feat(cloudflare): add Cloudflare provider with 13 security checks

Add complete Cloudflare provider integration to Prowler with comprehensive security checks covering SSL/TLS, DNS, and firewall configurations. Features: - Cloudflare provider with API Token and API Key authentication - 13 security checks across 3 services (SSL/TLS, DNS, Firewall) - Support for zone-specific and account-wide scanning - Full CLI integration with --api-token, --api-key, --api-email, --zone-id flags - Mutelist support for suppressing findings - Complete output support (CSV, JSON-OCSF, HTML) Security Checks: SSL/TLS (8 checks): - ssl_mode_full_strict: Ensure SSL/TLS mode is Full (strict) - ssl_tls_minimum_version: Ensure minimum TLS version is 1.2+ - ssl_tls_1_3_enabled: Ensure TLS 1.3 is enabled - ssl_hsts_enabled: Ensure HSTS with recommended max-age - ssl_hsts_include_subdomains: Ensure HSTS includes subdomains - ssl_always_use_https: Ensure Always Use HTTPS is enabled - ssl_automatic_https_rewrites_enabled: Ensure automatic HTTPS rewrites - ssl_opportunistic_encryption_enabled: Ensure opportunistic encryption Firewall (4 checks): - firewall_waf_enabled: Ensure WAF is enabled - firewall_security_level_medium_or_higher: Ensure security level >= medium - firewall_browser_integrity_check_enabled: Ensure browser integrity check - firewall_challenge_passage_configured: Ensure challenge passage configured DNS (1 check): - dns_dnssec_enabled: Ensure DNSSEC is enabled Core Changes: - Add CheckReportCloudflare model to prowler/lib/check/models.py - Add Cloudflare provider initialization to prowler/providers/common/provider.py - Add CloudflareOutputOptions to prowler/__main__.py - Add Cloudflare output mapping to prowler/lib/outputs/finding.py - Add Cloudflare entity type to prowler/lib/outputs/summary_table.py 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-27 18:38:52 +00:00 · 2025-10-23 18:06:44 +02:00
2825 changed files with 51398 additions and 186536 deletions
--- a/.env
+++ b/.env
@@ -10,23 +10,13 @@ NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
 NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
 AUTH_TRUST_HOST=true
 UI_PORT=3000
+# Temp URL for feeds need to use actual
+RSS_FEED_URL=https://prowler.com/blog/rss
 # openssl rand -base64 32
 AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
 # Google Tag Manager ID
 NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""

-#### MCP Server ####
-PROWLER_MCP_VERSION=stable
-# For UI and MCP running on docker:
-PROWLER_MCP_SERVER_URL=http://mcp-server:8000/mcp
-# For UI running on host, MCP in docker:
-# PROWLER_MCP_SERVER_URL=http://localhost:8000/mcp
-
-#### Code Review Configuration ####
-# Enable Claude Code standards validation on pre-push hook
-# Set to 'true' to validate changes against AGENTS.md standards via Claude Code
-# Set to 'false' to skip validation
-CODE_REVIEW_ENABLED=true

 #### Prowler API Configuration ####
 PROWLER_API_VERSION="stable"
@@ -45,8 +35,6 @@ POSTGRES_DB=prowler_db
 # POSTGRES_REPLICA_USER=prowler
 # POSTGRES_REPLICA_PASSWORD=postgres
 # POSTGRES_REPLICA_DB=prowler_db
-# POSTGRES_REPLICA_MAX_ATTEMPTS=3
-# POSTGRES_REPLICA_RETRY_BASE_DELAY=0.5

 # Celery-Prowler task settings
 TASK_RETRY_DELAY_SECONDS=0.1
@@ -115,11 +103,9 @@ DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
 # Sentry settings
 SENTRY_ENVIRONMENT=local
 SENTRY_RELEASE=local
-NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
-

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.12.2

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -138,12 +124,3 @@ LANGSMITH_TRACING=false
 LANGSMITH_ENDPOINT="https://api.smith.langchain.com"
 LANGSMITH_API_KEY=""
 LANGCHAIN_PROJECT=""
-
-# RSS Feed Configuration
-# Multiple feed sources can be configured as a JSON array (must be valid JSON, no trailing commas)
-# Each source requires: id, name, type (github_releases|blog|custom), url, and enabled flag
-# IMPORTANT: Must be a single line with valid JSON (no newlines, no trailing commas)
-# Example with one source:
-RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true}]'
-# Example with multiple sources (no trailing comma after last item):
-# RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true},{"id":"prowler-blog","name":"Prowler Blog","type":"blog","url":"https://prowler.com/blog/rss","enabled":false}]'
--- a/.github/ISSUE_TEMPLATE/feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yml
@@ -8,7 +8,7 @@ body:
    attributes:
      label: Feature search
      options:
-        - label: I have searched the existing issues and this feature has not been requested yet or is already in our [Public Roadmap](https://roadmap.prowler.com/roadmap)
+        - label: I have searched the existing issues and this feature has not been requested yet
          required: true
  - type: dropdown
    id: component
--- a/.github/actions/setup-python-poetry/action.yml
+++ b/.github/actions/setup-python-poetry/action.yml
@@ -22,8 +22,8 @@ inputs:
 runs:
  using: 'composite'
  steps:
-    - name: Replace @master with current branch in pyproject.toml (prowler repo only)
-      if: github.event_name == 'pull_request' && github.base_ref == 'master' && github.repository == 'prowler-cloud/prowler'
+    - name: Replace @master with current branch in pyproject.toml
+      if: github.event_name == 'pull_request' && github.base_ref == 'master'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
@@ -37,8 +37,8 @@ runs:
        python -m pip install --upgrade pip
        pipx install poetry==${{ inputs.poetry-version }}

-    - name: Update poetry.lock with latest Prowler commit
-      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
+    - name: Update SDK resolved_reference to latest commit
+      if: github.event_name == 'push' && github.ref == 'refs/heads/master'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: |
@@ -50,21 +50,7 @@ runs:
        echo "Updated resolved_reference:"
        grep -A2 -B2 "resolved_reference" poetry.lock

-    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
-      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
-        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
-          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
-        }' poetry.lock
-        echo "Updated resolved_reference:"
-        grep -A2 -B2 "resolved_reference" poetry.lock
-
-    - name: Update poetry.lock (prowler repo only)
-      if: github.repository == 'prowler-cloud/prowler'
+    - name: Update poetry.lock
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: poetry lock
@@ -83,11 +69,3 @@ runs:
      run: |
        poetry install --no-root
        poetry run pip list
-
-    - name: Update Prowler Cloud API Client
-      if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        poetry remove prowler-cloud-api-client
-        poetry add ./prowler-cloud-api-client
--- a/.github/actions/slack-notification/README.md
+++ b/.github/actions/slack-notification/README.md
@@ -1,198 +0,0 @@
-# Slack Notification Action
-
-A generic and flexible GitHub composite action for sending Slack notifications using JSON template files. Supports both standalone messages and message updates, with automatic status detection.
-
-## Features
-
- **Template-based**: All messages use JSON template files for consistency
- **Automatic status detection**: Pass `step-outcome` to auto-calculate success/failure
- **Message updates**: Supports updating existing messages (using `chat.update`)
- **Simple API**: Clean and minimal interface
- **Reusable**: Use across all workflows and scenarios
- **Maintainable**: Centralized message templates
-
-## Use Cases
-
-1. **Container releases**: Track push start and completion with automatic status
-2. **Deployments**: Track deployment progress with rich Block Kit formatting
-3. **Custom notifications**: Any scenario where you need to notify Slack
-
-## Inputs
-
-| Input | Description | Required | Default |
-|-------|-------------|----------|---------|
-| `slack-bot-token` | Slack bot token for authentication | Yes | - |
-| `payload-file-path` | Path to JSON file with the Slack message payload | Yes | - |
-| `update-ts` | Message timestamp to update (leave empty for new messages) | No | `''` |
-| `step-outcome` | Step outcome for automatic status detection (sets STATUS_EMOJI and STATUS_TEXT env vars) | No | `''` |
-
-## Outputs
-
-| Output | Description |
-|--------|-------------|
-| `ts` | Timestamp of the Slack message (use for updates) |
-
-## Usage Examples
-
-### Example 1: Container Release with Automatic Status Detection
-
-Using JSON template files with automatic status detection:
-
-```yaml
-# Send start notification
- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-# Do the work
- name: Build and push container
-  if: github.event_name == 'release'
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Send completion notification with automatic status detection
- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-    step-outcome: ${{ steps.container-push.outcome }}
-```
-
-**Benefits:**
- No status calculation needed in workflow
- Reusable template files
- Clean and concise
- Automatic `STATUS_EMOJI` and `STATUS_TEXT` env vars set by action
- Consistent message format across all workflows
-
-### Example 2: Deployment with Message Update Pattern
-
-```yaml
-# Send initial deployment message
- name: Notify deployment started
-  id: slack-start
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
-
-# Run deployment
- name: Deploy
-  id: deploy
-  run: terraform apply -auto-approve
-
-# Determine additional status variables
- name: Determine deployment status
-  if: always()
-  id: deploy-status
-  run: |
-    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
-      echo "STATUS_COLOR=28a745" >> $GITHUB_ENV
-      echo "STATUS=Completed" >> $GITHUB_ENV
-    else
-      echo "STATUS_COLOR=fc3434" >> $GITHUB_ENV
-      echo "STATUS=Failed" >> $GITHUB_ENV
-    fi
-
-# Update the same message with final status
- name: Update deployment notification
-  if: always()
-  uses: ./.github/actions/slack-notification
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    MESSAGE_TS: ${{ steps.slack-start.outputs.ts }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS: ${{ env.STATUS }}
-    STATUS_COLOR: ${{ env.STATUS_COLOR }}
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    update-ts: ${{ steps.slack-start.outputs.ts }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
-    step-outcome: ${{ steps.deploy.outcome }}
-```
-
-## Automatic Status Detection
-
-When you provide `step-outcome` input, the action automatically sets these environment variables:
-
-| Outcome | STATUS_EMOJI | STATUS_TEXT |
-|---------|--------------|-------------|
-| success | `[✓]` | `completed successfully!` |
-| failure | `[✗]` | `failed` |
-
-These variables are then available in your payload template files.
-
-## Template File Format
-
-All template files must be valid JSON and support environment variable substitution. Example:
-
-```json
-{
-  "channel": "$SLACK_CHANNEL_ID",
-  "text": "$STATUS_EMOJI $COMPONENT container release $RELEASE_TAG push $STATUS_TEXT <$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID|View run>"
-}
-```
-
-See available templates in [`.github/scripts/slack-messages/`](../../scripts/slack-messages/).
-
-## Requirements
-
- Slack Bot Token with scopes: `chat:write`, `chat:write.public`
- Slack Channel ID where messages will be posted
- JSON template files for your messages
-
-## Benefits
-
- **Consistency**: All notifications use standardized templates
- **Automatic status handling**: No need to calculate success/failure in workflows
- **Clean workflows**: Minimal boilerplate code
- **Reusable templates**: One template for all components
- **Easy to maintain**: Change template once, applies everywhere
- **Version controlled**: All message formats in git
-
-## Related Resources
-
- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
- [Message templates documentation](../../scripts/slack-messages/README.md)
--- a/.github/actions/slack-notification/action.yml
+++ b/.github/actions/slack-notification/action.yml
@@ -1,74 +0,0 @@
-name: 'Slack Notification'
-description: 'Generic action to send Slack notifications with optional message updates and automatic status detection'
-inputs:
-  slack-bot-token:
-    description: 'Slack bot token for authentication'
-    required: true
-  payload-file-path:
-    description: 'Path to JSON file with the Slack message payload'
-    required: true
-  update-ts:
-    description: 'Message timestamp to update (only for updates, leave empty for new messages)'
-    required: false
-    default: ''
-  step-outcome:
-    description: 'Outcome of a step to determine status (success/failure) - automatically sets STATUS_TEXT and STATUS_COLOR env vars'
-    required: false
-    default: ''
-outputs:
-  ts:
-    description: 'Timestamp of the Slack message'
-    value: ${{ steps.slack-notification.outputs.ts }}
-runs:
-  using: 'composite'
-  steps:
-    - name: Determine status
-      id: status
-      shell: bash
-      run: |
-        if [[ "${{ inputs.step-outcome }}" == "success" ]]; then
-          echo "STATUS_TEXT=Completed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV
-        elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then
-          echo "STATUS_TEXT=Failed" >> $GITHUB_ENV
-          echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV
-        else
-          # No outcome provided - pending/in progress state
-          echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV
-        fi
-
-    - name: Send Slack notification (new message)
-      if: inputs.update-ts == ''
-      id: slack-notification-post
-      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-      env:
-        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
-      with:
-        method: chat.postMessage
-        token: ${{ inputs.slack-bot-token }}
-        payload-file-path: ${{ inputs.payload-file-path }}
-        payload-templated: true
-        errors: true
-
-    - name: Update Slack notification
-      if: inputs.update-ts != ''
-      id: slack-notification-update
-      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-      env:
-        SLACK_PAYLOAD_FILE_PATH: ${{ inputs.payload-file-path }}
-      with:
-        method: chat.update
-        token: ${{ inputs.slack-bot-token }}
-        payload-file-path: ${{ inputs.payload-file-path }}
-        payload-templated: true
-        errors: true
-
-    - name: Set output
-      id: slack-notification
-      shell: bash
-      run: |
-        if [[ "${{ inputs.update-ts }}" == "" ]]; then
-          echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT
-        else
-          echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT
-        fi
--- a/.github/actions/trivy-scan/action.yml
+++ b/.github/actions/trivy-scan/action.yml
@@ -45,13 +45,22 @@ outputs:
 runs:
  using: 'composite'
  steps:
-    - name: Cache Trivy vulnerability database
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+    - name: Run Trivy vulnerability scan (SARIF)
+      if: inputs.upload-sarif == 'true'
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
      with:
-        path: ~/.cache/trivy
-        key: trivy-db-${{ runner.os }}-${{ github.run_id }}
-        restore-keys: |
-          trivy-db-${{ runner.os }}-
+        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '0'
+
+    - name: Upload Trivy results to GitHub Security tab
+      if: inputs.upload-sarif == 'true'
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+      with:
+        sarif_file: 'trivy-results.sarif'
+        category: 'trivy-container'

    - name: Run Trivy vulnerability scan (JSON)
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
@@ -61,33 +70,12 @@ runs:
        output: 'trivy-report.json'
        severity: ${{ inputs.severity }}
        exit-code: '0'
-        scanners: 'vuln'
-        timeout: '5m'
-
-    - name: Run Trivy vulnerability scan (SARIF)
-      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-      with:
-        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-        severity: 'CRITICAL,HIGH'
-        exit-code: '0'
-        scanners: 'vuln'
-        timeout: '5m'
-
-    - name: Upload Trivy results to GitHub Security tab
-      if: inputs.upload-sarif == 'true' && github.event_name == 'push'
-      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
-      with:
-        sarif_file: 'trivy-results.sarif'
-        category: 'trivy-container'

    - name: Upload Trivy report artifact
      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      if: always()
      with:
-        name: trivy-scan-report-${{ inputs.image-name }}-${{ inputs.image-tag }}
+        name: trivy-scan-report-${{ inputs.image-name }}
        path: trivy-report.json
        retention-days: ${{ inputs.artifact-retention-days }}

@@ -121,20 +109,20 @@ runs:
      with:
        script: |
          const comment = require('./.github/scripts/trivy-pr-comment.js');
-
+          
          // Unique identifier to find our comment
          const marker = '<!-- trivy-scan-comment:${{ inputs.image-name }} -->';
          const body = marker + '\n' + comment;
-
+          
          // Find existing comment
          const { data: comments } = await github.rest.issues.listComments({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: context.issue.number,
          });
-
+          
          const existingComment = comments.find(c => c.body?.includes(marker));
-
+          
          if (existingComment) {
            // Update existing comment
            await github.rest.issues.updateComment({
--- a/.github/codeql/sdk-codeql-config.yml
+++ b/.github/codeql/sdk-codeql-config.yml
@@ -1,18 +1,4 @@
-name: 'SDK: CodeQL Config'
-paths:
-  - 'prowler/'
-
+name: "SDK - CodeQL Config"
 paths-ignore:
-  - 'api/'
-  - 'ui/'
-  - 'dashboard/'
-  - 'mcp_server/'
-  - 'tests/**'
-  - 'util/**'
-  - 'contrib/**'
-  - 'examples/**'
-  - 'prowler/**/__pycache__/**'
-  - 'prowler/**/*.md'
-
-queries:
-  - uses: security-and-quality
+  - "api/"
+  - "ui/"
--- a/.github/codeql/ui-codeql-config.yml
+++ b/.github/codeql/ui-codeql-config.yml
@@ -1,17 +1,3 @@
-name: 'UI: CodeQL Config'
+name: "UI - CodeQL Config"
 paths:
-  - 'ui/'
-
-paths-ignore:
-  - 'ui/node_modules/**'
-  - 'ui/.next/**'
-  - 'ui/out/**'
-  - 'ui/tests/**'
-  - 'ui/**/*.test.ts'
-  - 'ui/**/*.test.tsx'
-  - 'ui/**/*.spec.ts'
-  - 'ui/**/*.spec.tsx'
-  - 'ui/**/*.md'
-
-queries:
-  - uses: security-and-quality
+  - "ui/"
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -46,11 +46,6 @@ provider/oci:
  - changed-files:
      - any-glob-to-any-file: "prowler/providers/oraclecloud/**"
      - any-glob-to-any-file: "tests/providers/oraclecloud/**"
-      
-provider/alibabacloud:
-  - changed-files:
-      - any-glob-to-any-file: "prowler/providers/alibabacloud/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/**"

 github_actions:
  - changed-files:
@@ -74,8 +69,6 @@ mutelist:
      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/mongodbatlas/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/oci/lib/mutelist/**"
-      - any-glob-to-any-file: "tests/providers/alibabacloud/lib/mutelist/**"

 integration/s3:
  - changed-files:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -14,39 +14,15 @@ Please add a detailed description of how to review this PR.

 ### Checklist

-<details>
-
-<summary><b>Community Checklist</b></summary>
-
- [ ] This feature/issue is listed in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
- [ ] Is it assigned to me, if not, request it via the issue/feature in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)
-
-</details>
-
-
+- Are there new checks included in this PR? Yes / No
+    - If so, do we need to update permissions for the provider? Please review this carefully.
 - [ ] Review if the code is being covered by tests.
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.

