fix(ui): improve category label formatting for acronyms and versions

refactor(ui): simplify categories.ts to only use dynamic label formatting
Remove hardcoded CATEGORY_IDS and CATEGORY_LABELS constants. Categories now come from the API and are formatted dynamically.
2026-06-17 13:03:14 +00:00 · 2025-12-16 18:09:18 +01:00 · 2025-12-15 19:16:06 +01:00 · 2025-12-15 19:13:29 +01:00 · 2025-12-15 17:50:01 +01:00 · 2025-12-15 17:46:03 +01:00
1607 changed files with 10284 additions and 46693 deletions
@@ -15,13 +15,6 @@ AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
 # Google Tag Manager ID
 NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""

-#### MCP Server ####
-PROWLER_MCP_VERSION=stable
-# For UI and MCP running on docker:
-PROWLER_MCP_SERVER_URL=http://mcp-server:8000/mcp
-# For UI running on host, MCP in docker:
-# PROWLER_MCP_SERVER_URL=http://localhost:8000/mcp
-
 #### Code Review Configuration ####
 # Enable Claude Code standards validation on pre-push hook
 # Set to 'true' to validate changes against AGENTS.md standards via Claude Code
@@ -119,7 +112,7 @@ NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}


 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.12.2

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -46,11 +46,6 @@ provider/oci:
  - changed-files:
      - any-glob-to-any-file: "prowler/providers/oraclecloud/**"
      - any-glob-to-any-file: "tests/providers/oraclecloud/**"
-      
-provider/alibabacloud:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/alibabacloud/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/**"

 github_actions:
  - changed-files:
@@ -74,8 +69,6 @@ mutelist:
      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/mongodbatlas/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/oci/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/lib/mutelist/**"

 integration/s3:
  - changed-files:
@@ -14,26 +14,14 @@ Please add a detailed description of how to review this PR.

 ### Checklist

-<details>
-
-<summary><b>Community Checklist</b></summary>
-
- [ ] This feature/issue is listed in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
- [ ] Is it assigned to me, if not, request it via the issue/feature in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)
-
-</details>
-
-
+- Are there new checks included in this PR? Yes / No
+    - If so, do we need to update permissions for the provider? Please review this carefully.
 - [ ] Review if the code is being covered by tests.
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.

-#### SDK/CLI
- Are there new checks included in this PR? Yes / No
-    - If so, do we need to update permissions for the provider? Please review this carefully.
-
 #### UI
 - [ ] All issue/task requirements work as expected on the UI
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
@@ -42,11 +30,6 @@ Please add a detailed description of how to review this PR.
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.

 #### API
- [ ] All issue/task requirements work as expected on the API
- [ ] Endpoint response output (if applicable)
- [ ] EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
- [ ] Performance test results (if applicable)
- [ ] Any other relevant evidence of the implementation (if applicable)
 - [ ] Verify if API specs need to be regenerated.
 - [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.
@@ -1,254 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -33,11 +33,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            api/**
@@ -42,15 +42,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          category: '/language:${{ matrix.language }}'
@@ -57,7 +57,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Notify container push started
        id: slack-notification
@@ -93,7 +93,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Login to DockerHub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -102,7 +102,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push API container for ${{ matrix.arch }}
        id: container-push
@@ -120,18 +120,18 @@ jobs:
  # Create and push multi-architecture manifest
  create-manifest:
    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Create and push manifests for push event
        if: github.event_name == 'push'
@@ -170,7 +170,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Determine overall outcome
        id: outcome
@@ -198,8 +198,8 @@ jobs:
          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}

  trigger-deployment:
+    if: github.event_name == 'push'
    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
@@ -207,7 +207,7 @@ jobs:

    steps:
      - name: Trigger API deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
@@ -28,11 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: api/Dockerfile

@@ -63,11 +63,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: api/**
          files_ignore: |
@@ -77,7 +77,7 @@ jobs:

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -33,11 +33,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            api/**
@@ -60,7 +60,9 @@ jobs:

      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check
+        # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745

      - name: Vulture
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -73,11 +73,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            api/**
@@ -100,7 +100,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -1,247 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in documentation for master
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -23,11 +23,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Scan for secrets with TruffleHog
-        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
+        uses: trufflesecurity/trufflehog@b84c3d14d189e16da175e2c27fa8136603783ffc # v3.90.12
        with:
          extra_args: '--results=verified,unknown'
@@ -56,7 +56,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Notify container push started
        id: slack-notification
@@ -91,7 +91,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Login to DockerHub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -100,7 +100,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push MCP container for ${{ matrix.arch }}
        id: container-push
@@ -126,18 +126,18 @@ jobs:
  # Create and push multi-architecture manifest
  create-manifest:
    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Create and push manifests for push event
        if: github.event_name == 'push'
@@ -176,7 +176,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Determine overall outcome
        id: outcome
@@ -204,8 +204,8 @@ jobs:
          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}

  trigger-deployment:
+    if: github.event_name == 'push'
    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
@@ -213,7 +213,7 @@ jobs:

    steps:
      - name: Trigger MCP deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
@@ -28,11 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: mcp_server/Dockerfile

@@ -62,11 +62,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: mcp_server/**
          files_ignore: |
@@ -75,7 +75,7 @@ jobs:

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -1,81 +0,0 @@
-name: "MCP: PyPI Release"
-
-on:
-  release:
-    types:
-      - "published"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: "3.12"
-  WORKING_DIRECTORY: ./mcp_server
-
-jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
-    steps:
-      - name: Parse and validate version
-        id: parse-version
-        run: |
-          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version (only Prowler 3, 4, 5 supported)
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler MCP for tag ${PROWLER_VERSION}"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
-              exit 1
-              ;;
-          esac
-
-  publish-prowler-mcp:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-mcp
-      url: https://pypi.org/project/prowler-mcp/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Build prowler-mcp package
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-        run: uv build
-
-      - name: Publish prowler-mcp package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
-          print-hash: true
@@ -29,13 +29,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            api/**
@@ -25,14 +25,14 @@ jobs:

    steps:
      - name: Checkout PR head
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: '**'

@@ -13,10 +13,7 @@ concurrency:

 jobs:
  trigger-cloud-pull-request:
-    if: |
-      github.event.pull_request.merged == true &&
-      github.repository == 'prowler-cloud/prowler' &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-sync')
+    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
@@ -29,7 +26,7 @@ jobs:
          echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV

      - name: Trigger Cloud repository pull request
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
@@ -27,13 +27,13 @@ jobs:
      pull-requests: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        fetch-depth: 0
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}

    - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: '3.12'

@@ -344,7 +344,7 @@ jobs:

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
@@ -374,7 +374,7 @@ jobs:
          no-changelog

    - name: Create draft release
-      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
      with:
        tag_name: ${{ env.PROWLER_VERSION }}
        name: Prowler ${{ env.PROWLER_VERSION }}
@@ -67,7 +67,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Calculate next minor version
        run: |
@@ -86,12 +86,13 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff

      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -99,7 +100,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -110,7 +111,7 @@ jobs:
            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}

@@ -134,12 +135,13 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff

      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -147,7 +149,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -167,7 +169,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Calculate next patch version
        run: |
@@ -191,12 +193,13 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff

      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
@@ -204,7 +207,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -31,11 +31,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ./**
          files_ignore: |
@@ -62,7 +62,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -79,11 +79,11 @@ jobs:

      - name: Lint with flake8
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api,skills
+        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api

      - name: Check format with black
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run black --exclude api ui skills --check .
+        run: poetry run black --exclude api ui --check .

      - name: Lint with pylint
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -49,15 +49,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/sdk-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          category: '/language:${{ matrix.language }}'
@@ -61,10 +61,10 @@ jobs:
      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -115,7 +115,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Notify container push started
        id: slack-notification
@@ -151,7 +151,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Login to DockerHub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -169,7 +169,7 @@ jobs:
          AWS_REGION: ${{ env.AWS_REGION }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push SDK container for ${{ matrix.arch }}
        id: container-push
@@ -188,18 +188,18 @@ jobs:
  # Create and push multi-architecture manifest
  create-manifest:
    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -208,7 +208,7 @@ jobs:
          AWS_REGION: ${{ env.AWS_REGION }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Create and push manifests for push event
        if: github.event_name == 'push'
@@ -252,7 +252,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Determine overall outcome
        id: outcome
@@ -280,8 +280,8 @@ jobs:
          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}

  dispatch-v3-deployment:
+    if: needs.setup.outputs.prowler_version_major == '3'
    needs: [setup, container-build-push]
-    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
@@ -294,7 +294,7 @@ jobs:

      - name: Dispatch v3 deployment (latest)
        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
@@ -303,7 +303,7 @@ jobs:

      - name: Dispatch v3 deployment (release)
        if: github.event_name == 'release'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
@@ -27,11 +27,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: Dockerfile

@@ -62,11 +62,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ./**
          files_ignore: |
@@ -89,7 +89,7 @@ jobs:

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build SDK container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -59,13 +59,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'poetry'
@@ -91,13 +91,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'poetry'
@@ -25,12 +25,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: 'master'

      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
@@ -39,7 +39,7 @@ jobs:
        run: pip install boto3

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -50,7 +50,7 @@ jobs:

      - name: Create pull request
        id: create-pr
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
@@ -24,15 +24,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
-          files: 
-            ./**
-            .github/workflows/sdk-security.yml
+          files: ./**
          files_ignore: |
            .github/**
            prowler/CHANGELOG.md
@@ -57,7 +55,7 @@ jobs:

      - name: Set up Python 3.12
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: '3.12'
          cache: 'poetry'
@@ -72,7 +70,7 @@ jobs:

      - name: Security scan with Safety
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check -r pyproject.toml
+        run: poetry run safety check --ignore 70612 -r pyproject.toml

      - name: Dead code detection with Vulture
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -31,11 +31,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ./**
          files_ignore: |
@@ -62,7 +62,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
@@ -75,7 +75,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/aws/**
@@ -189,7 +189,7 @@ jobs:

      - name: Upload AWS coverage to Codecov
        if: steps.changed-aws.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -200,7 +200,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/azure/**
@@ -213,7 +213,7 @@ jobs:

      - name: Upload Azure coverage to Codecov
        if: steps.changed-azure.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -224,7 +224,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/gcp/**
@@ -237,7 +237,7 @@ jobs:

      - name: Upload GCP coverage to Codecov
        if: steps.changed-gcp.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -248,7 +248,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -261,7 +261,7 @@ jobs:

      - name: Upload Kubernetes coverage to Codecov
        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -272,7 +272,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/github/**
@@ -285,7 +285,7 @@ jobs:

      - name: Upload GitHub coverage to Codecov
        if: steps.changed-github.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -296,7 +296,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/nhn/**
@@ -309,7 +309,7 @@ jobs:

      - name: Upload NHN coverage to Codecov
        if: steps.changed-nhn.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -320,7 +320,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/m365/**
@@ -333,7 +333,7 @@ jobs:

      - name: Upload M365 coverage to Codecov
        if: steps.changed-m365.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -344,7 +344,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/iac/**
@@ -357,7 +357,7 @@ jobs:

      - name: Upload IaC coverage to Codecov
        if: steps.changed-iac.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -368,7 +368,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -381,7 +381,7 @@ jobs:

      - name: Upload MongoDB Atlas coverage to Codecov
        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -392,7 +392,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -405,7 +405,7 @@ jobs:

      - name: Upload OCI coverage to Codecov
        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -416,7 +416,7 @@ jobs:
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/lib/**
@@ -429,7 +429,7 @@ jobs:

      - name: Upload Lib coverage to Codecov
        if: steps.changed-lib.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -440,7 +440,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/config/**
@@ -453,7 +453,7 @@ jobs:

      - name: Upload Config coverage to Codecov
        if: steps.changed-config.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -1,221 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -45,15 +45,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          category: '/language:${{ matrix.language }}'
@@ -59,7 +59,7 @@ jobs:
      message-ts: ${{ steps.slack-notification.outputs.ts }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Notify container push started
        id: slack-notification
@@ -95,7 +95,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Login to DockerHub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -104,7 +104,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push UI container for ${{ matrix.arch }}
        id: container-push
@@ -125,18 +125,18 @@ jobs:
  # Create and push multi-architecture manifest
  create-manifest:
    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest

    steps:
      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Create and push manifests for push event
        if: github.event_name == 'push'
@@ -175,7 +175,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Determine overall outcome
        id: outcome
@@ -203,8 +203,8 @@ jobs:
          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}

  trigger-deployment:
+    if: github.event_name == 'push'
    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
@@ -212,7 +212,7 @@ jobs:

    steps:
      - name: Trigger UI deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
@@ -28,11 +28,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ui/Dockerfile

@@ -63,11 +63,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ui/**
          files_ignore: |
@@ -76,7 +76,7 @@ jobs:

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build UI container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -54,7 +54,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1
        with:
@@ -114,7 +114,7 @@ jobs:
            echo "All database fixtures loaded successfully!"
          '
      - name: Setup Node.js environment
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: '20.x'
      - name: Setup pnpm
@@ -126,7 +126,7 @@ jobs:
        shell: bash
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
      - name: Setup pnpm cache
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -139,7 +139,7 @@ jobs:
        working-directory: ./ui
        run: pnpm run build
      - name: Cache Playwright browsers
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
@@ -154,7 +154,7 @@ jobs:
        working-directory: ./ui
        run: pnpm run test:e2e
      - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: failure()
        with:
          name: playwright-report
@@ -30,11 +30,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ui/**
@@ -45,7 +45,7 @@ jobs:

      - name: Setup Node.js ${{ env.NODE_VERSION }}
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -63,7 +63,7 @@ jobs:

      - name: Setup pnpm cache
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
@@ -82,9 +82,6 @@ continue.json
 .continuerc
 .continuerc.json

-# AI Coding Assistants - OpenCode
-opencode.json
-
 # AI Coding Assistants - GitHub Copilot
 .copilot/
 .github/copilot/
@@ -155,9 +152,3 @@ CLAUDE.md

 # Compliance report
 *.pdf
-
-# AI Skills symlinks (generated by skills/setup.sh)
-.claude/skills
-.codex/skills
-.github/skills
-.gemini/skills
@@ -34,7 +34,6 @@ repos:
    rev: v2.3.1
    hooks:
      - id: autoflake
-        exclude: ^skills/
        args:
          [
            "--in-place",
@@ -46,20 +45,18 @@ repos:
    rev: 5.13.2
    hooks:
      - id: isort
-        exclude: ^skills/
        args: ["--profile", "black"]

  - repo: https://github.com/psf/black
    rev: 24.4.2
    hooks:
      - id: black
-        exclude: ^skills/

  - repo: https://github.com/pycqa/flake8
    rev: 7.0.0
    hooks:
      - id: flake8
-        exclude: (contrib|^skills/)
+        exclude: contrib
        args: ["--ignore=E266,W503,E203,E501,W605"]

  - repo: https://github.com/python-poetry/poetry
@@ -112,7 +109,7 @@ repos:
      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
        language: system
        files: '.*\.py'

@@ -126,7 +123,7 @@ repos:
      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
+        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
        language: system
        files: '.*\.py'

@@ -2,83 +2,109 @@

 ## How to Use This Guide

- Start here for cross-project norms. Prowler is a monorepo with several components.
- Each component has an `AGENTS.md` file with specific guidelines (e.g., `api/AGENTS.md`, `ui/AGENTS.md`).
- Component docs override this file when guidance conflicts.
-
-## Available Skills
-
-Use these skills for detailed patterns on-demand:
-
-### Generic Skills (Any Project)
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
-| `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
-| `nextjs-15` | App Router, Server Actions, streaming | [SKILL.md](skills/nextjs-15/SKILL.md) |
-| `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
-| `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
-| `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
-| `django-drf` | ViewSets, Serializers, Filters | [SKILL.md](skills/django-drf/SKILL.md) |
-| `zod-4` | New API (z.email(), z.uuid()) | [SKILL.md](skills/zod-4/SKILL.md) |
-| `zustand-5` | Persist, selectors, slices | [SKILL.md](skills/zustand-5/SKILL.md) |
-| `ai-sdk-5` | UIMessage, streaming, LangChain | [SKILL.md](skills/ai-sdk-5/SKILL.md) |
-
-### Prowler-Specific Skills
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
-| `prowler-api` | Django + RLS + JSON:API patterns | [SKILL.md](skills/prowler-api/SKILL.md) |
-| `prowler-ui` | Next.js + shadcn conventions | [SKILL.md](skills/prowler-ui/SKILL.md) |
-| `prowler-sdk-check` | Create new security checks | [SKILL.md](skills/prowler-sdk-check/SKILL.md) |
-| `prowler-mcp` | MCP server tools and models | [SKILL.md](skills/prowler-mcp/SKILL.md) |
-| `prowler-test-sdk` | SDK testing (pytest + moto) | [SKILL.md](skills/prowler-test-sdk/SKILL.md) |
-| `prowler-test-api` | API testing (pytest-django + RLS) | [SKILL.md](skills/prowler-test-api/SKILL.md) |
-| `prowler-test-ui` | E2E testing (Playwright) | [SKILL.md](skills/prowler-test-ui/SKILL.md) |
-| `prowler-compliance` | Compliance framework structure | [SKILL.md](skills/prowler-compliance/SKILL.md) |
-| `prowler-provider` | Add new cloud providers | [SKILL.md](skills/prowler-provider/SKILL.md) |
-| `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
-| `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
-
---
+- Start here for cross-project norms, Prowler is a monorepo with several components. Every component should have an `AGENTS.md` file that contains the guidelines for the agents in that component. The file is located beside the code you are touching (e.g. `api/AGENTS.md`, `ui/AGENTS.md`, `prowler/AGENTS.md`).
+- Follow the stricter rule when guidance conflicts; component docs override this file for their scope.
+- Keep instructions synchronized. When you add new workflows or scripts, update both, the relevant component `AGENTS.md` and this file if they apply broadly.

 ## Project Overview

-Prowler is an open-source cloud security assessment tool supporting AWS, Azure, GCP, Kubernetes, GitHub, M365, and more.
+Prowler is an open-source cloud security assessment tool that supports multiple cloud providers (AWS, Azure, GCP, Kubernetes, GitHub, M365, etc.). The project consists in a monorepo with the following main components:

-| Component | Location | Tech Stack |
-|-----------|----------|------------|
-| SDK | `prowler/` | Python 3.9+, Poetry |
-| API | `api/` | Django 5.1, DRF, Celery |
-| UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
-| MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
-| Dashboard | `dashboard/` | Dash, Plotly |
+- **Prowler SDK**: Python SDK, includes the Prowler CLI, providers, services, checks, compliances, config, etc. (`prowler/`)
+- **Prowler API**: Django-based REST API backend (`api/`)
+- **Prowler UI**: Next.js frontend application (`ui/`)
+- **Prowler MCP Server**: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs (`mcp_server/`)
+- **Prowler Dashboard**: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard (`dashboard/`)

---
+### Project Structure (Key Folders & Files)
+
+- `prowler/`: Main source code for Prowler SDK (CLI, providers, services, checks, compliances, config, etc.)
+- `api/`: Django-based REST API backend components
+- `ui/`: Next.js frontend application
+- `mcp_server/`: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs
+- `dashboard/`: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard
+- `docs/`: Documentation
+- `examples/`: Example output formats for providers and scripts
+- `permissions/`: Permission-related files and policies
+- `contrib/`: Community-contributed scripts or modules
+- `tests/`: Prowler SDK test suite
+- `docker-compose.yml`: Docker compose file to run the Prowler App (API + UI) production environment
+- `docker-compose-dev.yml`: Docker compose file to run the Prowler App (API + UI) development environment
+- `pyproject.toml`: Poetry Prowler SDK project file
+- `.pre-commit-config.yaml`: Pre-commit hooks configuration
+- `Makefile`: Makefile to run the project
+- `LICENSE`: License file
+- `README.md`: README file
+- `CONTRIBUTING.md`: Contributing guide

 ## Python Development

-```bash
-# Setup
-poetry install --with dev
-poetry run pre-commit install
+Most of the code is written in Python, so the main files in the root are focused on Python code.

