chore(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.5 to 47.0.6. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/22103cc46bda19c2b464ffe86db46df6922fd323...9426d40962ed5378910ee2e21d5f8c6fcbf2dd96) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 47.0.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-19 10:43:03 +00:00 · 2026-05-14 12:38:28 +00:00
171 changed files with 1756 additions and 8092 deletions
@@ -0,0 +1,291 @@
+name: 'API: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get current API version
+        id: get_api_version
+        run: |
+          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
+          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "Current API version: $CURRENT_API_VERSION"
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 -> API 1.18.0
+          # For next master (Prowler 5.18.0) -> API 1.19.0
+          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "Current API version: $CURRENT_API_VERSION"
+          echo "Next API minor version (for master): $NEXT_API_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # API version follows Prowler minor + 1
+          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
+          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
+
+          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
+          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next API patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+          CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}"
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          # Extract current API patch to increment it
+          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            API_PATCH=${BASH_REMATCH[3]}
+
+            # API version follows Prowler minor + 1
+            # Keep same API minor (based on Prowler minor), increment patch
+            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
+
+            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
+            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
+            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
+            echo "Current API version: $CURRENT_API_VERSION"
+            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
+            echo "Target branch: $VERSION_BRANCH"
+          else
+            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
+            exit 1
+          fi
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }}
+
+      - name: Bump API versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
+          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
+          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next API patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
+          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -53,7 +53,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/Dockerfile

@@ -103,7 +103,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: api/**
          files_ignore: |
@@ -59,7 +59,6 @@ jobs:
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
-            raw.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            api.osv.dev:443
            api.deps.dev:443
@@ -73,7 +72,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -102,7 +102,7 @@ jobs:

      - name: Check for API changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -1,376 +0,0 @@
-name: 'Release: Bump Versions'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: release-bump-versions-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
-
-permissions: {}
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-master:
-    name: Bump versions on master (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout master
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: master
-          persist-credentials: false
-
-      - name: Compute next versions for master
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-
-          # SDK / UI / docs mirror the Prowler version directly.
-          NEXT_SDK_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-
-          # API is an independent stream: 1.<prowler_minor + 1>.X
-          # After Prowler 5.M.0 release, master moves on to next API minor: 1.(M+2).0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          # Read current versions to drive sed replacements.
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
-
-          echo "NEXT_SDK_VERSION=${NEXT_SDK_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version: $PROWLER_VERSION"
-          echo "Next SDK/UI version (master): $NEXT_SDK_VERSION"
-          echo "Next API version (master):   $NEXT_API_VERSION  (current: $CURRENT_API_VERSION)"
-          echo "Docs target version:         $PROWLER_VERSION   (current: $CURRENT_DOCS_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Decide whether to bump docs on master
-        id: docs_decision
-        run: |
-          # Skip docs bump if master is already at or ahead of the release version
-          # (re-run, or patch shipped against an older minor line).
-          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
-          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            echo "Skipping docs bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
-          else
-            echo "skip=false" >> "${GITHUB_OUTPUT}"
-          fi
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_SDK_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_SDK_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_SDK_VERSION}|" .env
-
-      - name: Bump docs versions (prowler-app.mdx)
-        if: steps.docs_decision.outputs.skip == 'false'
-        run: |
-          set -e
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next versions to master
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_SDK_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_SDK_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on master after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_SDK_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_SDK_VERSION }} |
-            | Docs | `docs/getting-started/installation/prowler-app.mdx` (`PROWLER_UI_VERSION`, `PROWLER_API_VERSION`) | v${{ env.PROWLER_VERSION }} (skipped if already at or ahead) |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-minor-version-branch:
-    name: Bump versions on version branch (minor release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Compute first patch versions for version branch
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI first patch mirrors Prowler version directly.
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-
-          # API on this branch stays on the 1.<MINOR+1>.X stream, starting at .1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "First SDK/UI patch:           $FIRST_PATCH_VERSION"
-          echo "First API patch:              $FIRST_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for first patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.FIRST_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.FIRST_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.FIRST_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version-branch:
-    name: Bump versions on version branch (patch release)
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Compute next patch versions
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # SDK / UI patch mirrors Prowler version directly.
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-
-          # API on this branch stays on 1.<MINOR+1>.X; bump its patch component.
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Released Prowler version:     $PROWLER_VERSION"
-          echo "Version branch:               $VERSION_BRANCH"
-          echo "Next SDK/UI patch:            $NEXT_PATCH_VERSION"
-          echo "Next API patch:               $NEXT_API_PATCH_VERSION  (current: $CURRENT_API_VERSION)"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-
-      - name: Bump SDK version (pyproject.toml, config.py)
-        run: |
-          set -e
-          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
-          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
-
-      - name: Bump API version (api/pyproject.toml, specs/v1.yaml)
-        run: |
-          set -e
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-      - name: Bump UI version (.env)
-        run: |
-          set -e
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-      - name: Show consolidated diff
-        run: git --no-pager diff
-
-      - name: Create PR for next patch versions to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: release-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump versions to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler versions on `${{ env.VERSION_BRANCH }}` after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            | Area | File(s) | New version |
-            | --- | --- | --- |
-            | SDK | `pyproject.toml`, `prowler/config/config.py` | v${{ env.NEXT_PATCH_VERSION }} |
-            | API | `api/pyproject.toml`, `api/src/backend/api/specs/v1.yaml` | v${{ env.NEXT_API_PATCH_VERSION }} |
-            | UI | `.env` (`NEXT_PUBLIC_PROWLER_RELEASE_VERSION`) | v${{ env.NEXT_PATCH_VERSION }} |
-            | Docs | (not touched on version branches) | — |
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -0,0 +1,97 @@
+name: 'Docs: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
+
+permissions: {}
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Validate release version
+        run: |
+          if [[ ! $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+          if (( ${BASH_REMATCH[1]} != 5 )); then
+            echo "::error::Releasing another Prowler major version, aborting..."
+            exit 1
+          fi
+
+      - name: Checkout master branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ env.BASE_BRANCH }}
+          persist-credentials: false
+
+      - name: Read current docs version on master
+        id: docs_version
+        run: |
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
+          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
+          echo "Current docs version on master: $CURRENT_DOCS_VERSION"
+          echo "Target release version: $PROWLER_VERSION"
+
+          # Skip if master is already at or ahead of the release version
+          # (re-run, or patch shipped against an older minor line)
+          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
+          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            echo "Skipping bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Bump versions in documentation
+        if: steps.docs_version.outputs.skip == 'false'
+        run: |
+          set -e
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for documentation update to master
+        if: steps.docs_version.outputs.skip == 'false'
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.BASE_BRANCH }}
+          commit-message: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-bump-to-v${{ env.PROWLER_VERSION }}
+          title: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/Dockerfile

@@ -79,7 +79,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            files.pythonhosted.org:443
@@ -99,7 +98,7 @@ jobs:

      - name: Check for MCP changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: mcp_server/**
          files_ignore: |
@@ -88,8 +88,7 @@ jobs:

      # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release
      # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in
-      # sync with mcp_server/CHANGELOG.md (separate from the release bump-version.yml), but this
-      # publish workflow still runs on every release.
+      # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release.
      # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any
      # workflow_dispatch re-runs) without failing with HTTP 400 (version exists).
      - name: Check if prowler-mcp version already exists on PyPI
@@ -52,7 +52,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            api/**
@@ -56,7 +56,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            prowler/providers/**/services/**/*.metadata.json
@@ -47,7 +47,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: '**'

@@ -53,7 +53,7 @@ jobs:

    - name: Parse version and determine branch
      run: |
-        # Validate version format (reusing pattern from bump-version.yml)
+        # Validate version format (reusing pattern from sdk-bump-version.yml)
        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
          MAJOR_VERSION=${BASH_REMATCH[1]}
          MINOR_VERSION=${BASH_REMATCH[2]}
@@ -299,6 +299,17 @@ jobs:
        fi
        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"

+    - name: Verify API version in api/src/backend/api/v1/views.py
+      if: ${{ env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
+
    - name: Verify API version in api/src/backend/api/specs/v1.yaml
      if: ${{ env.HAS_API_CHANGES == 'true' }}
      run: |
@@ -0,0 +1,247 @@
+name: 'SDK: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for master
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_MINOR_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump versions in files for version branch
+        run: |
+          set -e
+
+          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
+          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler version to v${{ env.NEXT_PATCH_VERSION }} after releasing v${{ env.PROWLER_VERSION }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -48,7 +48,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -55,7 +55,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: Dockerfile

@@ -108,7 +108,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -69,7 +69,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files:
            ./**
@@ -69,7 +69,7 @@ jobs:

      - name: Check for SDK changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ./**
          files_ignore: |
@@ -102,7 +102,7 @@ jobs:
      - name: Check if AWS files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-aws
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/aws/**
@@ -232,7 +232,7 @@ jobs:
      - name: Check if Azure files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-azure
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/azure/**
@@ -256,7 +256,7 @@ jobs:
      - name: Check if GCP files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-gcp
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/gcp/**
@@ -280,7 +280,7 @@ jobs:
      - name: Check if Kubernetes files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-kubernetes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/kubernetes/**
@@ -304,7 +304,7 @@ jobs:
      - name: Check if GitHub files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-github
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/github/**
@@ -328,7 +328,7 @@ jobs:
      - name: Check if Okta files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-okta
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/okta/**
@@ -352,7 +352,7 @@ jobs:
      - name: Check if NHN files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-nhn
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/nhn/**
@@ -376,7 +376,7 @@ jobs:
      - name: Check if M365 files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-m365
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/m365/**
@@ -400,7 +400,7 @@ jobs:
      - name: Check if IaC files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-iac
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/iac/**
@@ -424,7 +424,7 @@ jobs:
      - name: Check if MongoDB Atlas files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-mongodbatlas
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/mongodbatlas/**
@@ -448,7 +448,7 @@ jobs:
      - name: Check if OCI files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-oraclecloud
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/oraclecloud/**
@@ -472,7 +472,7 @@ jobs:
      - name: Check if OpenStack files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-openstack
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/openstack/**
@@ -496,7 +496,7 @@ jobs:
      - name: Check if Google Workspace files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-googleworkspace
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/googleworkspace/**
@@ -520,7 +520,7 @@ jobs:
      - name: Check if Vercel files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-vercel
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/**/vercel/**
@@ -544,7 +544,7 @@ jobs:
      - name: Check if Lib files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-lib
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/lib/**
@@ -568,7 +568,7 @@ jobs:
      - name: Check if Config files changed
        if: steps.check-changes.outputs.any_changed == 'true'
        id: changed-config
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ./prowler/config/**
@@ -68,7 +68,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6

      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -0,0 +1,253 @@
+name: 'UI: Bump Version'
+
+on:
+  release:
+    types:
+      - 'published'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+env:
+  PROWLER_VERSION: ${{ github.event.release.tag_name }}
+  BASE_BRANCH: master
+
+permissions: {}
+
+jobs:
+  detect-release-type:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      is_minor: ${{ steps.detect.outputs.is_minor }}
+      is_patch: ${{ steps.detect.outputs.is_patch }}
+      major_version: ${{ steps.detect.outputs.major_version }}
+      minor_version: ${{ steps.detect.outputs.minor_version }}
+      patch_version: ${{ steps.detect.outputs.patch_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Detect release type and parse version
+        id: detect
+        run: |
+          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            MAJOR_VERSION=${BASH_REMATCH[1]}
+            MINOR_VERSION=${BASH_REMATCH[2]}
+            PATCH_VERSION=${BASH_REMATCH[3]}
+
+            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
+            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
+
+            if (( MAJOR_VERSION != 5 )); then
+              echo "::error::Releasing another Prowler major version, aborting..."
+              exit 1
+            fi
+
+            if (( PATCH_VERSION == 0 )); then
+              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
+              echo "✓ Minor release detected: $PROWLER_VERSION"
+            else
+              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
+              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
+              echo "✓ Patch release detected: $PROWLER_VERSION"
+            fi
+          else
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+
+  bump-minor-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_minor == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next minor version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next minor version: $NEXT_MINOR_VERSION"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for master
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next minor version to master
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: master
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+      - name: Checkout version branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
+          persist-credentials: false
+
+      - name: Calculate first patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+
+          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "First patch version: $FIRST_PATCH_VERSION"
+          echo "Version branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for first patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+
+  bump-patch-version:
+    needs: detect-release-type
+    if: needs.detect-release-type.outputs.is_patch == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Calculate next patch version
+        run: |
+          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
+          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
+          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
+
+          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
+          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
+
+          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
+          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
+
+          echo "Current version: $PROWLER_VERSION"
+          echo "Next patch version: $NEXT_PATCH_VERSION"
+          echo "Target branch: $VERSION_BRANCH"
+        env:
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
+          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
+
+      - name: Bump UI version in .env for version branch
+        run: |
+          set -e
+
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+
+          echo "Files modified:"
+          git --no-pager diff
+
+      - name: Create PR for next patch version to version branch
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          base: ${{ env.VERSION_BRANCH }}
+          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          labels: no-changelog,skip-sync
+          body: |
+            ### Description
+
+            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
+
+            ### Files Updated
+            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -50,7 +50,7 @@ jobs:

