chore: merge master

fix(sdk): scope scan_id by provider and account
- Generate scan_id per provider account pair - Adjust OCSF scan_id test to cover multiple accounts
2026-06-10 13:32:44 +00:00 · 2026-02-26 19:13:58 +01:00 · 2026-02-26 19:05:32 +01:00 · 2026-02-26 17:16:51 +01:00
985 changed files with 8869 additions and 50757 deletions
@@ -26,26 +26,16 @@ runs:
      if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
-      env:
-        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      run: |
        BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
-        UPSTREAM="prowler-cloud/prowler"
-        if [ "$HEAD_REPO" != "$UPSTREAM" ]; then
-          echo "Fork PR detected (${HEAD_REPO}), rewriting VCS URL to fork"
-          sed -i "s|git+https://github.com/prowler-cloud/prowler\([^@]*\)@master|git+https://github.com/${HEAD_REPO}\1@$BRANCH_NAME|g" pyproject.toml
-        else
-          echo "Same-repo PR, using branch: $BRANCH_NAME"
-          sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml
-        fi
+        echo "Using branch: $BRANCH_NAME"
+        sed -i "s|\(git+https://github.com/prowler-cloud/prowler[^@]*\)@master|\1@$BRANCH_NAME|g" pyproject.toml

    - name: Install poetry
      shell: bash
      run: |
        python -m pip install --upgrade pip
-        pipx install poetry==${INPUTS_POETRY_VERSION}
-      env:
-        INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }}
+        pipx install poetry==${{ inputs.poetry-version }}

    - name: Update poetry.lock with latest Prowler commit
      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
@@ -26,18 +26,16 @@ runs:
      id: status
      shell: bash
      run: |
-        if [[ "${INPUTS_STEP_OUTCOME}" == "success" ]]; then
+        if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
          echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
          echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
-        elif [[ "${INPUTS_STEP_OUTCOME}" == "failure" ]]; then
+        elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
          echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
          echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
        else
          # No outcome provided - pending/in progress state
          echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
        fi
-      env:
-        INPUTS_STEP_OUTCOME: ${{ inputs.step-outcome }}

    - name: Send Slack notification (new message)
      if: inputs.update-ts == ''
@@ -69,11 +67,8 @@ runs:
      id: slack-notification
      shell: bash
      run: |
-        if [[ "${INPUTS_UPDATE_TS}" == "" ]]; then
-          echo "ts=${STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS}" >> $GITHUB_OUTPUT
+        if [[ "${{ inputs.update-ts }}" == "" ]]; then
+          echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT
        else
-          echo "ts=${INPUTS_UPDATE_TS}" >> $GITHUB_OUTPUT
+          echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT
        fi
-      env:
-        INPUTS_UPDATE_TS: ${{ inputs.update-ts }}
-        STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS: ${{ steps.slack-notification-post.outputs.ts }}
@@ -54,7 +54,7 @@ runs:
          trivy-db-${{ runner.os }}-

    - name: Run Trivy vulnerability scan (JSON)
-      uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
      with:
        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
        format: 'json'
@@ -63,11 +63,10 @@ runs:
        exit-code: '0'
        scanners: 'vuln'
        timeout: '5m'
-        version: 'v0.69.2'

    - name: Run Trivy vulnerability scan (SARIF)
      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
      with:
        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
        format: 'sarif'
@@ -76,7 +75,6 @@ runs:
        exit-code: '0'
        scanners: 'vuln'
        timeout: '5m'
-        version: 'v0.69.2'

    - name: Upload Trivy results to GitHub Security tab
      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
@@ -107,14 +105,11 @@ runs:

        echo "### 🔒 Container Security Scan" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Image:** \`${INPUTS_IMAGE_NAME}:${INPUTS_IMAGE_TAG}\`" >> $GITHUB_STEP_SUMMARY
+        echo "**Image:** \`${{ inputs.image-name }}:${{ inputs.image-tag }}\`" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "- 🔴 Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY
        echo "- 🟠 High: $HIGH" >> $GITHUB_STEP_SUMMARY
        echo "- **Total**: $TOTAL" >> $GITHUB_STEP_SUMMARY
-      env:
-        INPUTS_IMAGE_NAME: ${{ inputs.image-name }}
-        INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}

    - name: Comment scan results on PR
      if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
@@ -128,7 +123,7 @@ runs:
          const comment = require('./.github/scripts/trivy-pr-comment.js');

          // Unique identifier to find our comment
-          const marker = `<!-- trivy-scan-comment:${process.env.IMAGE_NAME} -->`;
+          const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
          const body = marker + '\n' + comment;

          // Find existing comment
@@ -164,9 +159,6 @@ runs:
      if: inputs.fail-on-critical == 'true' && steps.security-check.outputs.critical != '0'
      shell: bash
      run: |
-        echo "::error::Found ${STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL} critical vulnerabilities"
+        echo "::error::Found ${{ steps.security-check.outputs.critical }} critical vulnerabilities"
        echo "::warning::Please update packages or use a different base image"
        exit 1
-
-      env:
-        STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL: ${{ steps.security-check.outputs.critical }}
@@ -15,8 +15,6 @@ updates:
    labels:
      - "dependencies"
      - "pip"
-    cooldown:
-      default-days: 7

  # Dependabot Updates are temporary disabled - 2025/03/19
  # - package-ecosystem: "pip"
@@ -39,8 +37,6 @@ updates:
    labels:
      - "dependencies"
      - "github_actions"
-    cooldown:
-      default-days: 7

  # Dependabot Updates are temporary disabled - 2025/03/19
  # - package-ecosystem: "npm"
@@ -63,8 +59,6 @@ updates:
    labels:
      - "dependencies"
      - "docker"
-    cooldown:
-      default-days: 7

  # Dependabot Updates are temporary disabled - 2025/04/15
  # v4.6
@@ -1,350 +0,0 @@
-#!/usr/bin/env bash
-#
-# Test script for E2E test path resolution logic from ui-e2e-tests-v2.yml.
-# Validates that the shell logic correctly transforms E2E_TEST_PATHS into
-# Playwright-compatible paths.
-#
-# Usage: .github/scripts/test-e2e-path-resolution.sh
-
-set -euo pipefail
-
-# -- Colors ------------------------------------------------------------------
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# -- Counters ----------------------------------------------------------------
-TOTAL=0
-PASSED=0
-FAILED=0
-
-# -- Temp directory setup & cleanup ------------------------------------------
-TMPDIR_ROOT="$(mktemp -d)"
-trap 'rm -rf "$TMPDIR_ROOT"' EXIT
-
-# ---------------------------------------------------------------------------
-# create_test_tree DIR [SUBDIRS_WITH_TESTS...]
-#
-# Creates a fake ui/tests/ tree inside DIR.
-# All standard subdirs are created (empty).
-# For each name in SUBDIRS_WITH_TESTS, a fake .spec.ts file is placed inside.
-# ---------------------------------------------------------------------------
-create_test_tree() {
-  local base="$1"; shift
-  local all_subdirs=(
-    auth home invitations profile providers scans
-    setups sign-in-base sign-up attack-paths findings
-    compliance browse manage-groups roles users overview
-    integrations
-  )
-
-  for d in "${all_subdirs[@]}"; do
-    mkdir -p "${base}/tests/${d}"
-  done
-
-  # Populate requested subdirs with a fake test file
-  for d in "$@"; do
-    mkdir -p "${base}/tests/${d}"
-    touch "${base}/tests/${d}/example.spec.ts"
-  done
-}
-
-# ---------------------------------------------------------------------------
-# resolve_paths E2E_TEST_PATHS WORKING_DIR
-#
-# Extracted EXACT logic from .github/workflows/ui-e2e-tests-v2.yml lines 212-250.
-# Outputs space-separated TEST_PATHS, or "SKIP" if no tests found.
-# Must be run with WORKING_DIR as the cwd equivalent (we cd into it).
-# ---------------------------------------------------------------------------
-resolve_paths() {
-  local E2E_TEST_PATHS="$1"
-  local WORKING_DIR="$2"
-
-  (
-    cd "$WORKING_DIR"
-
-    # --- Line 212-214: strip ui/ prefix, strip **, deduplicate ---------------
-    TEST_PATHS="${E2E_TEST_PATHS}"
-    TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
-
-    # --- Line 216: drop setup helpers ----------------------------------------
-    TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/' || true)
-
-    # --- Lines 219-230: safety net for bare tests/ --------------------------
-    if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-      SPECIFIC_DIRS=""
-      for dir in tests/*/; do
-        [[ "$dir" == "tests/setups/" ]] && continue
-        SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-      done
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/' || true)
-      TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-      TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-    fi
-
-    # --- Lines 231-234: bail if empty ----------------------------------------
-    if [[ -z "$TEST_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Lines 236-245: filter dirs with no test files -----------------------
-    VALID_PATHS=""
-    while IFS= read -r p; do
-      [[ -z "$p" ]] && continue
-      if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-        VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-      fi
-    done <<< "$TEST_PATHS"
-    VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$')
-
-    # --- Lines 246-249: bail if all empty ------------------------------------
-    if [[ -z "$VALID_PATHS" ]]; then
-      echo "SKIP"
-      return
-    fi
-
-    # --- Line 250: final output (space-separated) ---------------------------
-    echo "$VALID_PATHS" | tr '\n' ' ' | sed 's/ $//'
-  )
-}
-
-# ---------------------------------------------------------------------------
-# run_test NAME INPUT EXPECTED_TYPE [EXPECTED_VALUE]
-#
-# EXPECTED_TYPE is one of:
-#   "contains <path>"  — output must contain this path
-#   "equals <value>"   — output must exactly equal this value
-#   "skip"             — expect SKIP (no runnable tests)
-#   "not_contains <p>" — output must NOT contain this path
-#
-# Multiple expectations can be specified by calling assert_* after run_test.
-# For convenience, run_test supports a single assertion inline.
-# ---------------------------------------------------------------------------
-CURRENT_RESULT=""
-CURRENT_TEST_NAME=""
-
-run_test() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  # Create a fresh temp tree per test
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  # Default populated dirs: scans, providers, auth, home, profile, sign-up, sign-in-base
-  create_test_tree "$test_dir" scans providers auth home profile sign-up sign-in-base
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-# Like run_test but lets caller specify which subdirs have test files.
-run_test_custom_tree() {
-  local name="$1"
-  local input="$2"
-  local expect_type="$3"
-  local expect_value="${4:-}"
-  shift 4
-  local populated_dirs=("$@")
-
-  TOTAL=$((TOTAL + 1))
-  CURRENT_TEST_NAME="$name"
-
-  local test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-  mkdir -p "$test_dir"
-
-  create_test_tree "$test_dir" "${populated_dirs[@]}"
-
-  CURRENT_RESULT=$(resolve_paths "$input" "$test_dir")
-
-  _check "$expect_type" "$expect_value"
-}
-
-_check() {
-  local expect_type="$1"
-  local expect_value="$2"
-
-  case "$expect_type" in
-    skip)
-      if [[ "$CURRENT_RESULT" == "SKIP" ]]; then
-        _pass
-      else
-        _fail "expected SKIP, got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    contains)
-      if [[ "$CURRENT_RESULT" == *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    not_contains)
-      if [[ "$CURRENT_RESULT" != *"$expect_value"* ]]; then
-        _pass
-      else
-        _fail "expected NOT to contain '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    equals)
-      if [[ "$CURRENT_RESULT" == "$expect_value" ]]; then
-        _pass
-      else
-        _fail "expected exactly '$expect_value', got: '$CURRENT_RESULT'"
-      fi
-      ;;
-    *)
-      _fail "unknown expect_type: $expect_type"
-      ;;
-  esac
-}
-
-_pass() {
-  PASSED=$((PASSED + 1))
-  printf '%b  PASS%b %s\n' "$GREEN" "$RESET" "$CURRENT_TEST_NAME"
-}
-
-_fail() {
-  FAILED=$((FAILED + 1))
-  printf '%b  FAIL%b %s\n' "$RED" "$RESET" "$CURRENT_TEST_NAME"
-  printf "        %s\n" "$1"
-}
-
-# ===========================================================================
-# TEST CASES
-# ===========================================================================
-
-echo ""
-printf '%bE2E Path Resolution Tests%b\n' "$BOLD" "$RESET"
-echo "=========================================="
-
-# 1. Normal single module
-run_test \
-  "1. Normal single module" \
-  "ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 2. Multiple modules
-run_test \
-  "2. Multiple modules — scans present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "2. Multiple modules — providers present" \
-  "ui/tests/scans/** ui/tests/providers/**" \
-  "contains" "tests/providers/"
-
-# 3. Broad pattern (many modules)
-run_test \
-  "3. Broad pattern — no bare tests/" \
-  "ui/tests/auth/** ui/tests/scans/** ui/tests/providers/** ui/tests/home/** ui/tests/profile/**" \
-  "not_contains" "tests/ "
-
-# 4. Empty directory
-run_test \
-  "4. Empty directory — skipped" \
-  "ui/tests/attack-paths/**" \
-  "skip"
-
-# 5. Mix of populated and empty dirs
-run_test \
-  "5. Mix populated+empty — scans present" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "5. Mix populated+empty — attack-paths absent" \
-  "ui/tests/scans/** ui/tests/attack-paths/**" \
-  "not_contains" "tests/attack-paths/"
-
-# 6. All empty directories
-run_test \
-  "6. All empty directories" \
-  "ui/tests/attack-paths/** ui/tests/findings/**" \
-  "skip"
-
-# 7. Setup paths filtered
-run_test \
-  "7. Setup paths filtered out" \
-  "ui/tests/setups/**" \
-  "skip"
-
-# 8. Bare tests/ from broad pattern — safety net expands
-run_test \
-  "8. Bare tests/ expands — scans present" \
-  "ui/tests/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "8. Bare tests/ expands — setups excluded" \
-  "ui/tests/**" \
-  "not_contains" "tests/setups/"
-
-# 9. Bare tests/ with all empty subdirs (only setups has files)
-run_test_custom_tree \
-  "9. Bare tests/ — only setups has files" \
-  "ui/tests/**" \
-  "skip" "" \
-  setups
-
-# 10. Duplicate paths
-run_test \
-  "10. Duplicate paths — deduplicated" \
-  "ui/tests/scans/** ui/tests/scans/**" \
-  "equals" "tests/scans/"
-
-# 11. Empty input
-TOTAL=$((TOTAL + 1))
-CURRENT_TEST_NAME="11. Empty input"
-test_dir="${TMPDIR_ROOT}/test_${TOTAL}"
-mkdir -p "$test_dir"
-create_test_tree "$test_dir" scans providers
-CURRENT_RESULT=$(resolve_paths "" "$test_dir")
-_check "skip" ""
-
-# 12. Trailing/leading whitespace
-run_test \
-  "12. Whitespace handling" \
-  "  ui/tests/scans/**  " \
-  "contains" "tests/scans/"
-
-# 13. Path without ui/ prefix
-run_test \
-  "13. Path without ui/ prefix" \
-  "tests/scans/**" \
-  "contains" "tests/scans/"
-
-# 14. Setup mixed with valid paths — only valid pass through
-run_test \
-  "14. Setups + valid — setups filtered" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "contains" "tests/scans/"
-
-run_test \
-  "14. Setups + valid — setups absent" \
-  "ui/tests/setups/** ui/tests/scans/**" \
-  "not_contains" "tests/setups/"
-
-# ===========================================================================
-# SUMMARY
-# ===========================================================================
-
-echo ""
-echo "=========================================="
-if [[ "$FAILED" -eq 0 ]]; then
-  printf '%b%bAll tests passed: %d/%d%b\n' "$GREEN" "$BOLD" "$PASSED" "$TOTAL" "$RESET"
-else
-  printf '%b%b%d/%d passed, %d FAILED%b\n' "$RED" "$BOLD" "$PASSED" "$TOTAL" "$FAILED" "$RESET"
-fi
-echo ""
-
-exit "$FAILED"
@@ -224,24 +224,8 @@ modules:
    tests:
      - api/src/backend/api/tests/test_views.py
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # API view changes can break UI
+      - ui/tests/**

  - name: api-serializers
    match:
@@ -250,24 +234,8 @@ modules:
    tests:
      - api/src/backend/api/tests/**
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Serializer changes affect API responses → UI
+      - ui/tests/**

  - name: api-filters
    match:
@@ -439,24 +407,8 @@ modules:
      - ui/components/ui/**
    tests: []
    e2e:
-      # All E2E test suites (explicit to avoid triggering auth setups in tests/setups/)
-      - ui/tests/auth/**
-      - ui/tests/sign-in/**
-      - ui/tests/sign-up/**
-      - ui/tests/sign-in-base/**
-      - ui/tests/scans/**
-      - ui/tests/providers/**
-      - ui/tests/findings/**
-      - ui/tests/compliance/**
-      - ui/tests/invitations/**
-      - ui/tests/roles/**
-      - ui/tests/users/**
-      - ui/tests/integrations/**
-      - ui/tests/resources/**
-      - ui/tests/profile/**
-      - ui/tests/lighthouse/**
-      - ui/tests/home/**
-      - ui/tests/attack-paths/**
+      # Shared components can affect any E2E
+      - ui/tests/**

  - name: ui-attack-paths
    match:
@@ -28,9 +28,7 @@ jobs:
      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Get current API version
        id: get_api_version
@@ -80,15 +78,13 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next API minor version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"

          # API version follows Prowler minor + 1
          # For Prowler 5.17.0 -> API 1.18.0
@@ -101,10 +97,6 @@ jobs:
          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
          echo "Current API version: $CURRENT_API_VERSION"
          echo "Next API minor version (for master): $NEXT_API_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}

      - name: Bump API versions in files for master
        run: |
@@ -118,7 +110,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,16 +129,15 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false

      - name: Calculate first API patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}

          # API version follows Prowler minor + 1
@@ -160,10 +151,6 @@ jobs:
          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}

      - name: Bump API versions in files for version branch
        run: |
@@ -177,7 +164,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,16 +192,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next API patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
+          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}

          # Extract current API patch to increment it
@@ -237,11 +222,6 @@ jobs:
            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
            exit 1
          fi
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}

      - name: Bump API versions in files for version branch
        run: |
@@ -255,7 +235,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -33,14 +33,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -42,17 +42,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -57,9 +57,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Notify container push started
        id: slack-notification
@@ -95,18 +93,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Pin prowler SDK to latest master commit
-        if: github.event_name == 'push'
-        run: |
-          LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
-          sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -117,7 +107,7 @@ jobs:
      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -135,7 +125,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -148,36 +138,30 @@ jobs:
        run: |
          docker buildx imagetools create \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Create and push manifests for release event
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        run: |
          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main

      - name: Cleanup intermediate architecture tags
        if: always()
        run: |
          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
          echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}

  notify-release-completed:
    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -186,21 +170,16 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Determine overall outcome
        id: outcome
        run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
            echo "outcome=success" >> $GITHUB_OUTPUT
          else
            echo "outcome=failure" >> $GITHUB_OUTPUT
          fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}

      - name: Notify container push completed
        uses: ./.github/actions/slack-notification
@@ -28,14 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/Dockerfile

@@ -66,14 +63,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: api/**
          files_ignore: |
@@ -88,7 +82,7 @@ jobs:

      - name: Build container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
@@ -33,14 +33,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -64,9 +61,8 @@ jobs:

      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check --ignore 79023,79027,86217
+        run: poetry run safety check --ignore 79023,79027
        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`

      - name: Vulture
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -43,7 +43,7 @@ jobs:

    services:
      postgres:
-        image: postgres:17@sha256:2cd82735a36356842d5eb1ef80db3ae8f1154172f0f653db48fde079b2a0b7f7
+        image: postgres
        env:
          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
@@ -73,14 +73,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -1,7 +1,6 @@
 name: 'Tools: Backport'