-# Code quality
+### Poetry Dev Environment
+
+For developing in Python we recommend using `poetry` to manage the dependencies. The minimal version is `2.1.1`. So it is recommended to run all commands using `poetry run ...`.
+
+To install the core dependencies to develop it is needed to run `poetry install --with dev`.
+
+### Pre-commit hooks
+
+The project has pre-commit hooks to lint and format the code. They are installed by running `poetry run pre-commit install`.
+
+When commiting a change, the hooks will be run automatically. Some of them are:
+
+- Code formatting (black, isort)
+- Linting (flake8, pylint)
+- Security checks (bandit, safety, trufflehog)
+- YAML/JSON validation
+- Poetry lock file validation
+
+
+### Linting and Formatting
+
+We use the following tools to lint and format the code:
+
+- `flake8`: for linting the code
+- `black`: for formatting the code
+- `pylint`: for linting the code
+
+You can run all using the `make` command:
+```bash
 poetry run make lint
 poetry run make format
-poetry run pre-commit run --all-files
 ```

---
+Or they will be run automatically when you commit your changes using pre-commit hooks.

 ## Commit & Pull Request Guidelines

-Follow conventional-commit style: `<type>[scope]: <description>`
+For the commit messages and pull requests name follow the conventional-commit style.

-**Types:** `feat`, `fix`, `docs`, `chore`, `perf`, `refactor`, `style`, `test`
+Befire creating a pull request, complete the checklist in `.github/pull_request_template.md`. Summaries should explain deployment impact, highlight review steps, and note changelog or permission updates. Run all relevant tests and linters before requesting review and link screenshots for UI or dashboard changes.

-Before creating a PR:
-1. Complete checklist in `.github/pull_request_template.md`
-2. Run all relevant tests and linters
-3. Link screenshots for UI changes
+### Conventional Commit Style
+
+The Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history; which makes it easier to write automated tools on top of.
+
+The commit message should be structured as follows:
+
+```
+<type>[optional scope]: <description>
+<BLANK LINE>
+[optional body]
+<BLANK LINE>
+[optional footer(s)]
+```
+
+Any line of the commit message cannot be longer 100 characters! This allows the message to be easier to read on GitHub as well as in various git tools
+
+#### Commit Types
+
+- **feat**: code change introuce new functionality to the application
+- **fix**: code change that solve a bug in the codebase
+- **docs**: documentation only changes
+- **chore**: changes related to the build process or auxiliary tools and libraries, that do not affect the application's functionality
+- **perf**: code change that improves performance
+- **refactor**: code change that neither fixes a bug nor adds a feature
+- **style**: changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
+- **test**: adding missing tests or correcting existing tests
@@ -47,12 +47,12 @@ help:     ## Show this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

 ##@ Build no cache
-build-no-cache-dev:
-	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat mcp-server
+build-no-cache-dev: 
+	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat

 ##@ Development Environment
-run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP, and workers
-	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat mcp-server
+run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, and workers 
+	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat

 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev
@@ -148,9 +148,9 @@ If your workstation's architecture is incompatible, you can resolve this by:
 ### Common Issues with Docker Pull Installation

 > [!Note]
-  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.mdx) section for more details and examples.
+  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.md) section for more details and examples.

-You can find more information in the [Troubleshooting](./docs/troubleshooting.mdx) section.
+You can find more information in the [Troubleshooting](./docs/troubleshooting.md) section.


 ### From GitHub
@@ -277,12 +277,11 @@ python prowler-cli.py -v
 # ✏️ High level architecture

 ## Prowler App
-**Prowler App** is composed of four key components:
+**Prowler App** is composed of three key components:

 - **Prowler UI**: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
- **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.

 ![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)

@@ -310,45 +309,6 @@ And many more environments.

 ![Architecture](docs/img/architecture.png)

-# 🤖 AI Skills for Development
-
-Prowler includes a comprehensive set of **AI Skills** that help AI coding assistants understand Prowler's codebase patterns and conventions.
-
-## What are AI Skills?
-
-Skills are structured instructions that give AI assistants the context they need to write code that follows Prowler's standards. They include:
-
- **Coding patterns** for each component (SDK, API, UI, MCP Server)
- **Testing conventions** (pytest, Playwright)
- **Architecture guidelines** (Clean Architecture, RLS patterns)
- **Framework-specific rules** (React 19, Next.js 15, Django DRF, Tailwind 4)
-
-## Available Skills
-
-| Category | Skills |
-|----------|--------|
-| **Generic** | `typescript`, `react-19`, `nextjs-15`, `tailwind-4`, `playwright`, `pytest`, `django-drf`, `zod-4`, `zustand-5`, `ai-sdk-5` |
-| **Prowler** | `prowler`, `prowler-api`, `prowler-ui`, `prowler-mcp`, `prowler-sdk-check`, `prowler-test-ui`, `prowler-test-api`, `prowler-test-sdk`, `prowler-compliance`, `prowler-provider`, `prowler-pr`, `prowler-docs` |
-
-## Setup
-
-```bash
-./skills/setup.sh
-```
-
-This configures skills for AI coding assistants that follow the [agentskills.io](https://agentskills.io) standard:
-
-| Tool | Configuration |
-|------|---------------|
-| **Claude Code** | `.claude/skills/` (symlink) |
-| **OpenCode** | `.claude/skills/` (symlink) |
-| **Codex (OpenAI)** | `.codex/skills/` (symlink) |
-| **GitHub Copilot** | `.github/skills/` (symlink) |
-| **Gemini CLI** | `.gemini/skills/` (symlink) |
-
-> **Note:** Restart your AI coding assistant after running setup to load the skills.
-> Gemini CLI requires `experimental.skills` enabled in settings.
-
 # 📖 Documentation

 For installation instructions, usage details, tutorials, and the Developer Guide, visit https://docs.prowler.com/
@@ -1,137 +0,0 @@
-# Prowler API - AI Agent Ruleset
-
-> **Skills Reference**: For detailed patterns, use these skills:
-> - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
-> - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
-> - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
-> - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
-
-## CRITICAL RULES - NON-NEGOTIABLE
-
-### Models
- ALWAYS: UUIDv4 PKs, `inserted_at`/`updated_at` timestamps, `JSONAPIMeta` class
- ALWAYS: Inherit from `RowLevelSecurityProtectedModel` for tenant-scoped data
- NEVER: Auto-increment integer PKs, models without tenant isolation
-
-### Serializers
- ALWAYS: Separate serializers for Create/Update operations
- ALWAYS: Inherit from `RLSSerializer` for tenant-scoped models
- NEVER: Write logic in serializers (use services/utils)
-
-### Views
- ALWAYS: Inherit from `BaseRLSViewSet` for tenant-scoped resources
- ALWAYS: Define `filterset_class`, use `@extend_schema` for OpenAPI
- NEVER: Raw SQL queries, business logic in views
-
-### Row-Level Security (RLS)
- ALWAYS: Use `rls_transaction(tenant_id)` context manager
- NEVER: Query across tenants, trust client-provided tenant_id
-
-### Celery Tasks
- ALWAYS: `@shared_task` with `name`, `queue`, `RLSTask` base class
- NEVER: Long-running ops in views, request context in tasks
-
---
-
-## DECISION TREES
-
-### Serializer Selection
-```
-Read → <Model>Serializer
-Create → <Model>CreateSerializer
-Update → <Model>UpdateSerializer
-Nested read → <Model>IncludeSerializer
-```
-
-### Task vs View
-```
-< 100ms → View
-> 100ms or external API → Celery task
-Needs retry → Celery task
-```
-
---
-
-## TECH STACK
-
-Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | PostgreSQL 16 | pytest 8.x
-
---
-
-## PROJECT STRUCTURE
-
-```
-api/src/backend/
-├── api/                    # Main Django app
-│   ├── v1/                # API version 1 (views, serializers, urls)
-│   ├── models.py          # Django models
-│   ├── filters.py         # FilterSet classes
-│   ├── base_views.py      # Base ViewSet classes
-│   ├── rls.py             # Row-Level Security
-│   └── tests/             # Unit tests
-├── config/                # Django configuration
-└── tasks/                 # Celery tasks
-```
-
---
-
-## COMMANDS
-
-```bash
-# Development
-poetry run python src/backend/manage.py runserver
-poetry run celery -A config.celery worker -l INFO
-
-# Database
-poetry run python src/backend/manage.py makemigrations
-poetry run python src/backend/manage.py migrate
-
-# Testing & Linting
-poetry run pytest -x --tb=short
-poetry run make lint
-```
-
---
-
-## QA CHECKLIST
-
- [ ] `poetry run pytest` passes
- [ ] `poetry run make lint` passes
- [ ] Migrations created if models changed
- [ ] New endpoints have `@extend_schema` decorators
- [ ] RLS properly applied for tenant data
- [ ] Tests cover success and error cases
-
---
-
-## NAMING CONVENTIONS
-
-| Entity | Pattern | Example |
-|--------|---------|---------|
-| Serializer (read) | `<Model>Serializer` | `ProviderSerializer` |
-| Serializer (create) | `<Model>CreateSerializer` | `ProviderCreateSerializer` |
-| Serializer (update) | `<Model>UpdateSerializer` | `ProviderUpdateSerializer` |
-| Filter | `<Model>Filter` | `ProviderFilter` |
-| ViewSet | `<Model>ViewSet` | `ProviderViewSet` |
-| Task | `<action>_<entity>_task` | `sync_provider_resources_task` |
-
---
-
-## API CONVENTIONS (JSON:API)
-
-```json
-{
-  "data": {
-    "type": "providers",
-    "id": "uuid",
-    "attributes": { "name": "value" },
-    "relationships": { "tenant": { "data": { "type": "tenants", "id": "uuid" } } }
-  }
-}
-```
-
- Content-Type: `application/vnd.api+json`
- Pagination: `?page[number]=1&page[size]=20`
- Filtering: `?filter[field]=value`, `?filter[field__in]=val1,val2`
- Sorting: `?sort=field`, `?sort=-field`
- Including: `?include=provider,findings`
@@ -2,38 +2,11 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.18.0] (Prowler UNRELEASED)
-
-### Added
- `/api/v1/overviews/compliance-watchlist` to retrieve the compliance watchlist [(#9596)](https://github.com/prowler-cloud/prowler/pull/9596)
- Support AlibabaCloud provider [(#9485)](https://github.com/prowler-cloud/prowler/pull/9485)
- `provider_id` and `provider_id__in` filter aliases for findings endpoints to enable consistent frontend parameter naming [(#9701)](https://github.com/prowler-cloud/prowler/pull/9701)
-
---
-
-## [1.17.2] (Prowler v5.16.2)
-
-### Security
- Updated dependencies to patch security vulnerabilities: Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
-
---
-
-## [1.17.1] (Prowler v5.16.1)
-
-### Changed
- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)
-
-### Fixed
- Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
-
---
-
-## [1.17.0] (Prowler v5.16.0)
+## [1.17.0] (Prowler UNRELEASED)

 ### Added
 - New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
 - Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Account id, alias and provider name to PDF reporting table [(#9574)](https://github.com/prowler-cloud/prowler/pull/9574)

 ### Changed
 - Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
@@ -41,8 +14,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)

 ### Fixed
- Made `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
- Reduced unnecessary UPDATE resources operations by only saving when tag mappings change, lowering write load during scans [(#9569)](https://github.com/prowler-cloud/prowler/pull/9569)
+- Make `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)

 ---

@@ -7,7 +7,7 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
  "celery[pytest] (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.15)",
+  "django (==5.1.14)",
  "django-allauth[saml] (>=65.8.0,<66.0.0)",
  "django-celery-beat (>=2.7.0,<3.0.0)",
  "django-celery-results (>=2.5.1,<3.0.0)",
@@ -36,10 +36,7 @@ dependencies = [
  "drf-simple-apikey (==2.2.1)",
  "matplotlib (>=3.10.6,<4.0.0)",
  "reportlab (>=4.4.4,<5.0.0)",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
+  "gevent (>=25.9.1,<26.0.0)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -47,7 +44,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.18.0"
+version = "1.16.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -37,7 +37,6 @@ from api.models import (
    PermissionChoices,
    Processor,
    Provider,
-    ProviderComplianceScore,
    ProviderGroup,
    ProviderSecret,
    Resource,
@@ -93,62 +92,10 @@ class ChoiceInFilter(BaseInFilter, ChoiceFilter):
    pass


-class BaseProviderFilter(FilterSet):
-    """
-    Abstract base filter for models with direct FK to Provider.
-
-    Provides standard provider_id and provider_type filters.
-    Subclasses must define Meta.model.
-    """
-
-    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        abstract = True
-        fields = {}
-
-
-class BaseScanProviderFilter(FilterSet):
-    """
-    Abstract base filter for models with FK to Scan (and Scan has FK to Provider).
-
-    Provides standard provider_id and provider_type filters via scan relationship.
-    Subclasses must define Meta.model.
-    """
-
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        abstract = True
-        fields = {}
-
-
 class CommonFindingFilters(FilterSet):
    # We filter providers from the scan in findings
-    # Both 'provider' and 'provider_id' parameters are supported for API consistency
-    # Frontend uses 'provider_id' uniformly across all endpoints
    provider = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
    provider__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
    provider_type = ChoiceFilter(
        choices=Provider.ProviderChoices.choices, field_name="scan__provider__provider"
    )
@@ -1139,25 +1086,39 @@ class ThreatScoreSnapshotFilter(FilterSet):
        }


-class AttackSurfaceOverviewFilter(BaseScanProviderFilter):
+class AttackSurfaceOverviewFilter(FilterSet):
    """Filter for attack surface overview aggregations by provider."""

-    class Meta(BaseScanProviderFilter.Meta):
+    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
+    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
+    provider_type = ChoiceFilter(
+        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="scan__provider__provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )
+
+    class Meta:
        model = AttackSurfaceOverview
+        fields = {}


-class CategoryOverviewFilter(BaseScanProviderFilter):
-    """Filter for category overview aggregations by provider."""
-
+class CategoryOverviewFilter(FilterSet):
+    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
+    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
+    provider_type = ChoiceFilter(
+        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="scan__provider__provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )
    category = CharFilter(field_name="category", lookup_expr="exact")
    category__in = CharInFilter(field_name="category", lookup_expr="in")

-    class Meta(BaseScanProviderFilter.Meta):
+    class Meta:
        model = ScanCategorySummary
-
-
-class ComplianceWatchlistFilter(BaseProviderFilter):
-    """Filter for compliance watchlist overview by provider."""
-
-    class Meta(BaseProviderFilter.Meta):
-        model = ProviderComplianceScore
+        fields = {}
@@ -26,11 +26,8 @@ class Migration(migrations.Migration):
                    ),
                ),
                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
+                    "tenant_id",
+                    models.UUIDField(db_index=True, editable=False),
                ),
                (
                    "inserted_at",
@@ -59,6 +56,7 @@ class Migration(migrations.Migration):
                            ("low", "Low"),
                            ("informational", "Informational"),
                        ],
+                        max_length=50,
                    ),
                ),
                (
@@ -84,7 +82,6 @@ class Migration(migrations.Migration):
            ],
            options={
                "db_table": "scan_category_summaries",
-                "abstract": False,
            },
        ),
        migrations.AddIndex(
@@ -16,7 +16,6 @@ class Migration(migrations.Migration):
                blank=True,
                null=True,
                size=None,
-                help_text="Categories from check metadata for efficient filtering",
            ),
        ),
    ]
@@ -1,37 +0,0 @@
-# Generated by Django migration for Alibaba Cloud provider support
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0064_finding_categories"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'alibabacloud';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
@@ -1,94 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0065_alibabacloud_provider"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ProviderComplianceScore",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("compliance_id", models.TextField()),
-                ("requirement_id", models.TextField()),
-                (
-                    "requirement_status",
-                    api.db_utils.StatusEnumField(
-                        choices=[
-                            ("FAIL", "Fail"),
-                            ("PASS", "Pass"),
-                            ("MANUAL", "Manual"),
-                        ]
-                    ),
-                ),
-                ("scan_completed_at", models.DateTimeField()),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_scores",
-                        related_query_name="compliance_score",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_scores",
-                        related_query_name="compliance_score",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "provider_compliance_scores",
-                "abstract": False,
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="providercompliancescore",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider_id", "compliance_id", "requirement_id"),
-                name="unique_provider_compliance_req",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="providercompliancescore",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_providercompliancescore",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="providercompliancescore",
-            index=models.Index(
-                fields=["tenant_id", "provider_id", "compliance_id"],
-                name="pcs_tenant_prov_comp_idx",
-            ),
-        ),
-    ]
@@ -1,61 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0066_provider_compliance_score"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="TenantComplianceSummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("compliance_id", models.TextField()),
-                ("requirements_passed", models.IntegerField(default=0)),
-                ("requirements_failed", models.IntegerField(default=0)),
-                ("requirements_manual", models.IntegerField(default=0)),
-                ("total_requirements", models.IntegerField(default=0)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "tenant_compliance_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="tenantcompliancesummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "compliance_id"),
-                name="unique_tenant_compliance_summary",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="tenantcompliancesummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_tenantcompliancesummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -287,7 +287,6 @@ class Provider(RowLevelSecurityProtectedModel):
        MONGODBATLAS = "mongodbatlas", _("MongoDB Atlas")
        IAC = "iac", _("IaC")
        ORACLECLOUD = "oraclecloud", _("Oracle Cloud Infrastructure")
-        ALIBABACLOUD = "alibabacloud", _("Alibaba Cloud")

    @staticmethod
    def validate_aws_uid(value):
@@ -392,15 +391,6 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

-    @staticmethod
-    def validate_alibabacloud_uid(value):
-        if not re.match(r"^\d{16}$", value):
-            raise ModelValidationError(
-                detail="Alibaba Cloud account ID must be exactly 16 digits.",
-                code="alibabacloud-uid",
-                pointer="/data/attributes/uid",
-            )
-
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
    updated_at = models.DateTimeField(auto_now=True, editable=False)
@@ -726,19 +716,14 @@ class Resource(RowLevelSecurityProtectedModel):
            self.clear_tags()
            return

-        # Add new relationships with the tenant_id field; avoid touching the
-        # Resource row unless a mapping is actually created to prevent noisy
-        # updates during scans.
-        mapping_created = False
+        # Add new relationships with the tenant_id field
        for tag in tags:
-            _, created = ResourceTagMapping.objects.update_or_create(
+            ResourceTagMapping.objects.update_or_create(
                tag=tag, resource=self, tenant_id=self.tenant_id
            )
-            mapping_created = mapping_created or created

-        if mapping_created:
-            # Only bump updated_at when the tag set truly changed
-            self.save(update_fields=["updated_at"])
+        # Save the instance
+        self.save()

    class Meta(RowLevelSecurityProtectedModel.Meta):
        db_table = "resources"
@@ -2605,92 +2590,3 @@ class AttackSurfaceOverview(RowLevelSecurityProtectedModel):

    class JSONAPIMeta:
        resource_name = "attack-surface-overviews"
-
-
-class ProviderComplianceScore(RowLevelSecurityProtectedModel):
-    """
-    Compliance requirement status from latest completed scan per provider.
-
-    Used for efficient compliance watchlist queries with FAIL-dominant aggregation
-    across multiple providers. Updated via atomic upsert after each scan completion.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="compliance_scores",
-        related_query_name="compliance_score",
-    )
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="compliance_scores",
-        related_query_name="compliance_score",
-    )
-
-    compliance_id = models.TextField()
-    requirement_id = models.TextField()
-    requirement_status = StatusEnumField(choices=StatusChoices)
-
-    scan_completed_at = models.DateTimeField()
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "provider_compliance_scores"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "provider_id", "compliance_id", "requirement_id"),
-                name="unique_provider_compliance_req",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "provider_id", "compliance_id"],
-                name="pcs_tenant_prov_comp_idx",
-            ),
-        ]
-
-
-class TenantComplianceSummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated compliance counts per tenant with FAIL-dominant logic applied.
-
-    One row per (tenant, compliance_id). Used for fast watchlist queries when
-    no provider filter is applied. Recalculated after each scan by aggregating
-    across all providers with FAIL-dominant logic at requirement level.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-
-    compliance_id = models.TextField()
-
-    requirements_passed = models.IntegerField(default=0)
-    requirements_failed = models.IntegerField(default=0)
-    requirements_manual = models.IntegerField(default=0)
-    total_requirements = models.IntegerField(default=0)
-
-    updated_at = models.DateTimeField(auto_now=True)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "tenant_compliance_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "compliance_id"),
-                name="unique_tenant_compliance_summary",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
@@ -1,21 +1,9 @@
-from datetime import datetime, timezone
-
 import pytest
 from allauth.socialaccount.models import SocialApp
 from django.core.exceptions import ValidationError
-from django.db import IntegrityError

 from api.db_router import MainRouter
-from api.models import (
-    ProviderComplianceScore,
-    Resource,
-    ResourceTag,
-    SAMLConfiguration,
-    SAMLDomainIndex,
-    StateChoices,
-    StatusChoices,
-    TenantComplianceSummary,
-)
+from api.models import Resource, ResourceTag, SAMLConfiguration, SAMLDomainIndex


@pytest.mark.django_db
@@ -336,159 +324,3 @@ class TestSAMLConfigurationModel:
        errors = exc_info.value.message_dict
        assert "metadata_xml" in errors
        assert "There is a problem with your metadata." in errors["metadata_xml"][0]
-
-
-@pytest.mark.django_db
-class TestProviderComplianceScoreModel:
-    def test_create_provider_compliance_score(self, providers_fixture, scans_fixture):
-        provider = providers_fixture[0]
-        scan = scans_fixture[0]
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        score = ProviderComplianceScore.objects.create(
-            tenant_id=provider.tenant_id,
-            provider=provider,
-            scan=scan,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan.completed_at,
-        )
-
-        assert score.compliance_id == "aws_cis_2.0"
-        assert score.requirement_id == "req_1"
-        assert score.requirement_status == StatusChoices.PASS
-
-    def test_unique_constraint_per_provider_compliance_requirement(
-        self, providers_fixture, scans_fixture
-    ):
-        provider = providers_fixture[0]
-        scan = scans_fixture[0]
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        ProviderComplianceScore.objects.create(
-            tenant_id=provider.tenant_id,
-            provider=provider,
-            scan=scan,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan.completed_at,
-        )
-
-        with pytest.raises(IntegrityError):
-            ProviderComplianceScore.objects.create(
-                tenant_id=provider.tenant_id,
-                provider=provider,
-                scan=scan,
-                compliance_id="aws_cis_2.0",
-                requirement_id="req_1",
-                requirement_status=StatusChoices.FAIL,
-                scan_completed_at=scan.completed_at,
-            )
-
-    def test_different_providers_same_requirement_allowed(
-        self, providers_fixture, scans_fixture
-    ):
-        provider1, provider2, *_ = providers_fixture
-        scan1 = scans_fixture[0]
-        scan1.completed_at = datetime.now(timezone.utc)
-        scan1.save()
-
-        scan2 = scans_fixture[2]
-        scan2.state = StateChoices.COMPLETED
-        scan2.completed_at = datetime.now(timezone.utc)
-        scan2.save()
-
-        score1 = ProviderComplianceScore.objects.create(
-            tenant_id=provider1.tenant_id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan1.completed_at,
-        )
-
-        score2 = ProviderComplianceScore.objects.create(
-            tenant_id=provider2.tenant_id,
-            provider=provider2,
-            scan=scan2,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.FAIL,
-            scan_completed_at=scan2.completed_at,
-        )
-
-        assert score1.id != score2.id
-        assert score1.requirement_status != score2.requirement_status
-
-
-@pytest.mark.django_db
-class TestTenantComplianceSummaryModel:
-    def test_create_tenant_compliance_summary(self, tenants_fixture):
-        tenant = tenants_fixture[0]
-
-        summary = TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        assert summary.compliance_id == "aws_cis_2.0"
-        assert summary.requirements_passed == 5
-        assert summary.requirements_failed == 2
-        assert summary.requirements_manual == 1
-        assert summary.total_requirements == 8
-        assert summary.updated_at is not None
-
-    def test_unique_constraint_per_tenant_compliance(self, tenants_fixture):
-        tenant = tenants_fixture[0]
-
-        TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        with pytest.raises(IntegrityError):
-            TenantComplianceSummary.objects.create(
-                tenant_id=tenant.id,
-                compliance_id="aws_cis_2.0",
-                requirements_passed=3,
-                requirements_failed=4,
-                requirements_manual=1,
-                total_requirements=8,
-            )
-
-    def test_different_tenants_same_compliance_allowed(self, tenants_fixture):
-        tenant1, tenant2, *_ = tenants_fixture
-
-        summary1 = TenantComplianceSummary.objects.create(
-            tenant_id=tenant1.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        summary2 = TenantComplianceSummary.objects.create(
-            tenant_id=tenant2.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=3,
-            requirements_failed=4,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        assert summary1.id != summary2.id
-        assert summary1.requirements_passed != summary2.requirements_passed
@@ -16,7 +16,6 @@ from api.utils import (
    return_prowler_provider,
    validate_invitation,
 )
-from prowler.providers.alibabacloud.alibabacloud_provider import AlibabacloudProvider
 from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHubConnection
 from prowler.providers.azure.azure_provider import AzureProvider
@@ -117,7 +116,6 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.MONGODBATLAS.value, MongodbatlasProvider),
            (Provider.ProviderChoices.ORACLECLOUD.value, OraclecloudProvider),
            (Provider.ProviderChoices.IAC.value, IacProvider),
-            (Provider.ProviderChoices.ALIBABACLOUD.value, AlibabacloudProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -1165,11 +1165,6 @@ class TestProviderViewSet:
                    "uid": "64b1d3c0e4b03b1234567890",
                    "alias": "Atlas Organization",
                },
-                {
-                    "provider": "alibabacloud",
-                    "uid": "1234567890123456",
-                    "alias": "Alibaba Cloud Account",
-                },
            ]
        ),
    )
@@ -1519,36 +1514,6 @@ class TestProviderViewSet:
                    "mongodbatlas-uid",
                    "uid",
                ),
-                # Alibaba Cloud UID validation - too short (not 16 digits)
-                (
-                    {
-                        "provider": "alibabacloud",
-                        "uid": "123456789012345",
-                        "alias": "test",
-                    },
-                    "alibabacloud-uid",
-                    "uid",
-                ),
-                # Alibaba Cloud UID validation - too long (not 16 digits)
-                (
-                    {
-                        "provider": "alibabacloud",
-                        "uid": "12345678901234567",
-                        "alias": "test",
-                    },
-                    "alibabacloud-uid",
-                    "uid",
-                ),
-                # Alibaba Cloud UID validation - contains non-digits
-                (
-                    {
-                        "provider": "alibabacloud",
-                        "uid": "123456789012345a",
-                        "alias": "test",
-                    },
-                    "alibabacloud-uid",
-                    "uid",
-                ),
            ]
        ),
    )
@@ -1722,21 +1687,21 @@ class TestProviderViewSet:
                (
                    "uid.icontains",
                    "1",
-                    8,
+                    7,
                ),
                ("alias", "aws_testing_1", 1),
                ("alias.icontains", "aws", 2),
-                ("inserted_at", TODAY, 9),
+                ("inserted_at", TODAY, 8),
                (
                    "inserted_at.gte",
                    "2024-01-01",
-                    9,
+                    8,
                ),
                ("inserted_at.lte", "2024-01-01", 0),
                (
                    "updated_at.gte",
                    "2024-01-01",
-                    9,
+                    8,
                ),
                ("updated_at.lte", "2024-01-01", 0),
            ]
@@ -2286,46 +2251,6 @@ class TestProviderSecretViewSet:
                    "atlas_private_key": "private-key",
                },
            ),
-            # Alibaba Cloud credentials (with access key only)
-            (
-                Provider.ProviderChoices.ALIBABACLOUD.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "access_key_id": "LTAI5t1234567890abcdef",
-                    "access_key_secret": "my-secret-access-key",
-                },
-            ),
-            # Alibaba Cloud credentials (with STS security token)
-            (
-                Provider.ProviderChoices.ALIBABACLOUD.value,
-                ProviderSecret.TypeChoices.STATIC,
-                {
-                    "access_key_id": "LTAI5t1234567890abcdef",
-                    "access_key_secret": "my-secret-access-key",
-                    "security_token": "my-security-token-for-sts",
-                },
