chore(api): Bump version to v1.24.1 (#10672 )

Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
chore(release): Bump version to v5.23.1 (#10670 )
2026-06-09 21:04:53 +00:00 · 2026-04-13 22:18:33 +02:00 · 2026-04-13 22:18:22 +02:00 · 2026-04-13 22:18:04 +02:00 · 2026-04-13 22:17:51 +02:00 · 2026-04-13 15:42:47 +02:00
1665 changed files with 39231 additions and 128294 deletions
@@ -1,22 +0,0 @@
-# Prowler worktree automation for worktrunk (wt CLI).
-# Runs automatically on `wt switch --create`.
-
-# Block 1: setup + copy gitignored env files (.envrc, ui/.env.local)
-# from the primary worktree - patterns selected via .worktreeinclude.
-[[pre-start]]
-skills = "./skills/setup.sh --claude"
-envs = "wt step copy-ignored"
-
-# Block 2: install Python deps (uv manages the venv on `uv sync`).
-[[pre-start]]
-deps = "uv sync"
-
-# Block 3: reminder - last visible output before `wt switch` returns.
-# Hooks can't mutate the parent shell, so venv activation is manual.
-[[pre-start]]
-reminder = "echo '>> Reminder: activate the venv in this shell with: source .venv/bin/activate'"
-
-# Background: pnpm install runs while you start working.
-# Tail logs via `wt config state logs`.
-[post-start]
-ui = "cd ui && pnpm install"
@@ -145,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.27.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.23.1

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -1,15 +1,14 @@
 # SDK
-/* @prowler-cloud/detection-remediation
-/prowler/ @prowler-cloud/detection-remediation
-/prowler/compliance/ @prowler-cloud/compliance
-/tests/ @prowler-cloud/detection-remediation
-/dashboard/ @prowler-cloud/detection-remediation
-/docs/ @prowler-cloud/detection-remediation
-/examples/ @prowler-cloud/detection-remediation
-/util/ @prowler-cloud/detection-remediation
-/contrib/ @prowler-cloud/detection-remediation
-/permissions/ @prowler-cloud/detection-remediation
-/codecov.yml @prowler-cloud/detection-remediation @prowler-cloud/api
+/* @prowler-cloud/sdk
+/prowler/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/tests/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+/dashboard/ @prowler-cloud/sdk
+/docs/ @prowler-cloud/sdk
+/examples/ @prowler-cloud/sdk
+/util/ @prowler-cloud/sdk
+/contrib/ @prowler-cloud/sdk
+/permissions/ @prowler-cloud/sdk
+/codecov.yml @prowler-cloud/sdk @prowler-cloud/api

 # API
 /api/ @prowler-cloud/api
@@ -18,7 +17,7 @@
 /ui/ @prowler-cloud/ui

 # AI
-/mcp_server/ @prowler-cloud/detection-remediation
+/mcp_server/ @prowler-cloud/ai

 # Platform
 /.github/ @prowler-cloud/platform
@@ -1,15 +0,0 @@
-# These are supported funding model platforms
-
-github: [prowler-cloud]
-# patreon: # Replace with a single Patreon username
-# open_collective: # Replace with a single Open Collective username
-# ko_fi: # Replace with a single Ko-fi username
-# tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-# community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-# liberapay: # Replace with a single Liberapay username
-# issuehunt: # Replace with a single IssueHunt username
-# lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
-# polar: # Replace with a single Polar username
-# buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
-# thanks_dev: # Replace with a single thanks.dev username
-# custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
@@ -1,143 +0,0 @@
-name: "🔎 New Check Request"
-description: Request a new Prowler security check
-title: "[New Check]: "
-labels: ["feature-request", "status/needs-triage"]
-
-body:
-  - type: checkboxes
-    id: search
-    attributes:
-      label: Existing check search
-      description: Confirm this check does not already exist before opening a new request.
-      options:
-        - label: I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.
-          required: true
-
-  - type: markdown
-    attributes:
-      value: |
-        Use this form to describe the security condition that Prowler should evaluate.
-
-        The most useful inputs for [Prowler Studio](https://github.com/prowler-cloud/prowler-studio) are:
-        - What should be detected
-        - What PASS and FAIL mean
-        - Vendor docs, API references, SDK methods, CLI commands, or reference code
-
-  - type: dropdown
-    id: provider
-    attributes:
-      label: Provider
-      description: Cloud or platform this check targets.
-      options:
-        - AWS
-        - Azure
-        - GCP
-        - Kubernetes
-        - GitHub
-        - Microsoft 365
-        - OCI
-        - Alibaba Cloud
-        - Cloudflare
-        - MongoDB Atlas
-        - Google Workspace
-        - OpenStack
-        - Vercel
-        - NHN
-        - Other / New provider
-    validations:
-      required: true
-
-  - type: input
-    id: other_provider_name
-    attributes:
-      label: New provider name
-      description: Only fill this if you selected "Other / New provider" above.
-      placeholder: "NewProviderName"
-    validations:
-      required: false
-
-  - type: input
-    id: service_name
-    attributes:
-      label: Service or product area
-      description: Optional. Main service, product, or feature to audit.
-      placeholder: "s3, bedrock, entra, repository, apiserver"
-    validations:
-      required: false
-
-  - type: input
-    id: suggested_check_name
-    attributes:
-      label: Suggested check name
-      description: Optional. Use `snake_case` following `<service>_<resource>_<best_practice>`, with lowercase letters and underscores only.
-      placeholder: "bedrock_guardrail_sensitive_information_filter_enabled"
-    validations:
-      required: false
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Context and goal
-      description: Describe the security problem, why it matters, and what this new check should help detect.
-      placeholder: |-
-        - Security condition to validate:
-        - Why it matters:
-        - Resource, feature, or configuration involved:
-    validations:
-      required: true
-
-  - type: textarea
-    id: expected_behavior
-    attributes:
-      label: Expected behavior
-      description: Explain what the check should evaluate and what PASS, FAIL, or MANUAL should mean.
-      placeholder: |-
-        - Resource or scope to evaluate:
-        - PASS when:
-        - FAIL when:
-        - MANUAL when (if applicable):
-        - Exclusions, thresholds, or edge cases:
-    validations:
-      required: true
-
-  - type: textarea
-    id: references
-    attributes:
-      label: References
-      description: Add vendor docs, API references, SDK methods, CLI commands, endpoint docs, sample payloads, or similar reference material.
-      placeholder: |-
-        - Product or service documentation:
-        - API or SDK reference:
-        - CLI command or endpoint documentation:
-        - Sample payload or response:
-        - Security advisory or benchmark:
-    validations:
-      required: true
-
-  - type: dropdown
-    id: severity
-    attributes:
-      label: Suggested severity
-      description: Your best estimate. Reviewers will confirm during triage.
-      options:
-        - Critical
-        - High
-        - Medium
-        - Low
-        - Informational
-        - Not sure
-    validations:
-      required: true
-
-  - type: textarea
-    id: implementation_notes
-    attributes:
-      label: Additional implementation notes
-      description: Optional. Add permissions, unsupported regions, config knobs, product limitations, or anything else that may affect implementation.
-      placeholder: |-
-        - Required permissions or scopes:
-        - Region, tenant, or subscription limitations:
-        - Configurable behavior or thresholds:
-        - Other constraints:
-    validations:
-      required: false
@@ -1,169 +0,0 @@
-name: 'OSV-Scanner'
-description: 'Install osv-scanner and scan a lockfile, failing on HIGH/CRITICAL/UNKNOWN severity findings. Posts/updates a PR comment with findings on pull_request events (requires pull-requests: write).'
-author: 'Prowler'
-
-inputs:
-  lockfile:
-    description: 'Path to the lockfile to scan, relative to the repository root (e.g. uv.lock, api/uv.lock, ui/pnpm-lock.yaml).'
-    required: true
-  severity-levels:
-    description: 'Comma-separated severity levels that fail the scan. Default: HIGH,CRITICAL,UNKNOWN.'
-    required: false
-    default: 'HIGH,CRITICAL,UNKNOWN'
-  version:
-    description: 'osv-scanner release tag to install. When overriding, you MUST also override binary-sha256.'
-    required: false
-    default: 'v2.3.8'
-  binary-sha256:
-    description: 'Expected SHA256 of osv-scanner_linux_amd64 for the given version. Default tracks v2.3.8. See https://github.com/google/osv-scanner/releases/download/<version>/osv-scanner_SHA256SUMS.'
-    required: false
-    default: 'bc98e15319ed0d515e3f9235287ba53cdc5535d576d24fd573978ecfe9ab92dc'
-  post-pr-comment:
-    description: 'Post or update a PR comment with the scan report. Only effective on pull_request events. Requires pull-requests: write permission on the caller job.'
-    required: false
-    default: 'true'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Install osv-scanner
-      shell: bash
-      env:
-        OSV_SCANNER_VERSION: ${{ inputs.version }}
-      # Download the binary AND the published SHA256SUMS file, then verify the
-      # binary checksum against the upstream-signed manifest. Aborts on mismatch.
-      run: |
-        set -euo pipefail
-        if command -v osv-scanner >/dev/null 2>&1; then
-          INSTALLED="$(osv-scanner --version 2>&1 | awk '/scanner version/ {print $NF; exit}')"
-          if [ "v${INSTALLED}" = "${OSV_SCANNER_VERSION}" ]; then
-            echo "osv-scanner ${OSV_SCANNER_VERSION} already installed."
-            exit 0
-          fi
-        fi
-        BASE="https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}"
-        BIN_NAME="osv-scanner_linux_amd64"
-        curl -fSL --retry 3 "${BASE}/${BIN_NAME}" -o "${RUNNER_TEMP}/${BIN_NAME}"
-        curl -fSL --retry 3 "${BASE}/osv-scanner_SHA256SUMS" -o "${RUNNER_TEMP}/osv-scanner_SHA256SUMS"
-        (cd "${RUNNER_TEMP}" && sha256sum --check --ignore-missing osv-scanner_SHA256SUMS)
-        chmod +x "${RUNNER_TEMP}/${BIN_NAME}"
-        sudo mv "${RUNNER_TEMP}/${BIN_NAME}" /usr/local/bin/osv-scanner
-        rm -f "${RUNNER_TEMP}/osv-scanner_SHA256SUMS"
-        osv-scanner --version
-
-    - name: Run osv-scanner
-      id: scan
-      shell: bash
-      working-directory: ${{ github.workspace }}
-      env:
-        OSV_LOCKFILE: ${{ inputs.lockfile }}
-        OSV_SEVERITY_LEVELS: ${{ inputs.severity-levels }}
-        OSV_REPORT_FILE: ${{ runner.temp }}/osv-scanner-findings.json
-      # Per-vulnerability ignores (reason + expiry) live in osv-scanner.toml at the repo root, if present.
-      # Severity filter is enforced in the wrapper via OSV_SEVERITY_LEVELS.
-      # `continue-on-error: true` lets the PR-comment step run even when findings exist;
-      # the gate step below re-fails the job from the wrapper exit code.
-      continue-on-error: true
-      run: ./.github/scripts/osv-scan.sh --lockfile="${OSV_LOCKFILE}"
-
-    - name: Post osv-scanner report on PR
-      if: >-
-        always()
-        && inputs.post-pr-comment == 'true'
-        && github.event_name == 'pull_request'
-        && github.event.pull_request.head.repo.full_name == github.repository
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-      env:
-        OSV_REPORT_FILE: ${{ runner.temp }}/osv-scanner-findings.json
-        OSV_LOCKFILE: ${{ inputs.lockfile }}
-        OSV_SEVERITY_LEVELS: ${{ inputs.severity-levels }}
-      with:
-        script: |
-          const fs = require('fs');
-          const lockfile = process.env.OSV_LOCKFILE;
-          const severityLevels = process.env.OSV_SEVERITY_LEVELS;
-          const reportFile = process.env.OSV_REPORT_FILE;
-          const marker = `<!-- osv-scanner-report:${lockfile} -->`;
-          const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-
-          let findings = [];
-          if (fs.existsSync(reportFile)) {
-            try {
-              findings = JSON.parse(fs.readFileSync(reportFile, 'utf8'));
-            } catch (err) {
-              core.warning(`Could not parse ${reportFile}: ${err.message}`);
-              return;
-            }
-          }
-
-          const { data: comments } = await github.rest.issues.listComments({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            issue_number: context.issue.number,
-          });
-          const existing = comments.find(c => c.body?.includes(marker));
-
-          if (findings.length === 0) {
-            if (existing) {
-              await github.rest.issues.deleteComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existing.id,
-              });
-              core.info(`Deleted stale osv-scanner comment for ${lockfile}.`);
-            } else {
-              core.info(`No findings and no stale comment for ${lockfile}.`);
-            }
-            return;
-          }
-
-          const sevIcon = (s) => ({
-            CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🟢', UNKNOWN: '⚪',
-          }[s] || '⚪');
-          const escape = (s) => String(s ?? '').replace(/\|/g, '\\|').replace(/\n/g, ' ');
-          const rows = findings.map(f =>
-            `| ${sevIcon(f.severity)} ${f.severity}${f.score ? ` (${f.score})` : ''} | \`${escape(f.id)}\` | \`${escape(f.ecosystem)}/${escape(f.package)}\` | \`${escape(f.version)}\` | ${escape(f.summary || '(no summary)')} |`
-          );
-
-          const body = [
-            marker,
-            `## 🔒 osv-scanner: ${findings.length} finding(s) in \`${lockfile}\``,
-            '',
-            `Severity gate: \`${severityLevels}\``,
-            '',
-            '| Severity | ID | Package | Version | Summary |',
-            '|----------|----|---------|---------|---------|',
-            ...rows,
-            '',
-            `To accept a finding, add an \`[[IgnoredVulns]]\` entry to \`osv-scanner.toml\` at the repo root with a reason and \`ignoreUntil\`.`,
-            '',
-            `<sub>[View run](${runUrl})</sub>`,
-          ].join('\n');
-
-          if (existing) {
-            await github.rest.issues.updateComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              comment_id: existing.id,
-              body,
-            });
-            core.info(`Updated osv-scanner comment for ${lockfile}.`);
-          } else {
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body,
-            });
-            core.info(`Posted new osv-scanner comment for ${lockfile}.`);
-          }
-
-    - name: Enforce osv-scanner severity gate
-      shell: bash
-      env:
-        SCAN_OUTCOME: ${{ steps.scan.outcome }}
-      run: |
-        if [ "${SCAN_OUTCOME}" != "success" ]; then
-          echo "osv-scanner gate: scan reported findings (outcome=${SCAN_OUTCOME})" >&2
-          exit 1
-        fi
@@ -1,5 +1,5 @@
-name: 'Setup Python with uv'
-description: 'Setup Python environment with uv and install dependencies'
+name: 'Setup Python with Poetry'
+description: 'Setup Python environment with Poetry and install dependencies'
 author: 'Prowler'

 inputs:
@@ -7,15 +7,15 @@ inputs:
    description: 'Python version to use'
    required: true
  working-directory:
-    description: 'Working directory for uv'
+    description: 'Working directory for Poetry'
    required: false
    default: '.'
-  uv-version:
-    description: 'uv version to install'
+  poetry-version:
+    description: 'Poetry version to install'
    required: false
-    default: '0.11.14'
+    default: '2.1.1'
  install-dependencies:
-    description: 'Install Python dependencies with uv'
+    description: 'Install Python dependencies with Poetry'
    required: false
    default: 'true'

@@ -39,52 +39,65 @@ runs:
          sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
        fi

-    - name: Update uv.lock with latest Prowler commit
+    - name: Install poetry
+      shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pipx install poetry==${INPUTS_POETRY_VERSION}
+      env:
+        INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }}
+
+    - name: Update poetry.lock with latest Prowler commit
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
-        echo "Updated uv.lock entry:"
-        grep "prowler-cloud/prowler" uv.lock
+        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+        }' poetry.lock
+        echo "Updated resolved_reference:"
+        grep -A2 -B2 "resolved_reference" poetry.lock

-    - name: Update uv.lock SDK commit (prowler repo on push)
+    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i "s|\(git = \"https://github\.com/prowler-cloud/prowler\.git?rev=master\)#[a-f0-9]\{40\}\"|\1#${LATEST_COMMIT}\"|g" uv.lock
-        echo "Updated uv.lock entry:"
-        grep "prowler-cloud/prowler" uv.lock
+        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+        }' poetry.lock
+        echo "Updated resolved_reference:"
+        grep -A2 -B2 "resolved_reference" poetry.lock

-    - name: Install uv
+    - name: Update poetry.lock (prowler repo only)
+      if: github.repository == 'prowler-cloud/prowler'
      shell: bash
-      env:
-        UV_VERSION: ${{ inputs.uv-version }}
-      run: pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir "uv==${UV_VERSION}"
+      working-directory: ${{ inputs.working-directory }}
+      run: poetry lock

    - name: Set up Python ${{ inputs.python-version }}
      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ inputs.python-version }}
-        cache: 'pip'
+        cache: 'poetry'
+        cache-dependency-path: ${{ inputs.working-directory }}/poetry.lock

    - name: Install Python dependencies
      if: inputs.install-dependencies == 'true'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
-        uv sync --no-install-project
-        uv run pip list
+        poetry install --no-root
+        poetry run pip list

    - name: Update Prowler Cloud API Client
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
-        uv remove prowler-cloud-api-client
-        uv add ./prowler-cloud-api-client
+        poetry remove prowler-cloud-api-client
+        poetry add ./prowler-cloud-api-client
@@ -66,18 +66,6 @@ updates:
    cooldown:
      default-days: 7

-  - package-ecosystem: "pre-commit"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 25
-    target-branch: master
-    labels:
-      - "dependencies"
-      - "pre-commit"
-    cooldown:
-      default-days: 7
-
  # Dependabot Updates are temporary disabled - 2025/04/15
  # v4.6
  # - package-ecosystem: "pip"
@@ -72,11 +72,6 @@ provider/vercel:
      - any-glob-to-any-file: "prowler/providers/vercel/**"
      - any-glob-to-any-file: "tests/providers/vercel/**"

-provider/okta:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/okta/**"
-      - any-glob-to-any-file: "tests/providers/okta/**"
-
 github_actions:
  - changed-files:
      - any-glob-to-any-file: ".github/workflows/*"
@@ -114,8 +109,6 @@ mutelist:
      - any-glob-to-any-file: "tests/providers/googleworkspace/lib/mutelist/**"
      - any-glob-to-any-file: "prowler/providers/vercel/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/vercel/lib/mutelist/**"
-      - any-glob-to-any-file: "prowler/providers/okta/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/okta/lib/mutelist/**"

 integration/s3:
  - changed-files:
@@ -36,7 +36,6 @@ Please add a detailed description of how to review this PR.

 #### UI
 - [ ] All issue/task requirements work as expected on the UI
- [ ] If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
@@ -49,7 +48,7 @@ Please add a detailed description of how to review this PR.
 - [ ] Performance test results (if applicable)
 - [ ] Any other relevant evidence of the implementation (if applicable)
 - [ ] Verify if API specs need to be regenerated.
- [ ] Check if version updates are required (e.g., specs, uv, etc.).
+- [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.

 ### License
@@ -1,122 +0,0 @@
-#!/usr/bin/env bash
-# Run osv-scanner and fail when findings match the configured severity levels.
-#
-# Replaces `safety check --policy-file .safety-policy.yml`. Used by:
-#   - .github/actions/osv-scanner/action.yml (composite action)
-#   - .github/workflows/api-security.yml, sdk-security.yml, ui-security.yml
-#
-# Severity levels (comma-separated) are read from OSV_SEVERITY_LEVELS.
-# Default: HIGH,CRITICAL,UNKNOWN — preserves prior .safety-policy.yml policy
-#   (ignore-cvss-severity-below: 7 + ignore-cvss-unknown-severity: False).
-# osv-scanner has no native CVSS threshold (google/osv-scanner#1400, closed
-# not-planned). Severity is derived from $group.max_severity (numeric CVSS
-# score string) which osv-scanner emits per group.
-#
-# CVSS v3 score → categorical label:
-#   CRITICAL  >= 9.0
-#   HIGH      >= 7.0
-#   MEDIUM    >= 4.0
-#   LOW       >  0.0
-#   UNKNOWN   no score available
-#
-# Per-vulnerability ignores (with reason + expiry) live in osv-scanner.toml at
-# the repo root, if it exists. Without that file, osv-scanner uses defaults.
-#
-# Usage:
-#   osv-scan.sh [osv-scanner pass-through args...]
-# Examples:
-#   osv-scan.sh --lockfile=uv.lock
-#   osv-scan.sh --recursive .
-#   OSV_SEVERITY_LEVELS=CRITICAL osv-scan.sh --lockfile=uv.lock
-
-set -euo pipefail
-
-ROOT="$(git rev-parse --show-toplevel)"
-CONFIG="${ROOT}/osv-scanner.toml"
-SEVERITY_LEVELS="${OSV_SEVERITY_LEVELS:-HIGH,CRITICAL,UNKNOWN}"
-
-for bin in osv-scanner jq; do
-  if ! command -v "${bin}" >/dev/null 2>&1; then
-    echo "error: ${bin} not found in PATH" >&2
-    exit 2
-  fi
-done
-
-SCAN_ARGS=()
-if [ -f "${CONFIG}" ]; then
-  SCAN_ARGS+=(--config="${CONFIG}")
-fi
-
-# Exit codes: 0=clean, 1=findings, 127=no supported files, 128=internal error.
-STDERR="$(mktemp)"
-trap 'rm -f "${STDERR}"' EXIT
-
-set +e
-OUTPUT="$(osv-scanner scan source "${SCAN_ARGS[@]}" --format=json "$@" 2>"${STDERR}")"
-RC=$?
-set -e
-
-case "${RC}" in
-  0|1) ;;
-  127) echo "osv-scanner: no supported lockfiles in scan target"; exit 0 ;;
-  *)
-    echo "osv-scanner: exited with code ${RC}" >&2
-    [ -s "${STDERR}" ] && cat "${STDERR}" >&2
-    exit "${RC}"
-    ;;
-esac
-
-# Build a JSON array of normalized severity levels for jq.
-SEVERITY_JSON="$(printf '%s' "${SEVERITY_LEVELS}" | jq -Rc '
-  split(",") | map(ascii_upcase | sub("^\\s+"; "") | sub("\\s+$"; ""))
-')"
-
-# Walk each vulnerability, look up its group's max_severity (numeric CVSS),
-# map to a categorical label, then filter by OSV_SEVERITY_LEVELS.
-FINDINGS="$(printf '%s' "${OUTPUT}" | jq --argjson sevs "${SEVERITY_JSON}" '
-  [ .results[]?.packages[]?
-    | . as $pkg
-    | ($pkg.groups // []) as $groups
-    | ($pkg.vulnerabilities // [])[]
-    | . as $vuln
-    | ([ $groups[] | select((.ids // []) | index($vuln.id)) ][0] // {}) as $group
-    | (($group.max_severity // "") | tonumber? // null) as $score
-    | (if   $score == null then "UNKNOWN"
-       elif $score >= 9.0 then "CRITICAL"
-       elif $score >= 7.0 then "HIGH"
-       elif $score >= 4.0 then "MEDIUM"
-       elif $score >  0   then "LOW"
-       else                    "UNKNOWN"
-       end) as $label
-    | {
-        id: $vuln.id,
-        severity: $label,
-        score: $score,
-        summary: ($vuln.summary // null),
-        package: $pkg.package.name,
-        version: $pkg.package.version,
-        ecosystem: $pkg.package.ecosystem
-      }
-    | select(.severity as $s | $sevs | any(. == $s))
-  ]
-')"
-
-COUNT="$(printf '%s' "${FINDINGS}" | jq 'length')"
-
-# Write the findings JSON to OSV_REPORT_FILE so callers (e.g. the composite
-# action's PR-comment step) can consume the same data the gate decision uses.
-if [ -n "${OSV_REPORT_FILE:-}" ]; then
-  printf '%s' "${FINDINGS}" > "${OSV_REPORT_FILE}"
-fi
-
-if [ "${COUNT}" -gt 0 ]; then
-  echo "osv-scanner: ${COUNT} finding(s) at severity ${SEVERITY_LEVELS}"
-  printf '%s' "${FINDINGS}" | jq -r '
-    .[] | "  [\(.severity)\(if .score then " \(.score)" else "" end)] \(.id) \(.ecosystem)/\(.package)@\(.version) — \(.summary // "(no summary)")"
-  '
-  echo
-  echo "To accept a finding, create osv-scanner.toml at the repo root with a reason and ignoreUntil."
-  exit 1
-fi
-
-echo "osv-scanner: no findings at severity levels: ${SEVERITY_LEVELS}"
@@ -0,0 +1,289 @@
+name: 'API: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get current API version
+        id: get_api_version
+        run: |
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "Current API version: $CURRENT_API_VERSION"
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 -> API 1.18.0
+          # For next master (Prowler 5.18.0) -> API 1.19.0
+          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "Current API version: $CURRENT_API_VERSION"
+          echo "Next API minor version (for master): $NEXT_API_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
+          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # Extract current API patch to increment it
+          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            API_PATCH=${BASH_REMATCH[3]}
+
+            # API version follows Prowler minor + 1
+            # Keep same API minor (based on Prowler minor), increment patch
+            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
+
+            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
+            echo "Current API version: $CURRENT_API_VERSION"
+            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
+            echo "Target branch: $VERSION_BRANCH"
+          else
+            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
+            exit 1
+          fi
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -17,8 +17,6 @@ concurrency:
 env:
  API_WORKING_DIR: ./api

-permissions: {}
-
 jobs:
  api-code-quality:
    runs-on: ubuntu-latest
@@ -43,7 +41,6 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            api.github.com:443
-            raw.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -64,25 +61,25 @@ jobs:
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api

-      - name: uv lock check
+      - name: Poetry check
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv lock --check
+        run: poetry check --lock

      - name: Ruff lint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run ruff check . --exclude contrib
+        run: poetry run ruff check . --exclude contrib

      - name: Ruff format
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run ruff format --check . --exclude contrib
+        run: poetry run ruff format --check . --exclude contrib

      - name: Pylint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pylint --disable=W,C,R,E -j 0 -rn -sn src/
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
@@ -24,8 +24,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  api-analyze:
    name: CodeQL Security Analysis
@@ -33,8 +33,6 @@ env:
  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api

-permissions: {}
-
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
@@ -158,7 +156,7 @@ jobs:
          tags: |
            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

  # Create and push multi-architecture manifest
  create-manifest:
@@ -5,16 +5,10 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,8 +18,6 @@ env:
  API_WORKING_DIR: ./api
  IMAGE_NAME: prowler-api

-permissions: {}
-
 jobs:
  api-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
@@ -63,7 +55,16 @@ jobs:

  api-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            arch: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -116,22 +117,23 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Build container
+      - name: Build container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
          load: true
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
+          platforms: ${{ matrix.platform }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

-      - name: Scan container with Trivy
+      - name: Scan container with Trivy for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ github.sha }}-${{ matrix.arch }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -5,24 +5,10 @@ on:
    branches:
      - "master"
      - "v5.*"
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-tests.yml'
-      - '.github/workflows/api-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
  pull_request:
    branches:
      - "master"
      - "v5.*"
-    paths:
-      - 'api/**'
-      - '.github/workflows/api-tests.yml'
-      - '.github/workflows/api-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -31,15 +17,12 @@ concurrency:
 env:
  API_WORKING_DIR: ./api

-permissions: {}
-
 jobs:
  api-security-scans:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
    strategy:
      matrix:
        python-version:
@@ -57,13 +40,10 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
            api.github.com:443
-            objects.githubusercontent.com:443
-            raw.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -78,34 +58,30 @@ jobs:
          files: |
            api/**
            .github/workflows/api-security.yml
-            .github/actions/osv-scanner/**
-            .github/scripts/osv-scan.sh
          files_ignore: |
            api/docs/**
            api/README.md
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api

      - name: Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
-        # Exclude .venv because uv places the project venv inside ./api; otherwise
-        # bandit would recurse into installed third-party packages.
-        run: uv run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .

-      - name: Dependency vulnerability scan with osv-scanner
+      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: api/uv.lock
+        run: poetry run safety check --ignore 79023,79027,86217,71600
+        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
+        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
+        # TODO: 71600 CVE-2024-1135 false positive - fixed in gunicorn 22.0.0, project uses 23.0.0

      - name: Vulture
-        # Run even when osv-scanner reports findings so dead-code signal isn't masked by SCA failures.
-        if: ${{ !cancelled() && steps.check-changes.outputs.any_changed == 'true' }}
-        run: uv run vulture --exclude "contrib,tests,conftest.py,.venv" --min-confidence 100 .
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
@@ -30,8 +30,6 @@ env:
  VALKEY_DB: 0
  API_WORKING_DIR: ./api

-permissions: {}
-
 jobs:
  api-tests:
    runs-on: ubuntu-latest
@@ -87,7 +85,6 @@ jobs:
            files.pythonhosted.org:443
            cli.codecov.io:443
            keybase.io:443
-            raw.githubusercontent.com:443
            ingest.codecov.io:443
            storage.googleapis.com:443
            o26192.ingest.us.sentry.io:443
@@ -113,16 +110,16 @@ jobs:
            api/CHANGELOG.md
            api/AGENTS.md

-      - name: Setup Python with uv
+      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api

      - name: Run tests with pytest
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pytest --cov=./src/backend --cov-report=xml src/backend
+        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend

      - name: Upload coverage reports to Codecov
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -17,8 +17,6 @@ env:
  BACKPORT_LABEL_PREFIX: backport-to-
  BACKPORT_LABEL_IGNORE: was-backported

-permissions: {}
-
 jobs:
  backport:
    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
@@ -35,7 +33,6 @@ jobs:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
-            github.com:443

      - name: Check labels
        id: label_check
@@ -1,376 +0,0 @@
-name: 'Release: Bump Versions'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: release-bump-versions-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-master:
-    name: Bump versions on master (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout master
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: master
-          persist-credentials: false
-
-      - name: Compute next versions for master
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          # SDK / UI / docs mirror the Prowler version directly.
-          NEXT_SDK_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-
-          # API is an independent stream: 1.<prowler_minor + 1>.X
-          # After Prowler 5.M.0 release, master moves on to next API minor: 1.(M+2).0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          # Read current versions to drive sed replacements.
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
-
-          echo "NEXT_SDK_VERSION=${NEXT_SDK_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version: $PROWLER_VERSION"
-          echo "Next SDK/UI version (master): $NEXT_SDK_VERSION"
-          echo "Next API version (master):   $NEXT_API_VERSION  (current: $CURRENT_API_VERSION)"
-          echo "Docs target version:         $PROWLER_VERSION   (current: $CURRENT_DOCS_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Decide whether to bump docs on master
-        id: docs_decision
-        run: |
-          # Skip docs bump if master is already at or ahead of the release version
-          # (re-run, or patch shipped against an older minor line).
-          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
-          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            echo "Skipping docs bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
-          else
-            echo "skip=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_SDK_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_SDK_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_SDK_VERSION}|" .env
-
-      - name: Bump docs versions (prowler-app.mdx)
-        if: steps.docs_decision.outputs.skip == 'false'
-        run: |
-          set -e
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next versions to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_SDK_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on master after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_SDK_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_SDK_VERSION }} |
-            | Docs | `docs/getting-started/installation/prowler-app.mdx` (`PROWLER_UI_VERSION`, `PROWLER_API_VERSION`) | v${{ env.PROWLER_VERSION }} (skipped if already at or ahead) |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-minor-version-branch:
-    name: Bump versions on version branch (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Compute first patch versions for version branch
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI first patch mirrors Prowler version directly.
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-
-          # API on this branch stays on the 1.<MINOR+1>.X stream, starting at .1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "First SDK/UI patch:           $FIRST_PATCH_VERSION"
-          echo "First API patch:              $FIRST_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for first patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.FIRST_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.FIRST_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.FIRST_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version-branch:
-    name: Bump versions on version branch (patch release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Compute next patch versions
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI patch mirrors Prowler version directly.
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          # API on this branch stays on 1.<MINOR+1>.X; bump its patch component.
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "Next SDK/UI patch:            $NEXT_PATCH_VERSION"
-          echo "Next API patch:               $NEXT_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -21,8 +21,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  zizmor:
    if: github.repository == 'prowler-cloud/prowler'
@@ -9,8 +9,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.issue.number }}
  cancel-in-progress: false

-permissions: {}
-
 jobs:
  update-labels:
    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
@@ -4,6 +4,8 @@ on:
  pull_request:
    branches:
      - 'master'
+      - 'v3'
+      - 'v4.*'
      - 'v5.*'
    types:
      - 'opened'
@@ -14,8 +16,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  conventional-commit-check:
    runs-on: ubuntu-latest
@@ -13,8 +13,6 @@ env:
  BACKPORT_LABEL_PREFIX: backport-to-
  BACKPORT_LABEL_COLOR: B60205

-permissions: {}
-
 jobs:
  create-label:
    runs-on: ubuntu-latest
@@ -43,11 +41,14 @@ jobs:

          echo "Processing release tag: $RELEASE_TAG"

+          # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0)
          VERSION_ONLY="${RELEASE_TAG#v}"

+          # Check if it's a minor version (X.Y.0)
          if [[ "$VERSION_ONLY" =~ ^([0-9]+)\.([0-9]+)\.0$ ]]; then
            echo "Release $RELEASE_TAG (version $VERSION_ONLY) is a minor version. Proceeding to create backport label."

+            # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0)
            MAJOR="${BASH_REMATCH[1]}"
            MINOR="${BASH_REMATCH[2]}"
            TWO_DIGIT_VERSION="${MAJOR}.${MINOR}"
@@ -59,6 +60,7 @@ jobs:
            echo "Label name: $LABEL_NAME"
            echo "Label description: $LABEL_DESC"

+            # Check if label already exists
            if gh label list --repo ${{ github.repository }} --limit 1000 | grep -q "^${LABEL_NAME}[[:space:]]"; then
              echo "Label '$LABEL_NAME' already exists."
            else
@@ -0,0 +1,282 @@
+name: 'Docs: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get current documentation version
+        id: get_docs_version
+        run: |
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
+          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+          echo "Current release version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+
+      - name: Bump versions in documentation for master
+        run: |
+          set -e
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+            - All `*.mdx` files with `<VersionBadge>` components
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+
+      - name: Bump versions in documentation for version branch
+        run: |
+          set -e
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current documentation version: $CURRENT_DOCS_VERSION"
+          echo "Current release version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+
+      - name: Bump versions in documentation for patch version
+        run: |
+          set -e
+
+          # Update prowler-app.mdx with current release version
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
+          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -14,8 +14,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  scan-secrets:
    runs-on: ubuntu-latest
@@ -27,23 +25,19 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
-          # We can't block as Trufflehog needs to verify secrets against vendors
-          egress-policy: audit
-          # allowed-endpoints: >
-          #   github.com:443
-          #   ghcr.io:443
-          #   pkg-containers.githubusercontent.com:443
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          # PRs only need the diff range; push to master/release walks the new range from event.before.
-          # 50 is enough headroom for the longest realistic PR/push chain without paying for a full clone.
-          fetch-depth: 50
+          fetch-depth: 0
          persist-credentials: false

-      - name: Scan diff for secrets with TruffleHog
-        # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags.
+      - name: Scan for secrets with TruffleHog
        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
        with:
-          extra_args: --results=verified,unknown
+          extra_args: '--results=verified,unknown'
@@ -21,8 +21,6 @@ concurrency:
 env:
  CHART_PATH: contrib/k8s/helm/prowler-app

-permissions: {}
-
 jobs:
  helm-lint:
    if: github.repository == 'prowler-cloud/prowler'
@@ -13,8 +13,6 @@ concurrency:
 env:
  CHART_PATH: contrib/k8s/helm/prowler-app

-permissions: {}
-
 jobs:
  release-helm-chart:
    if: github.repository == 'prowler-cloud/prowler'
@@ -9,8 +9,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.issue.number }}
  cancel-in-progress: false

-permissions: {}
-
 jobs:
  lock:
    if: |
@@ -15,8 +15,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  labeler:
    runs-on: ubuntu-latest
@@ -62,7 +60,7 @@ jobs:
            "Alan-TheGentleman"
            "alejandrobailo"
            "amitsharm"
-            # "andoniaf"
+            "andoniaf"
            "cesararroba"
            "danibarranqueroo"
            "HugoPBrito"
@@ -32,8 +32,6 @@ env:
  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp

-permissions: {}
-
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
@@ -152,7 +150,7 @@ jobs:
            org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
            ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

  # Create and push multi-architecture manifest
  create-manifest:
@@ -5,16 +5,10 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'mcp_server/**'
-      - '.github/workflows/mcp-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'mcp_server/**'
-      - '.github/workflows/mcp-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,8 +18,6 @@ env:
  MCP_WORKING_DIR: ./mcp_server
  IMAGE_NAME: prowler-mcp

-permissions: {}
-
 jobs:
  mcp-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
@@ -62,7 +54,16 @@ jobs:

  mcp-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            arch: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -79,7 +80,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -87,9 +87,6 @@ jobs:
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
-            get.trivy.dev:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -110,22 +107,23 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Build MCP container
+      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
          load: true
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
+          platforms: ${{ matrix.platform }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

-      - name: Scan MCP container with Trivy
+      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ github.sha }}-${{ matrix.arch }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -14,8 +14,6 @@ env:
  PYTHON_VERSION: "3.12"
  WORKING_DIRECTORY: ./mcp_server

-permissions: {}
-
 jobs:
  validate-release:
    if: github.repository == 'prowler-cloud/prowler'
@@ -86,33 +84,11 @@ jobs:
        with:
          python-version: ${{ env.PYTHON_VERSION }}

-      # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release
-      # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in
-      # sync with mcp_server/CHANGELOG.md (separate from the release bump-version.yml), but this
-      # publish workflow still runs on every release.
-      # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any
-      # workflow_dispatch re-runs) without failing with HTTP 400 (version exists).
-      - name: Check if prowler-mcp version already exists on PyPI
-        id: pypi-check
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-        run: |
-          MCP_VERSION=$(grep '^version' pyproject.toml | head -1 | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/')
-          echo "mcp_version=${MCP_VERSION}" >> "$GITHUB_OUTPUT"
-          if curl -fsS "https://pypi.org/pypi/prowler-mcp/${MCP_VERSION}/json" >/dev/null 2>&1; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            echo "::notice title=Skipping prowler-mcp publish::Version ${MCP_VERSION} already exists on PyPI; bump mcp_server/pyproject.toml to publish a new release."
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-            echo "::notice title=Publishing prowler-mcp::Version ${MCP_VERSION} not on PyPI yet; proceeding."
-          fi
-
      - name: Build prowler-mcp package
-        if: steps.pypi-check.outputs.skip != 'true'
        working-directory: ${{ env.WORKING_DIRECTORY }}
        run: uv build

      - name: Publish prowler-mcp package to PyPI
-        if: steps.pypi-check.outputs.skip != 'true'
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
@@ -1,98 +0,0 @@
-name: 'Nightly: ARM64 Container Builds'
-
-# Mitigation for amd64-only PR container-checks: build amd64+arm64 nightly against
-# master to keep arm-specific Dockerfile regressions caught quickly. Build only —
-# no push, no Trivy (weekly checks already cover that).
-
-on:
-  schedule:
-    - cron: '0 4 * * *'
-  workflow_dispatch: {}
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
-permissions: {}
-
-jobs:
-  build-arm64:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-24.04-arm
-    timeout-minutes: 60
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - component: sdk
-            context: .
-            dockerfile: ./Dockerfile
-            image_name: prowler
-          - component: api
-            context: ./api
-            dockerfile: ./api/Dockerfile
-            image_name: prowler-api
-          - component: ui
-            context: ./ui
-            dockerfile: ./ui/Dockerfile
-            image_name: prowler-ui
-            target: prod
-            build_args: |
-              NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
-          - component: mcp
-            context: ./mcp_server
-            dockerfile: ./mcp_server/Dockerfile
-            image_name: prowler-mcp
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
-      - name: Build ${{ matrix.component }} container (linux/arm64)
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
-        with:
-          context: ${{ matrix.context }}
-          file: ${{ matrix.dockerfile }}
-          target: ${{ matrix.target }}
-          push: false
-          load: false
-          platforms: linux/arm64
-          tags: ${{ matrix.image_name }}:nightly-arm64
-          build-args: ${{ matrix.build_args }}
-          cache-from: type=gha,scope=arm64
-          cache-to: type=gha,mode=min,scope=arm64
-
-  notify-failure:
-    needs: build-arm64
-    if: failure() && github.event_name == 'schedule'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Notify Slack on failure
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-        with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload: |
-            channel: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-            text: ":rotating_light: Nightly arm64 container build failed for prowler — <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|view run>"
-          errors: true
@@ -16,8 +16,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  check-changelog:
    if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false
@@ -41,15 +39,10 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          fetch-depth: 1
+          fetch-depth: 0
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

-      - name: Fetch PR base ref for tj-actions/changed-files
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        run: git fetch --depth=1 origin "${BASE_REF}"
-
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
@@ -59,7 +52,7 @@ jobs:
            ui/**
            prowler/**
            mcp_server/**
-            uv.lock
+            poetry.lock
            pyproject.toml

      - name: Check for folder changes and changelog presence
@@ -84,9 +77,9 @@ jobs:
              fi
            done

-            # Check root-level dependency files (uv.lock, pyproject.toml)
+            # Check root-level dependency files (poetry.lock, pyproject.toml)
            # These are associated with the prowler folder changelog
-            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(uv\.lock|pyproject\.toml)$" || true)
+            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
            if [ -n "$root_deps_changed" ]; then
              echo "Detected changes in root dependency files: $root_deps_changed"
              # Check if prowler/CHANGELOG.md was already updated (might have been caught above)
@@ -16,17 +16,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  check-compliance-mapping:
-    if: >-
-      github.event.pull_request.state == 'open' &&
-      contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false &&
-      (
-        (github.event.action != 'labeled' && github.event.action != 'unlabeled')
-        || github.event.label.name == 'no-compliance-check'
-      )
+    if: contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -45,15 +37,10 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          fetch-depth: 1
+          fetch-depth: 0
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

-      - name: Fetch PR base ref for tj-actions/changed-files
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        run: git fetch --depth=1 origin "${BASE_REF}"
-
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
@@ -15,8 +15,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  check-conflicts:
    runs-on: ubuntu-latest
@@ -36,14 +34,8 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 1
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Fetch PR base ref for tj-actions/changed-files
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        run: git fetch --depth=1 origin "${BASE_REF}"
+          fetch-depth: 0
+          persist-credentials: false

      - name: Get changed files
        id: changed-files
@@ -12,8 +12,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: false

-permissions: {}
-
 jobs:
  trigger-cloud-pull-request:
    if: |
@@ -17,8 +17,6 @@ concurrency:
 env:
  PROWLER_VERSION: ${{ inputs.prowler_version }}

-permissions: {}
-
 jobs:
  prepare-release:
    if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
@@ -40,11 +38,15 @@ jobs:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        persist-credentials: false

-    - name: Setup Python with uv
-      uses: ./.github/actions/setup-python-uv
+    - name: Set up Python
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.12'
-        install-dependencies: 'false'
+
+    - name: Install Poetry
+      run: |
+        python3 -m pip install --user poetry==2.1.1
+        echo "$HOME/.local/bin" >> $GITHUB_PATH

    - name: Configure Git
      run: |
@@ -53,7 +55,7 @@ jobs:

    - name: Parse version and determine branch
      run: |
-        # Validate version format (reusing pattern from bump-version.yml)
+        # Validate version format (reusing pattern from sdk-bump-version.yml)
        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
          MAJOR_VERSION=${BASH_REMATCH[1]}
          MINOR_VERSION=${BASH_REMATCH[2]}
@@ -299,6 +301,17 @@ jobs:
        fi
        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"

+    - name: Verify API version in api/src/backend/api/v1/views.py
+      if: ${{ env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
+
    - name: Verify API version in api/src/backend/api/specs/v1.yaml
      if: ${{ env.HAS_API_CHANGES == 'true' }}
      run: |
@@ -327,11 +340,10 @@ jobs:
          exit 1
        fi

-        # Update uv lock file
-        echo "Updating uv.lock file..."
-        pip install --no-cache-dir uv==0.11.14
+        # Update poetry lock file
+        echo "Updating poetry.lock file..."
        cd api
-        uv lock
+        poetry lock
        cd ..

        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"
@@ -346,7 +358,7 @@ jobs:
        base: ${{ env.BRANCH_NAME }}
        add-paths: |
          api/pyproject.toml
-          api/uv.lock
+          api/poetry.lock
        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
        body: |
          ### Description
@@ -355,7 +367,7 @@ jobs:

          **Changes:**
          - Updates `api/pyproject.toml` prowler dependency from `@master` to `@${{ env.BRANCH_NAME }}`
-          - Updates `api/uv.lock` file with resolved dependencies
+          - Updates `api/poetry.lock` file with resolved dependencies

          This PR should be merged into the `${{ env.BRANCH_NAME }}` release branch.

@@ -0,0 +1,245 @@
+name: 'SDK: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -5,16 +5,11 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'tests/providers/**/*_test.py'
-      - '.github/workflows/sdk-check-duplicate-test-names.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  check-duplicate-test-names:
    if: github.repository == 'prowler-cloud/prowler'
@@ -14,8 +14,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  sdk-code-quality:
    if: github.repository == 'prowler-cloud/prowler'
@@ -71,26 +69,35 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Install Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}
+          cache: 'poetry'

-      - name: Check uv lock file
+      - name: Install dependencies
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv lock --check
+        run: |
+          poetry install --no-root
+          poetry run pip list
+
+      - name: Check Poetry lock file
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry check --lock

      - name: Lint with flake8
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude .venv,contrib,ui,api,skills,mcp_server
+        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api,skills

      - name: Check format with black
        if: steps.check-changes.outputs.any_changed == 'true'
-        # mcp_server has its own pyproject and uses ruff format, exclude it so SDK black
-        # does not fight ruff over rules it never formatted.
-        run: uv run black --exclude "\.venv|api|ui|skills|mcp_server" --check .
+        run: poetry run black --exclude "api|ui|skills" --check .

      - name: Lint with pylint
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
@@ -30,8 +30,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  sdk-analyze:
    if: github.repository == 'prowler-cloud/prowler'
@@ -3,7 +3,9 @@ name: 'SDK: Container Build and Push'
 on:
  push:
    branches:
-      - 'master'
+      - 'v3'      # For v3-latest
+      - 'v4.6'    # For v4-latest
+      - 'master'  # For latest
    paths-ignore:
      - '.github/**'
      - '!.github/workflows/sdk-container-build-push.yml'
@@ -45,8 +47,6 @@ env:
  # AWS configuration (for ECR)
  AWS_REGION: us-east-1

-permissions: {}
-
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
@@ -54,6 +54,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
    permissions:
@@ -73,19 +74,48 @@ jobs:
        with:
          persist-credentials: false

+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry
+        run: |
+          pipx install poetry==2.1.1
+          pipx inject poetry poetry-bumpversion
+
      - name: Get Prowler version and set tags
        id: get-prowler-version
        run: |
-          PROWLER_VERSION="$(grep -E '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')"
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

+          # Extract major version
          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
-          if [[ "${PROWLER_VERSION_MAJOR}" != "5" ]]; then
-            echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
-            exit 1
-          fi
-          echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-          echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
+          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+
+          # Set version-specific tags
+          case ${PROWLER_VERSION_MAJOR} in
+            3)
+              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
+              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
+              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
+              ;;
+            4)
+              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
+              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
+              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
+              ;;
+            5)
+              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
+              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
+              echo "✓ Prowler v5 detected - tags: latest, stable"
+              ;;
+            *)
+              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
+              exit 1
+              ;;
+          esac

  notify-release-started:
    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -196,7 +226,7 @@ jobs:
          tags: |
            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

  # Create and push multi-architecture manifest
  create-manifest:
@@ -354,3 +384,39 @@ jobs:
          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
          step-outcome: ${{ steps.outcome.outputs.outcome }}
          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+
+  dispatch-v3-deployment:
+    needs: [setup, container-build-push]
+    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Calculate short SHA
+        id: short-sha
+        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
+      - name: Dispatch v3 deployment (latest)
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
+
+      - name: Dispatch v3 deployment (release)
+        if: github.event_name == 'release'
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
+          event-type: dispatch
+          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'
@@ -5,22 +5,10 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'Dockerfile*'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'Dockerfile*'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,8 +17,6 @@ concurrency:
 env:
  IMAGE_NAME: prowler

-permissions: {}
-
 jobs:
  sdk-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
@@ -68,7 +54,16 @@ jobs:

  sdk-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            arch: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -90,7 +85,6 @@ jobs:
            check.trivy.dev:443
            debian.map.fastlydns.net:80
            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443
            pypi.org:443
            files.pythonhosted.org:443
            www.powershellgallery.com:443
@@ -135,22 +129,23 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Build SDK container
+      - name: Build SDK container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: false
          load: true
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
+          platforms: ${{ matrix.platform }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

-      - name: Scan SDK container with Trivy
+      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ github.sha }}-${{ matrix.arch }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -13,8 +13,6 @@ env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
  PYTHON_VERSION: '3.12'

-permissions: {}
-
 jobs:
  validate-release:
    if: github.repository == 'prowler-cloud/prowler'
@@ -75,14 +73,16 @@ jobs:
        with:
          persist-credentials: false

-      - name: Setup Python with uv
-        uses: ./.github/actions/setup-python-uv
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'

      - name: Build Prowler package
-        run: uv build
+        run: poetry build

      - name: Publish Prowler package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
@@ -111,11 +111,13 @@ jobs:
        with:
          persist-credentials: false

-      - name: Setup Python with uv
-        uses: ./.github/actions/setup-python-uv
+      - name: Install Poetry
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
-          install-dependencies: 'false'

      - name: Install toml package
        run: pip install toml
@@ -126,7 +128,7 @@ jobs:
          python util/replicate_pypi_package.py

      - name: Build prowler-cloud package
-        run: uv build
+        run: poetry build

      - name: Publish prowler-cloud package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
@@ -13,8 +13,6 @@ env:
  PYTHON_VERSION: '3.12'
  AWS_REGION: 'us-east-1'

-permissions: {}
-
 jobs:
  refresh-aws-regions:
    if: github.repository == 'prowler-cloud/prowler'
@@ -12,8 +12,6 @@ concurrency:
 env:
  PYTHON_VERSION: '3.12'

-permissions: {}
-
 jobs:
  refresh-oci-regions:
    if: github.repository == 'prowler-cloud/prowler'
@@ -5,37 +5,15 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-tests.yml'
-      - '.github/workflows/sdk-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - '.github/workflows/sdk-tests.yml'
-      - '.github/workflows/sdk-security.yml'
-      - '.github/actions/setup-python-uv/**'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  sdk-security-scans:
    if: github.repository == 'prowler-cloud/prowler'
@@ -43,7 +21,6 @@ jobs:
    timeout-minutes: 15
    permissions:
      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings

    steps:
      - name: Harden Runner
@@ -54,12 +31,10 @@ jobs:
            pypi.org:443
            files.pythonhosted.org:443
            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -94,23 +69,29 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Install Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python 3.12
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root

      - name: Security scan with Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: uv run bandit -q -lll -x '*_test.py,./.venv/,./contrib/,./api/,./ui' -r .
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .

-      - name: Dependency vulnerability scan with osv-scanner
+      - name: Security scan with Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: uv.lock
+        run: poetry run safety check -r pyproject.toml

      - name: Dead code detection with Vulture
-        # Run even when osv-scanner reports findings so dead-code signal isn't masked by SCA failures.
-        if: ${{ !cancelled() && steps.check-changes.outputs.any_changed == 'true' }}
-        run: uv run vulture --exclude ".venv,contrib,api,ui" --min-confidence 100 .
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
@@ -14,8 +14,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  sdk-tests:
    if: github.repository == 'prowler-cloud/prowler'
@@ -92,11 +90,20 @@ jobs:
            contrib/**
            **/AGENTS.md

-      - name: Setup Python with uv
+      - name: Install Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-uv
+        run: pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.check-changes.outputs.any_changed == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}
+          cache: 'poetry'
+
+      - name: Install dependencies
+        if: steps.check-changes.outputs.any_changed == 'true'
+        run: poetry install --no-root

      # AWS Provider
      - name: Check if AWS files changed
@@ -107,7 +114,7 @@ jobs:
          files: |
            ./prowler/**/aws/**
            ./tests/**/aws/**
-            ./uv.lock
+            ./poetry.lock

      - name: Resolve AWS services under test
        if: steps.changed-aws.outputs.any_changed == 'true'
@@ -209,11 +216,11 @@ jobs:
          echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"

          if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            uv run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
          elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
            echo "No AWS service paths detected; skipping AWS tests."
          else
-            uv run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
          fi
        env:
          STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
@@ -237,11 +244,11 @@ jobs:
          files: |
            ./prowler/**/azure/**
            ./tests/**/azure/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Azure tests
        if: steps.changed-azure.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
+        run: poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure

      - name: Upload Azure coverage to Codecov
        if: steps.changed-azure.outputs.any_changed == 'true'
@@ -261,11 +268,11 @@ jobs:
          files: |
            ./prowler/**/gcp/**
            ./tests/**/gcp/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run GCP tests
        if: steps.changed-gcp.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
+        run: poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp

      - name: Upload GCP coverage to Codecov
        if: steps.changed-gcp.outputs.any_changed == 'true'
@@ -285,11 +292,11 @@ jobs:
          files: |
            ./prowler/**/kubernetes/**
            ./tests/**/kubernetes/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Kubernetes tests
        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
+        run: poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes

      - name: Upload Kubernetes coverage to Codecov
        if: steps.changed-kubernetes.outputs.any_changed == 'true'
@@ -309,11 +316,11 @@ jobs:
          files: |
            ./prowler/**/github/**
            ./tests/**/github/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run GitHub tests
        if: steps.changed-github.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
+        run: poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github

      - name: Upload GitHub coverage to Codecov
        if: steps.changed-github.outputs.any_changed == 'true'
@@ -324,30 +331,6 @@ jobs:
          flags: prowler-py${{ matrix.python-version }}-github
          files: ./github_coverage.xml

-      # Okta Provider
-      - name: Check if Okta files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-okta
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ./prowler/**/okta/**
-            ./tests/**/okta/**
-            ./uv.lock
-
-      - name: Run Okta tests
-        if: steps.changed-okta.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/okta --cov-report=xml:okta_coverage.xml tests/providers/okta
-
-      - name: Upload Okta coverage to Codecov
-        if: steps.changed-okta.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-okta
-          files: ./okta_coverage.xml
-
      # NHN Provider
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -357,11 +340,11 @@ jobs:
          files: |
            ./prowler/**/nhn/**
            ./tests/**/nhn/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run NHN tests
        if: steps.changed-nhn.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
+        run: poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn

      - name: Upload NHN coverage to Codecov
        if: steps.changed-nhn.outputs.any_changed == 'true'
@@ -381,11 +364,11 @@ jobs:
          files: |
            ./prowler/**/m365/**
            ./tests/**/m365/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run M365 tests
        if: steps.changed-m365.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
+        run: poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365

      - name: Upload M365 coverage to Codecov
        if: steps.changed-m365.outputs.any_changed == 'true'
@@ -405,11 +388,11 @@ jobs:
          files: |
            ./prowler/**/iac/**
            ./tests/**/iac/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run IaC tests
        if: steps.changed-iac.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
+        run: poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac

      - name: Upload IaC coverage to Codecov
        if: steps.changed-iac.outputs.any_changed == 'true'
@@ -429,11 +412,11 @@ jobs:
          files: |
            ./prowler/**/mongodbatlas/**
            ./tests/**/mongodbatlas/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run MongoDB Atlas tests
        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas
+        run: poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas

      - name: Upload MongoDB Atlas coverage to Codecov
        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
@@ -453,11 +436,11 @@ jobs:
          files: |
            ./prowler/**/oraclecloud/**
            ./tests/**/oraclecloud/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run OCI tests
        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud
+        run: poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud

      - name: Upload OCI coverage to Codecov
        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
@@ -477,11 +460,11 @@ jobs:
          files: |
            ./prowler/**/openstack/**
            ./tests/**/openstack/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run OpenStack tests
        if: steps.changed-openstack.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/openstack --cov-report=xml:openstack_coverage.xml tests/providers/openstack
+        run: poetry run pytest -n auto --cov=./prowler/providers/openstack --cov-report=xml:openstack_coverage.xml tests/providers/openstack

      - name: Upload OpenStack coverage to Codecov
        if: steps.changed-openstack.outputs.any_changed == 'true'
@@ -501,11 +484,11 @@ jobs:
          files: |
            ./prowler/**/googleworkspace/**
            ./tests/**/googleworkspace/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Google Workspace tests
        if: steps.changed-googleworkspace.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/googleworkspace --cov-report=xml:googleworkspace_coverage.xml tests/providers/googleworkspace
+        run: poetry run pytest -n auto --cov=./prowler/providers/googleworkspace --cov-report=xml:googleworkspace_coverage.xml tests/providers/googleworkspace

      - name: Upload Google Workspace coverage to Codecov
        if: steps.changed-googleworkspace.outputs.any_changed == 'true'
@@ -525,11 +508,11 @@ jobs:
          files: |
            ./prowler/**/vercel/**
            ./tests/**/vercel/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Vercel tests
        if: steps.changed-vercel.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel
+        run: poetry run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel

      - name: Upload Vercel coverage to Codecov
        if: steps.changed-vercel.outputs.any_changed == 'true'
@@ -549,11 +532,11 @@ jobs:
          files: |
            ./prowler/lib/**
            ./tests/lib/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Lib tests
        if: steps.changed-lib.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
+        run: poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib

      - name: Upload Lib coverage to Codecov
        if: steps.changed-lib.outputs.any_changed == 'true'
@@ -573,11 +556,11 @@ jobs:
          files: |
            ./prowler/config/**
            ./tests/config/**
-            ./uv.lock
+            ./poetry.lock

      - name: Run Config tests
        if: steps.changed-config.outputs.any_changed == 'true'
-        run: uv run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
+        run: poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config

      - name: Upload Config coverage to Codecov
        if: steps.changed-config.outputs.any_changed == 'true'
@@ -31,8 +31,6 @@ on:
        description: "Whether there are UI E2E tests to run"
        value: ${{ jobs.analyze.outputs.has-ui-e2e }}

-permissions: {}
-
 jobs:
  analyze:
    runs-on: ubuntu-latest
@@ -0,0 +1,251 @@
+name: 'UI: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for master
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -26,8 +26,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  ui-analyze:
    if: github.repository == 'prowler-cloud/prowler'
@@ -35,8 +35,6 @@ env:
  # Build args
  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1

-permissions: {}
-
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
@@ -151,7 +149,7 @@ jobs:
          tags: |
            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

  # Create and push multi-architecture manifest
  create-manifest:
@@ -5,16 +5,10 @@ on:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-container-checks.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,8 +18,6 @@ env:
  UI_WORKING_DIR: ./ui
  IMAGE_NAME: prowler-ui

-permissions: {}
-
 jobs:
  ui-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
@@ -63,7 +55,16 @@ jobs:

  ui-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            arch: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -80,7 +81,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
            fonts.googleapis.com:443
@@ -89,8 +89,6 @@ jobs:
            mirror.gcr.io:443
            check.trivy.dev:443
            get.trivy.dev:443
-            release-assets.githubusercontent.com:443
-            objects.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -112,7 +110,7 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Build UI container
+      - name: Build UI container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
@@ -120,17 +118,18 @@ jobs:
          target: prod
          push: false
          load: true
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
+          platforms: ${{ matrix.platform }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
          build-args: |
            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

-      - name: Scan UI container with Trivy
+      - name: Scan UI container with Trivy for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ github.sha }}-${{ matrix.arch }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -15,12 +15,6 @@ on:
      - 'ui/**'
      - 'api/**'  # API changes can affect UI E2E

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
 jobs:
  # First, analyze which tests need to run
  impact-analysis:
@@ -130,12 +124,6 @@ jobs:
          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env

-      - name: Build API image from current code
-        # docker-compose.yml references prowlercloud/prowler-api:latest from the registry,
-        # which lags behind PR changes; build locally so E2E exercises the API image
-        # produced by this PR.
-        run: docker build -t prowlercloud/prowler-api:latest ./api
-
      - name: Start API services
        run: |
          export PROWLER_API_VERSION=latest
@@ -164,7 +152,7 @@ jobs:
            for fixture in api/fixtures/dev/*.json; do
              if [ -f "$fixture" ]; then
                echo "Loading $fixture"
-                uv run python manage.py loaddata "$fixture" --database admin
+                poetry run python manage.py loaddata "$fixture" --database admin
              fi
            done
          '
@@ -276,7 +264,7 @@ jobs:
        with:
          name: playwright-report
          path: ui/playwright-report/
-          retention-days: 7
+          retention-days: 30

      - name: Cleanup services
        if: always()
@@ -1,75 +0,0 @@
-name: 'UI: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/package.json'
-      - 'ui/pnpm-lock.yaml'
-      - '.github/workflows/ui-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'ui/package.json'
-      - 'ui/pnpm-lock.yaml'
-      - '.github/workflows/ui-security.yml'
-      - '.github/actions/osv-scanner/**'
-      - '.github/scripts/osv-scan.sh'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  ui-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write # osv-scanner action posts/updates a PR comment with findings
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            objects.githubusercontent.com:443
-            release-assets.githubusercontent.com:443
-            api.osv.dev:443
-            api.deps.dev:443
-            osv-vulnerabilities.storage.googleapis.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
-
-      - name: Check for UI dependency changes
-        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files: |
-            ui/package.json
-            ui/pnpm-lock.yaml
-            .github/workflows/ui-security.yml
-            .github/actions/osv-scanner/**
-            .github/scripts/osv-scan.sh
-
-      - name: Dependency vulnerability scan with osv-scanner
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/osv-scanner
-        with:
-          lockfile: ui/pnpm-lock.yaml
@@ -1,14 +1,14 @@
-name: "UI: Tests"
+name: 'UI: Tests'

 on:
  push:
    branches:
-      - "master"
-      - "v5.*"
+      - 'master'
+      - 'v5.*'
  pull_request:
    branches:
-      - "master"
-      - "v5.*"
+      - 'master'
+      - 'v5.*'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,9 +16,7 @@ concurrency:

 env:
  UI_WORKING_DIR: ./ui
-  NODE_VERSION: "24.13.0"
-
-permissions: {}
+  NODE_VERSION: '24.13.0'

 jobs:
  ui-tests:
@@ -42,9 +40,6 @@ jobs:
            fonts.gstatic.com:443
            api.github.com:443
            release-assets.githubusercontent.com:443
-            cdn.playwright.dev:443
-            objects.githubusercontent.com:443
-            playwright.download.prss.microsoft.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -132,15 +127,11 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        run: pnpm run healthcheck

-      - name: Run pnpm audit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run audit
-
      - name: Run unit tests (all - critical paths changed)
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed == 'true'
        run: |
          echo "Critical paths changed - running ALL unit tests"
-          pnpm run test:unit
+          pnpm run test:run

      - name: Run unit tests (related to changes only)
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files != ''
@@ -149,7 +140,7 @@ jobs:
          echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}"
          # Convert space-separated to vitest related format (remove ui/ prefix for relative paths)
          CHANGED_FILES=$(echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ')
-          pnpm exec vitest related $CHANGED_FILES --run --project unit
+          pnpm exec vitest related $CHANGED_FILES --run
        env:
          STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-source.outputs.all_changed_files }}

@@ -157,25 +148,7 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files == ''
        run: |
          echo "Only test files changed - running ALL unit tests"
-          pnpm run test:unit
-
-      - name: Cache Playwright browsers
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: playwright-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-chromium-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-chromium-
-
-      - name: Install Playwright Chromium browser
-        if: steps.check-changes.outputs.any_changed == 'true' && steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm exec playwright install chromium
-
-      - name: Run browser tests
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run test:browser
+          pnpm run test:run

      - name: Build application
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -1,19 +1,21 @@
 rules:
  secrets-outside-env:
    ignore:
+      - api-bump-version.yml
      - api-container-build-push.yml
      - api-tests.yml
      - backport.yml
-      - bump-version.yml
+      - docs-bump-version.yml
      - issue-triage.lock.yml
      - mcp-container-build-push.yml
-      - nightly-arm64-container-builds.yml
      - pr-merged.yml
      - prepare-release.yml
+      - sdk-bump-version.yml
      - sdk-container-build-push.yml
      - sdk-refresh-aws-services-regions.yml
      - sdk-refresh-oci-regions.yml
      - sdk-tests.yml
+      - ui-bump-version.yml
      - ui-container-build-push.yml
      - ui-e2e-tests-v2.yml
  superfluous-actions:
@@ -84,7 +84,6 @@ continue.json
 .continuerc.json

 # AI Coding Assistants - OpenCode
-.opencode/
 opencode.json

 # AI Coding Assistants - GitHub Copilot
@@ -151,8 +150,6 @@ node_modules

 # Persistent data
 _data/
-/openspec/
-/.gitmodules

 # AI Instructions (generated by skills/setup.sh from AGENTS.md)
 CLAUDE.md
@@ -1,175 +1,149 @@
-# Priority tiers (lower = runs first, same priority = concurrent):
-#   P0  — fast file fixers
-#   P10 — validators and guards
-#   P20 — auto-formatters
-#   P30 — linters
-#   P40 — security scanners
-#   P50 — dependency validation
-
-default_install_hook_types: [pre-commit]
-
 repos:
-  ## GENERAL (prek built-in — no external repo needed)
-  - repo: builtin
+  ## GENERAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
    hooks:
      - id: check-merge-conflict
-        priority: 10
      - id: check-yaml
-        args: ["--allow-multiple-documents"]
-        exclude: (prowler/config/llm_config.yaml|contrib/)
-        priority: 10
+        args: ["--unsafe"]
+        exclude: prowler/config/llm_config.yaml
      - id: check-json
-        priority: 10
      - id: end-of-file-fixer
-        priority: 0
      - id: trailing-whitespace
-        priority: 0
      - id: no-commit-to-branch
-        priority: 10
      - id: pretty-format-json
        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
-        priority: 10

  ## TOML
  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.16.0
+    rev: v2.13.0
    hooks:
      - id: pretty-format-toml
        args: [--autofix]
        files: pyproject.toml
-        priority: 20

  ## GITHUB ACTIONS
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.24.1
+    rev: v1.6.0
    hooks:
      - id: zizmor
-        # zizmor only audits workflows, composite actions and dependabot
-        # config; broader paths trip exit 3 ("no audit was performed").
-        files: ^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$
-        priority: 30
+        files: ^\.github/

  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.11.0
+    rev: v0.10.0
    hooks:
      - id: shellcheck
        exclude: contrib
-        priority: 30

-  ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
+  ## PYTHON
  - repo: https://github.com/myint/autoflake
-    rev: v2.3.3
+    rev: v2.3.1
    hooks:
      - id: autoflake
-        name: "SDK - autoflake"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
-        args: ["--in-place", "--remove-all-unused-imports", "--remove-unused-variable"]
-        priority: 20
+        exclude: ^skills/
+        args:
+          [
+            "--in-place",
+            "--remove-all-unused-imports",
+            "--remove-unused-variable",
+          ]

  - repo: https://github.com/pycqa/isort
-    rev: 8.0.1
+    rev: 5.13.2
    hooks:
      - id: isort
-        name: "SDK - isort"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        exclude: ^skills/
        args: ["--profile", "black"]
-        priority: 20

  - repo: https://github.com/psf/black
-    rev: 26.3.1
+    rev: 24.4.2
    hooks:
      - id: black
-        name: "SDK - black"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
-        priority: 20
+        exclude: ^skills/

  - repo: https://github.com/pycqa/flake8
-    rev: 7.3.0
+    rev: 7.0.0
    hooks:
      - id: flake8
-        name: "SDK - flake8"
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        exclude: (contrib|^skills/)
        args: ["--ignore=E266,W503,E203,E501,W605"]
-        priority: 30

-  ## PYTHON — API + MCP Server (ruff)
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.11
+  - repo: https://github.com/python-poetry/poetry
+    rev: 2.1.1
    hooks:
-      - id: ruff
-        name: "API + MCP - ruff check"
-        files: { glob: ["{api,mcp_server}/**/*.py"] }
-        args: ["--fix"]
-        priority: 30
-      - id: ruff-format
-        name: "API + MCP - ruff format"
-        files: { glob: ["{api,mcp_server}/**/*.py"] }
-        priority: 20
-
-  ## PYTHON — uv (API + SDK)
-  - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.11.14
-    hooks:
-      - id: uv-lock
-        name: API - uv-lock
-        args: ["--check", "--project=./api"]
-        files: { glob: ["api/{pyproject.toml,uv.lock}"] }
+      - id: poetry-check
+        name: API - poetry-check
+        args: ["--directory=./api"]
        pass_filenames: false
-        priority: 50

-      - id: uv-lock
-        name: SDK - uv-lock
-        args: ["--check", "--project=./"]
-        files: { glob: ["{pyproject.toml,uv.lock}"] }
+      - id: poetry-lock
+        name: API - poetry-lock
+        args: ["--directory=./api"]
+        pass_filenames: false
+
+      - id: poetry-check
+        name: SDK - poetry-check
+        args: ["--directory=./"]
+        pass_filenames: false
+
+      - id: poetry-lock
+        name: SDK - poetry-lock
+        args: ["--directory=./"]
        pass_filenames: false
-        priority: 50

-  ## CONTAINERS
  - repo: https://github.com/hadolint/hadolint
-    rev: v2.14.0
+    rev: v2.13.0-beta
    hooks:
      - id: hadolint
        args: ["--ignore=DL3013"]
-        priority: 30

-  ## LOCAL HOOKS
  - repo: local
    hooks:
      - id: pylint
-        name: "SDK - pylint"
-        entry: pylint --disable=W,C,R,E -j 0 -rn -sn
+        name: pylint
+        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
        language: system
-        types: [python]
-        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
-        priority: 30
+        files: '.*\.py'

      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --since-commit HEAD --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
        # For running trufflehog in docker, use the following entry instead:
        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
        language: system
-        pass_filenames: false
        stages: ["pre-commit", "pre-push"]
-        priority: 40

      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bandit -q -lll
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
        language: system
-        types: [python]
        files: '.*\.py'
-        exclude: { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
-        priority: 40
+
+      - id: safety
+        name: safety
+        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
+        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
+        # TODO: 71600 CVE-2024-1135 false positive - fixed in gunicorn 22.0.0, project uses 23.0.0
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217,71600'
+        language: system

      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
-        entry: vulture --min-confidence 100
+        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
        language: system
-        types: [python]
        files: '.*\.py'
-        priority: 40
+
+      - id: ui-checks
+        name: UI - Husky Pre-commit
+        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
+        entry: bash -c 'cd ui && .husky/pre-commit'
+        language: system
+        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
+        pass_filenames: false
+        verbose: true
@@ -11,11 +11,15 @@ build:
    python: "3.11"
  jobs:
    post_create_environment:
-      - python -m pip install uv==0.11.14
+      # Install poetry
+      # https://python-poetry.org/docs/#installing-manually
+      - python -m pip install poetry
    post_install:
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
      # VIRTUAL_ENV needs to be set manually for now.
      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
-      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} uv sync --group docs --no-install-project
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs

 mkdocs:
  configuration: mkdocs.yml
@@ -1,2 +0,0 @@
-.envrc
-ui/.env.local
@@ -15,7 +15,7 @@ Use these skills for detailed patterns on-demand:
 |-------|-------------|-----|
 | `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
 | `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
-| `nextjs-16` | App Router, Server Actions, proxy.ts, streaming | [SKILL.md](skills/nextjs-16/SKILL.md) |
+| `nextjs-15` | App Router, Server Actions, streaming | [SKILL.md](skills/nextjs-15/SKILL.md) |
 | `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
 | `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
 | `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
@@ -60,14 +60,11 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding a compliance output formatter (per-provider class + table dispatcher) | `prowler-compliance` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding new providers | `prowler-provider` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
 | Adding services to existing providers | `prowler-provider` |
 | After creating/modifying a skill | `skill-sync` |
-| App Router / Server Actions | `nextjs-16` |
-| Auditing check-to-requirement mappings as a cloud auditor | `prowler-compliance` |
+| App Router / Server Actions | `nextjs-15` |
 | Building AI chat features | `ai-sdk-5` |
 | Committing changes | `prowler-commit` |
 | Configuring MCP servers in agentic workflows | `gh-aw` |
@@ -81,7 +78,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Creating a git commit | `prowler-commit` |
 | Creating new checks | `prowler-sdk-check` |
 | Creating new skills | `skill-creator` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying Prowler UI components | `prowler-ui` |
 | Creating/modifying models, views, serializers | `prowler-api` |
 | Creating/updating compliance frameworks | `prowler-compliance` |
@@ -89,7 +85,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Debugging gh-aw compilation errors | `gh-aw` |
 | Fill .github/pull_request_template.md (Context/Description/Steps to review/Checklist) | `prowler-pr` |
 | Fixing bug | `tdd` |
-| Fixing compliance JSON bugs (duplicate IDs, empty Section, stale refs) | `prowler-compliance` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -107,8 +102,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
 | Reviewing compliance framework PRs | `prowler-compliance-review` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
-| Syncing compliance framework with upstream catalog | `prowler-compliance` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Testing hooks or utilities | `vitest` |
 | Troubleshoot why a skill is missing from AGENTS.md auto-invoke | `skill-sync` |
@@ -136,7 +129,6 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Writing React components | `react-19` |
 | Writing TypeScript types/interfaces | `typescript` |
 | Writing Vitest tests | `vitest` |
-| Writing data backfill or data migration | `django-migration-psql` |
 | Writing documentation | `prowler-docs` |
 | Writing unit tests for UI | `vitest` |

@@ -148,9 +140,9 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,

 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.10+, uv |
+| SDK | `prowler/` | Python 3.10+, Poetry |
 | API | `api/` | Django 5.1, DRF, Celery |
-| UI | `ui/` | Next.js 16, React 19, Tailwind 4 |
+| UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
 | Dashboard | `dashboard/` | Dash, Plotly |

@@ -160,13 +152,13 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,

 ```bash
 # Setup
-uv sync
-uv run prek install
+poetry install --with dev
+poetry run pre-commit install

 # Code quality
-uv run make lint
-uv run make format
-uv run prek run --all-files
+poetry run make lint
+poetry run make format
+poetry run pre-commit run --all-files
 ```

 ---
@@ -1,34 +1,11 @@
 # Do you want to learn on how to...

- [Contribute with your code or fixes to Prowler](https://docs.prowler.com/developer-guide/introduction)
- [Create a new provider](https://docs.prowler.com/developer-guide/provider)
- [Create a new service](https://docs.prowler.com/developer-guide/services)
- [Create a new check for a provider](https://docs.prowler.com/developer-guide/checks)
- [Create a new security compliance framework](https://docs.prowler.com/developer-guide/security-compliance-framework)
- [Add a custom output format](https://docs.prowler.com/developer-guide/outputs)
- [Add a new integration](https://docs.prowler.com/developer-guide/integrations)
- [Contribute with documentation](https://docs.prowler.com/developer-guide/documentation)
- [Write unit tests](https://docs.prowler.com/developer-guide/unit-testing)
- [Write integration tests](https://docs.prowler.com/developer-guide/integration-testing)
- [Write end-to-end tests](https://docs.prowler.com/developer-guide/end2end-testing)
- [Debug Prowler](https://docs.prowler.com/developer-guide/debugging)
- [Configure checks](https://docs.prowler.com/developer-guide/configurable-checks)
- [Rename checks](https://docs.prowler.com/developer-guide/renaming-checks)
- [Follow the check metadata guidelines](https://docs.prowler.com/developer-guide/check-metadata-guidelines)
- [Extend the MCP server](https://docs.prowler.com/developer-guide/mcp-server)
- [Extend Lighthouse AI](https://docs.prowler.com/developer-guide/lighthouse-architecture)
- [Add AI skills](https://docs.prowler.com/developer-guide/ai-skills)
-
-Provider-specific developer notes:
-
- [AWS](https://docs.prowler.com/developer-guide/aws-details)
- [Azure](https://docs.prowler.com/developer-guide/azure-details)
- [Google Cloud](https://docs.prowler.com/developer-guide/gcp-details)
- [Alibaba Cloud](https://docs.prowler.com/developer-guide/alibabacloud-details)
- [Kubernetes](https://docs.prowler.com/developer-guide/kubernetes-details)
- [Microsoft 365](https://docs.prowler.com/developer-guide/m365-details)
- [GitHub](https://docs.prowler.com/developer-guide/github-details)
- [LLM](https://docs.prowler.com/developer-guide/llm-details)
+- Contribute with your code or fixes to Prowler
+- Create a new check for a provider
+- Create a new security compliance framework
+- Add a custom output format
+- Add a new integration
+- Contribute with documentation

 Want some swag as appreciation for your contribution?

@@ -6,12 +6,9 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.70.0
+ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}

-ARG ZIZMOR_VERSION=1.24.1
-ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
@@ -51,22 +48,6 @@ RUN ARCH=$(uname -m) && \
    mkdir -p /tmp/.cache/trivy && \
    chmod 777 /tmp/.cache/trivy

-# Install zizmor for GitHub Actions workflow scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
-    else \
-        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
-    mkdir -p /tmp/zizmor-extract && \
-    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
-    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
-    chmod +x /usr/local/bin/zizmor && \
-    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -78,7 +59,7 @@ WORKDIR /home/prowler
 # Copy necessary files
 COPY prowler/  /home/prowler/prowler/
 COPY dashboard/ /home/prowler/dashboard/
-COPY pyproject.toml uv.lock /home/prowler/
+COPY pyproject.toml /home/prowler
 COPY README.md /home/prowler/
 COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py

@@ -87,17 +68,17 @@ ENV HOME='/home/prowler'
 ENV PATH="${HOME}/.local/bin:${PATH}"
 #hadolint ignore=DL3013
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir uv==0.11.14
+    pip install --no-cache-dir poetry

-RUN uv sync --compile-bytecode && \
-    rm -rf ~/.cache/uv
+RUN poetry install --compile && \
+    rm -rf ~/.cache/pip

 # Install PowerShell modules
-RUN .venv/bin/python prowler/providers/m365/lib/powershell/m365_powershell.py
+RUN poetry run python prowler/providers/m365/lib/powershell/m365_powershell.py

 # Remove deprecated dash dependencies
 RUN pip uninstall dash-html-components -y && \
    pip uninstall dash-core-components -y

 USER prowler
-ENTRYPOINT [".venv/bin/prowler"]
+ENTRYPOINT ["poetry", "run", "prowler"]
@@ -23,7 +23,7 @@ format: ## Format Code

 lint: ## Lint Code
 	@echo "Running flake8..."
-	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude .venv,contrib
+	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
 	@echo "Running black... "
 	black --check .
 	@echo "Running pylint..."
@@ -35,7 +35,7 @@ pypi-clean: ## Delete the distribution files

 pypi-build: ## Build package
 	$(MAKE) pypi-clean && \
-	uv build
+	poetry build

 pypi-upload: ## Upload package
 	python3 -m twine upload --repository pypi dist/*
@@ -56,3 +56,4 @@ run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP,

 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev
+
@@ -104,24 +104,22 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 600 | 84 | 44 | 18 | Official | UI, API, CLI |
-| Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
-| GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
-| Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
-| GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
-| M365 | 102 | 10 | 4 | 10 | Official | UI, API, CLI |
-| OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 9 | 4 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
+| AWS | 572 | 83 | 41 | 17 | Official | UI, API, CLI |
+| Azure | 165 | 20 | 18 | 13 | Official | UI, API, CLI |
+| GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
+| GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
+| M365 | 89 | 9 | 4 | 5 | Official | UI, API, CLI |
+| OCI | 48 | 13 | 3 | 10 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
+| Cloudflare | 29 | 2 | 0 | 5 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 39 | 5 | 2 | 5 | Official | UI, API, CLI |
-| OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
-| Okta | 1 | 1 | 0 | 1 | Official | CLI |
-| Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
+| Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
+| OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
+| Vercel | 30 | 6 | 0 | 5 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -178,7 +176,7 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md
 **Requirements**

 * `git` installed.
-* `uv` installed: [uv installation](https://docs.astral.sh/uv/getting-started/installation/).
+* `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
 * `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
 * `Docker Compose` installed: https://docs.docker.com/compose/install/.