      - name: Check if Dockerfile changed
        id: dockerfile-changed
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/Dockerfile

@@ -80,7 +80,6 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
-            production.cloudfront.docker.com:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
            fonts.googleapis.com:443
@@ -100,7 +99,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/**
          files_ignore: |
@@ -59,7 +59,7 @@ jobs:

      - name: Check for UI dependency changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/package.json
@@ -54,7 +54,7 @@ jobs:

      - name: Check for UI changes
        id: check-changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**
@@ -67,7 +67,7 @@ jobs:
      - name: Get changed source files for targeted tests
        id: changed-source
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/**/*.ts
@@ -83,7 +83,7 @@ jobs:
      - name: Check for critical path changes (run all tests)
        id: critical-changes
        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            ui/lib/**
@@ -1,19 +1,22 @@
 rules:
  secrets-outside-env:
    ignore:
+      - api-bump-version.yml
      - api-container-build-push.yml
      - api-tests.yml
      - backport.yml
-      - bump-version.yml
+      - docs-bump-version.yml
      - issue-triage.lock.yml
      - mcp-container-build-push.yml
      - nightly-arm64-container-builds.yml
      - pr-merged.yml
      - prepare-release.yml
+      - sdk-bump-version.yml
      - sdk-container-build-push.yml
      - sdk-refresh-aws-services-regions.yml
      - sdk-refresh-oci-regions.yml
      - sdk-tests.yml
+      - ui-bump-version.yml
      - ui-container-build-push.yml
      - ui-e2e-tests-v2.yml
  superfluous-actions:
@@ -104,24 +104,23 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 600 | 84 | 44 | 18 | Official | UI, API, CLI |
+| AWS | 595 | 84 | 43 | 17 | Official | UI, API, CLI |
 | Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
 | GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
 | Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
 | GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
-| M365 | 102 | 10 | 4 | 10 | Official | UI, API, CLI |
+| M365 | 101 | 10 | 4 | 10 | Official | UI, API, CLI |
 | OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 9 | 4 | 9 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 4 | 9 | Official | UI, API, CLI |
 | Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 39 | 5 | 2 | 5 | Official | UI, API, CLI |
+| Google Workspace | 25 | 4 | 2 | 4 | Official | UI, API, CLI |
 | OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
-| Vercel | 26 | 6 | 0 | 8 | Official | UI, API, CLI |
+| Vercel | 26 | 6 | 0 | 5 | Official | UI, API, CLI |
 | Okta | 1 | 1 | 0 | 1 | Official | CLI |
-| Scaleway [Contact us](https://prowler.com/contact) | 1 | 1 | 0 | 1 | Unofficial | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

 > [!Note]
@@ -2,24 +2,24 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.28.0] (Prowler v5.27.0)
+## [1.28.0] (Prowler UNRELEASED)

 ### 🚀 Added

 - GIN index on `findings(categories, resource_services, resource_regions, resource_types)` to speed up `/api/v1/finding-groups` array filters [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- `GET /health/live` and `GET /health/ready` Kubernetes-style probe endpoints following the IETF Health Check Response Format (`application/health+json`). Readiness verifies PostgreSQL, Valkey and Neo4j connectivity and returns 503 with per-dependency detail when any is unreachable [(#11200)](https://github.com/prowler-cloud/prowler/pull/11200)

 ### 🔄 Changed

- Replace `poetry` with `uv` as package manager [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
+- Replace `poetry` with `uv` (`0.11.14`) as the API package manager; migrate `pyproject.toml` to `[dependency-groups]` and regenerate as `uv.lock` [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
 - Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
- PDF compliance reports cap detail tables at 100 failed findings per check (configurable via `DJANGO_PDF_MAX_FINDINGS_PER_CHECK`) to bound worker memory on large scans [(#11160)](https://github.com/prowler-cloud/prowler/pull/11160)
+
+---
+
+## [1.27.2] (Prowler UNRELEASED)

 ### 🐞 Fixed

- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
- Attack Paths: `BEDROCK-001` and `BEDROCK-002` now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)
-
+- Attack Paths: BEDROCK-001 and BEDROCK-002 now target roles trusting `bedrock-agentcore.amazonaws.com` instead of `bedrock.amazonaws.com`, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) [(#11141)](https://github.com/prowler-cloud/prowler/pull/11141)