-            ),
-            # Alibaba Cloud RAM Role Assumption (minimal required fields)
-            (
-                Provider.ProviderChoices.ALIBABACLOUD.value,
-                ProviderSecret.TypeChoices.ROLE,
-                {
-                    "role_arn": "acs:ram::1234567890123456:role/ProwlerRole",
-                    "access_key_id": "LTAI5t1234567890abcdef",
-                    "access_key_secret": "my-secret-access-key",
-                },
-            ),
-            # Alibaba Cloud RAM Role Assumption (with optional role_session_name)
-            (
-                Provider.ProviderChoices.ALIBABACLOUD.value,
-                ProviderSecret.TypeChoices.ROLE,
-                {
-                    "role_arn": "acs:ram::1234567890123456:role/ProwlerRole",
-                    "access_key_id": "LTAI5t1234567890abcdef",
-                    "access_key_secret": "my-secret-access-key",
-                    "role_session_name": "ProwlerAuditSession",
-                },
-            ),
        ],
    )
    def test_provider_secrets_create_valid(
@@ -4110,37 +4035,6 @@ class TestFindingViewSet:
        assert response.status_code == status.HTTP_200_OK
        assert len(response.json()["data"]) == 2

-    def test_finding_filter_by_provider_id_alias(
-        self, authenticated_client, findings_fixture
-    ):
-        """Test that provider_id filter alias works identically to provider filter."""
-        response = authenticated_client.get(
-            reverse("finding-list"),
-            {
-                "filter[provider_id]": findings_fixture[0].scan.provider.id,
-                "filter[inserted_at]": TODAY,
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 2
-
-    def test_finding_filter_by_provider_id_in_alias(
-        self, authenticated_client, findings_fixture
-    ):
-        """Test that provider_id__in filter alias works identically to provider__in filter."""
-        response = authenticated_client.get(
-            reverse("finding-list"),
-            {
-                "filter[provider_id__in]": [
-                    findings_fixture[0].scan.provider.id,
-                    findings_fixture[1].scan.provider.id,
-                ],
-                "filter[inserted_at]": TODAY,
-            },
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 2
-
    @pytest.mark.parametrize(
        "filter_name",
        (
@@ -4362,28 +4256,6 @@ class TestFindingViewSet:
            == latest_scan_finding.status
        )

-    def test_findings_latest_filter_by_provider_id_alias(
-        self, authenticated_client, latest_scan_finding
-    ):
-        """Test that provider_id filter alias works on latest findings endpoint."""
-        response = authenticated_client.get(
-            reverse("finding-latest"),
-            {"filter[provider_id]": latest_scan_finding.scan.provider.id},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 1
-
-    def test_findings_latest_filter_by_provider_id_in_alias(
-        self, authenticated_client, latest_scan_finding
-    ):
-        """Test that provider_id__in filter alias works on latest findings endpoint."""
-        response = authenticated_client.get(
-            reverse("finding-latest"),
-            {"filter[provider_id__in]": str(latest_scan_finding.scan.provider.id)},
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert len(response.json()["data"]) == 1
-
    def test_findings_metadata_latest(self, authenticated_client, latest_scan_finding):
        response = authenticated_client.get(
            reverse("finding-metadata_latest"),
@@ -8009,97 +7881,6 @@ class TestOverviewViewSet:
        assert data[0]["attributes"]["failed_findings"] == 13
        assert data[0]["attributes"]["new_failed_findings"] == 5

-    def test_compliance_watchlist_no_filters_uses_tenant_summary(
-        self, authenticated_client, tenant_compliance_summary_fixture
-    ):
-        response = authenticated_client.get(reverse("overview-compliance-watchlist"))
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-
-        assert len(data) == 2
-
-        by_id = {item["id"]: item["attributes"] for item in data}
-        assert "aws_cis_2.0" in by_id
-        assert by_id["aws_cis_2.0"]["requirements_passed"] == 1
-        assert by_id["aws_cis_2.0"]["requirements_failed"] == 2
-        assert by_id["aws_cis_2.0"]["requirements_manual"] == 1
-        assert by_id["aws_cis_2.0"]["total_requirements"] == 4
-
-        assert "gdpr_aws" in by_id
-        assert by_id["gdpr_aws"]["requirements_passed"] == 5
-        assert by_id["gdpr_aws"]["requirements_failed"] == 0
-        assert by_id["gdpr_aws"]["total_requirements"] == 7
-
-    def test_compliance_watchlist_with_provider_filter_uses_provider_scores(
-        self,
-        authenticated_client,
-        provider_compliance_scores_fixture,
-        providers_fixture,
-    ):
-        provider1 = providers_fixture[0]
-        url = f"{reverse('overview-compliance-watchlist')}?filter[provider_id]={provider1.id}"
-        response = authenticated_client.get(url)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-
-        assert len(data) == 2
-        by_id = {item["id"]: item["attributes"] for item in data}
-
-        assert by_id["aws_cis_2.0"]["requirements_passed"] == 1
-        assert by_id["aws_cis_2.0"]["requirements_failed"] == 1
-        assert by_id["aws_cis_2.0"]["requirements_manual"] == 1
-        assert by_id["aws_cis_2.0"]["total_requirements"] == 3
-
-    def test_compliance_watchlist_fail_dominant_logic(
-        self, authenticated_client, provider_compliance_scores_fixture
-    ):
-        response = authenticated_client.get(
-            f"{reverse('overview-compliance-watchlist')}?filter[provider_type]=aws"
-        )
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-
-        by_id = {item["id"]: item["attributes"] for item in data}
-        aws_cis = by_id["aws_cis_2.0"]
-
-        assert aws_cis["requirements_failed"] == 2
-        assert aws_cis["requirements_passed"] == 0
-        assert aws_cis["requirements_manual"] == 1
-        assert aws_cis["total_requirements"] == 3
-
-    def test_compliance_watchlist_provider_id_in_filter(
-        self,
-        authenticated_client,
-        provider_compliance_scores_fixture,
-        providers_fixture,
-    ):
-        provider1, provider2, *_ = providers_fixture
-        url = (
-            f"{reverse('overview-compliance-watchlist')}"
-            f"?filter[provider_id__in]={provider1.id},{provider2.id}"
-        )
-        response = authenticated_client.get(url)
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert len(data) >= 1
-
-    def test_compliance_watchlist_empty_result(self, authenticated_client):
-        response = authenticated_client.get(reverse("overview-compliance-watchlist"))
-        assert response.status_code == status.HTTP_200_OK
-        data = response.json()["data"]
-        assert data == []
-
-    @pytest.mark.parametrize(
-        "invalid_provider_type",
-        ["invalid", "not_a_provider", "AWS", "awss"],
-    )
-    def test_compliance_watchlist_invalid_provider_type_filter(
-        self, authenticated_client, invalid_provider_type
-    ):
-        url = f"{reverse('overview-compliance-watchlist')}?filter[provider_type]={invalid_provider_type}"
-        response = authenticated_client.get(url)
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-

@pytest.mark.django_db
 class TestScheduleViewSet:
@@ -11,7 +11,6 @@ from api.exceptions import InvitationTokenExpiredException
 from api.models import Integration, Invitation, Processor, Provider, Resource
 from api.v1.serializers import FindingMetadataSerializer
 from prowler.lib.outputs.jira.jira import Jira, JiraBasicAuthError
-from prowler.providers.alibabacloud.alibabacloud_provider import AlibabacloudProvider
 from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
@@ -64,9 +63,8 @@ def merge_dicts(default_dict: dict, replacement_dict: dict) -> dict:

 def return_prowler_provider(
    provider: Provider,
-) -> (
-    AlibabacloudProvider
-    | AwsProvider
+) -> [
+    AwsProvider
    | AzureProvider
    | GcpProvider
    | GithubProvider
@@ -75,14 +73,14 @@ def return_prowler_provider(
    | M365Provider
    | MongodbatlasProvider
    | OraclecloudProvider
-):
+]:
    """Return the Prowler provider class based on the given provider type.

    Args:
        provider (Provider): The provider object containing the provider type and associated secrets.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OraclecloudProvider: The corresponding provider class.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | OraclecloudProvider | MongodbatlasProvider: The corresponding provider class.

    Raises:
        ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -106,8 +104,6 @@ def return_prowler_provider(
            prowler_provider = IacProvider
        case Provider.ProviderChoices.ORACLECLOUD.value:
            prowler_provider = OraclecloudProvider
-        case Provider.ProviderChoices.ALIBABACLOUD.value:
-            prowler_provider = AlibabacloudProvider
        case _:
            raise ValueError(f"Provider type {provider.provider} not supported")
    return prowler_provider
@@ -173,8 +169,7 @@ def initialize_prowler_provider(
    provider: Provider,
    mutelist_processor: Processor | None = None,
 ) -> (
-    AlibabacloudProvider
-    | AwsProvider
+    AwsProvider
    | AzureProvider
    | GcpProvider
    | GithubProvider
@@ -191,8 +186,9 @@ def initialize_prowler_provider(
        mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.

    Returns:
-        AlibabacloudProvider | AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OraclecloudProvider: An instance of the corresponding provider class
-            initialized with the provider's secrets.
+        AwsProvider | AzureProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | OraclecloudProvider | MongodbatlasProvider: An instance of the corresponding provider class
+            (`AwsProvider`, `AzureProvider`, `GcpProvider`, `GithubProvider`, `IacProvider`, `KubernetesProvider`, `M365Provider`, `OraclecloudProvider` or `MongodbatlasProvider`) initialized with the
+            provider's secrets.
    """
    prowler_provider = return_prowler_provider(provider)
    prowler_provider_kwargs = get_prowler_provider_kwargs(provider, mutelist_processor)
@@ -304,48 +304,6 @@ from rest_framework_json_api import serializers
                },
                "required": ["atlas_public_key", "atlas_private_key"],
            },
-            {
-                "type": "object",
-                "title": "Alibaba Cloud Static Credentials",
-                "properties": {
-                    "access_key_id": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key ID for authentication.",
-                    },
-                    "access_key_secret": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key secret for authentication.",
-                    },
-                    "security_token": {
-                        "type": "string",
-                        "description": "The STS security token for temporary credentials (optional).",
-                    },
-                },
-                "required": ["access_key_id", "access_key_secret"],
-            },
-            {
-                "type": "object",
-                "title": "Alibaba Cloud RAM Role Assumption",
-                "properties": {
-                    "role_arn": {
-                        "type": "string",
-                        "description": "The ARN of the RAM role to assume (e.g., acs:ram::1234567890123456:role/ProwlerRole).",
-                    },
-                    "access_key_id": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key ID of the RAM user that will assume the role.",
-                    },
-                    "access_key_secret": {
-                        "type": "string",
-                        "description": "The Alibaba Cloud access key secret of the RAM user that will assume the role.",
-                    },
-                    "role_session_name": {
-                        "type": "string",
-                        "description": "An identifier for the role session (optional, defaults to 'ProwlerSession').",
-                    },
-                },
-                "required": ["role_arn", "access_key_id", "access_key_secret"],
-            },
        ]
    }
 )
@@ -1390,23 +1390,12 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                serializer = OracleCloudProviderSecret(data=secret)
            elif provider_type == Provider.ProviderChoices.MONGODBATLAS.value:
                serializer = MongoDBAtlasProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.ALIBABACLOUD.value:
-                serializer = AlibabaCloudProviderSecret(data=secret)
            else:
                raise serializers.ValidationError(
                    {"provider": f"Provider type not supported {provider_type}"}
                )
        elif secret_type == ProviderSecret.TypeChoices.ROLE:
-            if provider_type == Provider.ProviderChoices.AWS.value:
-                serializer = AWSRoleAssumptionProviderSecret(data=secret)
-            elif provider_type == Provider.ProviderChoices.ALIBABACLOUD.value:
-                serializer = AlibabaCloudRoleAssumptionProviderSecret(data=secret)
-            else:
-                raise serializers.ValidationError(
-                    {
-                        "secret_type": f"Role assumption not supported for provider type: {provider_type}"
-                    }
-                )
+            serializer = AWSRoleAssumptionProviderSecret(data=secret)
        elif secret_type == ProviderSecret.TypeChoices.SERVICE_ACCOUNT:
            serializer = GCPServiceAccountProviderSecret(data=secret)
        else:
@@ -1543,34 +1532,6 @@ class OracleCloudProviderSecret(serializers.Serializer):
        resource_name = "provider-secrets"


-class AlibabaCloudProviderSecret(serializers.Serializer):
-    access_key_id = serializers.CharField()
-    access_key_secret = serializers.CharField()
-    security_token = serializers.CharField(required=False)
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
-class AlibabaCloudRoleAssumptionProviderSecret(serializers.Serializer):
-    role_arn = serializers.CharField(
-        help_text="Access Key ID of the RAM user that will assume the role"
-    )
-    access_key_id = serializers.CharField(
-        help_text="Access Key ID of the RAM user that will assume the role"
-    )
-    access_key_secret = serializers.CharField(
-        help_text="Access Key Secret of the RAM user that will assume the role"
-    )
-    role_session_name = serializers.CharField(
-        required=False,
-        help_text="Session name for the assumed role session (optional, defaults to 'ProwlerSession')",
-    )
-
-    class Meta:
-        resource_name = "provider-secrets"
-
-
 class AWSRoleAssumptionProviderSecret(serializers.Serializer):
    role_arn = serializers.CharField()
    external_id = serializers.CharField()
@@ -2303,20 +2264,6 @@ class CategoryOverviewSerializer(BaseSerializerV1):
        resource_name = "category-overviews"


-class ComplianceWatchlistOverviewSerializer(BaseSerializerV1):
-    """Serializer for compliance watchlist overview with FAIL-dominant aggregation."""
-
-    id = serializers.CharField(source="compliance_id")
-    compliance_id = serializers.CharField()
-    requirements_passed = serializers.IntegerField()
-    requirements_failed = serializers.IntegerField()
-    requirements_manual = serializers.IntegerField()
-    total_requirements = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "compliance-watchlist-overviews"
-
-
 class OverviewRegionSerializer(serializers.Serializer):
    id = serializers.SerializerMethodField()
    provider_type = serializers.CharField()
@@ -101,7 +101,6 @@ from api.filters import (
    AttackSurfaceOverviewFilter,
    CategoryOverviewFilter,
    ComplianceOverviewFilter,
-    ComplianceWatchlistFilter,
    CustomDjangoFilterBackend,
    DailySeveritySummaryFilter,
    FindingFilter,
@@ -145,7 +144,6 @@ from api.models import (
    MuteRule,
    Processor,
    Provider,
-    ProviderComplianceScore,
    ProviderGroup,
    ProviderGroupMembership,
    ProviderSecret,
@@ -165,7 +163,6 @@ from api.models import (
    StateChoices,
    Task,
    TenantAPIKey,
-    TenantComplianceSummary,
    ThreatScoreSnapshot,
    User,
    UserRoleRelationship,
@@ -188,7 +185,6 @@ from api.v1.serializers import (
    ComplianceOverviewDetailThreatscoreSerializer,
    ComplianceOverviewMetadataSerializer,
    ComplianceOverviewSerializer,
-    ComplianceWatchlistOverviewSerializer,
    FindingDynamicFilterSerializer,
    FindingMetadataSerializer,
    FindingSerializer,
@@ -363,7 +359,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = "1.18.0"
+        spectacular_settings.VERSION = "1.17.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -4146,8 +4142,6 @@ class OverviewViewSet(BaseRLSViewSet):
            return AttackSurfaceOverviewSerializer
        elif self.action == "categories":
            return CategoryOverviewSerializer
-        elif self.action == "compliance_watchlist":
-            return ComplianceWatchlistOverviewSerializer
        return super().get_serializer_class()

    def get_filterset_class(self):
@@ -4163,8 +4157,6 @@ class OverviewViewSet(BaseRLSViewSet):
            return CategoryOverviewFilter
        elif self.action == "attack_surface":
            return AttackSurfaceOverviewFilter
-        elif self.action == "compliance_watchlist":
-            return ComplianceWatchlistFilter
        return None

    def filter_queryset(self, queryset):
@@ -4248,8 +4240,6 @@ class OverviewViewSet(BaseRLSViewSet):
            self.request.query_params, exclude_keys=set(exclude_keys or [])
        )
        filterset = filterset_class(normalized_params, queryset=queryset)
-        if not filterset.is_valid():
-            raise ValidationError(filterset.errors)
        return filterset.qs

    def _latest_scan_ids_for_allowed_providers(self, tenant_id, provider_filters=None):
@@ -4266,10 +4256,9 @@ class OverviewViewSet(BaseRLSViewSet):
        )

    def _extract_provider_filters_from_params(self):
-        """Extract and validate provider filters from query params."""
+        """Extract provider filters from query params to apply on Scan queryset."""
        params = self.request.query_params
        filters = {}
-        valid_provider_types = {c[0] for c in Provider.ProviderChoices.choices}

        provider_id = params.get("filter[provider_id]")
        if provider_id:
@@ -4281,21 +4270,11 @@ class OverviewViewSet(BaseRLSViewSet):

        provider_type = params.get("filter[provider_type]")
        if provider_type:
-            if provider_type not in valid_provider_types:
-                raise ValidationError(
-                    {"provider_type": f"Invalid choice: {provider_type}"}
-                )
            filters["provider__provider"] = provider_type

        provider_type_in = params.get("filter[provider_type__in]")
        if provider_type_in:
-            types = provider_type_in.split(",")
-            invalid = [t for t in types if t not in valid_provider_types]
-            if invalid:
-                raise ValidationError(
-                    {"provider_type__in": f"Invalid choices: {', '.join(invalid)}"}
-                )
-            filters["provider__provider__in"] = types
+            filters["provider__provider__in"] = provider_type_in.split(",")

        return filters

@@ -5005,92 +4984,6 @@ class OverviewViewSet(BaseRLSViewSet):
            status=status.HTTP_200_OK,
        )

-    @action(
-        detail=False,
-        methods=["get"],
-        url_name="compliance-watchlist",
-        url_path="compliance-watchlist",
-    )
-    def compliance_watchlist(self, request):
-        """
-        Get compliance watchlist overview with FAIL-dominant aggregation.
-
-        Without filters: uses pre-aggregated TenantComplianceSummary (~70 rows).
-        With provider filters: queries ProviderComplianceScore with FAIL-dominant logic.
-        """
-        tenant_id = request.tenant_id
-        rbac_filter = self._get_provider_filter()
-        query_params = request.query_params
-
-        has_provider_filter = any(
-            key.startswith("filter[provider") for key in query_params.keys()
-        )
-        has_rbac_restriction = bool(rbac_filter)
-
-        if not has_provider_filter and not has_rbac_restriction:
-            response_data = list(
-                TenantComplianceSummary.objects.filter(tenant_id=tenant_id)
-                .values(
-                    "compliance_id",
-                    "requirements_passed",
-                    "requirements_failed",
-                    "requirements_manual",
-                    "total_requirements",
-                )
-                .order_by("compliance_id")
-            )
-        else:
-            base_queryset = ProviderComplianceScore.objects.filter(
-                tenant_id=tenant_id, **rbac_filter
-            )
-
-            filtered_queryset = self._apply_filterset(
-                base_queryset, ComplianceWatchlistFilter
-            )
-
-            aggregation = (
-                filtered_queryset.values("compliance_id", "requirement_id")
-                .annotate(
-                    has_fail=Sum(
-                        Case(When(requirement_status="FAIL", then=1), default=0)
-                    ),
-                    has_manual=Sum(
-                        Case(When(requirement_status="MANUAL", then=1), default=0)
-                    ),
-                )
-                .values("compliance_id", "requirement_id", "has_fail", "has_manual")
-            )
-
-            compliance_data = defaultdict(
-                lambda: {
-                    "requirements_passed": 0,
-                    "requirements_failed": 0,
-                    "requirements_manual": 0,
-                    "total_requirements": 0,
-                }
-            )
-
-            for row in aggregation:
-                cid = row["compliance_id"]
-                compliance_data[cid]["total_requirements"] += 1
-
-                if row["has_fail"] and row["has_fail"] > 0:
-                    compliance_data[cid]["requirements_failed"] += 1
-                elif row["has_manual"] and row["has_manual"] > 0:
-                    compliance_data[cid]["requirements_manual"] += 1
-                else:
-                    compliance_data[cid]["requirements_passed"] += 1
-
-            response_data = [
-                {"compliance_id": cid, **data}
-                for cid, data in sorted(compliance_data.items())
-            ]
-
-        return Response(
-            self.get_serializer(response_data, many=True).data,
-            status=status.HTTP_200_OK,
-        )
-

@extend_schema(tags=["Schedule"])
@extend_schema_view(
@@ -30,7 +30,6 @@ from api.models import (
    MuteRule,
    Processor,
    Provider,
-    ProviderComplianceScore,
    ProviderGroup,
    ProviderSecret,
    Resource,
@@ -46,7 +45,6 @@ from api.models import (
    StatusChoices,
    Task,
    TenantAPIKey,
-    TenantComplianceSummary,
    User,
    UserRoleRelationship,
 )
@@ -519,12 +517,6 @@ def providers_fixture(tenants_fixture):
        alias="mongodbatlas_testing",
        tenant_id=tenant.id,
    )
-    provider9 = Provider.objects.create(
-        provider="alibabacloud",
-        uid="1234567890123456",
-        alias="alibabacloud_testing",
-        tenant_id=tenant.id,
-    )

    return (
        provider1,
@@ -535,7 +527,6 @@ def providers_fixture(tenants_fixture):
        provider6,
        provider7,
        provider8,
-        provider9,
    )


@@ -1633,108 +1624,6 @@ def get_authorization_header(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}"}


-@pytest.fixture
-def provider_compliance_scores_fixture(
-    tenants_fixture, providers_fixture, scans_fixture
-):
-    """Create ProviderComplianceScore entries for compliance watchlist tests."""
-    tenant = tenants_fixture[0]
-    provider1, provider2, *_ = providers_fixture
-    scan1, _, scan3 = scans_fixture
-
-    scan1.completed_at = datetime.now(timezone.utc) - timedelta(hours=1)
-    scan1.save()
-    scan3.state = StateChoices.COMPLETED
-    scan3.completed_at = datetime.now(timezone.utc)
-    scan3.save()
-
-    scores = [
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan1.completed_at,
-        ),
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_2",
-            requirement_status=StatusChoices.FAIL,
-            scan_completed_at=scan1.completed_at,
-        ),
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_3",
-            requirement_status=StatusChoices.MANUAL,
-            scan_completed_at=scan1.completed_at,
-        ),
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider2,
-            scan=scan3,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.FAIL,
-            scan_completed_at=scan3.completed_at,
-        ),
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider2,
-            scan=scan3,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_2",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan3.completed_at,
-        ),
-        ProviderComplianceScore.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="gdpr_aws",
-            requirement_id="gdpr_req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan1.completed_at,
-        ),
-    ]
-
-    return scores
-
-
-@pytest.fixture
-def tenant_compliance_summary_fixture(tenants_fixture):
-    """Create TenantComplianceSummary entries for compliance watchlist tests."""
-    tenant = tenants_fixture[0]
-
-    summaries = [
-        TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=1,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=4,
-        ),
-        TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="gdpr_aws",
-            requirements_passed=5,
-            requirements_failed=0,
-            requirements_manual=2,
-            total_requirements=7,
-        ),
-    ]
-
-    return summaries
-
-
 def pytest_collection_modifyitems(items):
    """Ensure test_rbac.py is executed first."""
    items.sort(key=lambda item: 0 if "test_rbac.py" in item.nodeid else 1)
@@ -1,28 +1,17 @@
 from collections import defaultdict
 from datetime import timedelta

-from celery.utils.log import get_task_logger
 from django.db.models import Sum
 from django.utils import timezone
-from tasks.jobs.queries import (
-    COMPLIANCE_UPSERT_PROVIDER_SCORE_SQL,
-    COMPLIANCE_UPSERT_TENANT_SUMMARY_ALL_SQL,
-)
 from tasks.jobs.scan import aggregate_category_counts

-from api.db_router import READ_REPLICA_ALIAS, MainRouter
-from api.db_utils import (
-    POSTGRES_TENANT_VAR,
-    SET_CONFIG_QUERY,
-    psycopg_connection,
-    rls_transaction,
-)
+from api.db_router import READ_REPLICA_ALIAS
+from api.db_utils import rls_transaction
 from api.models import (
    ComplianceOverviewSummary,
    ComplianceRequirementOverview,
    DailySeveritySummary,
    Finding,
-    ProviderComplianceScore,
    Resource,
    ResourceFindingMapping,
    ResourceScanSummary,
@@ -32,8 +21,6 @@ from api.models import (
    StateChoices,
 )

-logger = get_task_logger(__name__)
-

 def backfill_resource_scan_summaries(tenant_id: str, scan_id: str):
    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
@@ -354,114 +341,3 @@ def backfill_scan_category_summaries(tenant_id: str, scan_id: str):
        )

    return {"status": "backfilled", "categories_count": len(category_counts)}
-
-
-def backfill_provider_compliance_scores(tenant_id: str) -> dict:
-    """
-    Backfill ProviderComplianceScore from latest completed scan per provider.
-
-    For each provider with completed scans, finds the most recent scan and
-    upserts compliance requirement statuses with FAIL-dominant aggregation.
-
-    Args:
-        tenant_id: Target tenant UUID
-
-    Returns:
-        dict: Statistics about the backfill operation
-    """
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        completed_scans = Scan.all_objects.filter(
-            tenant_id=tenant_id,
-            state=StateChoices.COMPLETED,
-            completed_at__isnull=False,
-        )
-        if not completed_scans.exists():
-            return {"status": "no completed scans"}
-
-        existing_providers = set(
-            ProviderComplianceScore.objects.filter(tenant_id=tenant_id)
-            .values_list("provider_id", flat=True)
-            .distinct()
-        )
-
-        if existing_providers:
-            completed_scans = completed_scans.exclude(
-                provider_id__in=existing_providers
-            )
-
-        scan_info = list(
-            completed_scans.order_by("provider_id", "-completed_at")
-            .distinct("provider_id")
-            .values("id", "provider_id", "completed_at")
-        )
-
-        if not scan_info:
-            return {"status": "no scans to process"}
-
-    total_upserted = 0
-    providers_processed = 0
-    providers_skipped = 0
-
-    for scan in scan_info:
-        provider_id = scan["provider_id"]
-
-        scan_id = scan["id"]
-
-        try:
-            with psycopg_connection(MainRouter.default_db) as connection:
-                connection.autocommit = False
-                try:
-                    with connection.cursor() as cursor:
-                        cursor.execute(
-                            SET_CONFIG_QUERY, [POSTGRES_TENANT_VAR, tenant_id]
-                        )
-                        cursor.execute(
-                            COMPLIANCE_UPSERT_PROVIDER_SCORE_SQL,
-                            [tenant_id, str(scan_id)],
-                        )
-                        upserted = cursor.rowcount
-                    connection.commit()
-                    total_upserted += upserted
-                    providers_processed += 1
-                except Exception:
-                    connection.rollback()
-                    raise
-        except Exception as e:
-            providers_skipped += 1
-            logger.exception(
-                "Error backfilling provider %s for tenant %s: %s",
-                provider_id,
-                tenant_id,
-                e,
-            )
-
-    # Recalculate tenant summary after all providers are backfilled
-    if providers_processed > 0:
-        with psycopg_connection(MainRouter.default_db) as connection:
-            connection.autocommit = False
-            try:
-                with connection.cursor() as cursor:
-                    cursor.execute(SET_CONFIG_QUERY, [POSTGRES_TENANT_VAR, tenant_id])
-                    # Advisory lock to prevent race conditions
-                    cursor.execute(
-                        "SELECT pg_advisory_xact_lock(hashtext(%s))", [tenant_id]
-                    )
-                    cursor.execute(
-                        COMPLIANCE_UPSERT_TENANT_SUMMARY_ALL_SQL,
-                        [tenant_id, tenant_id],
-                    )
-                    tenant_summary_count = cursor.rowcount
-                connection.commit()
-            except Exception:
-                connection.rollback()
-                raise
-    else:
-        tenant_summary_count = 0
-
-    return {
-        "status": "backfilled",
-        "providers_processed": providers_processed,
-        "providers_skipped": providers_skipped,
-        "total_upserted": total_upserted,
-        "tenant_summary_count": tenant_summary_count,
-    }
@@ -27,7 +27,6 @@ from prowler.lib.outputs.compliance.c5.c5_gcp import GCPC5
 from prowler.lib.outputs.compliance.ccc.ccc_aws import CCC_AWS
 from prowler.lib.outputs.compliance.ccc.ccc_azure import CCC_Azure
 from prowler.lib.outputs.compliance.ccc.ccc_gcp import CCC_GCP
-from prowler.lib.outputs.compliance.cis.cis_alibabacloud import AlibabaCloudCIS
 from prowler.lib.outputs.compliance.cis.cis_aws import AWSCIS
 from prowler.lib.outputs.compliance.cis.cis_azure import AzureCIS
 from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
@@ -51,9 +50,6 @@ from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_azure import (
    AzureMitreAttack,
 )
 from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_gcp import GCPMitreAttack
-from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_alibaba import (
-    ProwlerThreatScoreAlibaba,
-)
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_aws import (
    ProwlerThreatScoreAWS,
 )
@@ -132,13 +128,6 @@ COMPLIANCE_CLASS_MAP = {
    "oraclecloud": [
        (lambda name: name.startswith("cis_"), OracleCloudCIS),
    ],
-    "alibabacloud": [
-        (lambda name: name.startswith("cis_"), AlibabaCloudCIS),
-        (
-            lambda name: name == "prowler_threatscore_alibabacloud",
-            ProwlerThreatScoreAlibaba,
-        ),
-    ],
 }


@@ -19,9 +19,6 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
 from prowler.providers.common.models import Connection
-from prowler.providers.aws.lib.security_hub.exceptions.exceptions import (
-    SecurityHubNoEnabledRegionsError,
-)

 logger = get_task_logger(__name__)

@@ -225,9 +222,8 @@ def get_security_hub_client_from_integration(
        )
        return True, security_hub
    else:
-        # Reset regions information if connection fails and integration is not connected