@@ -187,8 +185,8 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 docker compose up postgres valkey -d
@@ -196,6 +194,11 @@ cd src/backend
 python manage.py migrate --database admin
 gunicorn -c config/guniconf.py config.wsgi:application
 ```
+> [!IMPORTANT]
+> As of Poetry v2.0.0, the `poetry shell` command has been deprecated. Use `poetry env activate` instead for environment activation.
+>
+> If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
+> For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

 > After completing the setup, access the API documentation at http://localhost:8080/api/v1/docs.

@@ -204,8 +207,8 @@ gunicorn -c config/guniconf.py config.wsgi:application
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 cd src/backend
@@ -217,8 +220,8 @@ python -m celery -A config.celery worker -l info -E
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/api
-uv sync
-source .venv/bin/activate
+poetry install
+eval $(poetry env activate)
 set -a
 source .env
 cd src/backend
@@ -243,7 +246,14 @@ Some pre-commit hooks require tools installed on your system:

 1. **Install [TruffleHog](https://github.com/trufflesecurity/trufflehog#install)** (secret scanning) — see the [official installation options](https://github.com/trufflesecurity/trufflehog#install).

-2. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
+2. **Install [Safety](https://github.com/pyupio/safety)** (dependency vulnerability checking):
+
+    ```console
+    # Requires a Python environment (e.g. via pyenv)
+    pip install safety
+    ```
+
+3. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).

 ## Prowler CLI
 ### Pip package
@@ -279,47 +289,23 @@ The container images are available here:

 ### From GitHub

-Python >=3.10, <3.13 is required with [uv](https://docs.astral.sh/uv/):
+Python >=3.10, <3.13 is required with pip and Poetry:

 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler
-uv sync
-source .venv/bin/activate
+eval $(poetry env activate)
+poetry install
 python prowler-cli.py -v
 ```
 > [!IMPORTANT]
 > To clone Prowler on Windows, configure Git to support long file paths by running the following command: `git config core.longpaths true`.

-# 🛡️ GitHub Action
-
-The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
-
-```yaml
-name: Prowler IaC Scan
-on:
-  pull_request:
-
-permissions:
-  contents: read
-  security-events: write
-  actions: read
-
-jobs:
-  prowler:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: prowler-cloud/prowler@5.25
-        with:
-          provider: iac
-          output-formats: sarif json-ocsf
-          upload-sarif: true
-          flags: --severity critical high
-```
-
-Full configuration, per-provider authentication, and SARIF examples: [Prowler GitHub Action tutorial](docs/user-guide/tutorials/prowler-app-github-action.mdx). Marketplace listing: [Prowler Security Scan](https://github.com/marketplace/actions/prowler-security-scan).
+> [!IMPORTANT]
+> As of Poetry v2.0.0, the `poetry shell` command has been deprecated. Use `poetry env activate` instead for environment activation.
+>
+> If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
+> For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.

 # ✏️ High level architecture

@@ -1,307 +0,0 @@
-name: Prowler Security Scan
-description: Run Prowler cloud security scanner using the official Docker image
-branding:
-  icon: cloud
-  color: green
-
-inputs:
-  provider:
-    description: Cloud provider to scan (e.g. aws, azure, gcp, github, kubernetes, iac). See https://docs.prowler.com for supported providers.
-    required: true
-  image-tag:
-    description: >
-      Docker image tag for prowlercloud/prowler.
-      Default is "stable" (latest release). Available tags:
-      "stable" (latest release), "latest" (master branch, not stable),
-      "<x.y.z>" (pinned release version).
-      See all tags at https://hub.docker.com/r/prowlercloud/prowler/tags
-    required: false
-    default: stable
-  output-formats:
-    description: Output format(s) for scan results (e.g. "json-ocsf", "sarif json-ocsf")
-    required: false
-    default: json-ocsf
-  push-to-cloud:
-    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
-    required: false
-    default: "false"
-  flags:
-    description: 'Additional CLI flags passed to the Prowler scan (e.g. "--severity critical high --compliance cis_aws"). Values containing spaces can be quoted, e.g. "--resource-tag ''Environment=My Server''".'
-    required: false
-    default: ""
-  extra-env:
-    description: >
-      Space-, newline-, or comma-separated list of host environment variable NAMES to forward to the Prowler container
-      (e.g. "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN" for AWS,
-      "GITHUB_PERSONAL_ACCESS_TOKEN" for GitHub, "CLOUDFLARE_API_TOKEN" for Cloudflare).
-      List names only; set the values via `env:` at the workflow or job level (typically from `secrets.*`).
-      See the README for per-provider examples.
-    required: false
-    default: ""
-  upload-sarif:
-    description: 'Upload SARIF results to GitHub Code Scanning (requires "sarif" in output-formats and both `security-events: write` and `actions: read` permissions)'
-    required: false
-    default: "false"
-  sarif-file:
-    description: Path to the SARIF file to upload (auto-detected from output/ if not set)
-    required: false
-    default: ""
-  sarif-category:
-    description: Category for the SARIF upload (used to distinguish multiple analyses)
-    required: false
-    default: prowler
-  fail-on-findings:
-    description: Fail the workflow step when Prowler detects findings (exit code 3). By default the action tolerates findings and succeeds.
-    required: false
-    default: "false"
-
-runs:
-  using: composite
-  steps:
-    - name: Validate inputs
-      shell: bash
-      env:
-        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
-        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
-      run: |
-        # Validate image tag format (alphanumeric, dots, hyphens, underscores only)
-        if [[ ! "$INPUT_IMAGE_TAG" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid image-tag '${INPUT_IMAGE_TAG}'. Must contain only alphanumeric characters, dots, hyphens, and underscores."
-          exit 1
-        fi
-
-        # Warn if upload-sarif is enabled but sarif not in output-formats
-        if [ "$INPUT_UPLOAD_SARIF" = "true" ]; then
-          if [[ ! "$INPUT_OUTPUT_FORMATS" =~ (^|[[:space:]])sarif($|[[:space:]]) ]]; then
-            echo "::warning::upload-sarif is enabled but 'sarif' is not included in output-formats ('${INPUT_OUTPUT_FORMATS}'). SARIF upload will fail unless you add 'sarif' to output-formats."
-          fi
-        fi
-
-    - name: Run Prowler scan
-      shell: bash
-      env:
-        INPUT_PROVIDER: ${{ inputs.provider }}
-        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
-        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
-        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
-        INPUT_FLAGS: ${{ inputs.flags }}
-        INPUT_EXTRA_ENV: ${{ inputs.extra-env }}
-        INPUT_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
-      run: |
-        set -e
-
-        # Parse space-separated inputs with shlex so values with spaces can be quoted
-        # (e.g. `--resource-tag 'Environment=My Server'`).
-        mapfile -t OUTPUT_FORMATS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_OUTPUT_FORMATS", ""))]')
-        mapfile -t EXTRA_FLAGS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_FLAGS", ""))]')
-        mapfile -t EXTRA_ENV_NAMES < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_EXTRA_ENV", "").replace(",", " "))]')
-
-        env_args=()
-        for var in "${EXTRA_ENV_NAMES[@]}"; do
-          [ -z "$var" ] && continue
-          if [[ ! "$var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
-            echo "::error::Invalid env var name '${var}' in extra-env. Names must match ^[A-Za-z_][A-Za-z0-9_]*$."
-            exit 1
-          fi
-          env_args+=("-e" "$var")
-        done
-
-        push_args=()
-        if [ "$INPUT_PUSH_TO_CLOUD" = "true" ]; then
-          push_args=("--push-to-cloud")
-          env_args+=("-e" "PROWLER_CLOUD_API_KEY")
-        fi
-
-        mkdir -p "$GITHUB_WORKSPACE/output"
-        chmod 777 "$GITHUB_WORKSPACE/output"
-
-        set +e
-        docker run --rm \
-          "${env_args[@]}" \
-          -v "$GITHUB_WORKSPACE:/home/prowler/workspace" \
-          -v "$GITHUB_WORKSPACE/output:/home/prowler/workspace/output" \
-          -w /home/prowler/workspace \
-          "prowlercloud/prowler:${INPUT_IMAGE_TAG}" \
-          "$INPUT_PROVIDER" \
-          --output-formats "${OUTPUT_FORMATS[@]}" \
-          "${push_args[@]}" \
-          "${EXTRA_FLAGS[@]}"
-        exit_code=$?
-        set -e
-
-        # Exit code 3 = findings detected
-        if [ "$exit_code" -eq 3 ] && [ "$INPUT_FAIL_ON_FINDINGS" != "true" ]; then
-          echo "::notice::Prowler detected findings (exit code 3). Set fail-on-findings to 'true' to fail the workflow on findings."
-          exit 0
-        fi
-        exit $exit_code
-
-    - name: Upload scan results
-      if: always()
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: prowler-${{ inputs.provider }}
-        path: output/
-        retention-days: 30
-        if-no-files-found: warn
-
-    - name: Find SARIF file
-      if: always() && inputs.upload-sarif == 'true'
-      id: find-sarif
-      shell: bash
-      env:
-        INPUT_SARIF_FILE: ${{ inputs.sarif-file }}
-      run: |
-        if [ -n "$INPUT_SARIF_FILE" ]; then
-          echo "sarif_path=$INPUT_SARIF_FILE" >> "$GITHUB_OUTPUT"
-        else
-          sarif_file=$(find output/ -name '*.sarif' -type f | head -1)
-          if [ -z "$sarif_file" ]; then
-            echo "::warning::No .sarif file found in output/. Ensure 'sarif' is included in output-formats."
-            echo "sarif_path=" >> "$GITHUB_OUTPUT"
-          else
-            echo "sarif_path=$sarif_file" >> "$GITHUB_OUTPUT"
-          fi
-        fi
-
-    - name: Upload SARIF to GitHub Code Scanning
-      if: always() && inputs.upload-sarif == 'true' && steps.find-sarif.outputs.sarif_path != ''
-      uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
-      with:
-        sarif_file: ${{ steps.find-sarif.outputs.sarif_path }}
-        category: ${{ inputs.sarif-category }}
-
-    - name: Write scan summary
-      if: always()
-      shell: bash
-      env:
-        INPUT_PROVIDER: ${{ inputs.provider }}
-        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
-        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        REPO_URL: ${{ github.server_url }}/${{ github.repository }}
-        BRANCH: ${{ github.head_ref || github.ref_name }}
-        GH_TOKEN: ${{ github.token }}
-      run: |
-        set +e
-
-        # Build a link to the scan step in the workflow logs. Requires `actions: read`
-        # on the caller's GITHUB_TOKEN; silently skips the link if unavailable.
-        scan_step_url=""
-        if [ -n "${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then
-          job_info=$(gh api \
-            "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT:-1}/jobs" \
-            --jq ".jobs[] | select(.runner_name == \"${RUNNER_NAME:-}\")" 2>/dev/null)
-          if [ -n "$job_info" ]; then
-            job_id=$(jq -r '.id // empty' <<<"$job_info")
-            step_number=$(jq -r '[.steps[]? | select((.name // "") | test("Run Prowler scan"; "i")) | .number] | first // empty' <<<"$job_info")
-            if [ -z "$step_number" ]; then
-              step_number=$(jq -r '[.steps[]? | select(.status == "in_progress") | .number] | first // empty' <<<"$job_info")
-            fi
-            if [ -n "$job_id" ] && [ -n "$step_number" ]; then
-              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}#step:${step_number}:1"
-            elif [ -n "$job_id" ]; then
-              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}"
-            fi
-          fi
-        fi
-
-        # Map provider code to a properly-cased display name.
-        case "$INPUT_PROVIDER" in
-          alibabacloud)    provider_name="Alibaba Cloud" ;;
-          aws)             provider_name="AWS" ;;
-          azure)           provider_name="Azure" ;;
-          cloudflare)      provider_name="Cloudflare" ;;
-          gcp)             provider_name="GCP" ;;
-          github)          provider_name="GitHub" ;;
-          googleworkspace) provider_name="Google Workspace" ;;
-          iac)             provider_name="IaC" ;;
-          image)           provider_name="Container Image" ;;
-          kubernetes)      provider_name="Kubernetes" ;;
-          llm)             provider_name="LLM" ;;
-          m365)            provider_name="Microsoft 365" ;;
-          mongodbatlas)    provider_name="MongoDB Atlas" ;;
-          nhn)             provider_name="NHN" ;;
-          openstack)       provider_name="OpenStack" ;;
-          oraclecloud)     provider_name="Oracle Cloud" ;;
-          vercel)          provider_name="Vercel" ;;
-          *)               provider_name="${INPUT_PROVIDER^}" ;;
-        esac
-
-        ocsf_file=$(find output/ -name '*.ocsf.json' -type f 2>/dev/null | head -1)
-
-        {
-          echo "## Prowler ${provider_name} Scan Summary"
-          echo ""
-
-          counts=""
-          if [ -n "$ocsf_file" ] && [ -s "$ocsf_file" ]; then
-            counts=$(jq -r '[
-                length,
-                ([.[] | select(.status_code == "FAIL")] | length),
-                ([.[] | select(.status_code == "PASS")] | length),
-                ([.[] | select(.status_code == "MUTED")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Critical")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "High")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Medium")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Low")] | length),
-                ([.[] | select(.status_code == "FAIL" and .severity == "Informational")] | length)
-              ] | @tsv' "$ocsf_file" 2>/dev/null)
-          fi
-
-          if [ -n "$counts" ]; then
-            read -r total fail pass muted critical high medium low info <<<"$counts"
-
-            line="**${fail:-0} failing** · ${pass:-0} passing"
-            [ "${muted:-0}" -gt 0 ] && line="${line} · ${muted} muted"
-            echo "${line} — ${total:-0} checks total"
-            echo ""
-            echo "| Severity | Failing |"
-            echo "|----------|---------|"
-            echo "| ‼️ Critical | ${critical:-0} |"
-            echo "| 🔴 High | ${high:-0} |"
-            echo "| 🟠 Medium | ${medium:-0} |"
-            echo "| 🔵 Low | ${low:-0} |"
-            echo "| ⚪ Informational | ${info:-0} |"
-            echo ""
-          else
-            echo "_No findings report was produced. Check the scan logs above._"
-            echo ""
-          fi
-
-          if [ -n "$scan_step_url" ]; then
-            echo "**Scan logs:** [view in workflow run](${scan_step_url})"
-            echo ""
-          fi
-
-          echo "**Get the full report:** [\`prowler-${INPUT_PROVIDER}\` artifact](${RUN_URL}#artifacts)"
-
-          if [ "$INPUT_UPLOAD_SARIF" = "true" ] && [ -n "$BRANCH" ]; then
-            encoded_branch=$(jq -nr --arg b "$BRANCH" '$b|@uri')
-            echo ""
-            echo "**See results in GitHub Code Security:** [open alerts on \`${BRANCH}\`](${REPO_URL}/security/code-scanning?query=is%3Aopen+branch%3A${encoded_branch})"
-          fi
-
-          if [ "$INPUT_PUSH_TO_CLOUD" != "true" ]; then
-            echo ""
-            echo "---"
-            echo ""
-            echo "### Scale ${provider_name} security with Prowler Cloud ☁️"
-            echo ""
-            echo "Send this scan's findings to **[Prowler Cloud](https://cloud.prowler.com)** and get:"
-            echo ""
-            echo "- **Unified findings** across every cloud, SaaS provider (M365, Google Workspace, GitHub, MongoDB Atlas), IaC repo, Kubernetes cluster, and container image"
-            echo "- **Posture over time** with alerts, and notifications"
-            echo "- **Prowler Lighthouse AI**: agentic assistant that triages findings, explains root cause and helps with remediation"
-            echo "- **50+ Compliance frameworks** mapped automatically"
-            echo "- **Enterprise-ready platform**: SOC 2 Type 2, SSO/SAML, AWS Security Hub, S3 and Jira integrations"
-            echo ""
-            echo "**Get started in 3 steps:**"
-            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
-            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
-            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
-            echo ""
-            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
-          fi
-        } >> "$GITHUB_STEP_SUMMARY"
@@ -124,24 +124,24 @@ api/src/backend/

 ```bash
 # Development
-uv run python src/backend/manage.py runserver
-uv run celery -A config.celery worker -l INFO
+poetry run python src/backend/manage.py runserver
+poetry run celery -A config.celery worker -l INFO

 # Database
-uv run python src/backend/manage.py makemigrations
-uv run python src/backend/manage.py migrate
+poetry run python src/backend/manage.py makemigrations
+poetry run python src/backend/manage.py migrate

 # Testing & Linting
-uv run pytest -x --tb=short
-uv run make lint
+poetry run pytest -x --tb=short
+poetry run make lint
 ```

 ---

 ## QA CHECKLIST

- [ ] `uv run pytest` passes
- [ ] `uv run make lint` passes
+- [ ] `poetry run pytest` passes
+- [ ] `poetry run make lint` passes
 - [ ] Migrations created if models changed
 - [ ] New endpoints have `@extend_schema` decorators
 - [ ] RLS properly applied for tenant data
@@ -2,155 +2,6 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.28.0] (Prowler v5.27.0)
-
-### 🚀 Added
-
- GIN index on `findings(categories, resource_services, resource_regions, resource_types)` to speed up `/api/v1/finding-groups` array filters [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- `GET /health/live` and `GET /health/ready` Kubernetes-style probe endpoints following the IETF Health Check Response Format (`application/health+json`). Readiness verifies PostgreSQL, Valkey and Neo4j connectivity and returns 503 with per-dependency detail when any is unreachable [(#11200)](https://github.com/prowler-cloud/prowler/pull/11200)
-
-### 🔄 Changed
-
- Replace `poetry` with `uv` as package manager [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
- Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- PDF compliance reports cap detail tables at 100 failed findings per check (configurable via `DJANGO_PDF_MAX_FINDINGS_PER_CHECK`) to bound worker memory on large scans [(#11160)](https://github.com/prowler-cloud/prowler/pull/11160)
-
-### 🐞 Fixed
-
- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
- Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)
-
-
---
-
-## [1.27.1] (Prowler v5.26.1)
-
-### 🐞 Fixed
-
- `POST /api/v1/scans` was intermittently failing with `Scan matching query does not exist` in the `scan-perform` worker; the Celery task is now published via `transaction.on_commit` so the worker cannot read the Scan before the dispatch-wide transaction commits [(#11122)](https://github.com/prowler-cloud/prowler/pull/11122)
-
---
-
-## [1.27.0] (Prowler v5.26.0)
-
-### 🚀 Added
-
- `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
-
-### 🔄 Changed
-
- ASD Essential Eight (AWS) compliance framework support [(#10982)](https://github.com/prowler-cloud/prowler/pull/10982)
-
-### 🔐 Security
-
- `trivy` binary from 0.69.2 to 0.70.0 and `cryptography` from 46.0.6 to 46.0.7 (transitive via prowler SDK) in the API image for CVE-2026-33186 and CVE-2026-39892 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978)
-
---
-
-## [1.26.1] (Prowler v5.25.1)
-
-### 🐞 Fixed
-
- Attack Paths: AWS scans no longer fail when enabled regions cannot be retrieved, and scans stuck in `scheduled` state are now cleaned up after the stale threshold [(#10917)](https://github.com/prowler-cloud/prowler/pull/10917)
- Scan report and compliance downloads now redirect to a presigned S3 URL instead of streaming through the API worker, preventing gunicorn timeouts on large files [(#10927)](https://github.com/prowler-cloud/prowler/pull/10927)
-
---
-
-## [1.26.0] (Prowler v5.25.0)
-
-### 🚀 Added
-
- CIS Benchmark PDF report generation for scans, exposing the latest CIS version per provider via `GET /scans/{id}/cis/{name}/` [(#10650)](https://github.com/prowler-cloud/prowler/pull/10650)
- `/overviews/resource-groups` (resource inventory), `/overviews/categories` and `/overviews/attack-surfaces` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task now also dispatches `aggregate_scan_resource_group_summaries_task`, `aggregate_scan_category_summaries_task` and `aggregate_attack_surface_task` per latest scan of every `(provider, day)` pair, rebuilding `ScanGroupSummary`, `ScanCategorySummary` and `AttackSurfaceOverview` alongside the tables already covered in #10827 [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
- Install zizmor v1.24.1 in API Docker image for GitHub Actions workflow scanning [(#10607)](https://github.com/prowler-cloud/prowler/pull/10607)
-
-### 🔄 Changed
-
- Allows tenant owners to expel users from their organizations [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
- `aggregate_findings`, `aggregate_attack_surface`, `aggregate_scan_resource_group_summaries` and `aggregate_scan_category_summaries` now upsert via `bulk_create(update_conflicts=True, ...)` instead of the prior `ignore_conflicts=True` / plain INSERT / `already backfilled` short-circuit. Re-runs triggered by the post-mute reaggregation pipeline no longer trip the `unique_*_per_scan` constraints nor silently drop updates, and are race-safe under concurrent writers (e.g. scan completion overlapping with a fresh mute rule) [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
- Rename the scan-category and scan-resource-group summary aggregators from `backfill_*` to `aggregate_*` [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
-
-### 🐞 Fixed
-
- `generate_outputs_task` crashing with `KeyError` for compliance frameworks listed by `get_compliance_frameworks` but not loadable by `Compliance.get_bulk` [(#10903)](https://github.com/prowler-cloud/prowler/pull/10903)
-
---
-
-## [1.25.4] (Prowler v5.24.4)
-
-### 🚀 Added
-
- `DJANGO_SENTRY_TRACES_SAMPLE_RATE` env var (default `0.02`) enables Sentry performance tracing for the API [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
-
-### 🔄 Changed
-
- Attack Paths: Neo4j driver `connection_acquisition_timeout` is now configurable via `NEO4J_CONN_ACQUISITION_TIMEOUT` (default lowered from 120 s to 15 s) [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
-
-### 🐞 Fixed
-
- `/tmp/prowler_api_output` saturation in compliance report workers: the final `rmtree` in `generate_compliance_reports` now only waits on frameworks actually generated for the provider (so unsupported frameworks no longer leave a placeholder `results` entry that blocks cleanup), output directories are created lazily per enabled framework, and both `generate_compliance_reports` and `generate_outputs_task` run an opportunistic stale cleanup at task start with a 48h age threshold, a per-host `fcntl` throttle, a 50-deletions-per-run cap, and guards that protect EXECUTING scans and scans whose `output_location` still points to a local path (metadata lookups routed through the admin DB so RLS does not hide those rows) [(#10874)](https://github.com/prowler-cloud/prowler/pull/10874)
-
---
-
-## [1.25.3] (Prowler v5.24.3)
-
-### 🚀 Added
-
- `/overviews/findings`, `/overviews/findings-severity` and `/overviews/services` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task was extended to re-run the same per-scan pipeline that scan completion runs (`ScanSummary`, `DailySeveritySummary`, `FindingGroupDailySummary`) on the latest scan of every `(provider, day)` pair, keeping the pre-aggregated tables in sync with `Finding.muted` updates [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
-
-### 🐞 Fixed
-
- Finding groups aggregated `status` now treats muted findings as resolved: a group is `FAIL` only while at least one non-muted FAIL remains, otherwise it is `PASS` (including fully-muted groups). The `filter[status]` filter and the `sort=status` ordering share the same semantics, keeping `status` consistent with `fail_count` and the orthogonal `muted` flag [(#10825)](https://github.com/prowler-cloud/prowler/pull/10825)
- `aggregate_findings` is now idempotent: it deletes the scan's existing `ScanSummary` rows before `bulk_create`, so re-runs (such as the post-mute reaggregation pipeline) no longer violate the `unique_scan_summary` constraint and no longer abort the downstream `DailySeveritySummary` / `FindingGroupDailySummary` recomputation for the affected scan [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
- Attack Paths: Findings on AWS were silently dropped during the Neo4j merge for resources whose Cartography node is keyed by a short identifier (e.g. EC2 instances) rather than the full ARN [(#10839)](https://github.com/prowler-cloud/prowler/pull/10839)
-
---
-
-## [1.25.2] (Prowler v5.24.2)
-
-### 🔄 Changed
-
- Finding groups `/resources` endpoints now materialize the filtered finding IDs into a Python list before filtering `ResourceFindingMapping`, so PostgreSQL switches from a Merge Semi Join that read hundreds of thousands of RFM index entries to a Nested Loop Index Scan over `finding_id`. The `has_mappings.exists()` pre-check is removed, and a request-scoped cache deduplicates the finding-id round-trip across the helpers that build different RFM querysets [(#10816)](https://github.com/prowler-cloud/prowler/pull/10816)
-
-### 🐞 Fixed
-
- `/finding-groups/latest/<check_id>/resources` now selects the latest completed scan per provider by `-completed_at` (then `-inserted_at`) instead of `-inserted_at`, matching the `/finding-groups/latest` summary path and the daily-summary upsert so overlapping scans no longer produce diverging `delta`/`new_count` between the two endpoints [(#10802)](https://github.com/prowler-cloud/prowler/pull/10802)
-
-
-## [1.25.1] (Prowler v5.24.1)
-
-### 🔄 Changed
-
- Attack Paths: Restore `SYNC_BATCH_SIZE` and `FINDINGS_BATCH_SIZE` defaults to 1000, upgrade Cartography to 0.135.0, enable Celery queue priority for cleanup task, rewrite Finding insertion, remove AWS graph cleanup and add timing logs [(#10729)](https://github.com/prowler-cloud/prowler/pull/10729)
-
-### 🐞 Fixed
-
- Finding group resources endpoints now include findings without associated resources (orphaned IaC findings) as simulated resource rows, and return one row per finding when multiple findings share a resource [(#10708)](https://github.com/prowler-cloud/prowler/pull/10708)
- Attack Paths: Missing `tenant_id` filter while getting related findings after scan completes [(#10722)](https://github.com/prowler-cloud/prowler/pull/10722)
- Finding group counters `pass_count`, `fail_count` and `manual_count` now exclude muted findings [(#10753)](https://github.com/prowler-cloud/prowler/pull/10753)
- Silent data loss in `ResourceFindingMapping` bulk insert that left findings orphaned when `INSERT ... ON CONFLICT DO NOTHING` dropped rows without raising; added explicit `unique_fields` [(#10724)](https://github.com/prowler-cloud/prowler/pull/10724)
- `DELETE /tenants/{tenant_pk}/memberships/{id}` now deletes the expelled user's account when the removed membership was their last one, and blacklists every outstanding refresh token for that user so their existing sessions can no longer mint new access tokens [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
-
---
-
-## [1.25.0] (Prowler v5.24.0)
-
-### 🔄 Changed
-
- Bump Poetry to `2.3.4` in Dockerfile and pre-commit hooks. Regenerate `api/poetry.lock` [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681)
- Attack Paths: Remove dead `cleanup_findings` no-op and its supporting `prowler_finding_lastupdated` index [(#10684)](https://github.com/prowler-cloud/prowler/pull/10684)
-
-### 🐞 Fixed
-
- Worker-beat race condition on cold start: replaced `sleep 15` with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to `8080` [(#10603)](https://github.com/prowler-cloud/prowler/pull/10603)
- API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation [(#10646)](https://github.com/prowler-cloud/prowler/pull/10646)
-
-### 🔐 Security
-
- `pytest` from 8.2.2 to 9.0.3 to fix CVE-2025-71176 [(#10678)](https://github.com/prowler-cloud/prowler/pull/10678)
-
---
-
 ## [1.24.0] (Prowler v5.23.0)