 ---

@@ -42,14 +42,14 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "defusedxml==0.7.1",
  "gunicorn==23.0.0",
-  "lxml==6.1.0",
+  "lxml==5.3.2",
  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (==1.3.0)",
  "sentry-sdk[django] (==2.56.0)",
  "uuid6==2024.7.10",
  "openai (==1.109.1)",
-  "xmlsec==1.3.17",
+  "xmlsec==1.3.14",
  "h2 (==4.3.0)",
  "markdown (==3.10.2)",
  "drf-simple-apikey (==2.2.1)",
@@ -285,7 +285,7 @@ constraint-dependencies = [
  "knack==0.11.0",
  "kombu==5.6.2",
  "kubernetes==32.0.1",
-  "lxml==6.1.0",
+  "lxml==5.3.2",
  "lz4==4.4.5",
  "markdown==3.10.2",
  "markdown-it-py==4.0.0",
@@ -294,13 +294,13 @@ constraint-dependencies = [
  "matplotlib==3.10.8",
  "mccabe==0.7.0",
  "mdurl==0.1.2",
-  "microsoft-kiota-abstractions==1.9.9",
-  "microsoft-kiota-authentication-azure==1.9.9",
-  "microsoft-kiota-http==1.9.9",
-  "microsoft-kiota-serialization-form==1.9.9",
-  "microsoft-kiota-serialization-json==1.9.9",
-  "microsoft-kiota-serialization-multipart==1.9.9",
-  "microsoft-kiota-serialization-text==1.9.9",
+  "microsoft-kiota-abstractions==1.9.2",
+  "microsoft-kiota-authentication-azure==1.9.2",
+  "microsoft-kiota-http==1.9.2",
+  "microsoft-kiota-serialization-form==1.9.2",
+  "microsoft-kiota-serialization-json==1.9.2",
+  "microsoft-kiota-serialization-multipart==1.9.2",
+  "microsoft-kiota-serialization-text==1.9.2",
  "microsoft-security-utilities-secret-masker==1.0.0b4",
  "msal==1.35.0b1",
  "msal-extensions==1.2.0",
@@ -418,7 +418,7 @@ constraint-dependencies = [
  "tzdata==2025.3",
  "tzlocal==5.3.1",
  "uritemplate==4.2.0",
-  "urllib3==2.7.0",
+  "urllib3==2.6.3",
  "uuid6==2024.7.10",
  "vine==5.1.0",
  "vulture==2.14",
@@ -428,7 +428,7 @@ constraint-dependencies = [
  "workos==6.0.4",
  "wrapt==1.17.3",
  "xlsxwriter==3.2.9",
-  "xmlsec==1.3.17",
+  "xmlsec==1.3.14",
  "xmltodict==1.0.2",
  "yarl==1.22.0",
  "zipp==3.23.0",
@@ -438,12 +438,6 @@ constraint-dependencies = [
 ]
 # prowler@master needs okta==3.4.2; cartography 0.135.0 declares okta<1.0.0 for an
 # integration prowler does not import.
-#
-# prowler@master hard-pins microsoft-kiota-abstractions==1.9.2 in [project.dependencies].
-# The microsoft-kiota-http security bump to 1.9.9 (GHSA-7j59-v9qr-6fq9) requires
-# microsoft-kiota-abstractions>=1.9.9, which a constraint cannot satisfy against the
-# SDK's hard pin; override it to the patched, kiota-aligned version.
 override-dependencies = [
-  "okta==3.4.2",
-  "microsoft-kiota-abstractions==1.9.9"
+  "okta==3.4.2"
 ]
@@ -1,254 +0,0 @@
-"""Liveness and readiness endpoints following the IETF Health Check Response
-Format (draft-inadarei-api-health-check-06).
-
-Liveness reports only process status. Readiness verifies that PostgreSQL,
-Valkey and Neo4j are reachable and returns per-dependency detail when any
-of them is unreachable.
-"""
-
-from __future__ import annotations
-
-import logging
-import threading
-import time
-from contextlib import suppress
-from datetime import datetime, timezone
-from typing import Any
-
-import redis
-from config.version import API_VERSION, RELEASE_ID
-from django.conf import settings
-from django.db import connections
-from drf_spectacular.utils import extend_schema
-from rest_framework import status
-from rest_framework.renderers import JSONRenderer
-from rest_framework.response import Response
-from rest_framework.throttling import ScopedRateThrottle
-from rest_framework.views import APIView
-
-logger = logging.getLogger(__name__)
-
-SERVICE_ID = "prowler-api"
-SERVICE_DESCRIPTION = "Prowler API"
-
-# Status vocabulary from the IETF draft (section 3.1).
-STATUS_PASS = "pass"
-STATUS_FAIL = "fail"
-STATUS_WARN = "warn"
-
-# Short socket timeout so a stuck Valkey cannot stall the probe.
-# Neo4j inherits its driver-level ``connection_acquisition_timeout``.
-VALKEY_PROBE_TIMEOUT_SECONDS = 2
-
-# Brief cache window so high-frequency probes (ALB target groups, scrapers)
-# do not stampede the actual dependency checks.
-CACHE_CONTROL_HEADER = "max-age=3, must-revalidate"
-
-# In-process readiness cache. Caps real dependency hits to roughly
-# (gunicorn workers / TTL) per second regardless of incoming RPS or the
-# source-IP distribution. Kept in sync with the Cache-Control max-age.
-# Access is guarded by a lock so concurrent readers do not race on the
-# read-decide-write cycle of the double-checked locking pattern below.
-READINESS_CACHE_TTL_SECONDS = 3.0
-_readiness_cache: tuple[float, dict[str, Any], int] | None = None
-_readiness_cache_lock = threading.Lock()
-
-
-class HealthJSONRenderer(JSONRenderer):
-    """Emits responses with the ``application/health+json`` content type."""
-
-    media_type = "application/health+json"
-    format = "health"
-
-
-def _now_iso() -> str:
-    return (
-        datetime.now(timezone.utc)
-        .isoformat(timespec="milliseconds")
-        .replace("+00:00", "Z")
-    )
-
-
-def _measure(name: str, check_fn) -> tuple[dict[str, Any], float]:
-    """Time ``check_fn`` and return ``(result, elapsed_ms)``.
-
-    ``check_fn`` returns ``None`` on success or raises on failure. The full
-    exception is logged for operator diagnostics under ``name``; the
-    response payload intentionally omits the error detail to avoid leaking
-    infrastructure information (DNS names, ports, credentials, certificate
-    chains) to anonymous clients.
-    """
-    started = time.perf_counter()
-    try:
-        check_fn()
-    except Exception:
-        elapsed_ms = (time.perf_counter() - started) * 1000
-        logger.warning("Health probe '%s' failed", name, exc_info=True)
-        return ({"status": STATUS_FAIL}, elapsed_ms)
-    elapsed_ms = (time.perf_counter() - started) * 1000
-    return ({"status": STATUS_PASS}, elapsed_ms)
-
-
-def _probe_postgres() -> None:
-    with connections["default"].cursor() as cursor:
-        cursor.execute("SELECT 1")
-        cursor.fetchone()
-
-
-def _probe_valkey() -> None:
-    client = redis.Redis.from_url(
-        settings.CELERY_BROKER_URL,
-        socket_connect_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-        socket_timeout=VALKEY_PROBE_TIMEOUT_SECONDS,
-    )
-    try:
-        if not client.ping():
-            raise RuntimeError("PING did not return PONG")
-    finally:
-        # Best-effort cleanup: a failure releasing the socket (e.g. broken
-        # connection, half-closed by the server) must not mask the probe
-        # result. Narrowed to the exception types redis-py and the stdlib
-        # socket layer can raise on close.
-        with suppress(redis.RedisError, OSError):
-            client.close()
-
-
-def _probe_neo4j() -> None:
-    # Lazy import: avoids pulling attack_paths into the boot import graph.
-    from api.attack_paths.database import get_driver
-
-    get_driver().verify_connectivity()
-
-
-def _build_check_entry(
-    component_id: str,
-    component_type: str,
-    result: dict[str, Any],
-    elapsed_ms: float,
-) -> dict[str, Any]:
-    entry: dict[str, Any] = {
-        "componentId": component_id,
-        "componentType": component_type,
-        "observedValue": round(elapsed_ms, 2),
-        "observedUnit": "ms",
-        "status": result["status"],
-        "time": _now_iso(),
-    }
-    if "output" in result:
-        entry["output"] = result["output"]
-    return entry
-
-
-def _aggregate_status(check_entries: list[dict[str, Any]]) -> str:
-    statuses = {entry["status"] for entry in check_entries}
-    if STATUS_FAIL in statuses:
-        return STATUS_FAIL
-    if STATUS_WARN in statuses:
-        return STATUS_WARN
-    return STATUS_PASS
-
-
-def _base_payload(overall_status: str) -> dict[str, Any]:
-    return {
-        "status": overall_status,
-        "version": API_VERSION,
-        "releaseId": RELEASE_ID,
-        "serviceId": SERVICE_ID,
-        "description": SERVICE_DESCRIPTION,
-    }
-
-
-def _readiness_payload() -> tuple[dict[str, Any], int]:
-    global _readiness_cache
-
-    # Lock-free fast path: a stale snapshot still satisfies the freshness
-    # check correctly because we re-check after acquiring the lock below.
-    snapshot = _readiness_cache
-    if (
-        snapshot is not None
-        and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-    ):
-        return snapshot[1], snapshot[2]
-
-    with _readiness_cache_lock:
-        # Double-checked locking: another thread may have refreshed while
-        # we were waiting on the lock.
-        snapshot = _readiness_cache
-        if (
-            snapshot is not None
-            and time.monotonic() - snapshot[0] < READINESS_CACHE_TTL_SECONDS
-        ):
-            return snapshot[1], snapshot[2]
-
-        postgres_result, postgres_ms = _measure("postgres", _probe_postgres)
-        valkey_result, valkey_ms = _measure("valkey", _probe_valkey)
-        neo4j_result, neo4j_ms = _measure("neo4j", _probe_neo4j)
-
-        entries = [
-            _build_check_entry("postgres", "datastore", postgres_result, postgres_ms),
-            _build_check_entry("valkey", "datastore", valkey_result, valkey_ms),
-            _build_check_entry("neo4j", "datastore", neo4j_result, neo4j_ms),
-        ]
-        overall = _aggregate_status(entries)
-
-        payload = _base_payload(overall)
-        payload["checks"] = {
-            "postgres:responseTime": [entries[0]],
-            "valkey:responseTime": [entries[1]],
-            "neo4j:responseTime": [entries[2]],
-        }
-
-        http_status = (
-            status.HTTP_503_SERVICE_UNAVAILABLE
-            if overall == STATUS_FAIL
-            else status.HTTP_200_OK
-        )
-        _readiness_cache = (time.monotonic(), payload, http_status)
-        return payload, http_status
-
-
-def _health_response(payload: dict[str, Any], http_status: int) -> Response:
-    response = Response(payload, status=http_status)
-    response["Cache-Control"] = CACHE_CONTROL_HEADER
-    return response
-
-
-@extend_schema(exclude=True)
-class LivenessView(APIView):
-    """Liveness probe. Always 200 when the process can serve requests.
-
-    Dependencies are intentionally not consulted: a failing liveness probe
-    triggers a container restart, which must not happen for transient
-    dependency outages. Throttled per-IP so the endpoint cannot be used as
-    a cheap availability oracle for the process.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-live"
-
-    def get(self, _request, *_args, **_kwargs):
-        return _health_response(_base_payload(STATUS_PASS), status.HTTP_200_OK)
-
-
-@extend_schema(exclude=True)
-class ReadinessView(APIView):
-    """Readiness probe.
-
-    Returns 200 when PostgreSQL, Valkey and Neo4j all respond, or 503 with
-    per-dependency detail when any of them is unreachable. Per-IP throttle
-    plus the short in-process result cache cap the real dependency hits
-    regardless of inbound traffic shape.
-    """
-
-    authentication_classes: list = []
-    permission_classes: list = []
-    renderer_classes = [HealthJSONRenderer]
-    throttle_classes = [ScopedRateThrottle]
-    throttle_scope = "health-ready"
-
-    def get(self, _request, *_args, **_kwargs):
-        payload, http_status = _readiness_payload()
-        return _health_response(payload, http_status)
@@ -1,445 +0,0 @@
-"""Tests for the health endpoints.
-
-Cover the IETF response envelope, status code mapping (200 / 503), the
-``application/health+json`` media type and per-probe failure modes.
-"""
-
-from unittest.mock import patch
-
-import pytest
-from config import version as config_version
-from django.core.cache import cache
-from django.urls import reverse
-from rest_framework import status
-from rest_framework.test import APIClient
-
-from api import health
-
-
-HEALTH_MEDIA_TYPE = "application/health+json"
-
-
-@pytest.fixture(autouse=True)
-def _reset_health_state():
-    """Per-test isolation: clear throttle counters and the readiness cache.
-
-    DRF's ScopedRateThrottle persists state in Django's cache; without
-    clearing it the throttle budget would be shared across tests and trip
-    midway through the suite.
-    """
-    cache.clear()
-    health._readiness_cache = None
-    yield
-    cache.clear()
-    health._readiness_cache = None
-
-
-@pytest.fixture
-def api_client():
-    return APIClient()
-
-
-def _assert_health_envelope(body):
-    """Every health response must carry the RFC top-level descriptors."""
-    assert body["version"] == config_version.API_VERSION
-    assert body["releaseId"] == config_version.RELEASE_ID
-    assert body["serviceId"] == health.SERVICE_ID
-    assert body["description"] == health.SERVICE_DESCRIPTION
-
-
-class TestLivenessEndpoint:
-    def test_returns_200_with_pass_status(self, api_client):
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-        body = response.json()
-        assert body["status"] == "pass"
-        _assert_health_envelope(body)
-
-    def test_does_not_require_authentication(self, api_client):
-        api_client.credentials()
-
-        response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-    def test_does_not_run_dependency_checks(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as mock_pg,
-            patch("api.health._probe_valkey") as mock_vk,
-            patch("api.health._probe_neo4j") as mock_neo,
-        ):
-            response = api_client.get(reverse("health-live"))
-
-        assert response.status_code == status.HTTP_200_OK
-        mock_pg.assert_not_called()
-        mock_vk.assert_not_called()
-        mock_neo.assert_not_called()
-
-
-class TestReadinessEndpoint:
-    @staticmethod
-    def _patch_probes():
-        return (
-            patch("api.health._probe_postgres", return_value=None),
-            patch("api.health._probe_valkey", return_value=None),
-            patch("api.health._probe_neo4j", return_value=None),
-        )
-
-    def test_returns_200_and_pass_when_all_dependencies_healthy(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-        assert response["Content-Type"].startswith(HEALTH_MEDIA_TYPE)
-        assert response["Cache-Control"] == health.CACHE_CONTROL_HEADER
-
-        body = response.json()
-        _assert_health_envelope(body)
-        assert body["status"] == "pass"
-
-        # Per RFC, `checks` values are arrays of one or more measurement
-        # objects. We use a single measurement per dependency.
-        assert set(body["checks"].keys()) == {
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        }
-        for key in body["checks"]:
-            entries = body["checks"][key]
-            assert isinstance(entries, list) and len(entries) == 1
-            entry = entries[0]
-            assert entry["status"] == "pass"
-            assert entry["componentType"] == "datastore"
-            assert entry["observedUnit"] == "ms"
-            assert isinstance(entry["observedValue"], (int, float))
-            assert entry["observedValue"] >= 0
-            assert "time" in entry
-            # `output` must not leak when the check passed.
-            assert "output" not in entry
-
-    def test_returns_503_and_fail_when_postgres_is_down(self, api_client):
-        with (
-            patch(
-                "api.health._probe_postgres",
-                side_effect=RuntimeError("connection refused"),
-            ),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        pg_entry = body["checks"]["postgres:responseTime"][0]
-        assert pg_entry["status"] == "fail"
-        # Exception detail is never echoed in the response, only logged.
-        assert "output" not in pg_entry
-        assert body["checks"]["valkey:responseTime"][0]["status"] == "pass"
-        assert body["checks"]["neo4j:responseTime"][0]["status"] == "pass"
-
-    def test_returns_503_and_fail_when_valkey_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey", side_effect=ConnectionError("timeout")),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        vk_entry = body["checks"]["valkey:responseTime"][0]
-        assert vk_entry["status"] == "fail"
-        assert "output" not in vk_entry
-
-    def test_returns_503_and_fail_when_neo4j_is_down(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch(
-                "api.health._probe_neo4j",
-                side_effect=RuntimeError("ServiceUnavailable"),
-            ),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        neo_entry = body["checks"]["neo4j:responseTime"][0]
-        assert neo_entry["status"] == "fail"
-        assert "output" not in neo_entry
-
-    def test_reports_all_failures_simultaneously(self, api_client):
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("pg down")),
-            patch("api.health._probe_valkey", side_effect=RuntimeError("vk down")),
-            patch("api.health._probe_neo4j", side_effect=RuntimeError("neo down")),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        body = response.json()
-        assert body["status"] == "fail"
-        for key in (
-            "postgres:responseTime",
-            "valkey:responseTime",
-            "neo4j:responseTime",
-        ):
-            entry = body["checks"][key][0]
-            assert entry["status"] == "fail"
-            # No dependency-specific error string leaks into the payload.
-            assert "output" not in entry
-
-    def test_does_not_leak_exception_detail_on_failure(self, api_client):
-        # Sanity check: an exception message resembling infra detail
-        # (host, port, credentials) must not surface in the response under
-        # any field.
-        sensitive = (
-            "connection to server at "
-            '"postgres-rw.prod.svc.cluster.local" (10.0.0.5), port 5432 '
-            'failed: FATAL: password authentication failed for user "prowler_user"'
-        )
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError(sensitive)),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            response = api_client.get(reverse("health-ready"))
-
-        body = response.json()
-        assert "output" not in body["checks"]["postgres:responseTime"][0]
-        payload_text = response.content.decode()
-        for token in (
-            "postgres-rw",
-            "10.0.0.5",
-            "5432",
-            "prowler_user",
-            "password authentication failed",
-        ):
-            assert token not in payload_text
-
-    def test_does_not_require_authentication(self, api_client):
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.credentials()
-            response = api_client.get(reverse("health-ready"))
-
-        assert response.status_code == status.HTTP_200_OK
-
-
-class TestReadinessCache:
-    """In-process cache caps the rate at which real probes hit the deps."""
-
-    def test_result_is_cached_for_ttl_seconds(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey") as vk,
-            patch("api.health._probe_neo4j") as neo,
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_200_OK
-        assert r2.status_code == status.HTTP_200_OK
-        # Second request must not trigger fresh dep checks within the TTL.
-        assert pg.call_count == 1
-        assert vk.call_count == 1
-        assert neo.call_count == 1
-        # The cached payload is returned verbatim (same timestamps too).
-        assert r1.json() == r2.json()
-
-    def test_re_probes_after_cache_ttl_expires(self, api_client):
-        with (
-            patch("api.health._probe_postgres") as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            api_client.get(reverse("health-ready"))
-            assert pg.call_count == 1
-
-            # Rewind the cached timestamp past the TTL so the next request
-            # is forced to recompute.
-            cached_ts, payload, http_status_code = health._readiness_cache
-            health._readiness_cache = (
-                cached_ts - health.READINESS_CACHE_TTL_SECONDS - 0.1,
-                payload,
-                http_status_code,
-            )
-            api_client.get(reverse("health-ready"))
-
-        assert pg.call_count == 2
-
-    def test_cache_persists_a_failing_result(self, api_client):
-        # A failing readiness result is cached too; this is intentional so
-        # an attacker spamming the endpoint during an outage cannot amplify
-        # the dependency load.
-        with (
-            patch("api.health._probe_postgres", side_effect=RuntimeError("down")) as pg,
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-        ):
-            r1 = api_client.get(reverse("health-ready"))
-            r2 = api_client.get(reverse("health-ready"))
-
-        assert r1.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert r2.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
-        assert pg.call_count == 1
-
-
-class TestRateLimiting:
-    """The endpoints are unauthenticated and exposed; per-IP throttle caps
-    naive single-source floods."""
-
-    def test_live_blocks_after_budget_exhausted(self, api_client):
-        # Shrink the budget to 3 req per window so the test stays fast and
-        # deterministic. parse_rate runs once per throttle instance and
-        # each request gets a fresh instance, so this patch propagates.
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with patch.object(ScopedRateThrottle, "parse_rate", return_value=(3, 60)):
-            statuses = [
-                api_client.get(reverse("health-live")).status_code for _ in range(4)
-            ]
-
-        assert statuses[:3] == [status.HTTP_200_OK] * 3
-        assert statuses[3] == status.HTTP_429_TOO_MANY_REQUESTS
-
-    def test_ready_blocks_after_budget_exhausted(self, api_client):
-        from rest_framework.throttling import ScopedRateThrottle
-
-        with (
-            patch("api.health._probe_postgres"),
-            patch("api.health._probe_valkey"),
-            patch("api.health._probe_neo4j"),
-            patch.object(ScopedRateThrottle, "parse_rate", return_value=(2, 60)),
-        ):
-            statuses = [
-                api_client.get(reverse("health-ready")).status_code for _ in range(3)
-            ]
-
-        assert statuses[:2] == [status.HTTP_200_OK] * 2
-        assert statuses[2] == status.HTTP_429_TOO_MANY_REQUESTS
-
-
-class TestProbeImplementations:
-    """Smoke tests for each probe primitive."""
-
-    @pytest.mark.django_db
-    def test_postgres_probe_succeeds_against_real_db(self):
-        assert health._probe_postgres() is None
-
-    def test_postgres_probe_propagates_db_errors(self):
-        class _BoomCursor:
-            def __enter__(self):
-                return self
-
-            def __exit__(self, *_):
-                return False
-
-            def execute(self, *_args, **_kwargs):
-                raise RuntimeError("boom")
-
-            def fetchone(self):  # pragma: no cover - never reached
-                return None
-
-        with patch("api.health.connections") as mock_connections:
-            mock_connections.__getitem__.return_value.cursor.return_value = (
-                _BoomCursor()
-            )
-            with pytest.raises(RuntimeError, match="boom"):
-                health._probe_postgres()
-
-    def test_valkey_probe_succeeds_when_ping_returns_true(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = True
-            assert health._probe_valkey() is None
-
-    def test_valkey_probe_raises_when_ping_returns_false(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.return_value = False
-            with pytest.raises(RuntimeError, match="PING"):
-                health._probe_valkey()
-
-    def test_valkey_probe_propagates_connection_errors(self):
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            mock_from_url.return_value.ping.side_effect = ConnectionError("nope")
-            with pytest.raises(ConnectionError, match="nope"):
-                health._probe_valkey()
-
-    def test_valkey_probe_suppresses_redis_error_on_close(self):
-        # A redis-py-level failure releasing the socket must not mask a
-        # successful PING (best-effort cleanup contract).
-        import redis as redis_pkg
-
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = redis_pkg.RedisError("connection reset")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_suppresses_oserror_on_close(self):
-        # Socket-layer failures (OSError family) on close are also part of
-        # the swallowed scope.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = OSError("EBADF")
-
-            assert health._probe_valkey() is None
-
-        client.close.assert_called_once_with()
-
-    def test_valkey_probe_lets_unexpected_close_errors_propagate(self):
-        # The suppress() is deliberately narrow: anything outside
-        # (redis.RedisError, OSError) must surface so it is not silently
-        # hidden.
-        with patch("api.health.redis.Redis.from_url") as mock_from_url:
-            client = mock_from_url.return_value
-            client.ping.return_value = True
-            client.close.side_effect = RuntimeError("bug")
-
-            with pytest.raises(RuntimeError, match="bug"):
-                health._probe_valkey()
-
-    def test_neo4j_probe_calls_verify_connectivity(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.return_value = None
-            assert health._probe_neo4j() is None
-            mock_get_driver.return_value.verify_connectivity.assert_called_once_with()
-
-    def test_neo4j_probe_propagates_driver_errors(self):
-        with patch("api.attack_paths.database.get_driver") as mock_get_driver:
-            mock_get_driver.return_value.verify_connectivity.side_effect = RuntimeError(
-                "unreachable"
-            )
-            with pytest.raises(RuntimeError, match="unreachable"):
-                health._probe_neo4j()
-
-
-class TestStatusAggregation:
-    def test_pass_when_all_checks_pass(self):
-        entries = [{"status": "pass"}, {"status": "pass"}]
-        assert health._aggregate_status(entries) == "pass"
-
-    def test_warn_when_any_check_warns_and_none_fail(self):
-        entries = [{"status": "pass"}, {"status": "warn"}]
-        assert health._aggregate_status(entries) == "warn"
-
-    def test_fail_when_any_check_fails(self):
-        entries = [{"status": "pass"}, {"status": "warn"}, {"status": "fail"}]
-        assert health._aggregate_status(entries) == "fail"
@@ -1,40 +0,0 @@
-"""Drift checks for the API version constants.
-
-Guarantee that ``config.version`` always reflects the canonical
-``[project].version`` declared in ``api/pyproject.toml``.
-"""
-
-import tomllib
-from pathlib import Path
-
-import pytest
-from config import version as config_version
-
-
-@pytest.fixture(scope="module")
-def pyproject_data():
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        if data.get("project", {}).get("name") == "prowler-api":
-            return data
-    raise AssertionError("api/pyproject.toml not reachable from the test runner")
-
-
-def test_release_id_matches_pyproject(pyproject_data):
-    assert config_version.RELEASE_ID == pyproject_data["project"]["version"]
-
-
-def test_api_version_is_major_of_release_id():
-    assert config_version.API_VERSION == config_version.RELEASE_ID.split(".", 1)[0]
-    assert config_version.API_VERSION.isdigit()
-
-
-def test_api_version_matches_v1_url_prefix():
-    # The public contract version surfaced in the health payload must match
-    # the URL namespace the API is published under.
-    assert config_version.API_VERSION == "1"
@@ -21,7 +21,6 @@ from celery import chain, states
 from celery.result import AsyncResult
 from config.custom_logging import BackendLogger
 from config.env import env
-from config.version import RELEASE_ID
 from config.settings.social_login import (
    GITHUB_OAUTH_CALLBACK_URL,
    GOOGLE_OAUTH_CALLBACK_URL,
@@ -425,7 +424,7 @@ class SchemaView(SpectacularAPIView):