 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access for backport PRs, no PR code checkout
  pull_request_target:
    branches:
      - 'master'
@@ -1,44 +0,0 @@
-name: 'CI: Zizmor'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - '.github/**'
-  schedule:
-    - cron: '30 06 * * *'
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  zizmor:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: GitHub Actions Security Audit
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      security-events: write
-      contents: read
-      actions: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
-        with:
-          token: ${{ github.token }}
@@ -25,9 +25,8 @@ jobs:
      - name: Create backport label for minor releases
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
+          RELEASE_TAG="${{ github.event.release.tag_name }}"

          if [ -z "$RELEASE_TAG" ]; then
            echo "Error: No release tag provided"
@@ -28,9 +28,7 @@ jobs:
      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Get current documentation version
        id: get_docs_version
@@ -80,15 +78,13 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next minor version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"

          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
@@ -97,10 +93,6 @@ jobs:
          echo "Current documentation version: $CURRENT_DOCS_VERSION"
          echo "Current release version: $PROWLER_VERSION"
          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}

      - name: Bump versions in documentation for master
        run: |
@@ -114,7 +106,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -137,16 +129,15 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false

      - name: Calculate first patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"

          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -157,10 +148,6 @@ jobs:

          echo "First patch version: $FIRST_PATCH_VERSION"
          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}

      - name: Bump versions in documentation for version branch
        run: |
@@ -174,7 +161,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -205,16 +192,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
+          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"

          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -227,11 +212,6 @@ jobs:
          echo "Current release version: $PROWLER_VERSION"
          echo "Next patch version: $NEXT_PATCH_VERSION"
          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}

      - name: Bump versions in documentation for patch version
        run: |
@@ -245,7 +225,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -23,10 +23,9 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
-          persist-credentials: false

      - name: Scan for secrets with TruffleHog
        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
@@ -1,48 +0,0 @@
-name: 'Helm: Chart Checks'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'contrib/k8s/helm/prowler-app/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  helm-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Lint Helm chart
-        run: helm lint ${{ env.CHART_PATH }}
-
-      - name: Validate Helm chart template rendering
-        run: helm template prowler ${{ env.CHART_PATH }}
@@ -1,54 +0,0 @@
-name: 'Helm: Chart Release'
-# DISCLAIMER: This workflow is not maintained by the Prowler team. Refer to contrib/k8s/helm/prowler-app for the source code.
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  CHART_PATH: contrib/k8s/helm/prowler-app
-
-jobs:
-  release-helm-chart:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
-
-      - name: Set appVersion from release tag
-        run: |
-          RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"
-          echo "Setting appVersion to ${RELEASE_TAG}"
-          sed -i "s/^appVersion:.*/appVersion: \"${RELEASE_TAG}\"/" ${{ env.CHART_PATH }}/Chart.yaml
-        env:
-          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-
-      - name: Login to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${GITHUB_ACTOR} --password-stdin
-
-      - name: Update chart dependencies
-        run: helm dependency update ${{ env.CHART_PATH }}
-
-      - name: Package Helm chart
-        run: helm package ${{ env.CHART_PATH }} --destination .helm-packages
-
-      - name: Push chart to GHCR
-        run: |
-          PACKAGE=$(ls .helm-packages/*.tgz)
-          helm push "$PACKAGE" oci://ghcr.io/${{ github.repository_owner }}/charts
@@ -1,7 +1,6 @@
 name: 'Tools: PR Labeler'

 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access to apply labels, no PR code checkout
  pull_request_target:
    branches:
      - 'master'
@@ -56,9 +56,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Notify container push started
        id: slack-notification
@@ -93,12 +91,10 @@ jobs:
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -109,7 +105,7 @@ jobs:
      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -135,7 +131,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -148,36 +144,30 @@ jobs:
        run: |
          docker buildx imagetools create \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Create and push manifests for release event
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        run: |
          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main

      - name: Cleanup intermediate architecture tags
        if: always()
        run: |
          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
          echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}

  notify-release-completed:
    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -186,21 +176,16 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Determine overall outcome
        id: outcome
        run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
            echo "outcome=success" >> $GITHUB_OUTPUT
          else
            echo "outcome=failure" >> $GITHUB_OUTPUT
          fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}

      - name: Notify container push completed
        uses: ./.github/actions/slack-notification
@@ -28,14 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/Dockerfile

@@ -65,14 +62,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: mcp_server/**
          files_ignore: |
@@ -85,7 +79,7 @@ jobs:

      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
@@ -29,7 +29,7 @@ jobs:
      - name: Parse and validate version
        id: parse-version
        run: |
-          PROWLER_VERSION="${RELEASE_TAG}"
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          # Extract major version
@@ -60,17 +60,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
-        with:
-          enable-cache: false
+        uses: astral-sh/setup-uv@v7

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -29,15 +29,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            api/**
@@ -52,11 +50,11 @@ jobs:
        run: |
          missing_changelogs=""

-          if [[ "${STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED}" == "true" ]]; then
+          if [[ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]]; then
            # Check monitored folders
            for folder in $MONITORED_FOLDERS; do
              # Get files changed in this folder
-              changed_in_folder=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^${folder}/" || true)
+              changed_in_folder=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^${folder}/" || true)

              if [ -n "$changed_in_folder" ]; then
                echo "Detected changes in ${folder}/"
@@ -71,11 +69,11 @@ jobs:

            # Check root-level dependency files (poetry.lock, pyproject.toml)
            # These are associated with the prowler folder changelog
-            root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
+            root_deps_changed=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true)
            if [ -n "$root_deps_changed" ]; then
              echo "Detected changes in root dependency files: $root_deps_changed"
              # Check if prowler/CHANGELOG.md was already updated (might have been caught above)
-              prowler_changelog_updated=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true)
+              prowler_changelog_updated=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true)
              if [ -z "$prowler_changelog_updated" ]; then
                # Only add if prowler wasn't already flagged
                if ! echo "$missing_changelogs" | grep -q "prowler"; then
@@ -91,9 +89,6 @@ jobs:
            echo -e "${missing_changelogs}"
            echo "EOF"
          } >> $GITHUB_OUTPUT
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}

      - name: Find existing changelog comment
        if: github.event.pull_request.head.repo.full_name == github.repository
@@ -1,7 +1,6 @@
 name: 'Tools: PR Conflict Checker'

 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs write access for conflict labels/comments, checkout uses PR head SHA for read-only grep
  pull_request_target:
    types:
      - 'opened'
@@ -26,15 +25,14 @@ jobs:

    steps:
      - name: Checkout PR head
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-          persist-credentials: false

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: '**'

@@ -47,7 +45,7 @@ jobs:
          HAS_CONFLICTS=false

          # Check each changed file for conflict markers
-          for file in ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}; do
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            if [ -f "$file" ]; then
              echo "Checking file: $file"

@@ -72,8 +70,6 @@ jobs:
            echo "has_conflicts=false" >> $GITHUB_OUTPUT
            echo "No conflict markers found in changed files"
          fi
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}

      - name: Manage conflict label
        env:
@@ -1,7 +1,6 @@
 name: 'Tools: PR Merged'

 on:
-  # zizmor: ignore[dangerous-triggers] - intentional: needs read access to merged PR metadata, no PR code checkout
  pull_request_target:
    branches:
      - 'master'
@@ -26,10 +25,8 @@ jobs:
      - name: Calculate short commit SHA
        id: vars
        run: |
-          SHORT_SHA="${GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA}"
-          echo "short_sha=${SHORT_SHA::7}" >> $GITHUB_OUTPUT
-        env:
-          GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+          SHORT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
+          echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV

      - name: Trigger Cloud repository pull request
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
@@ -40,7 +37,7 @@ jobs:
          client-payload: |
            {
              "PROWLER_COMMIT_SHA": "${{ github.event.pull_request.merge_commit_sha }}",
-              "PROWLER_COMMIT_SHORT_SHA": "${{ steps.vars.outputs.short_sha }}",
+              "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
              "PROWLER_PR_NUMBER": "${{ github.event.pull_request.number }}",
              "PROWLER_PR_TITLE": ${{ toJson(github.event.pull_request.title) }},
              "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},
@@ -27,14 +27,13 @@ jobs:
      pull-requests: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        fetch-depth: 0
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-        persist-credentials: false

    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
      with:
        python-version: '3.12'

@@ -345,7 +344,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -67,23 +67,18 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next minor version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"

          echo "Current version: $PROWLER_VERSION"
          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}

      - name: Bump versions in files for master
        run: |
@@ -96,7 +91,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -115,15 +110,14 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false

      - name: Calculate first patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -133,9 +127,6 @@ jobs:

          echo "First patch version: $FIRST_PATCH_VERSION"
          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}

      - name: Bump versions in files for version branch
        run: |
@@ -148,7 +139,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -176,15 +167,13 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}

          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -195,10 +184,6 @@ jobs:
          echo "Current version: $PROWLER_VERSION"
          echo "Next patch version: $NEXT_PATCH_VERSION"
          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}

      - name: Bump versions in files for version branch
        run: |
@@ -211,7 +196,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -20,9 +20,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for duplicate test names across providers
        run: |
@@ -31,14 +31,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +64,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -49,17 +49,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -61,12 +61,10 @@ jobs:
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -117,9 +115,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Notify container push started
        id: slack-notification
@@ -155,18 +151,16 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -180,7 +174,7 @@ jobs:
      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
@@ -199,13 +193,13 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -220,44 +214,36 @@ jobs:
        if: github.event_name == 'push'
        run: |
          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64

      - name: Create and push manifests for release event
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        run: |
          docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }}
-          NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }}
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main

      - name: Cleanup intermediate architecture tags
        if: always()
        run: |
          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
          echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}

  notify-release-completed:
    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -266,21 +252,16 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Determine overall outcome
        id: outcome
        run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
            echo "outcome=success" >> $GITHUB_OUTPUT
          else
            echo "outcome=failure" >> $GITHUB_OUTPUT
          fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}

      - name: Notify container push completed
        uses: ./.github/actions/slack-notification
@@ -27,14 +27,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: Dockerfile

@@ -65,14 +62,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -101,7 +95,7 @@ jobs:

      - name: Build SDK container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: false
@@ -28,7 +28,7 @@ jobs:
      - name: Parse and validate version
        id: parse-version
        run: |
-          PROWLER_VERSION="${RELEASE_TAG}"
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          # Extract major version
@@ -59,17 +59,16 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'

      - name: Build Prowler package
        run: poetry build
@@ -92,17 +91,16 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'

      - name: Install toml package
        run: pip install toml
@@ -25,13 +25,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
-          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -40,7 +39,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -51,7 +50,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -83,14 +82,9 @@ jobs:

      - name: PR creation result
        run: |
-          if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then
-            echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully"
-            echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}"
+          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
+            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
+            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
          else
            echo "✓ No changes detected - AWS regions are up to date"
          fi
-
-        env:
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
-
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }}
@@ -23,13 +23,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: 'master'
-          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -48,7 +47,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -72,13 +71,12 @@ jobs:
            This PR updates the `OCI_COMMERCIAL_REGIONS` dictionary in `prowler/providers/oraclecloud/config.py` with the latest regions fetched from the OCI Identity API (`list_regions()`).

            - Government regions (`OCI_GOVERNMENT_REGIONS`) are preserved unchanged
-            - DOD regions (`OCI_US_DOD_REGIONS`) are preserved unchanged
            - Region display names are mapped from Oracle's official documentation

            ### Checklist

            - [x] This is an automated update from OCI official sources
-            - [x] Government regions (us-langley-1, us-luke-1) and DOD regions (us-gov-ashburn-1, us-gov-phoenix-1, us-gov-chicago-1) are preserved
+            - [x] Government regions (us-langley-1, us-luke-1) preserved
            - [x] No manual review of region data required

            ### License
@@ -87,14 +85,9 @@ jobs:

      - name: PR creation result
        run: |
-          if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then
-            echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully"
-            echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}"
+          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
+            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
+            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
          else
            echo "✓ No changes detected - OCI regions are up to date"
          fi
-
-        env:
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
-
-          STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }}
@@ -24,16 +24,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
-          files:
+          files: 
            ./**
            .github/workflows/sdk-security.yml
          files_ignore: |
@@ -62,7 +59,7 @@ jobs:

      - name: Set up Python 3.12
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.12'
          cache: 'poetry'
@@ -31,14 +31,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ./**
          files_ignore: |
@@ -67,7 +64,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -80,7 +77,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/aws/**
@@ -122,7 +119,7 @@ jobs:
              "wafv2": ["cognito", "elbv2"],
          }

-          changed_raw = os.environ.get("STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES", "")
+          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
          # all_changed_files is space-separated, not newline-separated
          # Strip leading "./" if present for consistent path handling
          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
@@ -177,25 +174,20 @@ jobs:
          else:
              print("AWS service test paths: none detected")
          PY
-        env:
-          STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-aws.outputs.all_changed_files }}

      - name: Run AWS tests
        if: steps.changed-aws.outputs.any_changed == 'true'
        run: |
-          echo "AWS run_all=${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}"
-          echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
+          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
+          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"

-          if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
+          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
+          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
            echo "No AWS service paths detected; skipping AWS tests."
          else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
          fi
-        env:
-          STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
-          STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS: ${{ steps.aws-services.outputs.service_paths }}

      - name: Upload AWS coverage to Codecov
        if: steps.changed-aws.outputs.any_changed == 'true'
@@ -210,7 +202,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/azure/**
@@ -234,7 +226,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/gcp/**
@@ -258,7 +250,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -282,7 +274,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/github/**
@@ -306,7 +298,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/nhn/**
@@ -330,7 +322,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/m365/**
@@ -354,7 +346,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/iac/**
@@ -378,7 +370,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -402,7 +394,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -426,7 +418,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/openstack/**
@@ -450,7 +442,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -474,7 +466,7 @@ jobs:
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/lib/**
@@ -498,7 +490,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ./prowler/config/**
@@ -48,17 +48,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1

      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.12'

@@ -69,60 +66,47 @@ jobs:
        id: impact
        run: |
          echo "Changed files:"
-          echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n'
+          echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n'
          echo ""
-          python .github/scripts/test-impact.py ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}
-        env:
-          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          python .github/scripts/test-impact.py ${{ steps.changed-files.outputs.all_changed_files }}

      - name: Set convenience flags
        id: set-flags
        run: |
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_SDK_TESTS}" ]]; then
+          if [[ -n "${{ steps.impact.outputs.sdk-tests }}" ]]; then
            echo "has-sdk-tests=true" >> $GITHUB_OUTPUT
          else
            echo "has-sdk-tests=false" >> $GITHUB_OUTPUT
          fi
-
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_API_TESTS}" ]]; then
+          
+          if [[ -n "${{ steps.impact.outputs.api-tests }}" ]]; then
            echo "has-api-tests=true" >> $GITHUB_OUTPUT
          else
            echo "has-api-tests=false" >> $GITHUB_OUTPUT
          fi
-
-          if [[ -n "${STEPS_IMPACT_OUTPUTS_UI_E2E}" ]]; then
+          
+          if [[ -n "${{ steps.impact.outputs.ui-e2e }}" ]]; then
            echo "has-ui-e2e=true" >> $GITHUB_OUTPUT
          else
            echo "has-ui-e2e=false" >> $GITHUB_OUTPUT
          fi
-        env:
-          STEPS_IMPACT_OUTPUTS_SDK_TESTS: ${{ steps.impact.outputs.sdk-tests }}
-          STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }}
-          STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }}

      - name: Summary
        run: |
          echo "## Test Impact Analysis" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-
-          if [[ "${STEPS_IMPACT_OUTPUTS_RUN_ALL}" == "true" ]]; then
+          
+          if [[ "${{ steps.impact.outputs.run-all }}" == "true" ]]; then
            echo "🚨 **Critical path changed - running ALL tests**" >> $GITHUB_STEP_SUMMARY
          else
            echo "### Affected Modules" >> $GITHUB_STEP_SUMMARY
-            echo "\`${STEPS_IMPACT_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
+            echo "\`${{ steps.impact.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
-
+            
            echo "### Tests to Run" >> $GITHUB_STEP_SUMMARY
            echo "| Category | Paths |" >> $GITHUB_STEP_SUMMARY
            echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-            echo "| SDK Tests | \`${STEPS_IMPACT_OUTPUTS_SDK_TESTS:-none}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| API Tests | \`${STEPS_IMPACT_OUTPUTS_API_TESTS:-none}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| UI E2E | \`${STEPS_IMPACT_OUTPUTS_UI_E2E:-none}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| SDK Tests | \`${{ steps.impact.outputs.sdk-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| API Tests | \`${{ steps.impact.outputs.api-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| UI E2E | \`${{ steps.impact.outputs.ui-e2e || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY
          fi
-
-        env:
-          STEPS_IMPACT_OUTPUTS_RUN_ALL: ${{ steps.impact.outputs.run-all }}
-          STEPS_IMPACT_OUTPUTS_SDK_TESTS: ${{ steps.impact.outputs.sdk-tests }}
-          STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }}
-          STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }}
-          STEPS_IMPACT_OUTPUTS_MODULES: ${{ steps.impact.outputs.modules }}
@@ -67,23 +67,18 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next minor version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"

          echo "Current version: $PROWLER_VERSION"
          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}

      - name: Bump UI version in .env for master
        run: |
@@ -95,7 +90,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -117,15 +112,14 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false

      - name: Calculate first patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}

          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -135,9 +129,6 @@ jobs:

          echo "First patch version: $FIRST_PATCH_VERSION"
          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}

      - name: Bump UI version in .env for version branch
        run: |
@@ -149,7 +140,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -180,15 +171,13 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Calculate next patch version
        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
+          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}

          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
@@ -199,10 +188,6 @@ jobs:
          echo "Current version: $PROWLER_VERSION"
          echo "Next patch version: $NEXT_PATCH_VERSION"
          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}

      - name: Bump UI version in .env for version branch
        run: |
@@ -214,7 +199,7 @@ jobs:
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -45,17 +45,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: '/language:${{ matrix.language }}'
@@ -59,9 +59,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Notify container push started
        id: slack-notification
@@ -97,12 +95,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -113,7 +109,7 @@ jobs:
      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
@@ -134,7 +130,7 @@ jobs:

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -147,36 +143,30 @@ jobs:
        run: |
          docker buildx imagetools create \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Create and push manifests for release event
        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        run: |
          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \
+            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64

      - name: Install regctl
        if: always()
-        uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
+        uses: regclient/actions/regctl-installer@main

      - name: Cleanup intermediate architecture tags
        if: always()
        run: |
          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
+          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
          echo "Cleanup completed"
-        env:
-          NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }}

  notify-release-completed:
    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -185,21 +175,16 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Determine overall outcome
        id: outcome
        run: |
-          if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then
+          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
            echo "outcome=success" >> $GITHUB_OUTPUT
          else
            echo "outcome=failure" >> $GITHUB_OUTPUT
          fi
-        env:
-          NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }}
-          NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }}

      - name: Notify container push completed
        uses: ./.github/actions/slack-notification
@@ -28,14 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/Dockerfile

@@ -66,14 +63,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: ui/**
          files_ignore: |
@@ -87,7 +81,7 @@ jobs:

      - name: Build UI container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
@@ -15,9 +15,6 @@ on:
      - 'ui/**'
      - 'api/**'  # API changes can affect UI E2E

-permissions:
-  contents: read
-
 jobs:
  # First, analyze which tests need to run
  impact-analysis:
@@ -78,25 +75,21 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Show test scope
        run: |
          echo "## E2E Test Scope" >> $GITHUB_STEP_SUMMARY
-          if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
+          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
            echo "Running **ALL** E2E tests (critical path changed)" >> $GITHUB_STEP_SUMMARY
          else
-            echo "Running tests matching: \`${E2E_TEST_PATHS}\`" >> $GITHUB_STEP_SUMMARY
+            echo "Running tests matching: \`${{ env.E2E_TEST_PATHS }}\`" >> $GITHUB_STEP_SUMMARY
          fi
          echo ""
-          echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
-        env:
-          NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }}
+          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY

      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1
+        uses: helm/kind-action@v1
        with:
          cluster_name: kind

@@ -152,12 +145,12 @@ jobs:
          '

      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: '24.13.0'

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
@@ -166,7 +159,7 @@ jobs:
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - name: Setup pnpm and Next.js cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -186,7 +179,7 @@ jobs:
        run: pnpm run build