 ### 🚀 Added
@@ -161,7 +12,6 @@ All notable changes to the **Prowler API** are documented in this file.
 - Finding groups list and latest endpoints support `sort=delta`, ordering by `new_count` then `changed_count` so groups with the most new findings rank highest [(#10606)](https://github.com/prowler-cloud/prowler/pull/10606)
 - Finding group resources endpoints (`/finding-groups/{check_id}/resources` and `/finding-groups/latest/{check_id}/resources`) now expose `finding_id` per row, pointing to the most recent matching Finding for each resource. UUIDv7 ordering guarantees `Max(finding__id)` resolves to the latest snapshot [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
 - Handle CIS and CISA SCuBA compliance framework from google workspace [(#10629)](https://github.com/prowler-cloud/prowler/pull/10629)
- Sort support for all finding group counter fields: `pass_muted_count`, `fail_muted_count`, `manual_muted_count`, and all `new_*`/`changed_*` status-mute breakdown counters [(#10655)](https://github.com/prowler-cloud/prowler/pull/10655)

 ### 🔄 Changed

@@ -5,16 +5,12 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.70.0
+ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}

-ARG ZIZMOR_VERSION=1.24.1
-ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget \
-    git \
    libicu72 \
    gcc \
    g++ \
@@ -26,7 +22,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    libtool \
    libxslt1-dev \
    python3-dev \
-    git \
    && rm -rf /var/lib/apt/lists/*

 # Install PowerShell
@@ -62,22 +57,6 @@ RUN ARCH=$(uname -m) && \
    mkdir -p /tmp/.cache/trivy && \
    chmod 777 /tmp/.cache/trivy

-# Install zizmor for GitHub Actions workflow scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
-    else \
-        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
-    mkdir -p /tmp/zizmor-extract && \
-    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
-    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
-    chmod +x /usr/local/bin/zizmor && \
-    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -89,18 +68,18 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output

-COPY pyproject.toml uv.lock ./
+COPY pyproject.toml ./

 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir uv==0.11.14
+    pip install --no-cache-dir poetry

 ENV PATH="/home/prowler/.local/bin:$PATH"

-# Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --no-install-project && \
-    rm -rf ~/.cache/uv
+# Add `--no-root` to avoid installing the current project as a package
+RUN poetry install --no-root && \
+    rm -rf ~/.cache/pip

-RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py
+RUN poetry run python "$(poetry env info --path)/src/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py"

 COPY src/backend/ ./backend/
 COPY docker-entrypoint.sh ./docker-entrypoint.sh
@@ -25,11 +25,12 @@ If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, t
 **Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

 ## Local deployment
-Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the virtual environment, not before. Otherwise, variables will not be loaded properly.
+Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.

 To do this, you can run:

 ```console
+poetry shell
 set -a
 source .env
 ```
@@ -77,7 +78,7 @@ docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')

 ## Local deployment

-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.

 ### Clone the repository

@@ -89,10 +90,11 @@ git clone https://github.com/prowler-cloud/api.git
 git clone git@github.com:prowler-cloud/api.git

 ```
-### Install all dependencies with uv
+### Install all dependencies with Poetry

 ```console
-uv sync
+poetry install
+poetry shell
 ```

 ## Start the PostgreSQL Database and Valkey
@@ -137,7 +139,7 @@ gunicorn -c config/guniconf.py config.wsgi:application

 ## Local deployment

-To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `uv` and `docker compose` are installed.
+To use this method, you'll need to set up a Python virtual environment (version ">=3.11,<3.13") and keep dependencies updated. Additionally, ensure that `poetry` and `docker compose` are installed.

 ### Clone the repository

@@ -163,10 +165,11 @@ docker compose up postgres valkey -d

 ### Install the Python dependencies

-> You must have uv installed
+> You must have Poetry installed

 ```console
-uv sync
+poetry install
+poetry shell
 ```

 ### Apply migrations
@@ -243,8 +246,9 @@ docker logs -f $(docker ps --format "{{.Names}}" | grep 'api-')
 For migrations, you need to force the `admin` database router. Assuming you have the correct environment variables and Python virtual environment, run:

 ```console
+poetry shell
 cd src/backend
-uv run python manage.py migrate --database admin
+python manage.py migrate --database admin
 ```

 ## Apply fixtures
@@ -252,8 +256,9 @@ uv run python manage.py migrate --database admin
 Fixtures are used to populate the database with initial development data.

 ```console
+poetry shell
 cd src/backend
-uv run python manage.py loaddata api/fixtures/0_dev_users.json --database admin
+python manage.py loaddata api/fixtures/0_dev_users.json --database admin
 ```

 > The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`
@@ -265,8 +270,9 @@ Note that the tests will fail if you use the same `.env` file as the development
 For best results, run in a new shell with no environment variables set.

 ```console
+poetry shell
 cd src/backend
-uv run pytest
+pytest
 ```

 # Custom commands
@@ -278,7 +284,8 @@ Django provides a way to create custom commands that can be run from the command
 To run a custom command, you need to be in the `prowler/api/src/backend` directory and run:

 ```console
-uv run python manage.py <command_name>
+poetry shell
+python manage.py <command_name>
 ```

 ## Generate dummy data
@@ -301,7 +308,7 @@ This command creates, for a given tenant, a provider, scan and a set of findings
 ### Example

 ```console
-~/backend $ uv run python manage.py findings --tenant
+~/backend $ poetry run python manage.py findings --tenant
 fffb1893-3fc7-4623-a5d9-fae47da1c528 --findings 25000 --re
 sources 1000 --batch 5000 --alias test-script

@@ -5,9 +5,9 @@ apply_migrations() {
  echo "Applying database migrations..."

  # Fix Inconsistent migration history after adding sites app
-  uv run python manage.py check_and_fix_socialaccount_sites_migration --database admin
+  poetry run python manage.py check_and_fix_socialaccount_sites_migration --database admin

-  uv run python manage.py migrate --database admin
+  poetry run python manage.py migrate --database admin
 }

 apply_fixtures() {
@@ -15,19 +15,19 @@ apply_fixtures() {
  for fixture in api/fixtures/dev/*.json; do
    if [ -f "$fixture" ]; then
      echo "Loading $fixture"
-      uv run python manage.py loaddata "$fixture" --database admin
+      poetry run python manage.py loaddata "$fixture" --database admin
    fi
  done
 }

 start_dev_server() {
  echo "Starting the development server..."
-  uv run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
+  poetry run python manage.py runserver 0.0.0.0:"${DJANGO_PORT:-8080}"
 }

 start_prod_server() {
  echo "Starting the Gunicorn server..."
-  uv run gunicorn -c config/guniconf.py config.wsgi:application
+  poetry run gunicorn -c config/guniconf.py config.wsgi:application
 }

 resolve_worker_hostname() {
@@ -47,7 +47,7 @@ resolve_worker_hostname() {

 start_worker() {
  echo "Starting the worker..."
-  uv run python -m celery -A config.celery worker \
+  poetry run python -m celery -A config.celery worker \
    -n "$(resolve_worker_hostname)" \
    -l "${DJANGO_LOGGING_LEVEL:-info}" \
    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
@@ -56,7 +56,8 @@ start_worker() {

 start_worker_beat() {
  echo "Starting the worker-beat..."
-  uv run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
+  sleep 15
+  poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }

 manage_db_partitions() {
@@ -64,7 +65,7 @@ manage_db_partitions() {
    echo "Managing DB partitions..."
    # For now we skip the deletion of partitions until we define the data retention policy
    # --yes auto approves the operation without the need of an interactive terminal
-    uv run python manage.py pgpartition --using admin --skip-delete --yes
+    poetry run python manage.py pgpartition --using admin --skip-delete --yes
  fi
 }

@@ -1,24 +1,6 @@
-[dependency-groups]
-dev = [
-  "bandit==1.7.9",
-  "coverage==7.5.4",
-  "django-silk==5.3.2",
-  "docker==7.1.0",
-  "filelock==3.20.3",
-  "freezegun==1.5.1",
-  "mypy==1.10.1",
-  "pylint==3.2.5",
-  "pytest==9.0.3",
-  "pytest-cov==5.0.0",
-  "pytest-django==4.8.0",
-  "pytest-env==1.1.3",
-  "pytest-randomly==3.15.0",
-  "pytest-xdist==3.6.1",
-  "ruff==0.5.0",
-  "tqdm==4.67.1",
-  "vulture==2.14",
-  "prek==0.3.9"
-]
+[build-system]
+build-backend = "poetry.core.masonry.api"
+requires = ["poetry-core"]

 [project]
 authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
@@ -42,21 +24,21 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "defusedxml==0.7.1",
  "gunicorn==23.0.0",
-  "lxml==6.1.0",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "lxml==5.3.2",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.23",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (==1.3.0)",
  "sentry-sdk[django] (==2.56.0)",
  "uuid6==2024.7.10",
  "openai (==1.109.1)",
-  "xmlsec==1.3.17",
+  "xmlsec==1.3.14",
  "h2 (==4.3.0)",
  "markdown (==3.10.2)",
  "drf-simple-apikey (==2.2.1)",
  "matplotlib (==3.10.8)",
  "reportlab (==4.4.10)",
  "neo4j (==6.1.0)",
-  "cartography (==0.135.0)",
+  "cartography (==0.132.0)",
  "gevent (==25.9.1)",
  "werkzeug (==3.1.7)",
  "sqlparse (==0.5.5)",
@@ -68,382 +50,28 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.28.0"
+version = "1.24.1"

-[tool.uv]
-# Transitive pins matching master to avoid silent drift; bump deliberately.
-constraint-dependencies = [
-  "about-time==4.2.1",
-  "adal==1.2.7",
-  "aioboto3==15.5.0",
-  "aiobotocore==2.25.1",
-  "aiofiles==24.1.0",
-  "aiohappyeyeballs==2.6.1",
-  "aiohttp==3.13.5",
-  "aioitertools==0.13.0",
-  "aiosignal==1.4.0",
-  "alibabacloud-actiontrail20200706==2.4.1",
-  "alibabacloud-credentials==1.0.3",
-  "alibabacloud-credentials-api==1.0.0",
-  "alibabacloud-cs20151215==6.1.0",
-  "alibabacloud-darabonba-array==0.1.0",
-  "alibabacloud-darabonba-encode-util==0.0.2",
-  "alibabacloud-darabonba-map==0.0.1",
-  "alibabacloud-darabonba-signature-util==0.0.4",
-  "alibabacloud-darabonba-string==0.0.4",
-  "alibabacloud-darabonba-time==0.0.1",
-  "alibabacloud-ecs20140526==7.2.5",
-  "alibabacloud-endpoint-util==0.0.4",
-  "alibabacloud-gateway-oss==0.0.17",
-  "alibabacloud-gateway-oss-util==0.0.3",
-  "alibabacloud-gateway-sls==0.4.0",
-  "alibabacloud-gateway-sls-util==0.4.0",
-  "alibabacloud-gateway-spi==0.0.3",
-  "alibabacloud-openapi-util==0.2.4",
-  "alibabacloud-oss-util==0.0.6",
-  "alibabacloud-oss20190517==1.0.6",
-  "alibabacloud-ram20150501==1.2.0",
-  "alibabacloud-rds20140815==12.0.0",
-  "alibabacloud-sas20181203==6.1.0",
-  "alibabacloud-sls20201230==5.9.0",
-  "alibabacloud-sts20150401==1.1.6",
-  "alibabacloud-tea==0.4.3",
-  "alibabacloud-tea-openapi==0.4.4",
-  "alibabacloud-tea-util==0.3.14",
-  "alibabacloud-tea-xml==0.0.3",
-  "alibabacloud-vpc20160428==6.13.0",
-  "alive-progress==3.3.0",
-  "aliyun-log-fastpb==0.2.0",
-  "amqp==5.3.1",
-  "annotated-types==0.7.0",
-  "anyio==4.12.1",
-  "applicationinsights==0.11.10",
-  "apscheduler==3.11.2",
-  "argcomplete==3.5.3",
-  "asgiref==3.11.0",
-  "astroid==3.2.4",
-  "async-timeout==5.0.1",
-  "attrs==25.4.0",
-  "authlib==1.6.9",
-  "autopep8==2.3.2",
-  "awsipranges==0.3.3",
-  "azure-cli-core==2.83.0",
-  "azure-cli-telemetry==1.1.0",
-  "azure-common==1.1.28",
-  "azure-core==1.38.1",
-  "azure-identity==1.21.0",
-  "azure-keyvault-certificates==4.10.0",
-  "azure-keyvault-keys==4.10.0",
-  "azure-keyvault-secrets==4.10.0",
-  "azure-mgmt-apimanagement==5.0.0",
-  "azure-mgmt-applicationinsights==4.1.0",
-  "azure-mgmt-authorization==4.0.0",
-  "azure-mgmt-compute==34.0.0",
-  "azure-mgmt-containerinstance==10.1.0",
-  "azure-mgmt-containerregistry==12.0.0",
-  "azure-mgmt-containerservice==34.1.0",
-  "azure-mgmt-core==1.6.0",
-  "azure-mgmt-cosmosdb==9.7.0",
-  "azure-mgmt-databricks==2.0.0",
-  "azure-mgmt-datafactory==9.2.0",
-  "azure-mgmt-eventgrid==10.4.0",
-  "azure-mgmt-eventhub==11.2.0",
-  "azure-mgmt-keyvault==10.3.1",
-  "azure-mgmt-loganalytics==12.0.0",
-  "azure-mgmt-logic==10.0.0",
-  "azure-mgmt-monitor==6.0.2",
-  "azure-mgmt-network==28.1.0",
-  "azure-mgmt-postgresqlflexibleservers==1.1.0",
-  "azure-mgmt-rdbms==10.1.0",
-  "azure-mgmt-recoveryservices==3.1.0",
-  "azure-mgmt-recoveryservicesbackup==9.2.0",
-  "azure-mgmt-resource==24.0.0",
-  "azure-mgmt-search==9.1.0",
-  "azure-mgmt-security==7.0.0",
-  "azure-mgmt-sql==3.0.1",
-  "azure-mgmt-storage==22.1.1",
-  "azure-mgmt-subscription==3.1.1",
-  "azure-mgmt-synapse==2.0.0",
-  "azure-mgmt-web==8.0.0",
-  "azure-monitor-query==2.0.0",
-  "azure-storage-blob==12.24.1",
-  "azure-synapse-artifacts==0.21.0",
-  "backoff==2.2.1",
-  "bandit==1.7.9",
-  "billiard==4.2.4",
-  "blinker==1.9.0",
-  "boto3==1.40.61",
-  "botocore==1.40.61",
-  "cartography==0.135.0",
-  "celery==5.6.2",
-  "certifi==2026.1.4",
-  "cffi==2.0.0",
-  "charset-normalizer==3.4.4",
-  "circuitbreaker==2.1.3",
-  "click==8.3.1",
-  "click-didyoumean==0.3.1",
-  "click-plugins==1.1.1.2",
-  "click-repl==0.3.0",
-  "cloudflare==4.3.1",
-  "colorama==0.4.6",
-  "contextlib2==21.6.0",
-  "contourpy==1.3.3",
-  "coverage==7.5.4",
-  "cron-descriptor==1.4.5",
-  "crowdstrike-falconpy==1.6.0",
-  "cryptography==46.0.7",
-  "cycler==0.12.1",
-  "darabonba-core==1.0.5",
-  "dash==3.1.1",
-  "dash-bootstrap-components==2.0.3",
-  "debugpy==1.8.20",
-  "decorator==5.2.1",
-  "defusedxml==0.7.1",
-  "detect-secrets==1.5.0",
-  "dill==0.4.1",
-  "distro==1.9.0",
-  "dj-rest-auth==7.0.1",
-  "django==5.1.15",
-  "django-allauth==65.15.0",
-  "django-celery-beat==2.9.0",
-  "django-celery-results==2.6.0",
-  "django-cors-headers==4.4.0",
-  "django-environ==0.11.2",
-  "django-filter==24.3",
-  "django-guid==3.5.0",
-  "django-postgres-extra==2.0.9",
-  "django-silk==5.3.2",
-  "django-timezone-field==7.2.1",
-  "djangorestframework==3.15.2",
-  "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt==5.5.1",
-  "dnspython==2.8.0",
-  "docker==7.1.0",
-  "dogpile-cache==1.5.0",
-  "dparse==0.6.4",
-  "drf-extensions==0.8.0",
-  "drf-nested-routers==0.95.0",
-  "drf-simple-apikey==2.2.1",
-  "drf-spectacular==0.27.2",
-  "drf-spectacular-jsonapi==0.5.1",
-  "dulwich==0.23.0",
-  "duo-client==5.5.0",
-  "durationpy==0.10",
-  "email-validator==2.2.0",
-  "execnet==2.1.2",
-  "filelock==3.20.3",
-  "flask==3.1.3",
-  "fonttools==4.62.1",
-  "freezegun==1.5.1",
-  "frozenlist==1.8.0",
-  "gevent==25.9.1",
-  "google-api-core==2.29.0",
-  "google-api-python-client==2.163.0",
-  "google-auth==2.48.0",
-  "google-auth-httplib2==0.2.0",
-  "google-cloud-access-context-manager==0.3.0",
-  "google-cloud-asset==4.2.0",
-  "google-cloud-org-policy==1.16.0",
-  "google-cloud-os-config==1.23.0",
-  "google-cloud-resource-manager==1.16.0",
-  "googleapis-common-protos==1.72.0",
-  "gprof2dot==2025.4.14",
-  "graphemeu==0.7.2",
-  "greenlet==3.3.1",
-  "grpc-google-iam-v1==0.14.3",
-  "grpcio==1.76.0",
-  "grpcio-status==1.76.0",
-  "gunicorn==23.0.0",
-  "h11==0.16.0",
-  "h2==4.3.0",
-  "hpack==4.1.0",
-  "httpcore==1.0.9",
-  "httplib2==0.31.2",
-  "httpx==0.28.1",
-  "humanfriendly==10.0",
-  "hyperframe==6.1.0",
-  "iamdata==0.1.202602021",
-  "idna==3.11",
-  "importlib-metadata==8.7.1",
-  "inflection==0.5.1",
-  "iniconfig==2.3.0",
-  "iso8601==2.1.0",
-  "isodate==0.7.2",
-  "isort==5.13.2",
-  "itsdangerous==2.2.0",
-  "jinja2==3.1.6",
-  "jiter==0.13.0",
-  "jmespath==1.1.0",
-  "joblib==1.5.3",
-  "jsonpatch==1.33",
-  "jsonpickle==4.1.1",
-  "jsonpointer==3.0.0",
-  "jsonschema==4.23.0",
-  "jsonschema-specifications==2025.9.1",
-  "keystoneauth1==5.13.0",
-  "kiwisolver==1.4.9",
-  "knack==0.11.0",
-  "kombu==5.6.2",
-  "kubernetes==32.0.1",
-  "lxml==6.1.0",
-  "lz4==4.4.5",
-  "markdown==3.10.2",
-  "markdown-it-py==4.0.0",
-  "markupsafe==3.0.3",
-  "marshmallow==4.3.0",
-  "matplotlib==3.10.8",
-  "mccabe==0.7.0",
-  "mdurl==0.1.2",
-  "microsoft-kiota-abstractions==1.9.9",
-  "microsoft-kiota-authentication-azure==1.9.9",
-  "microsoft-kiota-http==1.9.9",
-  "microsoft-kiota-serialization-form==1.9.9",
-  "microsoft-kiota-serialization-json==1.9.9",
-  "microsoft-kiota-serialization-multipart==1.9.9",
-  "microsoft-kiota-serialization-text==1.9.9",
-  "microsoft-security-utilities-secret-masker==1.0.0b4",
-  "msal==1.35.0b1",
-  "msal-extensions==1.2.0",
-  "msgraph-core==1.3.8",
-  "msgraph-sdk==1.55.0",
-  "msrest==0.7.1",
-  "msrestazure==0.6.4.post1",
-  "multidict==6.7.1",
-  "mypy==1.10.1",
-  "mypy-extensions==1.1.0",
-  "narwhals==2.16.0",
-  "neo4j==6.1.0",
-  "nest-asyncio==1.6.0",
-  "nltk==3.9.4",
-  "numpy==2.0.2",
-  "oauthlib==3.3.1",
-  "oci==2.169.0",
-  "openai==1.109.1",
-  "openstacksdk==4.2.0",
-  "opentelemetry-api==1.39.1",
-  "opentelemetry-sdk==1.39.1",
-  "opentelemetry-semantic-conventions==0.60b1",
-  "os-service-types==1.8.2",
-  "packageurl-python==0.17.6",
-  "packaging==26.0",
-  "pagerduty==6.1.0",
-  "pandas==2.2.3",
-  "pbr==7.0.3",
-  "pillow==12.2.0",
-  "pkginfo==1.12.1.2",
-  "platformdirs==4.5.1",
-  "plotly==6.5.2",
-  "pluggy==1.6.0",
-  "policyuniverse==1.5.1.20231109",
-  "portalocker==2.10.1",
-  "prek==0.3.9",
-  "prompt-toolkit==3.0.52",
-  "propcache==0.4.1",
-  "proto-plus==1.27.0",
-  "protobuf==6.33.5",
-  "psutil==7.2.2",
-  "psycopg2-binary==2.9.9",
-  "py-deviceid==0.1.1",
-  "py-iam-expand==0.1.0",
-  "py-ocsf-models==0.8.1",
-  "pyasn1==0.6.3",
-  "pyasn1-modules==0.4.2",
-  "pycodestyle==2.14.0",
-  "pycparser==3.0",
-  "pydantic==2.12.5",
-  "pydantic-core==2.41.5",
-  "pygithub==2.8.0",
-  "pygments==2.20.0",
-  "pyjwt==2.12.1",
-  "pylint==3.2.5",
-  "pymsalruntime==0.18.1",
-  "pynacl==1.6.2",
-  "pyopenssl==26.0.0",
-  "pyparsing==3.3.2",
-  "pyreadline3==3.5.4",
-  "pysocks==1.7.1",
-  "pytest==9.0.3",
-  "pytest-celery==1.3.0",
-  "pytest-cov==5.0.0",
-  "pytest-django==4.8.0",
-  "pytest-docker-tools==3.1.9",
-  "pytest-env==1.1.3",
-  "pytest-randomly==3.15.0",
-  "pytest-xdist==3.6.1",
-  "python-crontab==3.3.0",
-  "python-dateutil==2.9.0.post0",
-  "python-digitalocean==1.17.0",
-  "python3-saml==1.16.0",
-  "pytz==2025.1",
-  "pywin32==311",
-  "pyyaml==6.0.3",
-  "redis==7.1.0",
-  "referencing==0.37.0",
-  "regex==2026.1.15",
-  "reportlab==4.4.10",
-  "requests==2.33.1",
-  "requests-file==3.0.1",
-  "requests-oauthlib==2.0.0",
-  "requestsexceptions==1.4.0",
-  "retrying==1.4.2",
-  "rich==14.3.2",
-  "rpds-py==0.30.0",
-  "rsa==4.9.1",
-  "ruamel-yaml==0.19.1",
-  "ruff==0.5.0",
-  "s3transfer==0.14.0",
-  "scaleway==2.10.3",
-  "scaleway-core==2.10.3",
-  "schema==0.7.5",
-  "sentry-sdk==2.56.0",
-  "setuptools==80.10.2",
-  "shellingham==1.5.4",
-  "shodan==1.31.0",
-  "six==1.17.0",
-  "slack-sdk==3.39.0",
-  "sniffio==1.3.1",
-  "sqlparse==0.5.5",
-  "statsd==4.0.1",
-  "std-uritemplate==2.0.8",
-  "stevedore==5.6.0",
-  "tabulate==0.9.0",
-  "tenacity==9.1.2",
-  "tldextract==5.3.1",
-  "tomlkit==0.14.0",
-  "tqdm==4.67.1",
-  "typer==0.21.1",
-  "types-aiobotocore-ecr==3.1.1",
-  "typing-extensions==4.15.0",
-  "typing-inspection==0.4.2",
-  "tzdata==2025.3",
-  "tzlocal==5.3.1",
-  "uritemplate==4.2.0",
-  "urllib3==2.7.0",
-  "uuid6==2024.7.10",
-  "vine==5.1.0",
-  "vulture==2.14",
-  "wcwidth==0.5.3",
-  "websocket-client==1.9.0",
-  "werkzeug==3.1.7",
-  "workos==6.0.4",
-  "wrapt==1.17.3",
-  "xlsxwriter==3.2.9",
-  "xmlsec==1.3.17",
-  "xmltodict==1.0.2",
-  "yarl==1.22.0",
-  "zipp==3.23.0",
-  "zope-event==6.1",
-  "zope-interface==8.2",
-  "zstd==1.5.7.3"
-]
-# prowler@master needs okta==3.4.2; cartography 0.135.0 declares okta<1.0.0 for an
-# integration prowler does not import.
-#
-# prowler@master hard-pins microsoft-kiota-abstractions==1.9.2 in [project.dependencies].
-# The microsoft-kiota-http security bump to 1.9.9 (GHSA-7j59-v9qr-6fq9) requires
-# microsoft-kiota-abstractions>=1.9.9, which a constraint cannot satisfy against the
-# SDK's hard pin; override it to the patched, kiota-aligned version.
-override-dependencies = [
-  "okta==3.4.2",
-  "microsoft-kiota-abstractions==1.9.9"
-]
+[project.scripts]
+celery = "src.backend.config.settings.celery"
+
+[tool.poetry.group.dev.dependencies]
+bandit = "1.7.9"
+coverage = "7.5.4"
+django-silk = "5.3.2"
+docker = "7.1.0"
+filelock = "3.20.3"
+freezegun = "1.5.1"
+marshmallow = "==3.26.2"
+mypy = "1.10.1"
+pylint = "3.2.5"
+pytest = "8.2.2"
+pytest-cov = "5.0.0"
+pytest-django = "4.8.0"
+pytest-env = "1.1.3"
+pytest-randomly = "3.15.0"
+pytest-xdist = "3.6.1"
+ruff = "0.5.0"
+safety = "3.7.0"
+tqdm = "4.67.1"
+vulture = "2.14"
@@ -52,7 +52,7 @@ class ApiConfig(AppConfig):
            "check_and_fix_socialaccount_sites_migration",
        ]