-#### SDK/CLI
- Are there new checks included in this PR? Yes / No
-    - If so, do we need to update permissions for the provider? Please review this carefully.
-
-#### UI
- [ ] All issue/task requirements work as expected on the UI
- [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
- [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
- [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.
-
 #### API
- [ ] All issue/task requirements work as expected on the API
- [ ] Endpoint response output (if applicable)
- [ ] EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
- [ ] Performance test results (if applicable)
- [ ] Any other relevant evidence of the implementation (if applicable)
 - [ ] Verify if API specs need to be regenerated.
 - [ ] Check if version updates are required (e.g., specs, Poetry, etc.).
 - [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.
--- a/.github/scripts/slack-messages/README.md
+++ b/.github/scripts/slack-messages/README.md
@@ -1,462 +0,0 @@
-# Slack Message Templates
-
-This directory contains reusable message templates for Slack notifications sent from GitHub Actions workflows.
-
-## Usage
-
-These JSON templates are used with the `slackapi/slack-github-action` using the Slack API method (`chat.postMessage` and `chat.update`). All templates support rich Block Kit formatting and message updates.
-
-### Available Templates
-
-**Container Releases**
- `container-release-started.json`: Simple one-line notification when container push starts
- `container-release-completed.json`: Simple one-line notification when container release completes
-
-**Deployments**
- `deployment-started.json`: Deployment start notification with Block Kit formatting
- `deployment-completed.json`: Deployment completion notification (updates the start message)
-
-All templates use the Slack API method and require a Slack Bot Token.
-
-## Setup Requirements
-
-1. Create a Slack App (or use existing)
-2. Add Bot Token Scopes: `chat:write`, `chat:write.public`
-3. Install the app to your workspace
-4. Get the Bot Token from OAuth & Permissions page
-5. Add secrets:
-   - `SLACK_BOT_TOKEN`: Your bot token
-   - `SLACK_CHANNEL_ID`: The channel ID where messages will be posted
-
-Reference: [Sending data using a Slack API method](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
-
-## Environment Variables
-
-### Required Secrets (GitHub Secrets)
- `SLACK_BOT_TOKEN`: Passed as `token` parameter to the action (not as env variable)
- `SLACK_CHANNEL_ID`: Used in payload as env variable
-
-### Container Release Variables (configured as env)
- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
- `RELEASE_TAG` / `PROWLER_VERSION`: The release tag or version being deployed
- `GITHUB_SERVER_URL`: Provided by GitHub context
- `GITHUB_REPOSITORY`: Provided by GitHub context
- `GITHUB_RUN_ID`: Provided by GitHub context
- `STATUS_EMOJI`: Status symbol (calculated: `[✓]` for success, `[✗]` for failure)
- `STATUS_TEXT`: Status text (calculated: "completed successfully!" or "failed")
-
-### Deployment Variables (configured as env)
- `COMPONENT`: Component name (e.g., "API", "SDK", "UI", "MCP")
- `ENVIRONMENT`: Environment name (e.g., "DEVELOPMENT", "PRODUCTION")
- `COMMIT_HASH`: Commit hash being deployed
- `VERSION_DEPLOYED`: Version being deployed
- `GITHUB_ACTOR`: User who triggered the workflow
- `GITHUB_WORKFLOW`: Workflow name
- `GITHUB_SERVER_URL`: Provided by GitHub context
- `GITHUB_REPOSITORY`: Provided by GitHub context
- `GITHUB_RUN_ID`: Provided by GitHub context
-
-All other variables (MESSAGE_TS, STATUS, STATUS_COLOR, STATUS_EMOJI, etc.) are calculated internally within the workflow and should NOT be configured as environment variables.
-
-## Example Workflow Usage
-
-### Using the Generic Slack Notification Action (Recommended)
-
-**Recommended approach**: Use the generic reusable action `.github/actions/slack-notification` which provides maximum flexibility:
-
-#### Example 1: Container Release (Start + Completion)
-
-```yaml
-# Send start notification
- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "API container release ${{ env.RELEASE_TAG }} push started... <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
-      }
-
-# Build and push container
- name: Build and push container
-  if: github.event_name == 'release'
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Calculate status
- name: Determine push status
-  if: github.event_name == 'release' && always()
-  id: push-status
-  run: |
-    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
-      echo "emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "text=completed successfully!" >> $GITHUB_OUTPUT
-    else
-      echo "emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "text=failed" >> $GITHUB_OUTPUT
-    fi
-
-# Send completion notification
- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "${{ steps.push-status.outputs.emoji }} API container release ${{ env.RELEASE_TAG }} push ${{ steps.push-status.outputs.text }} <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>"
-      }
-```
-
-#### Example 2: Simple One-Time Message
-
-```yaml
- name: Send notification
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "Deployment completed successfully!"
-      }
-```
-
-#### Example 3: Deployment with Message Update Pattern
-
-```yaml
-# Send initial deployment message
- name: Notify deployment started
-  id: slack-start
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "text": "API deployment to PRODUCTION started",
-        "attachments": [
-          {
-            "color": "dbab09",
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": "API | Deployment to PRODUCTION"
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Status:*\nIn Progress"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-
-# Run deployment
- name: Deploy
-  id: deploy
-  run: terraform apply -auto-approve
-
-# Calculate status
- name: Determine status
-  if: always()
-  id: status
-  run: |
-    if [[ "${{ steps.deploy.outcome }}" == "success" ]]; then
-      echo "color=28a745" >> $GITHUB_OUTPUT
-      echo "emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "status=Completed" >> $GITHUB_OUTPUT
-    else
-      echo "color=fc3434" >> $GITHUB_OUTPUT
-      echo "emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "status=Failed" >> $GITHUB_OUTPUT
-    fi
-
-# Update the same message with final status
- name: Update deployment notification
-  if: always()
-  uses: ./.github/actions/slack-notification
-  with:
-    slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-    update-ts: ${{ steps.slack-start.outputs.ts }}
-    payload: |
-      {
-        "channel": "${{ secrets.SLACK_CHANNEL_ID }}",
-        "ts": "${{ steps.slack-start.outputs.ts }}",
-        "text": "${{ steps.status.outputs.emoji }} API deployment to PRODUCTION ${{ steps.status.outputs.status }}",
-        "attachments": [
-          {
-            "color": "${{ steps.status.outputs.color }}",
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": "API | Deployment to PRODUCTION"
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Status:*\n${{ steps.status.outputs.emoji }} ${{ steps.status.outputs.status }}"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-```
-
-**Benefits of using the generic action:**
- Maximum flexibility: Build any payload you need directly in the workflow
- No template files needed: Everything inline
- Supports all scenarios: one-time messages, start/update patterns, rich Block Kit
- Easy to customize per use case
- Generic: Works for containers, deployments, or any notification type
-
-For more details, see [Slack Notification Action](../../actions/slack-notification/README.md).
-
-### Using Message Templates (Alternative Approach)
-
-Simple one-line notifications for container releases:
-
-```yaml
-# Step 1: Notify when push starts
- name: Notify container push started
-  if: github.event_name == 'release'
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-# Step 2: Build and push container
- name: Build and push container
-  id: container-push
-  uses: docker/build-push-action@...
-  with:
-    push: true
-    tags: ...
-
-# Step 3: Determine push status
- name: Determine push status
-  if: github.event_name == 'release' && always()
-  id: push-status
-  run: |
-    if [[ "${{ steps.container-push.outcome }}" == "success" ]]; then
-      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "status-text=completed successfully!" >> $GITHUB_OUTPUT
-    else
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "status-text=failed" >> $GITHUB_OUTPUT
-    fi
-
-# Step 4: Notify when push completes (success or failure)
- name: Notify container push completed
-  if: github.event_name == 'release' && always()
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    RELEASE_TAG: ${{ env.RELEASE_TAG }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS_EMOJI: ${{ steps.push-status.outputs.status-emoji }}
-    STATUS_TEXT: ${{ steps.push-status.outputs.status-text }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-```
-
-### Deployment with Update Pattern
-
-For deployments that start with one message and update it with the final status:
-
-```yaml
-# Step 1: Send deployment start notification
- name: Notify Deployment Start
-  id: slack-notification-start
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-  with:
-    method: chat.postMessage
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-started.json"
-
-# Step 2: Run your deployment steps
- name: Terraform Plan
-  id: terraform-plan
-  run: terraform plan
-
- name: Terraform Apply
-  id: terraform-apply
-  run: terraform apply -auto-approve
-
-# Step 3: Determine status (calculated internally, not configured)
- name: Determine Status
-  if: always()
-  id: determine-status
-  run: |
-    if [[ "${{ steps.terraform-apply.outcome }}" == "success" ]]; then
-      echo "status=Completed" >> $GITHUB_OUTPUT
-      echo "status-color=28a745" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
-      echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
-    elif [[ "${{ steps.terraform-plan.outcome }}" == "failure" || "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
-      echo "status=Failed" >> $GITHUB_OUTPUT
-      echo "status-color=fc3434" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      if [[ "${{ steps.terraform-plan.outcome }}" == "failure" ]]; then
-        echo "plan-emoji=[✗]" >> $GITHUB_OUTPUT
-      else
-        echo "plan-emoji=[✓]" >> $GITHUB_OUTPUT
-      fi
-      if [[ "${{ steps.terraform-apply.outcome }}" == "failure" ]]; then
-        echo "apply-emoji=[✗]" >> $GITHUB_OUTPUT
-      else
-        echo "apply-emoji=[✓]" >> $GITHUB_OUTPUT
-      fi
-    else
-      echo "status=Failed" >> $GITHUB_OUTPUT
-      echo "status-color=fc3434" >> $GITHUB_OUTPUT
-      echo "status-emoji=[✗]" >> $GITHUB_OUTPUT
-      echo "plan-emoji=[?]" >> $GITHUB_OUTPUT
-      echo "apply-emoji=[?]" >> $GITHUB_OUTPUT
-    fi
-
-# Step 4: Update the same Slack message (using calculated values)
- name: Notify Deployment Result
-  if: always()
-  uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-  env:
-    SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
-    MESSAGE_TS: ${{ steps.slack-notification-start.outputs.ts }}
-    COMPONENT: API
-    ENVIRONMENT: PRODUCTION
-    COMMIT_HASH: ${{ github.sha }}
-    VERSION_DEPLOYED: latest
-    GITHUB_ACTOR: ${{ github.actor }}
-    GITHUB_WORKFLOW: ${{ github.workflow }}
-    GITHUB_SERVER_URL: ${{ github.server_url }}
-    GITHUB_REPOSITORY: ${{ github.repository }}
-    GITHUB_RUN_ID: ${{ github.run_id }}
-    STATUS: ${{ steps.determine-status.outputs.status }}
-    STATUS_COLOR: ${{ steps.determine-status.outputs.status-color }}
-    STATUS_EMOJI: ${{ steps.determine-status.outputs.status-emoji }}
-    PLAN_EMOJI: ${{ steps.determine-status.outputs.plan-emoji }}
-    APPLY_EMOJI: ${{ steps.determine-status.outputs.apply-emoji }}
-    TERRAFORM_PLAN_OUTCOME: ${{ steps.terraform-plan.outcome }}
-    TERRAFORM_APPLY_OUTCOME: ${{ steps.terraform-apply.outcome }}
-  with:
-    method: chat.update
-    token: ${{ secrets.SLACK_BOT_TOKEN }}
-    payload-file-path: "./.github/scripts/slack-messages/deployment-completed.json"
-```
-
-**Note**: Variables like `STATUS`, `STATUS_COLOR`, `STATUS_EMOJI`, `PLAN_EMOJI`, `APPLY_EMOJI` are calculated by the `determine-status` step based on the outcomes of previous steps. They should NOT be manually configured.
-
-## Key Features
-
-### Benefits of Using Slack API Method
-
- **Rich Block Kit Formatting**: Full support for Slack's Block Kit including headers, sections, fields, colors, and attachments
- **Message Updates**: Update the same message instead of posting multiple messages (using `chat.update` with `ts`)
- **Consistent Experience**: Same look and feel as Prowler Cloud notifications
- **Flexible**: Easy to customize message appearance by editing JSON templates
-
-### Differences from Webhook Method
-
-| Feature | webhook-trigger | Slack API (chat.postMessage) |
-|---------|-----------------|------------------------------|
-| Setup | Workflow Builder webhook | Slack Bot Token + Channel ID |
-| Formatting | Plain text/simple | Full Block Kit support |
-| Message Update | No | Yes (with chat.update) |
-| Authentication | Webhook URL | Bot Token |
-| Scopes Required | None | chat:write, chat:write.public |
-
-## Message Appearance
-
-### Container Release (Simple One-Line)
-
-**Start message:**
-```
-API container release 4.5.0 push started... View run
-```
-
-**Completion message (success):**
-```
-[✓] API container release 4.5.0 push completed successfully! View run
-```
-
-**Completion message (failure):**
-```
-[✗] API container release 4.5.0 push failed View run
-```
-
-All messages are simple one-liners with a clickable "View run" link. The completion message adapts to show success `[✓]` or failure `[✗]` based on the outcome of the container push.
-
-### Deployment Start
- Header: Component and environment
- Yellow bar (color: `dbab09`)
- Status: In Progress
- Details: Commit, version, actor, workflow
- Link: Direct link to deployment run
-
-### Deployment Completion
- Header: Component and environment
- Green bar for success (color: `28a745`) / Red bar for failure (color: `fc3434`)
- Status: [✓] Completed or [✗] Failed
- Details: All deployment info plus terraform outcomes
- Link: Direct link to deployment run
-
-## Adding New Templates
-
-1. Create a new JSON file with Block Kit structure
-2. Use environment variable placeholders (e.g., `$VAR_NAME`)
-3. Include `channel` and `text` fields (required)
-4. Add `blocks` or `attachments` for rich formatting
-5. For update templates, include `ts` field as `$MESSAGE_TS`
-6. Document the template in this README
-7. Reference it in your workflow using `payload-file-path`
-
-## Reference
-
- [Slack Block Kit Builder](https://app.slack.com/block-kit-builder)
- [Slack API Method Documentation](https://docs.slack.dev/tools/slack-github-action/sending-techniques/sending-data-slack-api-method/)
--- a/.github/scripts/slack-messages/container-release-completed.json
+++ b/.github/scripts/slack-messages/container-release-completed.json
@@ -1,18 +0,0 @@
-{
-  "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "ts": "${{ env.MESSAGE_TS }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\n${{ env.STATUS_TEXT }}\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push ${{ env.STATUS_TEXT }}\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
-}
--- a/.github/scripts/slack-messages/container-release-started.json
+++ b/.github/scripts/slack-messages/container-release-started.json
@@ -1,17 +0,0 @@
-{
-  "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "attachments": [
-    {
-      "color": "${{ env.STATUS_COLOR }}",
-      "blocks": [
-        {
-          "type": "section",
-          "text": {
-            "type": "mrkdwn",
-            "text": "*Status:*\nStarted\n\n${{ env.COMPONENT }} container release ${{ env.RELEASE_TAG }} push started...\n\n<${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}|View run>"
-          }
-        }
-      ]
-    }
-  ]
-}
--- a/.github/workflows/api-build-lint-push-containers.yml
+++ b/.github/workflows/api-build-lint-push-containers.yml
@@ -0,0 +1,115 @@
+name: API - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "api/**"
+      - "prowler/**"
+      - ".github/workflows/api-build-lint-push-containers.yml"
+
+  # Uncomment the code below to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "api/**"
+  #     - ".github/workflows/api-build-lint-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+
+  WORKING_DIRECTORY: ./api
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  # Build Prowler OSS container
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trigger deployment
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: prowler-api-deploy
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'
--- a/.github/workflows/api-bump-version.yml
+++ b/.github/workflows/api-bump-version.yml
@@ -1,254 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.github/workflows/api-code-quality.yml
+++ b/.github/workflows/api-code-quality.yml
@@ -1,71 +0,0 @@
-name: 'API: Code Quality'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-code-quality:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-code-quality.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Poetry check
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry check --lock
-
-      - name: Ruff lint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run ruff check . --exclude contrib
-
-      - name: Ruff format
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run ruff format --check . --exclude contrib
-
-      - name: Pylint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
--- a/.github/workflows/api-codeql.yml
+++ b/.github/workflows/api-codeql.yml
@@ -25,7 +25,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  api-analyze:
+  analyze:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 30
@@ -42,15 +42,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/api-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          category: '/language:${{ matrix.language }}'
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -1,215 +0,0 @@
-name: 'API: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'master'
-    paths:
-      - 'api/**'
-      - 'prowler/**'
-      - '.github/workflows/api-container-build-push.yml'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-  STABLE_TAG: stable
-  WORKING_DIRECTORY: ./api
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    steps:
-      - name: Calculate short SHA
-        id: set-short-sha
-        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: API
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push API container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: API
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger API deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: api-prowler-deployment
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'
--- a/.github/workflows/api-container-checks.yml
+++ b/.github/workflows/api-container-checks.yml
@@ -1,101 +0,0 @@
-name: 'API: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-  IMAGE_NAME: prowler-api
-
-jobs:
-  api-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: api/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: api/Dockerfile
-          ignore: DL3013
-
-  api-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: api/**
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.API_WORKING_DIR }}
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'
--- a/.github/workflows/api-pull-request.yml
+++ b/.github/workflows/api-pull-request.yml
@@ -0,0 +1,228 @@
+name: 'API: Pull Request'
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v5.*'
+    paths:
+      - '.github/workflows/api-pull-request.yml'
+      - 'api/**'
+      - '!api/docs/**'
+      - '!api/README.md'
+      - '!api/CHANGELOG.md'
+  pull_request:
+    branches:
+      - 'master'
+      - 'v5.*'
+    paths:
+      - '.github/workflows/api-pull-request.yml'
+      - 'api/**'
+      - '!api/docs/**'
+      - '!api/README.md'
+      - '!api/CHANGELOG.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  POSTGRES_HOST: localhost
+  POSTGRES_PORT: 5432
+  POSTGRES_ADMIN_USER: prowler
+  POSTGRES_ADMIN_PASSWORD: S3cret
+  POSTGRES_USER: prowler_user
+  POSTGRES_PASSWORD: prowler
+  POSTGRES_DB: postgres-db
+  VALKEY_HOST: localhost
+  VALKEY_PORT: 6379
+  VALKEY_DB: 0
+  API_WORKING_DIR: ./api
+  IMAGE_NAME: prowler-api
+
+jobs:
+  code-quality:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Poetry check
+        run: poetry check --lock
+
+      - name: Ruff lint
+        run: poetry run ruff check . --exclude contrib
+
+      - name: Ruff format
+        run: poetry run ruff format --check . --exclude contrib
+
+      - name: Pylint
+        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
+
+  security-scans:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Bandit
+        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
+
+      - name: Safety
+        # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745
+
+      - name: Vulture
+        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
+
+  tests:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        python-version:
+          - '3.12'
+    defaults:
+      run:
+        working-directory: ./api
+
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
+          POSTGRES_USER: ${{ env.POSTGRES_USER }}
+          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
+          POSTGRES_DB: ${{ env.POSTGRES_DB }}
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+      valkey:
+        image: valkey/valkey:7-alpine3.19
+        env:
+          VALKEY_HOST: ${{ env.VALKEY_HOST }}
+          VALKEY_PORT: ${{ env.VALKEY_PORT }}
+          VALKEY_DB: ${{ env.VALKEY_DB }}
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "valkey-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
+        with:
+          python-version: ${{ matrix.python-version }}
+          working-directory: ./api
+
+      - name: Run tests with pytest
+        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: api
+
+  dockerfile-lint:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Lint Dockerfile with Hadolint
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: api/Dockerfile
+          ignore: DL3013
+
+  container-build-and-scan:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build container
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.API_WORKING_DIR }}
+          push: false
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan container with Trivy
+        uses: ./.github/actions/trivy-scan
+        with:
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tag: ${{ github.sha }}
+          fail-on-critical: 'false'
+          severity: 'CRITICAL'
--- a/.github/workflows/api-security.yml
+++ b/.github/workflows/api-security.yml
@@ -1,67 +0,0 @@
-name: 'API: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-security-scans:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-security.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Bandit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
-
-      - name: Safety
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check
-
-      - name: Vulture
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@@ -1,107 +0,0 @@
-name: 'API: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  POSTGRES_HOST: localhost
-  POSTGRES_PORT: 5432
-  POSTGRES_ADMIN_USER: prowler
-  POSTGRES_ADMIN_PASSWORD: S3cret
-  POSTGRES_USER: prowler_user
-  POSTGRES_PASSWORD: prowler
-  POSTGRES_DB: postgres-db
-  VALKEY_HOST: localhost
-  VALKEY_PORT: 6379
-  VALKEY_DB: 0
-  API_WORKING_DIR: ./api
-
-jobs:
-  api-tests:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.12'
-    defaults:
-      run:
-        working-directory: ./api
-
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
-          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
-          POSTGRES_USER: ${{ env.POSTGRES_USER }}
-          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
-          POSTGRES_DB: ${{ env.POSTGRES_DB }}
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-      valkey:
-        image: valkey/valkey:7-alpine3.19
-        env:
-          VALKEY_HOST: ${{ env.VALKEY_HOST }}
-          VALKEY_PORT: ${{ env.VALKEY_PORT }}
-          VALKEY_DB: ${{ env.VALKEY_DB }}
-        ports:
-          - 6379:6379
-        options: >-
-          --health-cmd "valkey-cli ping"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for API changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            api/**
-            .github/workflows/api-tests.yml
-          files_ignore: |
-            api/docs/**
-            api/README.md
-            api/CHANGELOG.md
-
-      - name: Setup Python with Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/setup-python-poetry
-        with:
-          python-version: ${{ matrix.python-version }}
-          working-directory: ./api
-
-      - name: Run tests with pytest
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
-
-      - name: Upload coverage reports to Codecov
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: api
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on:
    types:
      - 'labeled'
      - 'closed'
+    paths:
+      - '.github/workflows/backport.yml'

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -38,7 +40,7 @@ jobs:

      - name: Backport PR
        if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
+        uses: sorenlouv/backport-github-action@ad888e978060bc1b2798690dd9d03c4036560947 # v9.5.1
        with:
          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}
--- a/.github/workflows/comment-label-update.yml
+++ b/.github/workflows/comment-label-update.yml
@@ -1,39 +0,0 @@
-name: 'Tools: Comment Label Update'
-
-on:
-  issue_comment:
-    types:
-      - 'created'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-jobs:
-  update-labels:
-    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-      pull-requests: write
-
-    steps:
-      - name: Remove 'status/awaiting-response' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Removing 'status/awaiting-response' label from #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels/status%2Fawaiting-response \
-            -X DELETE
-
-      - name: Add 'status/waiting-for-revision' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Adding 'status/waiting-for-revision' label to #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels \
-            -X POST \
-            -f labels[]='status/waiting-for-revision'
--- a/.github/workflows/conventional-commit.yml
+++ b/.github/workflows/conventional-commit.yml
@@ -26,6 +26,6 @@ jobs:

    steps:
      - name: Check PR title format
-        uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
+        uses: agenthunt/conventional-commit-checker-action@9e552d650d0e205553ec7792d447929fc78e012b # v2.0.0
        with:
          pr-title-regex: '^(feat|fix|docs|style|refactor|perf|test|chore|build|ci|revert)(\([^)]+\))?!?: .+'
--- a/.github/workflows/docs-bump-version.yml
+++ b/.github/workflows/docs-bump-version.yml
@@ -1,247 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in documentation for master
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -23,11 +23,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Scan for secrets with TruffleHog
-        uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
+        uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 # v3.90.11
        with:
          extra_args: '--results=verified,unknown'
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -27,66 +27,3 @@ jobs:
        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          sync-labels: true
-
-  label-community:
-    name: Add 'community' label if the PR is from a community contributor
-    needs: labeler
-    if: github.repository == 'prowler-cloud/prowler' && github.event.action == 'opened'
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Check if author is org member
-        id: check_membership
-        env:
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-        run: |
-          # Hardcoded list of prowler-cloud organization members
-          # This list includes members who have set their organization membership as private
-          ORG_MEMBERS=(
-            "AdriiiPRodri"
-            "Alan-TheGentleman"
-            "alejandrobailo"
-            "amitsharm"
-            "andoniaf"
-            "cesararroba"
-            "Chan9390"
-            "danibarranqueroo"
-            "HugoPBrito"
-            "jfagoagas"
-            "josemazo"
-            "lydiavilchez"
-            "mmuller88"
-            "MrCloudSec"
-            "pedrooot"
-            "prowler-bot"
-            "puchy22"
-            "rakan-pro"
-            "RosaRivasProwler"
-            "StylusFrost"
-            "toniblyx"
-            "vicferpoy"
-          )
-
-          echo "Checking if $AUTHOR is a member of prowler-cloud organization"
-
-          # Check if author is in the org members list
-          if printf '%s\n' "${ORG_MEMBERS[@]}" | grep -q "^${AUTHOR}$"; then
-            echo "is_member=true" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is an organization member"
-          else
-            echo "is_member=false" >> $GITHUB_OUTPUT
-            echo "$AUTHOR is not an organization member"
-          fi
-
-      - name: Add community label
-        if: steps.check_membership.outputs.is_member == 'false'
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          echo "Adding 'community' label to PR #$PR_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/${{ github.event.number }}/labels \
-            -X POST \
-            -f labels[]='community'
--- a/.github/workflows/mcp-container-build-push.yml
+++ b/.github/workflows/mcp-container-build-push.yml
@@ -10,24 +10,18 @@ on:
  release:
    types:
      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string

 permissions:
  contents: read

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
+  cancel-in-progress: true

 env:
  # Tags
  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
  STABLE_TAG: stable
  WORKING_DIRECTORY: ./mcp_server

@@ -47,51 +41,16 @@ jobs:
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
    needs: setup
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: MCP
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Login to DockerHub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -100,120 +59,50 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build and push MCP container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+      - name: Build and push MCP container (latest)
+        if: github.event_name == 'push'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
-          platforms: ${{ matrix.platform }}
          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
          labels: |
            org.opencontainers.image.title=Prowler MCP Server
            org.opencontainers.image.description=Model Context Protocol server for Prowler
            org.opencontainers.image.vendor=ProwlerPro, Inc.
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
-            ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      - name: Build and push MCP container (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          labels: |
+            org.opencontainers.image.title=Prowler MCP Server
+            org.opencontainers.image.description=Model Context Protocol server for Prowler
+            org.opencontainers.image.vendor=ProwlerPro, Inc.
+            org.opencontainers.image.version=${{ env.RELEASE_TAG }}
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ github.event.release.published_at }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: MCP
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
      - name: Trigger MCP deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
--- a/.github/workflows/mcp-container-checks.yml
+++ b/.github/workflows/mcp-container-checks.yml
@@ -1,99 +0,0 @@
-name: 'MCP: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  MCP_WORKING_DIR: ./mcp_server
-  IMAGE_NAME: prowler-mcp
-
-jobs:
-  mcp-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: mcp_server/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: mcp_server/Dockerfile
-
-  mcp-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for MCP changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: mcp_server/**
-          files_ignore: |
-            mcp_server/README.md
-            mcp_server/CHANGELOG.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build MCP container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.MCP_WORKING_DIR }}
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'
--- a/.github/workflows/mcp-pypi-release.yml
+++ b/.github/workflows/mcp-pypi-release.yml
@@ -1,81 +0,0 @@
-name: "MCP: PyPI Release"
-
-on:
-  release:
-    types:
-      - "published"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: "3.12"
-  WORKING_DIRECTORY: ./mcp_server
-
-jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
-    steps:
-      - name: Parse and validate version
-        id: parse-version
-        run: |
-          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version (only Prowler 3, 4, 5 supported)
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler MCP for tag ${PROWLER_VERSION}"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
-              exit 1
-              ;;
-          esac
-
-  publish-prowler-mcp:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-mcp
-      url: https://pypi.org/project/prowler-mcp/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Build prowler-mcp package
-        working-directory: ${{ env.WORKING_DIRECTORY }}
-        run: uv build
-
-      - name: Publish prowler-mcp package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
-          print-hash: true
--- a/.github/workflows/pr-check-changelog.yml
+++ b/.github/workflows/pr-check-changelog.yml
@@ -29,13 +29,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            api/**
@@ -83,7 +83,7 @@ jobs:

      - name: Update PR comment with changelog status
        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -25,14 +25,14 @@ jobs:

    steps:
      - name: Checkout PR head
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: '**'

@@ -97,7 +97,7 @@ jobs:
          body-includes: '<!-- conflict-checker-comment -->'

      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/pr-merged.yml
+++ b/.github/workflows/pr-merged.yml
@@ -13,10 +13,7 @@ concurrency:

 jobs:
  trigger-cloud-pull-request:
-    if: |
-      github.event.pull_request.merged == true &&
-      github.repository == 'prowler-cloud/prowler' &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-sync')
+    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
@@ -29,7 +26,7 @@ jobs:
          echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV

      - name: Trigger Cloud repository pull request
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -27,13 +27,13 @@ jobs:
      pull-requests: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        fetch-depth: 0
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}

    - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: '3.12'

@@ -47,7 +47,7 @@ jobs:
        git config --global user.name 'prowler-bot'
        git config --global user.email '179230569+prowler-bot@users.noreply.github.com'

-    - name: Parse version and determine branch
+    - name: Parse version and read changelogs
      run: |
        # Validate version format (reusing pattern from sdk-bump-version.yml)
        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
@@ -64,80 +64,66 @@ jobs:
          BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"

+          # Function to extract the latest version from changelog
+          extract_latest_version() {
+            local changelog_file="$1"
+            if [ -f "$changelog_file" ]; then
+              # Extract the first version entry (most recent) from changelog
+              # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
+              local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
+              echo "$version"
+            else
+              echo ""
+            fi
+          }
+
+          # Read actual versions from changelogs (source of truth)
+          UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
+          API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
+          SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
+          MCP_VERSION=$(extract_latest_version "mcp_server/CHANGELOG.md")
+
+          echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+          echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+          echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
+          echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
+
+          if [ -n "$UI_VERSION" ]; then
+            echo "Read UI version from changelog: $UI_VERSION"
+          else
+            echo "Warning: No UI version found in ui/CHANGELOG.md"
+          fi
+
+          if [ -n "$API_VERSION" ]; then
+            echo "Read API version from changelog: $API_VERSION"
+          else
+            echo "Warning: No API version found in api/CHANGELOG.md"
+          fi
+
+          if [ -n "$SDK_VERSION" ]; then
+            echo "Read SDK version from changelog: $SDK_VERSION"
+          else
+            echo "Warning: No SDK version found in prowler/CHANGELOG.md"
+          fi
+
+          if [ -n "$MCP_VERSION" ]; then
+            echo "Read MCP version from changelog: $MCP_VERSION"
+          else
+            echo "Warning: No MCP version found in mcp_server/CHANGELOG.md"
+          fi
+
          echo "Prowler version: $PROWLER_VERSION"
          echo "Branch name: $BRANCH_NAME"
+          echo "UI version: $UI_VERSION"
+          echo "API version: $API_VERSION"
+          echo "SDK version: $SDK_VERSION"
+          echo "MCP version: $MCP_VERSION"
          echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
        else
          echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
          exit 1
        fi

-    - name: Checkout release branch
-      run: |
-        echo "Checking out branch $BRANCH_NAME for release $PROWLER_VERSION..."
-        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists locally, checking out..."
-          git checkout "$BRANCH_NAME"
-        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
-          echo "Branch $BRANCH_NAME exists remotely, checking out..."
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-        else
-          echo "ERROR: Branch $BRANCH_NAME does not exist. For minor releases (X.Y.0), create it manually first. For patch releases (X.Y.Z), the branch should already exist."
-          exit 1
-        fi
-
-    - name: Read changelog versions from release branch
-      run: |
-        # Function to extract the version for a specific Prowler release from changelog
-        # This looks for entries with "(Prowler X.Y.Z)" to find the released version
-        extract_version_for_release() {
-          local changelog_file="$1"
-          local prowler_version="$2"
-          if [ -f "$changelog_file" ]; then
-            # Extract version that matches this Prowler release
-            # Format: ## [version] (Prowler X.Y.Z) or ## [vversion] (Prowler vX.Y.Z)
-            local version=$(grep '^## \[' "$changelog_file" | grep "(Prowler v\?${prowler_version})" | head -1 | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
-            echo "$version"
-          else
-            echo ""
-          fi
-        }
-
-        # Read versions from changelogs for this specific Prowler release
-        SDK_VERSION=$(extract_version_for_release "prowler/CHANGELOG.md" "$PROWLER_VERSION")
-        API_VERSION=$(extract_version_for_release "api/CHANGELOG.md" "$PROWLER_VERSION")
-        UI_VERSION=$(extract_version_for_release "ui/CHANGELOG.md" "$PROWLER_VERSION")
-        MCP_VERSION=$(extract_version_for_release "mcp_server/CHANGELOG.md" "$PROWLER_VERSION")
-
-        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
-        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
-        echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
-        echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"
-
-        if [ -n "$SDK_VERSION" ]; then
-          echo "✓ SDK version for Prowler $PROWLER_VERSION: $SDK_VERSION"
-        else
-          echo "ℹ No SDK version found for Prowler $PROWLER_VERSION in prowler/CHANGELOG.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "✓ API version for Prowler $PROWLER_VERSION: $API_VERSION"
-        else
-          echo "ℹ No API version found for Prowler $PROWLER_VERSION in api/CHANGELOG.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
-          echo "✓ UI version for Prowler $PROWLER_VERSION: $UI_VERSION"
-        else
-          echo "ℹ No UI version found for Prowler $PROWLER_VERSION in ui/CHANGELOG.md"
-        fi
-
-        if [ -n "$MCP_VERSION" ]; then
-          echo "✓ MCP version for Prowler $PROWLER_VERSION: $MCP_VERSION"
-        else
-          echo "ℹ No MCP version found for Prowler $PROWLER_VERSION in mcp_server/CHANGELOG.md"
-        fi
-
    - name: Extract and combine changelog entries
      run: |
        set -e
@@ -163,54 +149,70 @@ jobs:

          # Remove --- separators
          sed -i '/^---$/d' "$output_file"
+
+          # Remove trailing empty lines
+          sed -i '/^$/d' "$output_file"
        }

+        # Calculate expected versions for this release
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          EXPECTED_UI_VERSION="1.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+          EXPECTED_API_VERSION="1.$((${BASH_REMATCH[2]} + 1)).${BASH_REMATCH[3]}"
+
+          echo "Expected UI version for this release: $EXPECTED_UI_VERSION"
+          echo "Expected API version for this release: $EXPECTED_API_VERSION"
+        fi
+
        # Determine if components have changes for this specific release
-        if [ -n "$SDK_VERSION" ]; then
-          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="true"
-          echo "✓ SDK changes detected - version: $SDK_VERSION"
-          extract_changelog "prowler/CHANGELOG.md" "$SDK_VERSION" "prowler_changelog.md"
-        else
-          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="false"
-          echo "ℹ No SDK changes for this release"
-          touch "prowler_changelog.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
-          HAS_API_CHANGES="true"
-          echo "✓ API changes detected - version: $API_VERSION"
-          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
-        else
-          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
-          HAS_API_CHANGES="false"
-          echo "ℹ No API changes for this release"
-          touch "api_changelog.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
+        # UI has changes if its current version matches what we expect for this release
+        if [ -n "$UI_VERSION" ] && [ "$UI_VERSION" = "$EXPECTED_UI_VERSION" ]; then
          echo "HAS_UI_CHANGES=true" >> $GITHUB_ENV
-          HAS_UI_CHANGES="true"
-          echo "✓ UI changes detected - version: $UI_VERSION"
+          echo "✓ UI changes detected - version matches expected: $UI_VERSION"
          extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
        else
          echo "HAS_UI_CHANGES=false" >> $GITHUB_ENV
-          HAS_UI_CHANGES="false"
-          echo "ℹ No UI changes for this release"
+          echo "ℹ No UI changes for this release (current: $UI_VERSION, expected: $EXPECTED_UI_VERSION)"
          touch "ui_changelog.md"
        fi

-        if [ -n "$MCP_VERSION" ]; then
-          echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="true"
-          echo "✓ MCP changes detected - version: $MCP_VERSION"
-          extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+        # API has changes if its current version matches what we expect for this release
+        if [ -n "$API_VERSION" ] && [ "$API_VERSION" = "$EXPECTED_API_VERSION" ]; then
+          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ API changes detected - version matches expected: $API_VERSION"
+          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
+        else
+          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No API changes for this release (current: $API_VERSION, expected: $EXPECTED_API_VERSION)"
+          touch "api_changelog.md"
+        fi
+
+        # SDK has changes if its current version matches the input version
+        if [ -n "$SDK_VERSION" ] && [ "$SDK_VERSION" = "$PROWLER_VERSION" ]; then
+          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ SDK changes detected - version matches input: $SDK_VERSION"
+          extract_changelog "prowler/CHANGELOG.md" "$PROWLER_VERSION" "prowler_changelog.md"
+        else
+          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No SDK changes for this release (current: $SDK_VERSION, input: $PROWLER_VERSION)"
+          touch "prowler_changelog.md"
+        fi
+
+        # MCP has changes if the changelog references this Prowler version
+        # Check if the changelog contains "(Prowler X.Y.Z)" or "(Prowler UNRELEASED)"
+        if [ -f "mcp_server/CHANGELOG.md" ]; then
+          MCP_PROWLER_REF=$(grep -m 1 "^## \[.*\] (Prowler" mcp_server/CHANGELOG.md | sed -E 's/.*\(Prowler ([^)]+)\).*/\1/' | tr -d '[:space:]')
+          if [ "$MCP_PROWLER_REF" = "$PROWLER_VERSION" ] || [ "$MCP_PROWLER_REF" = "UNRELEASED" ]; then
+            echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
+            echo "✓ MCP changes detected - Prowler reference: $MCP_PROWLER_REF (version: $MCP_VERSION)"
+            extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+          else
+            echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
+            echo "ℹ No MCP changes for this release (Prowler reference: $MCP_PROWLER_REF, input: $PROWLER_VERSION)"
+            touch "mcp_changelog.md"
+          fi
        else
          echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="false"
-          echo "ℹ No MCP changes for this release"
+          echo "ℹ No MCP changelog found"
          touch "mcp_changelog.md"
        fi

@@ -245,14 +247,24 @@ jobs:
          echo "" >> combined_changelog.md
        fi

-        # Add fallback message if no changelogs were added
-        if [ ! -s combined_changelog.md ]; then
-          echo "No component changes detected for this release." >> combined_changelog.md
-        fi
-
        echo "Combined changelog preview:"
        cat combined_changelog.md

+    - name: Checkout release branch for patch release
+      if: ${{ env.PATCH_VERSION != '0' }}
+      run: |
+        echo "Patch release detected, checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists locally, checking out..."
+          git checkout "$BRANCH_NAME"
+        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for patch release $PROWLER_VERSION"
+          exit 1
+        fi
+
    - name: Verify SDK version in pyproject.toml
      run: |
        CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
@@ -306,16 +318,17 @@ jobs:
        fi
        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"

-    - name: Verify API version in api/src/backend/api/specs/v1.yaml
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
+    - name: Checkout release branch for minor release
+      if: ${{ env.PATCH_VERSION == '0' }}
      run: |
-        CURRENT_API_VERSION=$(grep '^  version: ' api/src/backend/api/specs/v1.yaml | sed -E 's/  version: ([0-9]+\.[0-9]+\.[0-9]+)/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in api/src/backend/api/specs/v1.yaml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+        echo "Minor release detected (patch = 0), checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for minor release $PROWLER_VERSION. Please create it manually first."
          exit 1
        fi
-        echo "✓ api/src/backend/api/specs/v1.yaml version: $CURRENT_API_VERSION"

    - name: Update API prowler dependency for minor release
      if: ${{ env.PATCH_VERSION == '0' }}
@@ -323,6 +336,13 @@ jobs:
        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')

+        # Create a temporary branch for the PR from the minor version branch
+        TEMP_BRANCH="update-api-dependency-$BRANCH_NAME_TRIMMED-$(date +%s)"
+        echo "TEMP_BRANCH=$TEMP_BRANCH" >> $GITHUB_ENV
+
+        # Create temp branch from the current minor version branch
+        git checkout -b "$TEMP_BRANCH"
+
        # Minor release: update the dependency to use the release branch
        echo "Updating prowler dependency from '$CURRENT_PROWLER_REF' to '$BRANCH_NAME_TRIMMED'"
        sed -i "s|prowler @ git+https://github.com/prowler-cloud/prowler.git@[^\"]*\"|prowler @ git+https://github.com/prowler-cloud/prowler.git@$BRANCH_NAME_TRIMMED\"|" api/pyproject.toml
@@ -340,19 +360,20 @@ jobs:
        poetry lock
        cd ..