      - name: Cache Playwright browsers
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -202,52 +195,23 @@ jobs:
      - name: Run E2E tests
        working-directory: ./ui
        run: |
-          if [[ "${RUN_ALL_TESTS}" == "true" ]]; then
+          if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then
            echo "Running ALL E2E tests..."
            pnpm run test:e2e
          else
-            echo "Running targeted E2E tests: ${E2E_TEST_PATHS}"
+            echo "Running targeted E2E tests: ${{ env.E2E_TEST_PATHS }}"
            # Convert glob patterns to playwright test paths
            # e.g., "ui/tests/providers/**" -> "tests/providers"
-            TEST_PATHS="${E2E_TEST_PATHS}"
+            TEST_PATHS="${{ env.E2E_TEST_PATHS }}"
            # Remove ui/ prefix and convert ** to empty (playwright handles recursion)
            TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u)
            # Drop auth setup helpers (not runnable test suites)
            TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^tests/setups/')
-            # Safety net: if bare "tests/" appears (from broad patterns like ui/tests/**),
-            # expand to specific subdirs to avoid Playwright discovering setup files
-            if echo "$TEST_PATHS" | grep -qx 'tests/'; then
-              echo "Expanding bare 'tests/' to specific subdirs (excluding setups)..."
-              SPECIFIC_DIRS=""
-              for dir in tests/*/; do
-                [[ "$dir" == "tests/setups/" ]] && continue
-                SPECIFIC_DIRS="${SPECIFIC_DIRS}${dir}"$'\n'
-              done
-              # Replace "tests/" with specific dirs, keep other paths
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -vx 'tests/')
-              TEST_PATHS="${TEST_PATHS}"$'\n'"${SPECIFIC_DIRS}"
-              TEST_PATHS=$(echo "$TEST_PATHS" | grep -v '^$' | sort -u)
-            fi
            if [[ -z "$TEST_PATHS" ]]; then
              echo "No runnable E2E test paths after filtering setups"
              exit 0
            fi
-            # Filter out directories that don't contain any test files
-            VALID_PATHS=""
-            while IFS= read -r p; do
-              [[ -z "$p" ]] && continue
-              if find "$p" -name '*.spec.ts' -o -name '*.test.ts' 2>/dev/null | head -1 | grep -q .; then
-                VALID_PATHS="${VALID_PATHS}${p}"$'\n'
-              else
-                echo "Skipping empty test directory: $p"
-              fi
-            done <<< "$TEST_PATHS"
-            VALID_PATHS=$(echo "$VALID_PATHS" | grep -v '^$' || true)
-            if [[ -z "$VALID_PATHS" ]]; then
-              echo "No test files found in any resolved paths — skipping E2E"
-              exit 0
-            fi
-            TEST_PATHS=$(echo "$VALID_PATHS" | tr '\n' ' ')
+            TEST_PATHS=$(echo "$TEST_PATHS" | tr '\n' ' ')
            echo "Resolved test paths: $TEST_PATHS"
            pnpm exec playwright test $TEST_PATHS
          fi
@@ -280,8 +244,6 @@ jobs:
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "No UI E2E tests needed for this change." >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY
+          echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "To run all tests, modify a file in a critical path (e.g., \`ui/lib/**\`)." >> $GITHUB_STEP_SUMMARY
-        env:
-          NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }}
@@ -30,14 +30,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # zizmor: ignore[artipacked]
-          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**
@@ -50,7 +47,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/**/*.ts
@@ -66,7 +63,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            ui/lib/**
@@ -78,13 +75,13 @@ jobs:

      - name: Setup Node.js ${{ env.NODE_VERSION }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Setup pnpm
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
@@ -96,7 +93,7 @@ jobs:

      - name: Setup pnpm and Next.js cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ${{ env.STORE_PATH }}
@@ -125,12 +122,10 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files != ''
        run: |
          echo "Running tests related to changed files:"
-          echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}"
+          echo "${{ steps.changed-source.outputs.all_changed_files }}"
          # Convert space-separated to vitest related format (remove ui/ prefix for relative paths)
-          CHANGED_FILES=$(echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ')
+          CHANGED_FILES=$(echo "${{ steps.changed-source.outputs.all_changed_files }}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ')
          pnpm exec vitest related $CHANGED_FILES --run
-        env:
-          STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-source.outputs.all_changed_files }}

      - name: Run unit tests (test files only changed)
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files == ''
@@ -163,6 +163,3 @@ GEMINI.md
 .codex/skills
 .github/skills
 .gemini/skills
-
-# Claude Code
-.claude/*
@@ -22,13 +22,6 @@ repos:
        args: [--autofix]
        files: pyproject.toml

-  ## GITHUB ACTIONS
-  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.6.0
-    hooks:
-      - id: zizmor
-        files: ^\.github/
-
  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.10.0
@@ -127,8 +120,7 @@ repos:
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217'
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027'
        language: system

      - id: vulture
@@ -46,8 +46,6 @@ Use these skills for detailed patterns on-demand:
 | `prowler-commit` | Professional commits (conventional-commits) | [SKILL.md](skills/prowler-commit/SKILL.md) |
 | `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
 | `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `django-migration-psql` | Django migration best practices for PostgreSQL | [SKILL.md](skills/django-migration-psql/SKILL.md) |
-| `postgresql-indexing` | PostgreSQL indexing, EXPLAIN, monitoring, maintenance | [SKILL.md](skills/postgresql-indexing/SKILL.md) |
 | `prowler-attack-paths-query` | Create Attack Paths openCypher queries | [SKILL.md](skills/prowler-attack-paths-query/SKILL.md) |
 | `gh-aw` | GitHub Agentic Workflows (gh-aw) | [SKILL.md](skills/gh-aw/SKILL.md) |
 | `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
@@ -87,15 +85,15 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Fixing bug | `tdd` |
 | General Prowler development questions | `prowler` |
 | Implementing JSON:API endpoints | `django-drf` |
-| Implementing feature | `tdd` |
 | Importing Copilot Custom Agents into workflows | `gh-aw` |
+| Implementing feature | `tdd` |
 | Inspect PR CI checks and gates (.github/workflows/*) | `prowler-ci` |
 | Inspect PR CI workflows (.github/workflows/*): conventional-commit, pr-check-changelog, pr-conflict-checker, labeler | `prowler-pr` |
 | Mapping checks to compliance controls | `prowler-compliance` |
 | Mocking AWS with moto in tests | `prowler-test-sdk` |
 | Modifying API responses | `jsonapi` |
-| Modifying component | `tdd` |
 | Modifying gh-aw workflow frontmatter or safe-outputs | `gh-aw` |
+| Modifying component | `tdd` |
 | Refactoring code | `tdd` |
 | Regenerate AGENTS.md Auto-invoke tables (sync.sh) | `skill-sync` |
 | Review PR requirements: template, title conventions, changelog gate | `prowler-pr` |
@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.66.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}

 # hadolint ignore=DL3008
@@ -109,16 +109,14 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
 | GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 89 | 9 | 4 | 5 | Official | UI, API, CLI |
-| OCI | 48 | 13 | 3 | 10 | Official | UI, API, CLI |
+| M365 | 75 | 7 | 4 | 4 | Official | UI, API, CLI |
+| OCI | 51 | 13 | 3 | 12 | Official | UI, API, CLI |
 | Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 2 | 0 | 5 | Official | UI, API, CLI |
+| Cloudflare | 29 | 2 | 0 | 5 | Official | CLI, API |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 3 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
-| OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
+| OpenStack | 1 | 1 | 0 | 2 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -150,17 +148,21 @@ Prowler App offers flexible installation methods tailored to various environment
 **Commands**

 ``` console
-VERSION=$(curl -s https://api.github.com/repos/prowler-cloud/prowler/releases/latest | jq -r .tag_name)
-curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/docker-compose.yml"
-# Environment variables can be customized in the .env file. Using default values in production environments is not recommended.
-curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
 docker compose up -d
 ```

-> [!WARNING]
-> 🔒 For a secure setup, the API auto-generates a unique key pair, `DJANGO_TOKEN_SIGNING_KEY` and `DJANGO_TOKEN_VERIFYING_KEY`, and stores it in `~/.config/prowler-api` (non-container) or the bound Docker volume in `_data/api` (container). Never commit or reuse static/default keys. To rotate keys, delete the stored key files and restart the API.
+> Containers are built for `linux/amd64`.

-Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
+### Configuring Your Workstation for Prowler App
+
+If your workstation's architecture is incompatible, you can resolve this by:
+
+- **Setting the environment variable**: `DOCKER_DEFAULT_PLATFORM=linux/amd64`
+- **Using the following flag in your Docker command**: `--platform linux/amd64`
+
+> Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

 ### Common Issues with Docker Pull Installation

@@ -4,8 +4,6 @@
 > - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
 > - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
 > - [`prowler-attack-paths-query`](../skills/prowler-attack-paths-query/SKILL.md) - Attack Paths openCypher queries
-> - [`django-migration-psql`](../skills/django-migration-psql/SKILL.md) - Migration best practices for PostgreSQL
-> - [`postgresql-indexing`](../skills/postgresql-indexing/SKILL.md) - PostgreSQL indexing, EXPLAIN, monitoring, maintenance
 > - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
 > - [`jsonapi`](../skills/jsonapi/SKILL.md) - Strict JSON:API v1.1 spec compliance
 > - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
@@ -18,20 +16,14 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 |--------|-------|
 | Add changelog entry for a PR or feature | `prowler-changelog` |
 | Adding DRF pagination or permissions | `django-drf` |
-| Adding indexes or constraints to database tables | `django-migration-psql` |
 | Adding privilege escalation detection queries | `prowler-attack-paths-query` |
-| Analyzing query performance with EXPLAIN | `postgresql-indexing` |
 | Committing changes | `prowler-commit` |
 | Create PR that requires changelog entry | `prowler-changelog` |
 | Creating API endpoints | `jsonapi` |
 | Creating Attack Paths queries | `prowler-attack-paths-query` |
 | Creating ViewSets, serializers, or filters in api/ | `django-drf` |
 | Creating a git commit | `prowler-commit` |
-| Creating or modifying PostgreSQL indexes | `postgresql-indexing` |
-| Creating or reviewing Django migrations | `django-migration-psql` |
 | Creating/modifying models, views, serializers | `prowler-api` |
-| Debugging slow queries or missing indexes | `postgresql-indexing` |
-| Dropping or reindexing PostgreSQL indexes | `postgresql-indexing` |
 | Fixing bug | `tdd` |
 | Implementing JSON:API endpoints | `django-drf` |
 | Implementing feature | `tdd` |
@@ -40,14 +32,12 @@ When performing these actions, ALWAYS invoke the corresponding skill FIRST:
 | Refactoring code | `tdd` |
 | Review changelog format and conventions | `prowler-changelog` |
 | Reviewing JSON:API compliance | `jsonapi` |
-| Running makemigrations or pgmakemigrations | `django-migration-psql` |
 | Testing RLS tenant isolation | `prowler-test-api` |
 | Update CHANGELOG.md in any component | `prowler-changelog` |
 | Updating existing Attack Paths queries | `prowler-attack-paths-query` |
 | Working on task | `tdd` |
 | Writing Prowler API tests | `prowler-test-api` |
 | Writing Python tests with pytest | `pytest` |
-| Writing data backfill or data migration | `django-migration-psql` |

 ---

@@ -2,44 +2,7 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.22.0] (Prowler v5.21.0)
-
-### 🚀 Added
-
- `CORS_ALLOWED_ORIGINS` configurable via environment variable [(#10355)](https://github.com/prowler-cloud/prowler/pull/10355)
- Attack Paths: Tenant and provider related labels to the nodes so they can be easily filtered on custom queries [(#10308)](https://github.com/prowler-cloud/prowler/pull/10308)
-
-### 🔄 Changed
-
- Attack Paths: Complete migration to private graph labels and properties, removing deprecated dual-write support [(#10268)](https://github.com/prowler-cloud/prowler/pull/10268)
- Attack Paths: Reduce sync and findings memory usage with smaller batches, cursor iteration, and sequential sessions [(#10359)](https://github.com/prowler-cloud/prowler/pull/10359)
-
-### 🐞 Fixed
-
- Attack Paths: Recover `graph_data_ready` flag when scan fails during graph swap, preventing query endpoints from staying blocked until the next successful scan [(#10354)](https://github.com/prowler-cloud/prowler/pull/10354)
-
-### 🔐 Security
-
- Use `psycopg2.sql` to safely compose DDL in `PostgresEnumMigration`, preventing SQL injection via f-string interpolation [(#10166)](https://github.com/prowler-cloud/prowler/pull/10166)
-
---
-
-## [1.21.0] (Prowler v5.20.0)
-
-### 🔄 Changed
-
- Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
- `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)
-
-### 🐞 Fixed
-
- Attack Paths: Security hardening for custom query endpoint (Cypher blocklist, input validation, rate limiting, Helm lockdown) [(#10238)](https://github.com/prowler-cloud/prowler/pull/10238)
- Attack Paths: Missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
- Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)
-
---
-
-## [1.20.0] (Prowler v5.19.0)
+## [1.20.0] (Prowler UNRELEASED)

 ### 🚀 Added

@@ -48,26 +11,29 @@ All notable changes to the **Prowler API** are documented in this file.
 - PDF report for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
 - `image` provider support for container image scanning [(#10128)](https://github.com/prowler-cloud/prowler/pull/10128)
 - Attack Paths: Custom query and Cartography schema endpoints (temporarily blocked) [(#10149)](https://github.com/prowler-cloud/prowler/pull/10149)
- `googleworkspace` provider support [(#10247)](https://github.com/prowler-cloud/prowler/pull/10247)

 ### 🔄 Changed

 - Attack Paths: Queries definition now has short description and attribution [(#9983)](https://github.com/prowler-cloud/prowler/pull/9983)
 - Attack Paths: Internet node is created while scan [(#9992)](https://github.com/prowler-cloud/prowler/pull/9992)
 - Attack Paths: Add full paths set from [pathfinding.cloud](https://pathfinding.cloud/) [(#10008)](https://github.com/prowler-cloud/prowler/pull/10008)
+- Support CSA CCM 4.0 for the AWS provider [(#10018)](https://github.com/prowler-cloud/prowler/pull/10018)
+- Support CSA CCM 4.0 for the GCP provider [(#10042)](https://github.com/prowler-cloud/prowler/pull/10042)
+- Support CSA CCM 4.0 for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- Support CSA CCM 4.0 for the Oracle Cloud provider [(#10057)](https://github.com/prowler-cloud/prowler/pull/10057)
+- Support CSA CCM 4.0 for the Alibaba Cloud provider [(#10061)](https://github.com/prowler-cloud/prowler/pull/10061)
 - Attack Paths: Mark attack Paths scan as failed when Celery task fails outside job error handling [(#10065)](https://github.com/prowler-cloud/prowler/pull/10065)
 - Attack Paths: Remove legacy per-scan `graph_database` and `is_graph_database_deleted` fields from AttackPathsScan model [(#10077)](https://github.com/prowler-cloud/prowler/pull/10077)
 - Attack Paths: Add `graph_data_ready` field to decouple query availability from scan state [(#10089)](https://github.com/prowler-cloud/prowler/pull/10089)
+- AI agent guidelines with TDD and testing skills references [(#9925)](https://github.com/prowler-cloud/prowler/pull/9925)
 - Attack Paths: Upgrade Cartography from fork 0.126.1 to upstream 0.129.0 and Neo4j driver from 5.x to 6.x [(#10110)](https://github.com/prowler-cloud/prowler/pull/10110)
 - Attack Paths: Query results now filtered by provider, preventing future cross-tenant and cross-provider data leakage [(#10118)](https://github.com/prowler-cloud/prowler/pull/10118)
 - Attack Paths: Add private labels and properties in Attack Paths graphs for avoiding future overlapping with Cartography's ones [(#10124)](https://github.com/prowler-cloud/prowler/pull/10124)
 - Attack Paths: Query endpoint executes them in read only mode [(#10140)](https://github.com/prowler-cloud/prowler/pull/10140)
 - Attack Paths: `Accept` header query endpoints also accepts `text/plain`, supporting compact plain-text format for LLM consumption [(#10162)](https://github.com/prowler-cloud/prowler/pull/10162)
- Bump Trivy from 0.69.1 to 0.69.2 [(#10210)](https://github.com/prowler-cloud/prowler/pull/10210)

 ### 🐞 Fixed

- PDF compliance reports consistency with UI: exclude resourceless findings and fix ENS MANUAL status handling [(#10270)](https://github.com/prowler-cloud/prowler/pull/10270)
 - Attack Paths: Orphaned temporary Neo4j databases are now cleaned up on scan failure and provider deletion [(#10101)](https://github.com/prowler-cloud/prowler/pull/10101)
 - Attack Paths: scan no longer raises `DatabaseError` when provider is deleted mid-scan [(#10116)](https://github.com/prowler-cloud/prowler/pull/10116)
 - Tenant compliance summaries recalculated after provider deletion [(#10172)](https://github.com/prowler-cloud/prowler/pull/10172)
@@ -80,7 +46,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.19.3] (Prowler v5.18.3)
+## [1.19.3] (Prowler UNRELEASED)

 ### 🐞 Fixed

@@ -5,7 +5,7 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.69.1
 ENV TRIVY_VERSION=${TRIVY_VERSION}

 # hadolint ignore=DL3008
@@ -24,6 +24,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    python3-dev \
    && rm -rf /var/lib/apt/lists/*

+# Cartography depends on `dockerfile` which has no pre-built arm64 wheel and requires Go to compile
+# hadolint ignore=DL3008
+RUN if [ "$(uname -m)" = "aarch64" ]; then \
+        apt-get update && apt-get install -y --no-install-recommends golang-go \
+        && rm -rf /var/lib/apt/lists/* ; \
+    fi
+
 # Install PowerShell
 RUN ARCH=$(uname -m) && \
    if [ "$ARCH" = "x86_64" ]; then \
@@ -1822,14 +1822,14 @@ crt = ["awscrt (==0.27.6)"]

 [[package]]
 name = "cartography"
-version = "0.132.0"
+version = "0.129.0"
 description = "Explore assets and their relationships across your technical infrastructure."
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "cartography-0.132.0-py3-none-any.whl", hash = "sha256:c070aa51d0ab4479cb043cae70b35e7df49f2fb5f1fa95ccf10000bbeb952262"},
-    {file = "cartography-0.132.0.tar.gz", hash = "sha256:7c6332bc57fd2629d7b83aee7bd95a7b2edb0d51ef746efa0461399e0b66625c"},
+    {file = "cartography-0.129.0-py3-none-any.whl", hash = "sha256:d42c840369be9e4d0ac4d024074e3732416e40bab3d9a3023b6a247918daed4c"},
+    {file = "cartography-0.129.0.tar.gz", hash = "sha256:cb47d603e652554a4cbcc1a868c96014eb02b3d5cc1affea0428b2ed7fa61699"},
 ]

 [package.dependencies]
@@ -1864,8 +1864,8 @@ boto3 = ">=1.15.1"
 botocore = ">=1.18.1"
 cloudflare = ">=4.1.0,<5.0.0"
 crowdstrike-falconpy = ">=0.5.1"
-cryptography = "*"
 dnspython = ">=1.15.0"
+dockerfile = ">=3.0.0"
 duo-client = "*"
 google-api-python-client = ">=1.7.8"
 google-auth = ">=2.37.0"
@@ -3095,6 +3095,21 @@ docs = ["myst-parser (==0.18.0)", "sphinx (==5.1.1)"]
 ssh = ["paramiko (>=2.4.3)"]
 websockets = ["websocket-client (>=1.3.0)"]

+[[package]]
+name = "dockerfile"
+version = "3.4.0"
+description = "Parse a dockerfile into a high-level representation using the official go parser."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_13_0_x86_64.whl", hash = "sha256:ed33446a76007cbb3f28c247f189cc06db34667d4f59a398a5c44912d7c13f36"},
+    {file = "dockerfile-3.4.0-cp39-abi3-macosx_14_0_arm64.whl", hash = "sha256:a4549d4f038483c25906d4fec56bb6ffe82ae26e0f80a15f2c0fedbb50712053"},
+    {file = "dockerfile-3.4.0-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:b95102bd82e6f67c836186b51c13114aa586a20e8cb6441bde24d4070542009d"},
+    {file = "dockerfile-3.4.0-cp39-abi3-win_amd64.whl", hash = "sha256:30202187f1885f99ac839fd41ca8150b2fd0a66fac12db0166361d0c4622e71a"},
+    {file = "dockerfile-3.4.0.tar.gz", hash = "sha256:238bb950985c55a525daef8bbfe994a0230aa0978c419f4caa4d9ce0a37343f1"},
+]
+
 [[package]]
 name = "dogpile-cache"
 version = "1.5.0"
@@ -6730,7 +6745,7 @@ tzlocal = "5.3.1"
 type = "git"
 url = "https://github.com/prowler-cloud/prowler.git"
 reference = "master"
-resolved_reference = "b31145616064bd6727139777dca1cea9b977346a"
+resolved_reference = "6962622fd21401886371add25463f77228cd9c1f"

 [[package]]
 name = "psutil"
@@ -9382,4 +9397,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "6e38c38b1f8dc05b881f49703fa445eec299527e6697992b18e4613534fbcdb6"
+content-hash = "42759b370c9e38da727e73f9d8ec0fa61bc6137eab18f11ccd7deff79a0dee69"
@@ -37,7 +37,7 @@ dependencies = [
  "matplotlib (>=3.10.6,<4.0.0)",
  "reportlab (>=4.4.4,<5.0.0)",
  "neo4j (>=6.0.0,<7.0.0)",
-  "cartography (==0.132.0)",
+  "cartography (==0.129.0)",
  "gevent (>=25.9.1,<26.0.0)",
  "werkzeug (>=3.1.4)",
  "sqlparse (>=0.5.4)",
@@ -49,7 +49,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.23.0"
+version = "1.20.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -1,21 +1,24 @@
 import atexit
 import logging
 import threading
+
+from typing import Any
+
 from contextlib import contextmanager
-from typing import Any, Iterator
+from typing import Iterator
 from uuid import UUID

 import neo4j
 import neo4j.exceptions
-from config.env import env
+
 from django.conf import settings
-from tasks.jobs.attack_paths.config import (
-    BATCH_SIZE,
-    PROVIDER_ID_PROPERTY,
-    PROVIDER_RESOURCE_LABEL,
-)

 from api.attack_paths.retryable_session import RetryableSession
+from config.env import env
+from tasks.jobs.attack_paths.config import (
+    BATCH_SIZE,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
+)

 # Without this Celery goes crazy with Neo4j logging
 logging.getLogger("neo4j").setLevel(logging.ERROR)
@@ -32,7 +35,6 @@ READ_EXCEPTION_CODES = [
    "Neo.ClientError.Statement.AccessMode",
    "Neo.ClientError.Procedure.ProcedureNotFound",
 ]
-CLIENT_STATEMENT_EXCEPTION_PREFIX = "Neo.ClientError.Statement."