    def get(self, request, *args, **kwargs):
        spectacular_settings.TITLE = "Prowler API"
-        spectacular_settings.VERSION = RELEASE_ID
+        spectacular_settings.VERSION = "1.28.0"
        spectacular_settings.DESCRIPTION = (
            "Prowler API specification.\n\nThis file is auto-generated."
        )
@@ -118,8 +118,6 @@ REST_FRAMEWORK = {
        "attack-paths-custom-query": env(
            "DJANGO_THROTTLE_ATTACK_PATHS_CUSTOM_QUERY", default="10/min"
        ),
-        "health-live": env("DJANGO_THROTTLE_HEALTH_LIVE", default="120/min"),
-        "health-ready": env("DJANGO_THROTTLE_HEALTH_READY", default="60/min"),
    },
 }

@@ -1,9 +1,5 @@
 from django.urls import include, path

-from api.health import LivenessView, ReadinessView
-
 urlpatterns = [
    path("api/v1/", include("api.v1.urls")),
-    path("health/live", LivenessView.as_view(), name="health-live"),
-    path("health/ready", ReadinessView.as_view(), name="health-ready"),
 ]
@@ -1,41 +0,0 @@
-"""Single source of truth for the API version.
-
-The semantic version is read once from ``api/pyproject.toml`` at module
-import; consumers (health payload, OpenAPI schema) read the resulting
-constants. Fails fast at boot if the file cannot be located, so a
-packaging mistake surfaces immediately rather than serving stale data.
-"""
-
-from __future__ import annotations
-
-import tomllib
-from pathlib import Path
-
-_PROJECT_NAME = "prowler-api"
-
-
-def _discover_release_id() -> str:
-    here = Path(__file__).resolve()
-    for directory in here.parents:
-        candidate = directory / "pyproject.toml"
-        if not candidate.is_file():
-            continue
-        with candidate.open("rb") as f:
-            data = tomllib.load(f)
-        project = data.get("project") or {}
-        if project.get("name") != _PROJECT_NAME:
-            continue
-        version = project.get("version")
-        if not isinstance(version, str) or not version:
-            raise RuntimeError(
-                f"{candidate} declares an empty or invalid [project].version"
-            )
-        return version
-    raise RuntimeError(
-        f"Could not locate the {_PROJECT_NAME} pyproject.toml from {here}"
-    )
-
-
-RELEASE_ID: str = _discover_release_id()
-# Public contract major (e.g. "1"); matches the /api/v1/ namespace.
-API_VERSION: str = RELEASE_ID.split(".", 1)[0]
@@ -20,15 +20,11 @@ from tasks.jobs.reports import (
    ThreatScoreReportGenerator,
 )
 from tasks.jobs.threatscore import compute_threatscore_metrics
-from tasks.jobs.threatscore_utils import (
-    _aggregate_requirement_statistics_from_database,
-    _get_compliance_check_ids,
-)
+from tasks.jobs.threatscore_utils import _aggregate_requirement_statistics_from_database

 from api.db_router import READ_REPLICA_ALIAS, MainRouter
 from api.db_utils import rls_transaction
 from api.models import Provider, Scan, ScanSummary, StateChoices, ThreatScoreSnapshot
-from api.utils import initialize_prowler_provider
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.finding import Finding as FindingOutput

@@ -431,7 +427,6 @@ def generate_threatscore_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report based on Prowler ThreatScore framework.
@@ -460,7 +455,6 @@ def generate_threatscore_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
    )

@@ -475,7 +469,6 @@ def generate_ens_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for ENS RD2022 framework.
@@ -502,7 +495,6 @@ def generate_ens_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        include_manual=include_manual,
    )

@@ -518,7 +510,6 @@ def generate_nis2_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for NIS2 Directive (EU) 2022/2555.
@@ -546,7 +537,6 @@ def generate_nis2_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -563,7 +553,6 @@ def generate_csa_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for CSA Cloud Controls Matrix (CCM) v4.0.
@@ -591,7 +580,6 @@ def generate_csa_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -608,7 +596,6 @@ def generate_cis_report(
    provider_obj: Provider | None = None,
    requirement_statistics: dict[str, dict[str, int]] | None = None,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    prowler_provider=None,
 ) -> None:
    """
    Generate a PDF compliance report for a specific CIS Benchmark variant.
@@ -640,7 +627,6 @@ def generate_cis_report(
        provider_obj=provider_obj,
        requirement_statistics=requirement_statistics,
        findings_cache=findings_cache,
-        prowler_provider=prowler_provider,
        only_failed=only_failed,
        include_manual=include_manual,
    )
@@ -785,17 +771,6 @@ def generate_compliance_reports(
        results["csa"] = {"upload": False, "path": ""}
        generate_csa = False