+        # Commit and push the temporary branch
+        git add api/pyproject.toml api/poetry.lock
+        git commit -m "chore(api): update prowler dependency to $BRANCH_NAME_TRIMMED for release $PROWLER_VERSION"
+        git push origin "$TEMP_BRANCH"
+
        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"

    - name: Create PR for API dependency update
      if: ${{ env.PATCH_VERSION == '0' }}
-      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
      with:
        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-        commit-message: 'chore(api): update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}'
-        branch: update-api-dependency-${{ env.BRANCH_NAME }}-${{ github.run_number }}
+        branch: ${{ env.TEMP_BRANCH }}
        base: ${{ env.BRANCH_NAME }}
-        add-paths: |
-          api/pyproject.toml
-          api/poetry.lock
        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
        body: |
          ### Description
@@ -374,7 +395,7 @@ jobs:
          no-changelog

    - name: Create draft release
-      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
      with:
        tag_name: ${{ env.PROWLER_VERSION }}
        name: Prowler ${{ env.PROWLER_VERSION }}
@@ -385,6 +406,5 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Clean up temporary files
-      if: always()
      run: |
        rm -f prowler_changelog.md api_changelog.md ui_changelog.md mcp_changelog.md combined_changelog.md
--- a/.github/workflows/sdk-build-lint-push-containers.yml
+++ b/.github/workflows/sdk-build-lint-push-containers.yml
@@ -0,0 +1,202 @@
+name: SDK - Build and Push containers
+
+on:
+  push:
+    branches:
+      # For `v3-latest`
+      - "v3"
+      # For `v4-latest`
+      - "v4.6"
+      # For `latest`
+      - "master"
+    paths-ignore:
+      - ".github/**"
+      - "README.md"
+      - "docs/**"
+      - "ui/**"
+      - "api/**"
+
+  release:
+    types: [published]
+
+env:
+  # AWS Configuration
+  AWS_REGION_STG: eu-west-1
+  AWS_REGION_PLATFORM: eu-west-1
+  AWS_REGION: us-east-1
+
+  # Container's configuration
+  IMAGE_NAME: prowler
+  DOCKERFILE_PATH: ./Dockerfile
+
+  # Tags
+  LATEST_TAG: latest
+  STABLE_TAG: stable
+  # The RELEASE_TAG is set during runtime in releases
+  RELEASE_TAG: ""
+  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
+  PROWLER_VERSION: ""
+  PROWLER_VERSION_MAJOR: ""
+  # TEMPORARY_TAG: temporary
+
+  # Python configuration
+  PYTHON_VERSION: 3.12
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
+
+jobs:
+  # Build Prowler OSS container
+  container-build-push:
+    # needs: dockerfile-linter
+    runs-on: ubuntu-latest
+    outputs:
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry
+        run: |
+          pipx install poetry==2.*
+          pipx inject poetry poetry-bumpversion
+
+      - name: Get Prowler version
+        id: get-prowler-version
+        run: |
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+
+          # Store prowler version major just for the release
+          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+
+          case ${PROWLER_VERSION_MAJOR} in
+          3)
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              ;;
+
+
+          4)
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
+              ;;
+
+          5)
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              ;;
+
+          *)
+              # Fallback if any other version is present
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push container image (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          # Use local context to get changes
+          # https://github.com/docker/build-push-action#path-context
+          context: .
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+#      - name: Push README to Docker Hub (toniblyx)
+#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#          repository: ${{ env.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}
+#          readme-filepath: ./README.md
+#
+#      - name: Push README to Docker Hub (prowlercloud)
+#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#          repository: ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}
+#          readme-filepath: ./README.md
+
+  dispatch-action:
+    needs: container-build-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest commit info (latest)
+        if: github.event_name == 'push'
+        run: |
+          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
+          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
+
+      - name: Dispatch event (latest)
+        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
+
+      - name: Dispatch event (release)
+        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
--- a/.github/workflows/sdk-bump-version.yml
+++ b/.github/workflows/sdk-bump-version.yml
@@ -1,215 +1,146 @@
-name: 'SDK: Bump Version'
+name: SDK - Bump Version

 on:
  release:
-    types:
-      - 'published'
+    types: [published]

-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false

 env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

 jobs:
-  detect-release-type:
+  bump-version:
+    name: Bump Version
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
    steps:
-      - name: Detect release type and parse version
-        id: detect
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Get Prowler version
+        shell: bash
        run: |
          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
            MAJOR_VERSION=${BASH_REMATCH[1]}
            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
+            FIX_VERSION=${BASH_REMATCH[3]}

-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+            # Export version components to GitHub environment
+            echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
+            echo "MINOR_VERSION=${MINOR_VERSION}" >> "${GITHUB_ENV}"
+            echo "FIX_VERSION=${FIX_VERSION}" >> "${GITHUB_ENV}"

-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
+            if (( MAJOR_VERSION == 5 )); then
+                if (( FIX_VERSION == 0 )); then
+                  echo "Minor Release: $PROWLER_VERSION"

-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
+                  # Set up next minor version for master
+                  BUMP_VERSION_TO=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).${FIX_VERSION}
+                  echo "BUMP_VERSION_TO=${BUMP_VERSION_TO}" >> "${GITHUB_ENV}"
+
+                  TARGET_BRANCH=${BASE_BRANCH}
+                  echo "TARGET_BRANCH=${TARGET_BRANCH}" >> "${GITHUB_ENV}"
+
+                  # Set up patch version for version branch
+                  PATCH_VERSION_TO=${MAJOR_VERSION}.${MINOR_VERSION}.1
+                  echo "PATCH_VERSION_TO=${PATCH_VERSION_TO}" >> "${GITHUB_ENV}"
+
+                  VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+                  echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+                  echo "Bumping to next minor version: ${BUMP_VERSION_TO} in branch ${TARGET_BRANCH}"
+                  echo "Bumping to next patch version: ${PATCH_VERSION_TO} in branch ${VERSION_BRANCH}"
+                else
+                  echo "Patch Release: $PROWLER_VERSION"
+
+                  BUMP_VERSION_TO=${MAJOR_VERSION}.${MINOR_VERSION}.$((FIX_VERSION + 1))
+                  echo "BUMP_VERSION_TO=${BUMP_VERSION_TO}" >> "${GITHUB_ENV}"
+
+                  TARGET_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+                  echo "TARGET_BRANCH=${TARGET_BRANCH}" >> "${GITHUB_ENV}"
+
+                  echo "Bumping to next patch version: ${BUMP_VERSION_TO} in branch ${TARGET_BRANCH}"
+                fi
            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
+                echo "Releasing another Prowler major version, aborting..."
+                exit 1
            fi
          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
            exit 1
          fi

-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
+      - name: Bump versions in files
        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+            echo "Using PROWLER_VERSION=$PROWLER_VERSION"
+            echo "Using BUMP_VERSION_TO=$BUMP_VERSION_TO"

-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+            set -e

-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
+            echo "Bumping version in pyproject.toml ..."
+            sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${BUMP_VERSION_TO}\"|" pyproject.toml

-      - name: Bump versions in files for master
-        run: |
-          set -e
+            echo "Bumping version in prowler/config/config.py ..."
+            sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${BUMP_VERSION_TO}\"|" prowler/config/config.py

-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+            echo "Bumping version in .env ..."
+            sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${BUMP_VERSION_TO}|" .env

-          echo "Files modified:"
-          git --no-pager diff
+            git --no-pager diff

-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
+            author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+            token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+            base: ${{ env.TARGET_BRANCH }}
+            commit-message: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
+            branch: "version-bump-to-v${{ env.BUMP_VERSION_TO }}"
+            title: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
+            labels: no-changelog
+            body: |
+              ### Description

-            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+              Bump Prowler version to v${{ env.BUMP_VERSION_TO }}

-            ### License
+              ### License

-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+              By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Handle patch version for minor release
+        if: env.FIX_VERSION == '0'
+        run: |
+            echo "Using PROWLER_VERSION=$PROWLER_VERSION"
+            echo "Using PATCH_VERSION_TO=$PATCH_VERSION_TO"
+
+            set -e
+
+            echo "Bumping version in pyproject.toml ..."
+            sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${PATCH_VERSION_TO}\"|" pyproject.toml
+
+            echo "Bumping version in prowler/config/config.py ..."
+            sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${PATCH_VERSION_TO}\"|" prowler/config/config.py
+
+            echo "Bumping version in .env ..."
+            sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PATCH_VERSION_TO}|" .env
+
+            git --no-pager diff
+
+      - name: Create Pull Request for patch version
+        if: env.FIX_VERSION == '0'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+            author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+            token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+            base: ${{ env.VERSION_BRANCH }}
+            commit-message: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
+            branch: "version-bump-to-v${{ env.PATCH_VERSION_TO }}"
+            title: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
+            labels: no-changelog
+            body: |
+              ### Description

-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
+              Bump Prowler version to v${{ env.PATCH_VERSION_TO }}

-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+              ### License

-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+              By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.github/workflows/sdk-code-quality.yml
+++ b/.github/workflows/sdk-code-quality.yml
@@ -1,90 +0,0 @@
-name: 'SDK: Code Quality'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-code-quality:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.9'
-          - '3.10'
-          - '3.11'
-          - '3.12'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: |
-          poetry install --no-root
-          poetry run pip list
-
-      - name: Check Poetry lock file
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry check --lock
-
-      - name: Lint with flake8
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api,skills
-
-      - name: Check format with black
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run black --exclude api ui skills --check .
-
-      - name: Lint with pylint
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
--- a/.github/workflows/sdk-codeql.yml
+++ b/.github/workflows/sdk-codeql.yml
@@ -1,41 +1,44 @@
-name: 'SDK: CodeQL'
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: SDK - CodeQL

 on:
  push:
    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - '.github/workflows/sdk-codeql.yml'
-      - '.github/codeql/sdk-codeql-config.yml'
-      - '!prowler/CHANGELOG.md'
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+    paths-ignore:
+      - 'ui/**'
+      - 'api/**'
+      - '.github/**'
  pull_request:
    branches:
-      - 'master'
-      - 'v5.*'
-    paths:
-      - 'prowler/**'
-      - 'tests/**'
-      - 'pyproject.toml'
-      - '.github/workflows/sdk-codeql.yml'
-      - '.github/codeql/sdk-codeql-config.yml'
-      - '!prowler/CHANGELOG.md'
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+    paths-ignore:
+      - 'ui/**'
+      - 'api/**'
+      - '.github/**'
  schedule:
    - cron: '00 12 * * *'

-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
-  sdk-analyze:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: CodeQL Security Analysis
+  analyze:
+    name: Analyze
    runs-on: ubuntu-latest
-    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -44,20 +47,21 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language:
-          - 'python'
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql/sdk-codeql-config.yml
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/sdk-codeql-config.yml

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
-        with:
-          category: '/language:${{ matrix.language }}'
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+      with:
+        category: "/language:${{matrix.language}}"
--- a/.github/workflows/sdk-container-build-push.yml
+++ b/.github/workflows/sdk-container-build-push.yml
@@ -1,311 +0,0 @@
-name: 'SDK: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'v3'      # For v3-latest
-      - 'v4.6'    # For v4-latest
-      - 'master'  # For latest
-    paths-ignore:
-      - '.github/**'
-      - '!.github/workflows/sdk-container-build-push.yml'
-      - 'README.md'
-      - 'docs/**'
-      - 'ui/**'
-      - 'api/**'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Container configuration
-  IMAGE_NAME: prowler
-  DOCKERFILE_PATH: ./Dockerfile
-
-  # Python configuration
-  PYTHON_VERSION: '3.12'
-
-  # Tags (dynamically set based on version)
-  LATEST_TAG: latest
-  STABLE_TAG: stable
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
-
-  # AWS configuration (for ECR)
-  AWS_REGION: us-east-1
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
-      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
-      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
-      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install Poetry
-        run: |
-          pipx install poetry==2.1.1
-          pipx inject poetry poetry-bumpversion
-
-      - name: Get Prowler version and set tags
-        id: get-prowler-version
-        run: |
-          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
-          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Extract major version
-          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
-          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
-
-          # Set version-specific tags
-          case ${PROWLER_VERSION_MAJOR} in
-            3)
-              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
-              ;;
-            4)
-              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
-              ;;
-            5)
-              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v5 detected - tags: latest, stable"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
-              exit 1
-              ;;
-          esac
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 45
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push SDK container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          file: ${{ env.DOCKERFILE_PATH }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  dispatch-v3-deployment:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Calculate short SHA
-        id: short-sha
-        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-      - name: Dispatch v3 deployment (latest)
-        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
-
-      - name: Dispatch v3 deployment (release)
-        if: github.event_name == 'release'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'
--- a/.github/workflows/sdk-container-checks.yml
+++ b/.github/workflows/sdk-container-checks.yml
@@ -1,113 +0,0 @@
-name: 'SDK: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  IMAGE_NAME: prowler
-
-jobs:
-  sdk-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: Dockerfile
-          ignore: DL3013
-
-  sdk-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build SDK container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'
--- a/.github/workflows/sdk-pull-request.yml
+++ b/.github/workflows/sdk-pull-request.yml
@@ -0,0 +1,286 @@
+name: SDK - Pull Request
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+  pull_request:
+    branches:
+      - "master"
+      - "v3"
+      - "v4.*"
+      - "v5.*"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            docs/**
+            permissions/**
+            api/**
+            ui/**
+            prowler/CHANGELOG.md
+            README.md
+            mkdocs.yml
+            .backportrc.json
+            .env
+            docker-compose*
+            examples/**
+            .gitignore
+
+      - name: Install poetry
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          python -m pip install --upgrade pip
+          pipx install poetry==2.1.1
+
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry install --no-root
+          poetry run pip list
+          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+            grep '"tag_name":' | \
+            sed -E 's/.*"v([^"]+)".*/\1/' \
+            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
+            && chmod +x /tmp/hadolint
+
+      - name: Poetry check
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry check --lock
+
+      - name: Lint with flake8
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api
+
+      - name: Checking format with black
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run black --exclude api ui --check .
+
+      - name: Lint with pylint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+
+      - name: Bandit
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
+
+      - name: Safety
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run safety check --ignore 70612 -r pyproject.toml
+
+      - name: Vulture
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
+
+      - name: Dockerfile - Check if Dockerfile has changed
+        id: dockerfile-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            Dockerfile
+
+      - name: Hadolint
+        if: steps.dockerfile-changed-files.outputs.any_changed == 'true'
+        run: |
+          /tmp/hadolint Dockerfile --ignore=DL3013
+
+      # Test AWS
+      - name: AWS - Check if any file has changed
+        id: aws-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/aws/**
+            ./tests/providers/aws/**
+            ./poetry.lock
+
+      - name: AWS - Test
+        if: steps.aws-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+
+      # Test Azure
+      - name: Azure - Check if any file has changed
+        id: azure-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/azure/**
+            ./tests/providers/azure/**
+            ./poetry.lock
+
+      - name: Azure - Test
+        if: steps.azure-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
+
+      # Test GCP
+      - name: GCP - Check if any file has changed
+        id: gcp-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/gcp/**
+            ./tests/providers/gcp/**
+            ./poetry.lock
+
+      - name: GCP - Test
+        if: steps.gcp-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
+
+      # Test Kubernetes
+      - name: Kubernetes - Check if any file has changed
+        id: kubernetes-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/kubernetes/**
+            ./tests/providers/kubernetes/**
+            ./poetry.lock
+
+      - name: Kubernetes - Test
+        if: steps.kubernetes-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
+
+      # Test GitHub
+      - name: GitHub - Check if any file has changed
+        id: github-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/github/**
+            ./tests/providers/github/**
+            ./poetry.lock
+
+      - name: GitHub - Test
+        if: steps.github-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
+
+      # Test NHN
+      - name: NHN - Check if any file has changed
+        id: nhn-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/nhn/**
+            ./tests/providers/nhn/**
+            ./poetry.lock
+
+      - name: NHN - Test
+        if: steps.nhn-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
+
+      # Test M365
+      - name: M365 - Check if any file has changed
+        id: m365-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/m365/**
+            ./tests/providers/m365/**
+            ./poetry.lock
+
+      - name: M365 - Test
+        if: steps.m365-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
+
+      # Test IaC
+      - name: IaC - Check if any file has changed
+        id: iac-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/iac/**
+            ./tests/providers/iac/**
+            ./poetry.lock
+
+      - name: IaC - Test
+        if: steps.iac-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
+
+      # Test MongoDB Atlas
+      - name: MongoDB Atlas - Check if any file has changed
+        id: mongodb-atlas-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/mongodbatlas/**
+            ./tests/providers/mongodbatlas/**
+            .poetry.lock
+
+      - name: MongoDB Atlas - Test
+        if: steps.mongodb-atlas-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodb_atlas_coverage.xml tests/providers/mongodbatlas
+
+      # Test OCI
+      - name: OCI - Check if any file has changed
+        id: oci-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/oraclecloud/**
+            ./tests/providers/oraclecloud/**
+            ./poetry.lock
+
+      - name: OCI - Test
+        if: steps.oci-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oci_coverage.xml tests/providers/oraclecloud
+
+      # Common Tests
+      - name: Lib - Test
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
+
+      - name: Config - Test
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
+
+      # Codecov
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler
+          files: ./aws_coverage.xml,./azure_coverage.xml,./gcp_coverage.xml,./kubernetes_coverage.xml,./github_coverage.xml,./nhn_coverage.xml,./m365_coverage.xml,./oci_coverage.xml,./lib_coverage.xml,./config_coverage.xml
--- a/.github/workflows/sdk-pypi-release.yml
+++ b/.github/workflows/sdk-pypi-release.yml
@@ -1,119 +1,98 @@
-name: 'SDK: PyPI Release'
+name: SDK - PyPI release

 on:
  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
+    types: [published]

 env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: 3.11
+  # CACHE: "poetry"

 jobs:
-  validate-release:
-    if: github.repository == 'prowler-cloud/prowler'
+  repository-check:
+    name: Repository check
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
    outputs:
-      prowler_version: ${{ steps.parse-version.outputs.version }}
-      major_version: ${{ steps.parse-version.outputs.major }}
-
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
    steps:
-      - name: Parse and validate version
-        id: parse-version
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  release-prowler-job:
+    runs-on: ubuntu-latest
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+    name: Release Prowler to PyPI
+    steps:
+      - name: Repository check
+        working-directory: /tmp
+        run: |
+              if [[ "${{ github.repository }}" != "prowler-cloud/prowler" ]]; then
+                  echo "This action only runs for prowler-cloud/prowler"
+                  exit 1
+              fi
+
+      - name: Get Prowler version
        run: |
          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
-          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

-          # Extract major version
-          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
-          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-
-          # Validate major version
-          case ${MAJOR_VERSION} in
-            3|4|5)
-              echo "✓ Releasing Prowler v${MAJOR_VERSION} with tag ${PROWLER_VERSION}"
+          case ${PROWLER_VERSION%%.*} in
+          3)
+              echo "Releasing Prowler v3 with tag ${PROWLER_VERSION}"
              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
+          4)
+              echo "Releasing Prowler v4 with tag ${PROWLER_VERSION}"
+              ;;
+          5)
+              echo "Releasing Prowler v5 with tag ${PROWLER_VERSION}"
+              ;;
+          *)
+              echo "Releasing another Prowler major version, aborting..."
              exit 1
              ;;
          esac

-  publish-prowler:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler
-      url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Install dependencies
+        run: |
+          pipx install poetry==2.1.1

-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - name: Setup Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'poetry'
+          # cache: ${{ env.CACHE }}

      - name: Build Prowler package
-        run: poetry build
+        run: |
+          poetry build

      - name: Publish Prowler package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          print-hash: true
-
-  publish-prowler-cloud:
-    needs: validate-release
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: pypi-prowler-cloud
-      url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'poetry'
-
-      - name: Install toml package
-        run: pip install toml
-
-      - name: Replicate PyPI package for prowler-cloud
        run: |
-          rm -rf ./dist ./build prowler.egg-info
-          python util/replicate_pypi_package.py
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish

-      - name: Build prowler-cloud package
-        run: poetry build
+      - name: Replicate PyPI package
+        run: |
+          rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+          pip install toml
+          python util/replicate_pypi_package.py
+          poetry build

      - name: Publish prowler-cloud package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          print-hash: true
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish
--- a/.github/workflows/sdk-refresh-aws-services-regions.yml
+++ b/.github/workflows/sdk-refresh-aws-services-regions.yml
@@ -1,90 +1,68 @@
-name: 'SDK: Refresh AWS Regions'
+# This is a basic workflow to help you get started with Actions
+
+name: SDK - Refresh AWS services' regions

 on:
  schedule:
-    - cron: '0 9 * * 1' # Every Monday at 09:00 UTC
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
+    - cron: "0 9 * * 1" # runs at 09:00 UTC every Monday

 env:
-  PYTHON_VERSION: '3.12'
-  AWS_REGION: 'us-east-1'
+  GITHUB_BRANCH: "master"
+  AWS_REGION_DEV: us-east-1

+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  refresh-aws-regions:
-    if: github.repository == 'prowler-cloud/prowler'
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
    runs-on: ubuntu-latest
-    timeout-minutes: 15
    permissions:
      id-token: write
      pull-requests: write
      contents: write
-
+    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
-          ref: 'master'
+          ref: ${{ env.GITHUB_BRANCH }}

-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - name: setup python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'pip'
+          python-version: 3.9 #install the python needed

      - name: Install dependencies
-        run: pip install boto3
+        run: |
+          python -m pip install --upgrade pip
+          pip install boto3

-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+      - name: Configure AWS Credentials -- DEV
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
-          aws-region: ${{ env.AWS_REGION }}
+          aws-region: ${{ env.AWS_REGION_DEV }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
-          role-session-name: prowler-refresh-aws-regions
+          role-session-name: refresh-AWS-regions-dev

-      - name: Update AWS services regions
-        run: python util/update_aws_services_regions.py
+      # Runs a single command using the runners shell
+      - name: Run a one-line script
+        run: python3 util/update_aws_services_regions.py

-      - name: Create pull request
-        id: create-pr
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+      # Create pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          author: 'prowler-bot <179230569+prowler-bot@users.noreply.github.com>'
-          committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
-          commit-message: 'feat(aws): update regions for AWS services'
-          branch: 'aws-regions-update-${{ github.run_number }}'
-          title: 'feat(aws): Update regions for AWS services'
-          labels: |
-            status/waiting-for-revision
-            severity/low
-            provider/aws
-            no-changelog
+          commit-message: "feat(regions_update): Update regions for AWS services"
+          branch: "aws-services-regions-updated-${{ github.sha }}"
+          labels: "status/waiting-for-revision, severity/low, provider/aws, no-changelog"
+          title: "chore(regions_update): Changes in regions for AWS services"
          body: |
            ### Description

-            Automated update of AWS service regions from the official AWS IP ranges.
-
-            **Trigger:** ${{ github.event_name == 'schedule' && 'Scheduled (weekly)' || github.event_name == 'workflow_dispatch' && 'Manual' || 'Workflow update' }}
-            **Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-
-            ### Checklist
-
-            - [x] This is an automated update from AWS official sources
-            - [x] No manual review of region data required
+            This PR updates the regions for AWS services.