+        # Reset regions information if connection fails
        with rls_transaction(tenant_id, using=MainRouter.default_db):
-            integration.connected = False
            integration.configuration["regions"] = {}
            integration.save()

@@ -334,18 +330,15 @@ def upload_security_hub_integration(
                                )

                                if not connected:
-                                    if isinstance(
-                                        security_hub.error,
-                                        SecurityHubNoEnabledRegionsError,
+                                    logger.error(
+                                        f"Security Hub connection failed for integration {integration.id}: "
+                                        f"{security_hub.error}"
+                                    )
+                                    with rls_transaction(
+                                        tenant_id, using=MainRouter.default_db
                                    ):
-                                        logger.warning(
-                                            f"Security Hub integration {integration.id} has no enabled regions"
-                                        )
-                                    else:
-                                        logger.error(
-                                            f"Security Hub connection failed for integration {integration.id}: "
-                                            f"{security_hub.error}"
-                                        )
+                                        integration.connected = False
+                                        integration.save()
                                    break  # Skip this integration

                                security_hub_client = security_hub
@@ -416,16 +409,22 @@ def upload_security_hub_integration(
                            logger.warning(
                                f"Failed to archive previous findings: {str(archive_error)}"
                            )
+
            except Exception as e:
                logger.error(
                    f"Security Hub integration {integration.id} failed: {str(e)}"
                )
+                continue

        result = integration_executions == len(integrations)
        if result:
            logger.info(
                f"All Security Hub integrations completed successfully for provider {provider_id}"
            )
+        else:
+            logger.error(
+                f"Some Security Hub integrations failed for provider {provider_id}"
+            )

        return result

@@ -1,134 +0,0 @@
-"""
-Shared SQL queries for tasks.
-
-This module centralizes raw SQL queries used across multiple task modules
-to ensure consistency and maintainability.
-"""
-
-# =============================================================================
-# COMPLIANCE SCORE QUERIES
-# =============================================================================
-
-# Upsert provider compliance scores from a scan's compliance requirements.
-# Uses FAIL-dominant aggregation: FAIL > MANUAL > PASS
-# Parameters: [tenant_id, scan_id]
-COMPLIANCE_UPSERT_PROVIDER_SCORE_SQL = """
-    INSERT INTO provider_compliance_scores
-        (id, tenant_id, provider_id, scan_id, compliance_id, requirement_id,
-         requirement_status, scan_completed_at)
-    SELECT
-        gen_random_uuid(),
-        agg.tenant_id,
-        agg.provider_id,
-        agg.scan_id,
-        agg.compliance_id,
-        agg.requirement_id,
-        agg.requirement_status,
-        agg.completed_at
-    FROM (
-        SELECT DISTINCT ON (cro.compliance_id, cro.requirement_id)
-            cro.tenant_id,
-            s.provider_id,
-            cro.scan_id,
-            cro.compliance_id,
-            cro.requirement_id,
-            (CASE
-                WHEN bool_or(cro.requirement_status = 'FAIL')
-                    OVER (PARTITION BY cro.compliance_id, cro.requirement_id) THEN 'FAIL'
-                WHEN bool_or(cro.requirement_status = 'MANUAL')
-                    OVER (PARTITION BY cro.compliance_id, cro.requirement_id) THEN 'MANUAL'
-                ELSE 'PASS'
-            END)::status as requirement_status,
-            s.completed_at
-        FROM compliance_requirements_overviews cro
-        JOIN scans s ON s.id = cro.scan_id
-        WHERE cro.tenant_id = %s AND cro.scan_id = %s
-        ORDER BY cro.compliance_id, cro.requirement_id
-    ) agg
-    ON CONFLICT (tenant_id, provider_id, compliance_id, requirement_id)
-    DO UPDATE SET
-        requirement_status = EXCLUDED.requirement_status,
-        scan_id = EXCLUDED.scan_id,
-        scan_completed_at = EXCLUDED.scan_completed_at
-    WHERE EXCLUDED.scan_completed_at > provider_compliance_scores.scan_completed_at
-"""
-
-# Upsert tenant compliance summary for specific compliance IDs.
-# Aggregates across all providers with FAIL-dominant logic at requirement level.
-# Parameters: [tenant_id, tenant_id, compliance_ids_array]
-COMPLIANCE_UPSERT_TENANT_SUMMARY_SQL = """
-    INSERT INTO tenant_compliance_summaries
-        (id, tenant_id, compliance_id,
-         requirements_passed, requirements_failed, requirements_manual,
-         total_requirements, updated_at)
-    SELECT
-        gen_random_uuid(),
-        %s as tenant_id,
-        compliance_id,
-        COUNT(*) FILTER (WHERE req_status = 'PASS') as requirements_passed,
-        COUNT(*) FILTER (WHERE req_status = 'FAIL') as requirements_failed,
-        COUNT(*) FILTER (WHERE req_status = 'MANUAL') as requirements_manual,
-        COUNT(*) as total_requirements,
-        NOW() as updated_at
-    FROM (
-        SELECT
-            compliance_id,
-            requirement_id,
-            CASE
-                WHEN bool_or(requirement_status = 'FAIL') THEN 'FAIL'
-                WHEN bool_or(requirement_status = 'MANUAL') THEN 'MANUAL'
-                ELSE 'PASS'
-            END as req_status
-        FROM provider_compliance_scores
-        WHERE tenant_id = %s AND compliance_id = ANY(%s)
-        GROUP BY compliance_id, requirement_id
-    ) req_agg
-    GROUP BY compliance_id
-    ON CONFLICT (tenant_id, compliance_id)
-    DO UPDATE SET
-        requirements_passed = EXCLUDED.requirements_passed,
-        requirements_failed = EXCLUDED.requirements_failed,
-        requirements_manual = EXCLUDED.requirements_manual,
-        total_requirements = EXCLUDED.total_requirements,
-        updated_at = NOW()
-"""
-
-# Upsert tenant compliance summary for ALL compliance IDs in tenant.
-# Used by backfill when recalculating entire tenant summary.
-# Parameters: [tenant_id, tenant_id]
-COMPLIANCE_UPSERT_TENANT_SUMMARY_ALL_SQL = """
-    INSERT INTO tenant_compliance_summaries
-        (id, tenant_id, compliance_id,
-         requirements_passed, requirements_failed, requirements_manual,
-         total_requirements, updated_at)
-    SELECT
-        gen_random_uuid(),
-        %s as tenant_id,
-        compliance_id,
-        COUNT(*) FILTER (WHERE req_status = 'PASS') as requirements_passed,
-        COUNT(*) FILTER (WHERE req_status = 'FAIL') as requirements_failed,
-        COUNT(*) FILTER (WHERE req_status = 'MANUAL') as requirements_manual,
-        COUNT(*) as total_requirements,
-        NOW() as updated_at
-    FROM (
-        SELECT
-            compliance_id,
-            requirement_id,
-            CASE
-                WHEN bool_or(requirement_status = 'FAIL') THEN 'FAIL'
-                WHEN bool_or(requirement_status = 'MANUAL') THEN 'MANUAL'
-                ELSE 'PASS'
-            END as req_status
-        FROM provider_compliance_scores
-        WHERE tenant_id = %s
-        GROUP BY compliance_id, requirement_id
-    ) req_agg
-    GROUP BY compliance_id
-    ON CONFLICT (tenant_id, compliance_id)
-    DO UPDATE SET
-        requirements_passed = EXCLUDED.requirements_passed,
-        requirements_failed = EXCLUDED.requirements_failed,
-        requirements_manual = EXCLUDED.requirements_manual,
-        total_requirements = EXCLUDED.total_requirements,
-        updated_at = NOW()
-"""
@@ -243,28 +243,15 @@ def _safe_getattr(obj, attr: str, default: str = "N/A") -> str:


 def _create_info_table_style() -> TableStyle:
-    """Create a reusable table style for information/metadata tables.
-
-    ReportLab TableStyle coordinate system:
-        - Format: (COMMAND, (start_col, start_row), (end_col, end_row), value)
-        - Coordinates use (column, row) format, starting at (0, 0) for top-left cell
-        - Negative indices work like Python slicing: -1 means "last row/column"
-        - (0, 0) to (0, -1) = entire first column (all rows)
-        - (0, 0) to (-1, 0) = entire first row (all columns)
-        - (0, 0) to (-1, -1) = entire table
-        - Styles are applied in order; later rules override earlier ones
-    """
+    """Create a reusable table style for information/metadata tables."""
    return TableStyle(
        [
-            # Column 0 (labels): blue background with white text
            ("BACKGROUND", (0, 0), (0, -1), COLOR_BLUE),
            ("TEXTCOLOR", (0, 0), (0, -1), COLOR_WHITE),
            ("FONTNAME", (0, 0), (0, -1), "FiraCode"),
-            # Column 1 (values): light blue background with gray text
            ("BACKGROUND", (1, 0), (1, -1), COLOR_BG_BLUE),
            ("TEXTCOLOR", (1, 0), (1, -1), COLOR_GRAY),
            ("FONTNAME", (1, 0), (1, -1), "PlusJakartaSans"),
-            # Apply to entire table
            ("ALIGN", (0, 0), (-1, -1), "LEFT"),
            ("VALIGN", (0, 0), (-1, -1), "TOP"),
            ("FONTSIZE", (0, 0), (-1, -1), 11),
@@ -278,30 +265,19 @@ def _create_info_table_style() -> TableStyle:


 def _create_header_table_style(header_color: colors.Color = None) -> TableStyle:
-    """Create a reusable table style for tables with headers.
-
-    ReportLab TableStyle coordinate system:
-        - Format: (COMMAND, (start_col, start_row), (end_col, end_row), value)
-        - (0, 0) to (-1, 0) = entire first row (header row)
-        - (1, 1) to (-1, -1) = all data cells (excludes header row and first column)
-        - See _create_info_table_style() for full coordinate system documentation
-    """
+    """Create a reusable table style for tables with headers."""
    if header_color is None:
        header_color = COLOR_BLUE

    return TableStyle(
        [
-            # Header row (row 0): colored background with white text
            ("BACKGROUND", (0, 0), (-1, 0), header_color),
            ("TEXTCOLOR", (0, 0), (-1, 0), COLOR_WHITE),
            ("FONTNAME", (0, 0), (-1, 0), "FiraCode"),
            ("FONTSIZE", (0, 0), (-1, 0), 10),
-            # Apply to entire table
            ("ALIGN", (0, 0), (-1, -1), "CENTER"),
            ("VALIGN", (0, 0), (-1, -1), "MIDDLE"),
-            # Data cells (excluding header): smaller font
            ("FONTSIZE", (1, 1), (-1, -1), 9),
-            # Apply to entire table
            ("GRID", (0, 0), (-1, -1), 1, COLOR_GRID_GRAY),
            ("LEFTPADDING", (0, 0), (-1, -1), PADDING_MEDIUM),
            ("RIGHTPADDING", (0, 0), (-1, -1), PADDING_MEDIUM),
@@ -312,30 +288,18 @@ def _create_header_table_style(header_color: colors.Color = None) -> TableStyle:


 def _create_findings_table_style() -> TableStyle:
-    """Create a reusable table style for findings tables.
-
-    ReportLab TableStyle coordinate system:
-        - Format: (COMMAND, (start_col, start_row), (end_col, end_row), value)
-        - (0, 0) to (-1, 0) = entire first row (header row)
-        - (0, 0) to (0, 0) = only the top-left cell
-        - See _create_info_table_style() for full coordinate system documentation
-    """
+    """Create a reusable table style for findings tables."""
    return TableStyle(
        [
-            # Header row (row 0): colored background with white text
            ("BACKGROUND", (0, 0), (-1, 0), COLOR_BLUE),
            ("TEXTCOLOR", (0, 0), (-1, 0), COLOR_WHITE),
            ("FONTNAME", (0, 0), (-1, 0), "FiraCode"),
-            # Only top-left cell centered (for index/number column)
            ("ALIGN", (0, 0), (0, 0), "CENTER"),
-            # Apply to entire table
            ("VALIGN", (0, 0), (-1, -1), "MIDDLE"),
            ("FONTSIZE", (0, 0), (-1, -1), 9),
            ("GRID", (0, 0), (-1, -1), 0.1, COLOR_BORDER_GRAY),
-            # Remove padding only from top-left cell
            ("LEFTPADDING", (0, 0), (0, 0), 0),
            ("RIGHTPADDING", (0, 0), (0, 0), 0),
-            # Apply to entire table
            ("TOPPADDING", (0, 0), (-1, -1), PADDING_SMALL),
            ("BOTTOMPADDING", (0, 0), (-1, -1), PADDING_SMALL),
        ]
@@ -1139,15 +1103,11 @@ def generate_threatscore_report(
        elements.append(Spacer(1, 0.5 * inch))

        # Add compliance information table
-        provider_alias = provider_obj.alias or "N/A"
        info_data = [
            ["Framework:", compliance_framework],
            ["ID:", compliance_id],
            ["Name:", Paragraph(compliance_name, normal_center)],
            ["Version:", compliance_version],
-            ["Provider:", provider_type.upper()],
-            ["Account ID:", provider_obj.uid],
-            ["Alias:", provider_alias],
            ["Scan ID:", scan_id],
            ["Description:", Paragraph(compliance_description, normal_center)],
        ]
@@ -2099,15 +2059,12 @@ def generate_ens_report(
        elements.append(Spacer(1, 0.5 * inch))

        # Add compliance information table
-        provider_alias = provider_obj.alias or "N/A"
        info_data = [
            ["Framework:", compliance_framework],
            ["ID:", compliance_id],
            ["Nombre:", Paragraph(compliance_name, normal_center)],
            ["Versión:", compliance_version],
            ["Proveedor:", provider_type.upper()],
-            ["Account ID:", provider_obj.uid],
-            ["Alias:", provider_alias],
            ["Scan ID:", scan_id],
            ["Descripción:", Paragraph(compliance_description, normal_center)],
        ]
@@ -2115,12 +2072,12 @@ def generate_ens_report(
        info_table.setStyle(
            TableStyle(
                [
-                    ("BACKGROUND", (0, 0), (0, -1), colors.Color(0.2, 0.4, 0.6)),
-                    ("TEXTCOLOR", (0, 0), (0, -1), colors.white),
-                    ("FONTNAME", (0, 0), (0, -1), "FiraCode"),
-                    ("BACKGROUND", (1, 0), (1, -1), colors.Color(0.95, 0.97, 1.0)),
-                    ("TEXTCOLOR", (1, 0), (1, -1), colors.Color(0.2, 0.2, 0.2)),
-                    ("FONTNAME", (1, 0), (1, -1), "PlusJakartaSans"),
+                    ("BACKGROUND", (0, 0), (0, 6), colors.Color(0.2, 0.4, 0.6)),
+                    ("TEXTCOLOR", (0, 0), (0, 6), colors.white),
+                    ("FONTNAME", (0, 0), (0, 6), "FiraCode"),
+                    ("BACKGROUND", (1, 0), (1, 6), colors.Color(0.95, 0.97, 1.0)),
+                    ("TEXTCOLOR", (1, 0), (1, 6), colors.Color(0.2, 0.2, 0.2)),
+                    ("FONTNAME", (1, 0), (1, 6), "PlusJakartaSans"),
                    ("ALIGN", (0, 0), (-1, -1), "LEFT"),
                    ("VALIGN", (0, 0), (-1, -1), "TOP"),
                    ("FONTSIZE", (0, 0), (-1, -1), 11),
@@ -3040,14 +2997,11 @@ def generate_nis2_report(
        elements.append(Spacer(1, 0.3 * inch))

        # Compliance metadata table
-        provider_alias = provider_obj.alias or "N/A"
        metadata_data = [
            ["Framework:", compliance_framework],
            ["Name:", Paragraph(compliance_name, normal_center)],
            ["Version:", compliance_version or "N/A"],
            ["Provider:", provider_type.upper()],
-            ["Account ID:", provider_obj.uid],
-            ["Alias:", provider_alias],
            ["Scan ID:", scan_id],
            ["Description:", Paragraph(compliance_description, normal_center)],
        ]
@@ -3531,7 +3485,6 @@ def generate_compliance_reports(
        "gcp",
        "m365",
        "kubernetes",
-        "alibabacloud",
    ]:
        logger.info(
            f"Provider {provider_id} ({provider_type}) is not supported for ThreatScore report"
@@ -14,10 +14,6 @@ from config.env import env
 from config.settings.celery import CELERY_DEADLOCK_ATTEMPTS
 from django.db import IntegrityError, OperationalError
 from django.db.models import Case, Count, IntegerField, Prefetch, Q, Sum, When
-from tasks.jobs.queries import (
-    COMPLIANCE_UPSERT_PROVIDER_SCORE_SQL,
-    COMPLIANCE_UPSERT_TENANT_SUMMARY_SQL,
-)
 from tasks.utils import CustomEncoder

 from api.compliance import PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE
@@ -1493,140 +1489,3 @@ def aggregate_daily_severity(tenant_id: str, scan_id: str):
        "date": str(scan_date),
        "severity_data": severity_data,
    }
-
-
-def update_provider_compliance_scores(tenant_id: str, scan_id: str):
-    """
-    Update ProviderComplianceScore with requirement statuses from a completed scan.
-
-    Uses atomic SQL upsert with ON CONFLICT for concurrency safety. Only updates
-    if the new scan is more recent than existing data. Also cleans up stale
-    requirements that no longer exist in the new scan.
-
-    Reads from primary DB (not replica) to avoid replication lag issues since
-    this runs immediately after create_compliance_requirements_task.
-
-    Args:
-        tenant_id: Tenant that owns the scan.
-        scan_id: Scan UUID whose compliance data should be materialized.
-
-    Returns:
-        dict: Statistics about the upsert operation.
-    """
-    with rls_transaction(tenant_id):
-        scan = (
-            Scan.all_objects.filter(
-                tenant_id=tenant_id,
-                id=scan_id,
-                state=StateChoices.COMPLETED,
-            )
-            .select_related("provider")
-            .first()
-        )
-
-        if not scan:
-            logger.warning(
-                f"Scan {scan_id} not found or not completed for compliance score update"
-            )
-            return {"status": "skipped", "reason": "scan not completed"}
-
-        if not scan.completed_at:
-            logger.warning(f"Scan {scan_id} has no completed_at timestamp")
-            return {"status": "skipped", "reason": "no completed_at"}
-
-        provider_id = str(scan.provider_id)
-        scan_completed_at = scan.completed_at
-
-    delete_stale_sql = """
-        DELETE FROM provider_compliance_scores pcs
-        WHERE pcs.tenant_id = %s
-          AND pcs.provider_id = %s
-          AND pcs.scan_completed_at < %s
-          AND NOT EXISTS (
-              SELECT 1 FROM compliance_requirements_overviews cro
-              WHERE cro.tenant_id = pcs.tenant_id
-                AND cro.scan_id = %s
-                AND cro.compliance_id = pcs.compliance_id
-                AND cro.requirement_id = pcs.requirement_id
-          )
-        RETURNING compliance_id
-    """
-
-    compliance_ids_sql = """
-        SELECT DISTINCT compliance_id
-        FROM compliance_requirements_overviews
-        WHERE tenant_id = %s AND scan_id = %s
-    """
-
-    try:
-        with psycopg_connection(MainRouter.default_db) as connection:
-            connection.autocommit = False
-            try:
-                with connection.cursor() as cursor:
-                    cursor.execute(SET_CONFIG_QUERY, [POSTGRES_TENANT_VAR, tenant_id])
-
-                    # Update requirement-level scores per provider
-                    cursor.execute(
-                        COMPLIANCE_UPSERT_PROVIDER_SCORE_SQL, [tenant_id, scan_id]
-                    )
-                    upserted_count = cursor.rowcount
-
-                    cursor.execute(compliance_ids_sql, [tenant_id, scan_id])
-                    scan_rows = cursor.fetchall()
-                    if not isinstance(scan_rows, (list, tuple)):
-                        scan_rows = []
-                    scan_compliance_ids = {row[0] for row in scan_rows}
-
-                    cursor.execute(
-                        delete_stale_sql,
-                        [tenant_id, provider_id, scan_completed_at, scan_id],
-                    )
-                    deleted_rows = cursor.fetchall()
-                    if not isinstance(deleted_rows, (list, tuple)):
-                        deleted_rows = []
-                    deleted_ids = {row[0] for row in deleted_rows}
-                    stale_deleted = len(deleted_ids)
-
-                    impacted_compliance_ids = sorted(scan_compliance_ids | deleted_ids)
-
-                    if impacted_compliance_ids:
-                        # Advisory lock on tenant to prevent race conditions when
-                        # multiple scans complete simultaneously for the same tenant
-                        cursor.execute(
-                            "SELECT pg_advisory_xact_lock(hashtext(%s))", [tenant_id]
-                        )
-
-                        # Recalculate tenant-level summary (FAIL-dominant across all providers)
-                        cursor.execute(
-                            COMPLIANCE_UPSERT_TENANT_SUMMARY_SQL,
-                            [tenant_id, tenant_id, impacted_compliance_ids],
-                        )
-                        tenant_summary_count = cursor.rowcount
-                    else:
-                        tenant_summary_count = 0
-
-                connection.commit()
-            except Exception:
-                connection.rollback()
-                raise
-
-        logger.info(
-            f"Provider compliance scores updated for scan {scan_id}: "
-            f"{upserted_count} upserted, {stale_deleted} stale deleted, "
-            f"{tenant_summary_count} tenant summaries upserted"
-        )
-
-        return {
-            "status": "completed",
-            "scan_id": str(scan_id),
-            "provider_id": provider_id,
-            "upserted": upserted_count,
-            "stale_deleted": stale_deleted,
-            "tenant_summary_count": tenant_summary_count,
-        }
-
-    except Exception as e:
-        logger.error(
-            f"Error updating provider compliance scores for scan {scan_id}: {e}"
-        )
-        raise
@@ -11,7 +11,6 @@ from django_celery_beat.models import PeriodicTask
 from tasks.jobs.backfill import (
    backfill_compliance_summaries,
    backfill_daily_severity_summaries,
-    backfill_provider_compliance_scores,
    backfill_resource_scan_summaries,
    backfill_scan_category_summaries,
 )
@@ -45,7 +44,6 @@ from tasks.jobs.scan import (
    aggregate_findings,
    create_compliance_requirements,
    perform_prowler_scan,
-    update_provider_compliance_scores,
 )
 from tasks.utils import batched, get_next_execution_datetime

@@ -63,58 +61,6 @@ from prowler.lib.outputs.finding import Finding as FindingOutput
 logger = get_task_logger(__name__)


-def _cleanup_orphan_scheduled_scans(
-    tenant_id: str,
-    provider_id: str,
-    scheduler_task_id: int,
-) -> int:
-    """
-    TEMPORARY WORKAROUND: Clean up orphan AVAILABLE scans.
-
-    Detects and removes AVAILABLE scans that were never used due to an
-    issue during the first scheduled scan setup.
-
-    An AVAILABLE scan is considered orphan if there's also a SCHEDULED scan for
-    the same provider with the same scheduler_task_id. This situation indicates
-    that the first scan execution didn't find the AVAILABLE scan (because it
-    wasn't committed yet, probably) and created a new one, leaving the AVAILABLE orphaned.
-
-    Args:
-        tenant_id: The tenant ID.
-        provider_id: The provider ID.
-        scheduler_task_id: The PeriodicTask ID that triggers these scans.
-
-    Returns:
-        Number of orphan scans deleted (0 if none found).
-    """
-    orphan_available_scans = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.AVAILABLE,
-        scheduler_task_id=scheduler_task_id,
-    )
-
-    scheduled_scan_exists = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.SCHEDULED,
-        scheduler_task_id=scheduler_task_id,
-    ).exists()
-
-    if scheduled_scan_exists and orphan_available_scans.exists():
-        orphan_count = orphan_available_scans.count()
-        logger.warning(
-            f"[WORKAROUND] Found {orphan_count} orphan AVAILABLE scan(s) for "
-            f"provider {provider_id} alongside a SCHEDULED scan. Cleaning up orphans..."
-        )
-        orphan_available_scans.delete()
-        return orphan_count
-
-    return 0
-
-
 def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str):
    """
    Helper function to perform tasks after a scan is completed.
@@ -124,10 +70,9 @@ def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str)
        scan_id (str): The ID of the scan that was performed.
        provider_id (str): The primary key of the Provider instance that was scanned.
    """
-    chain(
-        create_compliance_requirements_task.si(tenant_id=tenant_id, scan_id=scan_id),
-        update_provider_compliance_scores_task.si(tenant_id=tenant_id, scan_id=scan_id),
-    ).apply_async()
+    create_compliance_requirements_task.apply_async(
+        kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
+    )
    aggregate_attack_surface_task.apply_async(
        kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
    )
@@ -302,14 +247,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
            return serializer.data

        next_scan_datetime = get_next_execution_datetime(task_id, provider_id)
-
-        # TEMPORARY WORKAROUND: Clean up orphan scans from transaction isolation issue
-        _cleanup_orphan_scheduled_scans(
-            tenant_id=tenant_id,
-            provider_id=provider_id,
-            scheduler_task_id=periodic_task_instance.id,
-        )
-
        scan_instance, _ = Scan.objects.get_or_create(
            tenant_id=tenant_id,
            provider_id=provider_id,
@@ -613,20 +550,6 @@ def backfill_scan_category_summaries_task(tenant_id: str, scan_id: str):
    return backfill_scan_category_summaries(tenant_id=tenant_id, scan_id=scan_id)


-@shared_task(name="backfill-provider-compliance-scores", queue="backfill")
-def backfill_provider_compliance_scores_task(tenant_id: str):
-    """
-    Backfill ProviderComplianceScore from latest completed scan per provider.
-
-    Used to populate the compliance watchlist materialized table for tenants
-    that had scans before the feature was deployed.
-
-    Args:
-        tenant_id: Target tenant UUID.
-    """
-    return backfill_provider_compliance_scores(tenant_id=tenant_id)
-
-
@shared_task(base=RLSTask, name="scan-compliance-overviews", queue="compliance")
@handle_provider_deletion
 def create_compliance_requirements_task(tenant_id: str, scan_id: str):
@@ -660,21 +583,6 @@ def aggregate_attack_surface_task(tenant_id: str, scan_id: str):
    return aggregate_attack_surface(tenant_id=tenant_id, scan_id=scan_id)


-@shared_task(name="scan-provider-compliance-scores", queue="compliance")
-def update_provider_compliance_scores_task(tenant_id: str, scan_id: str):
-    """
-    Update provider compliance scores from a completed scan.
-
-    This task materializes compliance requirement statuses into ProviderComplianceScore
-    for efficient watchlist queries. Uses atomic upsert with concurrency protection.
-
-    Args:
-        tenant_id (str): The tenant ID for which to update scores.
-        scan_id (str): The ID of the scan whose data should be materialized.
-    """
-    return update_provider_compliance_scores(tenant_id=tenant_id, scan_id=scan_id)
-
-
@shared_task(name="scan-daily-severity", queue="overview")
@handle_provider_deletion
 def aggregate_daily_severity_task(tenant_id: str, scan_id: str):
@@ -1,11 +1,8 @@
-from datetime import datetime, timezone
-from unittest.mock import MagicMock, patch
 from uuid import uuid4

 import pytest
 from tasks.jobs.backfill import (
    backfill_compliance_summaries,
-    backfill_provider_compliance_scores,
    backfill_resource_scan_summaries,
    backfill_scan_category_summaries,
 )
@@ -263,62 +260,3 @@ class TestBackfillScanCategorySummaries:
            assert summary.total_findings == 1
            assert summary.failed_findings == 1
            assert summary.new_failed_findings == 1
-
-
-@pytest.mark.django_db
-class TestBackfillProviderComplianceScores:
-    def test_no_completed_scans(self, tenants_fixture):
-        tenant = tenants_fixture[2]
-        result = backfill_provider_compliance_scores(str(tenant.id))
-        assert result == {"status": "no completed scans"}
-
-    def test_no_scans_to_process(self, tenants_fixture, scans_fixture):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        scan.completed_at = None
-        scan.save()
-
-        result = backfill_provider_compliance_scores(str(tenant.id))
-        assert result == {"status": "no completed scans"}
-
-    @patch("tasks.jobs.backfill.psycopg_connection")
-    def test_successful_backfill_executes_sql_queries(
-        self,
-        mock_psycopg_connection,
-        tenants_fixture,
-        scans_fixture,
-        settings,
-    ):
-        """Test successful backfill executes SQL queries and returns correct stats."""
-        settings.DATABASES.setdefault("admin", settings.DATABASES["default"])
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Set completed_at to make the scan eligible for backfill
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        connection = MagicMock()
-        cursor = MagicMock()
-        cursor_context = MagicMock()
-        cursor_context.__enter__.return_value = cursor
-        cursor_context.__exit__.return_value = False
-        connection.cursor.return_value = cursor_context
-        connection.__enter__.return_value = connection
-        connection.__exit__.return_value = False
-        connection.autocommit = True
-
-        context_manager = MagicMock()
-        context_manager.__enter__.return_value = connection
-        context_manager.__exit__.return_value = False
-        mock_psycopg_connection.return_value = context_manager
-
-        cursor.rowcount = 5
-
-        result = backfill_provider_compliance_scores(str(tenant.id))
-
-        assert result["status"] == "backfilled"
-        assert result["providers_processed"] == 1
-        assert result["providers_skipped"] == 0
-        assert result["total_upserted"] == 5
-        assert result["tenant_summary_count"] == 5
@@ -1199,6 +1199,9 @@ class TestSecurityHubIntegrationUploads:
                    )

        assert result is False
+        # Integration should be marked as disconnected
+        integration.save.assert_called_once()
+        assert integration.connected is False

    @patch("tasks.jobs.integrations.ASFF")
    @patch("tasks.jobs.integrations.FindingOutput")
@@ -24,7 +24,6 @@ from tasks.jobs.scan import (
    aggregate_findings,
    create_compliance_requirements,
    perform_prowler_scan,
-    update_provider_compliance_scores,
 )
 from tasks.utils import CustomEncoder

@@ -4023,123 +4022,3 @@ class TestAggregateCategoryCounts:
        assert len(cache) == 3
        for cat in ["security", "compliance", "data-protection"]:
            assert cache[(cat, "low")] == {"total": 1, "failed": 1, "new_failed": 1}
-
-
-@pytest.mark.django_db
-class TestUpdateProviderComplianceScores:
-    @patch("tasks.jobs.scan.psycopg_connection")
-    def test_update_provider_compliance_scores_basic(
-        self,
-        mock_psycopg_connection,
-        tenants_fixture,
-        scans_fixture,
-        settings,
-    ):
-        settings.DATABASES.setdefault("admin", settings.DATABASES["default"])
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        tenant_id = str(tenant.id)
-        scan_id = str(scan.id)
-
-        scan.state = StateChoices.COMPLETED
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        connection = MagicMock()
-        cursor = MagicMock()
-        cursor_context = MagicMock()
-        cursor_context.__enter__.return_value = cursor
-        cursor_context.__exit__.return_value = False
-        connection.cursor.return_value = cursor_context
-        connection.__enter__.return_value = connection
-        connection.__exit__.return_value = False
-        connection.autocommit = True
-
-        context_manager = MagicMock()
-        context_manager.__enter__.return_value = connection
-        context_manager.__exit__.return_value = False
-        mock_psycopg_connection.return_value = context_manager
-
-        cursor.rowcount = 2
-
-        result = update_provider_compliance_scores(tenant_id, scan_id)
-
-        assert result["status"] == "completed"
-        assert result["upserted"] == 2
-        assert cursor.execute.call_count >= 3
-        connection.commit.assert_called_once()
-
-    def test_update_provider_compliance_scores_skips_incomplete_scan(
-        self, tenants_fixture, scans_fixture
-    ):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[1]
-        tenant_id = str(tenant.id)
-        scan_id = str(scan.id)
-
-        result = update_provider_compliance_scores(tenant_id, scan_id)
-
-        assert result["status"] == "skipped"
-        assert result["reason"] == "scan not completed"
-
-    def test_update_provider_compliance_scores_skips_no_completed_at(
-        self, tenants_fixture, scans_fixture
-    ):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        tenant_id = str(tenant.id)
-        scan_id = str(scan.id)
-
-        scan.state = StateChoices.COMPLETED