-        # Skip eager Neo4j init for tests, some Django commands, and Celery (prefork pool: driver must stay lazy, no post_fork hook)
+        # Skip Neo4j initialization during tests, some Django commands, and Celery
        if getattr(settings, "TESTING", False) or (
            len(sys.argv) > 1
            and (
@@ -64,7 +64,7 @@ class ApiConfig(AppConfig):
            )
        ):
            logger.info(
-                "Skipping eager Neo4j init: tests, some Django commands, or Celery prefork pool (driver stays lazy)"
+                "Skipping Neo4j initialization because tests, some Django commands or Celery"
            )

        else:
@@ -28,7 +28,6 @@ READ_QUERY_TIMEOUT_SECONDS = env.int(
    "ATTACK_PATHS_READ_QUERY_TIMEOUT_SECONDS", default=30
 )
 MAX_CUSTOM_QUERY_NODES = env.int("ATTACK_PATHS_MAX_CUSTOM_QUERY_NODES", default=250)
-CONN_ACQUISITION_TIMEOUT = env.int("NEO4J_CONN_ACQUISITION_TIMEOUT", default=15)
 READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
    "Neo.ClientError.Procedure.ProcedureNotFound",
@@ -63,7 +62,7 @@ def init_driver() -> neo4j.Driver:
                auth=(config["USER"], config["PASSWORD"]),
                keep_alive=True,
                max_connection_lifetime=7200,
-                connection_acquisition_timeout=CONN_ACQUISITION_TIMEOUT,
+                connection_acquisition_timeout=120,
                max_connection_pool_size=50,
            )
            _driver.verify_connectivity()
@@ -484,8 +484,8 @@ AWS_BEDROCK_PRIVESC_PASSROLE_CODE_INTERPRETER = AttackPathsQueryDefinition(
                OR action = '*'
            )

-        // Find roles that trust the Bedrock AgentCore service (can be passed to a code interpreter)
-        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock-agentcore.amazonaws.com'}})
+        // Find roles that trust Bedrock service (can be passed to Bedrock)
+        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock.amazonaws.com'}})
        WHERE any(resource IN stmt_passrole.resource WHERE
            resource = '*'
            OR target_role.arn CONTAINS resource
@@ -536,8 +536,8 @@ AWS_BEDROCK_PRIVESC_INVOKE_CODE_INTERPRETER = AttackPathsQueryDefinition(
                OR action = '*'
            )

-        // Find roles that trust the Bedrock AgentCore service (already attached to existing code interpreters)
-        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock-agentcore.amazonaws.com'}})
+        // Find roles that trust Bedrock service (already attached to existing code interpreters)
+        MATCH path_target = (aws)--(target_role:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {{arn: 'bedrock.amazonaws.com'}})

        WITH collect(path_principal) + collect(path_target) AS paths
        UNWIND paths AS p
@@ -1,6 +1,7 @@
 from collections.abc import Iterable, Mapping

 from api.models import Provider
+from prowler.config.config import get_available_compliance_frameworks
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.models import CheckMetadata

@@ -94,12 +95,12 @@ PROWLER_CHECKS = LazyChecksMapping()


 def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[str]:
-    """List compliance frameworks the API can load for `provider_type`.
+    """
+    Retrieve and cache the list of available compliance frameworks for a specific cloud provider.

-    The list is sourced from `Compliance.get_bulk` so that the names
-    returned here are guaranteed to be loadable by the bulk loader. This
-    prevents downstream key mismatches (e.g. CSV report generation iterating
-    framework names and looking them up in the bulk dict).
+    This function lazily loads and caches the available compliance frameworks (e.g., CIS, MITRE, ISO)
+    for each provider type (AWS, Azure, GCP, etc.) on first access. Subsequent calls for the same
+    provider will return the cached result.

    Args:
        provider_type (Provider.ProviderChoices): The cloud provider type for which to retrieve
@@ -111,8 +112,8 @@ def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[s
    """
    global AVAILABLE_COMPLIANCE_FRAMEWORKS
    if provider_type not in AVAILABLE_COMPLIANCE_FRAMEWORKS:
-        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = list(
-            Compliance.get_bulk(provider_type).keys()
+        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = (
+            get_available_compliance_frameworks(provider_type)
        )

    return AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type]
@@ -330,7 +330,6 @@ class MembershipFilter(FilterSet):
        model = Membership
        fields = {
            "tenant": ["exact"],
-            "user": ["exact"],
            "role": ["exact"],
            "date_joined": ["date", "gte", "lte"],
        }
@@ -1,254 +0,0 @@
-"""Liveness and readiness endpoints following the IETF Health Check Response
-Format (draft-inadarei-api-health-check-06).
-
-Liveness reports only process status. Readiness verifies that PostgreSQL,
-Valkey and Neo4j are reachable and returns per-dependency detail when any
-of them is unreachable.
-"""
-
-from __future__ import annotations
-
-import logging
-import threading
-import time
-from contextlib import suppress
-from datetime import datetime, timezone
-from typing import Any
-
-import redis
-from config.version import API_VERSION, RELEASE_ID
-from django.conf import settings
-from django.db import connections
-from drf_spectacular.utils import extend_schema
-from rest_framework import status
-from rest_framework.renderers import JSONRenderer
-from rest_framework.response import Response
-from rest_framework.throttling import ScopedRateThrottle
-from rest_framework.views import APIView
-
-logger = logging.getLogger(__name__)
-
-SERVICE_ID = "prowler-api"
-SERVICE_DESCRIPTION = "Prowler API"
-
-# Status vocabulary from the IETF draft (section 3.1).
-STATUS_PASS = "pass"
-STATUS_FAIL = "fail"
-STATUS_WARN = "warn"
-
-# Short socket timeout so a stuck Valkey cannot stall the probe.
-# Neo4j inherits its driver-level ``connection_acquisition_timeout``.
-VALKEY_PROBE_TIMEOUT_SECONDS = 2
-
-# Brief cache window so high-frequency probes (ALB target groups, scrapers)
-# do not stampede the actual dependency checks.
-CACHE_CONTROL_HEADER = "max-age=3, must-revalidate"
-
-# In-process readiness cache. Caps real dependency hits to roughly
-# (gunicorn workers / TTL) per second regardless of incoming RPS or the
-# source-IP distribution. Kept in sync with the Cache-Control max-age.
-# Access is guarded by a lock so concurrent readers do not race on the
-# read-decide-write cycle of the double-checked locking pattern below.
-READINESS_CACHE_TTL_SECONDS = 3.0
-_readiness_cache: tuple[float, dict[str, Any], int] | None = None
-_readiness_cache_lock = threading.Lock()
-
-
-class HealthJSONRenderer(JSONRenderer):
-    """Emits responses with the ``application/health+json`` content type."""
-
-    media_type = "application/health+json"
-    format = "health"
-
-
-def _now_iso() -> str:
-    return (
-        datetime.now(timezone.utc)
-        .isoformat(timespec="milliseconds")
-        .replace("+00:00", "Z")
-    )
-
-
-def _measure(name: str, check_fn) -> tuple[dict[str, Any], float]:
-    """Time ``check_fn`` and return ``(result, elapsed_ms)``.
-
-    ``check_fn`` returns ``None`` on success or raises on failure. The full
-    exception is logged for operator diagnostics under ``name``; the
-    response payload intentionally omits the error detail to avoid leaking
-    infrastructure information (DNS names, ports, credentials, certificate
-    chains) to anonymous clients.
-    """
-    started = time.perf_counter()
-    try:
-        check_fn()
-    except Exception:
-        elapsed_ms = (time.perf_counter() - started) * 1000
-        logger.warning("Health probe '%s' failed", name, exc_info=True)
-        return ({"status": STATUS_FAIL}, elapsed_ms)
-    elapsed_ms = (time.perf_counter() - started) * 1000
-    return ({"status": STATUS_PASS}, elapsed_ms)
-
-
-def _probe_postgres() -> None:
-    with connections["default"].cursor() as cursor:
-        cursor.execute("SELECT 1")
-        cursor.fetchone()
-
-
-def _probe_valkey() -> None:
-    client = redis.Redis.from_url(
-        settings.CELERY_BROKER_URL,
-        socket_connect_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-        socket_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-    )
-    try:
-        if not client.ping():
-            raise RuntimeError("PING did not return PONG")
-    finally:
-        # Best-effort cleanup: a failure releasing the socket (e.g. broken
-        # connection, half-closed by the server) must not mask the probe
-        # result. Narrowed to the exception types redis-py and the stdlib
-        # socket layer can raise on close.
-        with suppress(redis.RedisError, OSError):
-            client.close()
-
-
-def _probe_neo4j() -> None:
-    # Lazy import: avoids pulling attack_paths into the boot import graph.
-    from api.attack_paths.database import get_driver
-
-    get_driver().verify_connectivity()
-
-
-def _build_check_entry(
-    component_id: str,
-    component_type: str,
-    result: dict[str, Any],
-    elapsed_ms: float,
-) -> dict[str, Any]:
-    entry: dict[str, Any] = {
-        "componentId": component_id,
-        "componentType": component_type,
-        "observedValue": round(elapsed_ms, 2),
-        "observedUnit": "ms",
-        "status": result["status"],
-        "time": _now_iso(),
-    }
-    if "output" in result:
-        entry["output"] = result["output"]
-    return entry
-
-
-def _aggregate_status(check_entries: list[dict[str, Any]]) -> str:
-    statuses = {entry["status"] for entry in check_entries}
-    if STATUS_FAIL in statuses:
-        return STATUS_FAIL
-    if STATUS_WARN in statuses:
-        return STATUS_WARN
-    return STATUS_PASS
-
-
-def _base_payload(overall_status: str) -> dict[str, Any]:
-    return {
-        "status": overall_status,
-        "version": API_VERSION,
-        "releaseId": RELEASE_ID,
-        "serviceId": SERVICE_ID,
-        "description": SERVICE_DESCRIPTION,
-    }
-
-
-def _readiness_payload() -> tuple[dict[str, Any], int]:
-    global _readiness_cache
-
-    # Lock-free fast path: a stale snapshot still satisfies the freshness
-    # check correctly because we re-check after acquiring the lock below.
-    snapshot = _readiness_cache
-    if (
-        snapshot is not None
-        and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-    ):
-        return snapshot[1], snapshot[2]
-
-    with _readiness_cache_lock:
-        # Double-checked locking: another thread may have refreshed while
-        # we were waiting on the lock.
-        snapshot = _readiness_cache
-        if (
-            snapshot is not None
-            and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-        ):
-            return snapshot[1], snapshot[2]
-
-        postgres_result, postgres_ms = _measure("postgres", _probe_postgres)
-        valkey_result, valkey_ms = _measure("valkey", _probe_valkey)
-        neo4j_result, neo4j_ms = _measure("neo4j", _probe_neo4j)
-
-        entries = [
-            _build_check_entry("postgres", "datastore", postgres_result, postgres_ms),
-            _build_check_entry("valkey", "datastore", valkey_result, valkey_ms),
-            _build_check_entry("neo4j", "datastore", neo4j_result, neo4j_ms),
-        ]
-        overall = _aggregate_status(entries)
-
-        payload = _base_payload(overall)
-        payload["checks"] = {
-            "postgres:responseTime": [entries[0]],
-            "valkey:responseTime": [entries[1]],
-            "neo4j:responseTime": [entries[2]],
-        }
-
-        http_status = (
-            status.HTTP_503_SERVICE_UNAVAILABLE
-            if overall == STATUS_FAIL
-            else status.HTTP_200_OK
-        )
-        _readiness_cache = (time.monotonic(), payload, http_status)
-        return payload, http_status
-
-
-def _health_response(payload: dict[str, Any], http_status: int) -> Response:
-    response = Response(payload, status=http_status)
-    response["Cache-Control"] = CACHE_CONTROL_HEADER
-    return response
-
-
-@extend_schema(exclude=True)
-class LivenessView(APIView):
-    """Liveness probe. Always 200 when the process can serve requests.
-
-    Dependencies are intentionally not consulted: a failing liveness probe
-    triggers a container restart, which must not happen for transient
-    dependency outages. Throttled per-IP so the endpoint cannot be used as
-    a cheap availability oracle for the process.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-live"
-
-    def get(self, _request, *_args, **_kwargs):
-        return _health_response(_base_payload(STATUS_PASS), status.HTTP_200_OK)
-
-
-@extend_schema(exclude=True)
-class ReadinessView(APIView):
-    """Readiness probe.
-
-    Returns 200 when PostgreSQL, Valkey and Neo4j all respond, or 503 with
-    per-dependency detail when any of them is unreachable. Per-IP throttle
-    plus the short in-process result cache cap the real dependency hits
-    regardless of inbound traffic shape.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-ready"
-
-    def get(self, _request, *_args, **_kwargs):
-        payload, http_status = _readiness_payload()
-        return _health_response(payload, http_status)
@@ -1,23 +0,0 @@
-from django.db import migrations
-
-TASK_NAME = "attack-paths-cleanup-stale-scans"
-
-
-def set_cleanup_priority(apps, schema_editor):
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=0)
-
-
-def unset_cleanup_priority(apps, schema_editor):
-    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
-    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=None)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0089_backfill_finding_group_status_muted"),
-    ]
-
-    operations = [
-        migrations.RunPython(set_cleanup_priority, unset_cleanup_priority),
-    ]
@@ -1,31 +0,0 @@
-from functools import partial
-
-from django.db import migrations
-
-from api.db_utils import create_index_on_partitions, drop_index_on_partitions
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0090_attack_paths_cleanup_priority"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            partial(
-                create_index_on_partitions,
-                parent_table="findings",
-                index_name="gin_find_arrays_idx",
-                columns="categories, resource_services, resource_regions, resource_types",
-                method="GIN",
-                all_partitions=True,
-            ),
-            reverse_code=partial(
-                drop_index_on_partitions,
-                parent_table="findings",
-                index_name="gin_find_arrays_idx",
-            ),
-        )
-    ]
@@ -1,73 +0,0 @@
-import django.contrib.postgres.indexes
-from django.db import migrations
-
-INDEX_NAME = "gin_find_arrays_idx"
-PARENT_TABLE = "findings"
-
-
-def create_parent_and_attach(apps, schema_editor):
-    with schema_editor.connection.cursor() as cursor:
-        # Idempotent: the parent index may already exist if it was created
-        # manually on an environment before this migration ran.
-        cursor.execute(
-            f"CREATE INDEX IF NOT EXISTS {INDEX_NAME} ON ONLY {PARENT_TABLE} "
-            f"USING gin (categories, resource_services, resource_regions, resource_types)"
-        )
-        cursor.execute(
-            "SELECT inhrelid::regclass::text "
-            "FROM pg_inherits "
-            "WHERE inhparent = %s::regclass",
-            [PARENT_TABLE],
-        )
-        for (partition,) in cursor.fetchall():
-            child_idx = f"{partition.replace('.', '_')}_{INDEX_NAME}"
-            # ALTER INDEX ... ATTACH PARTITION has no IF NOT ATTACHED clause,
-            # so check pg_inherits first to keep the migration re-runnable.
-            cursor.execute(
-                """
-                SELECT 1
-                FROM pg_inherits i
-                JOIN pg_class p ON p.oid = i.inhparent
-                JOIN pg_class c ON c.oid = i.inhrelid
-                WHERE p.relname = %s AND c.relname = %s
-                """,
-                [INDEX_NAME, child_idx],
-            )
-            if cursor.fetchone() is None:
-                cursor.execute(f"ALTER INDEX {INDEX_NAME} ATTACH PARTITION {child_idx}")
-
-
-def drop_parent_index(apps, schema_editor):
-    with schema_editor.connection.cursor() as cursor:
-        cursor.execute(f"DROP INDEX IF EXISTS {INDEX_NAME}")
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0091_findings_arrays_gin_index_partitions"),
-    ]
-
-    operations = [
-        migrations.SeparateDatabaseAndState(
-            state_operations=[
-                migrations.AddIndex(
-                    model_name="finding",
-                    index=django.contrib.postgres.indexes.GinIndex(
-                        fields=[
-                            "categories",
-                            "resource_services",
-                            "resource_regions",
-                            "resource_types",
-                        ],
-                        name=INDEX_NAME,
-                    ),
-                ),
-            ],
-            database_operations=[
-                migrations.RunPython(
-                    create_parent_and_attach,
-                    reverse_code=drop_parent_index,
-                ),
-            ],
-        ),
-    ]
@@ -595,40 +595,10 @@ class Scan(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
    all_objects = models.Manager()

-    _SCOPING_SCANNER_ARG_KEYS_CACHE: tuple[str, ...] | None = None
-
-    @classmethod
-    def get_scoping_scanner_arg_keys(cls) -> tuple[str, ...]:
-        """Return the scanner_args keys that mark a scan as scoped.
-
-        Derived from ``prowler.lib.scan.scan.Scan.__init__`` so the API stays
-        in sync with whatever the SDK actually accepts as filters. Cached at
-        class level — the signature is stable for the process lifetime.
-        """
-        if cls._SCOPING_SCANNER_ARG_KEYS_CACHE is None:
-            import inspect
-
-            from prowler.lib.scan.scan import Scan as ProwlerScan
-
-            params = inspect.signature(ProwlerScan.__init__).parameters
-            cls._SCOPING_SCANNER_ARG_KEYS_CACHE = tuple(
-                name for name in params if name not in ("self", "provider")
-            )
-        return cls._SCOPING_SCANNER_ARG_KEYS_CACHE
-
    class TriggerChoices(models.TextChoices):
        SCHEDULED = "scheduled", _("Scheduled")
        MANUAL = "manual", _("Manual")

-    # Trigger values for scans that ran the SDK end-to-end. Imported scans (or
-    # any future trigger) are intentionally NOT in this set — they may carry
-    # only a partial slice of resources, so post-scan logic that depends on a
-    # full-scope sweep (e.g. resetting ephemeral resource findings) must skip
-    # them by default.
-    LIVE_SCAN_TRIGGERS = frozenset(
-        (TriggerChoices.SCHEDULED.value, TriggerChoices.MANUAL.value)
-    )
-
    id = models.UUIDField(primary_key=True, default=uuid7, editable=False)
    name = models.CharField(
        blank=True, null=True, max_length=100, validators=[MinLengthValidator(3)]
@@ -711,24 +681,6 @@ class Scan(RowLevelSecurityProtectedModel):
    class JSONAPIMeta:
        resource_name = "scans"

-    def is_full_scope(self) -> bool:
-        """Return True if this scan ran with no scoping filters at all.
-
-        Used to gate post-scan operations (such as resetting the
-        failed_findings_count of resources missing from the scan) that are only
-        safe when the scan covered every check, service, and category. Imported
-        scans are NOT full-scope by definition — they may carry only a partial
-        slice of resources, so they're rejected via ``trigger`` even before the
-        scanner_args check.
-        """
-        if self.trigger not in self.LIVE_SCAN_TRIGGERS:
-            return False
-        scanner_args = self.scanner_args or {}
-        for key in self.get_scoping_scanner_arg_keys():
-            if scanner_args.get(key):
-                return False
-        return True
-

 class AttackPathsScan(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
@@ -946,6 +898,7 @@ class Resource(RowLevelSecurityProtectedModel):
                OpClass(Upper("name"), name="gin_trgm_ops"),
                name="res_name_trgm_idx",
            ),
+            GinIndex(fields=["text_search"], name="gin_resources_search_idx"),
            models.Index(fields=["tenant_id", "id"], name="resources_tenant_id_idx"),
            models.Index(
                fields=["tenant_id", "provider_id"],
@@ -1151,15 +1104,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
                fields=["tenant_id", "scan_id", "check_id"],
                name="find_tenant_scan_check_idx",
            ),
-            GinIndex(
-                fields=[
-                    "categories",
-                    "resource_services",
-                    "resource_regions",
-                    "resource_types",
-                ],
-                name="gin_find_arrays_idx",
-            ),
        ]

    class JSONAPIMeta:
@@ -12,8 +12,6 @@ from unittest.mock import MagicMock, patch
 import neo4j
 import pytest

-import api.attack_paths.database as db_module
-

 class TestLazyInitialization:
    """Test that Neo4j driver is initialized lazily on first use."""
@@ -21,6 +19,8 @@ class TestLazyInitialization:
    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
        original_driver = db_module._driver

        db_module._driver = None
@@ -31,6 +31,8 @@ class TestLazyInitialization:

    def test_driver_not_initialized_at_import(self):
        """Driver should be None after module import (no eager connection)."""
+        import api.attack_paths.database as db_module
+
        assert db_module._driver is None

    @patch("api.attack_paths.database.settings")
@@ -39,6 +41,8 @@ class TestLazyInitialization:
        self, mock_driver_factory, mock_settings
    ):
        """init_driver() should create connection only when called."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        mock_driver_factory.return_value = mock_driver
        mock_settings.DATABASES = {
@@ -65,6 +69,8 @@ class TestLazyInitialization:
        self, mock_driver_factory, mock_settings
    ):
        """Subsequent calls should return cached driver without reconnecting."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        mock_driver_factory.return_value = mock_driver
        mock_settings.DATABASES = {
@@ -93,6 +99,8 @@ class TestLazyInitialization:
        self, mock_driver_factory, mock_settings
    ):
        """get_driver() should use init_driver() for lazy initialization."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        mock_driver_factory.return_value = mock_driver
        mock_settings.DATABASES = {
@@ -110,50 +118,14 @@ class TestLazyInitialization:
        mock_driver_factory.assert_called_once()


-class TestConnectionAcquisitionTimeout:
-    """Test that the connection acquisition timeout is configurable."""
-
-    @pytest.fixture(autouse=True)
-    def reset_module_state(self):
-        original_driver = db_module._driver
-        original_timeout = db_module.CONN_ACQUISITION_TIMEOUT
-
-        db_module._driver = None
-
-        yield
-
-        db_module._driver = original_driver
-        db_module.CONN_ACQUISITION_TIMEOUT = original_timeout
-
-    @patch("api.attack_paths.database.settings")
-    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
-    def test_driver_receives_configured_timeout(
-        self, mock_driver_factory, mock_settings
-    ):
-        """init_driver() should pass CONN_ACQUISITION_TIMEOUT to the neo4j driver."""
-        mock_driver_factory.return_value = MagicMock()
-        mock_settings.DATABASES = {
-            "neo4j": {
-                "HOST": "localhost",
-                "PORT": 7687,
-                "USER": "neo4j",
-                "PASSWORD": "password",
-            }
-        }
-        db_module.CONN_ACQUISITION_TIMEOUT = 42
-
-        db_module.init_driver()
-
-        _, kwargs = mock_driver_factory.call_args
-        assert kwargs["connection_acquisition_timeout"] == 42
-
-
 class TestAtexitRegistration:
    """Test that atexit cleanup handler is registered correctly."""