            ### License

            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: PR creation result
-        run: |
-          if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then
-            echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully"
-            echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}"
-          else
-            echo "✓ No changes detected - AWS regions are up to date"
-          fi
--- a/.github/workflows/sdk-security.yml
+++ b/.github/workflows/sdk-security.yml
@@ -1,79 +0,0 @@
-name: 'SDK: Security'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-security-scans:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: 
-            ./**
-            .github/workflows/sdk-security.yml
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python 3.12
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: '3.12'
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
-
-      - name: Security scan with Bandit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
-
-      - name: Security scan with Safety
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check -r pyproject.toml
-
-      - name: Dead code detection with Vulture
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
--- a/.github/workflows/sdk-tests.yml
+++ b/.github/workflows/sdk-tests.yml
@@ -1,461 +0,0 @@
-name: 'SDK: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  sdk-tests:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 120
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        python-version:
-          - '3.9'
-          - '3.10'
-          - '3.11'
-          - '3.12'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for SDK changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ./**
-          files_ignore: |
-            .github/**
-            prowler/CHANGELOG.md
-            docs/**
-            permissions/**
-            api/**
-            ui/**
-            dashboard/**
-            mcp_server/**
-            README.md
-            mkdocs.yml
-            .backportrc.json
-            .env
-            docker-compose*
-            examples/**
-            .gitignore
-            contrib/**
-
-      - name: Install Poetry
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
-
-      # AWS Provider
-      - name: Check if AWS files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-aws
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/aws/**
-            ./tests/**/aws/**
-            ./poetry.lock
-
-      - name: Resolve AWS services under test
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        id: aws-services
-        shell: bash
-        run: |
-          python3 <<'PY'
-          import os
-          from pathlib import Path
-
-          dependents = {
-              "acm": ["elb"],
-              "autoscaling": ["dynamodb"],
-              "awslambda": ["ec2", "inspector2"],
-              "backup": ["dynamodb", "ec2", "rds"],
-              "cloudfront": ["shield"],
-              "cloudtrail": ["awslambda", "cloudwatch"],
-              "cloudwatch": ["bedrock"],
-              "ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "rds", "redshift", "route53", "shield", "ssm"],
-              "ecr": ["inspector2"],
-              "elb": ["shield"],
-              "elbv2": ["shield"],
-              "globalaccelerator": ["shield"],
-              "iam": ["bedrock", "cloudtrail", "cloudwatch", "codebuild"],
-              "kafka": ["firehose"],
-              "kinesis": ["firehose"],
-              "kms": ["kafka"],
-              "organizations": ["iam", "servicecatalog"],
-              "route53": ["shield"],
-              "s3": ["bedrock", "cloudfront", "cloudtrail", "macie"],
-              "ssm": ["ec2"],
-              "vpc": ["awslambda", "ec2", "efs", "elasticache", "neptune", "networkfirewall", "rds", "redshift", "workspaces"],
-              "waf": ["elbv2"],
-              "wafv2": ["cognito", "elbv2"],
-          }
-
-          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
-          # all_changed_files is space-separated, not newline-separated
-          # Strip leading "./" if present for consistent path handling
-          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
-
-          services = set()
-          run_all = False
-
-          for path in changed_files:
-              path_str = path.as_posix()
-              parts = path.parts
-              if path_str.startswith("prowler/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("tests/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("prowler/providers/aws/") or path_str.startswith("tests/providers/aws/"):
-                  run_all = True
-
-          # Expand with direct dependent services (one level only)
-          # We only test services that directly depend on the changed services,
-          # not transitive dependencies (services that depend on dependents)
-          original_services = set(services)
-          for svc in original_services:
-              for dep in dependents.get(svc, []):
-                  services.add(dep)
-
-          if run_all or not services:
-              run_all = True
-              services = set()
-
-          service_paths = " ".join(sorted(f"tests/providers/aws/services/{svc}" for svc in services))
-
-          output_lines = [
-              f"run_all={'true' if run_all else 'false'}",
-              f"services={' '.join(sorted(services))}",
-              f"service_paths={service_paths}",
-          ]
-
-          with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
-              for line in output_lines:
-                  gh_out.write(line + "\n")
-
-          print(f"AWS changed files (filtered): {changed_raw or 'none'}")
-          print(f"Run all AWS tests: {run_all}")
-          if services:
-              print(f"AWS service test paths: {service_paths}")
-          else:
-              print("AWS service test paths: none detected")
-          PY
-
-      - name: Run AWS tests
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        run: |
-          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
-          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"
-
-          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
-            echo "No AWS service paths detected; skipping AWS tests."
-          else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
-          fi
-
-      - name: Upload AWS coverage to Codecov
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-aws
-          files: ./aws_coverage.xml
-
-      # Azure Provider
-      - name: Check if Azure files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-azure
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/azure/**
-            ./tests/**/azure/**
-            ./poetry.lock
-
-      - name: Run Azure tests
-        if: steps.changed-azure.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure
-
-      - name: Upload Azure coverage to Codecov
-        if: steps.changed-azure.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-azure
-          files: ./azure_coverage.xml
-
-      # GCP Provider
-      - name: Check if GCP files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-gcp
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/gcp/**
-            ./tests/**/gcp/**
-            ./poetry.lock
-
-      - name: Run GCP tests
-        if: steps.changed-gcp.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp
-
-      - name: Upload GCP coverage to Codecov
-        if: steps.changed-gcp.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-gcp
-          files: ./gcp_coverage.xml
-
-      # Kubernetes Provider
-      - name: Check if Kubernetes files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-kubernetes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/kubernetes/**
-            ./tests/**/kubernetes/**
-            ./poetry.lock
-
-      - name: Run Kubernetes tests
-        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes
-
-      - name: Upload Kubernetes coverage to Codecov
-        if: steps.changed-kubernetes.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-kubernetes
-          files: ./kubernetes_coverage.xml
-
-      # GitHub Provider
-      - name: Check if GitHub files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-github
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/github/**
-            ./tests/**/github/**
-            ./poetry.lock
-
-      - name: Run GitHub tests
-        if: steps.changed-github.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github
-
-      - name: Upload GitHub coverage to Codecov
-        if: steps.changed-github.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-github
-          files: ./github_coverage.xml
-
-      # NHN Provider
-      - name: Check if NHN files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-nhn
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/nhn/**
-            ./tests/**/nhn/**
-            ./poetry.lock
-
-      - name: Run NHN tests
-        if: steps.changed-nhn.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn
-
-      - name: Upload NHN coverage to Codecov
-        if: steps.changed-nhn.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-nhn
-          files: ./nhn_coverage.xml
-
-      # M365 Provider
-      - name: Check if M365 files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-m365
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/m365/**
-            ./tests/**/m365/**
-            ./poetry.lock
-
-      - name: Run M365 tests
-        if: steps.changed-m365.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365
-
-      - name: Upload M365 coverage to Codecov
-        if: steps.changed-m365.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-m365
-          files: ./m365_coverage.xml
-
-      # IaC Provider
-      - name: Check if IaC files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-iac
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/iac/**
-            ./tests/**/iac/**
-            ./poetry.lock
-
-      - name: Run IaC tests
-        if: steps.changed-iac.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
-
-      - name: Upload IaC coverage to Codecov
-        if: steps.changed-iac.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-iac
-          files: ./iac_coverage.xml
-
-      # MongoDB Atlas Provider
-      - name: Check if MongoDB Atlas files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/mongodbatlas/**
-            ./tests/**/mongodbatlas/**
-            ./poetry.lock
-
-      - name: Run MongoDB Atlas tests
-        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodbatlas_coverage.xml tests/providers/mongodbatlas
-
-      - name: Upload MongoDB Atlas coverage to Codecov
-        if: steps.changed-mongodbatlas.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-mongodbatlas
-          files: ./mongodbatlas_coverage.xml
-
-      # OCI Provider
-      - name: Check if OCI files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-oraclecloud
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/**/oraclecloud/**
-            ./tests/**/oraclecloud/**
-            ./poetry.lock
-
-      - name: Run OCI tests
-        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/providers/oraclecloud --cov-report=xml:oraclecloud_coverage.xml tests/providers/oraclecloud
-
-      - name: Upload OCI coverage to Codecov
-        if: steps.changed-oraclecloud.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-oraclecloud
-          files: ./oraclecloud_coverage.xml
-
-      # Lib
-      - name: Check if Lib files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-lib
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/lib/**
-            ./tests/lib/**
-            ./poetry.lock
-
-      - name: Run Lib tests
-        if: steps.changed-lib.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
-
-      - name: Upload Lib coverage to Codecov
-        if: steps.changed-lib.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-lib
-          files: ./lib_coverage.xml
-
-      # Config
-      - name: Check if Config files changed
-        if: steps.check-changes.outputs.any_changed == 'true'
-        id: changed-config
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ./prowler/config/**
-            ./tests/config/**
-            ./poetry.lock
-
-      - name: Run Config tests
-        if: steps.changed-config.outputs.any_changed == 'true'
-        run: poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config
-
-      - name: Upload Config coverage to Codecov
-        if: steps.changed-config.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        with:
-          flags: prowler-py${{ matrix.python-version }}-config
-          files: ./config_coverage.xml
--- a/.github/workflows/ui-build-lint-push-containers.yml
+++ b/.github/workflows/ui-build-lint-push-containers.yml
@@ -0,0 +1,121 @@
+name: UI - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "ui/**"
+      - ".github/workflows/ui-build-lint-push-containers.yml"
+
+  # Uncomment the below code to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "ui/**"
+  #     - ".github/workflows/ui-build-lint-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  STABLE_TAG: stable
+
+  WORKING_DIRECTORY: ./ui
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
+  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  # Build Prowler OSS container
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ env.SHORT_SHA }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trigger deployment
+        if: github.event_name == 'push'
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+        with:
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          repository: ${{ secrets.CLOUD_DISPATCH }}
+          event-type: prowler-ui-deploy
+          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ env.SHORT_SHA }}"}'
--- a/.github/workflows/ui-bump-version.yml
+++ b/.github/workflows/ui-bump-version.yml
@@ -1,221 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.github/workflows/ui-codeql.yml
+++ b/.github/workflows/ui-codeql.yml
@@ -1,37 +1,36 @@
-name: 'UI: CodeQL'
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: UI - CodeQL

 on:
  push:
    branches:
-      - 'master'
-      - 'v5.*'
+      - "master"
+      - "v5.*"
    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-codeql.yml'
-      - '.github/codeql/ui-codeql-config.yml'
-      - '!ui/CHANGELOG.md'
+      - "ui/**"
  pull_request:
    branches:
-      - 'master'
-      - 'v5.*'
+      - "master"
+      - "v5.*"
    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-codeql.yml'
-      - '.github/codeql/ui-codeql-config.yml'
-      - '!ui/CHANGELOG.md'
+      - "ui/**"
  schedule:
-    - cron: '00 12 * * *'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+    - cron: "00 12 * * *"

 jobs:
-  ui-analyze:
-    if: github.repository == 'prowler-cloud/prowler'
-    name: CodeQL Security Analysis
+  analyze:
+    name: Analyze
    runs-on: ubuntu-latest
-    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -40,20 +39,21 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language:
-          - 'javascript-typescript'
+        language: ["javascript"]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

+      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
-          category: '/language:${{ matrix.language }}'
+          category: "/language:${{matrix.language}}"
--- a/.github/workflows/ui-container-build-push.yml
+++ b/.github/workflows/ui-container-build-push.yml
@@ -1,220 +0,0 @@
-name: 'UI: Container Build and Push'
-
-on:
-  push:
-    branches:
-      - 'master'
-    paths:
-      - 'ui/**'
-      - '.github/workflows/ui-container-build-push.yml'
-  release:
-    types:
-      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  # Tags
-  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
-  STABLE_TAG: stable
-  WORKING_DIRECTORY: ./ui
-
-  # Container registries
-  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
-  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
-
-  # Build args
-  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
-
-jobs:
-  setup:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
-    steps:
-      - name: Calculate short SHA
-        id: set-short-sha
-        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: UI
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build and push UI container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.WORKING_DIRECTORY }}
-          build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ (github.event_name == 'release' || github.event_name == 'workflow_dispatch') && format('v{0}', env.RELEASE_TAG) || needs.setup.outputs.short-sha }}
-            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
-          push: true
-          platforms: ${{ matrix.platform }}
-          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
-          COMPONENT: UI
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  trigger-deployment:
-    needs: [setup, container-build-push]
-    if: always() && github.event_name == 'push' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger UI deployment
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.CLOUD_DISPATCH }}
-          event-type: ui-prowler-deployment
-          client-payload: '{"sha": "${{ github.sha }}", "short_sha": "${{ needs.setup.outputs.short-sha }}"}'
--- a/.github/workflows/ui-container-checks.yml
+++ b/.github/workflows/ui-container-checks.yml
@@ -1,103 +0,0 @@
-name: 'UI: Container Checks'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  UI_WORKING_DIR: ./ui
-  IMAGE_NAME: prowler-ui
-
-jobs:
-  ui-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check if Dockerfile changed
-        id: dockerfile-changed
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ui/Dockerfile
-
-      - name: Lint Dockerfile with Hadolint
-        if: steps.dockerfile-changed.outputs.any_changed == 'true'
-        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
-        with:
-          dockerfile: ui/Dockerfile
-          ignore: DL3018
-
-  ui-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 30
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for UI changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: ui/**
-          files_ignore: |
-            ui/CHANGELOG.md
-            ui/README.md
-
-      - name: Set up Docker Buildx
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Build UI container for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: ${{ env.UI_WORKING_DIR }}
-          target: prod
-          push: false
-          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-          build-args: |
-            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
-
-      - name: Scan UI container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: ./.github/actions/trivy-scan
-        with:
-          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
-          fail-on-critical: 'false'
-          severity: 'CRITICAL'
--- a/.github/workflows/ui-e2e-tests.yml
+++ b/.github/workflows/ui-e2e-tests.yml
@@ -10,7 +10,6 @@ on:
      - 'ui/**'

 jobs:
-
  e2e-tests:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
@@ -19,65 +18,11 @@ jobs:
      AUTH_TRUST_HOST: true
      NEXTAUTH_URL: 'http://localhost:3000'
      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
-      E2E_ADMIN_USER: ${{ secrets.E2E_ADMIN_USER }}
-      E2E_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD }}
-      E2E_AWS_PROVIDER_ACCOUNT_ID: ${{ secrets.E2E_AWS_PROVIDER_ACCOUNT_ID }}
-      E2E_AWS_PROVIDER_ACCESS_KEY: ${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}
-      E2E_AWS_PROVIDER_SECRET_KEY: ${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}
-      E2E_AWS_PROVIDER_ROLE_ARN: ${{ secrets.E2E_AWS_PROVIDER_ROLE_ARN }}
-      E2E_AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
-      E2E_AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID }}
-      E2E_AZURE_SECRET_ID: ${{ secrets.E2E_AZURE_SECRET_ID }}
-      E2E_AZURE_TENANT_ID: ${{ secrets.E2E_AZURE_TENANT_ID }}
-      E2E_M365_DOMAIN_ID: ${{ secrets.E2E_M365_DOMAIN_ID }}
-      E2E_M365_CLIENT_ID: ${{ secrets.E2E_M365_CLIENT_ID }}
-      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
-      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
-      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
-        with:
-          cluster_name: kind
-      - name: Modify kubeconfig
-        run: |
-            # Modify the kubeconfig to use the kind cluster server to https://kind-control-plane:6443
-            # from worker service into docker-compose.yml
-            kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-            kubectl config view
-      - name: Add network kind to docker compose
-        run: |
-          # Add the network kind to the docker compose to interconnect to kind cluster
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          # Add network kind to worker service and default network too
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Fix API data directory permissions
        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-      - name: Add AWS credentials for testing AWS SDK Default Adding Provider
-        run: |
-          echo "Adding AWS credentials for testing AWS SDK Default Adding Provider..."
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
      - name: Start API services
        run: |
          # Override docker-compose image tag to use latest instead of stable
@@ -114,47 +59,34 @@ jobs:
            echo "All database fixtures loaded successfully!"
          '
      - name: Setup Node.js environment
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: '20.x'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-      - name: Get pnpm store directory
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - name: Setup pnpm cache
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
      - name: Install UI dependencies
        working-directory: ./ui
-        run: pnpm install --frozen-lockfile
+        run: npm ci
      - name: Build UI application
        working-directory: ./ui
-        run: pnpm run build
+        run: npm run build
      - name: Cache Playwright browsers
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
      - name: Install Playwright browsers
        working-directory: ./ui
        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm run test:e2e:install
+        run: npm run test:e2e:install
      - name: Run E2E tests
        working-directory: ./ui
-        run: pnpm run test:e2e
+        run: npm run test:e2e
      - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: failure()
        with:
          name: playwright-report
--- a/.github/workflows/ui-pull-request.yml
+++ b/.github/workflows/ui-pull-request.yml
@@ -0,0 +1,65 @@
+name: UI - Pull Request
+
+on:
+  push:
+    branches:
+      - "master"
+      - "v5.*"
+    paths:
+      - ".github/workflows/ui-pull-request.yml"
+      - "ui/**"
+  pull_request:
+    branches:
+      - master
+      - "v5.*"
+    paths:
+      - 'ui/**'
+env:
+  UI_WORKING_DIR: ./ui
+  IMAGE_NAME: prowler-ui
+
+jobs:
+  test-and-coverage:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        node-version: [20.x]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
+      - name: Install dependencies
+        working-directory: ./ui
+        run: npm ci
+      - name: Run Healthcheck
+        working-directory: ./ui
+        run: npm run healthcheck
+      - name: Build the application
+        working-directory: ./ui
+        run: npm run build
+
+  test-container-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Build Container
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.UI_WORKING_DIR }}
+          # Always build using `prod` target
+          target: prod
+          push: false
+          tags: ${{ env.IMAGE_NAME }}:latest
+          outputs: type=docker
+          build-args: |
+            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
--- a/.github/workflows/ui-tests.yml
+++ b/.github/workflows/ui-tests.yml
@@ -1,83 +0,0 @@
-name: 'UI: Tests'
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'v5.*'
-  pull_request:
-    branches:
-      - 'master'
-      - 'v5.*'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  UI_WORKING_DIR: ./ui
-  NODE_VERSION: '20.x'
-
-jobs:
-  ui-tests:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: ./ui
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Check for UI changes
-        id: check-changes
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
-        with:
-          files: |
-            ui/**
-            .github/workflows/ui-tests.yml
-          files_ignore: |
-            ui/CHANGELOG.md
-            ui/README.md
-
-      - name: Setup Node.js ${{ env.NODE_VERSION }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Setup pnpm
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Get pnpm store directory
-        if: steps.check-changes.outputs.any_changed == 'true'
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm cache
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm install --frozen-lockfile
-
-      - name: Run healthcheck
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run healthcheck
-
-      - name: Build application
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run build
--- a/.gitignore
+++ b/.gitignore
@@ -39,95 +39,21 @@ secrets-*/
 # JUnit Reports
 junit-reports/

-# Test and coverage artifacts
-*_coverage.xml
-pytest_*.xml
-.coverage
-htmlcov/
-
-# VSCode files and settings
+# VSCode files
 .vscode/
-*.code-workspace
-.vscode-test/

-# VSCode extension settings and workspaces
-.history/
-.ionide/
-
-# MCP Server Settings (various locations)
-**/cline_mcp_settings.json
-**/mcp_settings.json
-**/mcp-config.json
-**/mcpServers.json
-.mcp/
-
-# AI Coding Assistants - Cursor
+# Cursor files
 .cursorignore
 .cursor/
-.cursorrules

-# AI Coding Assistants - RooCode
+# RooCode files
 .roo/
 .rooignore
 .roomodes

-# AI Coding Assistants - Cline (formerly Claude Dev)
+# Cline files
 .cline/
 .clineignore
-.clinerules
-
-# AI Coding Assistants - Continue
-.continue/
-continue.json
-.continuerc
-.continuerc.json
-
-# AI Coding Assistants - OpenCode
-opencode.json
-
-# AI Coding Assistants - GitHub Copilot
-.copilot/
-.github/copilot/
-
-# AI Coding Assistants - Amazon Q Developer (formerly CodeWhisperer)
-.aws/
-.codewhisperer/
-.amazonq/
-.aws-toolkit/
-
-# AI Coding Assistants - Tabnine
-.tabnine/
-tabnine_config.json
-
-# AI Coding Assistants - Kiro
-.kiro/
-.kiroignore
-kiro.config.json
-
-# AI Coding Assistants - Aider
-.aider/
-.aider.chat.history.md
-.aider.input.history
-.aider.tags.cache.v3/
-
-# AI Coding Assistants - Windsurf
-.windsurf/
-.windsurfignore
-
-# AI Coding Assistants - Replit Agent
-.replit
-.replitignore
-
-# AI Coding Assistants - Supermaven
-.supermaven/
-
-# AI Coding Assistants - Sourcegraph Cody
-.cody/
-
-# AI Coding Assistants - General
-.ai/
-.aiconfig
-ai-config.json

 # Terraform
 .terraform*
@@ -138,6 +64,7 @@ ai-config.json
 ui/.env*
 api/.env*
 mcp_server/.env*
+.env.local

 # Coverage
 .coverage*
@@ -153,11 +80,9 @@ _data/
 # Claude
 CLAUDE.md

+# MCP Server
+mcp_server/prowler_mcp_server/prowler_app/server.py
+mcp_server/prowler_mcp_server/prowler_app/utils/schema.yaml
+
 # Compliance report
 *.pdf
-
-# AI Skills symlinks (generated by skills/setup.sh)
-.claude/skills
-.codex/skills
-.github/skills
-.gemini/skills
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,7 +34,6 @@ repos:
    rev: v2.3.1
    hooks:
      - id: autoflake
-        exclude: ^skills/
        args:
          [
            "--in-place",
@@ -46,20 +45,18 @@ repos:
    rev: 5.13.2
    hooks:
      - id: isort
-        exclude: ^skills/
        args: ["--profile", "black"]

  - repo: https://github.com/psf/black
    rev: 24.4.2
    hooks:
      - id: black
-        exclude: ^skills/

  - repo: https://github.com/pycqa/flake8
    rev: 7.0.0
    hooks:
      - id: flake8
-        exclude: (contrib|^skills/)
+        exclude: contrib
        args: ["--ignore=E266,W503,E203,E501,W605"]

  - repo: https://github.com/python-poetry/poetry
@@ -112,7 +109,7 @@ repos:
      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
        language: system
        files: '.*\.py'

@@ -126,15 +123,6 @@ repos:
      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
+        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
        language: system
        files: '.*\.py'
-
-      - id: ui-checks
-        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
-        entry: bash -c 'cd ui && .husky/pre-commit'
-        language: system
-        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
-        pass_filenames: false
-        verbose: true
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,83 +2,109 @@

 ## How to Use This Guide

- Start here for cross-project norms. Prowler is a monorepo with several components.
- Each component has an `AGENTS.md` file with specific guidelines (e.g., `api/AGENTS.md`, `ui/AGENTS.md`).
- Component docs override this file when guidance conflicts.
-
-## Available Skills
-
-Use these skills for detailed patterns on-demand:
-
-### Generic Skills (Any Project)
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `typescript` | Const types, flat interfaces, utility types | [SKILL.md](skills/typescript/SKILL.md) |
-| `react-19` | No useMemo/useCallback, React Compiler | [SKILL.md](skills/react-19/SKILL.md) |
-| `nextjs-15` | App Router, Server Actions, streaming | [SKILL.md](skills/nextjs-15/SKILL.md) |
-| `tailwind-4` | cn() utility, no var() in className | [SKILL.md](skills/tailwind-4/SKILL.md) |
-| `playwright` | Page Object Model, MCP workflow, selectors | [SKILL.md](skills/playwright/SKILL.md) |
-| `pytest` | Fixtures, mocking, markers, parametrize | [SKILL.md](skills/pytest/SKILL.md) |
-| `django-drf` | ViewSets, Serializers, Filters | [SKILL.md](skills/django-drf/SKILL.md) |
-| `zod-4` | New API (z.email(), z.uuid()) | [SKILL.md](skills/zod-4/SKILL.md) |
-| `zustand-5` | Persist, selectors, slices | [SKILL.md](skills/zustand-5/SKILL.md) |
-| `ai-sdk-5` | UIMessage, streaming, LangChain | [SKILL.md](skills/ai-sdk-5/SKILL.md) |
-
-### Prowler-Specific Skills
-| Skill | Description | URL |
-|-------|-------------|-----|
-| `prowler` | Project overview, component navigation | [SKILL.md](skills/prowler/SKILL.md) |
-| `prowler-api` | Django + RLS + JSON:API patterns | [SKILL.md](skills/prowler-api/SKILL.md) |
-| `prowler-ui` | Next.js + shadcn conventions | [SKILL.md](skills/prowler-ui/SKILL.md) |
-| `prowler-sdk-check` | Create new security checks | [SKILL.md](skills/prowler-sdk-check/SKILL.md) |
-| `prowler-mcp` | MCP server tools and models | [SKILL.md](skills/prowler-mcp/SKILL.md) |
-| `prowler-test-sdk` | SDK testing (pytest + moto) | [SKILL.md](skills/prowler-test-sdk/SKILL.md) |
-| `prowler-test-api` | API testing (pytest-django + RLS) | [SKILL.md](skills/prowler-test-api/SKILL.md) |
-| `prowler-test-ui` | E2E testing (Playwright) | [SKILL.md](skills/prowler-test-ui/SKILL.md) |
-| `prowler-compliance` | Compliance framework structure | [SKILL.md](skills/prowler-compliance/SKILL.md) |
-| `prowler-provider` | Add new cloud providers | [SKILL.md](skills/prowler-provider/SKILL.md) |
-| `prowler-pr` | Pull request conventions | [SKILL.md](skills/prowler-pr/SKILL.md) |
-| `prowler-docs` | Documentation style guide | [SKILL.md](skills/prowler-docs/SKILL.md) |
-| `skill-creator` | Create new AI agent skills | [SKILL.md](skills/skill-creator/SKILL.md) |
-
---
+- Start here for cross-project norms, Prowler is a monorepo with several components. Every component should have an `AGENTS.md` file that contains the guidelines for the agents in that component. The file is located beside the code you are touching (e.g. `api/AGENTS.md`, `ui/AGENTS.md`, `prowler/AGENTS.md`).
+- Follow the stricter rule when guidance conflicts; component docs override this file for their scope.
+- Keep instructions synchronized. When you add new workflows or scripts, update both, the relevant component `AGENTS.md` and this file if they apply broadly.

 ## Project Overview

-Prowler is an open-source cloud security assessment tool supporting AWS, Azure, GCP, Kubernetes, GitHub, M365, and more.
+Prowler is an open-source cloud security assessment tool that supports multiple cloud providers (AWS, Azure, GCP, Kubernetes, GitHub, M365, etc.). The project consists in a monorepo with the following main components:

-| Component | Location | Tech Stack |
-|-----------|----------|------------|
-| SDK | `prowler/` | Python 3.9+, Poetry |
-| API | `api/` | Django 5.1, DRF, Celery |
-| UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
-| MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
-| Dashboard | `dashboard/` | Dash, Plotly |
+- **Prowler SDK**: Python SDK, includes the Prowler CLI, providers, services, checks, compliances, config, etc. (`prowler/`)
+- **Prowler API**: Django-based REST API backend (`api/`)
+- **Prowler UI**: Next.js frontend application (`ui/`)
+- **Prowler MCP Server**: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs (`mcp_server/`)
+- **Prowler Dashboard**: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard (`dashboard/`)

---
+### Project Structure (Key Folders & Files)
+
+- `prowler/`: Main source code for Prowler SDK (CLI, providers, services, checks, compliances, config, etc.)
+- `api/`: Django-based REST API backend components
+- `ui/`: Next.js frontend application
+- `mcp_server/`: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs
+- `dashboard/`: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard
+- `docs/`: Documentation
+- `examples/`: Example output formats for providers and scripts
+- `permissions/`: Permission-related files and policies
+- `contrib/`: Community-contributed scripts or modules
+- `tests/`: Prowler SDK test suite
+- `docker-compose.yml`: Docker compose file to run the Prowler App (API + UI) production environment
+- `docker-compose-dev.yml`: Docker compose file to run the Prowler App (API + UI) development environment
+- `pyproject.toml`: Poetry Prowler SDK project file
+- `.pre-commit-config.yaml`: Pre-commit hooks configuration
+- `Makefile`: Makefile to run the project
+- `LICENSE`: License file
+- `README.md`: README file
+- `CONTRIBUTING.md`: Contributing guide

 ## Python Development

-```bash
-# Setup
-poetry install --with dev
-poetry run pre-commit install
+Most of the code is written in Python, so the main files in the root are focused on Python code.