-    # Load the framework definitions for this provider once. We use this map
-    # both to pick the latest CIS variant and to precompute the set of
-    # check_ids each framework consumes (for findings_cache eviction).
-    frameworks_bulk: dict = {}
-    try:
-        frameworks_bulk = Compliance.get_bulk(provider_type)
-    except Exception as e:
-        logger.error("Error loading compliance frameworks for %s: %s", provider_type, e)
-        # Fall through; individual frameworks will still try and fail
-        # gracefully if their compliance_id is missing.
-
    # For CIS we do NOT pre-check the provider against a hard-coded whitelist
    # (that list drifts the moment a new CIS JSON ships). Instead, we inspect
    # the dynamically loaded framework map and pick the latest available CIS
@@ -803,6 +778,7 @@ def generate_compliance_reports(
    latest_cis: str | None = None
    if generate_cis:
        try:
+            frameworks_bulk = Compliance.get_bulk(provider_type)
            latest_cis = _pick_latest_cis_variant(
                name for name in frameworks_bulk.keys() if name.startswith("cis_")
            )
@@ -839,84 +815,10 @@ def generate_compliance_reports(
        tenant_id, scan_id
    )

-    # Initialize the Prowler provider once for the whole report batch. Each
-    # generator used to re-init this in _load_compliance_data, paying the
-    # boto3/Azure-SDK construction cost 5 times per scan. The instance is
-    # only used by FindingOutput.transform_api_finding to enrich findings,
-    # so a single shared instance is correct.
-    logger.info("Initializing prowler_provider once for all reports (scan %s)", scan_id)
-    try:
-        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            prowler_provider = initialize_prowler_provider(provider_obj)
-    except Exception as init_error:
-        # If init fails the generators will fall back to lazy init in
-        # _load_compliance_data; we just log and continue.
-        logger.warning(
-            "Could not pre-initialize prowler_provider for scan %s: %s",
-            scan_id,
-            init_error,
-        )
-        prowler_provider = None
-
-    # Create shared findings cache up front so the eviction closure below
-    # can reference it. Defined BEFORE the closure to avoid the UnboundLocalError
-    # trap if an early-return is later inserted between the closure and its
-    # first use.
-    findings_cache: dict[str, list[FindingOutput]] = {}
+    # Create shared findings cache
+    findings_cache = {}
    logger.info("Created shared findings cache for all reports")

-    # Precompute the set of check_ids each framework consumes. After a
-    # framework finishes, every check_id that no remaining framework still
-    # needs is evicted from findings_cache so the dict does not keep
-    # growing through the batch (PROWLER-1733).
-    pending_checks_by_framework: dict[str, set[str]] = {}
-    if generate_threatscore:
-        pending_checks_by_framework["threatscore"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"prowler_threatscore_{provider_type}")
-        )
-    if generate_ens:
-        pending_checks_by_framework["ens"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"ens_rd2022_{provider_type}")
-        )
-    if generate_nis2:
-        pending_checks_by_framework["nis2"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"nis2_{provider_type}")
-        )
-    if generate_csa:
-        pending_checks_by_framework["csa"] = _get_compliance_check_ids(
-            frameworks_bulk.get(f"csa_ccm_4.0_{provider_type}")
-        )
-    if generate_cis and latest_cis:
-        pending_checks_by_framework["cis"] = _get_compliance_check_ids(
-            frameworks_bulk.get(latest_cis)
-        )
-
-    def _evict_after_framework(done_key: str) -> int:
-        """Drop from findings_cache every check_id no pending framework still needs."""
-        done = pending_checks_by_framework.pop(done_key, set())
-        still_needed: set[str] = (
-            set().union(*pending_checks_by_framework.values())
-            if pending_checks_by_framework
-            else set()
-        )
-        exclusive = done - still_needed
-        evicted = 0
-        for cid in exclusive:
-            if findings_cache.pop(cid, None) is not None:
-                evicted += 1
-        if evicted:
-            logger.info(
-                "Evicted %d exclusive check entries from findings_cache after %s "
-                "(remaining cache size: %d)",
-                evicted,
-                done_key,
-                len(findings_cache),
-            )
-            # Release the lists' memory now instead of waiting for the next
-            # gc cycle; FindingOutput instances retain quite a bit of state.
-            gc.collect()
-        return evicted
-
    generated_report_keys: list[str] = []
    output_paths: dict[str, str] = {}
    out_dir: str | None = None
@@ -1005,7 +907,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            # Compute and store ThreatScore metrics snapshot
@@ -1083,15 +984,9 @@ def generate_compliance_reports(
                logger.warning("ThreatScore report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=threatscore scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating ThreatScore report: %s", e)
            results["threatscore"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("threatscore")
-
    # Generate ENS report
    if generate_ens:
        generated_report_keys.append("ens")
@@ -1111,7 +1006,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_ens = _upload_to_s3(
@@ -1126,15 +1020,9 @@ def generate_compliance_reports(
                logger.warning("ENS report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=ens scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating ENS report: %s", e)
            results["ens"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("ens")
-
    # Generate NIS2 report
    if generate_nis2:
        generated_report_keys.append("nis2")
@@ -1155,7 +1043,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_nis2 = _upload_to_s3(
@@ -1170,15 +1057,9 @@ def generate_compliance_reports(
                logger.warning("NIS2 report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=nis2 scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating NIS2 report: %s", e)
            results["nis2"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("nis2")
-
    # Generate CSA CCM report
    if generate_csa:
        generated_report_keys.append("csa")
@@ -1199,7 +1080,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_csa = _upload_to_s3(
@@ -1214,15 +1094,9 @@ def generate_compliance_reports(
                logger.warning("CSA CCM report saved locally at %s", out_dir)

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=csa scan_id=%s tenant_id=%s",
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating CSA CCM report: %s", e)
            results["csa"] = {"upload": False, "path": "", "error": str(e)}

-        _evict_after_framework("csa")
-
    # Generate CIS Benchmark report for the latest available version only.
    # CIS ships multiple versions per provider (e.g. cis_1.4_aws, cis_5.0_aws,
    # cis_6.0_aws); we dynamically pick the highest semantic version at run
@@ -1245,7 +1119,6 @@ def generate_compliance_reports(
                provider_obj=provider_obj,
                requirement_statistics=requirement_statistics,
                findings_cache=findings_cache,
-                prowler_provider=prowler_provider,
            )

            upload_uri_cis = _upload_to_s3(
@@ -1274,22 +1147,14 @@ def generate_compliance_reports(
                )

        except Exception as e:
-            logger.exception(
-                "compliance_report_failed framework=cis variant=%s scan_id=%s tenant_id=%s",
-                latest_cis,
-                scan_id,
-                tenant_id,
-            )
+            logger.error("Error generating CIS report %s: %s", latest_cis, e)
            results["cis"] = {
                "upload": False,
                "path": "",
                "error": str(e),
            }
        finally:
-            # Free ReportLab/matplotlib memory before moving on. CIS is
-            # always the last framework, so evicting its entries clears the
-            # cache entirely (subject to its check_ids set).
-            _evict_after_framework("cis")
+            # Free ReportLab/matplotlib memory before moving on.
            gc.collect()

    # Clean up temporary files only if all generated reports were
@@ -1,9 +1,6 @@
 import gc
 import os
-import resource as _resource_module
-import time
 from abc import ABC, abstractmethod
-from contextlib import contextmanager
 from dataclasses import dataclass, field
 from typing import Any

@@ -44,7 +41,6 @@ from .config import (
    COLOR_LIGHT_BLUE,
    COLOR_LIGHTER_BLUE,
    COLOR_PROWLER_DARK_GREEN,
-    FINDINGS_TABLE_CHUNK_SIZE,
    PADDING_LARGE,
    PADDING_SMALL,
    FrameworkConfig,
@@ -52,46 +48,6 @@ from .config import (

 logger = get_task_logger(__name__)

-
-@contextmanager
-def _log_phase(phase: str, **tags: Any):
-    """Log start/end timing and RSS deltas around a long-running task section.
-
-    Generic helper: callers pass arbitrary ``key=value`` tags
-    (e.g. ``scan_id``, ``framework``, ``provider_id``) and they are
-    emitted as part of the structured log line, so Grafana/Datadog/
-    CloudWatch queries can pivot by whichever dimension is relevant to
-    the task. ``getrusage`` returns KB on Linux and bytes on macOS;
-    the values are still useful in relative terms even though units
-    differ across platforms.
-    """
-    tag_str = " ".join(f"{key}={value}" for key, value in tags.items())
-    suffix = f" {tag_str}" if tag_str else ""
-
-    start = time.perf_counter()
-    rss_before = _resource_module.getrusage(_resource_module.RUSAGE_SELF).ru_maxrss
-    logger.info("phase_start phase=%s%s rss_kb=%d", phase, suffix, rss_before)
-    try:
-        yield
-    except Exception:
-        elapsed = time.perf_counter() - start
-        logger.exception(
-            "phase_failed phase=%s%s elapsed_s=%.2f", phase, suffix, elapsed
-        )
-        raise
-    else:
-        elapsed = time.perf_counter() - start
-        rss_after = _resource_module.getrusage(_resource_module.RUSAGE_SELF).ru_maxrss
-        logger.info(
-            "phase_end phase=%s%s elapsed_s=%.2f rss_kb=%d delta_rss_kb=%d",
-            phase,
-            suffix,
-            elapsed,
-            rss_after,
-            rss_after - rss_before,
-        )
-
-
 # Register fonts (done once at module load)
 _fonts_registered: bool = False

@@ -379,7 +335,6 @@ class BaseComplianceReportGenerator(ABC):
        provider_obj: Provider | None = None,
        requirement_statistics: dict[str, dict[str, int]] | None = None,
        findings_cache: dict[str, list[FindingOutput]] | None = None,
-        prowler_provider: Any | None = None,
        **kwargs,
    ) -> None:
        """Generate the PDF compliance report.
@@ -396,35 +351,23 @@ class BaseComplianceReportGenerator(ABC):
            provider_obj: Optional pre-fetched Provider object
            requirement_statistics: Optional pre-aggregated statistics
            findings_cache: Optional pre-loaded findings cache
-            prowler_provider: Optional pre-initialized Prowler provider. When
-                generating multiple reports for the same scan the master
-                function initializes this once and passes it in to avoid
-                re-running boto3/Azure-SDK setup per framework.
            **kwargs: Additional framework-specific arguments
        """
-        framework = self.config.display_name
        logger.info(
-            "report_generation_start framework=%s scan_id=%s compliance_id=%s",
-            framework,
-            scan_id,
-            compliance_id,
+            "Generating %s report for scan %s", self.config.display_name, scan_id
        )

        try:
            # 1. Load compliance data
-            with _log_phase(
-                "load_compliance_data", scan_id=scan_id, framework=framework
-            ):
-                data = self._load_compliance_data(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                    compliance_id=compliance_id,
-                    provider_id=provider_id,
-                    provider_obj=provider_obj,
-                    requirement_statistics=requirement_statistics,
-                    findings_cache=findings_cache,
-                    prowler_provider=prowler_provider,
-                )
+            data = self._load_compliance_data(
+                tenant_id=tenant_id,
+                scan_id=scan_id,
+                compliance_id=compliance_id,
+                provider_id=provider_id,
+                provider_obj=provider_obj,
+                requirement_statistics=requirement_statistics,
+                findings_cache=findings_cache,
+            )

            # 2. Create PDF document
            doc = self._create_document(output_path, data)
@@ -434,54 +377,37 @@ class BaseComplianceReportGenerator(ABC):
            elements = []

            # Cover page (lightweight)
-            with _log_phase("cover_page", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_cover_page(data))
-                elements.append(PageBreak())
+            elements.extend(self.create_cover_page(data))
+            elements.append(PageBreak())

            # Executive summary (framework-specific)
-            with _log_phase("executive_summary", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_executive_summary(data))
+            elements.extend(self.create_executive_summary(data))

            # Body sections (charts + requirements index)
            # Override _build_body_sections() in subclasses to change section order
-            with _log_phase("body_sections", scan_id=scan_id, framework=framework):
-                elements.extend(self._build_body_sections(data))
+            elements.extend(self._build_body_sections(data))