    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
        original_driver = db_module._driver

        db_module._driver = None
@@ -169,6 +141,8 @@ class TestAtexitRegistration:
        self, mock_driver_factory, mock_atexit_register, mock_settings
    ):
        """atexit.register should be called on first initialization."""
+        import api.attack_paths.database as db_module
+
        mock_driver_factory.return_value = MagicMock()
        mock_settings.DATABASES = {
            "neo4j": {
@@ -194,6 +168,8 @@ class TestAtexitRegistration:
        The double-checked locking on _driver ensures the atexit registration
        block only executes once (when _driver is first created).
        """
+        import api.attack_paths.database as db_module
+
        mock_driver_factory.return_value = MagicMock()
        mock_settings.DATABASES = {
            "neo4j": {
@@ -218,6 +194,8 @@ class TestCloseDriver:
    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
        original_driver = db_module._driver

        db_module._driver = None
@@ -228,6 +206,8 @@ class TestCloseDriver:

    def test_close_driver_closes_and_clears_driver(self):
        """close_driver() should close the driver and set it to None."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        db_module._driver = mock_driver

@@ -238,6 +218,8 @@ class TestCloseDriver:

    def test_close_driver_handles_none_driver(self):
        """close_driver() should handle case where driver is None."""
+        import api.attack_paths.database as db_module
+
        db_module._driver = None

        # Should not raise
@@ -247,6 +229,8 @@ class TestCloseDriver:

    def test_close_driver_clears_driver_even_on_close_error(self):
        """Driver should be cleared even if close() raises an exception."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        mock_driver.close.side_effect = Exception("Connection error")
        db_module._driver = mock_driver
@@ -262,6 +246,8 @@ class TestExecuteReadQuery:
    """Test read query execution helper."""

    def test_execute_read_query_calls_read_session_and_returns_result(self):
+        import api.attack_paths.database as db_module
+
        tx = MagicMock()
        expected_graph = MagicMock()
        run_result = MagicMock()
@@ -303,6 +289,8 @@ class TestExecuteReadQuery:
        assert result is expected_graph

    def test_execute_read_query_defaults_parameters_to_empty_dict(self):
+        import api.attack_paths.database as db_module
+
        tx = MagicMock()
        run_result = MagicMock()
        run_result.graph.return_value = MagicMock()
@@ -337,6 +325,8 @@ class TestGetSessionReadOnly:

    @pytest.fixture(autouse=True)
    def reset_module_state(self):
+        import api.attack_paths.database as db_module
+
        original_driver = db_module._driver
        db_module._driver = None
        yield
@@ -351,6 +341,8 @@ class TestGetSessionReadOnly:
    )
    def test_get_session_raises_write_query_not_allowed(self, neo4j_code):
        """Read-mode Neo4j errors should raise `WriteQueryNotAllowedException`."""
+        import api.attack_paths.database as db_module
+
        mock_session = MagicMock()
        neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
            code=neo4j_code,
@@ -370,6 +362,8 @@ class TestGetSessionReadOnly:

    def test_get_session_raises_generic_exception_for_other_errors(self):
        """Non-read-mode Neo4j errors should raise GraphDatabaseQueryException."""
+        import api.attack_paths.database as db_module
+
        mock_session = MagicMock()
        neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
            code="Neo.ClientError.Statement.SyntaxError",
@@ -394,6 +388,8 @@ class TestThreadSafety:
    @pytest.fixture(autouse=True)
    def reset_module_state(self):
        """Reset module-level singleton state before each test."""
+        import api.attack_paths.database as db_module
+
        original_driver = db_module._driver

        db_module._driver = None
@@ -408,6 +404,8 @@ class TestThreadSafety:
        self, mock_driver_factory, mock_settings
    ):
        """Multiple threads calling init_driver() should create only one driver."""
+        import api.attack_paths.database as db_module
+
        mock_driver = MagicMock()
        mock_driver_factory.return_value = mock_driver
        mock_settings.DATABASES = {
@@ -450,6 +448,8 @@ class TestHasProviderData:
    """Test has_provider_data helper for checking provider nodes in Neo4j."""

    def test_returns_true_when_nodes_exist(self):
+        import api.attack_paths.database as db_module
+
        mock_session = MagicMock()
        mock_result = MagicMock()
        mock_result.single.return_value = MagicMock()  # non-None record
@@ -468,6 +468,8 @@ class TestHasProviderData:
        mock_session.run.assert_called_once()

    def test_returns_false_when_no_nodes(self):
+        import api.attack_paths.database as db_module
+
        mock_session = MagicMock()
        mock_result = MagicMock()
        mock_result.single.return_value = None
@@ -484,6 +486,8 @@ class TestHasProviderData:
            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is False

    def test_returns_false_when_database_not_found(self):
+        import api.attack_paths.database as db_module
+
        session_ctx = MagicMock()
        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
            message="Database does not exist",
@@ -499,6 +503,8 @@ class TestHasProviderData:
            )

    def test_raises_on_other_errors(self):
+        import api.attack_paths.database as db_module
+
        session_ctx = MagicMock()
        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
            message="Connection refused",
@@ -1,18 +1,13 @@
 from unittest.mock import MagicMock, patch

-import pytest
-
-from api import compliance as compliance_module
 from api.compliance import (
    generate_compliance_overview_template,
    generate_scan_compliance,
-    get_compliance_frameworks,
    get_prowler_provider_checks,
    get_prowler_provider_compliance,
    load_prowler_checks,
 )
 from api.models import Provider
-from prowler.lib.check.compliance_models import Compliance


 class TestCompliance:
@@ -255,58 +250,3 @@ class TestCompliance:
        }

        assert template == expected_template
-
-
-@pytest.fixture
-def reset_compliance_cache():
-    """Reset the module-level cache so each test starts cold."""
-    previous = dict(compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS)
-    compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
-    try:
-        yield
-    finally:
-        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
-        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.update(previous)
-
-
-class TestGetComplianceFrameworks:
-    def test_returns_keys_from_compliance_get_bulk(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {
-                "cis_1.4_aws": MagicMock(),
-                "mitre_attack_aws": MagicMock(),
-            }
-            result = get_compliance_frameworks(Provider.ProviderChoices.AWS)
-
-        assert sorted(result) == ["cis_1.4_aws", "mitre_attack_aws"]
-        mock_compliance.get_bulk.assert_called_once_with(Provider.ProviderChoices.AWS)
-
-    def test_caches_result_per_provider(self, reset_compliance_cache):
-        with patch("api.compliance.Compliance") as mock_compliance:
-            mock_compliance.get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
-            get_compliance_frameworks(Provider.ProviderChoices.AWS)
-            get_compliance_frameworks(Provider.ProviderChoices.AWS)
-
-        # Cached after first call.
-        assert mock_compliance.get_bulk.call_count == 1
-
-    @pytest.mark.parametrize(
-        "provider_type",
-        [choice.value for choice in Provider.ProviderChoices],
-    )
-    def test_listing_is_subset_of_bulk(self, reset_compliance_cache, provider_type):
-        """Regression for CLOUD-API-40S: every name returned by
-        ``get_compliance_frameworks`` must be loadable via ``Compliance.get_bulk``.
-
-        A divergence here is what produced ``KeyError: 'csa_ccm_4.0'`` in
-        ``generate_outputs_task`` after universal/multi-provider compliance
-        JSONs were introduced at the top-level ``prowler/compliance/`` path.
-        """
-        bulk_keys = set(Compliance.get_bulk(provider_type).keys())
-        listed = set(get_compliance_frameworks(provider_type))
-
-        missing = listed - bulk_keys
-        assert not missing, (
-            f"get_compliance_frameworks({provider_type!r}) returned names not "
-            f"loadable by Compliance.get_bulk: {sorted(missing)}"
-        )
@@ -1,445 +0,0 @@
-"""Tests for the health endpoints.
-
-Cover the IETF response envelope, status code mapping (200 / 503), the
-``application/health+json`` media type and per-probe failure modes.
-"""
-
-from unittest.mock import patch
-
-import pytest
-from config import version as config_version
-from django.core.cache import cache
-from django.urls import reverse
-from rest_framework import status
-from rest_framework.test import APIClient
-
-from api import health
-
-
-HEALTH_MEDIA_TYPE = "application/health+json"
-
-
-@pytest.fixture(autouse=True)
-def _reset_health_state():
-    """Per-test isolation: clear throttle counters and the readiness cache.
-
-    DRF's ScopedRateThrottle persists state in Django's cache; without
-    clearing it the throttle budget would be shared across tests and trip
-    midway through the suite.
-    """
-    cache.clear()
-    health._readiness_cache = None
-    yield
-    cache.clear()
-    health._readiness_cache = None
-
-
-@pytest.fixture
-def api_client():
-    return APIClient()
-
-
-def _assert_health_envelope(body):
-    """Every health response must carry the RFC top-level descriptors."""
-    assert body["version"] == config_version.API_VERSION
-    assert body["releaseId"] == config_version.RELEASE_ID
-    assert body["serviceId"] == health.SERVICE_ID
-    assert body["description"] == health.SERVICE_DESCRIPTION
-
-
-class TestLivenessEndpoint:
-    def test_returns_200_with_pass_status(self, api_client):
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-        body = response.json()
-        assert body["status"] == "pass"
-        _assert_health_envelope(body)
-
-    def test_does_not_require_authentication(self, api_client):
-        api_client.credentials()
-
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-    def test_does_not_run_dependency_checks(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as mock_pg,
-            patch("api.health._probe_valkey") as mock_vk,
-            patch("api.health._probe_neo4j") as mock_neo,
-        ):
-            response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        mock_pg.assert_not_called()
-        mock_vk.assert_not_called()
-        mock_neo.assert_not_called()
-
-
-class TestReadinessEndpoint:
-    @staticmethod
-    def _patch_probes():
-        return (
-            patch("api.health._probe_postgres", return_value=None),
-            patch("api.health._probe_valkey", return_value=None),
-            patch("api.health._probe_neo4j", return_value=None),
-        )
-
-    def test_returns_200_and_pass_when_all_dependencies_healthy(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-
-        body = response.json()
-        _assert_health_envelope(body)
-        assert body["status"] == "pass"
-
-        # Per RFC, `checks` values are arrays of one or more measurement
-        # objects. We use a single measurement per dependency.
-        assert set(body["checks"].keys()) == {
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        }
-        for key in body["checks"]:
-            entries = body["checks"][key]
-            assert isinstance(entries, list) and len(entries) == 1
-            entry = entries[0]
-            assert entry["status"] == "pass"
-            assert entry["componentType"] == "datastore"
-            assert entry["observedUnit"] == "ms"
-            assert isinstance(entry["observedValue"], (int, float))
-            assert entry["observedValue"] >= 0
-            assert "time" in entry
-            # `output` must not leak when the check passed.
-            assert "output" not in entry
-
-    def test_returns_503_and_fail_when_postgres_is_down(self, api_client):
-        with (
-            patch(
-                "api.health._probe_postgres",
-                side_effect=RuntimeError("connection refused"),
-            ),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        pg_entry = body["checks"]["postgres:responseTime"][0]
-        assert pg_entry["status"] == "fail"
-        # Exception detail is never echoed in the response, only logged.
-        assert "output" not in pg_entry
-        assert body["checks"]["valkey:responseTime"][0]["status"] == "pass"
-        assert body["checks"]["neo4j:responseTime"][0]["status"] == "pass"
-
-    def test_returns_503_and_fail_when_valkey_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey", side_effect=ConnectionError("timeout")),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        vk_entry = body["checks"]["valkey:responseTime"][0]
-        assert vk_entry["status"] == "fail"
-        assert "output" not in vk_entry
-
-    def test_returns_503_and_fail_when_neo4j_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch(
-                "api.health._probe_neo4j",
-                side_effect=RuntimeError("ServiceUnavailable"),
-            ),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        neo_entry = body["checks"]["neo4j:responseTime"][0]
-        assert neo_entry["status"] == "fail"
-        assert "output" not in neo_entry
-
-    def test_reports_all_failures_simultaneously(self, api_client):
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("pg down")),
-            patch("api.health._probe_valkey", side_effect=RuntimeError("vk down")),
-            patch("api.health._probe_neo4j", side_effect=RuntimeError("neo down")),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        for key in (
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        ):
-            entry = body["checks"][key][0]
-            assert entry["status"] == "fail"
-            # No dependency-specific error string leaks into the payload.
-            assert "output" not in entry
-
-    def test_does_not_leak_exception_detail_on_failure(self, api_client):
-        # Sanity check: an exception message resembling infra detail
-        # (host, port, credentials) must not surface in the response under
-        # any field.
-        sensitive = (
-            "connection to server at "
-            '"postgres-rw.prod.svc.cluster.local" (10.0.0.5), port 5432 '
-            'failed: FATAL: password authentication failed for user "prowler_user"'
-        )
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError(sensitive)),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        body = response.json()
-        assert "output" not in body["checks"]["postgres:responseTime"][0]
-        payload_text = response.content.decode()
-        for token in (
-            "postgres-rw",
-            "10.0.0.5",
-            "5432",
-            "prowler_user",
-            "password authentication failed",
-        ):
-            assert token not in payload_text
-
-    def test_does_not_require_authentication(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.credentials()
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-
-class TestReadinessCache:
-    """In-process cache caps the rate at which real probes hit the deps."""
-
-    def test_result_is_cached_for_ttl_seconds(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey") as vk,
-            patch("api.health._probe_neo4j") as neo,
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_200_OK
-        assert r2.status_code == status.HTTP_200_OK
-        # Second request must not trigger fresh dep checks within the TTL.
-        assert pg.call_count == 1
-        assert vk.call_count == 1
-        assert neo.call_count == 1
-        # The cached payload is returned verbatim (same timestamps too).
-        assert r1.json() == r2.json()
-
-    def test_re_probes_after_cache_ttl_expires(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.get(reverse("health-ready"))
-            assert pg.call_count == 1
-
-            # Rewind the cached timestamp past the TTL so the next request
-            # is forced to recompute.
-            cached_ts, payload, http_status_code = health._readiness_cache
-            health._readiness_cache = (
-                cached_ts - health.READINESS_CACHE_TTL_SECONDS - 0.1,
-                payload,
-                http_status_code,
-            )
-            api_client.get(reverse("health-ready"))
-
-        assert pg.call_count == 2
-
-    def test_cache_persists_a_failing_result(self, api_client):
-        # A failing readiness result is cached too; this is intentional so
-        # an attacker spamming the endpoint during an outage cannot amplify
-        # the dependency load.
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("down")) as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert r2.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert pg.call_count == 1
-
-
-class TestRateLimiting:
-    """The endpoints are unauthenticated and exposed; per-IP throttle caps
-    naive single-source floods."""
-
-    def test_live_blocks_after_budget_exhausted(self, api_client):
-        # Shrink the budget to 3 req per window so the test stays fast and
-        # deterministic. parse_rate runs once per throttle instance and
-        # each request gets a fresh instance, so this patch propagates.
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with patch.object(ScopedRateThrottle, "parse_rate", return_value=(3, 60)):
-            statuses = [
-                api_client.get(reverse("health-live")).status_code for _ in range(4)
-            ]
-
-        assert statuses[:3] == [status.HTTP_200_OK] * 3
-        assert statuses[3] == status.HTTP_429_TOO_MANY_REQUESTS
-
-    def test_ready_blocks_after_budget_exhausted(self, api_client):
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-            patch.object(ScopedRateThrottle, "parse_rate", return_value=(2, 60)),
-        ):
-            statuses = [
-                api_client.get(reverse("health-ready")).status_code for _ in range(3)
-            ]
-
-        assert statuses[:2] == [status.HTTP_200_OK] * 2
-        assert statuses[2] == status.HTTP_429_TOO_MANY_REQUESTS
-
-
-class TestProbeImplementations:
-    """Smoke tests for each probe primitive."""
-
-    @pytest.mark.django_db
-    def test_postgres_probe_succeeds_against_real_db(self):
-        assert health._probe_postgres() is None
-
-    def test_postgres_probe_propagates_db_errors(self):
-        class _BoomCursor:
-            def __enter__(self):
-                return self
-
-            def __exit__(self, *_):
-                return False
-
-            def execute(self, *_args, **_kwargs):
-                raise RuntimeError("boom")
-
-            def fetchone(self):  # pragma: no cover - never reached
-                return None
-
-        with patch("api.health.connections") as mock_connections:
-            mock_connections.__getitem__.return_value.cursor.return_value = (
-                _BoomCursor()
-            )
-            with pytest.raises(RuntimeError, match="boom"):
-                health._probe_postgres()
-
-    def test_valkey_probe_succeeds_when_ping_returns_true(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = True
-            assert health._probe_valkey() is None
-
-    def test_valkey_probe_raises_when_ping_returns_false(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = False
-            with pytest.raises(RuntimeError, match="PING"):
-                health._probe_valkey()
-
-    def test_valkey_probe_propagates_connection_errors(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.side_effect = ConnectionError("nope")
-            with pytest.raises(ConnectionError, match="nope"):
-                health._probe_valkey()
-
-    def test_valkey_probe_suppresses_redis_error_on_close(self):
-        # A redis-py-level failure releasing the socket must not mask a
-        # successful PING (best-effort cleanup contract).
-        import redis as redis_pkg
-
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = redis_pkg.RedisError("connection reset")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_suppresses_oserror_on_close(self):
-        # Socket-layer failures (OSError family) on close are also part of
-        # the swallowed scope.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = OSError("EBADF")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_lets_unexpected_close_errors_propagate(self):
-        # The suppress() is deliberately narrow: anything outside
-        # (redis.RedisError, OSError) must surface so it is not silently
-        # hidden.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = RuntimeError("bug")
-
-            with pytest.raises(RuntimeError, match="bug"):
-                health._probe_valkey()
-
-    def test_neo4j_probe_calls_verify_connectivity(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.return_value = None
-            assert health._probe_neo4j() is None
-            mock_get_driver.return_value.verify_connectivity.assert_called_once_with()
-
-    def test_neo4j_probe_propagates_driver_errors(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.side_effect = RuntimeError(
-                "unreachable"
-            )
-            with pytest.raises(RuntimeError, match="unreachable"):
-                health._probe_neo4j()
-
-
-class TestStatusAggregation:
-    def test_pass_when_all_checks_pass(self):
-        entries = [{"status": "pass"}, {"status": "pass"}]
-        assert health._aggregate_status(entries) == "pass"
-
-    def test_warn_when_any_check_warns_and_none_fail(self):
-        entries = [{"status": "pass"}, {"status": "warn"}]
-        assert health._aggregate_status(entries) == "warn"
-
-    def test_fail_when_any_check_fails(self):
-        entries = [{"status": "pass"}, {"status": "warn"}, {"status": "fail"}]
-        assert health._aggregate_status(entries) == "fail"
@@ -1,40 +0,0 @@
-"""Drift checks for the API version constants.
-
-Guarantee that ``config.version`` always reflects the canonical
-``[project].version`` declared in ``api/pyproject.toml``.
-"""
-
-import tomllib
-from pathlib import Path
-
-import pytest
-from config import version as config_version
-
-
-@pytest.fixture(scope="module")
-def pyproject_data():
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        if data.get("project", {}).get("name") == "prowler-api":
-            return data
-    raise AssertionError("api/pyproject.toml not reachable from the test runner")
-
-
-def test_release_id_matches_pyproject(pyproject_data):
-    assert config_version.RELEASE_ID == pyproject_data["project"]["version"]
-
-
-def test_api_version_is_major_of_release_id():
-    assert config_version.API_VERSION == config_version.RELEASE_ID.split(".", 1)[0]
-    assert config_version.API_VERSION.isdigit()
-
-
-def test_api_version_matches_v1_url_prefix():
-    # The public contract version surfaced in the health payload must match
-    # the URL namespace the API is published under.
-    assert config_version.API_VERSION == "1"
@@ -32,11 +32,6 @@ from django_celery_results.models import TaskResult
 from rest_framework import status
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
-from rest_framework_simplejwt.token_blacklist.models import (
-    BlacklistedToken,
-    OutstandingToken,
-)
-from rest_framework_simplejwt.tokens import RefreshToken

 from api.attack_paths import (
    AttackPathsQueryDefinition,
@@ -52,7 +47,6 @@ from api.models import (
    Finding,
    Integration,
    Invitation,
-    InvitationRoleRelationship,
    LighthouseProviderConfiguration,
    LighthouseProviderModels,
    LighthouseTenantConfiguration,
@@ -63,7 +57,6 @@ from api.models import (
    ProviderGroupMembership,
    ProviderSecret,
    Resource,
-    ResourceFindingMapping,
    Role,
    RoleProviderGroupRelationship,
    SAMLConfiguration,
@@ -752,39 +745,6 @@ class TestTenantViewSet:
        # Test user + 2 extra users for tenant 2
        assert len(response.json()["data"]) == 3

-    def test_tenants_list_memberships_filter_by_user(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        _, tenant2, _ = tenants_fixture
-        _, user3_membership = extra_users
-        user3, membership3 = user3_membership
-
-        response = authenticated_client.get(
-            reverse("tenant-membership-list", kwargs={"tenant_pk": tenant2.id}),
-            {"filter[user]": str(user3.id)},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        assert data[0]["id"] == str(membership3.id)
-
-    def test_tenants_list_memberships_filter_by_user_no_match(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        _, tenant2, _ = tenants_fixture
-        unrelated_user = User.objects.create_user(
-            name="unrelated",
-            password=TEST_PASSWORD,
-            email="unrelated@gmail.com",
-        )
-
-        response = authenticated_client.get(
-            reverse("tenant-membership-list", kwargs={"tenant_pk": tenant2.id}),
-            {"filter[user]": str(unrelated_user.id)},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert response.json()["data"] == []
-
    def test_tenants_list_memberships_as_member(
        self, authenticated_client, tenants_fixture, extra_users
    ):
@@ -842,7 +802,6 @@ class TestTenantViewSet:
    ):
        _, tenant2, _ = tenants_fixture
        user_membership = Membership.objects.get(tenant=tenant2, user__email=TEST_USER)
-        user_id = user_membership.user_id
        response = authenticated_client.delete(
            reverse(
                "tenant-membership-detail",
@@ -851,127 +810,6 @@ class TestTenantViewSet:
        )
        assert response.status_code == status.HTTP_403_FORBIDDEN
        assert Membership.objects.filter(id=user_membership.id).exists()
-        assert User.objects.filter(id=user_id).exists()
-
-    def test_expel_user_deletes_account_if_last_membership(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        # TEST_USER is OWNER of tenant2; user3 is MEMBER only in tenant2
-        _, tenant2, _ = tenants_fixture
-        _, user3_membership = extra_users
-        user3, membership3 = user3_membership
-
-        assert Membership.objects.filter(user=user3).count() == 1
-
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership3.id},
-            )
-        )
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-        assert not Membership.objects.filter(id=membership3.id).exists()
-        assert not User.objects.filter(id=user3.id).exists()
-
-    def test_expel_user_blacklists_refresh_tokens(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        _, tenant2, _ = tenants_fixture
-        _, user3_membership = extra_users
-        user3, membership3 = user3_membership
-
-        # Issue two refresh tokens to simulate active sessions
-        RefreshToken.for_user(user3)
-        RefreshToken.for_user(user3)
-        outstanding_ids = list(
-            OutstandingToken.objects.filter(user=user3).values_list("id", flat=True)
-        )
-        assert len(outstanding_ids) == 2
-        assert not BlacklistedToken.objects.filter(
-            token_id__in=outstanding_ids
-        ).exists()
-
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership3.id},
-            )
-        )
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-        assert (
-            BlacklistedToken.objects.filter(token_id__in=outstanding_ids).count() == 2
-        )
-
-    def test_expel_user_blacklists_refresh_tokens_is_idempotent(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        # Regression test for the bulk blacklisting path: if one of the
-        # user's refresh tokens is already blacklisted when the expel
-        # endpoint runs, the remaining tokens must still be blacklisted
-        # and the already-blacklisted one must not be duplicated.
-        tenant1, tenant2, _ = tenants_fixture
-        _, user3_membership = extra_users
-        user3, membership3 = user3_membership
-
-        # Keep the user alive after the expel so the assertions below can
-        # still query OutstandingToken by user_id.
-        Membership.objects.create(
-            user=user3,
-            tenant=tenant1,
-            role=Membership.RoleChoices.MEMBER,
-        )
-
-        RefreshToken.for_user(user3)
-        RefreshToken.for_user(user3)
-        outstanding_ids = list(
-            OutstandingToken.objects.filter(user=user3).values_list("id", flat=True)
-        )
-        assert len(outstanding_ids) == 2
-
-        # Pre-blacklist one of the two tokens to simulate a prior revocation.
-        BlacklistedToken.objects.create(token_id=outstanding_ids[0])
-        assert (
-            BlacklistedToken.objects.filter(token_id__in=outstanding_ids).count() == 1
-        )
-
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership3.id},
-            )
-        )
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-
-        blacklisted = BlacklistedToken.objects.filter(token_id__in=outstanding_ids)
-        assert blacklisted.count() == 2
-        assert set(blacklisted.values_list("token_id", flat=True)) == set(
-            outstanding_ids
-        )
-
-    def test_expel_user_keeps_account_if_has_other_memberships(
-        self, authenticated_client, tenants_fixture, extra_users
-    ):
-        tenant1, tenant2, _ = tenants_fixture
-        _, user3_membership = extra_users
-        user3, membership3 = user3_membership
-
-        # Give user3 an additional membership in tenant1 so they are not orphaned
-        other_membership = Membership.objects.create(
-            user=user3,
-            tenant=tenant1,
-            role=Membership.RoleChoices.MEMBER,
-        )
-
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership3.id},
-            )
-        )
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-        assert not Membership.objects.filter(id=membership3.id).exists()
-        assert User.objects.filter(id=user3.id).exists()
-        assert Membership.objects.filter(id=other_membership.id).exists()

    def test_tenants_delete_another_membership_as_owner(
        self, authenticated_client, tenants_fixture, extra_users
@@ -1043,128 +881,6 @@ class TestTenantViewSet:
        assert response.status_code == status.HTTP_404_NOT_FOUND
        assert Membership.objects.filter(id=other_membership.id).exists()