-        scan.completed_at = None
-        scan.save()
-
-        result = update_provider_compliance_scores(tenant_id, scan_id)
-
-        assert result["status"] == "skipped"
-        assert result["reason"] == "no completed_at"
-
-    @patch("tasks.jobs.scan.psycopg_connection")
-    def test_update_provider_compliance_scores_executes_sql_queries(
-        self,
-        mock_psycopg_connection,
-        tenants_fixture,
-        providers_fixture,
-        scans_fixture,
-        settings,
-    ):
-        settings.DATABASES.setdefault("admin", settings.DATABASES["default"])
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        tenant_id = str(tenant.id)
-        scan_id = str(scan.id)
-
-        scan.state = StateChoices.COMPLETED
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        connection = MagicMock()
-        cursor = MagicMock()
-        cursor_context = MagicMock()
-        cursor_context.__enter__.return_value = cursor
-        cursor_context.__exit__.return_value = False
-        connection.cursor.return_value = cursor_context
-        connection.__enter__.return_value = connection
-        connection.__exit__.return_value = False
-
-        context_manager = MagicMock()
-        context_manager.__enter__.return_value = connection
-        context_manager.__exit__.return_value = False
-        mock_psycopg_connection.return_value = context_manager
-
-        cursor.rowcount = 1
-        cursor.fetchall.side_effect = [[("aws_cis_2.0",)], []]
-
-        result = update_provider_compliance_scores(tenant_id, scan_id)
-
-        assert result["status"] == "completed"
-
-        calls = [str(c) for c in cursor.execute.call_args_list]
-        assert any("provider_compliance_scores" in c for c in calls)
-        assert any("tenant_compliance_summaries" in c for c in calls)
-        assert any("pg_advisory_xact_lock" in c for c in calls)
@@ -4,13 +4,11 @@ from unittest.mock import MagicMock, patch
 import openai
 import pytest
 from botocore.exceptions import ClientError
-from django_celery_beat.models import IntervalSchedule, PeriodicTask
 from tasks.jobs.lighthouse_providers import (
    _create_bedrock_client,
    _extract_bedrock_credentials,
 )
 from tasks.tasks import (
-    _cleanup_orphan_scheduled_scans,
    _perform_scan_complete_tasks,
    check_integrations_task,
    check_lighthouse_provider_connection_task,
@@ -24,8 +22,6 @@ from api.models import (
    Integration,
    LighthouseProviderConfiguration,
    LighthouseProviderModels,
-    Scan,
-    StateChoices,
 )


@@ -730,9 +726,7 @@ class TestGenerateOutputs:

 class TestScanCompleteTasks:
    @patch("tasks.tasks.aggregate_attack_surface_task.apply_async")
-    @patch("tasks.tasks.chain")
-    @patch("tasks.tasks.create_compliance_requirements_task.si")
-    @patch("tasks.tasks.update_provider_compliance_scores_task.si")
+    @patch("tasks.tasks.create_compliance_requirements_task.apply_async")
    @patch("tasks.tasks.perform_scan_summary_task.si")
    @patch("tasks.tasks.generate_outputs_task.si")
    @patch("tasks.tasks.generate_compliance_reports_task.si")
@@ -743,22 +737,15 @@ class TestScanCompleteTasks:
        mock_compliance_reports_task,
        mock_outputs_task,
        mock_scan_summary_task,
-        mock_update_compliance_scores_task,
        mock_compliance_requirements_task,
-        mock_chain,
        mock_attack_surface_task,
    ):
        """Test that scan complete tasks are properly orchestrated with optimized reports."""
        _perform_scan_complete_tasks("tenant-id", "scan-id", "provider-id")

-        # Verify compliance requirements task is called via chain
+        # Verify compliance requirements task is called
        mock_compliance_requirements_task.assert_called_once_with(
-            tenant_id="tenant-id", scan_id="scan-id"
-        )
-
-        # Verify update provider compliance scores task is called via chain
-        mock_update_compliance_scores_task.assert_called_once_with(
-            tenant_id="tenant-id", scan_id="scan-id"
+            kwargs={"tenant_id": "tenant-id", "scan_id": "scan-id"},
        )

        # Verify attack surface task is called
@@ -1728,343 +1715,3 @@ class TestRefreshLighthouseProviderModelsTask:
            assert result["deleted"] == 0
            assert "error" in result
            assert result["error"] is not None
-
-
-@pytest.mark.django_db
-class TestCleanupOrphanScheduledScans:
-    """Unit tests for _cleanup_orphan_scheduled_scans helper function."""
-
-    def _create_periodic_task(self, provider_id, tenant_id):
-        """Helper to create a PeriodicTask for testing."""
-        interval, _ = IntervalSchedule.objects.get_or_create(every=24, period="hours")
-        return PeriodicTask.objects.create(
-            name=f"scan-perform-scheduled-{provider_id}",
-            task="scan-perform-scheduled",
-            interval=interval,
-            kwargs=f'{{"tenant_id": "{tenant_id}", "provider_id": "{provider_id}"}}',
-            enabled=True,
-        )
-
-    def test_cleanup_deletes_orphan_when_both_available_and_scheduled_exist(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that AVAILABLE scan is deleted when SCHEDULED also exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create orphan AVAILABLE scan
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan (next execution)
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_does_not_delete_when_only_available_exists(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that AVAILABLE scan is NOT deleted when no SCHEDULED exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create only AVAILABLE scan (normal first scan scenario)
-        available_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify nothing was deleted
-        assert deleted_count == 0
-        assert Scan.objects.filter(id=available_scan.id).exists()
-
-    def test_cleanup_does_not_delete_when_only_scheduled_exists(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that nothing is deleted when only SCHEDULED exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create only SCHEDULED scan (normal subsequent scan scenario)
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify nothing was deleted
-        assert deleted_count == 0
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_returns_zero_when_no_scans_exist(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup returns 0 when no scans exist."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Execute cleanup with no scans
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        assert deleted_count == 0
-
-    def test_cleanup_deletes_multiple_orphan_available_scans(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that multiple AVAILABLE orphan scans are all deleted."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create multiple orphan AVAILABLE scans
-        orphan_scan_1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-        orphan_scan_2 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify all orphans were deleted
-        assert deleted_count == 2
-        assert not Scan.objects.filter(id=orphan_scan_1.id).exists()
-        assert not Scan.objects.filter(id=orphan_scan_2.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_does_not_affect_different_provider(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects scans for the specified provider."""
-        tenant = tenants_fixture[0]
-        provider1 = providers_fixture[0]
-        provider2 = providers_fixture[1]
-        periodic_task1 = self._create_periodic_task(provider1.id, tenant.id)
-        periodic_task2 = self._create_periodic_task(provider2.id, tenant.id)
-
-        # Create orphan scenario for provider1
-        orphan_scan_p1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task1.id,
-        )
-        scheduled_scan_p1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Create AVAILABLE scan for provider2 (should not be affected)
-        available_scan_p2 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider2,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task2.id,
-        )
-
-        # Execute cleanup for provider1 only
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider1.id),
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Verify only provider1's orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan_p1.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan_p1.id).exists()
-        assert Scan.objects.filter(id=available_scan_p2.id).exists()
-
-    def test_cleanup_does_not_affect_manual_scans(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects SCHEDULED trigger scans, not MANUAL."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create orphan AVAILABLE scheduled scan
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create AVAILABLE manual scan (should not be affected)
-        manual_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Manual scan",
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.AVAILABLE,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify only scheduled orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-        assert Scan.objects.filter(id=manual_scan.id).exists()
-
-    def test_cleanup_does_not_affect_different_scheduler_task(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects scans with the specified scheduler_task_id."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task1 = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create another periodic task
-        interval, _ = IntervalSchedule.objects.get_or_create(every=24, period="hours")
-        periodic_task2 = PeriodicTask.objects.create(
-            name=f"scan-perform-scheduled-other-{provider.id}",
-            task="scan-perform-scheduled",
-            interval=interval,
-            kwargs=f'{{"tenant_id": "{tenant.id}", "provider_id": "{provider.id}"}}',
-            enabled=True,
-        )
-
-        # Create orphan scenario for periodic_task1
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task1.id,
-        )
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Create AVAILABLE scan for periodic_task2 (should not be affected)
-        available_scan_other_task = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task2.id,
-        )
-
-        # Execute cleanup for periodic_task1 only
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Verify only periodic_task1's orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-        assert Scan.objects.filter(id=available_scan_other_task.id).exists()
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_cis
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_cis(
-        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
-    )
@@ -1,25 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_cis
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_cis(
-        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
-    )
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_cis
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_cis(
-        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
-    )
@@ -1,28 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_threatscore
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_threatscore(
-        aux,
-        "REQUIREMENTS_ATTRIBUTES_SECTION",
-        "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
-        "REQUIREMENTS_ID",
-    )
@@ -312,28 +312,3 @@ def create_table_row_dropdown(table_rows: list) -> html.Div:
            ),
        ],
    )
-
-
-def create_category_dropdown(categories: list) -> html.Div:
-    """
-    Dropdown to select the category.
-    Args:
-        categories (list): List of categories.
-    Returns:
-        html.Div: Dropdown to select the category.
-    """
-    return html.Div(
-        [
-            html.Label(
-                "Category:", className="text-prowler-stone-900 font-bold text-sm"
-            ),
-            dcc.Dropdown(
-                id="category-filter",
-                options=[{"label": i, "value": i} for i in categories],
-                value=["All"],
-                clearable=False,
-                multi=True,
-                style={"color": "#000000"},
-            ),
-        ],
-    )
@@ -12,7 +12,6 @@ def create_layout_overview(
    provider_dropdown: html.Div,
    table_row_dropdown: html.Div,
    status_dropdown: html.Div,
-    category_dropdown: html.Div,
    table_div_header: html.Div,
    amount_providers: int,
 ) -> html.Div:
@@ -52,9 +51,8 @@ def create_layout_overview(
                    html.Div([service_dropdown], className=""),
                    html.Div([provider_dropdown], className=""),
                    html.Div([status_dropdown], className=""),
-                    html.Div([category_dropdown], className=""),
                ],
-                className="grid gap-x-4 mb-[30px] sm:grid-cols-2 lg:grid-cols-5",
+                className="grid gap-x-4 mb-[30px] sm:grid-cols-2 lg:grid-cols-4",
            ),
            html.Div(
                [
@@ -407,11 +407,9 @@ def display_data(
            compliance_module = importlib.import_module(
                f"dashboard.compliance.{current}"
            )
-            # Build subset list based on available columns
-            dedup_columns = ["CHECKID", "STATUS", "RESOURCEID", "STATUSEXTENDED"]
-            if "MUTED" in data.columns:
-                dedup_columns.insert(2, "MUTED")
-            data = data.drop_duplicates(subset=dedup_columns)
+            data = data.drop_duplicates(
+                subset=["CHECKID", "STATUS", "MUTED", "RESOURCEID", "STATUSEXTENDED"]
+            )

            if "threatscore" in analytics_input:
                data = get_threatscore_mean_by_pillar(data)
@@ -654,7 +652,6 @@ def get_table(current_compliance, table):
 def get_threatscore_mean_by_pillar(df):
    score_per_pillar = {}
    max_score_per_pillar = {}
-    counted_findings_per_pillar = {}

    for _, row in df.iterrows():
        pillar = (
@@ -666,18 +663,6 @@ def get_threatscore_mean_by_pillar(df):
        if pillar not in score_per_pillar:
            score_per_pillar[pillar] = 0
            max_score_per_pillar[pillar] = 0
-            counted_findings_per_pillar[pillar] = set()
-
-        # Skip muted findings for score calculation
-        is_muted = "MUTED" in df.columns and row.get("MUTED") == "True"
-        if is_muted:
-            continue
-
-        # Create unique finding identifier to avoid counting duplicates
-        finding_id = f"{row.get('CHECKID', '')}_{row.get('RESOURCEID', '')}"
-        if finding_id in counted_findings_per_pillar[pillar]:
-            continue
-        counted_findings_per_pillar[pillar].add(finding_id)

        level_of_risk = pd.to_numeric(
            row["REQUIREMENTS_ATTRIBUTES_LEVELOFRISK"], errors="coerce"
@@ -721,10 +706,6 @@ def get_table_prowler_threatscore(df):
    score_per_pillar = {}
    max_score_per_pillar = {}
    pillars = {}
-    counted_findings_per_pillar = {}
-    counted_pass = set()
-    counted_fail = set()
-    counted_muted = set()

    df_copy = df.copy()

@@ -739,24 +720,6 @@ def get_table_prowler_threatscore(df):
            pillars[pillar] = {"FAIL": 0, "PASS": 0, "MUTED": 0}
            score_per_pillar[pillar] = 0
            max_score_per_pillar[pillar] = 0
-            counted_findings_per_pillar[pillar] = set()
-
-        # Create unique finding identifier
-        finding_id = f"{row.get('CHECKID', '')}_{row.get('RESOURCEID', '')}"
-
-        # Check if muted
-        is_muted = "MUTED" in df_copy.columns and row.get("MUTED") == "True"
-
-        # Count muted findings (separate from score calculation)
-        if is_muted and finding_id not in counted_muted:
-            counted_muted.add(finding_id)
-            pillars[pillar]["MUTED"] += 1
-            continue  # Skip muted findings for score calculation
-
-        # Skip if already counted for this pillar
-        if finding_id in counted_findings_per_pillar[pillar]:
-            continue
-        counted_findings_per_pillar[pillar].add(finding_id)

        level_of_risk = pd.to_numeric(
            row["REQUIREMENTS_ATTRIBUTES_LEVELOFRISK"], errors="coerce"
@@ -775,14 +738,13 @@ def get_table_prowler_threatscore(df):
        max_score_per_pillar[pillar] += level_of_risk * weight

        if row["STATUS"] == "PASS":
-            if finding_id not in counted_pass:
-                counted_pass.add(finding_id)
-                pillars[pillar]["PASS"] += 1
+            pillars[pillar]["PASS"] += 1
            score_per_pillar[pillar] += level_of_risk * weight
        elif row["STATUS"] == "FAIL":
-            if finding_id not in counted_fail:
-                counted_fail.add(finding_id)
-                pillars[pillar]["FAIL"] += 1
+            pillars[pillar]["FAIL"] += 1
+
+        if "MUTED" in row and row["MUTED"] == "True":
+            pillars[pillar]["MUTED"] += 1

    result_df = []

@@ -35,7 +35,6 @@ from dashboard.config import (
 from dashboard.lib.cards import create_provider_card
 from dashboard.lib.dropdowns import (
    create_account_dropdown,
-    create_category_dropdown,
    create_date_dropdown,
    create_provider_dropdown,
    create_region_dropdown,
@@ -344,18 +343,6 @@ else:
    status = [x for x in status if str(x) != "nan" and x.__class__.__name__ == "str"]

    status_dropdown = create_status_dropdown(status)
-
-    # Create the category dropdown
-    categories = []
-    if "CATEGORIES" in data.columns:
-        for cat_list in data["CATEGORIES"].dropna().unique():
-            if cat_list and str(cat_list) != "nan":
-                for cat in str(cat_list).split(","):
-                    cat = cat.strip()
-                    if cat and cat not in categories:
-                        categories.append(cat)
-    categories = ["All"] + sorted(categories)
-    category_dropdown = create_category_dropdown(categories)
    table_div_header = []
    table_div_header.append(
        html.Div(
@@ -517,7 +504,6 @@ else:
        provider_dropdown,
        table_row_dropdown,
        status_dropdown,
-        category_dropdown,
        table_div_header,
        len(data["PROVIDER"].unique()),
    )
@@ -554,8 +540,6 @@ else:
        Output("table-rows", "options"),
        Output("status-filter", "value"),
        Output("status-filter", "options"),
-        Output("category-filter", "value"),
-        Output("category-filter", "options"),
        Output("aws_card", "n_clicks"),
        Output("azure_card", "n_clicks"),
        Output("gcp_card", "n_clicks"),
@@ -573,7 +557,6 @@ else:
    Input("provider-filter", "value"),
    Input("table-rows", "value"),
    Input("status-filter", "value"),
-    Input("category-filter", "value"),
    Input("search-input", "value"),
    Input("aws_card", "n_clicks"),
    Input("azure_card", "n_clicks"),
@@ -599,7 +582,6 @@ def filter_data(
    provider_values,
    table_row_values,
    status_values,
-    category_values,
    search_value,
    aws_clicks,
    azure_clicks,
@@ -983,41 +965,6 @@ def filter_data(

    status_filter_options = ["All"] + list(filtered_data["STATUS"].unique())

-    # Filter Category
-    if "CATEGORIES" in filtered_data.columns:
-        if category_values == ["All"]:
-            updated_category_values = None
-        elif "All" in category_values and len(category_values) > 1:
-            category_values.remove("All")
-            updated_category_values = category_values
-        elif len(category_values) == 0:
-            updated_category_values = None
-            category_values = ["All"]
-        else:
-            updated_category_values = category_values
-
-        if updated_category_values:
-            filtered_data = filtered_data[
-                filtered_data["CATEGORIES"].apply(
-                    lambda x: any(
-                        cat.strip() in updated_category_values
-                        for cat in str(x).split(",")
-                        if str(x) != "nan"
-                    )
-                )
-            ]
-
-        category_filter_options = ["All"]
-        for cat_list in filtered_data["CATEGORIES"].dropna().unique():
-            if cat_list and str(cat_list) != "nan":
-                for cat in str(cat_list).split(","):
-                    cat = cat.strip()
-                    if cat and cat not in category_filter_options:
-                        category_filter_options.append(cat)
-        category_filter_options = sorted(category_filter_options)
-    else:
-        category_filter_options = ["All"]
-
    if len(filtered_data_sp) == 0:
        fig = px.pie()
        fig.update_layout(
@@ -1565,8 +1512,6 @@ def filter_data(
            table_row_options,
            status_values,
            status_filter_options,
-            category_values,
-            category_filter_options,
            aws_clicks,
            azure_clicks,
            gcp_clicks,
@@ -1604,8 +1549,6 @@ def filter_data(
            table_row_options,
            status_values,
            status_filter_options,
-            category_values,
-            category_filter_options,
            aws_clicks,
            azure_clicks,
            gcp_clicks,
@@ -41,9 +41,6 @@ services:
    volumes:
      - "./ui:/app"
      - "/app/node_modules"
-    depends_on:
-      mcp-server:
-        condition: service_healthy

  postgres:
    image: postgres:16.3-alpine3.20
@@ -60,11 +57,7 @@ services:
    ports:
      - "${POSTGRES_PORT:-5432}:${POSTGRES_PORT:-5432}"
    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER} -d ${POSTGRES_DB}'",
-        ]
+      test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER} -d ${POSTGRES_DB}'"]
      interval: 5s
      timeout: 5s
      retries: 5
@@ -125,32 +118,6 @@ services:
      - "../docker-entrypoint.sh"
      - "beat"

-  mcp-server:
-    build:
-      context: ./mcp_server
-      dockerfile: Dockerfile
-    environment:
-      - PROWLER_MCP_TRANSPORT_MODE=http
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    volumes:
-      - ./mcp_server/prowler_mcp_server:/app/prowler_mcp_server
-      - ./mcp_server/pyproject.toml:/app/pyproject.toml
-      - ./mcp_server/entrypoint.sh:/app/entrypoint.sh
-    command: ["uvicorn", "--host", "0.0.0.0", "--port", "8000"]
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "wget -q -O /dev/null http://127.0.0.1:8000/health || exit 1",
-        ]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-
 volumes:
  outputs:
    driver: local
@@ -1,9 +1,3 @@
-# Production Docker Compose configuration
-# Uses pre-built images from Docker Hub (prowlercloud/*)
-#
-# For development with local builds and hot-reload, use docker-compose-dev.yml instead:
-#   docker compose -f docker-compose-dev.yml up
-#
 services:
  api:
    hostname: "prowler-api"
@@ -32,9 +26,6 @@ services:
        required: false
    ports:
      - ${UI_PORT:-3000}:${UI_PORT:-3000}
-    depends_on:
-      mcp-server:
-        condition: service_healthy

  postgres:
    image: postgres:16.3-alpine3.20
@@ -102,22 +93,6 @@ services:
      - "../docker-entrypoint.sh"
      - "beat"

-  mcp-server:
-    image: prowlercloud/prowler-mcp:${PROWLER_MCP_VERSION:-stable}
-    environment:
-      - PROWLER_MCP_TRANSPORT_MODE=http
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    command: ["uvicorn", "--host", "0.0.0.0", "--port", "8000"]
-    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:8000/health || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-
 volumes:
  output:
    driver: local
@@ -479,66 +479,6 @@ Effective headers and section titles enhance document readability and structure,

 ---

-## Version Badge for Feature Documentation
-
-The Version Badge component indicates when a specific feature or functionality was introduced in Prowler. This component is located at `docs/snippets/version-badge.mdx` and should be used consistently across the documentation.
-
-### When to Use the Version Badge
-
-Use the Version Badge when documenting:
-
-* New features added in a specific version.
-* New CLI options or flags.
-* New API endpoints or SDK methods.
-* New compliance frameworks or security checks.
-* Breaking changes or deprecated features (with appropriate context).
-
-### How to Use the Version Badge
-
-1.  **Import the Component**
-
-    At the top of the MDX file, import the snippet:
-
-    ```mdx
-    import { VersionBadge } from "/snippets/version-badge.mdx"
-    ```
-
-2.  **Place the Badge**
-
-    Insert the badge immediately after the section header or feature title:
-
-    ```mdx
-    ## New Feature Name
-
-    <VersionBadge version="4.5.0" />
-
-    Description of the feature...
-    ```
-
-3.  **Version Format**
-
-    Use semantic versioning format (e.g., `4.5.0`, `5.0.0`). Do not include the "v" prefix.
-
-### Placement Guidelines
-
-* Place the Version Badge on its own line, directly below the header.
-* Leave a blank line after the badge before continuing with the content.
-* For subsections, place the badge only if the subsection introduces something new independently from the parent section.
-
-**Example:**
-
-```mdx
-## Tag-Based Scanning
-
-import { VersionBadge } from "/snippets/version-badge.mdx"
-
-<VersionBadge version="4.3.0" />
-
-Tag-Based Scanning allows filtering resources by AWS tags during security assessments...
-```
-
---
-
 ## Avoid Assumptions Regarding Audience’s Expertise

 ### Understand Your Audience’s Expertise
@@ -1,216 +0,0 @@
---
-title: 'AI Skills System'
---
-
-This guide explains the AI Skills system that provides on-demand context and patterns to AI agents working with the Prowler codebase.
-
-<Info>
-**What are AI Skills?** Skills are structured instructions that help AI agents (Claude Code, Cursor, Copilot, etc.) understand Prowler's conventions, patterns, and best practices.
-</Info>
-
-## Architecture Overview
-
-```mermaid
-graph LR
-    subgraph FLOW["AI Skills Architecture"]
-        A["AI Agent"] -->|"1. matches trigger"| B["AGENTS.md"]
-        B -->|"2. loads"| C["Skill"]
-        C -->|"3. provides"| D["Patterns<br/>Templates<br/>Commands"]
-        C -->|"4. references"| E["Local Docs"]
-        D --> F["Correct Output"]
-        E --> F
-    end
-
-    style A fill:#1e3a5f,stroke:#4a9eff,color:#fff
-    style B fill:#5c4d1a,stroke:#ffd700,color:#fff
-    style C fill:#1a4d1a,stroke:#4caf50,color:#fff
-    style E fill:#4a1a4d,stroke:#ba68c8,color:#fff
-    style F fill:#1a4d2e,stroke:#66bb6a,color:#fff
-```
-
-## How It Works
-
-```mermaid
-sequenceDiagram
-    participant U as User
-    participant A as AI Agent
-    participant R as AGENTS.md
-    participant S as Skill
-    participant AS as assets/
-    participant RF as references/
-    participant D as Local Docs
-
-    U->>A: "Create an AWS security check"
-
-    Note over A: Analyze request context
-
-    A->>R: Find matching skill trigger
-    R-->>A: prowler-sdk-check matches
-
-    A->>S: Load SKILL.md
-    S-->>A: Patterns, rules, templates, commands
-
-    Note over A: Need code template?
-
-    A->>AS: Read assets/aws_check.py
-    AS-->>A: Check implementation template
-
-    Note over A: Need more details?
-
-    A->>RF: Read references/metadata-docs.md
-    RF-->>A: Points to local docs
-
-    A->>D: Read docs/developer-guide/checks.mdx
-    D-->>A: Full documentation
-
-    Note over A: Execute with full context
-
-    A->>U: Creates check with correct patterns
-```
-
-## Before vs After
-
-```mermaid
-graph TD
-    subgraph COMPARISON["BEFORE vs AFTER"]
-        direction LR
-
-        subgraph BEFORE["Without Skills"]
-            B1["AI guesses conventions"]
-            B2["Wrong structure"]
-            B3["Multiple iterations"]
-            B4["Web searches for docs"]
-            B5["Inconsistent patterns"]
-        end
-
-        subgraph AFTER["With Skills"]
-            A1["AI loads exact patterns"]
-            A2["Correct structure"]
-            A3["First-time right"]
-            A4["Local docs referenced"]
-            A5["Consistent patterns"]
-        end
-    end
-
-    style BEFORE fill:#5c1a1a,stroke:#ef5350,color:#fff
-    style AFTER fill:#1a4d1a,stroke:#66bb6a,color:#fff
-```
-
-## Complete Architecture
-
-```mermaid
-flowchart TB
-    subgraph ENTRY["ENTRY POINT"]
-        AGENTS["AGENTS.md<br/>━━━━━━━━━━━━━━━━━<br/>• Available skills registry<br/>• Skill → Trigger mapping<br/>• Component navigation"]
-    end
-
-    subgraph SKILLS["SKILLS LIBRARY"]
-        direction TB
-
-        subgraph GENERIC["Generic Skills"]
-            G1["typescript"]
-            G2["react-19"]
-            G3["nextjs-15"]
-            G4["tailwind-4"]
-            G5["pytest"]
-            G6["playwright"]
-            G7["django-drf"]
-            G8["zod-4"]
-            G9["zustand-5"]
-            G10["ai-sdk-5"]
-        end
-
-        subgraph PROWLER["Prowler Skills"]
-            P1["prowler"]
-            P2["prowler-sdk-check"]
-            P3["prowler-api"]
-            P4["prowler-ui"]
-            P5["prowler-mcp"]
-            P6["prowler-provider"]
-            P7["prowler-compliance"]
-            P8["prowler-docs"]
-            P9["prowler-pr"]
-        end
-
-        subgraph TESTING["Testing Skills"]
-            T1["prowler-test-sdk"]
-            T2["prowler-test-api"]
-            T3["prowler-test-ui"]
-        end
-
-        subgraph META["Meta Skills"]
-            M1["skill-creator"]
-        end
-    end
-
-    subgraph STRUCTURE["SKILL STRUCTURE"]
-        direction LR
-
-        SKILLMD["SKILL.md<br/>━━━━━━━━━━━━━━<br/>• Frontmatter<br/>• Critical patterns<br/>• Decision trees<br/>• Code examples<br/>• Commands<br/>• Keywords"]
-
-        ASSETS["assets/<br/>━━━━━━━━━━━━━━<br/>• Code templates<br/>• JSON schemas<br/>• Config examples"]
-
-        REFS["references/<br/>━━━━━━━━━━━━━━<br/>• Local doc paths<br/>• No web URLs<br/>• Single source"]
-    end
-
-    subgraph DOCS["DOCUMENTATION"]
-        direction TB
-        DD["docs/developer-guide/"]
-        D1["checks.mdx"]
-        D2["unit-testing.mdx"]
-        D3["provider.mdx"]
-        D4["mcp-server.mdx"]
-        D5["..."]
-
-        DD --> D1
-        DD --> D2
-        DD --> D3
-        DD --> D4
-        DD --> D5
-    end
-
-    ENTRY --> SKILLS
-    SKILLS --> STRUCTURE
-    SKILLMD --> ASSETS
-    SKILLMD --> REFS
-    REFS -.->|"points to"| DOCS
-
-    style ENTRY fill:#1e3a5f,stroke:#4a9eff,color:#fff
-    style GENERIC fill:#5c4d1a,stroke:#ffd700,color:#fff
-    style PROWLER fill:#1a4d1a,stroke:#66bb6a,color:#fff
-    style TESTING fill:#4d1a3d,stroke:#f06292,color:#fff
-    style META fill:#4a1a4d,stroke:#ba68c8,color:#fff
-    style STRUCTURE fill:#5c3d1a,stroke:#ffb74d,color:#fff
-    style DOCS fill:#1a3d4d,stroke:#4dd0e1,color:#fff
-```
-
-## Skills Included
-
-| Type | Skills |
-|------|--------|
-| **Generic** | typescript, react-19, nextjs-15, tailwind-4, pytest, playwright, django-drf, zod-4, zustand-5, ai-sdk-5 |
-| **Prowler** | prowler, prowler-sdk-check, prowler-api, prowler-ui, prowler-mcp, prowler-provider, prowler-compliance, prowler-docs, prowler-pr |
-| **Testing** | prowler-test-sdk, prowler-test-api, prowler-test-ui |
-| **Meta** | skill-creator |
-
-## Skill Structure
-
-Each skill follows the [Agent Skills spec](https://agentskills.io):
-
-```
-skills/{skill-name}/
-├── SKILL.md          # Patterns, rules, decision trees
-├── assets/           # Code templates, schemas
-└── references/       # Links to local docs (single source of truth)
-```
-
-## Key Design Decisions
-
-1. **Self-contained skills** - Critical patterns inline for fast loading
-2. **Local doc references** - No web URLs, points to `docs/developer-guide/*.mdx`
-3. **Single source of truth** - Skills reference docs, no duplication
-4. **On-demand loading** - AI loads only what's needed for the task
-
-## Creating New Skills
-
-Use the `skill-creator` meta-skill to create new skills that follow the Agent Skills spec. See `AGENTS.md` for the full list of available skills and their triggers.
@@ -1,212 +0,0 @@
---
-title: 'Alibaba Cloud Provider'
---
-
-This page details the [Alibaba Cloud](https://www.alibabacloud.com/) provider implementation in Prowler.
-
-By default, Prowler will audit all the Alibaba Cloud regions that are available. To configure it, follow the [Alibaba Cloud getting started guide](/user-guide/providers/alibabacloud/getting-started-alibabacloud).
-
-## Alibaba Cloud Provider Classes Architecture
-
-The Alibaba Cloud provider implementation follows the general [Provider structure](/developer-guide/provider). This section focuses on the Alibaba Cloud-specific implementation, highlighting how the generic provider concepts are realized for Alibaba Cloud in Prowler. For a full overview of the provider pattern, base classes, and extension guidelines, see [Provider documentation](/developer-guide/provider).
-
-### Main Class
-
- **Location:** [`prowler/providers/alibabacloud/alibabacloud_provider.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/alibabacloud_provider.py)
- **Base Class:** Inherits from `Provider` (see [base class details](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/common/provider.py)).
- **Purpose:** Central orchestrator for Alibaba Cloud-specific logic, session management, credential validation, and configuration.
- **Key Alibaba Cloud Responsibilities:**
-    - Initializes and manages Alibaba Cloud sessions (supports Access Keys, STS Temporary Credentials, RAM Role Assumption, ECS RAM Role, OIDC Authentication, and Credentials URI).