 # Module-level process-wide driver singleton
 _driver: neo4j.Driver | None = None
@@ -106,7 +108,6 @@ def get_session(
    except neo4j.exceptions.Neo4jError as exc:
        if (
            default_access_mode == neo4j.READ_ACCESS
-            and exc.code
            and exc.code in READ_EXCEPTION_CODES
        ):
            message = "Read query not allowed"
@@ -114,10 +115,6 @@ def get_session(
            raise WriteQueryNotAllowedException(message=message, code=code)

        message = exc.message if exc.message is not None else str(exc)
-
-        if exc.code and exc.code.startswith(CLIENT_STATEMENT_EXCEPTION_PREFIX):
-            raise ClientStatementException(message=message, code=exc.code)
-
        raise GraphDatabaseQueryException(message=message, code=exc.code)

    finally:
@@ -175,7 +172,7 @@ def drop_subgraph(database: str, provider_id: str) -> int:
            while deleted_count > 0:
                result = session.run(
                    f"""
-                    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+                    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
                    WITH n LIMIT $batch_size
                    DETACH DELETE n
                    RETURN COUNT(n) AS deleted_nodes_count
@@ -193,29 +190,6 @@ def drop_subgraph(database: str, provider_id: str) -> int:
    return deleted_nodes


-def has_provider_data(database: str, provider_id: str) -> bool:
-    """
-    Check if any ProviderResource node exists for this provider.
-
-    Returns `False` if the database doesn't exist.
-    """
-    query = (
-        f"MATCH (n:{PROVIDER_RESOURCE_LABEL} "
-        f"{{{PROVIDER_ID_PROPERTY}: $provider_id}}) "
-        "RETURN 1 LIMIT 1"
-    )
-
-    try:
-        with get_session(database, default_access_mode=neo4j.READ_ACCESS) as session:
-            result = session.run(query, {"provider_id": provider_id})
-            return result.single() is not None
-
-    except GraphDatabaseQueryException as exc:
-        if exc.code == "Neo.ClientError.Database.DatabaseNotFound":
-            return False
-        raise
-
-
 def clear_cache(database: str) -> None:
    query = "CALL db.clearQueryCaches()"

@@ -253,7 +227,3 @@ class GraphDatabaseQueryException(Exception):

 class WriteQueryNotAllowedException(GraphDatabaseQueryException):
    pass
-
-
-class ClientStatementException(GraphDatabaseQueryException):
-    pass
@@ -3,7 +3,7 @@ from api.attack_paths.queries.types import (
    AttackPathsQueryDefinition,
    AttackPathsQueryParameterDefinition,
 )
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROWLER_FINDING_LABEL
+from tasks.jobs.attack_paths.config import PROWLER_FINDING_LABEL


 # Custom Attack Path Queries
@@ -16,7 +16,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
    description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
        WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
@@ -31,7 +32,8 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(

        MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path_s3) + nodes(path_ec2) + nodes(path_role) + nodes(path_assume_role) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -179,12 +181,14 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find EC2 instances flagged as exposed to the internet within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
        WHERE ec2.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -201,14 +205,16 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
    description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
        MATCH path_ec2 = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
        WHERE ec2.exposed_internet = true
            AND ir.range = "0.0.0.0/0"

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
+        YIELD rel AS can_access

        UNWIND nodes(path_ec2) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -225,12 +231,14 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find Classic Load Balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
        WHERE elb.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elb)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elb)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -247,12 +255,14 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
    description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

        MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
        WHERE elbv2.exposed_internet = true

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elbv2)
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elbv2)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -269,15 +279,31 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
    description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
    provider="aws",
    cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
+        YIELD node AS internet

-        MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
-        WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
-           OR (x:EC2Instance AND x.publicipaddress = $ip)
-           OR (x:NetworkInterface AND x.public_ip = $ip)
-           OR (x:ElasticIPAddress AND x.public_ip = $ip)
+        CALL () {{
+            MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2PrivateIp)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x

-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(x)
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2Instance)-[q]-(y)
+            WHERE x.publicipaddress = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:NetworkInterface)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+
+            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:ElasticIPAddress)-[q]-(y)
+            WHERE x.public_ip = $ip
+            RETURN path, x
+        }}
+
+        WITH path, x, internet
+
+        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, x)
+        YIELD rel AS can_access

        UNWIND nodes(path) as n
        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -1,7 +1,7 @@
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROVIDER_RESOURCE_LABEL
+from tasks.jobs.attack_paths.config import DEPRECATED_PROVIDER_RESOURCE_LABEL

 CARTOGRAPHY_SCHEMA_METADATA = f"""
-    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+    MATCH (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL} {{provider_id: $provider_id}})
    WHERE n._module_name STARTS WITH 'cartography:'
      AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
      AND n._module_version IS NOT NULL
@@ -1,5 +1,4 @@
 import logging
-import re

 from typing import Any, Iterable

@@ -13,12 +12,7 @@ from api.attack_paths.queries.schema import (
    RAW_SCHEMA_URL,
 )
 from config.custom_logging import BackendLogger
-from tasks.jobs.attack_paths.config import (
-    INTERNAL_LABELS,
-    INTERNAL_PROPERTIES,
-    PROVIDER_ID_PROPERTY,
-    is_dynamic_isolation_label,
-)
+from tasks.jobs.attack_paths.config import INTERNAL_LABELS, INTERNAL_PROPERTIES

 logger = logging.getLogger(BackendLogger.API)

@@ -123,38 +117,6 @@ def execute_query(

 # Custom query helpers

-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-# Strip string literals so patterns inside quotes don't cause false positives
-# Handles escaped quotes (\' and \") inside strings
-_STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals are stripped before matching to avoid false positives.
-    """
-    stripped = _STRING_LITERALS.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})
-

 def normalize_custom_query_payload(raw_data):
    if not isinstance(raw_data, dict):
@@ -173,8 +135,6 @@ def execute_custom_query(
    cypher: str,
    provider_id: str,
 ) -> dict[str, Any]:
-    validate_custom_query(cypher)
-
    try:
        graph = graph_database.execute_read_query(
            database=database_name,
@@ -183,9 +143,6 @@ def execute_custom_query(
        serialized = _serialize_graph(graph, provider_id)
        return _truncate_graph(serialized)

-    except graph_database.ClientStatementException as exc:
-        raise ValidationError({"query": exc.message})
-
    except graph_database.WriteQueryNotAllowedException:
        raise PermissionDenied(
            "Attack Paths query execution failed: read-only queries are enforced"
@@ -258,7 +215,7 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
    nodes = []
    kept_node_ids = set()
    for node in graph.nodes:
-        if node._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+        if node._properties.get("provider_id") != provider_id:
            continue

        kept_node_ids.add(node.element_id)
@@ -270,15 +227,9 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
            },
        )

-    filtered_count = len(graph.nodes) - len(nodes)
-    if filtered_count > 0:
-        logger.debug(
-            f"Filtered {filtered_count} nodes without matching provider_id={provider_id}"
-        )
-
    relationships = []
    for relationship in graph.relationships:
-        if relationship._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+        if relationship._properties.get("provider_id") != provider_id:
            continue

        if (
@@ -306,11 +257,7 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:


 def _filter_labels(labels: Iterable[str]) -> list[str]:
-    return [
-        label
-        for label in labels
-        if label not in INTERNAL_LABELS and not is_dynamic_isolation_label(label)
-    ]
+    return [label for label in labels if label not in INTERNAL_LABELS]


 def _serialize_properties(properties: dict[str, Any]) -> dict[str, Any]:
@@ -18,7 +18,6 @@ from django.db import (
 )
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
-from psycopg2 import sql as psycopg2_sql
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError

@@ -281,23 +280,15 @@ class PostgresEnumMigration:
        self.enum_values = enum_values

    def create_enum_type(self, apps, schema_editor):  # noqa: F841
+        string_enum_values = ", ".join([f"'{value}'" for value in self.enum_values])
        with schema_editor.connection.cursor() as cursor:
            cursor.execute(
-                psycopg2_sql.SQL("CREATE TYPE {} AS ENUM ({})").format(
-                    psycopg2_sql.Identifier(self.enum_name),
-                    psycopg2_sql.SQL(", ").join(
-                        psycopg2_sql.Literal(v) for v in self.enum_values
-                    ),
-                )
+                f"CREATE TYPE {self.enum_name} AS ENUM ({string_enum_values});"
            )

    def drop_enum_type(self, apps, schema_editor):  # noqa: F841
        with schema_editor.connection.cursor() as cursor:
-            cursor.execute(
-                psycopg2_sql.SQL("DROP TYPE {}").format(
-                    psycopg2_sql.Identifier(self.enum_name)
-                )
-            )
+            cursor.execute(f"DROP TYPE {self.enum_name};")


 class PostgresEnumField(models.Field):
@@ -1,39 +0,0 @@
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0083_image_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                    ("cloudflare", "Cloudflare"),
-                    ("openstack", "OpenStack"),
-                    ("image", "Image"),
-                    ("googleworkspace", "Google Workspace"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'googleworkspace';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
@@ -1,31 +0,0 @@
-# Generated by Django 5.1.15 on 2026-03-18
-
-from django.contrib.postgres.indexes import GinIndex, OpClass
-from django.contrib.postgres.operations import AddIndexConcurrently
-from django.db import migrations
-from django.db.models.functions import Upper
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0084_googleworkspace_provider"),
-    ]
-
-    operations = [
-        AddIndexConcurrently(
-            model_name="findinggroupdailysummary",
-            index=GinIndex(
-                OpClass(Upper("check_id"), name="gin_trgm_ops"),
-                name="fgds_check_id_trgm_idx",
-            ),
-        ),
-        AddIndexConcurrently(
-            model_name="findinggroupdailysummary",
-            index=GinIndex(
-                OpClass(Upper("check_title"), name="gin_trgm_ops"),
-                name="fgds_check_title_trgm_idx",
-            ),
-        ),
-    ]
@@ -293,7 +293,6 @@ class Provider(RowLevelSecurityProtectedModel):
        CLOUDFLARE = "cloudflare", _("Cloudflare")
        OPENSTACK = "openstack", _("OpenStack")
        IMAGE = "image", _("Image")
-        GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")

    @staticmethod
    def validate_aws_uid(value):
@@ -343,15 +342,6 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

-    @staticmethod
-    def validate_googleworkspace_uid(value):
-        if not re.match(r"^C[0-9a-zA-Z]+$", value):
-            raise ModelValidationError(
-                detail="Google Workspace Customer ID must start with 'C' followed by one or more alphanumeric characters (e.g., C01234abc, C12345678).",
-                code="googleworkspace-uid",
-                pointer="/data/attributes/uid",
-            )
-
    @staticmethod
    def validate_kubernetes_uid(value):
        if not re.match(
@@ -1783,15 +1773,6 @@ class FindingGroupDailySummary(RowLevelSecurityProtectedModel):
                fields=["tenant_id", "provider", "inserted_at"],
                name="fgds_tenant_prov_ins_idx",
            ),
-            # Trigram indexes for case-insensitive search
-            GinIndex(
-                OpClass(Upper("check_id"), name="gin_trgm_ops"),
-                name="fgds_check_id_trgm_idx",
-            ),
-            GinIndex(
-                OpClass(Upper("check_title"), name="gin_trgm_ops"),
-                name="fgds_check_title_trgm_idx",
-            ),
        ]

    class JSONAPIMeta:
@@ -9,10 +9,6 @@ from rest_framework.exceptions import APIException, PermissionDenied, Validation

 from api.attack_paths import database as graph_database
 from api.attack_paths import views_helpers
-from tasks.jobs.attack_paths.config import (
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
-)


 def _make_neo4j_error(message, code):
@@ -112,7 +108,7 @@ def test_execute_query_serializes_graph(
        labels=["AWSAccount"],
        properties={
            "name": "account",
-            PROVIDER_ID_PROPERTY: provider_id,
+            "provider_id": provider_id,
            "complex": {
                "items": [
                    attack_paths_graph_stub_classes.NativeValue("value"),
@@ -122,14 +118,14 @@ def test_execute_query_serializes_graph(
        },
    )
    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
    )
    relationship = attack_paths_graph_stub_classes.Relationship(
        element_id="rel-1",
        rel_type="OWNS",
        start_node=node,
        end_node=node_2,
-        properties={"weight": 1, PROVIDER_ID_PROPERTY: provider_id},
+        properties={"weight": 1, "provider_id": provider_id},
    )
    graph = SimpleNamespace(nodes=[node, node_2], relationships=[relationship])

@@ -217,20 +213,20 @@ def test_serialize_graph_filters_by_provider_id(attack_paths_graph_stub_classes)
    provider_id = "provider-keep"

    node_keep = attack_paths_graph_stub_classes.Node(
-        "n1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+        "n1", ["AWSAccount"], {"provider_id": provider_id}
    )
    node_drop = attack_paths_graph_stub_classes.Node(
-        "n2", ["AWSAccount"], {PROVIDER_ID_PROPERTY: "provider-other"}
+        "n2", ["AWSAccount"], {"provider_id": "provider-other"}
    )

    rel_keep = attack_paths_graph_stub_classes.Relationship(
-        "r1", "OWNS", node_keep, node_keep, {PROVIDER_ID_PROPERTY: provider_id}
+        "r1", "OWNS", node_keep, node_keep, {"provider_id": provider_id}
    )
    rel_drop_by_provider = attack_paths_graph_stub_classes.Relationship(
-        "r2", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: "provider-other"}
+        "r2", "OWNS", node_keep, node_drop, {"provider_id": "provider-other"}
    )
    rel_drop_orphaned = attack_paths_graph_stub_classes.Relationship(
-        "r3", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: provider_id}
+        "r3", "OWNS", node_keep, node_drop, {"provider_id": provider_id}
    )

    graph = SimpleNamespace(
@@ -354,8 +350,10 @@ def test_serialize_properties_filters_internal_fields():
        "_module_name": "cartography:aws",
        "_module_version": "0.98.0",
        # Provider isolation
-        PROVIDER_ID_PROPERTY: "42",
-        PROVIDER_ELEMENT_ID_PROPERTY: "42:abc123",
+        "_provider_id": "42",
+        "_provider_element_id": "42:abc123",
+        "provider_id": "42",
+        "provider_element_id": "42:abc123",
    }

    result = views_helpers._serialize_properties(properties)
@@ -363,14 +361,6 @@ def test_serialize_properties_filters_internal_fields():
    assert result == {"name": "prod"}


-def test_filter_labels_strips_dynamic_isolation_labels():
-    labels = ["AWSRole", "_Tenant_abc123", "_Provider_def456", "_ProviderResource"]
-
-    result = views_helpers._filter_labels(labels)
-
-    assert result == ["AWSRole"]
-
-
 def test_serialize_graph_as_text_node_without_properties():
    graph = {
        "nodes": [{"id": "n1", "labels": ["AWSAccount"], "properties": {}}],
@@ -450,13 +440,13 @@ def test_execute_custom_query_serializes_graph(
 ):
    provider_id = "test-provider-123"
    node_1 = attack_paths_graph_stub_classes.Node(
-        "node-1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-1", ["AWSAccount"], {"provider_id": provider_id}
    )
    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
+        "node-2", ["RDSInstance"], {"provider_id": provider_id}
    )
    relationship = attack_paths_graph_stub_classes.Relationship(
-        "rel-1", "OWNS", node_1, node_2, {PROVIDER_ID_PROPERTY: provider_id}
+        "rel-1", "OWNS", node_1, node_2, {"provider_id": provider_id}
    )

    graph_result = MagicMock()
@@ -511,72 +501,6 @@ def test_execute_custom_query_wraps_graph_errors():
    mock_logger.error.assert_called_once()


-# -- validate_custom_query ------------------------------------------------
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-        "load csv from 'http://evil.com' as row return row",
-        "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-        "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-        "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-        "CALL apoc.export.csv.all('file.csv', {})",
-        "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-        "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        "CALL apoc.config.list() YIELD key, value RETURN key, value",
-        "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-        "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-        "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-        "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-    ],
-    ids=[
-        "LOAD_CSV",
-        "LOAD_CSV_lowercase",
-        "apoc.load.json",
-        "apoc.load.csvParams",
-        "apoc.import.csv",
-        "apoc.export.csv",
-        "apoc.cypher.run",
-        "apoc.systemdb.graph",
-        "apoc.config.list",
-        "apoc.periodic.iterate",
-        "apoc.do.when",
-        "apoc.trigger.add",
-        "apoc.custom.asProcedure",
-    ],
-)
-def test_validate_custom_query_rejects_blocked_patterns(cypher):
-    with pytest.raises(ValidationError) as exc:
-        views_helpers.validate_custom_query(cypher)
-
-    assert "blocked operation" in str(exc.value.detail)
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-        "MATCH (a)-[r]->(b) RETURN a, r, b",
-        "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-        "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-        "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-        'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-    ],
-    ids=[
-        "simple_match",
-        "traversal",
-        "contains_load_substring",
-        "apoc_virtual_node",
-        "apoc_load_inside_single_quotes",
-        "load_csv_inside_double_quotes",
-    ],
-)
-def test_validate_custom_query_allows_clean_queries(cypher):
-    views_helpers.validate_custom_query(cypher)
-
-
 # -- _truncate_graph ----------------------------------------------------------