-    def test_delete_membership_cleans_up_orphaned_role_grants(
-        self, authenticated_client, tenants_fixture
-    ):
-        """Test that deleting a membership removes UserRoleRelationship records
-        for that tenant while preserving grants in other tenants."""
-        tenant1, tenant2, _ = tenants_fixture
-
-        # Create a user with memberships in both tenants
-        user = User.objects.create_user(
-            name="Multi-tenant User",
-            password=TEST_PASSWORD,
-            email="multitenant@test.com",
-        )
-
-        # Create memberships in both tenants
-        Membership.objects.create(
-            user=user, tenant=tenant1, role=Membership.RoleChoices.MEMBER
-        )
-        membership2 = Membership.objects.create(
-            user=user, tenant=tenant2, role=Membership.RoleChoices.MEMBER
-        )
-
-        # Create roles in both tenants
-        role1 = Role.objects.create(
-            name="Test Role 1", tenant=tenant1, manage_providers=True
-        )
-        role2 = Role.objects.create(
-            name="Test Role 2", tenant=tenant2, manage_scans=True
-        )
-
-        # Create user role relationships for both tenants
-        UserRoleRelationship.objects.create(user=user, role=role1, tenant=tenant1)
-        UserRoleRelationship.objects.create(user=user, role=role2, tenant=tenant2)
-
-        # Verify initial state
-        assert UserRoleRelationship.objects.filter(user=user, tenant=tenant1).exists()
-        assert UserRoleRelationship.objects.filter(user=user, tenant=tenant2).exists()
-        assert Role.objects.filter(id=role1.id).exists()
-        assert Role.objects.filter(id=role2.id).exists()
-
-        # Delete membership from tenant2 (authenticated user is owner of tenant2)
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership2.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-
-        # Verify the membership was deleted
-        assert not Membership.objects.filter(id=membership2.id).exists()
-
-        # Verify UserRoleRelationship for tenant2 was deleted
-        assert not UserRoleRelationship.objects.filter(
-            user=user, tenant=tenant2
-        ).exists()
-
-        # Verify UserRoleRelationship for tenant1 is preserved
-        assert UserRoleRelationship.objects.filter(user=user, tenant=tenant1).exists()
-
-        # Verify orphaned role2 was deleted (no more user or invitation relationships)
-        assert not Role.objects.filter(id=role2.id).exists()
-
-        # Verify role1 is preserved (still has user relationship)
-        assert Role.objects.filter(id=role1.id).exists()
-
-        # Verify the user still exists (has other memberships)
-        assert User.objects.filter(id=user.id).exists()
-
-    def test_delete_membership_preserves_role_with_invitation_relationship(
-        self, authenticated_client, tenants_fixture
-    ):
-        """Test that roles are not deleted if they have invitation relationships."""
-        _, tenant2, _ = tenants_fixture
-
-        # Create a user with membership
-        user = User.objects.create_user(
-            name="Test User", password=TEST_PASSWORD, email="testuser@test.com"
-        )
-        membership = Membership.objects.create(
-            user=user, tenant=tenant2, role=Membership.RoleChoices.MEMBER
-        )
-
-        # Create a role and user relationship
-        role = Role.objects.create(
-            name="Shared Role", tenant=tenant2, manage_providers=True
-        )
-        UserRoleRelationship.objects.create(user=user, role=role, tenant=tenant2)
-
-        # Create an invitation with the same role
-        invitation = Invitation.objects.create(email="pending@test.com", tenant=tenant2)
-        InvitationRoleRelationship.objects.create(
-            invitation=invitation, role=role, tenant=tenant2
-        )
-
-        # Verify initial state
-        assert UserRoleRelationship.objects.filter(user=user, role=role).exists()
-        assert InvitationRoleRelationship.objects.filter(
-            invitation=invitation, role=role
-        ).exists()
-        assert Role.objects.filter(id=role.id).exists()
-
-        # Delete the membership
-        response = authenticated_client.delete(
-            reverse(
-                "tenant-membership-detail",
-                kwargs={"tenant_pk": tenant2.id, "pk": membership.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_204_NO_CONTENT
-
-        # Verify UserRoleRelationship was deleted
-        assert not UserRoleRelationship.objects.filter(user=user, role=role).exists()
-
-        # Verify role is preserved because invitation relationship exists
-        assert Role.objects.filter(id=role.id).exists()
-        assert InvitationRoleRelationship.objects.filter(
-            invitation=invitation, role=role
-        ).exists()
-
    def test_tenants_list_no_permissions(
        self, authenticated_client_no_permissions_rbac, tenants_fixture
    ):
@@ -3841,14 +3557,9 @@ class TestScanViewSet:
            "prowler-output-123_threatscore_report.pdf",
        )

-        presigned_url = (
-            "https://test-bucket.s3.amazonaws.com/"
-            "tenant-id/scan-id/threatscore/prowler-output-123_threatscore_report.pdf"
-            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=300"
-        )
        mock_s3_client = Mock()
        mock_s3_client.list_objects_v2.return_value = {"Contents": [{"Key": pdf_key}]}
-        mock_s3_client.generate_presigned_url.return_value = presigned_url
+        mock_s3_client.get_object.return_value = {"Body": io.BytesIO(b"pdf-bytes")}

        mock_env_str.return_value = bucket
        mock_get_s3_client.return_value = mock_s3_client
@@ -3857,26 +3568,19 @@ class TestScanViewSet:
        url = reverse("scan-threatscore", kwargs={"pk": scan.id})
        response = authenticated_client.get(url)

-        assert response.status_code == status.HTTP_302_FOUND
-        assert response["Location"] == presigned_url
-        mock_s3_client.list_objects_v2.assert_called_once()
-        mock_s3_client.generate_presigned_url.assert_called_once_with(
-            "get_object",
-            Params={
-                "Bucket": bucket,
-                "Key": pdf_key,
-                "ResponseContentDisposition": (
-                    'attachment; filename="prowler-output-123_threatscore_report.pdf"'
-                ),
-                "ResponseContentType": "application/pdf",
-            },
-            ExpiresIn=300,
+        assert response.status_code == status.HTTP_200_OK
+        assert response["Content-Type"] == "application/pdf"
+        assert response["Content-Disposition"].endswith(
+            '"prowler-output-123_threatscore_report.pdf"'
        )
+        assert response.content == b"pdf-bytes"
+        mock_s3_client.list_objects_v2.assert_called_once()
+        mock_s3_client.get_object.assert_called_once_with(Bucket=bucket, Key=pdf_key)

    def test_report_s3_success(self, authenticated_client, scans_fixture, monkeypatch):
        """
-        When output_location is an S3 URL and the object exists,
-        the view should return a 302 redirect to a presigned S3 URL.
+        When output_location is an S3 URL and the S3 client returns the file successfully,
+        the view should return the ZIP file with HTTP 200 and proper headers.
        """
        scan = scans_fixture[0]
        bucket = "test-bucket"
@@ -3890,33 +3594,22 @@ class TestScanViewSet:
            type("env", (), {"str": lambda self, *args, **kwargs: "test-bucket"})(),
        )

-        presigned_url = (
-            "https://test-bucket.s3.amazonaws.com/report.zip"
-            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=300"
-        )
-
        class FakeS3Client:
-            def head_object(self, Bucket, Key):
+            def get_object(self, Bucket, Key):
                assert Bucket == bucket
                assert Key == key
-                return {}
-
-            def generate_presigned_url(self, ClientMethod, Params, ExpiresIn):
-                assert ClientMethod == "get_object"
-                assert Params["Bucket"] == bucket
-                assert Params["Key"] == key
-                assert Params["ResponseContentDisposition"] == (
-                    'attachment; filename="report.zip"'
-                )
-                assert ExpiresIn == 300
-                return presigned_url
+                return {"Body": io.BytesIO(b"s3 zip content")}

        monkeypatch.setattr("api.v1.views.get_s3_client", lambda: FakeS3Client())

        url = reverse("scan-report", kwargs={"pk": scan.id})
        response = authenticated_client.get(url)
-        assert response.status_code == status.HTTP_302_FOUND
-        assert response["Location"] == presigned_url
+        assert response.status_code == 200
+        expected_filename = os.path.basename("report.zip")
+        content_disposition = response.get("Content-Disposition")
+        assert content_disposition.startswith('attachment; filename="')
+        assert f'filename="{expected_filename}"' in content_disposition
+        assert response.content == b"s3 zip content"

    def test_report_s3_success_no_local_files(
        self, authenticated_client, scans_fixture, monkeypatch
@@ -4055,31 +3748,23 @@ class TestScanViewSet:
        )

        match_key = "path/compliance/mitre_attack_aws.csv"
-        presigned_url = (
-            "https://test-bucket.s3.amazonaws.com/path/compliance/mitre_attack_aws.csv"
-            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=300"
-        )

        class FakeS3Client:
            def list_objects_v2(self, Bucket, Prefix):
                return {"Contents": [{"Key": match_key}]}

-            def generate_presigned_url(self, ClientMethod, Params, ExpiresIn):
-                assert ClientMethod == "get_object"
-                assert Params["Key"] == match_key
-                assert Params["ResponseContentDisposition"] == (
-                    'attachment; filename="mitre_attack_aws.csv"'
-                )
-                assert ExpiresIn == 300
-                return presigned_url
+            def get_object(self, Bucket, Key):
+                return {"Body": io.BytesIO(b"ignored")}

        monkeypatch.setattr("api.v1.views.get_s3_client", lambda: FakeS3Client())

        framework = match_key.split("/")[-1].split(".")[0]
        url = reverse("scan-compliance", kwargs={"pk": scan.id, "name": framework})
        resp = authenticated_client.get(url)
-        assert resp.status_code == status.HTTP_302_FOUND
-        assert resp["Location"] == presigned_url
+        assert resp.status_code == status.HTTP_200_OK
+        cd = resp["Content-Disposition"]
+        assert cd.startswith('attachment; filename="')
+        assert cd.endswith('filename="mitre_attack_aws.csv"')

    def test_compliance_s3_not_found(
        self, authenticated_client, scans_fixture, monkeypatch
@@ -4144,51 +3829,6 @@ class TestScanViewSet:
            assert cd.startswith('attachment; filename="')
            assert cd.endswith(f'filename="{fname.name}"')

-    def test_cis_no_output(self, authenticated_client, scans_fixture):
-        """CIS PDF endpoint must 404 when the scan has no output_location."""
-        scan = scans_fixture[0]
-        scan.state = StateChoices.COMPLETED
-        scan.output_location = ""
-        scan.save()
-
-        url = reverse("scan-cis", kwargs={"pk": scan.id})
-        resp = authenticated_client.get(url)
-        assert resp.status_code == status.HTTP_404_NOT_FOUND
-        assert (
-            resp.json()["errors"]["detail"]
-            == "The scan has no reports, or the CIS report generation task has not started yet."
-        )
-
-    def test_cis_local_file(self, authenticated_client, scans_fixture, monkeypatch):
-        """CIS PDF endpoint must serve the latest generated PDF."""
-        scan = scans_fixture[0]
-        scan.state = StateChoices.COMPLETED
-
-        with tempfile.TemporaryDirectory() as tmp:
-            tmp_path = Path(tmp)
-            base = tmp_path / "reports"
-            cis_dir = base / "cis"
-            cis_dir.mkdir(parents=True, exist_ok=True)
-            fname = cis_dir / "prowler-output-aws-20260101000000_cis_report.pdf"
-            fname.write_bytes(b"%PDF-1.4 fake pdf")
-
-            scan.output_location = str(base / "scan.zip")
-            scan.save()
-
-            monkeypatch.setattr(
-                glob,
-                "glob",
-                lambda p: [str(fname)] if p.endswith("*_cis_report.pdf") else [],
-            )
-
-            url = reverse("scan-cis", kwargs={"pk": scan.id})
-            resp = authenticated_client.get(url)
-            assert resp.status_code == status.HTTP_200_OK
-            assert resp["Content-Type"] == "application/pdf"
-            cd = resp["Content-Disposition"]
-            assert cd.startswith('attachment; filename="')
-            assert cd.endswith(f'filename="{fname.name}"')
-
    @patch("api.v1.views.Task.objects.get")
    @patch("api.v1.views.TaskSerializer")
    def test__get_task_status_returns_none_if_task_not_executing(
@@ -4282,8 +3922,8 @@ class TestScanViewSet:
        scan.save()

        fake_client = MagicMock()
-        fake_client.head_object.side_effect = ClientError(
-            {"Error": {"Code": "NoSuchKey"}}, "HeadObject"
+        fake_client.get_object.side_effect = ClientError(
+            {"Error": {"Code": "NoSuchKey"}}, "GetObject"
        )
        mock_get_s3_client.return_value = fake_client

@@ -4306,8 +3946,8 @@ class TestScanViewSet:
        scan.save()

        fake_client = MagicMock()
-        fake_client.head_object.side_effect = ClientError(
-            {"Error": {"Code": "AccessDenied"}}, "HeadObject"
+        fake_client.get_object.side_effect = ClientError(
+            {"Error": {"Code": "AccessDenied"}}, "GetObject"
        )
        mock_get_s3_client.return_value = fake_client

@@ -15805,15 +15445,15 @@ class TestFindingGroupViewSet:
        # iam_password_policy has only PASS findings
        assert data[0]["attributes"]["status"] == "PASS"

-    def test_finding_groups_fully_muted_group_is_pass(
+    def test_finding_groups_fully_muted_group_reflects_underlying_status(
        self, authenticated_client, finding_groups_fixture
    ):
-        """A fully-muted group reports status=PASS and muted=True.
+        """A fully-muted group still surfaces its underlying status (no MUTED).

-        rds_encryption has 2 muted FAIL findings. Muted findings are treated
-        as resolved/accepted, so the group is no longer actionable and its
-        status must be PASS. The `muted` flag is True because every finding
-        in the group is muted.
+        rds_encryption has 2 muted FAIL findings, so the group must report
+        status=FAIL (the orthogonal `muted` boolean signals it isn't actionable).
+        The status×muted breakdown lets clients answer 'how many failing
+        findings are muted in this group'.
        """
        response = authenticated_client.get(
            reverse("finding-group-list"),
@@ -15823,9 +15463,9 @@ class TestFindingGroupViewSet:
        data = response.json()["data"]
        assert len(data) == 1
        attrs = data[0]["attributes"]
-        assert attrs["status"] == "PASS"
+        assert attrs["status"] == "FAIL"
        assert attrs["muted"] is True
-        assert attrs["fail_count"] == 0
+        assert attrs["fail_count"] == 2
        assert attrs["fail_muted_count"] == 2
        assert attrs["pass_muted_count"] == 0
        assert attrs["manual_muted_count"] == 0
@@ -15838,83 +15478,6 @@ class TestFindingGroupViewSet:
            == attrs["muted_count"]
        )

-    def test_finding_groups_status_ignores_muted_failures(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        scans_fixture,
-        resources_fixture,
-    ):
-        """Muted FAIL findings must not drive the aggregated status.
-
-        When a group mixes one non-muted PASS with one muted FAIL, the
-        actionable outcome is PASS: there are no unmuted failures left. The
-        aggregated `status` must reflect that (not FAIL), while `muted`
-        stays False because the group still has a non-muted finding.
-        """
-        tenant = tenants_fixture[0]
-        scan1, *_ = scans_fixture
-        resource1, *_ = resources_fixture
-
-        pass_finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            uid="fg_mixed_muted_pass",
-            scan=scan1,
-            delta=None,
-            status=Status.PASS,
-            severity=Severity.low,
-            impact=Severity.low,
-            check_id="mixed_muted_check",
-            check_metadata={
-                "CheckId": "mixed_muted_check",
-                "checktitle": "Mixed muted check",
-                "Description": "Fixture for muted status aggregation.",
-            },
-            first_seen_at="2024-01-11T00:00:00Z",
-            muted=False,
-        )
-        pass_finding.add_resources([resource1])
-
-        fail_muted_finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            uid="fg_mixed_muted_fail",
-            scan=scan1,
-            delta=None,
-            status=Status.FAIL,
-            severity=Severity.high,
-            impact=Severity.high,
-            check_id="mixed_muted_check",
-            check_metadata={
-                "CheckId": "mixed_muted_check",
-                "checktitle": "Mixed muted check",
-                "Description": "Fixture for muted status aggregation.",
-            },
-            first_seen_at="2024-01-12T00:00:00Z",
-            muted=True,
-        )
-        fail_muted_finding.add_resources([resource1])
-
-        # filter[region] forces finding-level aggregation so we exercise the
-        # raw-findings path without touching the daily summary fixture.
-        response = authenticated_client.get(
-            reverse("finding-group-list"),
-            {
-                "filter[inserted_at]": TODAY,
-                "filter[check_id]": "mixed_muted_check",
-                "filter[region]": "us-east-1",
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        attrs = data[0]["attributes"]
-        assert attrs["status"] == "PASS"
-        assert attrs["muted"] is False
-        assert attrs["pass_count"] == 1
-        assert attrs["fail_count"] == 0
-        assert attrs["fail_muted_count"] == 1
-        assert attrs["muted_count"] == 1
-
    def test_finding_groups_status_filter(
        self, authenticated_client, finding_groups_fixture
    ):
@@ -16467,36 +16030,6 @@ class TestFindingGroupViewSet:
        # s3_bucket_public_access has 2 findings with 2 different resources
        assert len(data) == 2

-    def test_resources_id_matches_resource_id_for_mapped_findings(
-        self, authenticated_client, finding_groups_fixture
-    ):
-        """Findings with a resource expose the resource id as row id (hot path contract)."""
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-resources", kwargs={"pk": "s3_bucket_public_access"}
-            ),
-            {"filter[inserted_at]": TODAY},
-        )
-
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data, "expected resources in response"
-
-        resource_ids = set(
-            ResourceFindingMapping.objects.filter(
-                finding__check_id="s3_bucket_public_access",
-            ).values_list("resource_id", flat=True)
-        )
-        finding_ids = set(
-            Finding.objects.filter(
-                check_id="s3_bucket_public_access",
-            ).values_list("id", flat=True)
-        )
-
-        returned_ids = {item["id"] for item in data}
-        assert returned_ids <= {str(rid) for rid in resource_ids}
-        assert returned_ids.isdisjoint({str(fid) for fid in finding_ids})
-
    def test_resources_fields(self, authenticated_client, finding_groups_fixture):
        """Test resource fields (uid, name, service, region, type) have valid values."""
        response = authenticated_client.get(
@@ -17513,57 +17046,6 @@ class TestFindingGroupViewSet:
        # Descending boolean: True (1) before False (0)
        assert muted_values == sorted(muted_values, reverse=True)

-    @pytest.mark.parametrize(
-        "endpoint_name", ["finding-group-list", "finding-group-latest"]
-    )
-    @pytest.mark.parametrize(
-        "sort_field",
-        [
-            "pass_muted_count",
-            "fail_muted_count",
-            "manual_muted_count",
-            "new_fail_count",
-            "new_fail_muted_count",
-            "new_pass_count",
-            "new_pass_muted_count",
-            "new_manual_count",
-            "new_manual_muted_count",
-            "changed_fail_count",
-            "changed_fail_muted_count",
-            "changed_pass_count",
-            "changed_pass_muted_count",
-            "changed_manual_count",
-            "changed_manual_muted_count",
-        ],
-    )
-    def test_finding_groups_sort_by_counter_fields(
-        self,
-        authenticated_client,
-        finding_groups_fixture,
-        endpoint_name,
-        sort_field,
-    ):
-        """All counter fields are accepted as sort parameters (asc and desc)."""
-        params = {"sort": f"-{sort_field}"}
-        if endpoint_name == "finding-group-list":
-            params["filter[inserted_at]"] = TODAY
-
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) > 0
-
-        desc_values = [item["attributes"][sort_field] for item in data]
-        assert desc_values == sorted(desc_values, reverse=True)
-
-        params["sort"] = sort_field
-        response = authenticated_client.get(reverse(endpoint_name), params)
-        assert response.status_code == status.HTTP_200_OK
-        asc_values = [
-            item["attributes"][sort_field] for item in response.json()["data"]
-        ]
-        assert asc_values == sorted(asc_values)
-
    @pytest.mark.parametrize(
        "endpoint_name", ["finding-group-list", "finding-group-latest"]
    )
@@ -17707,111 +17189,3 @@ class TestFindingGroupViewSet:
            attrs = item["attributes"]
            assert "finding_id" in attrs
            assert attrs["finding_id"] in rds_finding_ids
-
-    def test_latest_resources_picks_scan_by_completed_at_when_overlap(
-        self,
-        authenticated_client,
-        tenants_fixture,
-        providers_fixture,
-        resources_fixture,
-    ):
-        """Overlapping scans on the same provider must resolve to the scan
-        with the latest completed_at, matching the /latest summary path and
-        the daily-summary upsert (keyed on midnight(completed_at)). Picking
-        by inserted_at here produced /resources and /latest reading from
-        different scans and reporting diverging delta/new counts.
-        """
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        resource = resources_fixture[0]
-        check_id = "overlap_regression_check"
-
-        t0 = datetime.now(timezone.utc) - timedelta(hours=5)
-        t1 = t0 + timedelta(hours=1)
-        t1_end = t1 + timedelta(minutes=30)
-        t2 = t0 + timedelta(hours=4)
-
-        scan_long = Scan.objects.create(
-            name="long overlap scan",
-            provider=provider,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant_id=tenant.id,
-            started_at=t0,
-            completed_at=t2,
-        )
-        scan_short = Scan.objects.create(
-            name="short overlap scan",
-            provider=provider,
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.COMPLETED,
-            tenant_id=tenant.id,
-            started_at=t1,
-            completed_at=t1_end,
-        )
-        # inserted_at is auto_now_add so override with .update() to recreate
-        # the overlap shape: short scan inserted later but completed earlier.
-        Scan.all_objects.filter(pk=scan_long.pk).update(inserted_at=t0)
-        Scan.all_objects.filter(pk=scan_short.pk).update(inserted_at=t1)
-        scan_long.refresh_from_db()
-        scan_short.refresh_from_db()
-
-        assert scan_short.inserted_at > scan_long.inserted_at
-        assert scan_long.completed_at > scan_short.completed_at
-
-        long_finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            uid=f"{check_id}_long",
-            scan=scan_long,
-            delta=None,
-            status=Status.FAIL,
-            status_extended="long scan finding",
-            impact=Severity.high,
-            impact_extended="high",
-            severity=Severity.high,
-            raw_result={"status": Status.FAIL, "severity": Severity.high},
-            check_id=check_id,
-            check_metadata={
-                "CheckId": check_id,
-                "checktitle": "Overlap regression",
-                "Description": "Overlapping scan regression.",
-            },
-            first_seen_at=t0,
-            muted=False,
-        )
-        long_finding.add_resources([resource])
-
-        short_finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            uid=f"{check_id}_short",
-            scan=scan_short,
-            delta="new",
-            status=Status.FAIL,
-            status_extended="short scan finding",
-            impact=Severity.high,
-            impact_extended="high",
-            severity=Severity.high,
-            raw_result={"status": Status.FAIL, "severity": Severity.high},
-            check_id=check_id,
-            check_metadata={
-                "CheckId": check_id,
-                "checktitle": "Overlap regression",
-                "Description": "Overlapping scan regression.",
-            },
-            first_seen_at=t1,
-            muted=False,
-        )
-        short_finding.add_resources([resource])
-
-        response = authenticated_client.get(
-            reverse(
-                "finding-group-latest_resources",
-                kwargs={"check_id": check_id},
-            ),
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) == 1
-        attrs = data[0]["attributes"]
-        assert attrs["finding_id"] == str(long_finding.id)
-        assert attrs["delta"] is None
@@ -4225,11 +4225,10 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
    Serializer for Finding Group Resources - resources within a finding group.

    Returns individual resources with their current status, severity,
-    and timing information. Orphan findings (without any resource) expose the
-    finding id as `id` so the row stays identifiable in the UI.
+    and timing information.
    """

-    id = serializers.UUIDField(source="row_id")
+    id = serializers.UUIDField(source="resource_id")
    resource = serializers.SerializerMethodField()
    provider = serializers.SerializerMethodField()
    finding_id = serializers.UUIDField()
@@ -17,10 +17,8 @@ celery_app.config_from_object("django.conf:settings", namespace="CELERY")
 celery_app.conf.update(result_extended=True, result_expires=None)

 celery_app.conf.broker_transport_options = {
-    "visibility_timeout": BROKER_VISIBILITY_TIMEOUT,
-    "queue_order_strategy": "priority",
+    "visibility_timeout": BROKER_VISIBILITY_TIMEOUT
 }
-celery_app.conf.task_default_priority = 6
 celery_app.conf.result_backend_transport_options = {
    "visibility_timeout": BROKER_VISIBILITY_TIMEOUT
 }
@@ -118,8 +118,6 @@ REST_FRAMEWORK = {
        "attack-paths-custom-query": env(
            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
        ),
-        "health-live": env("DJANGO_THROTTLE_HEALTH_LIVE", default="120/min"),
-        "health-ready": env("DJANGO_THROTTLE_HEALTH_READY", default="60/min"),
    },
 }

@@ -15,7 +15,7 @@ from config.django.production import LOGGING as DJANGO_LOGGERS, DEBUG  # noqa: E
 from config.custom_logging import BackendLogger  # noqa: E402

 BIND_ADDRESS = env("DJANGO_BIND_ADDRESS", default="127.0.0.1")
-PORT = env("DJANGO_PORT", default=8080)
+PORT = env("DJANGO_PORT", default=8000)

 # Server settings
 bind = f"{BIND_ADDRESS}:{PORT}"
@@ -120,7 +120,6 @@ sentry_sdk.init(
    # see https://docs.sentry.io/platforms/python/data-management/data-collected/ for more info
    before_send=before_send,
    send_default_pii=True,
-    traces_sample_rate=env.float("DJANGO_SENTRY_TRACES_SAMPLE_RATE", default=0.02),
    _experiments={
        # Set continuous_profiling_auto_start to True
        # to automatically start the profiler on when
@@ -1,9 +1,5 @@
 from django.urls import include, path

-from api.health import LivenessView, ReadinessView
-
 urlpatterns = [
    path("api/v1/", include("api.v1.urls")),
-    path("health/live", LivenessView.as_view(), name="health-live"),
-    path("health/ready", ReadinessView.as_view(), name="health-ready"),
 ]
@@ -1,41 +0,0 @@
-"""Single source of truth for the API version.
-
-The semantic version is read once from ``api/pyproject.toml`` at module
-import; consumers (health payload, OpenAPI schema) read the resulting
-constants. Fails fast at boot if the file cannot be located, so a
-packaging mistake surfaces immediately rather than serving stale data.
-"""
-
-from __future__ import annotations
-
-import tomllib
-from pathlib import Path
-
-_PROJECT_NAME = "prowler-api"
-
-
-def _discover_release_id() -> str:
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        project = data.get("project") or {}
-        if project.get("name") != _PROJECT_NAME:
-            continue
-        version = project.get("version")
-        if not isinstance(version, str) or not version:
-            raise RuntimeError(
-                f"{candidate} declares an empty or invalid [project].version"
-            )
-        return version
-    raise RuntimeError(
-        f"Could not locate the {_PROJECT_NAME} pyproject.toml from {here}"
-    )
-
-
-RELEASE_ID: str = _discover_release_id()
-# Public contract major (e.g. "1"); matches the /api/v1/ namespace.
-API_VERSION: str = RELEASE_ID.split(".", 1)[0]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Prowler Bot	832b01ae2a	chore(api): Bump version to v1.24.1 (#10672 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-04-13 22:18:33 +02:00
Prowler Bot	51d821fd67	chore(release): Bump version to v5.23.1 (#10670 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-04-13 22:18:22 +02:00
Prowler Bot	25682479e3	docs: Update version to v5.23.0 (#10671 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-04-13 22:18:04 +02:00
Prowler Bot	9d48a894b1	chore(ui): Bump version to v5.23.1 (#10669 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>	2026-04-13 22:17:51 +02:00
Prowler Bot	43da3fb29e	chore(api): Update prowler dependency to v5.23 for release 5.23.0 (#10660 ) Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com> Co-authored-by: César Arroba <19954079+cesararroba@users.noreply.github.com>	2026-04-13 15:42:47 +02:00
Adrián Peña	e7a67eff5d	chore: update pyjwt (#10661 )	2026-04-13 15:26:22 +02:00