3044aae	chore(release): Bump versions to v5.29.0 (#11332 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-05-22 13:34:30 +02:00
Alejandro Bailo	3a096b1750	refactor(ui): improve resource detail and tab UX (#11325 )	2026-05-22 12:03:03 +02:00
Daniel Barranquero	6f01041178	docs: add okta provider prowler cloud onboarding (#11322 )	2026-05-22 10:29:59 +02:00
Pepe Fagoaga	13e2ede763	chore(changelog): prepare for v5.28.0 (#11321 )	2026-05-22 09:33:40 +02:00
Pedro Martín	c53ddfd532	fix(ui): resource tab scroll from container (#11320 )	2026-05-22 09:13:57 +02:00
Pepe Fagoaga	f86bd7b52e	fix(sdk): absolute ENTRYPOINT to work with uv (#11313 )	2026-05-22 08:25:59 +02:00
Kristofer Jussmann	6177fc6286	fix(oci): use home region for audit configuration API call (#10347 ) Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-05-21 16:09:29 +01:00
Sandiyo Christan	0fd952ae2b	chore(m365): use PowerShell best practices for quoting credential variables (#9997 ) Co-authored-by: Hugo P.Brito <hugopbrit@gmail.com>	2026-05-21 15:17:23 +01:00
lydiavilchez	74622dd576	feat(googleworkspace): add sites, additional_services and marketplace service checks (#11281 )	2026-05-21 15:52:15 +02:00
Pablo Fernandez Guerra (PFE)	4dfa2b9748	chore(ci): disable Renovate patch, minor and major version bumps (#11312 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>	2026-05-21 15:20:10 +02:00
renovate[bot]	435424a680	chore(config): migrate Renovate config (#11300 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-05-21 15:16:58 +02:00
Pedro Martín	dbbefd0558	feat(compliance): add resource metadata tab inside req find (#11187 )	2026-05-21 15:09:43 +02:00
Pablo Fernandez Guerra (PFE)	e55d1d470e	chore(ci): add Renovate baseline config (#11181 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Pepe Fagoaga <pepe@prowler.com>	2026-05-21 14:36:36 +02:00
César Arroba	ab69f3b665	ci(api): simplify SDK release pin to a single uv lock --upgrade-package (#11287 )	2026-05-21 13:56:31 +02:00
Rubén De la Torre Vico	a28f4994a8	fix(mcp): bump fastmcp and transitives to clear osv-scanner findings (#11284 )	2026-05-21 13:30:56 +02:00
Daniel Barranquero	349611d52d	feat(okta): 4 new signon service checks (#11224 )	2026-05-21 12:48:06 +02:00
César Arroba	10b965e3c7	chore: set SDK changelog version for fixes (#11282 )	2026-05-21 12:32:54 +02:00
Pepe Fagoaga	554a5024c1	chore(mcp): osv-scanner workflow (#11274 )	2026-05-21 11:53:31 +02:00
César Arroba	7d03bc5e17	fix(api): chown src/backend and docker-entrypoint to prowler user (#11276 )	2026-05-21 10:21:33 +02:00
dependabot[bot]	c660b35ed6	chore(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3 (#11267 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:33:57 +02:00
dependabot[bot]	f3bac38a55	chore(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 (#11273 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:31:30 +02:00
dependabot[bot]	61330937f7	chore(deps): bump actions/labeler from 6.0.1 to 6.1.0 (#11272 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:30:56 +02:00
Pablo Fernandez Guerra (PFE)	5ac978b9a3	chore(ui): add prettier-plugin-packagejson to enforce key ordering (#11172 ) Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 09:25:37 +02:00
Pepe Fagoaga	b4159bd590	chore: disable dependabot for SDK and pre-commit (#11265 )	2026-05-21 09:17:38 +02:00
dependabot[bot]	ef4d45d409	chore(deps): bump github/gh-aw from 0.43.23 to 0.73.0 (#10952 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:09:58 +02:00
dependabot[bot]	f210c26c2f	chore(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6 (#10963 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:09:43 +02:00
dependabot[bot]	a55a736363	chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 (#10748 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:04:28 +02:00
dependabot[bot]	9f2af5abc2	chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 (#10742 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 09:04:17 +02:00
dependabot[bot]	fee98a58eb	chore(deps): bump trufflesecurity/trufflehog from 3.92.4 to 3.95.3 (#10961 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:59:49 +02:00
dependabot[bot]	1ab8f2f0ac	chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.5 (#10955 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:59:36 +02:00