@@ -442,78 +442,3 @@ class TestThreadSafety:
        # All threads got the same driver instance
        assert all(r is mock_driver for r in results)
        assert len(results) == 10
-
-
-class TestHasProviderData:
-    """Test has_provider_data helper for checking provider nodes in Neo4j."""
-
-    def test_returns_true_when_nodes_exist(self):
-        import api.attack_paths.database as db_module
-
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = MagicMock()  # non-None record
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is True
-
-        mock_session.run.assert_called_once()
-
-    def test_returns_false_when_no_nodes(self):
-        import api.attack_paths.database as db_module
-
-        mock_session = MagicMock()
-        mock_result = MagicMock()
-        mock_result.single.return_value = None
-        mock_session.run.return_value = mock_result
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.return_value = mock_session
-        session_ctx.__exit__.return_value = False
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert db_module.has_provider_data("db-tenant-abc", "provider-123") is False
-
-    def test_returns_false_when_database_not_found(self):
-        import api.attack_paths.database as db_module
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Database does not exist",
-            code="Neo.ClientError.Database.DatabaseNotFound",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            assert (
-                db_module.has_provider_data("db-tenant-gone", "provider-123") is False
-            )
-
-    def test_raises_on_other_errors(self):
-        import api.attack_paths.database as db_module
-
-        session_ctx = MagicMock()
-        session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
-            message="Connection refused",
-            code="Neo.TransientError.General.UnknownError",
-        )
-
-        with patch(
-            "api.attack_paths.database.get_session",
-            return_value=session_ctx,
-        ):
-            with pytest.raises(db_module.GraphDatabaseQueryException):
-                db_module.has_provider_data("db-tenant-abc", "provider-123")
@@ -6,12 +6,10 @@ import pytest
 from django.conf import settings
 from django.db import DEFAULT_DB_ALIAS, OperationalError
 from freezegun import freeze_time
-from psycopg2 import sql as psycopg2_sql
 from rest_framework_json_api.serializers import ValidationError

 from api.db_utils import (
    POSTGRES_TENANT_VAR,
-    PostgresEnumMigration,
    _should_create_index_on_partition,
    batch_delete,
    create_objects_in_batches,
@@ -912,61 +910,3 @@ class TestRlsTransaction:
            cursor.execute("SELECT 1")
            result = cursor.fetchone()
            assert result[0] == 1
-
-
-class TestPostgresEnumMigration:
-    """
-    Verify that PostgresEnumMigration builds DDL statements via psycopg2.sql
-    so that enum type names and values are always properly quoted — preventing
-    SQL injection through f-string interpolation.
-    """
-
-    def _make_mock_schema_editor(self):
-        mock_cursor = MagicMock()
-        mock_conn = MagicMock()
-        mock_conn.cursor.return_value.__enter__ = MagicMock(return_value=mock_cursor)
-        mock_conn.cursor.return_value.__exit__ = MagicMock(return_value=False)
-        mock_schema_editor = MagicMock()
-        mock_schema_editor.connection = mock_conn
-        return mock_schema_editor, mock_cursor
-
-    def test_create_enum_type_generates_correct_sql(self):
-        """create_enum_type builds a proper CREATE TYPE … AS ENUM via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a", "val_b"))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.create_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "create_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: CREATE TYPE <Identifier> AS ENUM (<Literals>)
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("CREATE TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)
-        assert parts[2] == psycopg2_sql.SQL(" AS ENUM (")
-        # The enum values are a Composed of Literal items joined by ", "
-        enum_literals = [p for p in parts[3].seq if isinstance(p, psycopg2_sql.Literal)]
-        assert [lit._wrapped for lit in enum_literals] == ["val_a", "val_b"]
-        assert parts[4] == psycopg2_sql.SQL(")")
-
-    def test_drop_enum_type_generates_correct_sql(self):
-        """drop_enum_type builds a proper DROP TYPE via psycopg2.sql."""
-        migration = PostgresEnumMigration("my_enum", ("val_a",))
-        schema_editor, mock_cursor = self._make_mock_schema_editor()
-
-        migration.drop_enum_type(apps=None, schema_editor=schema_editor)
-
-        mock_cursor.execute.assert_called_once()
-        query_arg = mock_cursor.execute.call_args[0][0]
-        assert isinstance(
-            query_arg, psycopg2_sql.Composable
-        ), "drop_enum_type must pass a psycopg2.sql.Composable, not a raw string."
-        # Verify the composed SQL structure: DROP TYPE <Identifier>
-        parts = query_arg.seq
-        assert parts[0] == psycopg2_sql.SQL("DROP TYPE ")
-        assert isinstance(parts[1], psycopg2_sql.Identifier)
-        assert parts[1].strings == ("my_enum",)
@@ -23,9 +23,6 @@ from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.googleworkspace.googleworkspace_provider import (
-    GoogleworkspaceProvider,
-)
 from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.image.image_provider import ImageProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -116,7 +113,6 @@ class TestReturnProwlerProvider:
        [
            (Provider.ProviderChoices.AWS.value, AwsProvider),
            (Provider.ProviderChoices.GCP.value, GcpProvider),
-            (Provider.ProviderChoices.GOOGLEWORKSPACE.value, GoogleworkspaceProvider),
            (Provider.ProviderChoices.AZURE.value, AzureProvider),
            (Provider.ProviderChoices.KUBERNETES.value, KubernetesProvider),
            (Provider.ProviderChoices.M365.value, M365Provider),
@@ -252,10 +248,6 @@ class TestGetProwlerProviderKwargs:
                Provider.ProviderChoices.GCP.value,
                {"project_ids": ["provider_uid"]},
            ),
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                {},
-            ),
            (
                Provider.ProviderChoices.KUBERNETES.value,
                {"context": "provider_uid"},
@@ -1190,26 +1190,6 @@ class TestProviderViewSet:
                    "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                    "alias": "OpenStack Project",
                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C01234abc",
-                    "alias": "Google Workspace Customer",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12345678",
-                    "alias": "Google Workspace All Digits",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "CABCDEF123",
-                    "alias": "Google Workspace Uppercase",
-                },
-                {
-                    "provider": "googleworkspace",
-                    "uid": "C12",
-                    "alias": "Google Workspace Minimum Length",
-                },
            ]
        ),
    )
@@ -1362,11 +1342,7 @@ class TestProviderViewSet:
        response = authenticated_client.post(
            reverse("provider-list"), data=provider_json_payload, format="json"
        )
-        assert response.status_code == status.HTTP_409_CONFLICT
-        error = response.json()["errors"][0]
-        assert error["detail"] == "Provider already exists."
-        assert error["code"] == "conflict"
-        assert error["source"]["pointer"] == "/data/attributes/uid"
+        assert response.status_code == status.HTTP_400_BAD_REQUEST

        mock_delete_task.reset_mock()
        mock_delete_task.return_value = task_mock
@@ -1658,36 +1634,6 @@ class TestProviderViewSet:
                    "min_length",
                    "uid",
                ),
-                # Google Workspace UID validation - missing 'C' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "01234abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - contains special characters
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "C0123-abc",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
-                # Google Workspace UID validation - lowercase 'c' prefix
-                (
-                    {
-                        "provider": "googleworkspace",
-                        "uid": "c12345678",
-                        "alias": "test",
-                    },
-                    "googleworkspace-uid",
-                    "uid",
-                ),
            ]
        ),
    )
@@ -1861,21 +1807,21 @@ class TestProviderViewSet:
                (
                    "uid.icontains",
                    "1",
-                    11,
+                    10,
                ),
                ("alias", "aws_testing_1", 1),
                ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 12),
+                ("inserted_at", TODAY, 11),
                (
                    "inserted_at.gte",
                    "2024-01-01",
-                    12,
+                    11,
                ),
                ("inserted_at.lte", "2024-01-01", 0),
                (
                    "updated_at.gte",
                    "2024-01-01",
-                    12,
+                    11,
                ),
                ("updated_at.lte", "2024-01-01", 0),
            ]
@@ -2491,15 +2437,6 @@ class TestProviderSecretViewSet:
                    "clouds_yaml_cloud": "mycloud",
                },
            ),
-            # Google Workspace with service account credentials
-            (
-                Provider.ProviderChoices.GOOGLEWORKSPACE.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "credentials_content": '{"type": "service_account", "project_id": "test-project", "private_key_id": "key123", "private_key": "-----BEGIN PRIVATE KEY-----\\ntest\\n-----END PRIVATE KEY-----\\n", "client_email": "test@test-project.iam.gserviceaccount.com", "client_id": "123456789"}',
-                    "delegated_user": "admin@example.com",
-                },
-            ),
        ],
    )
    def test_provider_secrets_create_valid(
@@ -3810,12 +3747,6 @@ class TestTaskViewSet:

@pytest.mark.django_db
 class TestAttackPathsScanViewSet:
-    @pytest.fixture(autouse=True)
-    def _clear_throttle_cache(self):
-        from django.core.cache import cache
-
-        cache.clear()
-
    @staticmethod
    def _run_payload(query_id="aws-rds", parameters=None):
        return {
@@ -4417,6 +4348,8 @@ class TestAttackPathsScanViewSet:
            }
        }

+    # TODO: Remove skip once queries/custom and schema endpoints are unblocked
+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_graph(
        self,
        authenticated_client,
@@ -4474,6 +4407,7 @@ class TestAttackPathsScanViewSet:
        assert attributes["total_nodes"] == 1
        assert attributes["truncated"] is False

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_text_when_accept_text_plain(
        self,
        authenticated_client,
@@ -4528,6 +4462,7 @@ class TestAttackPathsScanViewSet:
        assert "## Relationships (0)" in body
        assert "## Summary" in body

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_404_when_no_nodes(
        self,
        authenticated_client,
@@ -4569,6 +4504,7 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_404_NOT_FOUND

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -4595,6 +4531,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_400_BAD_REQUEST
        assert "not available" in response.json()["errors"][0]["detail"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_run_custom_query_returns_403_for_write_query(
        self,
        authenticated_client,
@@ -4632,343 +4569,9 @@ class TestAttackPathsScanViewSet:

        assert response.status_code == status.HTTP_403_FORBIDDEN

-    # -- SSRF blocklist (HTTP level) ----------------------------------------------
-
-    @pytest.mark.parametrize(
-        "cypher",
-        [
-            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-            "CALL apoc.export.csv.all('file.csv', {})",
-            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        ],
-        ids=[
-            "LOAD_CSV",
-            "apoc.load",
-            "apoc.import",
-            "apoc.export",
-            "apoc.cypher.run",
-            "apoc.systemdb",
-        ],
-    )
-    def test_run_custom_query_rejects_ssrf_patterns(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-        cypher,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(cypher),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        assert "blocked" in response.json()["errors"][0]["detail"].lower()
-
-    # -- Cross-tenant isolation ---------------------------------------------------
-
-    def test_run_custom_query_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789999",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        with patch(
-            "api.v1.views.graph_database.get_database_name",
-            return_value="db-test",
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    def test_cartography_schema_returns_404_for_foreign_tenant(
-        self,
-        authenticated_client,
-        create_attack_paths_scan,
-    ):
-        from api.models import Provider, Tenant
-
-        foreign_tenant = Tenant.objects.create(name="foreign-tenant-schema")
-        foreign_provider = Provider.objects.create(
-            tenant=foreign_tenant,
-            provider="aws",
-            uid="123456789998",
-        )
-        attack_paths_scan = create_attack_paths_scan(
-            foreign_provider,
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_404_NOT_FOUND
-
-    # -- Authentication / authorization -------------------------------------------
-
-    def test_run_custom_query_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_cartography_schema_returns_401_unauthenticated(
-        self,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.test import APIClient
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        unauthenticated = APIClient()
-        response = unauthenticated.get(
-            reverse(
-                "attack-paths-scans-schema",
-                kwargs={"pk": attack_paths_scan.id},
-            )
-        )
-
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
-
-    def test_run_custom_query_returns_403_no_manage_scans(
-        self,
-        authenticated_client_no_permissions_rbac,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        response = authenticated_client_no_permissions_rbac.post(
-            reverse(
-                "attack-paths-scans-queries-custom",
-                kwargs={"pk": attack_paths_scan.id},
-            ),
-            data=self._custom_query_payload(),
-            content_type=API_JSON_CONTENT_TYPE,
-        )
-
-        assert response.status_code == status.HTTP_403_FORBIDDEN
-
-    # -- Error leakage ------------------------------------------------------------
-
-    def test_run_custom_query_does_not_leak_internals_on_error(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-        body = json.dumps(response.json()).lower()
-        for forbidden_term in ["neo4j", "bolt://", "syntaxerror", "db-tenant-"]:
-            assert forbidden_term not in body
-
-    # -- Rate limiting (throttle) -------------------------------------------------
-
-    def test_run_custom_query_throttled_after_limit(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        mock_graph = {
-            "nodes": [{"id": "n1", "labels": ["Test"], "properties": {}}],
-            "relationships": [],
-            "total_nodes": 1,
-            "truncated": False,
-        }
-
-        url = reverse(
-            "attack-paths-scans-queries-custom",
-            kwargs={"pk": attack_paths_scan.id},
-        )
-        payload = self._custom_query_payload()
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                return_value=mock_graph,
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-            patch(
-                "api.v1.views.graph_database.clear_cache",
-            ),
-        ):
-            for i in range(11):
-                response = authenticated_client.post(
-                    url,
-                    data=payload,
-                    content_type=API_JSON_CONTENT_TYPE,
-                )
-                if i < 10:
-                    assert (
-                        response.status_code == status.HTTP_200_OK
-                    ), f"Request {i + 1} should succeed with 200 OK, got {response.status_code}"
-                else:
-                    assert (
-                        response.status_code == status.HTTP_429_TOO_MANY_REQUESTS
-                    ), f"Request {i + 1} should be throttled"
-
-    # -- Timeout simulation -------------------------------------------------------
-
-    def test_run_custom_query_returns_500_on_database_timeout(
-        self,
-        authenticated_client,
-        providers_fixture,
-        scans_fixture,
-        create_attack_paths_scan,
-    ):
-        from rest_framework.exceptions import APIException
-
-        provider = providers_fixture[0]
-        attack_paths_scan = create_attack_paths_scan(
-            provider,
-            scan=scans_fixture[0],
-            graph_data_ready=True,
-        )
-
-        with (
-            patch(
-                "api.v1.views.attack_paths_views_helpers.execute_custom_query",
-                side_effect=APIException(
-                    "Attack Paths query execution failed due to a database error"
-                ),
-            ),
-            patch(
-                "api.v1.views.graph_database.get_database_name",
-                return_value="db-test",
-            ),
-        ):
-            response = authenticated_client.post(
-                reverse(
-                    "attack-paths-scans-queries-custom",
-                    kwargs={"pk": attack_paths_scan.id},
-                ),
-                data=self._custom_query_payload(),
-                content_type=API_JSON_CONTENT_TYPE,
-            )
-
-        assert response.status_code == status.HTTP_500_INTERNAL_SERVER_ERROR
-
    # -- cartography_schema action ------------------------------------------------

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_urls(
        self,
        authenticated_client,
@@ -5018,6 +4621,7 @@ class TestAttackPathsScanViewSet:
        assert "schema.md" in attributes["schema_url"]
        assert "raw.githubusercontent.com" in attributes["raw_schema_url"]

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_404_when_no_metadata(
        self,
        authenticated_client,
@@ -5052,6 +4656,7 @@ class TestAttackPathsScanViewSet:
        assert response.status_code == status.HTTP_404_NOT_FOUND
        assert "No cartography schema metadata" in str(response.json())

+    @pytest.mark.skip(reason="Endpoint temporarily blocked")
    def test_cartography_schema_returns_400_when_graph_not_ready(
        self,
        authenticated_client,
@@ -7858,12 +7463,8 @@ class TestUserRoleRelationshipViewSet:
        assert response.status_code == status.HTTP_204_NO_CONTENT
        relationships = UserRoleRelationship.objects.filter(user=create_test_user.id)
        assert relationships.count() == 4
-        # Use set membership instead of positional slicing — QuerySet ordering is
-        # non-deterministic without an explicit order_by, which makes slice-based
-        # checks intermittently fail.
-        added_role_ids = {r.id for r in roles_fixture[:2]}
-        relationship_role_ids = {rel.role.id for rel in relationships}
-        assert added_role_ids.issubset(relationship_role_ids)
+        for relationship in relationships[2:]:  # Skip admin role
+            assert relationship.role.id in [r.id for r in roles_fixture[:2]]

    def test_create_relationship_already_exists(
        self, authenticated_client, roles_fixture, create_test_user
@@ -27,9 +27,6 @@ if TYPE_CHECKING:
    from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
    from prowler.providers.gcp.gcp_provider import GcpProvider
    from prowler.providers.github.github_provider import GithubProvider
-    from prowler.providers.googleworkspace.googleworkspace_provider import (
-        GoogleworkspaceProvider,
-    )
    from prowler.providers.iac.iac_provider import IacProvider
    from prowler.providers.image.image_provider import ImageProvider
    from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
@@ -86,7 +83,6 @@ def return_prowler_provider(
    | CloudflareProvider
    | GcpProvider
    | GithubProvider
-    | GoogleworkspaceProvider
    | IacProvider
    | ImageProvider
    | KubernetesProvider
@@ -101,7 +97,7 @@ def return_prowler_provider(
        provider (Provider): The provider object containing the provider type and associated secrets.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.