-    - Validates credentials using STS GetCallerIdentity.
-    - Loads and manages configuration, mutelist, and fixer settings.
-    - Discovers and manages Alibaba Cloud regions.
-    - Provides properties and methods for downstream Alibaba Cloud service classes to access session, identity, and configuration data.
-
-### Data Models
-
- **Location:** [`prowler/providers/alibabacloud/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/models.py)
- **Purpose:** Define structured data for Alibaba Cloud identity, session, credentials, and region info.
- **Key Alibaba Cloud Models:**
-    - `AlibabaCloudCallerIdentity`: Stores caller identity information from STS GetCallerIdentity (account_id, principal_id, arn, identity_type).
-    - `AlibabaCloudIdentityInfo`: Holds Alibaba Cloud identity metadata including account ID, user info, profile, and audited regions.
-    - `AlibabaCloudCredentials`: Stores credentials (access_key_id, access_key_secret, security_token).
-    - `AlibabaCloudRegion`: Represents an Alibaba Cloud region with region_id and region_name.
-    - `AlibabaCloudSession`: Manages the session and provides methods to create service clients.
-
-### `AlibabaCloudService` (Service Base Class)
-
- **Location:** [`prowler/providers/alibabacloud/lib/service/service.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/lib/service/service.py)
- **Purpose:** Abstract base class that all Alibaba Cloud service-specific classes inherit from. This implements the generic service pattern (described in [service page](/developer-guide/services#service-base-class)) specifically for Alibaba Cloud.
- **Key Alibaba Cloud Responsibilities:**
-    - Receives an `AlibabacloudProvider` instance to access session, identity, and configuration.
-    - Manages regional clients for services that are region-specific.
-    - Provides `__threading_call__` method to make API calls in parallel by region or resource.
-    - Exposes common audit context (`audited_account`, `audited_account_name`, `audit_resources`, `audit_config`) to subclasses.
-
-### Exception Handling
-
- **Location:** [`prowler/providers/alibabacloud/exceptions/exceptions.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/exceptions/exceptions.py)
- **Purpose:** Custom exception classes for Alibaba Cloud-specific error handling.
- **Key Alibaba Cloud Exceptions:**
-    - `AlibabaCloudClientError`: General client errors
-    - `AlibabaCloudNoCredentialsError`: No credentials found
-    - `AlibabaCloudInvalidCredentialsError`: Invalid credentials provided
-    - `AlibabaCloudSetUpSessionError`: Session setup failures
-    - `AlibabaCloudAssumeRoleError`: RAM role assumption failures
-    - `AlibabaCloudInvalidRegionError`: Invalid region specified
-    - `AlibabaCloudHTTPError`: HTTP/API errors
-
-### Session and Utility Helpers
-
- **Location:** [`prowler/providers/alibabacloud/lib/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/lib/)
- **Purpose:** Helpers for argument parsing, mutelist management, and other cross-cutting concerns.
-
-## Specific Patterns in Alibaba Cloud Services
-
-The generic service pattern is described in [service page](/developer-guide/services#service-structure-and-initialisation). You can find all the currently implemented services in the following locations:
-
- Directly in the code, in location [`prowler/providers/alibabacloud/services/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/services)
- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
-
-The best reference to understand how to implement a new service is following the [service implementation documentation](/developer-guide/services#adding-a-new-service) and taking other services already implemented as reference. In next subsection you can find a list of common patterns that are used across all Alibaba Cloud services.
-
-### Alibaba Cloud Service Common Patterns
-
- Services communicate with Alibaba Cloud using the official Alibaba Cloud Python SDKs. Documentation for individual services can be found in the [Alibaba Cloud SDK documentation](https://www.alibabacloud.com/help/en/sdk).
- Every Alibaba Cloud service class inherits from `AlibabaCloudService`, ensuring access to session, identity, configuration, and client utilities.
- The constructor (`__init__`) always calls `super().__init__` with the service name, provider, and optionally `global_service=True` for services that are not regional (e.g., RAM).
- Resource containers **must** be initialized in the constructor. For regional services, resources are typically stored in dictionaries keyed by region and resource ID.
- All Alibaba Cloud resources are represented as Pydantic `BaseModel` classes, providing type safety and structured access to resource attributes.
- Alibaba Cloud SDK functions are wrapped in try/except blocks, with specific handling for errors, always logging errors.
- Regional services use `self.regional_clients` to maintain clients for each audited region.
- The `__threading_call__` method is used for parallel execution across regions or resources.
-
-### Example Service Implementation
-
-```python
-from prowler.lib.logger import logger
-from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
-
-
-class MyService(AlibabaCloudService):
-    def __init__(self, provider):
-        # Initialize parent class with service name
-        super().__init__("myservice", provider)
-
-        # Initialize resource containers
-        self.resources = {}
-
-        # Discover resources using threading
-        self.__threading_call__(self._describe_resources)
-
-    def _describe_resources(self, regional_client):
-        try:
-            region = regional_client.region
-            response = regional_client.describe_resources()
-
-            for resource in response.body.resources:
-                self.resources[resource.id] = MyResource(
-                    id=resource.id,
-                    name=resource.name,
-                    region=region,
-                    # ... other attributes
-                )
-        except Exception as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-```
-
-## Specific Patterns in Alibaba Cloud Checks
-
-The Alibaba Cloud checks pattern is described in [checks page](/developer-guide/checks). You can find all the currently implemented checks:
-
- Directly in the code, within each service folder, each check has its own folder named after the name of the check. (e.g. [`prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/`](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key))
- In the [Prowler Hub](https://hub.prowler.com/) for a more human-readable view.
-
-The best reference to understand how to implement a new check is following the [check implementation documentation](/developer-guide/checks#creating-a-check) and taking other similar checks as reference.
-
-### Check Report Class
-
-The `CheckReportAlibabaCloud` class models a single finding for an Alibaba Cloud resource in a check report. It is defined in [`prowler/lib/check/models.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py) and inherits from the generic `Check_Report` base class.
-
-#### Purpose
-
-`CheckReportAlibabaCloud` extends the base report structure with Alibaba Cloud-specific fields, enabling detailed tracking of the resource, resource ID, ARN, and region associated with each finding.
-
-#### Constructor and Attribute Population
-
-When you instantiate `CheckReportAlibabaCloud`, you must provide the check metadata and a resource object. The class will attempt to automatically populate its Alibaba Cloud-specific attributes from the resource, using the following logic:
-
- **`resource_id`**:
-    - Uses `resource.id` if present.
-    - Otherwise, uses `resource.name` if present.
-    - Defaults to an empty string if not available.
-
- **`resource_arn`**:
-    - Uses `resource.arn` if present.
-    - Defaults to an empty string if not available.
-
- **`region`**:
-    - Uses `resource.region` if present.
-    - Defaults to an empty string if not available.
-
-If the resource object does not contain the required attributes, you must set them manually in the check logic.
-
-Other attributes are inherited from the `Check_Report` class, from which you **always** have to set the `status` and `status_extended` attributes in the check logic.
-
-#### Example Usage
-
-```python
-from prowler.lib.check.models import Check, CheckReportAlibabaCloud
-from prowler.providers.alibabacloud.services.myservice.myservice_client import myservice_client
-
-
-class myservice_example_check(Check):
-    def execute(self) -> list[CheckReportAlibabaCloud]:
-        findings = []
-
-        for resource in myservice_client.resources.values():
-            report = CheckReportAlibabaCloud(
-                metadata=self.metadata(),
-                resource=resource
-            )
-            report.region = resource.region
-            report.resource_id = resource.id
-            report.resource_arn = f"acs:myservice::{myservice_client.audited_account}:resource/{resource.id}"
-
-            if resource.is_compliant:
-                report.status = "PASS"
-                report.status_extended = f"Resource {resource.name} is compliant."
-            else:
-                report.status = "FAIL"
-                report.status_extended = f"Resource {resource.name} is not compliant."
-
-            findings.append(report)
-
-        return findings
-```
-
-## Authentication Methods
-
-The Alibaba Cloud provider supports multiple authentication methods, prioritized in the following order:
-
-1. **Credentials URI** - Retrieve credentials from an external URI endpoint
-2. **OIDC Role Authentication** - For applications running in ACK with RRSA enabled
-3. **ECS RAM Role** - For ECS instances with attached RAM roles
-4. **RAM Role Assumption** - Cross-account access with role assumption
-5. **STS Temporary Credentials** - Pre-obtained temporary credentials
-6. **Permanent Access Keys** - Static access key credentials
-7. **Default Credential Chain** - Automatic credential discovery
-
-For detailed authentication configuration, see the [Authentication documentation](/user-guide/providers/alibabacloud/authentication).
-
-## Regions
-
-Alibaba Cloud has multiple regions across the globe. By default, Prowler audits all available regions. You can specify specific regions using the `--regions` CLI argument:
-
-```bash
-prowler alibabacloud --regions cn-hangzhou cn-shanghai
-```
-
-The list of supported regions is maintained in [`prowler/providers/alibabacloud/config.py`](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/alibabacloud/config.py).
@@ -237,7 +237,6 @@ Below is a generic example of a check metadata file. **Do not include comments i
  "ResourceIdTemplate": "",
  "Severity": "medium",
  "ResourceType": "Other",
-  "ResourceGroup": "security",
  "Description": "This check verifies that the service resource has the required **security setting** enabled to protect against potential vulnerabilities.\n\nIt ensures that the resource follows security best practices and maintains proper access controls. The check evaluates whether the security configuration is properly implemented and active.",
  "Risk": "Without proper security settings, the resource may be vulnerable to:\n\n- **Unauthorized access** - Malicious actors could gain entry\n- **Data breaches** - Sensitive information could be compromised\n- **Security threats** - Various attack vectors could be exploited\n\nThis could result in compliance violations and potential financial or reputational damage.",
  "RelatedUrl": "",
@@ -313,33 +312,7 @@ The type of resource being audited. This field helps categorize and organize fin
 - **Azure**: Use types from [Azure Resource Graph](https://learn.microsoft.com/en-us/azure/governance/resource-graph/reference/supported-tables-resources), for example: `Microsoft.Storage/storageAccounts`.
 - **Google Cloud**: Use [Cloud Asset Inventory asset types](https://cloud.google.com/asset-inventory/docs/asset-types), for example: `compute.googleapis.com/Instance`.
 - **Kubernetes**: Use types shown under `KIND` from `kubectl api-resources`.
- **Oracle Cloud Infrastructure**: Use types from [Oracle Cloud Infrastructure documentation](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Search/Tasks/queryingresources_topic-Listing_Supported_Resource_Types.htm).
- **M365 / GitHub / MongoDB Atlas**: Leave empty due to lack of standardized types.
-
-#### ResourceGroup
-
-A high-level classification that groups checks by the type of cloud resource they audit. This field enables filtering and organizing findings by resource category across all providers. The value must be one of the following predefined groups:
-
-| Group | Description |
-|-------|-------------|
-| `compute` | Virtual machines, instances, auto-scaling groups, workspaces, streaming |
-| `container` | Container orchestration, Kubernetes, registries, pods |
-| `serverless` | Functions, step functions, event-driven compute |
-| `database` | Relational, NoSQL, caches, search engines, data warehouses, graph databases |
-| `storage` | Object storage, block storage, file systems, backups, archives |
-| `network` | VPCs, subnets, load balancers, DNS, VPN, firewalls, CDN |
-| `IAM` | IAM users, roles, policies, access keys, service accounts, directories |
-| `messaging` | Queues, topics, event buses, streaming, email services |
-| `security` | WAF, secrets, KMS, certificates, security tools, defenders, DDoS protection |
-| `monitoring` | Logs, metrics, alerts, audit trails, observability, config tracking |
-| `api_gateway` | API management, REST APIs, GraphQL endpoints |
-| `ai_ml` | Machine learning, AI services, notebooks, training, LLM |
-| `governance` | Accounts, organizations, projects, policies, settings, compliance tools |
-| `collaboration` | Productivity SaaS apps (Exchange, Teams, SharePoint) |
-| `devops` | CI/CD, infrastructure as code, automation, code repositories, version control |
-| `analytics` | Data warehouses, query engines, ETL pipelines, BI tools, data lakes |
-
-The group is determined by the resource type being audited, not the service. For example, an EC2 security group check would use `network` (not `compute`), while an EC2 instance check would use `compute`.
+- **M365 / GitHub**: Leave empty due to lack of standardized types.

 #### Description

@@ -1,327 +0,0 @@
---
-title: 'End-2-End Tests for Prowler App'
---
-
-End-to-end (E2E) tests validate complete user flows in Prowler App (UI + API). These tests are implemented with [Playwright](https://playwright.dev/) under the `ui/tests` folder and are designed to run against a Prowler App environment.
-
-## General Recommendations
-
-When adding or maintaining E2E tests for Prowler App, follow these guidelines:
-
-1. **Test real user journeys**
-   Focus on full workflows (for example, sign-up → login → add provider → launch scan) instead of low-level UI details already covered by unit or integration tests.
-
-2. **Group tests by entity or feature area**
-   - Organize E2E tests by entity or feature area (for example, `providers.spec.ts`, `scans.spec.ts`, `invitations.spec.ts`, `sign-up.spec.ts`).
-   - Each entity should have its own test file and corresponding page model class (for example, `ProvidersPage`, `ScansPage`, `InvitationsPage`).
-   - Related tests for the same entity should be grouped together in the same test file to improve maintainability and make it easier to find and update tests for a specific feature.
-
-3. **Use a Page Model (Page Object Model)**
-   - Encapsulate selectors and common actions in page classes instead of repeating them in each test.
-   - Leverage and extend the existing Playwright page models in `ui/tests`—such as `ProvidersPage`, `ScansPage`, and others—which are all based on the shared `BasePage`.
-   - Page models for Prowler App pages should be placed in their respective entity folders (for example, `ui/tests/providers/providers-page.ts`).
-   - Page models for external pages (not part of Prowler App) should be grouped in the `external` folder (for example, `ui/tests/external/github-page.ts`).
-   - This approach improves readability, reduces duplication, and makes refactors safer.
-
-4. **Reuse authentication states (StorageState)**
-   - Multiple authentication setup projects are available that generate pre-authenticated state files stored in `playwright/.auth/`. Each project requires specific environment variables:
-     - `admin.auth.setup` – Admin users with full system permissions (requires `E2E_ADMIN_USER` / `E2E_ADMIN_PASSWORD`)
-     - `manage-scans.auth.setup` – Users with scan management permissions (requires `E2E_MANAGE_SCANS_USER` / `E2E_MANAGE_SCANS_PASSWORD`)
-     - `manage-integrations.auth.setup` – Users with integration management permissions (requires `E2E_MANAGE_INTEGRATIONS_USER` / `E2E_MANAGE_INTEGRATIONS_PASSWORD`)
-     - `manage-account.auth.setup` – Users with account management permissions (requires `E2E_MANAGE_ACCOUNT_USER` / `E2E_MANAGE_ACCOUNT_PASSWORD`)
-     - `manage-cloud-providers.auth.setup` – Users with cloud provider management permissions (requires `E2E_MANAGE_CLOUD_PROVIDERS_USER` / `E2E_MANAGE_CLOUD_PROVIDERS_PASSWORD`)
-     - `unlimited-visibility.auth.setup` – Users with unlimited visibility permissions (requires `E2E_UNLIMITED_VISIBILITY_USER` / `E2E_UNLIMITED_VISIBILITY_PASSWORD`)
-     - `invite-and-manage-users.auth.setup` – Users with user invitation and management permissions (requires `E2E_INVITE_AND_MANAGE_USERS_USER` / `E2E_INVITE_AND_MANAGE_USERS_PASSWORD`)
-   <Note>
-   If fixtures have been applied (fixtures are used to populate the database with initial development data), you can use the user `e2e@prowler.com` with password `Thisisapassword123@` to configure the Admin credentials by setting `E2E_ADMIN_USER=e2e@prowler.com` and `E2E_ADMIN_PASSWORD=Thisisapassword123@`.
-   </Note>
-
-   - Within test files, use `test.use({ storageState: "playwright/.auth/admin_user.json" })` to load the pre-authenticated state, avoiding redundant authentication steps in each test. This must be placed at the test level (not inside the test function) to apply the authentication state to all tests in that scope. This approach is preferred over declaring dependencies in `playwright.config.ts` because it provides more control over which authentication states are used in specific tests.
-
-     **Example:**
-
-     ```typescript
-     // Use admin authentication state for all tests in this scope
-     test.use({ storageState: "playwright/.auth/admin_user.json" });
-
-     test("should perform admin action", async ({ page }) => {
-       // Test implementation
-     });
-     ```
-
-5. **Tag and document scenarios**
-   - Follow the existing naming convention for suites and test cases (for example, `SCANS-E2E-001`, `PROVIDER-E2E-003`) and use tags such as `@e2e`, `@serial` and feature tags (for example, `@providers`, `@scans`,`@aws`) to filter and organize tests.
-
-   **Example:**
-     ```typescript
-     test(
-       "should add a new AWS provider with static credentials",
-       {
-         tag: [
-           "@critical",
-           "@e2e",
-           "@providers",
-           "@aws",
-           "@serial",
-           "@PROVIDER-E2E-001",
-         ],
-       },
-       async ({ page }) => {
-         // Test implementation
-       }
-     );
-     ```
-   -  Document each one in the Markdown files under `ui/tests`, including **Priority**, **Tags**, **Description**, **Preconditions**, **Flow steps**, **Expected results**,**Key verification points** and **Notes**.
-
-   **Example**
-   ```Markdown
-   ## Test Case: `SCANS-E2E-001` - Execute On-Demand Scan
-
-   **Priority:** `critical`
-
-   **Tags:**
-
-   - type → @e2e, @serial
-   - feature → @scans
-
-   **Description/Objective:** Validates the complete flow to execute an on-demand scan selecting a provider by UID and confirming success on the Scans page.
-
-   **Preconditions:**
-
-   - Admin user authentication required (admin.auth.setup setup)
-   - Environment variables configured for : E2E_AWS_PROVIDER_ACCOUNT_ID,E2E_AWS_PROVIDER_ACCESS_KEY and E2E_AWS_PROVIDER_SECRET_KEY
-   - Remove any existing AWS provider with the same Account ID before starting the test
-   - This test must be run serially and never in parallel with other tests, as it requires the Account ID Provider to be already registered.
-
-   ### Flow Steps:
-
-   1. Navigate to Scans page
-   2. Open provider selector and choose the entry whose text contains E2E_AWS_PROVIDER_ACCOUNT_ID
-   3. Optionally fill scan label (alias)
-   4. Click "Start now" to launch the scan
-   5. Verify the success toast appears
-   6. Verify a row in the Scans table contains the provided scan label (or shows the new scan entry)
-
-   ### Expected Result:
-
-   - Scan is launched successfully
-   - Success toast is displayed to the user
-   - Scans table displays the new scan entry (including the alias when provided)
-
-   ### Key verification points:
-
-   - Scans page loads correctly
-   - Provider select is available and lists the configured provider UID
-   - "Start now" button is rendered and enabled when form is valid
-   - Success toast message: "The scan was launched successfully."
-   - Table contains a row with the scan label or new scan state (queued/available/executing)
-
-   ### Notes:
-
-   - The table may take a short time to reflect the new scan; assertions look for a row containing the alias.
-   - Provider cleanup performed before each test to ensure clean state
-   - Tests should run serially to avoid state conflicts.
-
-   ```
-
-6. **Use environment variables for secrets and dynamic data**
-   Credentials, provider identifiers, secrets, tokens must come from environment variables (for example, `E2E_AWS_PROVIDER_ACCOUNT_ID`, `E2E_AWS_PROVIDER_ACCESS_KEY`, `E2E_AWS_PROVIDER_SECRET_KEY`, `E2E_GCP_PROJECT_ID`).
-
-   <Warning>
-   Never commit real secrets, tokens, or account IDs to the repository.
-   </Warning>
-
-7. **Keep tests deterministic and isolated**
-   - Use Playwright's `test.beforeEach()` and `test.afterEach()` hooks to manage test state:
-     - **`test.beforeEach()`**: Execute cleanup or setup logic before each test runs (for example, delete existing providers with a specific account ID to ensure a clean state).
-     - **`test.afterEach()`**: Execute cleanup logic after each test completes (for example, remove test data created during the test execution to prevent interference with subsequent tests).
-   - Define tests as serial using `test.describe.serial()` when they share state or resources that could interfere with parallel execution (for example, tests that use the same provider account ID or create dependent resources). This ensures tests within the serial group run sequentially, preventing race conditions and data conflicts.
-   - Use unique identifiers (for example, random suffixes for emails or labels) to prevent data collisions.
-
-8. **Use explicit waiting strategies**
-   - Avoid using `waitForLoadState('networkidle')` as it is unreliable and can lead to flaky tests or unnecessary delays.
-   - Leverage Playwright's auto-waiting capabilities by waiting for specific elements to be actionable (for example, `locator.click()`, `locator.fill()`, `locator.waitFor()`).
-   - **Prioritize selector strategies**: Prefer `page.getByRole()` over other approaches like `page.getByText()`. `getByRole()` is more resilient to UI changes, aligns with accessibility best practices, and better reflects how users interact with the application (by role and accessible name rather than implementation details).
-   - For dynamic content, wait for specific UI elements that indicate the page is ready (for example, button becoming enabled, a specific text appearing, etc).
-   - This approach makes tests more reliable, faster, and aligned with how users actually interact with the application.
-
-   **Common waiting patterns used in Prowler E2E tests:**
-
-   - **Element visibility assertions**: Use `expect(locator).toBeVisible()` or `expect(locator).not.toBeVisible()` to wait for elements to appear or disappear (Playwright automatically waits for these conditions).
-
-   - **URL changes**: Use `expect(page).toHaveURL(url)` or `page.waitForURL(url)` to wait for navigation to complete.
-
-   - **Element states**: Use `locator.waitFor({ state: "visible" })` or `locator.waitFor({ state: "hidden" })` when you need explicit state control.
-
-   - **Text content**: Use `expect(locator).toHaveText(text)` or `expect(locator).toContainText(text)` to wait for specific text to appear.
-
-   - **Element attributes**: Use `expect(locator).toHaveAttribute(name, value)` to wait for attributes like `aria-disabled="false"` indicating a button is enabled.
-
-   - **Custom conditions**: Use `page.waitForFunction(() => condition)` for complex conditions that cannot be expressed with locators (for example, checking DOM element dimensions or computed styles).
-
-   - **Retryable assertions**: Use `expect(async () => { ... }).toPass({ timeout })` for conditions that may take time to stabilize (for example, waiting for table rows to filter after a server request).
-
-   - **Scroll into view**: Use `locator.scrollIntoViewIfNeeded()` before interacting with elements that may be outside the viewport.
-
-   **Example from Prowler tests:**
-
-   ```typescript
-   // Wait for page to load by checking main content is visible
-   await expect(page.locator("main")).toBeVisible();
-
-   // Wait for URL change after form submission
-   await expect(page).toHaveURL("/providers");
-
-   // Wait for button to become enabled
-   await expect(submitButton).toHaveAttribute("aria-disabled", "false");
-
-   // Wait for loading spinner to disappear
-   await expect(page.getByText("Loading")).not.toBeVisible();
-
-   // Wait for custom condition
-   await page.waitForFunction(() => {
-     const main = document.querySelector("main");
-     return main && main.offsetHeight > 0;
-   });
-
-   // Wait for retryable condition (e.g., table filtering)
-   await expect(async () => {
-     const rowCount = await tableRows.count();
-     expect(rowCount).toBeLessThanOrEqual(1);
-   }).toPass({ timeout: 20000 });
-   ```
-
-## Running Prowler Tests
-
-E2E tests for Prowler App run from the `ui` project using Playwright. The Playwright configuration lives in `ui/playwright.config.ts` and defines:
-
- `testDir: "./tests"` – location of E2E test files (relative to the `ui` project root, so `ui/tests`).
- `webServer` – how to start the Next.js development server and connect to Prowler API.
- `use.baseURL` – base URL for browser interactions (defaults to `http://localhost:3000` or `AUTH_URL` if set).
- `reporter: [["list"]]` – uses the list reporter to display test results in a concise format in the terminal. Other reporter options are available (for example, `html`, `json`, `junit`, `github`), and multiple reporters can be configured simultaneously. See the [Playwright reporter documentation](https://playwright.dev/docs/test-reporters) for all available options.
- `expect.timeout: 20000` – timeout for assertions (20 seconds). This is the maximum time Playwright will wait for an assertion to pass before considering it failed.
- **Test artifacts** (in `use` configuration): By default, `trace`, `screenshot`, and `video` are set to `"off"` to minimize resource usage. To review test failures or debug issues, these can be enabled in `playwright.config.ts` by changing them to `"on"`, `"on-first-retry"`, or `"retain-on-failure"` depending on your needs.
- `outputDir: "/tmp/playwright-tests"` – directory where Playwright stores test artifacts (screenshots, videos, traces) during test execution.
- **CI-specific configuration**: The configuration uses different settings when running in CI environments (detected via `process.env.CI`):
-  - **Retries**: `2` retries in CI (to handle flaky tests), `0` retries locally (for faster feedback during development).
-  - **Workers**: `1` worker in CI (sequential execution for stability), `undefined` locally (parallel execution by default for faster test runs).
-
-### Prerequisites
-
-Before running E2E tests:
-
- **Install root and UI dependencies**
-  - Follow the [developer guide introduction](/developer-guide/introduction#getting-the-code-and-installing-all-dependencies) to clone the repository and install core dependencies.
-  - From the `ui` directory, install frontend dependencies:
-
-    ```bash
-    cd ui
-    pnpm install
-    pnpm run test:e2e:install  # Install Playwright browsers
-    ```
-
- **Ensure Prowler API is available**
-  - By default, Playwright uses `NEXT_PUBLIC_API_BASE_URL=http://localhost:8080/api/v1` (configured in `playwright.config.ts`).
-  - Start Prowler API so it is reachable on that URL (for example, via `docker-compose-dev.yml` or the development orchestration used locally).
-  - If a different API URL is required, set `NEXT_PUBLIC_API_BASE_URL` accordingly before running the tests.
-
- **Ensure Prowler App UI is available**
-  - Playwright automatically starts the Next.js server through the `webServer` block in `playwright.config.ts` (`pnpm run dev` by default).
-  - If the UI is already running on `http://localhost:3000`, Playwright will reuse the existing server when `reuseExistingServer` is `true`.
-
- **Configure E2E environment variables**
-  - Suite-specific variables (for example, provider account IDs, credentials, and E2E user data) must be provided before running tests.
-  - They can be defined either:
-    - As exported environment variables in the shell before executing the Playwright commands, or
-    - In a `.env.local` or `.env` file under `ui/`, and then loaded into the shell before running tests, for example:
-
-      ```bash
-      cd ui
-      set -a
-      source .env.local  # or .env
-      set +a
-      ```
-  - Refer to the Markdown documentation files in `ui/tests` for each E2E suite (for example, the `*.md` files that describe sign-up, providers, scans, invitations, and other flows) to see the exact list of required variables and their meaning.
-  - Each E2E test suite explicitly checks that its required environment variables are defined at runtime and will fail with a clear error message if any mandatory variable is missing, making misconfiguration easy to detect.
-
-### Executing Tests
-
-To execute E2E tests for Prowler App:
-
-1. **Run the full E2E suite (headless)**
-
-   From the `ui` directory:
-
-   ```bash
-   pnpm run test:e2e
-   ```
-
-   This command runs Playwright with the configured projects
-
-2. **Run E2E tests with the Playwright UI runner**
-
-   ```bash
-   pnpm run test:e2e:ui
-   ```
-
-   This opens the Playwright test runner UI to inspect, debug, and rerun specific tests or projects.
-
-3. **Debug E2E tests interactively**
-
-   ```bash
-   pnpm run test:e2e:debug
-   ```
-
-   Use this mode to step through flows, inspect selectors, and adjust timings. It runs tests in headed mode with debugging tools enabled.
-
-4. **Run tests in headed mode without debugger**
-
-   ```bash
-   pnpm run test:e2e:headed
-   ```
-
-   This is useful to visually confirm flows while still running the full suite.
-
-5. **View previous test reports**
-
-   ```bash
-   pnpm run test:e2e:report
-   ```
-
-   This opens the latest Playwright HTML report, including traces and screenshots when enabled.
-
-6. **Run specific tests or subsets**
-
-   In addition to the predefined scripts, Playwright allows filtering which tests run. These examples use the Playwright CLI directly through `pnpm`:
-
-   - **By test ID (`@ID` in the test metadata or description)**
-
-     To run a single test case identified by its ID (for example, `@PROVIDER-E2E-001` or `@SCANS-E2E-001`):
-
-     ```bash
-     pnpm playwright test --grep @PROVIDER-E2E-001
-     ```
-
-   - **By tags**
-
-     To run all tests that share a common tag (for example, all provider E2E tests tagged with `@providers`):
-
-     ```bash
-     pnpm playwright test --grep @providers
-     ```
-
-     This is useful to focus on a specific feature area such as providers, scans, invitations, or sign-up.
-
-   - **By Playwright project**
-
-     To run only the tests associated with a given project defined in `playwright.config.ts` (for example, `providers` or `scans`):
-
-     ```bash
-     pnpm playwright test --project=providers
-     ```
-
-     Combining project and grep filters is also supported, enabling very narrow runs (for example, a single test ID within the `providers` project). For additional CLI options and combinations, see the [Playwright command line documentation](https://playwright.dev/docs/test-cli).
-
-<Note>
-For detailed flows, preconditions, and environment variable requirements per feature, always refer to the Markdown files in `ui/tests`. Those documents are the single source of truth for business expectations and validation points in each E2E suite.
-</Note>
@@ -6,10 +6,6 @@ Thanks for your interest in contributing to Prowler!

 Prowler can be extended in various ways. This guide provides the different ways to contribute and how to get started.

-<Warning>
-Maintainers will assess whether a change fits the project roadmap and scope before merging.
-</Warning>
-
 ## Contributing to Prowler

 ### Review Current Issues
@@ -36,9 +32,6 @@ Prowler is constantly evolving. Contributions to checks, services, or integratio