            # Detailed findings - heaviest section, loads findings on-demand
-            with _log_phase("detailed_findings", scan_id=scan_id, framework=framework):
-                elements.extend(self.create_detailed_findings(data, **kwargs))
-                gc.collect()  # Free findings data after processing
+            logger.info("Building detailed findings section...")
+            elements.extend(self.create_detailed_findings(data, **kwargs))
+            gc.collect()  # Free findings data after processing

            # 4. Build the PDF
-            logger.info(
-                "doc_build_about_to_run framework=%s scan_id=%s elements=%d",
-                framework,
-                scan_id,
-                len(elements),
-            )
-            with _log_phase("doc_build", scan_id=scan_id, framework=framework):
-                self._build_pdf(doc, elements, data)
+            logger.info("Building PDF document with %d elements...", len(elements))
+            self._build_pdf(doc, elements, data)

            # Final cleanup
            del elements
            gc.collect()

-            logger.info(
-                "report_generation_end framework=%s scan_id=%s output_path=%s",
-                framework,
-                scan_id,
-                output_path,
-            )
+            logger.info("Successfully generated report at %s", output_path)

-        except Exception:
-            # logger.exception captures the full traceback; the contextual
-            # keys keep production search-by-scan-id viable.
-            logger.exception(
-                "report_generation_failed framework=%s scan_id=%s compliance_id=%s",
-                framework,
-                scan_id,
-                compliance_id,
-            )
+        except Exception as e:
+            import traceback
+
+            tb_lineno = e.__traceback__.tb_lineno if e.__traceback__ else "unknown"
+            logger.error("Error generating report, line %s -- %s", tb_lineno, e)
+            logger.error("Full traceback:\n%s", traceback.format_exc())
            raise

    def _build_body_sections(self, data: ComplianceData) -> list:
@@ -712,25 +638,15 @@ class BaseComplianceReportGenerator(ABC):
        for req in requirements:
            check_ids_to_load.extend(req.checks)

-        # Load findings on-demand only for the checks that will be displayed.
-        # When ``only_failed`` is active at requirement level, also push the
-        # FAIL filter down to the finding level: a requirement marked FAIL
-        # because 1/1000 findings failed must not render a table dominated by
-        # 999 PASS rows. That hides the actual failure under noise and
-        # makes the per-check cap truncate the wrong rows.
-        # ``total_counts`` is populated with the pre-cap total per check_id
-        # (FAIL-only when only_failed is active) so the "Showing first N of
-        # M" banner uses the same denominator the reader cares about.
+        # Load findings on-demand only for the checks that will be displayed
+        # Uses the shared findings cache to avoid duplicate queries across reports
        logger.info("Loading findings on-demand for %d requirements", len(requirements))
-        total_counts: dict[str, int] = {}
        findings_by_check_id = _load_findings_for_requirement_checks(
            data.tenant_id,
            data.scan_id,
            check_ids_to_load,
            data.prowler_provider,
            data.findings_by_check_id,  # Pass the cache to update it
-            total_counts_out=total_counts,
-            only_failed_findings=only_failed,
        )

        for req in requirements:
@@ -762,31 +678,9 @@ class BaseComplianceReportGenerator(ABC):
                        )
                    )
                else:
-                    # Surface truncation BEFORE the tables so readers see it
-                    # at the same scroll position as the data itself, not
-                    # after thousands of rendered rows.
-                    loaded = len(findings)
-                    total = total_counts.get(check_id, loaded)
-                    if total > loaded:
-                        kind = "failed findings" if only_failed else "findings"
-                        elements.append(
-                            Paragraph(
-                                f"<b>&#9888; Showing first {loaded:,} of "
-                                f"{total:,} {kind} for this check.</b> "
-                                f"Use the CSV or JSON-OCSF export for the full "
-                                f"list. The PDF caps detail rows to keep "
-                                f"the report readable and bounded in size.",
-                                self.styles["normal"],
-                            )
-                        )
-                        elements.append(Spacer(1, 0.05 * inch))
-
-                    # Create chunked findings tables to prevent OOM when a
-                    # single check has thousands of findings (ReportLab
-                    # resolves layout per Flowable, so many small tables
-                    # render contiguously with a bounded memory peak).
-                    findings_tables = self._create_findings_tables(findings)
-                    elements.extend(findings_tables)
+                    # Create findings table
+                    findings_table = self._create_findings_table(findings)
+                    elements.append(findings_table)

                elements.append(Spacer(1, 0.1 * inch))

@@ -841,7 +735,6 @@ class BaseComplianceReportGenerator(ABC):
        provider_obj: Provider | None,
        requirement_statistics: dict | None,
        findings_cache: dict | None,
-        prowler_provider: Any | None = None,
    ) -> ComplianceData:
        """Load and aggregate compliance data from the database.

@@ -853,9 +746,6 @@ class BaseComplianceReportGenerator(ABC):
            provider_obj: Optional pre-fetched Provider
            requirement_statistics: Optional pre-aggregated statistics
            findings_cache: Optional pre-loaded findings
-            prowler_provider: Optional pre-initialized Prowler provider. When
-                the master function initializes it once and passes it in,
-                we skip the per-report ``initialize_prowler_provider`` call.

        Returns:
            Aggregated ComplianceData object
@@ -865,8 +755,7 @@ class BaseComplianceReportGenerator(ABC):
            if provider_obj is None:
                provider_obj = Provider.objects.get(id=provider_id)

-            if prowler_provider is None:
-                prowler_provider = initialize_prowler_provider(provider_obj)
+            prowler_provider = initialize_prowler_provider(provider_obj)
            provider_type = provider_obj.provider

            # Load compliance framework
@@ -934,32 +823,13 @@ class BaseComplianceReportGenerator(ABC):
    ) -> SimpleDocTemplate:
        """Create the PDF document template.

-        Validates that ``output_path`` is a filesystem path string with an
-        existing parent directory. SimpleDocTemplate technically accepts a
-        BytesIO too, but we want every report to land on disk so the
-        Celery worker doesn't hold the full PDF in memory while uploading
-        to S3.
-
        Args:
            output_path: Path for the output PDF
            data: Compliance data for metadata

        Returns:
            Configured SimpleDocTemplate
-
-        Raises:
-            TypeError: ``output_path`` is not a string.
-            FileNotFoundError: The parent directory does not exist.
        """
-        if not isinstance(output_path, str):
-            raise TypeError(
-                "output_path must be a filesystem path string; "
-                f"got {type(output_path).__name__}"
-            )
-        parent_dir = os.path.dirname(output_path)
-        if parent_dir and not os.path.isdir(parent_dir):
-            raise FileNotFoundError(f"Output directory does not exist: {parent_dir}")
-
        return SimpleDocTemplate(
            output_path,
            pagesize=letter,
@@ -1006,10 +876,47 @@ class BaseComplianceReportGenerator(ABC):
            onLaterPages=add_footer,
        )

-    # Column layout shared by all findings sub-tables. Defined as a method so
-    # subclasses can override it without re-implementing the chunking logic.
-    def _findings_table_columns(self) -> list[ColumnConfig]:
-        return [
+    def _create_findings_table(self, findings: list[FindingOutput]) -> Any:
+        """Create a findings table.
+
+        Args:
+            findings: List of finding objects
+
+        Returns:
+            ReportLab Table element
+        """
+
+        def get_finding_title(f):
+            metadata = getattr(f, "metadata", None)
+            if metadata:
+                return getattr(metadata, "CheckTitle", getattr(f, "check_id", ""))
+            return getattr(f, "check_id", "")
+
+        def get_resource_name(f):
+            name = getattr(f, "resource_name", "")
+            if not name:
+                name = getattr(f, "resource_uid", "")
+            return name
+
+        def get_severity(f):
+            metadata = getattr(f, "metadata", None)
+            if metadata:
+                return getattr(metadata, "Severity", "").capitalize()
+            return ""
+
+        # Convert findings to dicts for the table
+        data = []
+        for f in findings:
+            item = {
+                "title": get_finding_title(f),
+                "resource_name": get_resource_name(f),
+                "severity": get_severity(f),
+                "status": getattr(f, "status", "").upper(),
+                "region": getattr(f, "region", "global"),
+            }
+            data.append(item)
+
+        columns = [
            ColumnConfig("Finding", 2.5 * inch, "title"),
            ColumnConfig("Resource", 3 * inch, "resource_name"),
            ColumnConfig("Severity", 0.9 * inch, "severity"),
@@ -1017,122 +924,9 @@ class BaseComplianceReportGenerator(ABC):
            ColumnConfig("Region", 0.9 * inch, "region"),
        ]

-    @staticmethod
-    def _finding_to_row(f: FindingOutput) -> dict[str, str]:
-        """Project a FindingOutput onto the row dict the table expects.
-
-        Kept defensive: missing metadata or attributes return empty strings
-        rather than raising, so a single malformed finding never breaks the
-        whole report.
-        """
-        metadata = getattr(f, "metadata", None)
-        title = (
-            getattr(metadata, "CheckTitle", getattr(f, "check_id", ""))
-            if metadata
-            else getattr(f, "check_id", "")
-        )
-        resource_name = getattr(f, "resource_name", "") or getattr(
-            f, "resource_uid", ""
-        )
-        severity = getattr(metadata, "Severity", "").capitalize() if metadata else ""
-        return {
-            "title": title,
-            "resource_name": resource_name,
-            "severity": severity,
-            "status": getattr(f, "status", "").upper(),
-            "region": getattr(f, "region", "global"),
-        }
-
-    def _create_findings_tables(
-        self,
-        findings: list[FindingOutput],
-        chunk_size: int | None = None,
-    ) -> list[Any]:
-        """Build a list of small findings tables to keep ``doc.build()`` memory bounded.
-
-        ReportLab resolves layout (column widths, row heights, page-breaks)
-        per Flowable. A single ``LongTable`` of 15k rows forces all of that
-        to be computed at once and reliably OOMs the worker on large scans.
-        Splitting into chunks of ``chunk_size`` rows produces an equivalent-
-        looking PDF (LongTable repeats headers; chunks render contiguously)
-        with a bounded memory peak per chunk.
-
-        Args:
-            findings: List of finding objects for a single check.
-            chunk_size: Rows per sub-table. ``None`` uses
-                ``FINDINGS_TABLE_CHUNK_SIZE`` from config.
-
-        Returns:
-            List of ReportLab flowables (interleaved ``Table``/``LongTable``
-            and small ``Spacer`` between chunks). Empty list when there are
-            no findings.
-        """
-        if not findings:
-            return []
-
-        chunk_size = chunk_size or FINDINGS_TABLE_CHUNK_SIZE
-
-        # Build all rows first so we can chunk without re-walking the
-        # FindingOutput list. Malformed findings are skipped with a logged
-        # exception, never enough to abort the entire report.
-        rows: list[dict[str, str]] = []
-        for f in findings:
-            try:
-                rows.append(self._finding_to_row(f))
-            except Exception:
-                logger.exception(
-                    "Skipping malformed finding while building table for check %s",
-                    getattr(f, "check_id", "unknown"),
-                )
-
-        if not rows:
-            return []
-
-        columns = self._findings_table_columns()
-
-        flowables: list = []
-        total = len(rows)
-        for start in range(0, total, chunk_size):
-            chunk = rows[start : start + chunk_size]
-            flowables.append(
-                create_data_table(
-                    data=chunk,
-                    columns=columns,
-                    header_color=self.config.primary_color,
-                    normal_style=self.styles["normal_center"],
-                )
-            )
-            # A tiny spacer between chunks keeps them visually contiguous
-            # without forcing a page-break (KeepTogether would negate the
-            # memory benefit of chunking).
-            if start + chunk_size < total:
-                flowables.append(Spacer(1, 0.05 * inch))
-
-        if total > chunk_size:
-            logger.debug(
-                "Built %d findings sub-tables (chunk_size=%d, total_findings=%d)",
-                (total + chunk_size - 1) // chunk_size,
-                chunk_size,
-                total,
-            )
-
-        return flowables
-
-    def _create_findings_table(self, findings: list[FindingOutput]) -> Any:
-        """Deprecated alias kept for backwards compatibility.
-
-        Returns the first chunk produced by ``_create_findings_tables``.
-        New callers MUST use ``_create_findings_tables``, which returns a
-        list of flowables and is what ``create_detailed_findings`` invokes.
-        """
-        flowables = self._create_findings_tables(findings)
-        if flowables:
-            return flowables[0]
-        # Empty input → return an empty (header-only) table so callers that
-        # used to receive a Table never get None.
        return create_data_table(
-            data=[],
-            columns=self._findings_table_columns(),
+            data=data,
+            columns=columns,
            header_color=self.config.primary_color,
            normal_style=self.styles["normal_center"],
        )
@@ -1,11 +1,9 @@
 import gc
 import io
 import math
-import time
 from typing import Callable

 import matplotlib
-from celery.utils.log import get_task_logger

 # Use non-interactive Agg backend for memory efficiency in server environments
 # This MUST be set before importing pyplot
@@ -22,26 +20,6 @@ from .config import (  # noqa: E402
    CHART_DPI_DEFAULT,
 )