-# Code quality
+### Poetry Dev Environment
+
+For developing in Python we recommend using `poetry` to manage the dependencies. The minimal version is `2.1.1`. So it is recommended to run all commands using `poetry run ...`.
+
+To install the core dependencies to develop it is needed to run `poetry install --with dev`.
+
+### Pre-commit hooks
+
+The project has pre-commit hooks to lint and format the code. They are installed by running `poetry run pre-commit install`.
+
+When commiting a change, the hooks will be run automatically. Some of them are:
+
+- Code formatting (black, isort)
+- Linting (flake8, pylint)
+- Security checks (bandit, safety, trufflehog)
+- YAML/JSON validation
+- Poetry lock file validation
+
+
+### Linting and Formatting
+
+We use the following tools to lint and format the code:
+
+- `flake8`: for linting the code
+- `black`: for formatting the code
+- `pylint`: for linting the code
+
+You can run all using the `make` command:
+```bash
 poetry run make lint
 poetry run make format
-poetry run pre-commit run --all-files
 ```

---
+Or they will be run automatically when you commit your changes using pre-commit hooks.

 ## Commit & Pull Request Guidelines

-Follow conventional-commit style: `<type>[scope]: <description>`
+For the commit messages and pull requests name follow the conventional-commit style.

-**Types:** `feat`, `fix`, `docs`, `chore`, `perf`, `refactor`, `style`, `test`
+Befire creating a pull request, complete the checklist in `.github/pull_request_template.md`. Summaries should explain deployment impact, highlight review steps, and note changelog or permission updates. Run all relevant tests and linters before requesting review and link screenshots for UI or dashboard changes.

-Before creating a PR:
-1. Complete checklist in `.github/pull_request_template.md`
-2. Run all relevant tests and linters
-3. Link screenshots for UI changes
+### Conventional Commit Style
+
+The Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history; which makes it easier to write automated tools on top of.
+
+The commit message should be structured as follows:
+
+```
+<type>[optional scope]: <description>
+<BLANK LINE>
+[optional body]
+<BLANK LINE>
+[optional footer(s)]
+```
+
+Any line of the commit message cannot be longer 100 characters! This allows the message to be easier to read on GitHub as well as in various git tools
+
+#### Commit Types
+
+- **feat**: code change introuce new functionality to the application
+- **fix**: code change that solve a bug in the codebase
+- **docs**: documentation only changes
+- **chore**: changes related to the build process or auxiliary tools and libraries, that do not affect the application's functionality
+- **perf**: code change that improves performance
+- **refactor**: code change that neither fixes a bug nor adds a feature
+- **style**: changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
+- **test**: adding missing tests or correcting existing tests
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -10,4 +10,4 @@
 Want some swag as appreciation for your contribution?

 # Prowler Developer Guide
-https://goto.prowler.com/devguide
+https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/
--- a/23
+++ b/23
@@ -4,15 +4,10 @@ LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"

 ARG POWERSHELL_VERSION=7.5.0
-ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
-
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}

 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
-    build-essential pkg-config libzstd-dev zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

 # Install PowerShell
@@ -30,24 +25,6 @@ RUN ARCH=$(uname -m) && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm /tmp/powershell.tar.gz

-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
--- a/8
+++ b/8
@@ -47,12 +47,12 @@ help:     ## Show this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

 ##@ Build no cache
-build-no-cache-dev:
-	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat mcp-server
+build-no-cache-dev: 
+	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat

 ##@ Development Environment
-run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP, and workers
-	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat mcp-server
+run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, and workers 
+	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat

 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
-<b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>

 <p align="center">
@@ -23,7 +23,6 @@
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,32 +35,28 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
 </p>

 # Description

-**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is an open-source security tool designed to assess and enforce security best practices across AWS, Azure, Google Cloud, and Kubernetes. It supports tasks such as security audits, incident response, continuous monitoring, system hardening, forensic readiness, and remediation processes.

 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:

- **Prowler ThreatScore:** Weighted risk prioritization scoring that helps you focus on the most critical security findings first
- **Industry Standards:** CIS, NIST 800, NIST CSF, CISA, and MITRE ATT&CK
- **Regulatory Compliance and Governance:** RBI, FedRAMP, PCI-DSS, and NIS2
+- **Industry Standards:** CIS, NIST 800, NIST CSF, and CISA
+- **Regulatory Compliance and Governance:** RBI, FedRAMP, and PCI-DSS
 - **Frameworks for Sensitive Data and Privacy:** GDPR, HIPAA, and FFIEC
- **Frameworks for Organizational Governance and Quality Control:** SOC2, GXP, and ISO 27001
- **Cloud-Specific Frameworks:** AWS Foundational Technical Review (FTR), AWS Well-Architected Framework, and BSI C5
- **National Security Standards:** ENS (Spanish National Security Scheme) and KISA ISMS-P (Korean)
+- **Frameworks for Organizational Governance and Quality Control:** SOC2 and GXP
+- **AWS-Specific Frameworks:** AWS Foundational Technical Review (FTR) and AWS Well-Architected Framework (Security Pillar)
+- **National Security Standards:** ENS (Spanish National Security Scheme)
 - **Custom Security Frameworks:** Tailored to your needs

-## Prowler App / Prowler Cloud
+## Prowler App

-Prowler App / [Prowler Cloud](https://cloud.prowler.com/) is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.
-
-![Prowler App](docs/images/products/overview.png)
-![Risk Pipeline](docs/images/products/risk-pipeline.png)
-![Threat Map](docs/images/products/threat-map.png)
+Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

+![Prowler App](docs/products/img/overview.png)

 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)

@@ -78,27 +73,26 @@ prowler <provider>
 ```console
 prowler dashboard
 ```
-![Prowler Dashboard](docs/images/products/dashboard.png)
+![Prowler Dashboard](docs/products/img/dashboard.png)

 # Prowler at a Glance
 > [!Tip]
 > For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit [**Prowler Hub**](https://hub.prowler.com).


-| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
-|---|---|---|---|---|---|---|
-| AWS | 584 | 85 | 40 | 17 | Official | UI, API, CLI |
-| GCP | 89 | 17 | 14 | 5 | Official | UI, API, CLI |
-| Azure | 169 | 22 | 15 | 8 | Official | UI, API, CLI |
-| Kubernetes | 84 | 7 | 6 | 9 | Official | UI, API, CLI |
-| GitHub | 20 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
-| OCI | 52 | 15 | 1 | 12 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 10 | 1 | 9 | Official | CLI |
-| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 4 | 0 | 3 | Official | UI, API, CLI |
-| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
-| NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Stage | Interface |
+|---|---|---|---|---|---|---|---|
+| AWS | 576 | 82 | 38 | 10 | Official | Stable | UI, API, CLI |
+| GCP | 79 | 13 | 11 | 3 | Official | Stable | UI, API, CLI |
+| Azure | 162 | 19 | 12 | 4 | Official | Stable | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | Stable | UI, API, CLI |
+| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
+| M365 | 70 | 7 | 3 | 2 | Official | Stable | UI, API, CLI |
+| OCI | 51 | 13 | 1 | 10 | Official | Stable | CLI |
+| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | Beta | CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | Beta | CLI |
+| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | Beta | CLI |
+| NHN | 6 | 2 | 1 | 0 | Unofficial | Beta | CLI |

 > [!Note]
 > The numbers in the table are updated periodically.
@@ -148,9 +142,9 @@ If your workstation's architecture is incompatible, you can resolve this by:
 ### Common Issues with Docker Pull Installation

 > [!Note]
-  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.mdx) section for more details and examples.
+  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.md) section for more details and examples.

-You can find more information in the [Troubleshooting](./docs/troubleshooting.mdx) section.
+You can find more information in the [Troubleshooting](./docs/troubleshooting.md) section.


 ### From GitHub
@@ -159,7 +153,7 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 * `git` installed.
 * `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+* `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
 * `Docker Compose` installed: https://docs.docker.com/compose/install/.

 **Commands to run the API**
@@ -215,9 +209,9 @@ python -m celery -A config.celery beat -l info --scheduler django_celery_beat.sc
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/ui
-pnpm install
-pnpm run build
-pnpm start
+npm install
+npm run build
+npm start
 ```

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
@@ -277,12 +271,11 @@ python prowler-cli.py -v
 # ✏️ High level architecture

 ## Prowler App
-**Prowler App** is composed of four key components:
+**Prowler App** is composed of three key components:

 - **Prowler UI**: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
- **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.

 ![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)

@@ -310,45 +303,6 @@ And many more environments.

 ![Architecture](docs/img/architecture.png)

-# 🤖 AI Skills for Development
-
-Prowler includes a comprehensive set of **AI Skills** that help AI coding assistants understand Prowler's codebase patterns and conventions.
-
-## What are AI Skills?
-
-Skills are structured instructions that give AI assistants the context they need to write code that follows Prowler's standards. They include:
-
- **Coding patterns** for each component (SDK, API, UI, MCP Server)
- **Testing conventions** (pytest, Playwright)
- **Architecture guidelines** (Clean Architecture, RLS patterns)
- **Framework-specific rules** (React 19, Next.js 15, Django DRF, Tailwind 4)
-
-## Available Skills
-
-| Category | Skills |
-|----------|--------|
-| **Generic** | `typescript`, `react-19`, `nextjs-15`, `tailwind-4`, `playwright`, `pytest`, `django-drf`, `zod-4`, `zustand-5`, `ai-sdk-5` |
-| **Prowler** | `prowler`, `prowler-api`, `prowler-ui`, `prowler-mcp`, `prowler-sdk-check`, `prowler-test-ui`, `prowler-test-api`, `prowler-test-sdk`, `prowler-compliance`, `prowler-provider`, `prowler-pr`, `prowler-docs` |
-
-## Setup
-
-```bash
-./skills/setup.sh
-```
-
-This configures skills for AI coding assistants that follow the [agentskills.io](https://agentskills.io) standard:
-
-| Tool | Configuration |
-|------|---------------|
-| **Claude Code** | `.claude/skills/` (symlink) |
-| **OpenCode** | `.claude/skills/` (symlink) |
-| **Codex (OpenAI)** | `.codex/skills/` (symlink) |
-| **GitHub Copilot** | `.github/skills/` (symlink) |
-| **Gemini CLI** | `.gemini/skills/` (symlink) |
-
-> **Note:** Restart your AI coding assistant after running setup to load the skills.
-> Gemini CLI requires `experimental.skills` enabled in settings.
-
 # 📖 Documentation

 For installation instructions, usage details, tutorials, and the Developer Guide, visit https://docs.prowler.com/
--- a/api/AGENTS.md
+++ b/api/AGENTS.md
@@ -1,137 +0,0 @@
-# Prowler API - AI Agent Ruleset
-
-> **Skills Reference**: For detailed patterns, use these skills:
-> - [`prowler-api`](../skills/prowler-api/SKILL.md) - Models, Serializers, Views, RLS patterns
-> - [`prowler-test-api`](../skills/prowler-test-api/SKILL.md) - Testing patterns (pytest-django)
-> - [`django-drf`](../skills/django-drf/SKILL.md) - Generic DRF patterns
-> - [`pytest`](../skills/pytest/SKILL.md) - Generic pytest patterns
-
-## CRITICAL RULES - NON-NEGOTIABLE
-
-### Models
- ALWAYS: UUIDv4 PKs, `inserted_at`/`updated_at` timestamps, `JSONAPIMeta` class
- ALWAYS: Inherit from `RowLevelSecurityProtectedModel` for tenant-scoped data
- NEVER: Auto-increment integer PKs, models without tenant isolation
-
-### Serializers
- ALWAYS: Separate serializers for Create/Update operations
- ALWAYS: Inherit from `RLSSerializer` for tenant-scoped models
- NEVER: Write logic in serializers (use services/utils)
-
-### Views
- ALWAYS: Inherit from `BaseRLSViewSet` for tenant-scoped resources
- ALWAYS: Define `filterset_class`, use `@extend_schema` for OpenAPI
- NEVER: Raw SQL queries, business logic in views
-
-### Row-Level Security (RLS)
- ALWAYS: Use `rls_transaction(tenant_id)` context manager
- NEVER: Query across tenants, trust client-provided tenant_id
-
-### Celery Tasks
- ALWAYS: `@shared_task` with `name`, `queue`, `RLSTask` base class
- NEVER: Long-running ops in views, request context in tasks
-
---
-
-## DECISION TREES
-
-### Serializer Selection
-```
-Read → <Model>Serializer
-Create → <Model>CreateSerializer
-Update → <Model>UpdateSerializer
-Nested read → <Model>IncludeSerializer
-```
-
-### Task vs View
-```
-< 100ms → View
-> 100ms or external API → Celery task
-Needs retry → Celery task
-```
-
---
-
-## TECH STACK
-
-Django 5.1.x | DRF 3.15.x | djangorestframework-jsonapi 7.x | Celery 5.4.x | PostgreSQL 16 | pytest 8.x
-
---
-
-## PROJECT STRUCTURE
-
-```
-api/src/backend/
-├── api/                    # Main Django app
-│   ├── v1/                # API version 1 (views, serializers, urls)
-│   ├── models.py          # Django models
-│   ├── filters.py         # FilterSet classes
-│   ├── base_views.py      # Base ViewSet classes
-│   ├── rls.py             # Row-Level Security
-│   └── tests/             # Unit tests
-├── config/                # Django configuration
-└── tasks/                 # Celery tasks
-```
-
---
-
-## COMMANDS
-
-```bash
-# Development
-poetry run python src/backend/manage.py runserver
-poetry run celery -A config.celery worker -l INFO
-
-# Database
-poetry run python src/backend/manage.py makemigrations
-poetry run python src/backend/manage.py migrate
-
-# Testing & Linting
-poetry run pytest -x --tb=short
-poetry run make lint
-```
-
---
-
-## QA CHECKLIST
-
- [ ] `poetry run pytest` passes
- [ ] `poetry run make lint` passes
- [ ] Migrations created if models changed
- [ ] New endpoints have `@extend_schema` decorators
- [ ] RLS properly applied for tenant data
- [ ] Tests cover success and error cases
-
---
-
-## NAMING CONVENTIONS
-
-| Entity | Pattern | Example |
-|--------|---------|---------|
-| Serializer (read) | `<Model>Serializer` | `ProviderSerializer` |
-| Serializer (create) | `<Model>CreateSerializer` | `ProviderCreateSerializer` |
-| Serializer (update) | `<Model>UpdateSerializer` | `ProviderUpdateSerializer` |
-| Filter | `<Model>Filter` | `ProviderFilter` |
-| ViewSet | `<Model>ViewSet` | `ProviderViewSet` |
-| Task | `<action>_<entity>_task` | `sync_provider_resources_task` |
-
---
-
-## API CONVENTIONS (JSON:API)
-
-```json
-{
-  "data": {
-    "type": "providers",
-    "id": "uuid",
-    "attributes": { "name": "value" },
-    "relationships": { "tenant": { "data": { "type": "tenants", "id": "uuid" } } }
-  }
-}
-```
-
- Content-Type: `application/vnd.api+json`
- Pagination: `?page[number]=1&page[size]=20`
- Filtering: `?filter[field]=value`, `?filter[field__in]=val1,val2`
- Sorting: `?sort=field`, `?sort=-field`
- Including: `?include=provider,findings`
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -2,135 +2,7 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.18.0] (Prowler UNRELEASED)
-
-### Added
- `/api/v1/overviews/compliance-watchlist` to retrieve the compliance watchlist [(#9596)](https://github.com/prowler-cloud/prowler/pull/9596)
- Support AlibabaCloud provider [(#9485)](https://github.com/prowler-cloud/prowler/pull/9485)
- `provider_id` and `provider_id__in` filter aliases for findings endpoints to enable consistent frontend parameter naming [(#9701)](https://github.com/prowler-cloud/prowler/pull/9701)
-
---
-
-## [1.17.2] (Prowler v5.16.2)
-
-### Security
- Updated dependencies to patch security vulnerabilities: Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
-
---
-
-## [1.17.1] (Prowler v5.16.1)
-
-### Changed
- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)
-
-### Fixed
- Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
-
---
-
-## [1.17.0] (Prowler v5.16.0)
-
-### Added
- New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Account id, alias and provider name to PDF reporting table [(#9574)](https://github.com/prowler-cloud/prowler/pull/9574)
-
-### Changed
- Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- OpenAI provider to only load chat-compatible models with tool calling support [(#9523)](https://github.com/prowler-cloud/prowler/pull/9523)
- Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)
-
-### Fixed
- Made `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
- Reduced unnecessary UPDATE resources operations by only saving when tag mappings change, lowering write load during scans [(#9569)](https://github.com/prowler-cloud/prowler/pull/9569)
-
---
-
-## [1.16.1] (Prowler v5.15.1)
-
-### Fixed
- Race condition in scheduled scan creation by adding countdown to task [(#9516)](https://github.com/prowler-cloud/prowler/pull/9516)
-
-## [1.16.0] (Prowler v5.15.0)
-
-### Added
- New endpoint to retrieve an overview of the attack surfaces [(#9309)](https://github.com/prowler-cloud/prowler/pull/9309)
- New endpoint `GET /api/v1/overviews/findings_severity/timeseries` to retrieve daily aggregated findings by severity level [(#9363)](https://github.com/prowler-cloud/prowler/pull/9363)
- Lighthouse AI support for Amazon Bedrock API key [(#9343)](https://github.com/prowler-cloud/prowler/pull/9343)
- Exception handler for provider deletions during scans [(#9414)](https://github.com/prowler-cloud/prowler/pull/9414)
- Support to use admin credentials through the read replica database [(#9440)](https://github.com/prowler-cloud/prowler/pull/9440)
-
-### Changed
- Error messages from Lighthouse celery tasks [(#9165)](https://github.com/prowler-cloud/prowler/pull/9165)
- Restore the compliance overview endpoint's mandatory filters [(#9338)](https://github.com/prowler-cloud/prowler/pull/9338)
-
---
-
-## [1.15.2] (Prowler v5.14.2)
-
-### Fixed
- Unique constraint violation during compliance overviews task [(#9436)](https://github.com/prowler-cloud/prowler/pull/9436)
- Division by zero error in ENS PDF report when all requirements are manual [(#9443)](https://github.com/prowler-cloud/prowler/pull/9443)
-
---
-
-## [1.15.1] (Prowler v5.14.1)
-
-### Fixed
- Fix typo in PDF reporting [(#9345)](https://github.com/prowler-cloud/prowler/pull/9345)
- Fix IaC provider initialization failure when mutelist processor is configured [(#9331)](https://github.com/prowler-cloud/prowler/pull/9331)
- Match logic for ThreatScore when counting findings [(#9348)](https://github.com/prowler-cloud/prowler/pull/9348)
-
---
-
-## [1.15.0] (Prowler v5.14.0)
-
-### Added
- IaC (Infrastructure as Code) provider support for remote repositories [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
- Extend `GET /api/v1/providers` with provider-type filters and optional pagination disable to support the new Overview filters [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
- New endpoint to retrieve the number of providers grouped by provider type [(#8975)](https://github.com/prowler-cloud/prowler/pull/8975)
- Support for configuring multiple LLM providers [(#8772)](https://github.com/prowler-cloud/prowler/pull/8772)
- Support C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
- Support for Oracle Cloud Infrastructure (OCI) provider [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
- Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
- Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
- Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
- Support PDF reporting for ENS compliance framework [(#9158)](https://github.com/prowler-cloud/prowler/pull/9158)
- Support PDF reporting for NIS2 compliance framework [(#9170)](https://github.com/prowler-cloud/prowler/pull/9170)
- Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
- Added `metadata`, `details`, and `partition` attributes to `/resources` endpoint & `details`, and `partition` to `/findings` endpoint [(#9098)](https://github.com/prowler-cloud/prowler/pull/9098)
- Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
- Support Prowler ThreatScore for the K8S provider [(#9235)](https://github.com/prowler-cloud/prowler/pull/9235)
- Enhanced compliance overview endpoint with provider filtering and latest scan aggregation [(#9244)](https://github.com/prowler-cloud/prowler/pull/9244)
- New endpoint `GET /api/v1/overview/regions` to retrieve aggregated findings data by region [(#9273)](https://github.com/prowler-cloud/prowler/pull/9273)
-
-### Changed
- Optimized database write queries for scan related tasks [(#9190)](https://github.com/prowler-cloud/prowler/pull/9190)
- Date filters are now optional for `GET /api/v1/overviews/services` endpoint; returns latest scan data by default [(#9248)](https://github.com/prowler-cloud/prowler/pull/9248)
-
-### Fixed
- Scans no longer fail when findings have UIDs exceeding 300 characters; such findings are now skipped with detailed logging [(#9246)](https://github.com/prowler-cloud/prowler/pull/9246)
- Updated unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers [(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
- Removed compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
- Refresh output report timestamps for each scan [(#9272)](https://github.com/prowler-cloud/prowler/pull/9272)
- Severity overview endpoint now ignores muted findings as expected [(#9283)](https://github.com/prowler-cloud/prowler/pull/9283)
- Fixed discrepancy between ThreatScore PDF report values and database calculations [(#9296)](https://github.com/prowler-cloud/prowler/pull/9296)
-
-### Security
- Django updated to the latest 5.1 security release, 5.1.14, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/113) and [denial-of-service vulnerability](https://github.com/prowler-cloud/prowler/security/dependabot/114) [(#9176)](https://github.com/prowler-cloud/prowler/pull/9176)
-
---
-
-## [1.14.1] (Prowler v5.13.1)
-
-### Fixed
- `/api/v1/overviews/providers` collapses data by provider type so the UI receives a single aggregated record per cloud family even when multiple accounts exist [(#9053)](https://github.com/prowler-cloud/prowler/pull/9053)
- Added retry logic to database transactions to handle Aurora read replica connection failures during scale-down events [(#9064)](https://github.com/prowler-cloud/prowler/pull/9064)
- Security Hub integrations stop failing when they read relationships via the replica by allowing replica relations and saving updates through the primary [(#9080)](https://github.com/prowler-cloud/prowler/pull/9080)
-
---
-
-## [1.14.0] (Prowler v5.13.0)
+## [1.14.0] (Prowler UNRELEASED)

 ### Added
 - Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)
@@ -154,14 +26,14 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.13.2] (Prowler v5.12.3)
+## [1.13.2] (Prowler 5.12.3)

 ### Fixed
 - 500 error when deleting user [(#8731)](https://github.com/prowler-cloud/prowler/pull/8731)

 ---

-## [1.13.1] (Prowler v5.12.2)
+## [1.13.1] (Prowler 5.12.2)

 ### Changed
 - Renamed compliance overview task queue to `compliance` [(#8755)](https://github.com/prowler-cloud/prowler/pull/8755)
@@ -171,7 +43,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.13.0] (Prowler v5.12.0)
+## [1.13.0] (Prowler 5.12.0)

 ### Added
 - Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
@@ -180,7 +52,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.12.0] (Prowler v5.11.0)
+## [1.12.0] (Prowler 5.11.0)

 ### Added
 - Lighthouse support for OpenAI GPT-5 [(#8527)](https://github.com/prowler-cloud/prowler/pull/8527)
@@ -192,7 +64,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.11.0] (Prowler v5.10.0)
+## [1.11.0] (Prowler 5.10.0)

 ### Added
 - Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -5,9 +5,6 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}
-
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget \
@@ -39,24 +36,6 @@ RUN ARCH=$(uname -m) && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm /tmp/powershell.tar.gz

-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
--- a/api/poetry.lock
+++ b/api/poetry.lock
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -7,7 +7,7 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
  "celery[pytest] (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.15)",
+  "django (==5.1.13)",
  "django-allauth[saml] (>=65.8.0,<66.0.0)",
  "django-celery-beat (>=2.7.0,<3.0.0)",
  "django-celery-results (>=2.5.1,<3.0.0)",
@@ -35,11 +35,7 @@ dependencies = [
  "markdown (>=3.9,<4.0)",
  "drf-simple-apikey (==2.2.1)",
  "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
+  "reportlab (>=4.4.4,<5.0.0)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -47,7 +43,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.18.0"
+version = "1.14.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
--- a/api/src/backend/api/admin.py
+++ b/api/src/backend/api/admin.py
@@ -0,0 +1,3 @@
+# from django.contrib import admin
+
+# Register your models here.
--- a/api/src/backend/api/compliance.py
+++ b/api/src/backend/api/compliance.py
@@ -144,7 +144,6 @@ def generate_scan_compliance(
    Returns:
        None: This function modifies the compliance_overview in place.
    """
-
    for compliance_id in PROWLER_CHECKS[provider_type][check_id]:
        for requirement in compliance_overview[compliance_id]["requirements"].values():
            if check_id in requirement["checks"]:
--- a/api/src/backend/api/db_router.py
+++ b/api/src/backend/api/db_router.py
@@ -26,7 +26,6 @@ class MainRouter:
    default_db = "default"
    admin_db = "admin"
    replica_db = "replica"
-    admin_replica_db = "admin_replica"

    def db_for_read(self, model, **hints):  # noqa: F841
        model_table_name = model._meta.db_table
@@ -49,14 +48,8 @@ class MainRouter:
        return db == self.admin_db

    def allow_relation(self, obj1, obj2, **hints):  # noqa: F841
-        # Allow relations when both objects originate from allowed connectors
-        allowed_dbs = {
-            self.default_db,
-            self.admin_db,
-            self.replica_db,
-            self.admin_replica_db,
-        }
-        if {obj1._state.db, obj2._state.db} <= allowed_dbs:
+        # Allow relations if both objects are in either "default" or "admin" db connectors
+        if {obj1._state.db, obj2._state.db} <= {self.default_db, self.admin_db}:
            return True
        return None

--- a/api/src/backend/api/db_utils.py
+++ b/api/src/backend/api/db_utils.py
@@ -1,35 +1,18 @@
 import re
 import secrets
-import time
 import uuid
 from contextlib import contextmanager
 from datetime import datetime, timedelta, timezone

-from celery.utils.log import get_task_logger
-from config.env import env
 from django.conf import settings
 from django.contrib.auth.models import BaseUserManager
-from django.db import (
-    DEFAULT_DB_ALIAS,
-    OperationalError,
-    connection,
-    connections,
-    models,
-    transaction,
-)
+from django.db import DEFAULT_DB_ALIAS, connection, connections, models, transaction
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError

-from api.db_router import (
-    READ_REPLICA_ALIAS,
-    get_read_db_alias,
-    reset_read_db_alias,
-    set_read_db_alias,
-)
-
-logger = get_task_logger(__name__)
+from api.db_router import get_read_db_alias, reset_read_db_alias, set_read_db_alias

 DB_USER = settings.DATABASES["default"]["USER"] if not settings.TESTING else "test"
 DB_PASSWORD = (
@@ -45,9 +28,6 @@ TASK_RUNNER_DB_TABLE = "django_celery_results_taskresult"
 POSTGRES_TENANT_VAR = "api.tenant_id"
 POSTGRES_USER_VAR = "api.user_id"