  <Card title="Adding New Providers" icon="cloud" href="/developer-guide/provider">
    If you would like to extend Prowler to work with a new cloud provider, this typically involves setting up new services and checks to ensure compatibility.
  </Card>
-  <Card title="Adding New Compliance Frameworks" icon="scale-balanced" href="/developer-guide/security-compliance-framework">
-    Need to ensure Prowler supports a specific compliance framework? Add new security compliance frameworks to map checks against regulatory or industry standards.
-  </Card>
  <Card title="Adding New Output Formats" icon="file" href="/developer-guide/outputs">
    Want to tailor how results are displayed or exported? You can add custom output formats.
  </Card>
@@ -220,4 +213,4 @@ pipx install "git+https://github.com/prowler-cloud/prowler.git@branch-name"

 Replace `branch-name` with the name of the branch you want to test. This will install Prowler in an isolated environment, allowing you to try out the changes safely.

-For more details on testing go to the [Testing section](/developer-guide/unit-testing) of this documentation.
+For more details on testing go to the [Testing section](/developer-guide/unit-testing) of this documentation.
@@ -1,407 +0,0 @@
---
-title: 'Lighthouse AI Architecture'
---
-
-This document describes the internal architecture of Prowler Lighthouse AI, enabling developers to understand how components interact and where to add new functionality.
-
-<Info>
-**Looking for user documentation?** See:
- [Lighthouse AI Overview](/getting-started/products/prowler-lighthouse-ai) - Capabilities and FAQs
- [How Lighthouse AI Works](/user-guide/tutorials/prowler-app-lighthouse) - Configuration and usage
- [Multi-LLM Provider Setup](/user-guide/tutorials/prowler-app-lighthouse-multi-llm) - Provider configuration
-</Info>
-
-## Architecture Overview
-
-Lighthouse AI operates as a Langchain-based agent that connects Large Language Models (LLMs) with Prowler security data through the Model Context Protocol (MCP).
-
-<img className="block dark:hidden" src="/images/lighthouse-architecture-light.png" alt="Prowler Lighthouse Architecture" />
-<img className="hidden dark:block" src="/images/lighthouse-architecture-dark.png" alt="Prowler Lighthouse Architecture" />
-
-### Three-Tier Architecture
-
-The system follows a three-tier architecture:
-
-1. **Frontend (Next.js)**: Chat interface, message rendering, model selection
-2. **API Route**: Request handling, authentication, stream transformation
-3. **Langchain Agent**: LLM orchestration, tool calling through MCP
-
-### Request Flow
-
-When a user sends a message through the Lighthouse chat interface, the system processes it through several stages:
-
-1. **User Submits a Message**.
-   The chat component (`ui/components/lighthouse/chat.tsx`) captures the user's question (e.g., "What are my critical findings in AWS?") and sends it as an HTTP POST request to the backend API route.
-
-2. **Authentication and Context Assembly**.
-   The API route (`ui/app/api/lighthouse/analyst/route.ts`) validates the user's session, extracts the JWT token (stored via `auth-context.ts`), and gathers context including the tenant's business context and current security posture data (assembled in `data.ts`).
-
-3. **Agent Initialization**.
-   The workflow orchestrator (`ui/lib/lighthouse/workflow.ts`) creates a Langchain agent configured with:
-   - The selected LLM, instantiated through the factory (`llm-factory.ts`)
-   - A system prompt containing available tools and instructions (`system-prompt.ts`)
-   - Two meta-tools (`describe_tool` and `execute_tool`) for accessing Prowler data
-
-4. **LLM Reasoning and Tool Calling**.
-   The agent sends the conversation to the LLM, which decides whether to respond directly or call tools to fetch data. When tools are needed, the meta-tools in `ui/lib/lighthouse/tools/meta-tool.ts` interact with the MCP client (`mcp-client.ts`) to:
-   - First call `describe_tool` to understand the tool's parameters
-   - Then call `execute_tool` to retrieve data from the MCP Server
-   - Continue reasoning with the returned data
-
-5. **Streaming Response**.
-   As the LLM generates its response, the stream handler (`ui/lib/lighthouse/analyst-stream.ts`) transforms Langchain events into UI-compatible messages and streams tokens back to the browser in real-time using Server-Sent Events. The stream includes both text tokens and tool execution events (displayed as "chain of thought").
-
-6. **Message Rendering**.
-   The frontend receives the stream and renders it through `message-item.tsx` with markdown formatting. Any tool calls that occurred during reasoning are displayed via `chain-of-thought-display.tsx`.
-
-## Frontend Components
-
-Frontend components reside in `ui/components/lighthouse/` and handle the chat interface and configuration workflows.
-
-### Core Components
-
-| Component | Location | Purpose |
-|-----------|----------|---------|
-| `chat.tsx` | `ui/components/lighthouse/` | Main chat interface managing message history and input handling |
-| `message-item.tsx` | `ui/components/lighthouse/` | Individual message rendering with markdown support |
-| `select-model.tsx` | `ui/components/lighthouse/` | Model and provider selection dropdown |
-| `chain-of-thought-display.tsx` | `ui/components/lighthouse/` | Displays tool calls and reasoning steps during execution |
-
-### Configuration Components
-
-| Component | Location | Purpose |
-|-----------|----------|---------|
-| `lighthouse-settings.tsx` | `ui/components/lighthouse/` | Settings panel for business context and preferences |
-| `connect-llm-provider.tsx` | `ui/components/lighthouse/` | Provider connection workflow |
-| `llm-providers-table.tsx` | `ui/components/lighthouse/` | Provider management table |
-| `forms/delete-llm-provider-form.tsx` | `ui/components/lighthouse/forms/` | Provider deletion confirmation dialog |
-
-### Supporting Components
-
-| Component | Location | Purpose |
-|-----------|----------|---------|
-| `banner.tsx` / `banner-client.tsx` | `ui/components/lighthouse/` | Status banners and notifications |
-| `workflow/` | `ui/components/lighthouse/workflow/` | Multi-step configuration workflows |
-| `ai-elements/` | `ui/components/lighthouse/ai-elements/` | Custom UI primitives for chat interface (input, select, dropdown, tooltip) |
-
-## Library Code
-
-Core library code resides in `ui/lib/lighthouse/` and handles agent orchestration, MCP communication, and stream processing.
-
-### Workflow Orchestrator
-
-**Location:** `ui/lib/lighthouse/workflow.ts`
-
-The workflow module serves as the core orchestrator, responsible for:
-
- Initializing the Langchain agent with system prompt and tools
- Loading tenant configuration (default provider, model, business context)
- Creating the LLM instance through the factory
- Generating dynamic tool listings from available MCP tools
-
-```typescript
-// Simplified workflow initialization
-export async function initLighthouseWorkflow(runtimeConfig?: RuntimeConfig) {
-  await initializeMCPClient();
-
-  const toolListing = generateToolListing();
-  const systemPrompt = LIGHTHOUSE_SYSTEM_PROMPT_TEMPLATE.replace(
-    "{{TOOL_LISTING}}",
-    toolListing,
-  );
-
-  const llm = createLLM({
-    provider: providerType,
-    model: modelId,
-    credentials,
-    // ...
-  });
-
-  return createAgent({
-    model: llm,
-    tools: [describeTool, executeTool],
-    systemPrompt,
-  });
-}
-```
-
-### MCP Client Manager
-
-**Location:** `ui/lib/lighthouse/mcp-client.ts`
-
-The MCP client manages connections to the Prowler MCP Server using a singleton pattern:
-
- **Connection Management**: Retry logic with configurable attempts and delays
- **Tool Discovery**: Fetches available tools from MCP server on initialization
- **Authentication Injection**: Automatically adds JWT tokens to `prowler_app_*` tool calls
- **Reconnection**: Supports forced reconnection after server restarts
-
-Key constants:
- `MAX_RETRY_ATTEMPTS`: 3 connection attempts
- `RETRY_DELAY_MS`: 2000ms between retries
- `RECONNECT_INTERVAL_MS`: 5 minutes before retry after failure
-
-```typescript
-// Authentication injection for Prowler App tools
-private handleBeforeToolCall = ({ name, args }) => {
-  // Only inject auth for prowler_app_* tools (user-specific data)
-  if (!name.startsWith("prowler_app_")) {
-    return { args };
-  }
-
-  const accessToken = getAuthContext();
-  return {
-    args,
-    headers: { Authorization: `Bearer ${accessToken}` },
-  };
-};
-```
-
-### Meta-Tools
-
-**Location:** `ui/lib/lighthouse/tools/meta-tool.ts`
-
-Instead of registering all MCP tools directly with the agent, Lighthouse uses two meta-tools for dynamic tool discovery and execution:
-
-| Tool | Purpose |
-|------|---------|
-| `describe_tool` | Retrieves full schema and parameter details for a specific tool |
-| `execute_tool` | Executes a tool with provided parameters |
-
-This pattern reduces the number of tools the LLM must track while maintaining access to all MCP capabilities.
-
-### Additional Library Modules
-
-| Module | Location | Purpose |
-|--------|----------|---------|
-| `analyst-stream.ts` | `ui/lib/lighthouse/` | Transforms Langchain stream events to UI message format |
-| `llm-factory.ts` | `ui/lib/lighthouse/` | Creates LLM instances for OpenAI, Bedrock, and OpenAI-compatible providers |
-| `system-prompt.ts` | `ui/lib/lighthouse/` | System prompt template with dynamic tool listing injection |
-| `auth-context.ts` | `ui/lib/lighthouse/` | AsyncLocalStorage for JWT token propagation across async boundaries |
-| `types.ts` | `ui/lib/lighthouse/` | TypeScript type definitions |
-| `constants.ts` | `ui/lib/lighthouse/` | Configuration constants and error messages |
-| `utils.ts` | `ui/lib/lighthouse/` | Message conversion and model parameter extraction |
-| `validation.ts` | `ui/lib/lighthouse/` | Input validation utilities |
-| `data.ts` | `ui/lib/lighthouse/` | Current data section generation for context enrichment |
-
-## API Route
-
-**Location:** `ui/app/api/lighthouse/analyst/route.ts`
-
-The API route handles chat requests and manages the streaming response pipeline:
-
-1. **Request Parsing**: Extracts messages, model, and provider from request body
-2. **Authentication**: Validates session and extracts access token
-3. **Context Assembly**: Gathers business context and current data
-4. **Agent Initialization**: Creates Langchain agent with runtime configuration
-5. **Stream Processing**: Transforms agent events to UI-compatible format
-6. **Error Handling**: Captures errors with Sentry integration
-
-```typescript
-export async function POST(req: Request) {
-  const { messages, model, provider } = await req.json();
-
-  const session = await auth();
-  if (!session?.accessToken) {
-    return Response.json({ error: "Unauthorized" }, { status: 401 });
-  }
-
-  return await authContextStorage.run(accessToken, async () => {
-    const app = await initLighthouseWorkflow(runtimeConfig);
-    const agentStream = app.streamEvents({ messages }, { version: "v2" });
-
-    // Transform stream events to UI format
-    const stream = new ReadableStream({
-      async start(controller) {
-        for await (const streamEvent of agentStream) {
-          // Handle on_chat_model_stream, on_tool_start, on_tool_end, etc.
-        }
-      },
-    });
-
-    return createUIMessageStreamResponse({ stream });
-  });
-}
-```
-
-## Backend Components
-
-Backend components handle LLM provider configuration, model management, and credential storage.
-
-### Database Models
-
-**Location:** `api/src/backend/api/models.py`
-
-| Model | Purpose |
-|-------|---------|
-| `LighthouseProviderConfiguration` | Per-tenant LLM provider credentials (encrypted with Fernet) |
-| `LighthouseTenantConfiguration` | Tenant-level settings including business context and default provider/model |
-| `LighthouseProviderModels` | Available models per provider configuration |
-
-All models implement Row-Level Security (RLS) for tenant isolation.
-
-#### LighthouseProviderConfiguration
-
-Stores provider-specific credentials for each tenant:
-
- **provider_type**: `openai`, `bedrock`, or `openai_compatible`
- **credentials**: Encrypted JSON containing API keys or AWS credentials
- **base_url**: Custom endpoint for OpenAI-compatible providers
- **is_active**: Connection validation status
-
-#### LighthouseTenantConfiguration
-
-Stores tenant-wide Lighthouse settings:
-
- **business_context**: Optional context for personalized responses
- **default_provider**: Default LLM provider type
- **default_models**: JSON mapping provider types to default model IDs
-
-#### LighthouseProviderModels
-
-Catalogs available models for each provider:
-
- **model_id**: Provider-specific model identifier
- **model_name**: Human-readable display name
- **default_parameters**: Optional model-specific parameters
-
-### Background Jobs
-
-**Location:** `api/src/backend/tasks/jobs/lighthouse_providers.py`
-
-#### check_lighthouse_provider_connection
-
-Validates provider credentials by making a test API call:
-
- OpenAI: Lists models via `client.models.list()`
- Bedrock: Lists foundation models via `bedrock_client.list_foundation_models()`
- OpenAI-compatible: Lists models via custom base URL
-
-Updates `is_active` status based on connection result.
-
-#### refresh_lighthouse_provider_models
-
-Synchronizes available models from provider APIs:
-
- Fetches current model catalog from provider
- Filters out non-chat models (DALL-E, Whisper, TTS, embeddings)
- Upserts model records in `LighthouseProviderModels`
- Removes stale models no longer available
-
-**Excluded OpenAI model prefixes:**
-```python
-EXCLUDED_OPENAI_MODEL_PREFIXES = (
-    "dall-e", "whisper", "tts-", "sora",
-    "text-embedding", "text-moderation",
-    # Legacy models
-    "text-davinci", "davinci", "curie", "babbage", "ada",
-)
-```
-
-## MCP Server Integration
-
-Lighthouse AI communicates with the Prowler MCP Server to access security data. For detailed MCP Server architecture, see [Extending the MCP Server](/developer-guide/mcp-server).
-
-### Tool Namespacing
-
-MCP tools are organized into three namespaces based on authentication requirements:
-
-| Namespace | Auth Required | Description |
-|-----------|---------------|-------------|
-| `prowler_app_*` | Yes (JWT) | Prowler Cloud/App tools for findings, providers, scans, resources |
-| `prowler_hub_*` | No | Security checks catalog, compliance frameworks |
-| `prowler_docs_*` | No | Documentation search and retrieval |
-
-### Authentication Flow
-
-1. User authenticates with Prowler App, receiving a JWT token
-2. Token is stored in session and propagated via `authContextStorage`
-3. MCP client injects `Authorization: Bearer <token>` header for `prowler_app_*` calls
-4. MCP Server validates token and applies RLS filtering
-
-### Tool Execution Pattern
-
-The agent uses meta-tools rather than direct tool registration:
-
-```
-Agent needs data → describe_tool("prowler_app_search_findings")
-    → Returns parameter schema → execute_tool with parameters
-    → MCP client adds auth header → MCP Server executes
-    → Results returned to agent → Agent continues reasoning
-```
-
-## Extension Points
-
-### Adding New LLM Providers
-
-To add a new LLM provider:
-
-1. **Frontend**: Update `ui/lib/lighthouse/llm-factory.ts` with provider-specific initialization
-2. **Backend**: Add provider type to `LighthouseProviderConfiguration.LLMProviderChoices`
-3. **Jobs**: Add credential extraction and model fetching in `lighthouse_providers.py`
-4. **UI**: Add connection workflow in `ui/components/lighthouse/workflow/`
-
-### Modifying System Prompt
-
-The system prompt template lives in `ui/lib/lighthouse/system-prompt.ts`. The `{{TOOL_LISTING}}` placeholder is dynamically replaced with available MCP tools during agent initialization.
-
-### Adding Stream Events
-
-To handle new Langchain stream events, modify `ui/lib/lighthouse/analyst-stream.ts`. Current handlers include:
-
- `on_chat_model_stream`: Token-by-token text streaming
- `on_chat_model_end`: Model completion with tool call detection
- `on_tool_start`: Tool execution started
- `on_tool_end`: Tool execution completed
-
-### Adding MCP Tools
-
-See [Extending the MCP Server](/developer-guide/mcp-server) for detailed instructions on adding new tools to the Prowler MCP Server.
-
-## Configuration
-
-### Environment Variables
-
-| Variable | Description |
-|----------|-------------|
-| `PROWLER_MCP_SERVER_URL` | MCP server endpoint (e.g., `https://mcp.prowler.com/mcp`) |
-
-### Database Configuration
-
-Provider credentials are stored encrypted in `LighthouseProviderConfiguration`:
-
- **OpenAI**: `{"api_key": "sk-..."}`
- **Bedrock**: `{"access_key_id": "...", "secret_access_key": "...", "region": "us-east-1"}` or `{"api_key": "...", "region": "us-east-1"}`
- **OpenAI-compatible**: `{"api_key": "..."}` with `base_url` field
-
-### Tenant Configuration
-
-Business context and default settings are stored in `LighthouseTenantConfiguration`:
-
-```python
-{
-    "business_context": "Optional organization context for personalized responses",
-    "default_provider": "openai",
-    "default_models": {
-        "openai": "gpt-4o",
-        "bedrock": "anthropic.claude-3-5-sonnet-20240620-v1:0"
-    }
-}
-```
-
-## Related Documentation
-
-<CardGroup cols={2}>
-  <Card title="MCP Server Extension" icon="wrench" href="/developer-guide/mcp-server">
-    Adding new tools to the Prowler MCP Server
-  </Card>
-  <Card title="Lighthouse AI Overview" icon="robot" href="/getting-started/products/prowler-lighthouse-ai">
-    Capabilities, FAQs, and limitations
-  </Card>
-  <Card title="Multi-LLM Setup" icon="sliders" href="/user-guide/tutorials/prowler-app-lighthouse-multi-llm">
-    Configuring multiple LLM providers
-  </Card>
-  <Card title="How Lighthouse Works" icon="gear" href="/user-guide/tutorials/prowler-app-lighthouse">
-    User-facing architecture and setup guide
-  </Card>
-</CardGroup>
@@ -0,0 +1,140 @@
+---
+title: 'Extending Prowler Lighthouse AI'
+---
+
+This guide helps developers customize and extend Prowler Lighthouse AI by adding or modifying AI agents.
+
+## Understanding AI Agents
+
+AI agents combine Large Language Models (LLMs) with specialized tools that provide environmental context. These tools can include API calls, system command execution, or any function-wrapped capability.
+
+### Types of AI Agents
+
+AI agents fall into two main categories:
+
+- **Autonomous Agents**: Freely chooses from available tools to complete tasks, adapting their approach based on context. They decide which tools to use and when.
+- **Workflow Agents**: Follows structured paths with predefined logic. They execute specific tool sequences and can include conditional logic.
+
+Prowler Lighthouse AI is an autonomous agent - selecting the right tool(s) based on the users query.
+
+<Note>
+To learn more about AI agents, read [Anthropic's blog post on building effective agents](https://www.anthropic.com/engineering/building-effective-agents).
+
+</Note>
+### LLM Dependency
+
+The autonomous nature of agents depends on the underlying LLM. Autonomous agents using identical system prompts and tools but powered by different LLM providers might approach user queries differently. Agent with one LLM might solve a problem efficiently, while with another it might take a different route or fail entirely.
+
+After evaluating multiple LLM providers (OpenAI, Gemini, Claude, LLama) based on tool calling features and response accuracy, we recommend using the `gpt-4o` model.
+
+## Prowler Lighthouse AI Architecture
+
+Prowler Lighthouse AI uses a multi-agent architecture orchestrated by the [Langgraph-Supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor) library.
+
+### Architecture Components
+
+<img src="/images/prowler-app/lighthouse-architecture.png" alt="Prowler Lighthouse architecture" />
+
+Prowler Lighthouse AI integrates with the NextJS application:
+
+- The [Langgraph-Supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor) library integrates directly with NextJS
+- The system uses the authenticated user session to interact with the Prowler API server
+- Agents only access data the current user is authorized to view
+- Session management operates automatically, ensuring Role-Based Access Control (RBAC) is maintained
+
+## Available Prowler AI Agents
+
+The following specialized AI agents are available in Prowler:
+
+### Agent Overview
+
+- **provider_agent**: Fetches information about cloud providers connected to Prowler
+- **user_info_agent**: Retrieves information about Prowler users
+- **scans_agent**: Fetches information about Prowler scans
+- **compliance_agent**: Retrieves compliance overviews across scans
+- **findings_agent**: Fetches information about individual findings across scans
+- **overview_agent**: Retrieves overview information (providers, findings by status and severity, etc.)
+
+## How to Add New Capabilities
+
+### Updating the Supervisor Prompt
+
+The supervisor agent controls system behavior, tone, and capabilities. You can find the supervisor prompt at: [https://github.com/prowler-cloud/prowler/blob/master/ui/lib/lighthouse/prompts.ts](https://github.com/prowler-cloud/prowler/blob/master/ui/lib/lighthouse/prompts.ts)
+
+#### Supervisor Prompt Modifications
+
+Modifying the supervisor prompt allows you to:
+
+- Change personality or response style
+- Add new high-level capabilities
+- Modify task delegation to specialized agents
+- Set up guardrails (query types to answer or decline)
+
+<Note>
+The supervisor agent should not have its own tools. This design keeps the system modular and maintainable.
+
+</Note>
+### How to Create New Specialized Agents
+
+The supervisor agent and all specialized agents are defined in the `route.ts` file. The supervisor agent uses [langgraph-supervisor](https://www.npmjs.com/package/@langchain/langgraph-supervisor), while other agents use the prebuilt [create-react-agent](https://langchain-ai.github.io/langgraphjs/how-tos/create-react-agent/).
+
+To add new capabilities or all Lighthouse AI to interact with other APIs, create additional specialized agents:
+
+1. First determine what the new agent would do. Create a detailed prompt defining the agent's purpose and capabilities. You can see an example from [here](https://github.com/prowler-cloud/prowler/blob/master/ui/lib/lighthouse/prompts.ts#L359-L385).
+<Note>
+Ensure that the new agent's capabilities don't collide with existing agents. For example, if there's already a *findings_agent* that talks to findings APIs don't create a new agent to do the same.
+
+</Note>
+2. Create necessary tools for the agents to access specific data or perform actions. A tool is a specialized function that extends the capabilities of LLM by allowing it to access external data or APIs. A tool is triggered by LLM based on the description of the tool and the user's query.
+For example, the description of `getScanTool` is "Fetches detailed information about a specific scan by its ID." If the description doesn't convey what the tool is capable of doing, LLM will not invoke the function. If the description of `getScanTool` was set to something random or not set at all, LLM will not answer queries like "Give me the critical issues from the scan ID xxxxxxxxxxxxxxx"
+<Note>
+Ensure that one tool is added to one agent only. Adding tools is optional. There can be agents with no tools at all.
+
+</Note>
+3. Use the `createReactAgent` function to define a new agent. For example, the rolesAgent name is "roles_agent" and has access to call tools "*getRolesTool*" and "*getRoleTool*"
+```js
+const rolesAgent = createReactAgent({
+  llm: llm,
+  tools: [getRolesTool, getRoleTool],
+  name: "roles_agent",
+  prompt: rolesAgentPrompt,
+});
+```
+
+4. Create a detailed prompt defining the agent's purpose and capabilities.
+
+5. Add the new agent to the available agents list:
+```js
+const agents = [
+  userInfoAgent,
+  providerAgent,
+  overviewAgent,
+  scansAgent,
+  complianceAgent,
+  findingsAgent,
+  rolesAgent,  // New agent added here
+];
+// Create supervisor workflow
+const workflow = createSupervisor({
+  agents: agents,
+  llm: supervisorllm,
+  prompt: supervisorPrompt,
+  outputMode: "last_message",
+});
+```
+
+6. Update the supervisor's system prompt to summarize the new agent's capabilities.
+
+### Best Practices for Agent Development
+
+When developing new agents or capabilities:
+
+- **Clear Responsibility Boundaries**: Each agent should have a defined purpose with minimal overlap. No two agents should access the same tools or different tools accessing the same Prowler APIs.
+- **Minimal Data Access**: Agents should only request the data they need, keeping requests specific to minimize context window usage, cost, and response time.
+- **Thorough Prompting:** Ensure agent prompts include clear instructions about:
+    - The agent's purpose and limitations
+    - How to use its tools
+    - How to format responses for the supervisor
+    - Error handling procedures (Optional)
+- **Security Considerations:** Agents should never modify data or access sensitive information like secrets or credentials.
+- **Testing:** Thoroughly test new agents with various queries before deploying to production.
@@ -220,7 +220,6 @@ The function returns a JSON file containing the list of regions for the provider
          "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"
        ],
        "aws-cn": ["cn-north-1", "cn-northwest-1"],
-        "aws-eusc": ["eusc-de-east-1"],
        "aws-us-gov": ["us-gov-east-1", "us-gov-west-1"]
      }
    }
@@ -19,9 +19,7 @@
        "groups": [
          {
            "group": "Welcome",
-            "pages": [
-              "introduction"
-            ]
+            "pages": ["introduction"]
          },
          {
            "group": "Prowler Cloud",
@@ -51,9 +49,7 @@
          },
          {
            "group": "Prowler Lighthouse AI",
-            "pages": [
-              "getting-started/products/prowler-lighthouse-ai"
-            ]
+            "pages": ["getting-started/products/prowler-lighthouse-ai"]
          },
          {
            "group": "Prowler MCP Server",
@@ -99,14 +95,7 @@
              },
              "user-guide/tutorials/prowler-app-rbac",
              "user-guide/tutorials/prowler-app-api-keys",
-              {
-                "group": "Mutelist",
-                "expanded": true,
-                "pages": [
-                  "user-guide/tutorials/prowler-app-simple-mutelist",
-                  "user-guide/tutorials/prowler-app-mute-findings"
-                ]
-              },
+              "user-guide/tutorials/prowler-app-mute-findings",
              {
                "group": "Integrations",
                "expanded": true,
@@ -160,9 +149,7 @@
              "user-guide/cli/tutorials/quick-inventory",
              {
                "group": "Tutorials",
-                "pages": [
-                  "user-guide/cli/tutorials/parallel-execution"
-                ]
+                "pages": ["user-guide/cli/tutorials/parallel-execution"]
              }
            ]
          },
@@ -250,9 +237,7 @@
              },
              {
                "group": "LLM",
-                "pages": [
-                  "user-guide/providers/llm/getting-started-llm"
-                ]
+                "pages": ["user-guide/providers/llm/getting-started-llm"]
              },
              {
                "group": "Oracle Cloud Infrastructure",
@@ -265,9 +250,7 @@
          },
          {
            "group": "Compliance",
-            "pages": [
-              "user-guide/compliance/tutorials/threatscore"
-            ]
+            "pages": ["user-guide/compliance/tutorials/threatscore"]
          }
        ]
      },
@@ -284,9 +267,8 @@
              "developer-guide/outputs",
              "developer-guide/integrations",
              "developer-guide/security-compliance-framework",
-              "developer-guide/lighthouse-architecture",
-              "developer-guide/mcp-server",
-              "developer-guide/ai-skills"
+              "developer-guide/lighthouse",
+              "developer-guide/mcp-server"
            ]
          },
          {
@@ -295,7 +277,6 @@
              "developer-guide/aws-details",
              "developer-guide/azure-details",
              "developer-guide/gcp-details",
-              "developer-guide/alibabacloud-details",
              "developer-guide/kubernetes-details",
              "developer-guide/m365-details",
              "developer-guide/github-details",
@@ -310,8 +291,7 @@
                "group": "Testing",
                "pages": [
                  "developer-guide/unit-testing",
-                  "developer-guide/integration-testing",
-                  "developer-guide/end2end-testing"
+                  "developer-guide/integration-testing"
                ]
              },
              "developer-guide/debugging",
@@ -324,21 +304,15 @@
      },
      {
        "tab": "Security",
-        "pages": [
-          "security"
-        ]
+        "pages": ["security"]
      },
      {
        "tab": "Contact Us",
-        "pages": [
-          "contact"
-        ]
+        "pages": ["contact"]
      },
      {
        "tab": "Troubleshooting",
-        "pages": [
-          "troubleshooting"
-        ]
+        "pages": ["troubleshooting"]
      },
      {
        "tab": "About Us",
@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 24 tools | Yes |
+| Prowler Cloud/App | 22 tools | Yes |

 ## Tool Naming Convention

@@ -80,24 +80,16 @@ Tools for managing finding muting, including pattern-based bulk muting (mutelist
 - **`prowler_app_update_mute_rule`** - Update a mute rule's name, reason, or enabled status
 - **`prowler_app_delete_mute_rule`** - Delete a mute rule from the system

-### Compliance Management
-
-Tools for viewing compliance status and framework details across all cloud providers.
-
- **`prowler_app_get_compliance_overview`** - Get high-level compliance status across all frameworks for a specific scan or provider, including pass/fail statistics per framework
- **`prowler_app_get_compliance_framework_state_details`** - Get detailed requirement-level breakdown for a specific compliance framework, including failed requirements and associated finding IDs
-
 ## Prowler Hub Tools

 Access Prowler's security check catalog and compliance frameworks. **No authentication required.**

-Tools follow a **two-tier pattern**: lightweight listing for browsing + detailed retrieval for complete information.
+### Check Discovery

-### Check Discovery and Details
-
- **`prowler_hub_list_checks`** - List security checks with lightweight data (id, title, severity, provider) and advanced filtering options
- **`prowler_hub_semantic_search_checks`** - Full-text search across check metadata with lightweight results
- **`prowler_hub_get_check_details`** - Get comprehensive details for a specific check including risk, remediation guidance, and compliance mappings
+- **`prowler_hub_get_checks`** - List security checks with advanced filtering options
+- **`prowler_hub_get_check_filters`** - Return available filter values for checks (providers, services, severities, categories, compliances)
+- **`prowler_hub_search_checks`** - Full-text search across check metadata
+- **`prowler_hub_get_check_raw_metadata`** - Fetch raw check metadata in JSON format

 ### Check Code

@@ -106,21 +98,20 @@ Tools follow a **two-tier pattern**: lightweight listing for browsing + detailed

 ### Compliance Frameworks

- **`prowler_hub_list_compliances`** - List compliance frameworks with lightweight data (id, name, provider) and filtering options
- **`prowler_hub_semantic_search_compliances`** - Full-text search across compliance frameworks with lightweight results
- **`prowler_hub_get_compliance_details`** - Get comprehensive compliance details including requirements and mapped checks
+- **`prowler_hub_get_compliance_frameworks`** - List and filter compliance frameworks
+- **`prowler_hub_search_compliance_frameworks`** - Full-text search across compliance frameworks

-### Providers Information
+### Provider Information

- **`prowler_hub_list_providers`** - List Prowler official providers
- **`prowler_hub_get_provider_services`** - Get available services for a specific provider
+- **`prowler_hub_list_providers`** - List Prowler official providers and their services
+- **`prowler_hub_get_artifacts_count`** - Get total count of checks and frameworks in Prowler Hub

 ## Prowler Documentation Tools

 Search and access official Prowler documentation. **No authentication required.**

- **`prowler_docs_search`** - Search the official Prowler documentation using full-text search with the `term` parameter
- **`prowler_docs_get_document`** - Retrieve the full markdown content of a specific documentation file using the path from search results
+- **`prowler_docs_search`** - Search the official Prowler documentation using full-text search
+- **`prowler_docs_get_document`** - Retrieve the full markdown content of a specific documentation file

 ## Usage Tips

@@ -115,15 +115,10 @@ To update the environment file:
 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.16.0"
-PROWLER_API_VERSION="5.16.0"
+PROWLER_UI_VERSION="5.9.0"
+PROWLER_API_VERSION="5.9.0"
 ```