-logger = get_task_logger(__name__)
-
-
-def _log_chart_built(name: str, dpi: int, buffer: io.BytesIO, started: float) -> None:
-    """Emit a structured DEBUG line summarising a chart render.
-
-    Centralised so the formatting stays consistent across all chart helpers
-    and so we never accidentally pay for buffer.getbuffer().nbytes when
-    debug logging is disabled.
-    """
-    if logger.isEnabledFor(10):  # logging.DEBUG
-        logger.debug(
-            "chart_built name=%s dpi=%d bytes=%d elapsed_s=%.2f",
-            name,
-            dpi,
-            buffer.getbuffer().nbytes,
-            time.perf_counter() - started,
-        )
-
-
 # Use centralized DPI setting from config
 DEFAULT_CHART_DPI = CHART_DPI_DEFAULT

@@ -99,7 +77,6 @@ def create_vertical_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    if color_func is None:
        color_func = get_chart_color_for_percentage

@@ -145,7 +122,6 @@ def create_vertical_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("vertical_bar", dpi, buffer, _started)
    return buffer


@@ -180,7 +156,6 @@ def create_horizontal_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    if color_func is None:
        color_func = get_chart_color_for_percentage

@@ -232,7 +207,6 @@ def create_horizontal_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("horizontal_bar", dpi, buffer, _started)
    return buffer


@@ -265,7 +239,6 @@ def create_radar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    num_vars = len(labels)
    angles = [n / float(num_vars) * 2 * math.pi for n in range(num_vars)]

@@ -302,7 +275,6 @@ def create_radar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("radar", dpi, buffer, _started)
    return buffer


@@ -331,7 +303,6 @@ def create_pie_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    fig, ax = plt.subplots(figsize=figsize)

    _, _, autotexts = ax.pie(
@@ -359,7 +330,6 @@ def create_pie_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("pie", dpi, buffer, _started)
    return buffer


@@ -392,7 +362,6 @@ def create_stacked_bar_chart(
    Returns:
        BytesIO buffer containing the PNG image
    """
-    _started = time.perf_counter()
    fig, ax = plt.subplots(figsize=figsize)

    # Default colors if not provided
@@ -432,5 +401,4 @@ def create_stacked_bar_chart(
        plt.close(fig)
        gc.collect()  # Force garbage collection after heavy matplotlib operation

-    _log_chart_built("stacked_bar", dpi, buffer, _started)
    return buffer
@@ -475,15 +475,8 @@ def create_data_table(
            else:
                value = item.get(col.field, "")

-            # Wrap every string cell in Paragraph so the data rows keep the
-            # caller-supplied font/colour/alignment. Skipping Paragraph for
-            # short cells (a tempting micro-optimisation) breaks visual
-            # consistency: ReportLab Table falls back to Helvetica/black for
-            # raw strings, mixing fonts within the same table.
-            # ``escape_html`` keeps ``<``/``>``/``&`` in resource names from
-            # breaking Paragraph's mini-HTML parser.
            if normal_style and isinstance(value, str):
-                value = Paragraph(escape_html(value), normal_style)
+                value = Paragraph(value, normal_style)
            row.append(value)
        table_data.append(row)

@@ -515,26 +508,17 @@ def create_data_table(
    for idx, col in enumerate(columns):
        styles.append(("ALIGN", (idx, 0), (idx, -1), col.align))

-    # Alternate row backgrounds: single O(1) ROWBACKGROUNDS style entry.
-    # The previous implementation appended N per-row BACKGROUND commands,
-    # which scaled the TableStyle list linearly with row count. ReportLab
-    # cycles through the colour list row-by-row so the visual is identical.
-    # The ALTERNATE_ROWS_MAX_SIZE cap is preserved to mirror legacy
-    # behaviour (very large tables stay plain), but the memory cost of the
-    # styles list is now constant regardless of row count.
+    # Alternate row backgrounds - skip for very large tables as it adds memory overhead
    if (
        alternate_rows
        and len(table_data) > 1
        and len(table_data) <= ALTERNATE_ROWS_MAX_SIZE
    ):
-        styles.append(
-            (
-                "ROWBACKGROUNDS",
-                (0, 1),
-                (-1, -1),
-                [colors.white, colors.Color(0.98, 0.98, 0.98)],
-            )
-        )
+        for i in range(1, len(table_data)):
+            if i % 2 == 0:
+                styles.append(
+                    ("BACKGROUND", (0, i), (-1, i), colors.Color(0.98, 0.98, 0.98))
+                )

    table.setStyle(TableStyle(styles))
    return table
@@ -1,4 +1,3 @@
-import os
 from dataclasses import dataclass, field

 from reportlab.lib import colors
@@ -24,47 +23,6 @@ ALTERNATE_ROWS_MAX_SIZE = 200
 # Larger = fewer queries but more memory per batch
 FINDINGS_BATCH_SIZE = 2000

-# Maximum rows per findings sub-table. ReportLab resolves layout per Flowable;
-# splitting a huge findings list into multiple smaller tables keeps the peak
-# memory of doc.build() bounded. A single 15k-row LongTable would force
-# ReportLab to compute all column widths/row heights/page-breaks at once and
-# OOM the worker; 300-row chunks are rendered contiguously with negligible
-# visual impact.
-FINDINGS_TABLE_CHUNK_SIZE = 300
-
-# Maximum findings rendered per check in the detailed-findings section.
-#
-# Product behaviour: compliance PDFs render at most ``MAX_FINDINGS_PER_CHECK``
-# **failed** findings per check (PASS rows are excluded at SQL level by the
-# ``only_failed`` flag that all four list-rendering frameworks default to:
-# ThreatScore, NIS2, CSA, CIS; ENS does not render finding tables). Above
-# this cap each affected check renders an in-PDF banner
-# ("Showing first 100 of N failed findings for this check. Use the CSV
-# or JSON export for the full list") so the reader knows the table is
-# truncated and where to find the full data.
-#
-# Why a cap exists at all:
-#   * ``FindingOutput.transform_api_finding`` is O(N) per finding (Pydantic
-#     v1 validation + nested model construction).
-#   * ReportLab resolves layout per Flowable; thousands of sub-tables make
-#     ``doc.build()`` very slow and grow the PDF unboundedly.
-#   * A human-readable executive/auditor PDF does not need 12,000 rows for
-#     one check; that is forensic data and lives in the CSV/JSON exports.
-#
-# Why 100 specifically:
-#   * Covers ~99% of real scans without truncation (most checks emit far
-#     fewer than 100 findings even in enterprise estates).
-#   * Worst-case rendered rows = 100 × ~500 checks = 50k rows across all
-#     frameworks, which keeps RSS bounded and a 5-framework run completes
-#     in minutes instead of hours.
-#
-# Override at runtime via ``DJANGO_PDF_MAX_FINDINGS_PER_CHECK``:
-#   * Set to ``0`` to disable the cap entirely (load every finding; only
-#     advisable for small scans).
-#   * Set to a larger value (e.g. ``500``) for forensic detail in big runs;
-#     watch RSS in the Celery worker.
-MAX_FINDINGS_PER_CHECK = int(os.environ.get("DJANGO_PDF_MAX_FINDINGS_PER_CHECK", "100"))
-

 # =============================================================================
 # Base colors
@@ -1,8 +1,6 @@
 from celery.utils.log import get_task_logger
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
-from django.db.models import Count, F, Q, Window
-from django.db.models.functions import RowNumber
-from tasks.jobs.reports.config import MAX_FINDINGS_PER_CHECK
+from django.db.models import Count, Q

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
@@ -156,8 +154,6 @@ def _load_findings_for_requirement_checks(
    check_ids: list[str],
    prowler_provider,
    findings_cache: dict[str, list[FindingOutput]] | None = None,
-    total_counts_out: dict[str, int] | None = None,
-    only_failed_findings: bool = False,
 ) -> dict[str, list[FindingOutput]]:
    """
    Load findings for specific check IDs on-demand with optional caching.
@@ -182,23 +178,6 @@ def _load_findings_for_requirement_checks(
        prowler_provider: The initialized Prowler provider instance.
        findings_cache (dict, optional): Cache of already loaded findings.
            If provided, checks are first looked up in cache before querying database.
-        total_counts_out (dict, optional): If provided, populated with
-            ``{check_id: total_findings_in_db}`` BEFORE any per-check cap is
-            applied. Lets callers render a "Showing first N of M" banner for
-            truncated checks. Only populated for ``check_ids`` actually
-            queried (cache hits keep whatever value the caller already had).
-            When ``only_failed_findings=True`` the total is FAIL-only.
-        only_failed_findings (bool): When True, push the ``status=FAIL``
-            filter down into the SQL query so PASS rows are never loaded
-            from the DB nor pydantic-transformed. This matches the
-            ``only_failed`` requirement-level filter applied at PDF render
-            time: a requirement marked FAIL because 1/1000 findings failed
-            shouldn't render a table of 999 PASS rows. That hides the
-            actual failure under noise and wastes the per-check cap on
-            irrelevant data. NOTE: the findings cache stores whatever the
-            first caller asked for, so all callers in a single
-            ``generate_compliance_reports`` run MUST pass the same flag
-            (which they do: it threads from ``only_failed`` defaults).

    Returns:
        dict[str, list[FindingOutput]]: Dictionary mapping check_id to list of FindingOutput objects.
@@ -243,88 +222,17 @@ def _load_findings_for_requirement_checks(
        )

        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            base_qs = Finding.all_objects.filter(
-                tenant_id=tenant_id,
-                scan_id=scan_id,
-                check_id__in=check_ids_to_load,
+            # Use iterator with chunk_size for memory-efficient streaming
+            # chunk_size controls how many rows Django fetches from DB at once
+            findings_queryset = (
+                Finding.all_objects.filter(
+                    tenant_id=tenant_id,
+                    scan_id=scan_id,
+                    check_id__in=check_ids_to_load,
+                )
+                .order_by("check_id", "uid")
+                .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
            )
-            if only_failed_findings:
-                # Push the FAIL filter down into SQL: DB returns ~N×FAIL
-                # rows instead of N×ALL, and we never spend pydantic CPU on
-                # PASS findings the PDF would never render.
-                base_qs = base_qs.filter(status=StatusChoices.FAIL)
-
-            # Aggregate totals once so we (a) know which checks need capping
-            # and (b) can surface "Showing first N of M" in the PDF banner.
-            # Cheap: a single COUNT grouped by check_id.
-            totals: dict[str, int] = {
-                row["check_id"]: row["total"]
-                for row in base_qs.values("check_id").annotate(total=Count("id"))
-            }
-            if total_counts_out is not None:
-                total_counts_out.update(totals)
-
-            cap = MAX_FINDINGS_PER_CHECK
-            checks_over_cap = (
-                {cid for cid, n in totals.items() if n > cap} if cap > 0 else set()
-            )
-
-            # Use iterator with chunk_size for memory-efficient streaming.
-            # FindingOutput.transform_api_finding (prowler/lib/outputs/finding.py)
-            # reads finding.resources.first() and resource.tags.all() per
-            # finding, which without prefetch generates 2N queries per chunk.
-            # prefetch_related runs once per iterator chunk (Django >=4.1) and
-            # collapses that into a constant 2 extra queries per chunk.
-            if checks_over_cap:
-                # Two-step query so we can both cap rows per check AND attach
-                # prefetch_related on the streamed results:
-                #
-                #   1) ``ranked`` annotates every matching finding with a
-                #      per-check row number via a window function. The
-                #      partition keeps numbering independent per check, and
-                #      ordering by ``uid`` makes the "first N" selection
-                #      deterministic across runs (same scan → same rows).
-                #
-                #   2) The outer ``Finding.all_objects.filter(id__in=...)``
-                #      keeps only IDs whose row number is within the cap and
-                #      re-opens a plain queryset on it. Django cannot combine
-                #      ``Window`` annotations with ``prefetch_related`` on the
-                #      same queryset (the window is evaluated post-aggregation
-                #      and the prefetch loader fights with it), so the inner
-                #      SELECT becomes a subquery and the outer queryset is
-                #      free to prefetch resources/tags as usual.
-                #
-                # PostgreSQL only materialises
-                # ``cap * |checks_over_cap| + sum(uncapped)`` rows for the
-                # window step, vs the full table scan the previous path did.
-                ranked = base_qs.annotate(
-                    rn=Window(
-                        expression=RowNumber(),
-                        partition_by=[F("check_id")],
-                        order_by=F("uid").asc(),
-                    )
-                )
-                findings_queryset = (
-                    Finding.all_objects.filter(
-                        id__in=ranked.filter(rn__lte=cap).values("id")
-                    )
-                    .prefetch_related("resources", "resources__tags")
-                    .order_by("check_id", "uid")
-                    .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
-                )
-                logger.info(
-                    "Per-check cap=%d active for %d checks (max %d each); "
-                    "skipping transform for surplus rows",
-                    cap,
-                    len(checks_over_cap),
-                    cap,
-                )
-            else:
-                findings_queryset = (
-                    base_qs.prefetch_related("resources", "resources__tags")
-                    .order_by("check_id", "uid")
-                    .iterator(chunk_size=DJANGO_FINDINGS_BATCH_SIZE)
-                )