-REPLICA_MAX_ATTEMPTS = env.int("POSTGRES_REPLICA_MAX_ATTEMPTS", default=3)
-REPLICA_RETRY_BASE_DELAY = env.float("POSTGRES_REPLICA_RETRY_BASE_DELAY", default=0.5)
-
 SET_CONFIG_QUERY = "SELECT set_config(%s, %s::text, TRUE);"


@@ -91,51 +71,24 @@ def rls_transaction(
    if db_alias not in connections:
        db_alias = DEFAULT_DB_ALIAS

-    alias = db_alias
-    is_replica = READ_REPLICA_ALIAS and alias == READ_REPLICA_ALIAS
-    max_attempts = REPLICA_MAX_ATTEMPTS if is_replica else 1
+    router_token = None
+    try:
+        if db_alias != DEFAULT_DB_ALIAS:
+            router_token = set_read_db_alias(db_alias)

-    for attempt in range(1, max_attempts + 1):
-        router_token = None
-
-        # On final attempt, fallback to primary
-        if attempt == max_attempts and is_replica:
-            logger.warning(
-                f"RLS transaction failed after {attempt - 1} attempts on replica, "
-                f"falling back to primary DB"
-            )
-            alias = DEFAULT_DB_ALIAS
-
-        conn = connections[alias]
-        try:
-            if alias != DEFAULT_DB_ALIAS:
-                router_token = set_read_db_alias(alias)
-
-            with transaction.atomic(using=alias):
-                with conn.cursor() as cursor:
-                    try:
-                        # just in case the value is a UUID object
-                        uuid.UUID(str(value))
-                    except ValueError:
-                        raise ValidationError("Must be a valid UUID")
-                    cursor.execute(SET_CONFIG_QUERY, [parameter, value])
-                    yield cursor
-            return
-        except OperationalError as e:
-            # If on primary or max attempts reached, raise
-            if not is_replica or attempt == max_attempts:
-                raise
-
-            # Retry with exponential backoff
-            delay = REPLICA_RETRY_BASE_DELAY * (2 ** (attempt - 1))
-            logger.info(
-                f"RLS transaction failed on replica (attempt {attempt}/{max_attempts}), "
-                f"retrying in {delay}s. Error: {e}"
-            )
-            time.sleep(delay)
-        finally:
-            if router_token is not None:
-                reset_read_db_alias(router_token)
+        with transaction.atomic(using=db_alias):
+            conn = connections[db_alias]
+            with conn.cursor() as cursor:
+                try:
+                    # just in case the value is a UUID object
+                    uuid.UUID(str(value))
+                except ValueError:
+                    raise ValidationError("Must be a valid UUID")
+                cursor.execute(SET_CONFIG_QUERY, [parameter, value])
+                yield cursor
+    finally:
+        if router_token is not None:
+            reset_read_db_alias(router_token)


 class CustomUserManager(BaseUserManager):
--- a/api/src/backend/api/decorators.py
+++ b/api/src/backend/api/decorators.py
@@ -1,14 +1,10 @@
 import uuid
 from functools import wraps

-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError, connection, transaction
+from django.db import connection, transaction
 from rest_framework_json_api.serializers import ValidationError

-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY, rls_transaction
-from api.exceptions import ProviderDeletedException
-from api.models import Provider, Scan
+from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY


 def set_tenant(func=None, *, keep_tenant=False):
@@ -70,49 +66,3 @@ def set_tenant(func=None, *, keep_tenant=False):
        return decorator
    else:
        return decorator(func)
-
-
-def handle_provider_deletion(func):
-    """
-    Decorator that raises ProviderDeletedException if provider was deleted during execution.
-
-    Catches ObjectDoesNotExist and IntegrityError, checks if provider still exists,
-    and raises ProviderDeletedException if not. Otherwise, re-raises original exception.
-
-    Requires tenant_id and provider_id in kwargs.
-
-    Example:
-        @shared_task
-        @handle_provider_deletion
-        def scan_task(scan_id, tenant_id, provider_id):
-            ...
-    """
-
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-        try:
-            return func(*args, **kwargs)
-        except (ObjectDoesNotExist, IntegrityError):
-            tenant_id = kwargs.get("tenant_id")
-            provider_id = kwargs.get("provider_id")
-
-            with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-                if provider_id is None:
-                    scan_id = kwargs.get("scan_id")
-                    if scan_id is None:
-                        raise AssertionError(
-                            "This task does not have provider or scan in the kwargs"
-                        )
-                    scan = Scan.objects.filter(pk=scan_id).first()
-                    if scan is None:
-                        raise ProviderDeletedException(
-                            f"Provider for scan '{scan_id}' was deleted during the scan"
-                        ) from None
-                    provider_id = str(scan.provider_id)
-                if not Provider.objects.filter(pk=provider_id).exists():
-                    raise ProviderDeletedException(
-                        f"Provider '{provider_id}' was deleted during the scan"
-                    ) from None
-            raise
-
-    return wrapper
--- a/api/src/backend/api/exceptions.py
+++ b/api/src/backend/api/exceptions.py
@@ -66,10 +66,6 @@ class ProviderConnectionError(Exception):
    """Base exception for provider connection errors."""


-class ProviderDeletedException(Exception):
-    """Raised when a provider has been deleted during scan/task execution."""
-
-
 def custom_exception_handler(exc, context):
    if isinstance(exc, django_validation_error):
        if hasattr(exc, "error_dict"):
--- a/api/src/backend/api/filters.py
+++ b/api/src/backend/api/filters.py
@@ -23,35 +23,27 @@ from api.db_utils import (
    StatusEnumField,
 )
 from api.models import (
-    AttackSurfaceOverview,
    ComplianceRequirementOverview,
-    DailySeveritySummary,
    Finding,
    Integration,
    Invitation,
-    LighthouseProviderConfiguration,
-    LighthouseProviderModels,
    Membership,
-    MuteRule,
    OverviewStatusChoices,
    PermissionChoices,
    Processor,
    Provider,
-    ProviderComplianceScore,
    ProviderGroup,
    ProviderSecret,
    Resource,
    ResourceTag,
    Role,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    SeverityChoices,
    StateChoices,
    StatusChoices,
    Task,
    TenantAPIKey,
-    ThreatScoreSnapshot,
    User,
 )
 from api.rls import Tenant
@@ -93,62 +85,10 @@ class ChoiceInFilter(BaseInFilter, ChoiceFilter):
    pass


-class BaseProviderFilter(FilterSet):
-    """
-    Abstract base filter for models with direct FK to Provider.
-
-    Provides standard provider_id and provider_type filters.
-    Subclasses must define Meta.model.
-    """
-
-    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        abstract = True
-        fields = {}
-
-
-class BaseScanProviderFilter(FilterSet):
-    """
-    Abstract base filter for models with FK to Scan (and Scan has FK to Provider).
-
-    Provides standard provider_id and provider_type filters via scan relationship.
-    Subclasses must define Meta.model.
-    """
-
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        abstract = True
-        fields = {}
-
-
 class CommonFindingFilters(FilterSet):
    # We filter providers from the scan in findings
-    # Both 'provider' and 'provider_id' parameters are supported for API consistency
-    # Frontend uses 'provider_id' uniformly across all endpoints
    provider = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
    provider__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
    provider_type = ChoiceFilter(
        choices=Provider.ProviderChoices.choices, field_name="scan__provider__provider"
    )
@@ -211,9 +151,6 @@ class CommonFindingFilters(FilterSet):
        field_name="resources__type", lookup_expr="icontains"
    )

-    category = CharFilter(method="filter_category")
-    category__in = CharInFilter(field_name="categories", lookup_expr="overlap")
-
    # Temporarily disabled until we implement tag filtering in the UI
    # resource_tag_key = CharFilter(field_name="resources__tags__key")
    # resource_tag_key__in = CharInFilter(
@@ -245,9 +182,6 @@ class CommonFindingFilters(FilterSet):
    def filter_resource_type(self, queryset, name, value):
        return queryset.filter(resource_types__contains=[value])

-    def filter_category(self, queryset, name, value):
-        return queryset.filter(categories__contains=[value])
-
    def filter_resource_tag(self, queryset, name, value):
        overall_query = Q()
        for key_value_pair in value:
@@ -311,14 +245,6 @@ class ProviderFilter(FilterSet):
        choices=Provider.ProviderChoices.choices,
        lookup_expr="in",
    )
-    provider_type = ChoiceFilter(
-        choices=Provider.ProviderChoices.choices, field_name="provider"
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )

    class Meta:
        model = Provider
@@ -822,7 +748,7 @@ class RoleFilter(FilterSet):

 class ComplianceOverviewFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan_id", required=True)
+    scan_id = UUIDFilter(field_name="scan_id")
    region = CharFilter(field_name="region")

    class Meta:
@@ -856,68 +782,6 @@ class ScanSummaryFilter(FilterSet):
        }


-class DailySeveritySummaryFilter(FilterSet):
-    """Filter for findings_severity/timeseries endpoint."""
-
-    MAX_DATE_RANGE_DAYS = 365
-
-    provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider_id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    date_from = DateFilter(method="filter_noop")
-    date_to = DateFilter(method="filter_noop")
-
-    class Meta:
-        model = DailySeveritySummary
-        fields = ["provider_id"]
-
-    def filter_noop(self, queryset, name, value):
-        return queryset
-
-    def filter_queryset(self, queryset):
-        if not self.data.get("date_from"):
-            raise ValidationError(
-                [
-                    {
-                        "detail": "This query parameter is required.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "required",
-                    }
-                ]
-            )
-
-        today = date.today()
-        date_from = self.form.cleaned_data.get("date_from")
-        date_to = min(self.form.cleaned_data.get("date_to") or today, today)
-
-        if (date_to - date_from).days > self.MAX_DATE_RANGE_DAYS:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"Date range cannot exceed {self.MAX_DATE_RANGE_DAYS} days.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-
-        # View access
-        self.request._date_from = date_from
-        self.request._date_to = date_to
-
-        # Apply date filter (only lte for fill-forward logic)
-        queryset = queryset.filter(date__lte=date_to)
-
-        return super().filter_queryset(queryset)
-
-
 class ScanSummarySeverityFilter(ScanSummaryFilter):
    """Filter for findings_severity ScanSummary endpoint - includes status filters"""

@@ -936,8 +800,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
        elif value == OverviewStatusChoices.PASS:
            return queryset.annotate(status_count=F("_pass"))
        else:
-            # Exclude muted findings by default
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

    def filter_status_in(self, queryset, name, value):
        # Validate the status values
@@ -946,7 +809,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
            if status_val not in valid_statuses:
                raise ValidationError(f"Invalid status value: {status_val}")

-        # If all statuses or no valid statuses, exclude muted findings (pass + fail)
+        # If all statuses or no valid statuses, use total
        if (
            set(value)
            >= {
@@ -955,7 +818,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
            }
            or not value
        ):
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

        # Build the sum expression based on status values
        sum_expression = None
@@ -973,7 +836,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
                sum_expression = sum_expression + field_expr

        if sum_expression is None:
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

        return queryset.annotate(status_count=sum_expression)

@@ -985,6 +848,26 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
        }


+class ServiceOverviewFilter(ScanSummaryFilter):
+    def is_valid(self):
+        # Check if at least one of the inserted_at filters is present
+        inserted_at_filters = [
+            self.data.get("inserted_at"),
+            self.data.get("inserted_at__gte"),
+            self.data.get("inserted_at__lte"),
+        ]
+        if not any(inserted_at_filters):
+            raise ValidationError(
+                {
+                    "inserted_at": [
+                        "At least one of filter[inserted_at], filter[inserted_at__gte], or "
+                        "filter[inserted_at__lte] is required."
+                    ]
+                }
+            )
+        return super().is_valid()
+
+
 class IntegrationFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
    integration_type = ChoiceFilter(choices=Integration.IntegrationChoices.choices)
@@ -1045,119 +928,3 @@ class TenantApiKeyFilter(FilterSet):
            "revoked": ["exact"],
            "name": ["exact", "icontains"],
        }
-
-
-class LighthouseProviderConfigFilter(FilterSet):
-    provider_type = ChoiceFilter(
-        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
-        field_name="provider_type",
-        lookup_expr="in",
-    )
-    is_active = BooleanFilter()
-
-    class Meta:
-        model = LighthouseProviderConfiguration
-        fields = {
-            "provider_type": ["exact", "in"],
-            "is_active": ["exact"],
-        }
-
-
-class LighthouseProviderModelsFilter(FilterSet):
-    provider_type = ChoiceFilter(
-        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
-        field_name="provider_configuration__provider_type",
-    )
-    provider_type__in = ChoiceInFilter(
-        choices=LighthouseProviderConfiguration.LLMProviderChoices.choices,
-        field_name="provider_configuration__provider_type",
-        lookup_expr="in",
-    )
-
-    # Allow filtering by model id
-    model_id = CharFilter(field_name="model_id", lookup_expr="exact")
-    model_id__icontains = CharFilter(field_name="model_id", lookup_expr="icontains")
-    model_id__in = CharInFilter(field_name="model_id", lookup_expr="in")
-
-    class Meta:
-        model = LighthouseProviderModels
-        fields = {
-            "model_id": ["exact", "icontains", "in"],
-        }
-
-
-class MuteRuleFilter(FilterSet):
-    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
-    created_by = UUIDFilter(field_name="created_by__id", lookup_expr="exact")
-
-    class Meta:
-        model = MuteRule
-        fields = {
-            "id": ["exact", "in"],
-            "name": ["exact", "icontains"],
-            "reason": ["icontains"],
-            "enabled": ["exact"],
-            "inserted_at": ["gte", "lte"],
-            "updated_at": ["gte", "lte"],
-        }
-
-
-class ThreatScoreSnapshotFilter(FilterSet):
-    """
-    Filter for ThreatScore snapshots.
-    Allows filtering by scan, provider, compliance_id, and date ranges.
-    """
-
-    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan__id", lookup_expr="exact")
-    scan_id__in = UUIDInFilter(field_name="scan__id", lookup_expr="in")
-    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-    compliance_id = CharFilter(field_name="compliance_id", lookup_expr="exact")
-    compliance_id__in = CharInFilter(field_name="compliance_id", lookup_expr="in")
-
-    class Meta:
-        model = ThreatScoreSnapshot
-        fields = {
-            "scan": ["exact", "in"],
-            "provider": ["exact", "in"],
-            "compliance_id": ["exact", "in"],
-            "inserted_at": ["date", "gte", "lte"],
-            "overall_score": ["exact", "gte", "lte"],
-        }
-
-
-class AttackSurfaceOverviewFilter(BaseScanProviderFilter):
-    """Filter for attack surface overview aggregations by provider."""
-
-    class Meta(BaseScanProviderFilter.Meta):
-        model = AttackSurfaceOverview
-
-
-class CategoryOverviewFilter(BaseScanProviderFilter):
-    """Filter for category overview aggregations by provider."""
-
-    category = CharFilter(field_name="category", lookup_expr="exact")
-    category__in = CharInFilter(field_name="category", lookup_expr="in")
-
-    class Meta(BaseScanProviderFilter.Meta):
-        model = ScanCategorySummary
-
-
-class ComplianceWatchlistFilter(BaseProviderFilter):
-    """Filter for compliance watchlist overview by provider."""
-
-    class Meta(BaseProviderFilter.Meta):
-        model = ProviderComplianceScore
--- a/api/src/backend/api/migrations/0048_api_key.py
+++ b/api/src/backend/api/migrations/0048_api_key.py
@@ -24,7 +24,7 @@ class Migration(migrations.Migration):
                (
                    "name",
                    models.CharField(
-                        max_length=100,
+                        max_length=255,
                        validators=[django.core.validators.MinLengthValidator(3)],
                    ),
                ),
--- a/api/src/backend/api/migrations/0050_lighthouse_multi_llm.py
+++ b/api/src/backend/api/migrations/0050_lighthouse_multi_llm.py
@@ -1,266 +0,0 @@
-# Generated by Django 5.1.12 on 2025-10-09 07:50
-
-import json
-import logging
-import uuid
-
-import django.db.models.deletion
-from config.custom_logging import BackendLogger
-from cryptography.fernet import Fernet
-from django.conf import settings
-from django.db import migrations, models
-
-import api.rls
-from api.db_router import MainRouter
-
-logger = logging.getLogger(BackendLogger.API)
-
-
-def migrate_lighthouse_configs_forward(apps, schema_editor):
-    """
-    Migrate data from old LighthouseConfiguration to new multi-provider models.
-    Old system: one LighthouseConfiguration per tenant (always OpenAI).
-    """
-    LighthouseConfiguration = apps.get_model("api", "LighthouseConfiguration")
-    LighthouseProviderConfiguration = apps.get_model(
-        "api", "LighthouseProviderConfiguration"
-    )
-    LighthouseTenantConfiguration = apps.get_model(
-        "api", "LighthouseTenantConfiguration"
-    )
-    LighthouseProviderModels = apps.get_model("api", "LighthouseProviderModels")
-
-    fernet = Fernet(settings.SECRETS_ENCRYPTION_KEY.encode())
-
-    # Migrate only tenants that actually have a LighthouseConfiguration
-    for old_config in (
-        LighthouseConfiguration.objects.using(MainRouter.admin_db)
-        .select_related("tenant")
-        .all()
-    ):
-        tenant = old_config.tenant
-        tenant_id = str(tenant.id)
-
-        try:
-            # Create OpenAI provider configuration for this tenant
-            api_key_decrypted = fernet.decrypt(bytes(old_config.api_key)).decode()
-            credentials_encrypted = fernet.encrypt(
-                json.dumps({"api_key": api_key_decrypted}).encode()
-            )
-            provider_config = LighthouseProviderConfiguration.objects.using(
-                MainRouter.admin_db
-            ).create(
-                tenant=tenant,
-                provider_type="openai",
-                credentials=credentials_encrypted,
-                is_active=old_config.is_active,
-            )
-
-            # Create tenant configuration from old values
-            LighthouseTenantConfiguration.objects.using(MainRouter.admin_db).create(
-                tenant=tenant,
-                business_context=old_config.business_context or "",
-                default_provider="openai",
-                default_models={"openai": old_config.model},
-            )
-
-            # Create initial provider model record
-            LighthouseProviderModels.objects.using(MainRouter.admin_db).create(
-                tenant=tenant,
-                provider_configuration=provider_config,
-                model_id=old_config.model,
-                model_name=old_config.model,
-                default_parameters={},
-            )
-
-        except Exception:
-            logger.exception(
-                "Failed to migrate lighthouse config for tenant %s", tenant_id
-            )
-            continue
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0049_compliancerequirementoverview_passed_failed_findings"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="LighthouseProviderConfiguration",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                (
-                    "provider_type",
-                    models.CharField(
-                        choices=[("openai", "OpenAI")],
-                        help_text="LLM provider name",
-                        max_length=50,
-                    ),
-                ),
-                ("base_url", models.URLField(blank=True, null=True)),
-                (
-                    "credentials",
-                    models.BinaryField(
-                        help_text="Encrypted JSON credentials for the provider"
-                    ),
-                ),
-                ("is_active", models.BooleanField(default=True)),
-            ],
-            options={
-                "db_table": "lighthouse_provider_configurations",
-                "abstract": False,
-            },
-        ),
-        migrations.CreateModel(
-            name="LighthouseProviderModels",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                ("model_id", models.CharField(max_length=100)),
-                ("model_name", models.CharField(max_length=100)),
-                ("default_parameters", models.JSONField(blank=True, default=dict)),
-            ],
-            options={
-                "db_table": "lighthouse_provider_models",
-                "abstract": False,
-            },
-        ),
-        migrations.CreateModel(
-            name="LighthouseTenantConfiguration",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                ("business_context", models.TextField(blank=True, default="")),
-                ("default_provider", models.CharField(blank=True, max_length=50)),
-                ("default_models", models.JSONField(blank=True, default=dict)),
-            ],
-            options={
-                "db_table": "lighthouse_tenant_config",
-                "abstract": False,
-            },
-        ),
-        migrations.AddField(
-            model_name="lighthouseproviderconfiguration",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddField(
-            model_name="lighthouseprovidermodels",
-            name="provider_configuration",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="available_models",
-                to="api.lighthouseproviderconfiguration",
-            ),
-        ),
-        migrations.AddField(
-            model_name="lighthouseprovidermodels",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddField(
-            model_name="lighthousetenantconfiguration",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="lighthouseproviderconfiguration",
-            index=models.Index(
-                fields=["tenant_id", "provider_type"], name="lh_pc_tenant_type_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthouseproviderconfiguration",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_lighthouseproviderconfiguration",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthouseproviderconfiguration",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider_type"),
-                name="unique_provider_config_per_tenant",
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="lighthouseprovidermodels",
-            index=models.Index(
-                fields=["tenant_id", "provider_configuration"],
-                name="lh_prov_models_cfg_idx",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthouseprovidermodels",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_lighthouseprovidermodels",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthouseprovidermodels",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider_configuration", "model_id"),
-                name="unique_provider_model_per_configuration",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthousetenantconfiguration",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_lighthousetenantconfiguration",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="lighthousetenantconfiguration",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id",), name="unique_tenant_lighthouse_config"
-            ),
-        ),
-        # Migrate data from old LighthouseConfiguration to new tables
-        # This runs after all tables, indexes, and constraints are created
-        # The old Lighthouse configuration table is not removed, so reverse_code is noop
-        # During rollbacks, the old Lighthouse configuration remains intact while the new tables are removed
-        migrations.RunPython(
-            migrate_lighthouse_configs_forward,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]
--- a/api/src/backend/api/migrations/0051_oraclecloud_provider.py
+++ b/api/src/backend/api/migrations/0051_oraclecloud_provider.py
@@ -1,34 +0,0 @@
-# Generated by Django 5.1.7 on 2025-10-14 00:00
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0050_lighthouse_multi_llm"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'oraclecloud';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
--- a/api/src/backend/api/migrations/0052_mute_rules.py
+++ b/api/src/backend/api/migrations/0052_mute_rules.py
@@ -1,117 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-22 11:56
-
-import uuid
-
-import django.contrib.postgres.fields
-import django.core.validators
-import django.db.models.deletion
-from django.conf import settings
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0051_oraclecloud_provider"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="MuteRule",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                (
-                    "name",
-                    models.CharField(
-                        help_text="Human-readable name for this rule",
-                        max_length=100,
-                        validators=[django.core.validators.MinLengthValidator(3)],
-                    ),
-                ),
-                (
-                    "reason",
-                    models.TextField(
-                        help_text="Reason for muting",
-                        max_length=500,
-                        validators=[django.core.validators.MinLengthValidator(3)],
-                    ),
-                ),
-                (
-                    "enabled",
-                    models.BooleanField(
-                        default=True, help_text="Whether this rule is currently enabled"
-                    ),
-                ),
-                (
-                    "finding_uids",
-                    django.contrib.postgres.fields.ArrayField(
-                        base_field=models.CharField(max_length=255),
-                        help_text="List of finding UIDs to mute",
-                        size=None,
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "mute_rules",
-                "abstract": False,
-            },
-        ),
-        migrations.AddField(
-            model_name="finding",
-            name="muted_at",
-            field=models.DateTimeField(
-                blank=True, help_text="Timestamp when this finding was muted", null=True
-            ),
-        ),
-        migrations.AlterField(
-            model_name="tenantapikey",
-            name="name",
-            field=models.CharField(
-                max_length=100,
-                validators=[django.core.validators.MinLengthValidator(3)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="muterule",
-            name="created_by",
-            field=models.ForeignKey(
-                help_text="User who created this rule",
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="created_mute_rules",
-                to=settings.AUTH_USER_MODEL,
-            ),
-        ),
-        migrations.AddField(
-            model_name="muterule",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="muterule",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_muterule",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="muterule",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "name"), name="unique_mute_rule_name_per_tenant"
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0053_lighthouse_bedrock_openai_compatible.py
+++ b/api/src/backend/api/migrations/0053_lighthouse_bedrock_openai_compatible.py
@@ -1,25 +0,0 @@
-# Generated by Django 5.1.12 on 2025-10-14 11:46
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0052_mute_rules"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="lighthouseproviderconfiguration",
-            name="provider_type",
-            field=models.CharField(
-                choices=[
-                    ("openai", "OpenAI"),
-                    ("bedrock", "AWS Bedrock"),
-                    ("openai_compatible", "OpenAI Compatible"),
-                ],
-                help_text="LLM provider name",
-                max_length=50,
-            ),
-        )
-    ]
--- a/api/src/backend/api/migrations/0054_iac_provider.py
+++ b/api/src/backend/api/migrations/0054_iac_provider.py
@@ -1,35 +0,0 @@
-# Generated by Django 5.1.10 on 2025-09-09 09:25
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0053_lighthouse_bedrock_openai_compatible"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("iac", "IaC"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'iac';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
--- a/api/src/backend/api/migrations/0055_mongodbatlas_provider.py
+++ b/api/src/backend/api/migrations/0055_mongodbatlas_provider.py
@@ -1,36 +0,0 @@
-# Generated by Django 5.1.13 on 2025-11-05 08:37
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0054_iac_provider"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'mongodbatlas';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
--- a/api/src/backend/api/migrations/0056_remove_provider_unique_provider_uids_and_more.py
+++ b/api/src/backend/api/migrations/0056_remove_provider_unique_provider_uids_and_more.py
@@ -1,24 +0,0 @@
-# Generated by Django 5.1.13 on 2025-11-06 09:20
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0055_mongodbatlas_provider"),
-    ]
-
-    operations = [
-        migrations.RemoveConstraint(
-            model_name="provider",
-            name="unique_provider_uids",
-        ),
-        migrations.AddConstraint(
-            model_name="provider",
-            constraint=models.UniqueConstraint(
-                condition=models.Q(("is_deleted", False)),
-                fields=("tenant_id", "provider", "uid"),
-                name="unique_provider_uids",
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0057_threatscoresnapshot.py
+++ b/api/src/backend/api/migrations/0057_threatscoresnapshot.py
@@ -1,170 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-31 09:04
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0056_remove_provider_unique_provider_uids_and_more"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ThreatScoreSnapshot",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                (
-                    "compliance_id",
-                    models.CharField(
-                        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
-                        max_length=100,
-                    ),
-                ),
-                (
-                    "overall_score",
-                    models.DecimalField(
-                        decimal_places=2,
-                        help_text="Overall ThreatScore percentage (0-100)",
-                        max_digits=5,
-                    ),
-                ),
-                (
-                    "score_delta",
-                    models.DecimalField(
-                        blank=True,
-                        decimal_places=2,
-                        help_text="Score change compared to previous snapshot (positive = improvement)",
-                        max_digits=5,
-                        null=True,
-                    ),
-                ),
-                (
-                    "section_scores",
-                    models.JSONField(
-                        blank=True,
-                        default=dict,
-                        help_text="ThreatScore breakdown by section",
-                    ),
-                ),
-                (
-                    "critical_requirements",
-                    models.JSONField(
-                        blank=True,
-                        default=list,
-                        help_text="List of critical failed requirements (risk >= 4)",
-                    ),
-                ),
-                (
-                    "total_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Total number of requirements evaluated"
-                    ),
-                ),
-                (
-                    "passed_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with PASS status"
-                    ),
-                ),
-                (
-                    "failed_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with FAIL status"
-                    ),
-                ),
-                (
-                    "manual_requirements",
-                    models.IntegerField(
-                        default=0, help_text="Number of requirements with MANUAL status"
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Total number of findings across all requirements",
-                    ),
-                ),
-                (
-                    "passed_findings",
-                    models.IntegerField(
-                        default=0, help_text="Number of findings with PASS status"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0, help_text="Number of findings with FAIL status"
-                    ),
-                ),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="threatscore_snapshots",
-                        related_query_name="threatscore_snapshot",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="threatscore_snapshots",
-                        related_query_name="threatscore_snapshot",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "threatscore_snapshots",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "scan_id"], name="threatscore_snap_t_scan_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "provider_id"], name="threatscore_snap_t_prov_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="threatscoresnapshot",
-            index=models.Index(
-                fields=["tenant_id", "inserted_at"], name="threatscore_snap_t_time_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="threatscoresnapshot",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_threatscoresnapshot",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0058_drop_redundant_compliance_requirement_indexes.py
+++ b/api/src/backend/api/migrations/0058_drop_redundant_compliance_requirement_indexes.py
@@ -1,29 +0,0 @@
-from django.contrib.postgres.operations import RemoveIndexConcurrently
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0057_threatscoresnapshot"),
-    ]
-
-    operations = [
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_tenant_scan_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_reg_idx",
-        ),
-    ]
--- a/api/src/backend/api/migrations/0059_compliance_overview_summary.py
+++ b/api/src/backend/api/migrations/0059_compliance_overview_summary.py
@@ -1,75 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-30 15:23
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0058_drop_redundant_compliance_requirement_indexes"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ComplianceOverviewSummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("compliance_id", models.TextField()),
-                ("requirements_passed", models.IntegerField(default=0)),
-                ("requirements_failed", models.IntegerField(default=0)),
-                ("requirements_manual", models.IntegerField(default=0)),
-                ("total_requirements", models.IntegerField(default=0)),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_summaries",
-                        related_query_name="compliance_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "compliance_overview_summaries",
-                "abstract": False,
-                "indexes": [
-                    models.Index(
-                        fields=["tenant_id", "scan_id"], name="cos_tenant_scan_idx"
-                    )
-                ],
-                "constraints": [
-                    models.UniqueConstraint(
-                        fields=("tenant_id", "scan_id", "compliance_id"),
-                        name="unique_compliance_summary_per_scan",
-                    )
-                ],
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="complianceoverviewsummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_complianceoverviewsummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0060_attack_surface_overview.py
+++ b/api/src/backend/api/migrations/0060_attack_surface_overview.py
@@ -1,89 +0,0 @@
-# Generated by Django 5.1.14 on 2025-11-19 13:03
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0059_compliance_overview_summary"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="AttackSurfaceOverview",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                (
-                    "attack_surface_type",
-                    models.CharField(
-                        choices=[
-                            ("internet-exposed", "Internet Exposed"),
-                            ("secrets", "Exposed Secrets"),
-                            ("privilege-escalation", "Privilege Escalation"),
-                            ("ec2-imdsv1", "EC2 IMDSv1 Enabled"),
-                        ],
-                        max_length=50,
-                    ),
-                ),
-                ("total_findings", models.IntegerField(default=0)),
-                ("failed_findings", models.IntegerField(default=0)),
-                ("muted_failed_findings", models.IntegerField(default=0)),
-            ],
-            options={
-                "db_table": "attack_surface_overviews",
-                "abstract": False,
-            },
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="scan",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="attack_surface_overviews",
-                related_query_name="attack_surface_overview",
-                to="api.scan",
-            ),
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="attacksurfaceoverview",
-            index=models.Index(
-                fields=["tenant_id", "scan_id"], name="attack_surf_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_attacksurfaceoverview",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0061_daily_severity_summary.py
+++ b/api/src/backend/api/migrations/0061_daily_severity_summary.py
@@ -1,96 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-03 13:38
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0060_attack_surface_overview"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="DailySeveritySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("date", models.DateField()),
-                ("critical", models.IntegerField(default=0)),
-                ("high", models.IntegerField(default=0)),
-                ("medium", models.IntegerField(default=0)),
-                ("low", models.IntegerField(default=0)),
-                ("informational", models.IntegerField(default=0)),
-                ("muted", models.IntegerField(default=0)),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "daily_severity_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_dailyseveritysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0062_backfill_daily_severity_summaries.py
+++ b/api/src/backend/api/migrations/0062_backfill_daily_severity_summaries.py
@@ -1,30 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-10
-
-from django.db import migrations
-from tasks.tasks import backfill_daily_severity_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Trigger the backfill task for all tenants.
-
-    This dispatches backfill_daily_severity_summaries_task for each tenant
-    in the system to populate DailySeveritySummary records from historical scans.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_daily_severity_summaries_task.delay(tenant_id=str(tenant_id), days=90)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0061_daily_severity_summary"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]
--- a/api/src/backend/api/migrations/0063_scan_category_summary.py
+++ b/api/src/backend/api/migrations/0063_scan_category_summary.py
@@ -1,111 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0062_backfill_daily_severity_summaries"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ScanCategorySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-                (
-                    "inserted_at",
-                    models.DateTimeField(auto_now_add=True),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="category_summaries",
-                        related_query_name="category_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "category",
-                    models.CharField(max_length=100),
-                ),
-                (
-                    "severity",
-                    api.db_utils.SeverityEnumField(
-                        choices=[
-                            ("critical", "Critical"),
-                            ("high", "High"),
-                            ("medium", "Medium"),
-                            ("low", "Low"),
-                            ("informational", "Informational"),
-                        ],
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0, help_text="Non-muted findings (PASS + FAIL)"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL findings (subset of total_findings)",
-                    ),
-                ),
-                (
-                    "new_failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "scan_category_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="scancategorysummary",
-            index=models.Index(
-                fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_scancategorysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0064_finding_categories.py
+++ b/api/src/backend/api/migrations/0064_finding_categories.py
@@ -1,22 +0,0 @@
-import django.contrib.postgres.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0063_scan_category_summary"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="finding",
-            name="categories",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.CharField(max_length=100),
-                blank=True,
-                null=True,
-                size=None,
-                help_text="Categories from check metadata for efficient filtering",
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0065_alibabacloud_provider.py
+++ b/api/src/backend/api/migrations/0065_alibabacloud_provider.py
@@ -1,37 +0,0 @@
-# Generated by Django migration for Alibaba Cloud provider support
-
-from django.db import migrations
-
-import api.db_utils
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0064_finding_categories"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="provider",
-            name="provider",
-            field=api.db_utils.ProviderEnumField(
-                choices=[
-                    ("aws", "AWS"),
-                    ("azure", "Azure"),
-                    ("gcp", "GCP"),
-                    ("kubernetes", "Kubernetes"),
-                    ("m365", "M365"),
-                    ("github", "GitHub"),
-                    ("mongodbatlas", "MongoDB Atlas"),
-                    ("iac", "IaC"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
-                    ("alibabacloud", "Alibaba Cloud"),
-                ],
-                default="aws",
-            ),
-        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'alibabacloud';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
-    ]
--- a/api/src/backend/api/migrations/0066_provider_compliance_score.py
+++ b/api/src/backend/api/migrations/0066_provider_compliance_score.py
@@ -1,94 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0065_alibabacloud_provider"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ProviderComplianceScore",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("compliance_id", models.TextField()),
-                ("requirement_id", models.TextField()),
-                (
-                    "requirement_status",
-                    api.db_utils.StatusEnumField(
-                        choices=[
-                            ("FAIL", "Fail"),
-                            ("PASS", "Pass"),
-                            ("MANUAL", "Manual"),
-                        ]
-                    ),
-                ),
-                ("scan_completed_at", models.DateTimeField()),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_scores",
-                        related_query_name="compliance_score",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_scores",
-                        related_query_name="compliance_score",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "provider_compliance_scores",
-                "abstract": False,
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="providercompliancescore",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider_id", "compliance_id", "requirement_id"),
-                name="unique_provider_compliance_req",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="providercompliancescore",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_providercompliancescore",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="providercompliancescore",
-            index=models.Index(
-                fields=["tenant_id", "provider_id", "compliance_id"],
-                name="pcs_tenant_prov_comp_idx",
-            ),
-        ),
-    ]
--- a/api/src/backend/api/migrations/0067_tenant_compliance_summary.py
+++ b/api/src/backend/api/migrations/0067_tenant_compliance_summary.py
@@ -1,61 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0066_provider_compliance_score"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="TenantComplianceSummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("compliance_id", models.TextField()),
-                ("requirements_passed", models.IntegerField(default=0)),
-                ("requirements_failed", models.IntegerField(default=0)),
-                ("requirements_manual", models.IntegerField(default=0)),
-                ("total_requirements", models.IntegerField(default=0)),
-                ("updated_at", models.DateTimeField(auto_now=True)),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "tenant_compliance_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="tenantcompliancesummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "compliance_id"),
-                name="unique_tenant_compliance_summary",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="tenantcompliancesummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_tenantcompliancesummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
--- a/api/src/backend/api/models.py
+++ b/api/src/backend/api/models.py
@@ -284,10 +284,6 @@ class Provider(RowLevelSecurityProtectedModel):
        KUBERNETES = "kubernetes", _("Kubernetes")
        M365 = "m365", _("M365")
        GITHUB = "github", _("GitHub")
-        MONGODBATLAS = "mongodbatlas", _("MongoDB Atlas")
-        IAC = "iac", _("IaC")
-        ORACLECLOUD = "oraclecloud", _("Oracle Cloud Infrastructure")
-        ALIBABACLOUD = "alibabacloud", _("Alibaba Cloud")