    Raises:
        ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -115,12 +111,6 @@ def return_prowler_provider(
            from prowler.providers.gcp.gcp_provider import GcpProvider

            prowler_provider = GcpProvider
-        case Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-            from prowler.providers.googleworkspace.googleworkspace_provider import (
-                GoogleworkspaceProvider,
-            )
-
-            prowler_provider = GoogleworkspaceProvider
        case Provider.ProviderChoices.AZURE.value:
            from prowler.providers.azure.azure_provider import AzureProvider

@@ -273,7 +263,6 @@ def initialize_prowler_provider(
    | CloudflareProvider
    | GcpProvider
    | GithubProvider
-    | GoogleworkspaceProvider
    | IacProvider
    | ImageProvider
    | KubernetesProvider
@@ -289,7 +278,7 @@ def initialize_prowler_provider(
        mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | GoogleworkspaceProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
+        AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
            initialized with the provider's secrets.
    """
    prowler_provider = return_prowler_provider(provider)
@@ -191,22 +191,6 @@ from rest_framework_json_api import serializers
                },
                "required": ["service_account_key"],
            },
-            {
-                "type": "object",
-                "title": "Google Workspace Service Account",
-                "properties": {
-                    "credentials_content": {
-                        "type": "string",
-                        "description": "The service account JSON credentials content for Google Workspace API access with domain-wide delegation enabled.",
-                    },
-                    "delegated_user": {
-                        "type": "string",
-                        "format": "email",
-                        "description": "The email address of the Google Workspace super admin user to impersonate for domain-wide delegation.",
-                    },
-                },
-                "required": ["credentials_content", "delegated_user"],
-            },
            {
                "type": "object",
                "title": "Kubernetes Static Credentials",
@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import update_last_login
 from django.contrib.auth.password_validation import validate_password
-from django.core.exceptions import ValidationError as DjangoValidationError
 from django.db import IntegrityError
 from drf_spectacular.utils import extend_schema_field
 from jwt.exceptions import InvalidKeyError
@@ -960,26 +959,6 @@ class ProviderCreateSerializer(RLSSerializer, BaseWriteSerializer):
            },
        }

-    def create(self, validated_data):
-        try:
-            return super().create(validated_data)
-        except DjangoValidationError as e:
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-        except IntegrityError as e:
-            # Handle race conditions where the unique constraint is enforced at the DB level
-            # after validation has already passed.
-            if "unique_provider_uids" in str(e):
-                raise ConflictException(
-                    detail="Provider already exists.",
-                    pointer="/data/attributes/uid",
-                )
-            raise
-

 class ProviderUpdateSerializer(BaseWriteSerializer):
    """
@@ -1241,7 +1220,7 @@ class AttackPathsQueryRunRequestSerializer(BaseSerializerV1):


 class AttackPathsCustomQueryRunRequestSerializer(BaseSerializerV1):
-    query = serializers.CharField(max_length=10000, min_length=1, trim_whitespace=True)
+    query = serializers.CharField()

    class JSONAPIMeta:
        resource_name = "attack-paths-custom-query-run-requests"
@@ -1541,8 +1520,6 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = AzureProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GCP.value:
                serializer = GCPProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.GOOGLEWORKSPACE.value:
-                serializer = GoogleWorkspaceProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.GITHUB.value:
                serializer = GithubProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.IAC.value:
@@ -1678,14 +1655,6 @@ class GCPServiceAccountProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


-class GoogleWorkspaceProviderSecret(serializers.Serializer):
-    credentials_content = serializers.CharField()
-    delegated_user = serializers.EmailField()
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class MongoDBAtlasProviderSecret(serializers.Serializer):
    atlas_public_key = serializers.CharField()
    atlas_private_key = serializers.CharField()
@@ -51,13 +51,6 @@ from api.v1.views import (
 )


-# This helper view is used to block any endpoints that should not be available
-# To use it, add a new entry in the `urlpatterns` list, for example (old but real one):
-#     path(
-#         "attack-paths-scans/<uuid:pk>/queries/custom",
-#         _blocked_endpoint,
-#         name="attack-paths-scans-queries-custom-blocked",
-#     ),
@csrf_exempt
 def _blocked_endpoint(request, *args, **kwargs):
    return JsonResponse(
@@ -216,6 +209,17 @@ urlpatterns = [
    path("tokens/saml", SAMLTokenValidateView.as_view(), name="token-saml"),
    path("tokens/google", GoogleSocialLoginView.as_view(), name="token-google"),
    path("tokens/github", GithubSocialLoginView.as_view(), name="token-github"),
+    # TODO: Remove these blocked endpoints once they are properly tested
+    path(
+        "attack-paths-scans/<uuid:pk>/queries/custom",
+        _blocked_endpoint,
+        name="attack-paths-scans-queries-custom-blocked",
+    ),
+    path(
+        "attack-paths-scans/<uuid:pk>/schema",
+        _blocked_endpoint,
+        name="attack-paths-scans-schema-blocked",
+    ),
    path("", include(router.urls)),
    path("", include(tenants_router.urls)),
    path("", include(users_router.urls)),
@@ -3,7 +3,6 @@ import glob
 import json
 import logging
 import os
-import time

 from collections import defaultdict
 from copy import deepcopy
@@ -408,7 +407,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.23.0"
+        spectacular_settings.VERSION = "1.20.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -2452,11 +2451,6 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
    # RBAC required permissions
    required_permissions = [Permissions.MANAGE_SCANS]

-    def get_throttles(self):
-        if self.action == "run_custom_attack_paths_query":
-            self.throttle_scope = "attack-paths-custom-query"
-        return super().get_throttles()
-
    def set_required_permissions(self):
        if self.request.method in SAFE_METHODS:
            self.required_permissions = []
@@ -2576,35 +2570,14 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
            provider_id,
        )

-        start = time.monotonic()
        graph = attack_paths_views_helpers.execute_query(
            database_name,
            query_definition,
            parameters,
            provider_id,
        )
-        query_duration = time.monotonic() - start
        graph_database.clear_cache(database_name)

-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "query_id": query_definition.id,
-                    "provider": query_definition.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
        status_code = status.HTTP_200_OK
        if not graph.get("nodes"):
            status_code = status.HTTP_404_NOT_FOUND
@@ -2645,35 +2618,13 @@ class AttackPathsScanViewSet(BaseRLSViewSet):
        )
        provider_id = str(attack_paths_scan.provider_id)

-        start = time.monotonic()
        graph = attack_paths_views_helpers.execute_custom_query(
            database_name,
            serializer.validated_data["query"],
            provider_id,
        )
-        query_duration = time.monotonic() - start
        graph_database.clear_cache(database_name)

-        query_length = len(serializer.validated_data["query"])
-        result_nodes = len(graph.get("nodes", []))
-        result_relationships = len(graph.get("relationships", []))
-        logger.info(
-            "attack_paths_custom_query_run",
-            extra={
-                "user_id": str(request.user.id),
-                "tenant_id": str(attack_paths_scan.provider.tenant_id),
-                "metadata": {
-                    "provider": attack_paths_scan.provider.provider,
-                    "scan_id": pk,
-                    "provider_id": provider_id,
-                    "query_length": query_length,
-                    "result_nodes": result_nodes,
-                    "result_relationships": result_relationships,
-                    "query_duration": round(query_duration, 3),
-                },
-            },
-        )
-
        status_code = status.HTTP_200_OK
        if not graph.get("nodes"):
            status_code = status.HTTP_404_NOT_FOUND
@@ -2,7 +2,6 @@ import json
 import logging
 from enum import StrEnum

-
 from config.env import env
 from django_guid.log_filters import CorrelationId

@@ -63,8 +62,6 @@ class NDJSONFormatter(logging.Formatter):
            log_record["duration"] = record.duration
        if hasattr(record, "status_code"):
            log_record["status_code"] = record.status_code
-        if hasattr(record, "metadata"):
-            log_record["metadata"] = record.metadata

        if record.exc_info:
            log_record["exc_info"] = self.formatException(record.exc_info)
@@ -110,8 +107,6 @@ class HumanReadableFormatter(logging.Formatter):
            log_components.append(f"done in {record.duration}s:")
        if hasattr(record, "status_code"):
            log_components.append(f"{record.status_code}")
-        if hasattr(record, "metadata"):
-            log_components.append(f"metadata={record.metadata}")

        if record.exc_info:
            log_components.append(self.formatException(record.exc_info))
@@ -113,11 +113,8 @@ REST_FRAMEWORK = {
        "rest_framework.throttling.ScopedRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
-        "dj_rest_auth": None,
        "token-obtain": env("DJANGO_THROTTLE_TOKEN_OBTAIN", default=None),
-        "attack-paths-custom-query": env(
-            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
-        ),
+        "dj_rest_auth": None,
    },
 }

@@ -3,10 +3,6 @@ from config.env import env

 DEBUG = env.bool("DJANGO_DEBUG", default=False)
 ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["localhost", "127.0.0.1"])
-CORS_ALLOWED_ORIGINS = env.list(
-    "DJANGO_CORS_ALLOWED_ORIGINS",
-    default=["http://localhost", "http://127.0.0.1"],
-)

 # Database
 # TODO Use Django database routers https://docs.djangoproject.com/en/5.0/topics/db/multi-db/#automatic-database-routing
@@ -543,12 +543,6 @@ def providers_fixture(tenants_fixture):
        alias="openstack_testing",
        tenant_id=tenant.id,
    )
-    provider12 = Provider.objects.create(
-        provider="googleworkspace",
-        uid="C12345678",
-        alias="googleworkspace_testing",
-        tenant_id=tenant.id,
-    )

    return (
        provider1,
@@ -562,7 +556,6 @@ def providers_fixture(tenants_fixture):
        provider9,
        provider10,
        provider11,
-        provider12,
    )


@@ -43,7 +43,6 @@ def start_aws_ingestion(
        "aws_guardduty_severity_threshold": cartography_config.aws_guardduty_severity_threshold,
        "aws_cloudtrail_management_events_lookback_hours": cartography_config.aws_cloudtrail_management_events_lookback_hours,
        "experimental_aws_inspector_batch": cartography_config.experimental_aws_inspector_batch,
-        "aws_tagging_api_cleanup_batch": cartography_config.aws_tagging_api_cleanup_batch,
    }

    boto3_session = get_boto3_session(prowler_api_provider, prowler_sdk_provider)
@@ -117,30 +116,6 @@ def start_aws_ingestion(
        neo4j_session,
        common_job_parameters,
    )
-
-    if all(
-        s in requested_syncs
-        for s in ["ecs", "ec2:load_balancer_v2", "ec2:load_balancer_v2:expose"]
-    ):
-        logger.info(
-            f"Syncing lb_container_exposure scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_container_exposure.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
-    if all(s in requested_syncs for s in ["ec2:network_acls", "ec2:load_balancer_v2"]):
-        logger.info(
-            f"Syncing lb_nacl_direct scoped analysis for AWS account {prowler_api_provider.uid}"
-        )
-        cartography_aws.run_scoped_analysis_job(
-            "aws_lb_nacl_direct.json",
-            neo4j_session,
-            common_job_parameters,
-        )
-
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 91)

    logger.info(f"Syncing metadata for AWS account {prowler_api_provider.uid}")
@@ -264,9 +239,8 @@ def sync_aws_account(
                failed_syncs[func_name] = exception_message

                logger.warning(
-                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}: {e}. "
-                    "Continuing to the next AWS sync function.",
-                    exc_info=True,
+                    f"Caught exception syncing function {func_name} from AWS account {prowler_api_provider.uid}. We "
+                    "are continuing on to the next AWS sync function.",
                )

                continue
@@ -1,30 +1,25 @@
 from dataclasses import dataclass
 from typing import Callable
-from uuid import UUID

 from config.env import env
+
 from tasks.jobs.attack_paths import aws

-# Batch size for Neo4j write operations (resource labeling, cleanup)
+
+# Batch size for Neo4j operations
 BATCH_SIZE = env.int("ATTACK_PATHS_BATCH_SIZE", 1000)
-# Batch size for Postgres findings fetch (keyset pagination page size)
-FINDINGS_BATCH_SIZE = env.int("ATTACK_PATHS_FINDINGS_BATCH_SIZE", 500)
-# Batch size for temp-to-tenant graph sync (nodes and relationships per cursor page)
-SYNC_BATCH_SIZE = env.int("ATTACK_PATHS_SYNC_BATCH_SIZE", 250)

 # Neo4j internal labels (Prowler-specific, not provider-specific)
-# - `Internet`: Singleton node representing external internet access for exposed-resource queries
 # - `ProwlerFinding`: Label for finding nodes created by Prowler and linked to cloud resources
 # - `_ProviderResource`: Added to ALL synced nodes for provider isolation and drop/query ops
-INTERNET_NODE_LABEL = "Internet"
+# - `Internet`: Singleton node representing external internet access for exposed-resource queries
 PROWLER_FINDING_LABEL = "ProwlerFinding"
 PROVIDER_RESOURCE_LABEL = "_ProviderResource"
+INTERNET_NODE_LABEL = "Internet"

-# Dynamic isolation labels that contain entity UUIDs and are added to every synced node during sync
-# Format: _Tenant_{uuid_no_hyphens}, _Provider_{uuid_no_hyphens}
-TENANT_LABEL_PREFIX = "_Tenant_"
-PROVIDER_LABEL_PREFIX = "_Provider_"
-DYNAMIC_ISOLATION_PREFIXES = [TENANT_LABEL_PREFIX, PROVIDER_LABEL_PREFIX]
+# Phase 1 dual-write: deprecated label kept for drop_subgraph and infrastructure queries
+# Remove in Phase 2 once all nodes use the private label exclusively
+DEPRECATED_PROVIDER_RESOURCE_LABEL = "ProviderResource"


@dataclass(frozen=True)
@@ -36,6 +31,7 @@ class ProviderConfig:
    uid_field: str  # e.g., "arn"
    # Label for resources connected to the account node, enabling indexed finding lookups.
    resource_label: str  # e.g., "_AWSResource"
+    deprecated_resource_label: str  # e.g., "AWSResource"
    ingestion_function: Callable


@@ -47,6 +43,7 @@ AWS_CONFIG = ProviderConfig(
    root_node_label="AWSAccount",
    uid_field="arn",
    resource_label="_AWSResource",
+    deprecated_resource_label="AWSResource",
    ingestion_function=aws.start_aws_ingestion,
 )

@@ -59,16 +56,18 @@ PROVIDER_CONFIGS: dict[str, ProviderConfig] = {
 INTERNAL_LABELS: list[str] = [
    "Tenant",  # From Cartography, but it looks like it's ours
    PROVIDER_RESOURCE_LABEL,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
+    # Add all provider-specific resource labels
    *[config.resource_label for config in PROVIDER_CONFIGS.values()],
+    *[config.deprecated_resource_label for config in PROVIDER_CONFIGS.values()],
 ]

 # Provider isolation properties
-PROVIDER_ID_PROPERTY = "_provider_id"
-PROVIDER_ELEMENT_ID_PROPERTY = "_provider_element_id"
-
 PROVIDER_ISOLATION_PROPERTIES: list[str] = [
-    PROVIDER_ID_PROPERTY,
-    PROVIDER_ELEMENT_ID_PROPERTY,
+    "_provider_id",
+    "_provider_element_id",
+    "provider_id",
+    "provider_element_id",
 ]

 # Cartography bookkeeping metadata
@@ -118,25 +117,7 @@ def get_provider_resource_label(provider_type: str) -> str:
    return config.resource_label if config else "_UnknownProviderResource"


-# Dynamic Isolation Label Helpers
-# --------------------------------
-
-
-def _normalize_uuid(value: str | UUID) -> str:
-    """Strip hyphens from a UUID string for use in Neo4j labels."""
-    return str(value).replace("-", "")
-
-
-def get_tenant_label(tenant_id: str | UUID) -> str:
-    """Get the Neo4j label for a tenant (e.g., `_Tenant_019c41ee7df37deca684d839f95619f8`)."""
-    return f"{TENANT_LABEL_PREFIX}{_normalize_uuid(tenant_id)}"
-
-
-def get_provider_label(provider_id: str | UUID) -> str:
-    """Get the Neo4j label for a provider (e.g., `_Provider_019c41ee7df37deca684d839f95619f8`)."""
-    return f"{PROVIDER_LABEL_PREFIX}{_normalize_uuid(provider_id)}"
-
-
-def is_dynamic_isolation_label(label: str) -> bool:
-    """Check if a label is a dynamic tenant/provider isolation label."""
-    return any(label.startswith(prefix) for prefix in DYNAMIC_ISOLATION_PREFIXES)
+def get_deprecated_provider_resource_label(provider_type: str) -> str:
+    """Get the deprecated resource label for a provider type (e.g., `AWSResource`)."""
+    config = PROVIDER_CONFIGS.get(provider_type)
+    return config.deprecated_resource_label if config else "UnknownProviderResource"
@@ -3,13 +3,15 @@ from typing import Any

 from cartography.config import Config as CartographyConfig
 from celery.utils.log import get_task_logger
-from tasks.jobs.attack_paths.config import is_provider_available

 from api.attack_paths import database as graph_database
 from api.db_utils import rls_transaction
-from api.models import AttackPathsScan as ProwlerAPIAttackPathsScan
-from api.models import Provider as ProwlerAPIProvider
-from api.models import StateChoices
+from api.models import (
+    AttackPathsScan as ProwlerAPIAttackPathsScan,
+    Provider as ProwlerAPIProvider,
+    StateChoices,
+)
+from tasks.jobs.attack_paths.config import is_provider_available

 logger = get_task_logger(__name__)

@@ -153,37 +155,6 @@ def set_provider_graph_data_ready(
        attack_paths_scan.refresh_from_db(fields=["graph_data_ready"])


-def recover_graph_data_ready(
-    attack_paths_scan: ProwlerAPIAttackPathsScan,
-) -> None:
-    """
-    Best-effort recovery of `graph_data_ready` after a scan failure.
-
-    Queries Neo4j to check if the provider still has data in the tenant
-    database. If data exists, restores `graph_data_ready=True` for all scans
-    of this provider. Never raises.
-
-    Trade-off: if the worker crashed mid-sync, partial data may exist and
-    this will re-enable queries against it. We accept that because leaving
-    `graph_data_ready=False` permanently (blocking all queries until the
-    next successful scan) is a worse outcome for the user.
-    """
-    try:
-        tenant_db = graph_database.get_database_name(attack_paths_scan.tenant_id)
-        if graph_database.has_provider_data(
-            tenant_db, str(attack_paths_scan.provider_id)
-        ):
-            set_provider_graph_data_ready(attack_paths_scan, True)
-            logger.info(
-                f"Recovered `graph_data_ready` for provider {attack_paths_scan.provider_id}"
-            )
-
-    except Exception:
-        logger.exception(
-            f"Failed to recover `graph_data_ready` for provider {attack_paths_scan.provider_id}"
-        )
-
-
 def fail_attack_paths_scan(
    tenant_id: str,
    scan_id: str,
@@ -214,5 +185,3 @@ def fail_attack_paths_scan(
            StateChoices.FAILED,
            {"global_error": error},
        )
-
-        recover_graph_data_ready(attack_paths_scan)
@@ -9,15 +9,23 @@ This module handles:
 """

 from collections import defaultdict
+from dataclasses import asdict, dataclass, fields
 from typing import Any, Generator
 from uuid import UUID

 import neo4j
+
 from cartography.config import Config as CartographyConfig
 from celery.utils.log import get_task_logger
+
+from api.db_router import READ_REPLICA_ALIAS
+from api.db_utils import rls_transaction
+from api.models import Finding as FindingModel
+from api.models import Provider, ResourceFindingMapping
+from prowler.config import config as ProwlerConfig
 from tasks.jobs.attack_paths.config import (
    BATCH_SIZE,
-    FINDINGS_BATCH_SIZE,
+    get_deprecated_provider_resource_label,
    get_node_uid_field,
    get_provider_resource_label,
    get_root_node_label,
@@ -30,54 +38,75 @@ from tasks.jobs.attack_paths.queries import (
    render_cypher_template,
 )

-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import rls_transaction
-from api.models import Finding as FindingModel
-from api.models import Provider, ResourceFindingMapping
-from prowler.config import config as ProwlerConfig
-
 logger = get_task_logger(__name__)


-# Django ORM field names for `.values()` queries
-# Most map 1:1 to Neo4j property names, exceptions are remapped in `_to_neo4j_dict`
-_DB_QUERY_FIELDS = [
-    "id",
-    "uid",
-    "inserted_at",
-    "updated_at",
-    "first_seen_at",
-    "scan_id",
-    "delta",
-    "status",
-    "status_extended",
-    "severity",
-    "check_id",
-    "check_metadata__checktitle",
-    "muted",
-    "muted_reason",
-]
+# Type Definitions
+# -----------------
+
+# Maps dataclass field names to Django ORM query field names
+_DB_FIELD_MAP: dict[str, str] = {
+    "check_title": "check_metadata__checktitle",
+}


-def _to_neo4j_dict(record: dict[str, Any], resource_uid: str) -> dict[str, Any]:
-    """Transform a Django `.values()` record into a `dict` ready for Neo4j ingestion."""
-    return {
-        "id": str(record["id"]),
-        "uid": record["uid"],
-        "inserted_at": record["inserted_at"],
-        "updated_at": record["updated_at"],
-        "first_seen_at": record["first_seen_at"],
-        "scan_id": str(record["scan_id"]),
-        "delta": record["delta"],
-        "status": record["status"],
-        "status_extended": record["status_extended"],
-        "severity": record["severity"],
-        "check_id": str(record["check_id"]),
-        "check_title": record["check_metadata__checktitle"],
-        "muted": record["muted"],
-        "muted_reason": record["muted_reason"],
-        "resource_uid": resource_uid,
-    }
+@dataclass(slots=True)
+class Finding:
+    """
+    Finding data for Neo4j ingestion.
+
+    Can be created from a Django .values() query result using from_db_record().
+    """
+
+    id: str
+    uid: str
+    inserted_at: str
+    updated_at: str
+    first_seen_at: str
+    scan_id: str
+    delta: str
+    status: str
+    status_extended: str
+    severity: str
+    check_id: str
+    check_title: str
+    muted: bool
+    muted_reason: str | None
+    resource_uid: str | None = None
+
+    @classmethod
+    def get_db_query_fields(cls) -> tuple[str, ...]:
+        """Get field names for Django .values() query."""
+        return tuple(
+            _DB_FIELD_MAP.get(f.name, f.name)
+            for f in fields(cls)
+            if f.name != "resource_uid"
+        )
+
+    @classmethod
+    def from_db_record(cls, record: dict[str, Any], resource_uid: str) -> "Finding":
+        """Create a Finding from a Django .values() query result."""
+        return cls(
+            id=str(record["id"]),
+            uid=record["uid"],
+            inserted_at=record["inserted_at"],
+            updated_at=record["updated_at"],
+            first_seen_at=record["first_seen_at"],
+            scan_id=str(record["scan_id"]),
+            delta=record["delta"],
+            status=record["status"],
+            status_extended=record["status_extended"],
+            severity=record["severity"],
+            check_id=str(record["check_id"]),
+            check_title=record["check_metadata__checktitle"],
+            muted=record["muted"],
+            muted_reason=record["muted_reason"],
+            resource_uid=resource_uid,
+        )
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dict for Neo4j ingestion."""
+        return asdict(self)


 # Public API
@@ -124,6 +153,9 @@ def add_resource_label(
        {
            "__ROOT_LABEL__": get_root_node_label(provider_type),
            "__RESOURCE_LABEL__": get_provider_resource_label(provider_type),
+            "__DEPRECATED_RESOURCE_LABEL__": get_deprecated_provider_resource_label(
+                provider_type
+            ),
        },
    )

@@ -152,7 +184,7 @@ def add_resource_label(

 def load_findings(
    neo4j_session: neo4j.Session,
-    findings_batches: Generator[list[dict[str, Any]], None, None],
+    findings_batches: Generator[list[Finding], None, None],
    prowler_api_provider: Provider,
    config: CartographyConfig,
 ) -> None:
@@ -181,7 +213,7 @@ def load_findings(
        batch_size = len(batch)
        total_records += batch_size

-        parameters["findings_data"] = batch
+        parameters["findings_data"] = [f.to_dict() for f in batch]

        logger.info(f"Loading findings batch {batch_num} ({batch_size} records)")
        neo4j_session.run(query, parameters)
@@ -219,17 +251,16 @@ def cleanup_findings(
 def stream_findings_with_resources(
    prowler_api_provider: Provider,
    scan_id: str,
-) -> Generator[list[dict[str, Any]], None, None]:
+) -> Generator[list[Finding], None, None]:
    """
    Stream findings with their associated resources in batches.