dependabot[bot]	e7fbc8b391	chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0 (#10738 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:54:03 +02:00
dependabot[bot]	8caab36c3f	chore(deps): bump actions/cache from 5.0.4 to 5.0.5 (#10951 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:53:08 +02:00
dependabot[bot]	0c4794b060	chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#10745 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:52:33 +02:00
dependabot[bot]	782e3f238b	chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#10960 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:50:28 +02:00
dependabot[bot]	e1c7e0a99b	chore(deps): bump github/codeql-action from 4.32.4 to 4.35.4 (#10741 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:49:51 +02:00
dependabot[bot]	6ef70484c7	chore(deps): bump step-security/harden-runner from 2.16.0 to 2.19.1 (#10953 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-21 08:32:05 +02:00
Hugo Pereira Brito	621170d9c9	docs(introduction): replace Unofficial label with Contact us link (#11260 )	2026-05-20 15:19:36 +01:00
Pedro Martín	b6e2255e9e	chore(security): add osv-scanner findings for markdown & pyjwt (#11256 )	2026-05-20 15:58:04 +02:00
Pedro Martín	3ce8eae72f	docs(attack-paths): add advanced openCypher scenarios (#11257 )	2026-05-20 15:38:45 +02:00
Pedro Martín	81aa1883fd	docs(multi-tenant): clarify edit/delete organization permission (#11255 )	2026-05-20 14:10:41 +02:00
Simone	534dedb608	feat(sagemaker): add sagemaker_models_registry_in_use check (#11196 ) Co-authored-by: cascioli <simdon2015?gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-20 13:59:18 +02:00
BMO	cff1704d7b	feat(ses): add check for DKIM signing enabled on SES identities (#10923 ) Co-authored-by: Mohamed Solaiman <mohamedsolaiman@users.noreply.github.com> Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com> Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>	2026-05-20 13:33:03 +02:00
lydiavilchez	0ca444895f	feat(googleworkspace): add groups service checks (#11186 )	2026-05-20 12:54:49 +02:00
Rubén De la Torre Vico	a9865209a1	docs(claude-plugin): add Prowler for Claude Code page and plugin README (#11253 )	2026-05-20 12:38:34 +02:00
Rubén De la Torre Vico	8526e8b4a6	feat(claude-plugin): add Prowler plugin and marketplace for Claude Code (#11248 )	2026-05-20 11:57:34 +02:00
Pepe Fagoaga	a52ef3c04a	fix(api): build container with latest SDK version for release (#11251 )	2026-05-20 11:40:05 +02:00
Daniel Barranquero	1f3f5c2e27	feat(ui): add okta provider support (#11213 ) Co-authored-by: alejandrobailo <alejandrobailo94@gmail.com>	2026-05-20 11:34:22 +02:00
Daniel Barranquero	6eebfcfe77	feat(api): add okta provider support (#11184 )	2026-05-20 10:46:29 +02:00
Pepe Fagoaga	9d8b69abda	fix(api): uv.lock permissions during docker build (#11243 ) Co-authored-by: Adrián Jesús Peña Rodríguez <adrianjpr@gmail.com>	2026-05-19 19:08:35 +02:00
Pedro Martín	60aa601e92	fix(docker): chown copied files to prowler pin uv sync --locked (#11234 )	2026-05-19 18:03:05 +02:00
Hugo Pereira Brito	fc1fd538bd	fix(ci): bump harden-runner to v2.19.3 so issue-triage jobs stop failing on ubuntu-slim (#11217 )	2026-05-19 16:06:13 +01:00
Hugo Pereira Brito	40c1761840	fix(s3): only emit shadow-resource finding when bucket name matches a predictable pattern (#11220 )	2026-05-19 15:46:05 +01:00
Pedro Martín	0ab0e8671d	fix(azure): skip system 'master' DB in sqlserver_tde_encrypted_with_cmk (#11233 )	2026-05-19 16:34:33 +02:00
Hugo Pereira Brito	7a7c828fc7	feat(m365/entra): add entra_app_registration_client_secret_unused check (consolidates #11097 and #11212 ) (#11232 ) Co-authored-by: shadyfox <git@twink.energy> Co-authored-by: Oleksandr Yizchak Sanin <alexaaander.sanin@gmail.com>	2026-05-19 15:14:32 +01:00
Pedro Martín	5cbe473eb9	chore(stepsecurity): add missing endpoints (#11223 )	2026-05-19 16:07:33 +02:00
Pepe Fagoaga	caf2f61563	docs: update security section with latest changes (#11231 ) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-19 16:03:58 +02:00
s1ns3nz0	9dc4deccb6	feat(gcp): add cloudsql_instance_cmek_encryption_enabled check (#11023 ) Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>	2026-05-19 15:52:16 +02:00
Prowler Bot	476e7d1010	chore(release): Bump versions to v5.28.0 (#11227 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-05-19 15:11:44 +02:00