    @staticmethod
    def validate_aws_uid(value):
@@ -358,49 +354,6 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

-    @staticmethod
-    def validate_iac_uid(value):
-        # Validate that it's a valid repository URL (git URL format)
-        if not re.match(
-            r"^(https?://|git@|ssh://)[^\s/]+[^\s]*\.git$|^(https?://)[^\s/]+[^\s]*$",
-            value,
-        ):
-            raise ModelValidationError(
-                detail="IaC provider ID must be a valid repository URL (e.g., https://github.com/user/repo or https://github.com/user/repo.git).",
-                code="iac-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_oraclecloud_uid(value):
-        if not re.match(
-            r"^ocid1\.([a-z0-9_-]+)\.([a-z0-9_-]+)\.([a-z0-9_-]*)\.([a-z0-9]+)$", value
-        ):
-            raise ModelValidationError(
-                detail="Oracle Cloud Infrastructure provider ID must be a valid tenancy OCID in the format: "
-                "ocid1.<resource_type>.<realm>.<region>.<unique_id>",
-                code="oraclecloud-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_mongodbatlas_uid(value):
-        if not re.match(r"^[0-9a-fA-F]{24}$", value):
-            raise ModelValidationError(
-                detail="MongoDB Atlas organization ID must be a 24-character hexadecimal string.",
-                code="mongodbatlas-uid",
-                pointer="/data/attributes/uid",
-            )
-
-    @staticmethod
-    def validate_alibabacloud_uid(value):
-        if not re.match(r"^\d{16}$", value):
-            raise ModelValidationError(
-                detail="Alibaba Cloud account ID must be exactly 16 digits.",
-                code="alibabacloud-uid",
-                pointer="/data/attributes/uid",
-            )
-
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
    updated_at = models.DateTimeField(auto_now=True, editable=False)
@@ -435,8 +388,7 @@ class Provider(RowLevelSecurityProtectedModel):

        constraints = [
            models.UniqueConstraint(
-                fields=("tenant_id", "provider", "uid"),
-                condition=Q(is_deleted=False),
+                fields=("tenant_id", "provider", "uid", "is_deleted"),
                name="unique_provider_uids",
            ),
            RowLevelSecurityConstraint(
@@ -726,19 +678,14 @@ class Resource(RowLevelSecurityProtectedModel):
            self.clear_tags()
            return

-        # Add new relationships with the tenant_id field; avoid touching the
-        # Resource row unless a mapping is actually created to prevent noisy
-        # updates during scans.
-        mapping_created = False
+        # Add new relationships with the tenant_id field
        for tag in tags:
-            _, created = ResourceTagMapping.objects.update_or_create(
+            ResourceTagMapping.objects.update_or_create(
                tag=tag, resource=self, tenant_id=self.tenant_id
            )
-            mapping_created = mapping_created or created

-        if mapping_created:
-            # Only bump updated_at when the tag set truly changed
-            self.save(update_fields=["updated_at"])
+        # Save the instance
+        self.save()

    class Meta(RowLevelSecurityProtectedModel.Meta):
        db_table = "resources"
@@ -863,9 +810,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
    muted_reason = models.TextField(
        blank=True, null=True, validators=[MinLengthValidator(3)], max_length=500
    )
-    muted_at = models.DateTimeField(
-        null=True, blank=True, help_text="Timestamp when this finding was muted"
-    )
    compliance = models.JSONField(default=dict, null=True, blank=True)

    # Denormalize resource data for performance
@@ -883,14 +827,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
        null=True,
    )

-    # Check metadata denormalization
-    categories = ArrayField(
-        models.CharField(max_length=100),
-        blank=True,
-        null=True,
-        help_text="Categories from check metadata for efficient filtering",
-    )
-
    # Relationships
    scan = models.ForeignKey(to=Scan, related_name="findings", on_delete=models.CASCADE)

@@ -1394,70 +1330,35 @@ class ComplianceRequirementOverview(RowLevelSecurityProtectedModel):
            ),
        ]
        indexes = [
+            models.Index(fields=["tenant_id", "scan_id"], name="cro_tenant_scan_idx"),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id"],
+                name="cro_scan_comp_idx",
+            ),
            models.Index(
                fields=["tenant_id", "scan_id", "compliance_id", "region"],
                name="cro_scan_comp_reg_idx",
            ),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id", "requirement_id"],
+                name="cro_scan_comp_req_idx",
+            ),
+            models.Index(
+                fields=[
+                    "tenant_id",
+                    "scan_id",
+                    "compliance_id",
+                    "requirement_id",
+                    "region",
+                ],
+                name="cro_scan_comp_req_reg_idx",
+            ),
        ]

    class JSONAPIMeta:
        resource_name = "compliance-requirements-overviews"


-class ComplianceOverviewSummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated compliance overview aggregated across ALL regions.
-    One row per (scan_id, compliance_id) combination.
-
-    This table optimizes the common case where users view overall compliance
-    without filtering by region. For region-specific views, the detailed
-    ComplianceRequirementOverview table is used instead.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="compliance_summaries",
-        related_query_name="compliance_summary",
-    )
-
-    compliance_id = models.TextField(blank=False)
-
-    # Pre-aggregated scores (computed across ALL regions)
-    requirements_passed = models.IntegerField(default=0)
-    requirements_failed = models.IntegerField(default=0)
-    requirements_manual = models.IntegerField(default=0)
-    total_requirements = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "compliance_overview_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "compliance_id"),
-                name="unique_compliance_summary_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="cos_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "compliance-overview-summaries"
-
-
 class ScanSummary(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
    all_objects = models.Manager()
@@ -1523,65 +1424,6 @@ class ScanSummary(RowLevelSecurityProtectedModel):
        resource_name = "scan-summaries"


-class DailySeveritySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated daily severity counts per provider.
-    Used by findings_severity/timeseries endpoint for efficient queries.
-    """
-
-    objects = ActiveProviderManager()
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    date = models.DateField()
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-
-    # Aggregated fail counts by severity
-    critical = models.IntegerField(default=0)
-    high = models.IntegerField(default=0)
-    medium = models.IntegerField(default=0)
-    low = models.IntegerField(default=0)
-    informational = models.IntegerField(default=0)
-    muted = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "daily_severity_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ]
-
-
 class Integration(RowLevelSecurityProtectedModel):
    class IntegrationChoices(models.TextChoices):
        AMAZON_S3 = "amazon_s3", _("Amazon S3")
@@ -1974,64 +1816,6 @@ class ResourceScanSummary(RowLevelSecurityProtectedModel):
        ]


-class ScanCategorySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated category metrics per scan by severity.
-
-    Stores one row per (category, severity) combination per scan for efficient
-    overview queries. Categories come from check_metadata.categories.
-
-    Count relationships (each is a subset of the previous):
-        - total_findings >= failed_findings >= new_failed_findings
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="category_summaries",
-        related_query_name="category_summary",
-    )
-
-    category = models.CharField(max_length=100)
-    severity = SeverityEnumField(choices=SeverityChoices)
-
-    total_findings = models.IntegerField(
-        default=0, help_text="Non-muted findings (PASS + FAIL)"
-    )
-    failed_findings = models.IntegerField(
-        default=0, help_text="Non-muted FAIL findings (subset of total_findings)"
-    )
-    new_failed_findings = models.IntegerField(
-        default=0,
-        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-    )
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "scan_category_summaries"
-
-        indexes = [
-            models.Index(fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"),
-        ]
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "scan-category-summaries"
-
-
 class LighthouseConfiguration(RowLevelSecurityProtectedModel):
    """
    Stores configuration and API keys for LLM services.
@@ -2089,6 +1873,22 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
    def clean(self):
        super().clean()

+        # Validate temperature
+        if not 0 <= self.temperature <= 1:
+            raise ModelValidationError(
+                detail="Temperature must be between 0 and 1",
+                code="invalid_temperature",
+                pointer="/data/attributes/temperature",
+            )
+
+        # Validate max_tokens
+        if not 500 <= self.max_tokens <= 5000:
+            raise ModelValidationError(
+                detail="Max tokens must be between 500 and 5000",
+                code="invalid_max_tokens",
+                pointer="/data/attributes/max_tokens",
+            )
+
    @property
    def api_key_decoded(self):
        """Return the decrypted API key, or None if unavailable or invalid."""
@@ -2113,6 +1913,15 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
                code="invalid_api_key",
                pointer="/data/attributes/api_key",
            )
+
+        # Validate OpenAI API key format
+        openai_key_pattern = r"^sk-[\w-]+T3BlbkFJ[\w-]+$"
+        if not re.match(openai_key_pattern, value):
+            raise ModelValidationError(
+                detail="Invalid OpenAI API key format.",
+                code="invalid_api_key",
+                pointer="/data/attributes/api_key",
+            )
        self.api_key = fernet.encrypt(value.encode())

    def save(self, *args, **kwargs):
@@ -2138,59 +1947,6 @@ class LighthouseConfiguration(RowLevelSecurityProtectedModel):
        resource_name = "lighthouse-configurations"


-class MuteRule(RowLevelSecurityProtectedModel):
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-    updated_at = models.DateTimeField(auto_now=True, editable=False)
-
-    # Rule metadata
-    name = models.CharField(
-        max_length=100,
-        validators=[MinLengthValidator(3)],
-        help_text="Human-readable name for this rule",
-    )
-    reason = models.TextField(
-        validators=[MinLengthValidator(3)],
-        max_length=500,
-        help_text="Reason for muting",
-    )
-    enabled = models.BooleanField(
-        default=True, help_text="Whether this rule is currently enabled"
-    )
-
-    # Audit fields
-    created_by = models.ForeignKey(
-        User,
-        on_delete=models.SET_NULL,
-        null=True,
-        related_name="created_mute_rules",
-        help_text="User who created this rule",
-    )
-
-    # Rule criteria - array of finding UIDs
-    finding_uids = ArrayField(
-        models.CharField(max_length=255), help_text="List of finding UIDs to mute"
-    )
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "mute_rules"
-
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-            models.UniqueConstraint(
-                fields=("tenant_id", "name"),
-                name="unique_mute_rule_name_per_tenant",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "mute-rules"
-
-
 class Processor(RowLevelSecurityProtectedModel):
    class ProcessorChoices(models.TextChoices):
        MUTELIST = "mutelist", _("Mutelist")
@@ -2228,469 +1984,3 @@ class Processor(RowLevelSecurityProtectedModel):

    class JSONAPIMeta:
        resource_name = "processors"
-
-
-class LighthouseProviderConfiguration(RowLevelSecurityProtectedModel):
-    """
-    Per-tenant configuration for an LLM provider (credentials, base URL, activation).
-
-    One configuration per provider type per tenant.
-    """
-
-    class LLMProviderChoices(models.TextChoices):
-        OPENAI = "openai", _("OpenAI")
-        BEDROCK = "bedrock", _("AWS Bedrock")
-        OPENAI_COMPATIBLE = "openai_compatible", _("OpenAI Compatible")
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-    updated_at = models.DateTimeField(auto_now=True, editable=False)
-
-    provider_type = models.CharField(
-        max_length=50,
-        choices=LLMProviderChoices.choices,
-        help_text="LLM provider name",
-    )
-
-    # For OpenAI-compatible providers
-    base_url = models.URLField(blank=True, null=True)
-
-    # Encrypted JSON for provider-specific auth
-    credentials = models.BinaryField(
-        blank=False, null=False, help_text="Encrypted JSON credentials for the provider"
-    )
-
-    is_active = models.BooleanField(default=True)
-
-    def __str__(self):
-        return f"{self.get_provider_type_display()} ({self.tenant_id})"
-
-    def clean(self):
-        super().clean()
-
-    @property
-    def credentials_decoded(self):
-        if not self.credentials:
-            return None
-        try:
-            decrypted_data = fernet.decrypt(bytes(self.credentials))
-            return json.loads(decrypted_data.decode())
-        except (InvalidToken, json.JSONDecodeError) as e:
-            logger.warning("Failed to decrypt provider credentials: %s", e)
-            return None
-        except Exception as e:
-            logger.exception(
-                "Unexpected error while decrypting provider credentials: %s", e
-            )
-            return None
-
-    @credentials_decoded.setter
-    def credentials_decoded(self, value):
-        """
-        Set and encrypt credentials (assumes serializer performed validation).
-        """
-        if not value:
-            raise ModelValidationError(
-                detail="Credentials are required",
-                code="invalid_credentials",
-                pointer="/data/attributes/credentials",
-            )
-        self.credentials = fernet.encrypt(json.dumps(value).encode())
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "lighthouse_provider_configurations"
-
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-            models.UniqueConstraint(
-                fields=["tenant_id", "provider_type"],
-                name="unique_provider_config_per_tenant",
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "provider_type"],
-                name="lh_pc_tenant_type_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "lighthouse-providers"
-
-
-class LighthouseTenantConfiguration(RowLevelSecurityProtectedModel):
-    """
-    Tenant-level Lighthouse settings (business context and defaults).
-    One record per tenant.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-    updated_at = models.DateTimeField(auto_now=True, editable=False)
-
-    business_context = models.TextField(blank=True, default="")
-
-    # Preferred provider key (e.g., "openai", "bedrock", "openai_compatible")
-    default_provider = models.CharField(max_length=50, blank=True)
-
-    # Mapping of provider -> model id, e.g., {"openai": "gpt-4o", "bedrock": "anthropic.claude-v2"}
-    default_models = models.JSONField(default=dict, blank=True)
-
-    def __str__(self):
-        return f"Lighthouse Tenant Config for {self.tenant_id}"
-
-    def clean(self):
-        super().clean()
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "lighthouse_tenant_config"
-
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-            models.UniqueConstraint(
-                fields=["tenant_id"], name="unique_tenant_lighthouse_config"
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "lighthouse-configurations"
-
-
-class LighthouseProviderModels(RowLevelSecurityProtectedModel):
-    """
-    Per-tenant, per-provider configuration list of available LLM models.
-    RLS-protected; populated via provider API using tenant-scoped credentials.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-    updated_at = models.DateTimeField(auto_now=True, editable=False)
-
-    # Scope to a specific provider configuration within a tenant
-    provider_configuration = models.ForeignKey(
-        LighthouseProviderConfiguration,
-        on_delete=models.CASCADE,
-        related_name="available_models",
-    )
-    model_id = models.CharField(max_length=100)
-
-    # Human-friendly model name
-    model_name = models.CharField(max_length=100)
-
-    # Model-specific default parameters (e.g., temperature, max_tokens)
-    default_parameters = models.JSONField(default=dict, blank=True)
-
-    def __str__(self):
-        return f"{self.provider_configuration.provider_type}:{self.model_id} ({self.tenant_id})"
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "lighthouse_provider_models"
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-            models.UniqueConstraint(
-                fields=["tenant_id", "provider_configuration", "model_id"],
-                name="unique_provider_model_per_configuration",
-            ),
-        ]
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "provider_configuration"],
-                name="lh_prov_models_cfg_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "lighthouse-models"
-
-
-class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):
-    """
-    Stores historical ThreatScore metrics for a given scan.
-    Snapshots are created automatically after each ThreatScore report generation.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="threatscore_snapshots",
-        related_query_name="threatscore_snapshot",
-    )
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="threatscore_snapshots",
-        related_query_name="threatscore_snapshot",
-    )
-
-    compliance_id = models.CharField(
-        max_length=100,
-        blank=False,
-        null=False,
-        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
-    )
-
-    # Overall ThreatScore metrics
-    overall_score = models.DecimalField(
-        max_digits=5,
-        decimal_places=2,
-        help_text="Overall ThreatScore percentage (0-100)",
-    )
-
-    # Score improvement/degradation compared to previous snapshot
-    score_delta = models.DecimalField(
-        max_digits=5,
-        decimal_places=2,
-        null=True,
-        blank=True,
-        help_text="Score change compared to previous snapshot (positive = improvement)",
-    )
-
-    # Section breakdown stored as JSON
-    # Format: {"1. IAM": 85.5, "2. Attack Surface": 92.3, ...}
-    section_scores = models.JSONField(
-        default=dict,
-        blank=True,
-        help_text="ThreatScore breakdown by section",
-    )
-
-    # Critical requirements metadata stored as JSON
-    # Format: [{"requirement_id": "...", "risk_level": 5, "weight": 150, ...}, ...]
-    critical_requirements = models.JSONField(
-        default=list,
-        blank=True,
-        help_text="List of critical failed requirements (risk >= 4)",
-    )
-
-    # Summary statistics
-    total_requirements = models.IntegerField(
-        default=0,
-        help_text="Total number of requirements evaluated",
-    )
-
-    passed_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with PASS status",
-    )
-
-    failed_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with FAIL status",
-    )
-
-    manual_requirements = models.IntegerField(
-        default=0,
-        help_text="Number of requirements with MANUAL status",
-    )
-
-    total_findings = models.IntegerField(
-        default=0,
-        help_text="Total number of findings across all requirements",
-    )
-
-    passed_findings = models.IntegerField(
-        default=0,
-        help_text="Number of findings with PASS status",
-    )
-
-    failed_findings = models.IntegerField(
-        default=0,
-        help_text="Number of findings with FAIL status",
-    )
-
-    def __str__(self):
-        return f"ThreatScore {self.overall_score}% for scan {self.scan_id} ({self.inserted_at})"
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "threatscore_snapshots"
-
-        constraints = [
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="threatscore_snap_t_scan_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="threatscore_snap_t_prov_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "inserted_at"],
-                name="threatscore_snap_t_time_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "threatscore-snapshots"
-
-
-class AttackSurfaceOverview(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated attack surface metrics per scan.
-
-    Stores counts for each attack surface type (internet-exposed, secrets,
-    privilege-escalation, ec2-imdsv1) to enable fast overview queries.
-    """
-
-    class AttackSurfaceTypeChoices(models.TextChoices):
-        INTERNET_EXPOSED = "internet-exposed", _("Internet Exposed")
-        SECRETS = "secrets", _("Exposed Secrets")
-        PRIVILEGE_ESCALATION = "privilege-escalation", _("Privilege Escalation")
-        EC2_IMDSV1 = "ec2-imdsv1", _("EC2 IMDSv1 Enabled")
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="attack_surface_overviews",
-        related_query_name="attack_surface_overview",
-    )
-
-    attack_surface_type = models.CharField(
-        max_length=50,
-        choices=AttackSurfaceTypeChoices.choices,
-    )
-
-    # Finding counts
-    total_findings = models.IntegerField(default=0)  # All findings (PASS + FAIL)
-    failed_findings = models.IntegerField(default=0)  # Non-muted failed findings
-    muted_failed_findings = models.IntegerField(default=0)  # Muted failed findings
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "attack_surface_overviews"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="attack_surf_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"
-
-
-class ProviderComplianceScore(RowLevelSecurityProtectedModel):
-    """
-    Compliance requirement status from latest completed scan per provider.
-
-    Used for efficient compliance watchlist queries with FAIL-dominant aggregation
-    across multiple providers. Updated via atomic upsert after each scan completion.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="compliance_scores",
-        related_query_name="compliance_score",
-    )
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="compliance_scores",
-        related_query_name="compliance_score",
-    )
-
-    compliance_id = models.TextField()
-    requirement_id = models.TextField()
-    requirement_status = StatusEnumField(choices=StatusChoices)
-
-    scan_completed_at = models.DateTimeField()
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "provider_compliance_scores"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "provider_id", "compliance_id", "requirement_id"),
-                name="unique_provider_compliance_req",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "provider_id", "compliance_id"],
-                name="pcs_tenant_prov_comp_idx",
-            ),
-        ]
-
-
-class TenantComplianceSummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated compliance counts per tenant with FAIL-dominant logic applied.
-
-    One row per (tenant, compliance_id). Used for fast watchlist queries when
-    no provider filter is applied. Recalculated after each scan by aggregating
-    across all providers with FAIL-dominant logic at requirement level.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-
-    compliance_id = models.TextField()
-
-    requirements_passed = models.IntegerField(default=0)
-    requirements_failed = models.IntegerField(default=0)
-    requirements_manual = models.IntegerField(default=0)
-    total_requirements = models.IntegerField(default=0)
-
-    updated_at = models.DateTimeField(auto_now=True)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "tenant_compliance_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "compliance_id"),
-                name="unique_tenant_compliance_summary",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
--- a/api/src/backend/api/rbac/permissions.py
+++ b/api/src/backend/api/rbac/permissions.py
@@ -65,11 +65,11 @@ def get_providers(role: Role) -> QuerySet[Provider]:
        A QuerySet of Provider objects filtered by the role's provider groups.
        If the role has no provider groups, returns an empty queryset.
    """
-    tenant_id = role.tenant_id
+    tenant = role.tenant
    provider_groups = role.provider_groups.all()
    if not provider_groups.exists():
        return Provider.objects.none()