    Uses keyset pagination for efficient traversal of large datasets.
-    Memory efficient: yields one batch at a time as dicts ready for Neo4j ingestion,
-    never holds all findings in memory.
+    Memory efficient: yields one batch at a time, never holds all findings in memory.
    """
    logger.info(
        f"Starting findings stream for scan {scan_id} "
-        f"(tenant {prowler_api_provider.tenant_id}) with batch size {FINDINGS_BATCH_SIZE}"
+        f"(tenant {prowler_api_provider.tenant_id}) with batch size {BATCH_SIZE}"
    )

    tenant_id = prowler_api_provider.tenant_id
@@ -278,14 +309,15 @@ def _fetch_findings_batch(
    Uses read replica and RLS-scoped transaction.
    """
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        # Use `all_objects` to get `Findings` even on soft-deleted `Providers`
-        # But even the provider is already validated as active in this context
+        # Use all_objects to avoid the ActiveProviderManager's implicit JOIN
+        # through Scan -> Provider (to check is_deleted=False).
+        # The provider is already validated as active in this context.
        qs = FindingModel.all_objects.filter(scan_id=scan_id).order_by("id")

        if after_id is not None:
            qs = qs.filter(id__gt=after_id)

-        return list(qs.values(*_DB_QUERY_FIELDS)[:FINDINGS_BATCH_SIZE])
+        return list(qs.values(*Finding.get_db_query_fields())[:BATCH_SIZE])


 # Batch Enrichment
@@ -295,7 +327,7 @@ def _fetch_findings_batch(
 def _enrich_batch_with_resources(
    findings_batch: list[dict[str, Any]],
    tenant_id: str,
-) -> list[dict[str, Any]]:
+) -> list[Finding]:
    """
    Enrich findings with their resource UIDs.

@@ -306,7 +338,7 @@ def _enrich_batch_with_resources(
    resource_map = _build_finding_resource_map(finding_ids, tenant_id)

    return [
-        _to_neo4j_dict(finding, resource_uid)
+        Finding.from_db_record(finding, resource_uid)
        for finding in findings_batch
        for resource_uid in resource_map.get(finding["id"], [])
    ]
@@ -6,10 +6,9 @@ from cartography.client.core.tx import run_write_query
 from celery.utils.log import get_task_logger

 from tasks.jobs.attack_paths.config import (
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

@@ -28,6 +27,8 @@ FINDINGS_INDEX_STATEMENTS = [
    # Resource indexes for Prowler Finding lookups
    "CREATE INDEX aws_resource_arn IF NOT EXISTS FOR (n:_AWSResource) ON (n.arn);",
    "CREATE INDEX aws_resource_id IF NOT EXISTS FOR (n:_AWSResource) ON (n.id);",
+    "CREATE INDEX deprecated_aws_resource_arn IF NOT EXISTS FOR (n:AWSResource) ON (n.arn);",
+    "CREATE INDEX deprecated_aws_resource_id IF NOT EXISTS FOR (n:AWSResource) ON (n.id);",
    # Prowler Finding indexes
    f"CREATE INDEX prowler_finding_id IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.id);",
    f"CREATE INDEX prowler_finding_provider_uid IF NOT EXISTS FOR (n:{PROWLER_FINDING_LABEL}) ON (n.provider_uid);",
@@ -39,8 +40,10 @@ FINDINGS_INDEX_STATEMENTS = [

 # Indexes for provider resource sync operations
 SYNC_INDEX_STATEMENTS = [
-    f"CREATE INDEX provider_resource_element_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ELEMENT_ID_PROPERTY});",
-    f"CREATE INDEX provider_resource_provider_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n.{PROVIDER_ID_PROPERTY});",
+    f"CREATE INDEX provider_element_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n._provider_element_id);",
+    f"CREATE INDEX provider_resource_provider_id IF NOT EXISTS FOR (n:{PROVIDER_RESOURCE_LABEL}) ON (n._provider_id);",
+    f"CREATE INDEX deprecated_provider_element_id IF NOT EXISTS FOR (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL}) ON (n.provider_element_id);",
+    f"CREATE INDEX deprecated_provider_resource_provider_id IF NOT EXISTS FOR (n:{DEPRECATED_PROVIDER_RESOURCE_LABEL}) ON (n.provider_id);",
 ]


@@ -2,8 +2,6 @@
 from tasks.jobs.attack_paths.config import (
    INTERNET_NODE_LABEL,
    PROWLER_FINDING_LABEL,
-    PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
    PROVIDER_RESOURCE_LABEL,
 )

@@ -28,7 +26,7 @@ ADD_RESOURCE_LABEL_TEMPLATE = """
    MATCH (account:__ROOT_LABEL__ {id: $provider_uid})-->(r)
    WHERE NOT r:__ROOT_LABEL__ AND NOT r:__RESOURCE_LABEL__
    WITH r LIMIT $batch_size
-    SET r:__RESOURCE_LABEL__
+    SET r:__RESOURCE_LABEL__:__DEPRECATED_RESOURCE_LABEL__
    RETURN COUNT(r) AS labeled_count
 """

@@ -151,18 +149,22 @@ RELATIONSHIPS_FETCH_QUERY = """
    LIMIT $batch_size
 """

-NODE_SYNC_TEMPLATE = f"""
+NODE_SYNC_TEMPLATE = """
    UNWIND $rows AS row
-    MERGE (n:__NODE_LABELS__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}})
+    MERGE (n:__NODE_LABELS__ {_provider_element_id: row.provider_element_id})
    SET n += row.props
-    SET n.{PROVIDER_ID_PROPERTY} = $provider_id
-"""
+    SET n._provider_id = $provider_id
+    SET n.provider_element_id = row.provider_element_id
+    SET n.provider_id = $provider_id
+"""  # The last two lines are deprecated properties

 RELATIONSHIP_SYNC_TEMPLATE = f"""
    UNWIND $rows AS row
-    MATCH (s:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.start_element_id}})
-    MATCH (t:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.end_element_id}})
-    MERGE (s)-[r:__REL_TYPE__ {{{PROVIDER_ELEMENT_ID_PROPERTY}: row.provider_element_id}}]->(t)
+    MATCH (s:{PROVIDER_RESOURCE_LABEL} {{_provider_element_id: row.start_element_id}})
+    MATCH (t:{PROVIDER_RESOURCE_LABEL} {{_provider_element_id: row.end_element_id}})
+    MERGE (s)-[r:__REL_TYPE__ {{_provider_element_id: row.provider_element_id}}]->(t)
    SET r += row.props
-    SET r.{PROVIDER_ID_PROPERTY} = $provider_id
-"""
+    SET r._provider_id = $provider_id
+    SET r.provider_element_id = row.provider_element_id
+    SET r.provider_id = $provider_id
+"""  # The last two lines are deprecated properties
@@ -1,60 +1,6 @@
-"""
-Attack Paths scan orchestrator.
-
-Runs the full scan lifecycle for a single provider, called from a Celery task.
-The idea is simple: ingest everything into a throwaway Neo4j database, enrich
-it with Prowler-specific data, then swap it into the tenant's long-lived
-database so queries never see a half-built graph.
-
-Two databases are involved:
- Temporary (db-tmp-scan-<attack_paths_scan_id>): short-lived, single-provider, dropped after sync.
- Tenant (db-tenant-<tenant_uuid>): long-lived, multi-provider, what the API queries against.
-
-Pipeline steps:
-
-1. Resolve the Prowler provider and SDK credentials from the scan ID.
-   Retrieve or create the AttackPathsScan row. Exit early if the provider
-   type has no ingestion function (only AWS is supported today).
-
-2. Create a fresh temporary Neo4j database and set up Cartography indexes
-   plus ProwlerFinding indexes before writing any data.
-
-3. Run the provider-specific Cartography ingestion (e.g. aws.start_aws_ingestion).
-   This iterates over cloud services and writes the standard Cartography nodes
-   (AWSAccount, EC2Instance, IAMRole, etc.) and relationships (RESOURCE,
-   POLICY, STATEMENT, TRUSTS_AWS_PRINCIPAL, ...) into the temp database.
-   Wrapped in call_within_event_loop because some Cartography modules use async.
-
-4. Run Cartography post-processing: ontology for label propagation and
-   analysis for derived relationships.
-
-5. Create an Internet singleton node and add CAN_ACCESS relationships to
-   internet-exposed resources (EC2Instance, LoadBalancer, LoadBalancerV2).
-
-6. Stream Prowler findings from Postgres in batches. Each finding becomes a
-   ProwlerFinding node linked to its cloud-resource node via HAS_FINDING.
-   Before that, an _AWSResource label (provider-specific) is added to all
-   nodes connected to the AWSAccount so finding lookups can use an index.
-   Stale findings from previous scans are cleaned up.
-
-7. Sync the temp database into the tenant database:
-   - Drop the old provider subgraph (matched by _provider_id property).
-     graph_data_ready is set to False for all scans of this provider while
-     the swap happens so the API doesn't serve partial data.
-   - Copy nodes and relationships in batches. Every synced node gets a
-     _ProviderResource label and _provider_id / _provider_element_id
-     properties for multi-provider isolation.
-   - Set graph_data_ready back to True.
-
-8. Drop the temporary database, mark the AttackPathsScan as COMPLETED.
-
-On failure the temp database is dropped, the scan is marked FAILED, and the
-exception propagates to Celery.
-
-"""
-
 import logging
 import time
+
 from typing import Any

 from cartography.config import Config as CartographyConfig
@@ -62,14 +8,16 @@ from cartography.intel import analysis as cartography_analysis
 from cartography.intel import create_indexes as cartography_create_indexes
 from cartography.intel import ontology as cartography_ontology
 from celery.utils.log import get_task_logger
-from tasks.jobs.attack_paths import db_utils, findings, internet, sync, utils
-from tasks.jobs.attack_paths.config import get_cartography_ingestion_function

 from api.attack_paths import database as graph_database
 from api.db_utils import rls_transaction
-from api.models import Provider as ProwlerAPIProvider
-from api.models import StateChoices
+from api.models import (
+    Provider as ProwlerAPIProvider,
+    StateChoices,
+)
 from api.utils import initialize_prowler_provider
+from tasks.jobs.attack_paths import db_utils, findings, internet, sync, utils
+from tasks.jobs.attack_paths.config import get_cartography_ingestion_function

 # Without this Celery goes crazy with Cartography logging
 logging.getLogger("cartography").setLevel(logging.ERROR)
@@ -144,10 +92,6 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        attack_paths_scan, task_id, tenant_cartography_config
    )

-    subgraph_dropped = False
-    sync_completed = False
-    provider_gated = False
-
    try:
        logger.info(
            f"Creating Neo4j database {tmp_cartography_config.neo4j_database} for tenant {prowler_api_provider.tenant_id}"
@@ -226,12 +170,10 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:

        logger.info(f"Deleting existing provider graph in {tenant_database_name}")
        db_utils.set_provider_graph_data_ready(attack_paths_scan, False)
-        provider_gated = True
        graph_database.drop_subgraph(
            database=tenant_database_name,
            provider_id=str(prowler_api_provider.id),
        )
-        subgraph_dropped = True
        db_utils.update_attack_paths_scan_progress(attack_paths_scan, 98)

        logger.info(
@@ -240,10 +182,8 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        sync.sync_graph(
            source_database=tmp_database_name,
            target_database=tenant_database_name,
-            tenant_id=str(prowler_api_provider.tenant_id),
            provider_id=str(prowler_api_provider.id),
        )
-        sync_completed = True
        db_utils.set_graph_data_ready(attack_paths_scan, True)
        db_utils.update_attack_paths_scan_progress(attack_paths_scan, 99)

@@ -268,40 +208,22 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
        logger.exception(exception_message)
        ingestion_exceptions["global_error"] = exception_message

-        # Recover graph_data_ready based on how far the swap got.
-        # Partial drop (mid-batch failure) may leave `subgraph_dropped=False`
-        # with data partially deleted, so we prefer that over permanently blocked queries.
-        try:
-            if sync_completed:
-                db_utils.set_graph_data_ready(attack_paths_scan, True)
-            elif provider_gated and not subgraph_dropped:
-                db_utils.set_provider_graph_data_ready(attack_paths_scan, True)
-
-        except Exception:
-            logger.error(
-                f"Failed to recover `graph_data_ready` for provider {attack_paths_scan.provider_id}",
-                exc_info=True,
-            )
-
-        # Dropping the temporary database if it still exists
+        # Handling databases changes
        try:
            graph_database.drop_database(tmp_cartography_config.neo4j_database)

-        except Exception as e:
+        except Exception:
            logger.error(
-                f"Failed to drop temporary Neo4j database `{tmp_cartography_config.neo4j_database}` during cleanup: {e}",
-                exc_info=True,
+                f"Failed to drop temporary Neo4j database {tmp_cartography_config.neo4j_database} during cleanup"
            )

-        # Set Attack Paths scan state to FAILED
        try:
            db_utils.finish_attack_paths_scan(
                attack_paths_scan, StateChoices.FAILED, ingestion_exceptions
            )
-        except Exception as e:
-            logger.error(
-                f"Could not mark Attack Paths scan {attack_paths_scan.id} as `FAILED` (row may have been deleted): {e}",
-                exc_info=True,
+        except Exception:
+            logger.warning(
+                f"Could not mark attack paths scan {attack_paths_scan.id} as FAILED (row may have been deleted)"
            )

        raise
@@ -8,16 +8,14 @@ to the tenant database, adding provider isolation labels and properties.
 from collections import defaultdict
 from typing import Any

-import neo4j
 from celery.utils.log import get_task_logger

 from api.attack_paths import database as graph_database
 from tasks.jobs.attack_paths.config import (
+    BATCH_SIZE,
+    DEPRECATED_PROVIDER_RESOURCE_LABEL,
    PROVIDER_ISOLATION_PROPERTIES,
    PROVIDER_RESOURCE_LABEL,
-    SYNC_BATCH_SIZE,
-    get_provider_label,
-    get_tenant_label,
 )
 from tasks.jobs.attack_paths.indexes import IndexType, create_indexes
 from tasks.jobs.attack_paths.queries import (
@@ -39,7 +37,6 @@ def create_sync_indexes(neo4j_session) -> None:
 def sync_graph(
    source_database: str,
    target_database: str,
-    tenant_id: str,
    provider_id: str,
 ) -> dict[str, int]:
    """
@@ -48,7 +45,6 @@ def sync_graph(
    Args:
        `source_database`: The temporary scan database
        `target_database`: The tenant database
-        `tenant_id`: The tenant ID for isolation
        `provider_id`: The provider ID for isolation

    Returns:
@@ -57,7 +53,6 @@ def sync_graph(
    nodes_synced = sync_nodes(
        source_database,
        target_database,
-        tenant_id,
        provider_id,
    )
    relationships_synced = sync_relationships(
@@ -75,45 +70,50 @@ def sync_graph(
 def sync_nodes(
    source_database: str,
    target_database: str,
-    tenant_id: str,
    provider_id: str,
 ) -> int:
    """
    Sync nodes from source to target database.

    Adds `_ProviderResource` label and `_provider_id` property to all nodes.
-    Also adds dynamic `_Tenant_{id}` and `_Provider_{id}` isolation labels.
-
-    Source and target sessions are opened sequentially per batch to avoid
-    holding two Bolt connections simultaneously for the entire sync duration.
    """
    last_id = -1
    total_synced = 0

-    while True:
-        grouped: dict[tuple[str, ...], list[dict[str, Any]]] = defaultdict(list)
-        batch_count = 0
-
-        with graph_database.get_session(source_database) as source_session:
-            result = source_session.run(
-                NODE_FETCH_QUERY,
-                {"last_id": last_id, "batch_size": SYNC_BATCH_SIZE},
+    with (
+        graph_database.get_session(source_database) as source_session,
+        graph_database.get_session(target_database) as target_session,
+    ):
+        while True:
+            rows = list(
+                source_session.run(
+                    NODE_FETCH_QUERY,
+                    {"last_id": last_id, "batch_size": BATCH_SIZE},
+                )
            )
-            for record in result:
-                batch_count += 1
-                last_id = record["internal_id"]
-                key, value = _node_to_sync_dict(record, provider_id)
-                grouped[key].append(value)

-        if batch_count == 0:
-            break
+            if not rows:
+                break
+
+            last_id = rows[-1]["internal_id"]
+
+            grouped: dict[tuple[str, ...], list[dict[str, Any]]] = defaultdict(list)
+            for row in rows:
+                labels = tuple(sorted(set(row["labels"] or [])))
+                props = dict(row["props"] or {})
+                _strip_internal_properties(props)
+                provider_element_id = f"{provider_id}:{row['element_id']}"
+                grouped[labels].append(
+                    {
+                        "provider_element_id": provider_element_id,
+                        "props": props,
+                    }
+                )

-        with graph_database.get_session(target_database) as target_session:
            for labels, batch in grouped.items():
                label_set = set(labels)
                label_set.add(PROVIDER_RESOURCE_LABEL)
-                label_set.add(get_tenant_label(tenant_id))
-                label_set.add(get_provider_label(provider_id))
+                label_set.add(DEPRECATED_PROVIDER_RESOURCE_LABEL)
                node_labels = ":".join(f"`{label}`" for label in sorted(label_set))

                query = render_cypher_template(
@@ -127,10 +127,10 @@ def sync_nodes(
                    },
                )

-        total_synced += batch_count
-        logger.info(
-            f"Synced {total_synced} nodes from {source_database} to {target_database}"
-        )
+            total_synced += len(rows)
+            logger.info(
+                f"Synced {total_synced} nodes from {source_database} to {target_database}"
+            )

    return total_synced

@@ -144,32 +144,41 @@ def sync_relationships(
    Sync relationships from source to target database.