-<Note>
-  You can find the latest versions of Prowler App in the [Releases Github section](https://github.com/prowler-cloud/prowler/releases) or in the [Container Versions](#container-versions) section of this documentation.
-</Note>
-
-
 #### Option 2: Using Docker Compose Pull

 ```bash
@@ -6,7 +6,7 @@ title: "Overview"

 **Why this matters**: Every engineer has asked, “What does this check actually do?” Prowler Hub answers that question in one place, lets you pin to a specific version, and pulls definitions into your own tools or dashboards.

-![](/images/products/prowler-hub.png)
+![](/images/products/prowler-hub.webp)

 <Card title="Go to Prowler Hub" href="https://hub.prowler.com" />

@@ -14,4 +14,4 @@ Prowler Hub also provides a fully documented public API that you can integrate i

 📚 Explore the API docs at: https://hub.prowler.com/api/docs

-Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
+Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
@@ -59,14 +59,6 @@ Prowler Lighthouse AI is powerful, but there are limitations:
 - **NextJS session dependence**: If your Prowler application session expires or logs out, Lighthouse AI will error out. Refresh and log back in to continue.
 - **Response quality**: The response quality depends on the selected LLM provider and model. Choose models with strong tool-calling capabilities for best results. We recommend `gpt-5` model from OpenAI.

-## Extending Lighthouse AI
-
-Lighthouse AI retrieves data through Prowler MCP. To add new capabilities, extend the Prowler MCP Server with additional tools and Lighthouse AI discovers them automatically.
-
-For development details, see:
- [Lighthouse AI Architecture](/developer-guide/lighthouse-architecture) - Internal architecture and extension points
- [Extending the MCP Server](/developer-guide/mcp-server) - Adding new tools to Prowler MCP
-
 ### Getting Help

 If you encounter issues with Prowler Lighthouse AI or have suggestions for improvements, please [reach out through our Slack channel](https://goto.prowler.com/slack).
@@ -75,6 +67,94 @@ If you encounter issues with Prowler Lighthouse AI or have suggestions for impro

 The following API endpoints are accessible to Prowler Lighthouse AI. Data from the following API endpoints could be shared with LLM provider depending on the scope of user's query:

+#### Accessible API Endpoints
+
+**User Management:**
+
+- List all users - `/api/v1/users`
+- Retrieve the current user's information - `/api/v1/users/me`
+
+**Provider Management:**
+
+- List all providers - `/api/v1/providers`
+- Retrieve data from a provider - `/api/v1/providers/{id}`
+
+**Scan Management:**
+
+- List all scans - `/api/v1/scans`
+- Retrieve data from a specific scan - `/api/v1/scans/{id}`
+
+**Resource Management:**
+
+- List all resources - `/api/v1/resources`
+- Retrieve data for a resource - `/api/v1/resources/{id}`
+
+**Findings Management:**
+
+- List all findings - `/api/v1/findings`
+- Retrieve data from a specific finding - `/api/v1/findings/{id}`
+- Retrieve metadata values from findings - `/api/v1/findings/metadata`
+
+**Overview Data:**
+
+- Get aggregated findings data - `/api/v1/overviews/findings`
+- Get findings data by severity - `/api/v1/overviews/findings_severity`
+- Get aggregated provider data - `/api/v1/overviews/providers`
+- Get findings data by service - `/api/v1/overviews/services`
+
+**Compliance Management:**
+
+- List compliance overviews (optionally filter by scan) - `/api/v1/compliance-overviews`
+- Retrieve data from a specific compliance overview - `/api/v1/compliance-overviews/{id}`
+
+#### Excluded API Endpoints
+
+Not all Prowler API endpoints are integrated with Lighthouse AI. They are intentionally excluded for the following reasons:
+
+- OpenAI/other LLM providers shouldn't have access to sensitive data (like fetching provider secrets and other sensitive config)
+- Users queries don't need responses from those API endpoints (ex: tasks, tenant details, downloading zip file, etc.)
+
+**Excluded Endpoints:**
+
+**User Management:**
+
+- List specific users information - `/api/v1/users/{id}`
+- List user memberships - `/api/v1/users/{user_pk}/memberships`
+- Retrieve membership data from the user - `/api/v1/users/{user_pk}/memberships/{id}`
+
+**Tenant Management:**
+
+- List all tenants - `/api/v1/tenants`
+- Retrieve data from a tenant - `/api/v1/tenants/{id}`
+- List tenant memberships - `/api/v1/tenants/{tenant_pk}/memberships`
+- List all invitations - `/api/v1/tenants/invitations`
+- Retrieve data from tenant invitation - `/api/v1/tenants/invitations/{id}`
+
+**Security and Configuration:**
+
+- List all secrets - `/api/v1/providers/secrets`
+- Retrieve data from a secret - `/api/v1/providers/secrets/{id}`
+- List all provider groups - `/api/v1/provider-groups`
+- Retrieve data from a provider group - `/api/v1/provider-groups/{id}`
+
+**Reports and Tasks:**
+
+- Download zip report - `/api/v1/scans/{v1}/report`
+- List all tasks - `/api/v1/tasks`
+- Retrieve data from a specific task - `/api/v1/tasks/{id}`
+
+**Lighthouse AI Configuration:**
+
+- List LLM providers - `/api/v1/lighthouse/providers`
+- Retrieve LLM provider - `/api/v1/lighthouse/providers/{id}`
+- List available models - `/api/v1/lighthouse/models`
+- Retrieve tenant configuration - `/api/v1/lighthouse/configuration`
+
+<Note>
+Agents only have access to hit GET endpoints. They don't have access to other HTTP methods.
+
+</Note>
+
 ## FAQs

 **1. Which LLM providers are supported?**
@@ -87,21 +167,13 @@ Lighthouse AI supports three providers:

 For detailed configuration instructions, see [Using Multiple LLM Providers with Lighthouse](/user-guide/tutorials/prowler-app-lighthouse-multi-llm).

-**2. Why some models don't appear in Lighthouse AI?**
+**2. Why a multi-agent supervisor model?**

-LLM providers offer different types of models. Not every model can be integrated with Lighthouse AI (for example, text-to-speech, vision, embedding, computer use, etc.).
-
-Lighthouse AI requires models that support:
-
- Text input
- Text output
- Tool calling
-
-Lighthouse AI [automatically filters](https://github.com/prowler-cloud/prowler/blob/master/api/src/backend/tasks/jobs/lighthouse_providers.py#L341-L353) out models that do not support these capabilities, so some provider models may not appear in the Lighthouse AI model list.
+Context windows are limited. While demo data fits inside the context window, querying real-world data often exceeds it. A multi-agent architecture is used so different agents fetch different sizes of data and respond with the minimum required data to the supervisor. This spreads the context window usage across agents.

 **3. Is my security data shared with LLM providers?**

-Minimal data is shared to generate useful responses. Agent can access security findings and remediation details when needed. Provider secrets are protected by design and cannot be read. The LLM provider credentials configured with Lighthouse AI are only accessible to the Next.js server and are never sent to the LLM providers. Resource metadata (names, tags, account/project IDs, etc.) may be shared with the configured LLM provider based on query requirements.
+Minimal data is shared to generate useful responses. Agents can access security findings and remediation details when needed. Provider secrets are protected by design and cannot be read. The LLM provider credentials configured with Lighthouse AI are only accessible to our NextJS server and are never sent to the LLM providers. Resource metadata (names, tags, account/project IDs, etc) may be shared with the configured LLM provider based on query requirements.

 **4. Can the Lighthouse AI change my cloud environment?**

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alan Buscaglia	f34a025acc	fix(ui): improve category label formatting for acronyms and versions	2025-12-16 18:09:18 +01:00
Alan Buscaglia	d2886a5e10	refactor(ui): simplify categories.ts to only use dynamic label formatting Remove hardcoded CATEGORY_IDS and CATEGORY_LABELS constants. Categories now come from the API and are formatted dynamically.	2025-12-15 19:16:06 +01:00
Alan Buscaglia	1e1dfa29c0	chore(ui): apply ThreatScore wording from PR #9524	2025-12-15 19:13:29 +01:00
Alan Buscaglia	747e6c9f81	feat(ui): add 'All categories' option to risk radar selector	2025-12-15 17:50:01 +01:00
Alan Buscaglia	dab231d626	feat(ui): add category selector for risk radar and findings filters - Add CategorySelector component to risk radar view for filtering by category - Add fade effect to non-selected radar chart points - Add category filter to findings page using shared labelFormatter - Extract category labels to shared lib/categories.ts - Remove category from active filter badges (now handled by select)	2025-12-15 17:46:03 +01:00