    return Provider.objects.filter(
-        tenant_id=tenant_id, provider_groups__in=provider_groups
+        tenant=tenant, provider_groups__in=provider_groups
    ).distinct()
--- a/api/src/backend/api/signals.py
+++ b/api/src/backend/api/signals.py
@@ -6,14 +6,7 @@ from django.dispatch import receiver
 from django_celery_results.backends.database import DatabaseBackend

 from api.db_utils import delete_related_daily_task
-from api.models import (
-    LighthouseProviderConfiguration,
-    LighthouseTenantConfiguration,
-    Membership,
-    Provider,
-    TenantAPIKey,
-    User,
-)
+from api.models import Membership, Provider, TenantAPIKey, User


 def create_task_result_on_publish(sender=None, headers=None, **kwargs):  # noqa: F841
@@ -63,33 +56,3 @@ def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
    TenantAPIKey.objects.filter(
        entity=instance.user, tenant_id=instance.tenant.id
    ).update(revoked=True)
-
-
-@receiver(pre_delete, sender=LighthouseProviderConfiguration)
-def cleanup_lighthouse_defaults_before_delete(sender, instance, **kwargs):  # noqa: F841
-    """
-    Ensure tenant Lighthouse defaults do not reference a soon-to-be-deleted provider.
-
-    This runs for both per-instance deletes and queryset (bulk) deletes.
-    """
-    try:
-        tenant_cfg = LighthouseTenantConfiguration.objects.get(
-            tenant_id=instance.tenant_id
-        )
-    except LighthouseTenantConfiguration.DoesNotExist:
-        return
-
-    updated = False
-    defaults = tenant_cfg.default_models or {}
-
-    if instance.provider_type in defaults:
-        defaults.pop(instance.provider_type, None)
-        tenant_cfg.default_models = defaults
-        updated = True
-
-    if tenant_cfg.default_provider == instance.provider_type:
-        tenant_cfg.default_provider = ""
-        updated = True
-
-    if updated:
-        tenant_cfg.save()
--- a/api/src/backend/api/specs/v1.yaml
+++ b/api/src/backend/api/specs/v1.yaml
--- a/api/src/backend/api/tests/integration/test_rls_transaction.py
+++ b/api/src/backend/api/tests/integration/test_rls_transaction.py
@@ -1,39 +0,0 @@
-"""Tests for rls_transaction retry and fallback logic."""
-
-import pytest
-from django.db import DEFAULT_DB_ALIAS
-from rest_framework_json_api.serializers import ValidationError
-
-from api.db_utils import rls_transaction
-
-
-@pytest.mark.django_db
-class TestRLSTransaction:
-    """Simple integration tests for rls_transaction using real DB."""
-
-    @pytest.fixture
-    def tenant(self, tenants_fixture):
-        return tenants_fixture[0]
-
-    def test_success_on_primary(self, tenant):
-        """Basic: transaction succeeds on primary database."""
-        with rls_transaction(str(tenant.id), using=DEFAULT_DB_ALIAS) as cursor:
-            cursor.execute("SELECT 1")
-            result = cursor.fetchone()
-            assert result == (1,)
-
-    def test_invalid_uuid_raises_validation_error(self):
-        """Invalid UUID raises ValidationError before DB operations."""
-        with pytest.raises(ValidationError, match="Must be a valid UUID"):
-            with rls_transaction("not-a-uuid", using=DEFAULT_DB_ALIAS):
-                pass
-
-    def test_custom_parameter_name(self, tenant):
-        """Test custom RLS parameter name."""
-        custom_param = "api.custom_id"
-        with rls_transaction(
-            str(tenant.id), parameter=custom_param, using=DEFAULT_DB_ALIAS
-        ) as cursor:
-            cursor.execute("SELECT current_setting(%s, true)", [custom_param])
-            result = cursor.fetchone()
-            assert result == (str(tenant.id),)
--- a/api/src/backend/api/tests/test_db_utils.py
+++ b/api/src/backend/api/tests/test_db_utils.py
@@ -1,15 +1,12 @@
 from datetime import datetime, timezone
 from enum import Enum
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch

 import pytest
 from django.conf import settings
-from django.db import DEFAULT_DB_ALIAS, OperationalError
 from freezegun import freeze_time
-from rest_framework_json_api.serializers import ValidationError

 from api.db_utils import (
-    POSTGRES_TENANT_VAR,
    _should_create_index_on_partition,
    batch_delete,
    create_objects_in_batches,
@@ -17,22 +14,11 @@ from api.db_utils import (
    generate_api_key_prefix,
    generate_random_token,
    one_week_from_now,
-    rls_transaction,
    update_objects_in_batches,
 )
 from api.models import Provider


-@pytest.fixture
-def enable_read_replica():
-    """
-    Fixture to enable READ_REPLICA_ALIAS for tests that need replica functionality.
-    This avoids polluting the global test configuration.
-    """
-    with patch("api.db_utils.READ_REPLICA_ALIAS", "replica"):
-        yield "replica"
-
-
 class TestEnumToChoices:
    def test_enum_to_choices_simple(self):
        class Color(Enum):
@@ -353,498 +339,3 @@ class TestGenerateApiKeyPrefix:
            prefix = generate_api_key_prefix()
            random_part = prefix[3:]  # Strip 'pk_'
            assert all(char in allowed_chars for char in random_part)
-
-
-@pytest.mark.django_db
-class TestRlsTransaction:
-    def test_rls_transaction_valid_uuid_string(self, tenants_fixture):
-        """Test rls_transaction with valid UUID string."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with rls_transaction(tenant_id) as cursor:
-            assert cursor is not None
-            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
-            result = cursor.fetchone()
-            assert result[0] == tenant_id
-
-    def test_rls_transaction_valid_uuid_object(self, tenants_fixture):
-        """Test rls_transaction with UUID object."""
-        tenant = tenants_fixture[0]
-
-        with rls_transaction(tenant.id) as cursor:
-            assert cursor is not None
-            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
-            result = cursor.fetchone()
-            assert result[0] == str(tenant.id)
-
-    def test_rls_transaction_invalid_uuid_raises_validation_error(self):
-        """Test rls_transaction raises ValidationError for invalid UUID."""
-        invalid_uuid = "not-a-valid-uuid"
-
-        with pytest.raises(ValidationError, match="Must be a valid UUID"):
-            with rls_transaction(invalid_uuid):
-                pass
-
-    def test_rls_transaction_uses_default_database_when_no_alias(self, tenants_fixture):
-        """Test rls_transaction uses DEFAULT_DB_ALIAS when no alias specified."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=None):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic"):
-                    with rls_transaction(tenant_id):
-                        pass
-
-                mock_connections.__getitem__.assert_called_with(DEFAULT_DB_ALIAS)
-
-    def test_rls_transaction_uses_specified_alias(self, tenants_fixture):
-        """Test rls_transaction uses specified database alias via using parameter."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-        custom_alias = "custom_db"
-
-        with patch("api.db_utils.connections") as mock_connections:
-            mock_conn = MagicMock()
-            mock_cursor = MagicMock()
-            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-            mock_connections.__getitem__.return_value = mock_conn
-            mock_connections.__contains__.return_value = True
-
-            with patch("api.db_utils.transaction.atomic"):
-                with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
-                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
-                        mock_set_alias.return_value = "test_token"
-                        with rls_transaction(tenant_id, using=custom_alias):
-                            pass
-
-                        mock_connections.__getitem__.assert_called_with(custom_alias)
-                        mock_set_alias.assert_called_once_with(custom_alias)
-                        mock_reset_alias.assert_called_once_with("test_token")
-
-    def test_rls_transaction_uses_read_replica_from_router(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test rls_transaction uses read replica alias from router."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic"):
-                    with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
-                        with patch(
-                            "api.db_utils.reset_read_db_alias"
-                        ) as mock_reset_alias:
-                            mock_set_alias.return_value = "test_token"
-                            with rls_transaction(tenant_id):
-                                pass
-
-                            mock_connections.__getitem__.assert_called()
-                            mock_set_alias.assert_called_once()
-                            mock_reset_alias.assert_called_once()
-
-    def test_rls_transaction_fallback_to_default_when_alias_not_in_connections(
-        self, tenants_fixture
-    ):
-        """Test rls_transaction falls back to DEFAULT_DB_ALIAS when alias not in connections."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-        invalid_alias = "nonexistent_db"
-
-        with patch("api.db_utils.get_read_db_alias", return_value=invalid_alias):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-
-                def contains_check(alias):
-                    return alias == DEFAULT_DB_ALIAS
-
-                mock_connections.__contains__.side_effect = contains_check
-                mock_connections.__getitem__.return_value = mock_conn
-
-                with patch("api.db_utils.transaction.atomic"):
-                    with rls_transaction(tenant_id):
-                        pass
-
-                    mock_connections.__getitem__.assert_called_with(DEFAULT_DB_ALIAS)
-
-    def test_rls_transaction_successful_execution_on_replica_no_retries(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test successful execution on replica without retries."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic"):
-                    with patch("api.db_utils.set_read_db_alias", return_value="token"):
-                        with patch("api.db_utils.reset_read_db_alias"):
-                            with rls_transaction(tenant_id):
-                                pass
-
-                            assert mock_cursor.execute.call_count == 1
-
-    def test_rls_transaction_retry_with_exponential_backoff_on_operational_error(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test retry with exponential backoff on OperationalError on replica."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                call_count = 0
-
-                def atomic_side_effect(*args, **kwargs):
-                    nonlocal call_count
-                    call_count += 1
-                    if call_count < 3:
-                        raise OperationalError("Connection error")
-                    return MagicMock(
-                        __enter__=MagicMock(return_value=None),
-                        __exit__=MagicMock(return_value=False),
-                    )
-
-                with patch(
-                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
-                ):
-                    with patch("api.db_utils.time.sleep") as mock_sleep:
-                        with patch(
-                            "api.db_utils.set_read_db_alias", return_value="token"
-                        ):
-                            with patch("api.db_utils.reset_read_db_alias"):
-                                with patch("api.db_utils.logger") as mock_logger:
-                                    with rls_transaction(tenant_id):
-                                        pass
-
-                                    assert mock_sleep.call_count == 2
-                                    mock_sleep.assert_any_call(0.5)
-                                    mock_sleep.assert_any_call(1.0)
-                                    assert mock_logger.info.call_count == 2
-
-    def test_rls_transaction_max_three_attempts_for_replica(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test maximum 3 attempts for replica database."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic") as mock_atomic:
-                    mock_atomic.side_effect = OperationalError("Persistent error")
-
-                    with patch("api.db_utils.time.sleep"):
-                        with patch(
-                            "api.db_utils.set_read_db_alias", return_value="token"
-                        ):
-                            with patch("api.db_utils.reset_read_db_alias"):
-                                with pytest.raises(OperationalError):
-                                    with rls_transaction(tenant_id):
-                                        pass
-
-                                assert mock_atomic.call_count == 3
-
-    def test_rls_transaction_only_one_attempt_for_primary(self, tenants_fixture):
-        """Test only 1 attempt for primary database."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=None):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic") as mock_atomic:
-                    mock_atomic.side_effect = OperationalError("Primary error")
-
-                    with pytest.raises(OperationalError):
-                        with rls_transaction(tenant_id):
-                            pass
-
-                    assert mock_atomic.call_count == 1
-
-    def test_rls_transaction_fallback_to_primary_after_max_attempts(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test fallback to primary DB after max attempts on replica."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                call_count = 0
-
-                def atomic_side_effect(*args, **kwargs):
-                    nonlocal call_count
-                    call_count += 1
-                    if call_count < 3:
-                        raise OperationalError("Replica error")
-                    return MagicMock(
-                        __enter__=MagicMock(return_value=None),
-                        __exit__=MagicMock(return_value=False),
-                    )
-
-                with patch(
-                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
-                ):
-                    with patch("api.db_utils.time.sleep"):
-                        with patch(
-                            "api.db_utils.set_read_db_alias", return_value="token"
-                        ):
-                            with patch("api.db_utils.reset_read_db_alias"):
-                                with patch("api.db_utils.logger") as mock_logger:
-                                    with rls_transaction(tenant_id):
-                                        pass
-
-                                    mock_logger.warning.assert_called_once()
-                                    warning_msg = mock_logger.warning.call_args[0][0]
-                                    assert "falling back to primary DB" in warning_msg
-
-    def test_rls_transaction_logger_warning_on_fallback(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test logger warnings are emitted on fallback to primary."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                call_count = 0
-
-                def atomic_side_effect(*args, **kwargs):
-                    nonlocal call_count
-                    call_count += 1
-                    if call_count < 3:
-                        raise OperationalError("Replica error")
-                    return MagicMock(
-                        __enter__=MagicMock(return_value=None),
-                        __exit__=MagicMock(return_value=False),
-                    )
-
-                with patch(
-                    "api.db_utils.transaction.atomic", side_effect=atomic_side_effect
-                ):
-                    with patch("api.db_utils.time.sleep"):
-                        with patch(
-                            "api.db_utils.set_read_db_alias", return_value="token"
-                        ):
-                            with patch("api.db_utils.reset_read_db_alias"):
-                                with patch("api.db_utils.logger") as mock_logger:
-                                    with rls_transaction(tenant_id):
-                                        pass
-
-                                    assert mock_logger.info.call_count == 2
-                                    assert mock_logger.warning.call_count == 1
-
-    def test_rls_transaction_operational_error_raised_immediately_on_primary(
-        self, tenants_fixture
-    ):
-        """Test OperationalError raised immediately on primary without retry."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=None):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic") as mock_atomic:
-                    mock_atomic.side_effect = OperationalError("Primary error")
-
-                    with patch("api.db_utils.time.sleep") as mock_sleep:
-                        with pytest.raises(OperationalError):
-                            with rls_transaction(tenant_id):
-                                pass
-
-                        mock_sleep.assert_not_called()
-
-    def test_rls_transaction_operational_error_raised_after_max_attempts(
-        self, tenants_fixture, enable_read_replica
-    ):
-        """Test OperationalError raised after max attempts on replica."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=enable_read_replica):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic") as mock_atomic:
-                    mock_atomic.side_effect = OperationalError(
-                        "Persistent replica error"
-                    )
-
-                    with patch("api.db_utils.time.sleep"):
-                        with patch(
-                            "api.db_utils.set_read_db_alias", return_value="token"
-                        ):
-                            with patch("api.db_utils.reset_read_db_alias"):
-                                with pytest.raises(OperationalError):
-                                    with rls_transaction(tenant_id):
-                                        pass
-
-    def test_rls_transaction_router_token_set_for_non_default_alias(
-        self, tenants_fixture
-    ):
-        """Test router token is set when using non-default alias."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-        custom_alias = "custom_db"
-
-        with patch("api.db_utils.connections") as mock_connections:
-            mock_conn = MagicMock()
-            mock_cursor = MagicMock()
-            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-            mock_connections.__getitem__.return_value = mock_conn
-            mock_connections.__contains__.return_value = True
-
-            with patch("api.db_utils.transaction.atomic"):
-                with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
-                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
-                        mock_set_alias.return_value = "test_token"
-                        with rls_transaction(tenant_id, using=custom_alias):
-                            pass
-
-                        mock_set_alias.assert_called_once_with(custom_alias)
-                        mock_reset_alias.assert_called_once_with("test_token")
-
-    def test_rls_transaction_router_token_reset_in_finally_block(self, tenants_fixture):
-        """Test router token is reset in finally block even on error."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-        custom_alias = "custom_db"
-
-        with patch("api.db_utils.connections") as mock_connections:
-            mock_conn = MagicMock()
-            mock_cursor = MagicMock()
-            mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-            mock_connections.__getitem__.return_value = mock_conn
-            mock_connections.__contains__.return_value = True
-
-            with patch("api.db_utils.transaction.atomic") as mock_atomic:
-                mock_atomic.side_effect = Exception("Unexpected error")
-
-                with patch("api.db_utils.set_read_db_alias", return_value="test_token"):
-                    with patch("api.db_utils.reset_read_db_alias") as mock_reset_alias:
-                        with pytest.raises(Exception):
-                            with rls_transaction(tenant_id, using=custom_alias):
-                                pass
-
-                        mock_reset_alias.assert_called_once_with("test_token")
-
-    def test_rls_transaction_router_token_not_set_for_default_alias(
-        self, tenants_fixture
-    ):
-        """Test router token is not set when using default alias."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with patch("api.db_utils.get_read_db_alias", return_value=None):
-            with patch("api.db_utils.connections") as mock_connections:
-                mock_conn = MagicMock()
-                mock_cursor = MagicMock()
-                mock_conn.cursor.return_value.__enter__.return_value = mock_cursor
-                mock_connections.__getitem__.return_value = mock_conn
-                mock_connections.__contains__.return_value = True
-
-                with patch("api.db_utils.transaction.atomic"):
-                    with patch("api.db_utils.set_read_db_alias") as mock_set_alias:
-                        with patch(
-                            "api.db_utils.reset_read_db_alias"
-                        ) as mock_reset_alias:
-                            with rls_transaction(tenant_id):
-                                pass
-
-                            mock_set_alias.assert_not_called()
-                            mock_reset_alias.assert_not_called()
-
-    def test_rls_transaction_set_config_query_executed_with_correct_params(
-        self, tenants_fixture
-    ):
-        """Test SET_CONFIG_QUERY executed with correct parameters."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with rls_transaction(tenant_id) as cursor:
-            cursor.execute("SELECT current_setting(%s)", [POSTGRES_TENANT_VAR])
-            result = cursor.fetchone()
-            assert result[0] == tenant_id
-
-    def test_rls_transaction_custom_parameter(self, tenants_fixture):
-        """Test rls_transaction with custom parameter name."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-        custom_param = "api.user_id"
-
-        with rls_transaction(tenant_id, parameter=custom_param) as cursor:
-            cursor.execute("SELECT current_setting(%s)", [custom_param])
-            result = cursor.fetchone()
-            assert result[0] == tenant_id
-
-    def test_rls_transaction_cursor_yielded_correctly(self, tenants_fixture):
-        """Test cursor is yielded correctly."""
-        tenant = tenants_fixture[0]
-        tenant_id = str(tenant.id)
-
-        with rls_transaction(tenant_id) as cursor:
-            assert cursor is not None
-            cursor.execute("SELECT 1")
-            result = cursor.fetchone()
-            assert result[0] == 1
--- a/api/src/backend/api/tests/test_decorators.py
+++ b/api/src/backend/api/tests/test_decorators.py
@@ -2,12 +2,9 @@ import uuid
 from unittest.mock import call, patch

 import pytest
-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError

 from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY
-from api.decorators import handle_provider_deletion, set_tenant
-from api.exceptions import ProviderDeletedException
+from api.decorators import set_tenant


@pytest.mark.django_db
@@ -37,142 +34,3 @@ class TestSetTenantDecorator:

        with pytest.raises(KeyError):
            random_func("test_arg")
-
-
-@pytest.mark.django_db
-class TestHandleProviderDeletionDecorator:
-    def test_success_no_exception(self, tenants_fixture, providers_fixture):
-        """Decorated function runs normally when no exception is raised."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            return "success"
-
-        result = task_func(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-        )
-        assert result == "success"
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_deleted_with_provider_id(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when provider_id provided and provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-        assert deleted_provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_provider_deleted_with_scan_id(
-        self, mock_scan_filter, mock_provider_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when scan exists but provider deleted."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-        provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-
-        mock_scan = type("MockScan", (), {"provider_id": provider_id})()
-        mock_scan_filter.return_value.first.return_value = mock_scan
-        mock_provider_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_scan_deleted_cascade(self, mock_scan_filter, mock_rls, tenants_fixture):
-        """Raises ProviderDeletedException when scan was deleted (CASCADE from provider)."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_scan_filter.return_value.first.return_value = None
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert scan_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_exists_reraises_original(
-        self, mock_filter, mock_rls, tenants_fixture, providers_fixture
-    ):
-        """Re-raises original exception when provider still exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = True
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Actual object missing")
-
-        with pytest.raises(ObjectDoesNotExist):
-            task_func(tenant_id=str(tenant.id), provider_id=str(provider.id))
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_integrity_error_provider_deleted(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException on IntegrityError when provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise IntegrityError("FK constraint violation")
-
-        with pytest.raises(ProviderDeletedException):
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-    def test_missing_provider_and_scan_raises_assertion(self, tenants_fixture):
-        """Raises AssertionError when neither provider_id nor scan_id in kwargs."""
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(AssertionError) as exc_info:
-            task_func(tenant_id=str(tenants_fixture[0].id))
-
-        assert "provider or scan" in str(exc_info.value)
--- a/api/src/backend/api/tests/test_models.py
+++ b/api/src/backend/api/tests/test_models.py
@@ -1,21 +1,9 @@
-from datetime import datetime, timezone
-
 import pytest
 from allauth.socialaccount.models import SocialApp
 from django.core.exceptions import ValidationError
-from django.db import IntegrityError

 from api.db_router import MainRouter
-from api.models import (
-    ProviderComplianceScore,
-    Resource,
-    ResourceTag,
-    SAMLConfiguration,
-    SAMLDomainIndex,
-    StateChoices,
-    StatusChoices,
-    TenantComplianceSummary,
-)
+from api.models import Resource, ResourceTag, SAMLConfiguration, SAMLDomainIndex


@pytest.mark.django_db
@@ -336,159 +324,3 @@ class TestSAMLConfigurationModel:
        errors = exc_info.value.message_dict
        assert "metadata_xml" in errors
        assert "There is a problem with your metadata." in errors["metadata_xml"][0]
-
-
-@pytest.mark.django_db
-class TestProviderComplianceScoreModel:
-    def test_create_provider_compliance_score(self, providers_fixture, scans_fixture):
-        provider = providers_fixture[0]
-        scan = scans_fixture[0]
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        score = ProviderComplianceScore.objects.create(
-            tenant_id=provider.tenant_id,
-            provider=provider,
-            scan=scan,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan.completed_at,
-        )
-
-        assert score.compliance_id == "aws_cis_2.0"
-        assert score.requirement_id == "req_1"
-        assert score.requirement_status == StatusChoices.PASS
-
-    def test_unique_constraint_per_provider_compliance_requirement(
-        self, providers_fixture, scans_fixture
-    ):
-        provider = providers_fixture[0]
-        scan = scans_fixture[0]
-        scan.completed_at = datetime.now(timezone.utc)
-        scan.save()
-
-        ProviderComplianceScore.objects.create(
-            tenant_id=provider.tenant_id,
-            provider=provider,
-            scan=scan,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan.completed_at,
-        )
-
-        with pytest.raises(IntegrityError):
-            ProviderComplianceScore.objects.create(
-                tenant_id=provider.tenant_id,
-                provider=provider,
-                scan=scan,
-                compliance_id="aws_cis_2.0",
-                requirement_id="req_1",
-                requirement_status=StatusChoices.FAIL,
-                scan_completed_at=scan.completed_at,
-            )
-
-    def test_different_providers_same_requirement_allowed(
-        self, providers_fixture, scans_fixture
-    ):
-        provider1, provider2, *_ = providers_fixture
-        scan1 = scans_fixture[0]
-        scan1.completed_at = datetime.now(timezone.utc)
-        scan1.save()
-
-        scan2 = scans_fixture[2]
-        scan2.state = StateChoices.COMPLETED
-        scan2.completed_at = datetime.now(timezone.utc)
-        scan2.save()
-
-        score1 = ProviderComplianceScore.objects.create(
-            tenant_id=provider1.tenant_id,
-            provider=provider1,
-            scan=scan1,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.PASS,
-            scan_completed_at=scan1.completed_at,
-        )
-
-        score2 = ProviderComplianceScore.objects.create(
-            tenant_id=provider2.tenant_id,
-            provider=provider2,
-            scan=scan2,
-            compliance_id="aws_cis_2.0",
-            requirement_id="req_1",
-            requirement_status=StatusChoices.FAIL,
-            scan_completed_at=scan2.completed_at,
-        )
-
-        assert score1.id != score2.id
-        assert score1.requirement_status != score2.requirement_status
-
-
-@pytest.mark.django_db
-class TestTenantComplianceSummaryModel:
-    def test_create_tenant_compliance_summary(self, tenants_fixture):
-        tenant = tenants_fixture[0]
-
-        summary = TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        assert summary.compliance_id == "aws_cis_2.0"
-        assert summary.requirements_passed == 5
-        assert summary.requirements_failed == 2
-        assert summary.requirements_manual == 1
-        assert summary.total_requirements == 8
-        assert summary.updated_at is not None
-
-    def test_unique_constraint_per_tenant_compliance(self, tenants_fixture):
-        tenant = tenants_fixture[0]
-
-        TenantComplianceSummary.objects.create(
-            tenant_id=tenant.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        with pytest.raises(IntegrityError):
-            TenantComplianceSummary.objects.create(
-                tenant_id=tenant.id,
-                compliance_id="aws_cis_2.0",
-                requirements_passed=3,
-                requirements_failed=4,
-                requirements_manual=1,
-                total_requirements=8,
-            )
-
-    def test_different_tenants_same_compliance_allowed(self, tenants_fixture):
-        tenant1, tenant2, *_ = tenants_fixture
-
-        summary1 = TenantComplianceSummary.objects.create(
-            tenant_id=tenant1.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=5,
-            requirements_failed=2,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        summary2 = TenantComplianceSummary.objects.create(
-            tenant_id=tenant2.id,
-            compliance_id="aws_cis_2.0",
-            requirements_passed=3,
-            requirements_failed=4,
-            requirements_manual=1,
-            total_requirements=8,
-        )
-
-        assert summary1.id != summary2.id
-        assert summary1.requirements_passed != summary2.requirements_passed
--- a/Show More
+++ b/Show More