    Adds `_provider_id` property to all relationships.
-
-    Source and target sessions are opened sequentially per batch to avoid
-    holding two Bolt connections simultaneously for the entire sync duration.
    """
    last_id = -1
    total_synced = 0

-    while True:
-        grouped: dict[str, list[dict[str, Any]]] = defaultdict(list)
-        batch_count = 0
-
-        with graph_database.get_session(source_database) as source_session:
-            result = source_session.run(
-                RELATIONSHIPS_FETCH_QUERY,
-                {"last_id": last_id, "batch_size": SYNC_BATCH_SIZE},
+    with (
+        graph_database.get_session(source_database) as source_session,
+        graph_database.get_session(target_database) as target_session,
+    ):
+        while True:
+            rows = list(
+                source_session.run(
+                    RELATIONSHIPS_FETCH_QUERY,
+                    {"last_id": last_id, "batch_size": BATCH_SIZE},
+                )
            )
-            for record in result:
-                batch_count += 1
-                last_id = record["internal_id"]
-                key, value = _rel_to_sync_dict(record, provider_id)
-                grouped[key].append(value)

-        if batch_count == 0:
-            break
+            if not rows:
+                break
+
+            last_id = rows[-1]["internal_id"]
+
+            grouped: dict[str, list[dict[str, Any]]] = defaultdict(list)
+            for row in rows:
+                props = dict(row["props"] or {})
+                _strip_internal_properties(props)
+                rel_type = row["rel_type"]
+                grouped[rel_type].append(
+                    {
+                        "start_element_id": f"{provider_id}:{row['start_element_id']}",
+                        "end_element_id": f"{provider_id}:{row['end_element_id']}",
+                        "provider_element_id": f"{provider_id}:{rel_type}:{row['internal_id']}",
+                        "props": props,
+                    }
+                )

-        with graph_database.get_session(target_database) as target_session:
            for rel_type, batch in grouped.items():
                query = render_cypher_template(
                    RELATIONSHIP_SYNC_TEMPLATE, {"__REL_TYPE__": rel_type}
@@ -182,42 +191,14 @@ def sync_relationships(
                    },
                )

-        total_synced += batch_count
-        logger.info(
-            f"Synced {total_synced} relationships from {source_database} to {target_database}"
-        )
+            total_synced += len(rows)
+            logger.info(
+                f"Synced {total_synced} relationships from {source_database} to {target_database}"
+            )

    return total_synced


-def _node_to_sync_dict(
-    record: neo4j.Record, provider_id: str
-) -> tuple[tuple[str, ...], dict[str, Any]]:
-    """Transform a source node record into a (grouping_key, sync_dict) pair."""
-    props = dict(record["props"] or {})
-    _strip_internal_properties(props)
-    labels = tuple(sorted(set(record["labels"] or [])))
-    return labels, {
-        "provider_element_id": f"{provider_id}:{record['element_id']}",
-        "props": props,
-    }
-
-
-def _rel_to_sync_dict(
-    record: neo4j.Record, provider_id: str
-) -> tuple[str, dict[str, Any]]:
-    """Transform a source relationship record into a (grouping_key, sync_dict) pair."""
-    props = dict(record["props"] or {})
-    _strip_internal_properties(props)
-    rel_type = record["rel_type"]
-    return rel_type, {
-        "start_element_id": f"{provider_id}:{record['start_element_id']}",
-        "end_element_id": f"{provider_id}:{record['end_element_id']}",
-        "provider_element_id": f"{provider_id}:{rel_type}:{record['internal_id']}",
-        "props": props,
-    }
-
-
 def _strip_internal_properties(props: dict[str, Any]) -> None:
    """Remove provider isolation properties before the += spread in sync templates."""
    for key in PROVIDER_ISOLATION_PROPERTIES:
@@ -336,6 +336,7 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
        for req in data.requirements:
            if req.status == StatusChoices.MANUAL:
                continue
+
            m = get_requirement_metadata(req.id, data.attributes_by_requirement_id)
            if m:
                marco = getattr(m, "Marco", "Otros")
@@ -364,12 +365,9 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
                elements.append(Paragraph(f"{categoria_name}", self.styles["h3"]))

                for req in reqs:
-                    if req["status"] == StatusChoices.PASS:
-                        status_indicator = "✓"
-                    elif req["status"] == StatusChoices.MANUAL:
-                        status_indicator = "⊙"
-                    else:
-                        status_indicator = "✗"
+                    status_indicator = (
+                        "✓" if req["status"] == StatusChoices.PASS else "✗"
+                    )
                    nivel_badge = f"[{req['nivel'].upper()}]" if req["nivel"] else ""
                    elements.append(
                        Paragraph(
@@ -843,14 +841,11 @@ class ENSReportGenerator(BaseComplianceReportGenerator):
            elements.append(Spacer(1, 0.15 * inch))

            # Status and Nivel badges row
-            status_text = str(req.status).upper()
-            status_color = (
-                COLOR_HIGH_RISK if req.status == StatusChoices.FAIL else COLOR_GRAY
-            )
+            status_color = COLOR_HIGH_RISK  # FAIL
            nivel_color = nivel_colors.get(nivel, COLOR_GRAY)

            badges_row1 = [
-                ["State:", status_text, "", f"Nivel: {nivel.upper()}"],
+                ["State:", "FAIL", "", f"Nivel: {nivel.upper()}"],
            ]
            badges_table1 = Table(
                badges_row1,
@@ -35,27 +35,19 @@ def _aggregate_requirement_statistics_from_database(
        }
    """
    requirement_statistics_by_check_id = {}
-    # TODO: take into account that now the relation is 1 finding == 1 resource, review this when the logic changes
+
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
        aggregated_statistics_queryset = (
            Finding.all_objects.filter(
-                tenant_id=tenant_id,
-                scan_id=scan_id,
-                muted=False,
-                resources__provider__is_deleted=False,
+                tenant_id=tenant_id, scan_id=scan_id, muted=False
            )
            .values("check_id")
            .annotate(
                total_findings=Count(
                    "id",
-                    distinct=True,
                    filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
                ),
-                passed_findings=Count(
-                    "id",
-                    distinct=True,
-                    filter=Q(status=StatusChoices.PASS),
-                ),
+                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
            )
        )

@@ -29,7 +29,7 @@ from tasks.jobs.threatscore_utils import (
    _load_findings_for_requirement_checks,
 )

-from api.models import Finding, Resource, ResourceFindingMapping, StatusChoices
+from api.models import Finding, StatusChoices
 from prowler.lib.check.models import Severity

 matplotlib.use("Agg")  # Use non-interactive backend for tests
@@ -39,50 +39,43 @@ matplotlib.use("Agg")  # Use non-interactive backend for tests
 class TestAggregateRequirementStatistics:
    """Test suite for _aggregate_requirement_statistics_from_database function."""

-    def _create_finding_with_resource(
-        self, tenant, scan, uid, check_id, status, severity=Severity.high
-    ):
-        """Helper to create a finding linked to a resource (matching scan processing behavior)."""
-        finding = Finding.objects.create(
-            tenant_id=tenant.id,
-            scan=scan,
-            uid=uid,
-            check_id=check_id,
-            status=status,
-            severity=severity,
-            impact=severity,
-            check_metadata={},
-            raw_result={},
-        )
-        resource = Resource.objects.create(
-            tenant_id=tenant.id,
-            provider=scan.provider,
-            uid=f"resource-{uid}",
-            name=f"resource-{uid}",
-            region="us-east-1",
-            service="test",
-            type="test::resource",
-        )
-        ResourceFindingMapping.objects.create(
-            tenant_id=tenant.id,
-            finding=finding,
-            resource=resource,
-        )
-        return finding
-
    def test_aggregates_findings_correctly(self, tenants_fixture, scans_fixture):
        """Verify correct pass/total counts per check are aggregated from database."""
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.PASS,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-3", "check_2", StatusChoices.PASS, Severity.medium
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-3",
+            check_id="check_2",
+            status=StatusChoices.PASS,
+            severity=Severity.medium,
+            impact=Severity.medium,
+            check_metadata={},
+            raw_result={},
        )

        result = _aggregate_requirement_statistics_from_database(
@@ -113,73 +106,17 @@ class TestAggregateRequirementStatistics:
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.FAIL
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-1",
+            check_id="check_1",
+            status=StatusChoices.FAIL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.FAIL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 0
-        assert result["check_1"]["total"] == 2
-
-    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
-        """Verify multiple findings for same check are correctly aggregated."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        for i in range(5):
-            self._create_finding_with_resource(
-                tenant,
-                scan,
-                f"finding-{i}",
-                "check_1",
-                StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
-            )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        assert result["check_1"]["passed"] == 3
-        assert result["check_1"]["total"] == 5
-
-    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
-        """Verify MANUAL status is not counted in total or passed."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-        self._create_finding_with_resource(
-            tenant, scan, "finding-2", "check_1", StatusChoices.MANUAL
-        )
-
-        result = _aggregate_requirement_statistics_from_database(
-            str(tenant.id), str(scan.id)
-        )
-
-        # MANUAL findings are excluded from the aggregation query
-        # since it only counts PASS and FAIL statuses
-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
-
-    def test_excludes_findings_without_resources(self, tenants_fixture, scans_fixture):
-        """Verify findings without resources are excluded from aggregation."""
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Finding WITH resource → should be counted
-        self._create_finding_with_resource(
-            tenant, scan, "finding-1", "check_1", StatusChoices.PASS
-        )
-
-        # Finding WITHOUT resource → should be EXCLUDED
        Finding.objects.create(
            tenant_id=tenant.id,
            scan=scan,
@@ -196,15 +133,40 @@ class TestAggregateRequirementStatistics:
            str(tenant.id), str(scan.id)
        )

-        assert result["check_1"]["passed"] == 1
-        assert result["check_1"]["total"] == 1
+        assert result["check_1"]["passed"] == 0
+        assert result["check_1"]["total"] == 2

-    def test_multiple_resources_no_double_count(self, tenants_fixture, scans_fixture):
-        """Verify a finding with multiple resources is only counted once."""
+    def test_multiple_findings_same_check(self, tenants_fixture, scans_fixture):
+        """Verify multiple findings for same check are correctly aggregated."""
        tenant = tenants_fixture[0]
        scan = scans_fixture[0]

-        finding = Finding.objects.create(
+        for i in range(5):
+            Finding.objects.create(
+                tenant_id=tenant.id,
+                scan=scan,
+                uid=f"finding-{i}",
+                check_id="check_1",
+                status=StatusChoices.PASS if i % 2 == 0 else StatusChoices.FAIL,
+                severity=Severity.high,
+                impact=Severity.high,
+                check_metadata={},
+                raw_result={},
+            )
+
+        result = _aggregate_requirement_statistics_from_database(
+            str(tenant.id), str(scan.id)
+        )
+
+        assert result["check_1"]["passed"] == 3
+        assert result["check_1"]["total"] == 5
+
+    def test_mixed_statuses(self, tenants_fixture, scans_fixture):
+        """Verify MANUAL status is counted in total but not passed."""
+        tenant = tenants_fixture[0]
+        scan = scans_fixture[0]
+
+        Finding.objects.create(
            tenant_id=tenant.id,
            scan=scan,
            uid="finding-1",
@@ -215,27 +177,24 @@ class TestAggregateRequirementStatistics:
            check_metadata={},
            raw_result={},
        )
-        # Link two resources to the same finding
-        for i in range(2):
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"resource-{i}",
-                name=f"resource-{i}",
-                region="us-east-1",
-                service="test",
-                type="test::resource",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id,
-                finding=finding,
-                resource=resource,
-            )
+        Finding.objects.create(
+            tenant_id=tenant.id,
+            scan=scan,
+            uid="finding-2",
+            check_id="check_1",
+            status=StatusChoices.MANUAL,
+            severity=Severity.high,
+            impact=Severity.high,
+            check_metadata={},
+            raw_result={},
+        )

        result = _aggregate_requirement_statistics_from_database(
            str(tenant.id), str(scan.id)
        )

+        # MANUAL findings are excluded from the aggregation query
+        # since it only counts PASS and FAIL statuses
        assert result["check_1"]["passed"] == 1
        assert result["check_1"]["total"] == 1

@@ -334,172 +334,6 @@ class TestGenerateOutputs:
                output_location="s3://bucket/zipped.zip"
            )

-    @patch("tasks.tasks._upload_to_s3")
-    @patch("tasks.tasks._compress_output_files")
-    @patch("tasks.tasks.get_compliance_frameworks")
-    @patch("tasks.tasks.Compliance.get_bulk")
-    @patch("tasks.tasks.initialize_prowler_provider")
-    @patch("tasks.tasks.Provider.objects.get")
-    @patch("tasks.tasks.ScanSummary.objects.filter")
-    @patch("tasks.tasks.Finding.all_objects.filter")
-    def test_generate_outputs_accepts_legacy_persisted_check_metadata(
-        self,
-        mock_finding_filter,
-        mock_scan_summary_filter,
-        mock_provider_get,
-        mock_initialize_provider,
-        mock_compliance_get_bulk,
-        mock_get_available_frameworks,
-        mock_compress,
-        mock_upload,
-    ):
-        mock_scan_summary_filter.return_value.exists.return_value = True
-
-        mock_provider = MagicMock()
-        mock_provider.uid = "azure-subscription-123"
-        mock_provider.provider = "azure"
-        mock_provider_get.return_value = mock_provider
-
-        prowler_provider = MagicMock()
-        prowler_provider.type = "azure"
-        prowler_provider.identity.identity_type = "mock_identity_type"
-        prowler_provider.identity.identity_id = "mock_identity_id"
-        prowler_provider.identity.subscriptions = {
-            "legacy-subscription": "legacy-sub-id"
-        }
-        prowler_provider.identity.tenant_ids = ["test-ing-432a-a828-d9c965196f87"]
-        prowler_provider.identity.tenant_domain = "mock_tenant_domain"
-        prowler_provider.region_config.name = "AzureCloud"
-        mock_initialize_provider.return_value = prowler_provider
-
-        mock_compliance_get_bulk.return_value = {}
-        mock_get_available_frameworks.return_value = []
-
-        resource = MagicMock()
-        resource.uid = (
-            "/subscriptions/legacy-sub-id/providers/Microsoft.Authorization/"
-            "policyAssignments/legacy"
-        )
-        resource.name = "legacy-policy"
-        resource.region = "global"
-        resource.metadata = "{}"
-        resource.details = ""
-        resource.tags.all.return_value = [MagicMock(key="env", value="prod")]
-
-        dummy_finding = MagicMock()
-        dummy_finding.uid = "finding-uid-legacy"
-        dummy_finding.status = "FAIL"
-        dummy_finding.status_extended = "Legacy metadata finding"
-        dummy_finding.muted = False
-        dummy_finding.compliance = {}
-        dummy_finding.raw_result = {}
-        dummy_finding.check_id = (
-            "entra_conditional_access_policy_require_mfa_for_management_api"
-        )
-        dummy_finding.check_metadata = {
-            "provider": "azure",
-            "checkid": "entra_conditional_access_policy_require_mfa_for_management_api",
-            "checktitle": "Ensure Multifactor Authentication is Required for Windows Azure Service Management API",
-            "checktype": [],
-            "servicename": "entra",
-            "subservicename": "",
-            "severity": "medium",
-            "resourcetype": "#microsoft.graph.conditionalAccess",
-            "resourcegroup": "IAM",
-            "description": "Legacy description",
-            "risk": "Legacy risk",
-            "relatedurl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management",
-            "additionalurls": [
-                "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps"
-            ],
-            "remediation": {
-                "code": {
-                    "cli": "",
-                    "other": "",
-                    "nativeiac": "",
-                    "terraform": "",
-                },
-                "recommendation": {
-                    "text": "Legacy remediation",
-                    "url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps",
-                },
-            },
-            "resourceidtemplate": "",
-            "categories": [],
-            "dependson": [],
-            "relatedto": [],
-            "notes": "Legacy notes",
-        }
-        dummy_finding.resources.first.return_value = resource
-
-        mock_finding_filter.return_value.order_by.return_value.iterator.return_value = [
-            dummy_finding
-        ]
-
-        writer_instances = []
-
-        def writer_factory(*args, **kwargs):
-            writer = MagicMock()
-            writer._data = []
-            writer.transform = MagicMock()
-            writer.batch_write_data_to_file = MagicMock()
-            writer.findings = kwargs["findings"]
-            writer_instances.append(writer)
-            return writer
-
-        with (
-            patch(
-                "tasks.tasks.FindingOutput._transform_findings_stats",
-                return_value={"some": "stats"},
-            ),
-            patch(
-                "tasks.tasks.OUTPUT_FORMATS_MAPPING",
-                {
-                    "json": {
-                        "class": writer_factory,
-                        "suffix": ".json",
-                        "kwargs": {},
-                    }
-                },
-            ),
-            patch(
-                "tasks.tasks._generate_output_directory",
-                return_value=(
-                    "/tmp/test/out-dir",
-                    "/tmp/test/comp-dir",
-                ),
-            ),
-            patch("tasks.tasks.Scan.all_objects.filter") as mock_scan_update,
-            patch("tasks.tasks.rmtree"),
-        ):
-            mock_compress.return_value = "/tmp/zipped.zip"
-            mock_upload.return_value = "s3://bucket/zipped.zip"
-
-            result = generate_outputs_task(
-                scan_id=self.scan_id,
-                provider_id=self.provider_id,
-                tenant_id=self.tenant_id,
-            )
-
-            assert result == {"upload": True}
-            assert len(writer_instances) == 1
-
-            transformed_finding = writer_instances[0].findings[0]
-            assert transformed_finding.metadata.CheckTitle.startswith("Ensure")
-            assert (
-                transformed_finding.metadata.RelatedUrl
-                == "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management"
-            )
-            assert (
-                transformed_finding.metadata.Remediation.Recommendation.Url
-                == "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps"
-            )
-            assert transformed_finding.metadata.Severity.value == "medium"
-
-            mock_scan_update.return_value.update.assert_called_once_with(
-                output_location="s3://bucket/zipped.zip"
-            )
-
    def test_generate_outputs_fails_upload(self):
        with (
            patch("tasks.tasks.ScanSummary.objects.filter") as mock_filter,
@@ -1 +0,0 @@
-charts/
@@ -13,8 +13,6 @@ keywords:
  - gcp
  - kubernetes
 maintainers:
-  - name: Dani
-    email: andre.gomes@promptlyhealth.com
  - name: Mihai
    email: mihai.legat@gmail.com
 dependencies:
@@ -558,9 +558,9 @@ neo4j:
  # Neo4j Configuration (yaml format)
  config:
    dbms_security_procedures_allowlist: "apoc.*"
-    dbms_security_procedures_unrestricted: ""
+    dbms_security_procedures_unrestricted: "apoc.*"

  apoc_config:
-    apoc.export.file.enabled: "false"
-    apoc.import.file.enabled: "false"
+    apoc.export.file.enabled: "true"
+    apoc.import.file.enabled: "true"
    apoc.import.file.use_neo4j_config: "true"
@@ -21,7 +21,7 @@ print(
    f"{Fore.GREEN}Loading all CSV files from the folder {folder_path_overview} ...\n{Style.RESET_ALL}"
 )
 cli.show_server_banner = lambda *x: click.echo(
-    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler Cloud{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler CLI{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
+    f"{Fore.YELLOW}NOTE:{Style.RESET_ALL} If you are using {Fore.GREEN}{Style.BRIGHT}Prowler SaaS{Style.RESET_ALL} with the S3 integration or that integration \nfrom {Fore.CYAN}{Style.BRIGHT}Prowler Open Source{Style.RESET_ALL} and you want to use your data from your S3 bucket,\nrun: `{orange_color}aws s3 cp s3://<your-bucket>/output/csv ./output --recursive{Style.RESET_ALL}`\nand then run `prowler dashboard` again to load the new files."
 )

 # Initialize the app - incorporate css
@@ -1,20 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_rbi
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ]
-    return get_section_containers_rbi(aux, "REQUIREMENTS_ID")
@@ -1,20 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_rbi
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ]
-    return get_section_containers_rbi(aux, "REQUIREMENTS_ID")
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_format3
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_format3(
-        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
-    )
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Adrián Jesús Peña Rodríguez	f5f4404ca9	chore: merge master	2026-02-26 19:13:58 +01:00
Adrián Jesús Peña Rodríguez	4dec30b4b6	fix(sdk): scope scan_id by provider and account - Generate scan_id per provider account pair - Adjust OCSF scan_id test to cover multiple accounts	2026-02-26 19:05:32 +01:00
Adrián Jesús Peña Rodríguez	c0e5a7ce97	feat(ingestions): allow multiple scan_ids and providers inside the ocsf	2026-02-26 17:16:51 +01:00