            # Pre-initialize empty lists for all check_ids to load
            # This avoids repeated dict lookups and 'if not in' checks
@@ -340,11 +248,7 @@ def _load_findings_for_requirement_checks(
                findings_count += 1

            logger.info(
-                "Loaded %d findings for %d checks (truncated %d checks total=%d)",
-                findings_count,
-                len(check_ids_to_load),
-                len(checks_over_cap),
-                sum(totals.values()),
+                f"Loaded {findings_count} findings for {len(check_ids_to_load)} checks"
            )

    # Build result dict using cache references (no data duplication)
@@ -354,40 +258,3 @@ def _load_findings_for_requirement_checks(
    }

    return result
-
-
-def _get_compliance_check_ids(compliance_obj) -> set[str]:
-    """Return the union of all check_ids referenced by a compliance framework.
-
-    Used by the master report orchestrator to know which checks each
-    framework consumes from the shared ``findings_cache``, so that once a
-    framework finishes the entries no other pending framework needs can be
-    evicted from the cache (PROWLER-1733).
-
-    Args:
-        compliance_obj: A loaded Compliance framework object exposing a
-            ``Requirements`` iterable, each requirement carrying ``Checks``.
-            ``None`` is treated as "no checks" rather than raising, so the
-            caller can pass ``frameworks_bulk.get(...)`` directly without
-            an extra existence check.
-
-    Returns:
-        Set of check_id strings (empty if ``compliance_obj`` is ``None``).
-    """
-    if compliance_obj is None:
-        return set()
-    checks: set[str] = set()
-    requirements = getattr(compliance_obj, "Requirements", None) or []
-    try:
-        # Defensive: Mock objects (used in unit tests) return another Mock
-        # for any attribute access, which is truthy but not iterable. Treat
-        # any non-iterable Requirements value as "no checks".
-        for req in requirements:
-            req_checks = getattr(req, "Checks", None) or []
-            try:
-                checks.update(req_checks)
-            except TypeError:
-                continue
-    except TypeError:
-        return set()
-    return checks
@@ -69,7 +69,7 @@ from tasks.utils import (

 from api.compliance import get_compliance_frameworks
 from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import delete_related_daily_task, rls_transaction
+from api.db_utils import rls_transaction
 from api.decorators import handle_provider_deletion, set_tenant
 from api.models import Finding, Integration, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
@@ -274,17 +274,6 @@ def perform_scan_task(
    Returns:
        dict: The result of the scan execution, typically including the status and results of the performed checks.
    """
-    with rls_transaction(tenant_id):
-        if not Provider.objects.filter(pk=provider_id).exists():
-            logger.warning(
-                "scan-perform skipped: provider %s no longer exists "
-                "(tenant=%s, scan=%s)",
-                provider_id,
-                tenant_id,
-                scan_id,
-            )
-            return None
-
    result = perform_prowler_scan(
        tenant_id=tenant_id,
        scan_id=scan_id,
@@ -321,16 +310,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
    task_id = self.request.id

    with rls_transaction(tenant_id):
-        if not Provider.objects.filter(pk=provider_id).exists():
-            logger.warning(
-                "scheduled scan-perform skipped: provider %s no longer exists "
-                "(tenant=%s)",
-                provider_id,
-                tenant_id,
-            )
-            delete_related_daily_task(provider_id)
-            return None
-
        periodic_task_instance = PeriodicTask.objects.get(
            name=f"scan-perform-scheduled-{provider_id}"
        )
@@ -44,8 +44,6 @@ from api.models import (
    Finding,
    Resource,
    ResourceFindingMapping,
-    ResourceTag,
-    ResourceTagMapping,
    StateChoices,
    StatusChoices,
 )
@@ -369,317 +367,6 @@ class TestLoadFindingsForChecks:

        assert result == {}

-    def test_prefetch_avoids_n_plus_one(self, tenants_fixture, scans_fixture):
-        """Loading N findings must NOT execute O(N) extra queries for resources/tags.
-
-        Regression test for PROWLER-1733. ``FindingOutput.transform_api_finding``
-        reads ``finding.resources.first()`` and ``resource.tags.all()`` per
-        finding. Without ``prefetch_related`` that's 2N additional queries;
-        with prefetch it collapses to a small constant per iterator chunk.
-        """
-        from django.test.utils import CaptureQueriesContext
-        from django.db import connections
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Build N findings, each linked to one resource that owns 2 tags.
-        N = 20
-        for i in range(N):
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-prefetch-{i}",
-                check_id="aws_check_prefetch",
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={
-                    "provider": "aws",
-                    "checkid": "aws_check_prefetch",
-                    "checktitle": "t",
-                    "checktype": [],
-                    "servicename": "s",
-                    "subservicename": "",
-                    "severity": "high",
-                    "resourcetype": "r",
-                    "description": "",
-                    "risk": "",
-                    "relatedurl": "",
-                    "remediation": {
-                        "recommendation": {"text": "", "url": ""},
-                        "code": {
-                            "nativeiac": "",
-                            "terraform": "",
-                            "cli": "",
-                            "other": "",
-                        },
-                    },
-                    "resourceidtemplate": "",
-                    "categories": [],
-                    "dependson": [],
-                    "relatedto": [],
-                    "notes": "",
-                },
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-prefetch-{i}",
-                name=f"r-prefetch-{i}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-            for k in ("env", "owner"):
-                tag, _ = ResourceTag.objects.get_or_create(
-                    tenant_id=tenant.id, key=k, value=f"v-{i}-{k}"
-                )
-                ResourceTagMapping.objects.create(
-                    tenant_id=tenant.id, resource=resource, tag=tag
-                )
-
-        mock_provider = Mock()
-        mock_provider.type = "aws"
-        mock_provider.identity.account = "test"
-
-        # Patch transform_api_finding to a no-op so the test isolates queries
-        # to the queryset/prefetch path (transform itself is exercised by
-        # the integration tests above and not by this regression check).
-        with patch(
-            "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-            side_effect=lambda model, provider: Mock(check_id=model.check_id),
-        ):
-            with CaptureQueriesContext(
-                connections["default_read_replica"]
-                if "default_read_replica" in connections.databases
-                else connections["default"]
-            ) as ctx:
-                _load_findings_for_requirement_checks(
-                    str(tenant.id),
-                    str(scan.id),
-                    ["aws_check_prefetch"],
-                    mock_provider,
-                )
-
-        # Expected: a small constant number of queries irrespective of N.
-        # Pre-fix this would be ~1 + 2*N. We give some slack for RLS SET
-        # LOCAL statements that the rls_transaction emits.
-        assert len(ctx.captured_queries) < N, (
-            f"Expected O(1) queries with prefetch_related; got "
-            f"{len(ctx.captured_queries)} for N={N} (N+1 regression?)"
-        )
-
-    def test_max_findings_per_check_cap(self, tenants_fixture, scans_fixture):
-        """When a check exceeds ``MAX_FINDINGS_PER_CHECK``, only ``cap`` rows
-        are loaded AND ``total_counts_out`` reports the pre-cap total.
-
-        Guards the PROWLER-1733 truncation knob: prevents both runaway memory
-        and silent data loss in the PDF (the banner relies on knowing the
-        real total).
-        """
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        # Create 12 findings for a single check; cap to 5.
-        check_id = "aws_check_cap_test"
-        for i in range(12):
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-cap-{i:02d}",
-                check_id=check_id,
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-cap-{i:02d}",
-                name=f"r-cap-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-
-        totals: dict = {}
-        # Patch the cap to a small value AND skip the heavy transform so we
-        # only assert on row counts and totals.
-        with (
-            _patch("tasks.jobs.threatscore_utils.MAX_FINDINGS_PER_CHECK", 5),
-            _patch(
-                "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-                side_effect=lambda model, provider: Mock(check_id=model.check_id),
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-            )
-
-        assert (
-            len(result[check_id]) == 5
-        ), f"cap=5 should yield exactly 5 loaded findings, got {len(result[check_id])}"
-        assert (
-            totals[check_id] == 12
-        ), f"total_counts_out should report the pre-cap total (12), got {totals[check_id]}"
-
-    def test_only_failed_findings_pushes_down_to_sql(
-        self, tenants_fixture, scans_fixture
-    ):
-        """When ``only_failed_findings=True``, PASS rows are excluded by the
-        DB filter, not just visually hidden afterwards.
-
-        Regression for the consistency fix: previously the requirement-level
-        ``only_failed`` flag filtered which requirements appeared, but inside
-        each rendered requirement the table still showed PASS rows mixed
-        with FAIL, which combined with ``MAX_FINDINGS_PER_CHECK`` could
-        truncate to 1000 PASS findings and hide the actual failure.
-        """
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-        check_id = "aws_check_only_failed_test"
-
-        # Mix PASS and FAIL so the filter has something to drop.
-        for i in range(6):
-            status = StatusChoices.FAIL if i % 2 == 0 else StatusChoices.PASS
-            finding = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-of-{i:02d}",
-                check_id=check_id,
-                status=status,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            resource = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-of-{i:02d}",
-                name=f"r-of-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=finding, resource=resource
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-
-        totals: dict = {}
-        with _patch(
-            "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-            side_effect=lambda model, provider: Mock(
-                check_id=model.check_id, status=model.status
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-                only_failed_findings=True,
-            )
-
-        # 3 FAIL + 3 PASS in DB; FAIL-only filter should load just 3.
-        loaded = result[check_id]
-        assert len(loaded) == 3, f"expected 3 FAIL findings, got {len(loaded)}"
-        statuses = {getattr(f, "status", None) for f in loaded}
-        assert statuses == {
-            StatusChoices.FAIL
-        }, f"expected all loaded findings to be FAIL; got statuses {statuses}"
-        # total_counts must reflect the FAIL-only total, not the global total.
-        assert (
-            totals[check_id] == 3
-        ), f"total_counts should be FAIL-only (3), got {totals[check_id]}"
-
-    def test_max_findings_per_check_disabled(self, tenants_fixture, scans_fixture):
-        """``MAX_FINDINGS_PER_CHECK=0`` disables the cap; load all rows."""
-        from unittest.mock import patch as _patch
-
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        check_id = "aws_check_uncapped"
-        for i in range(8):
-            f = Finding.objects.create(
-                tenant_id=tenant.id,
-                scan=scan,
-                uid=f"f-unc-{i:02d}",
-                check_id=check_id,
-                status=StatusChoices.FAIL,
-                severity=Severity.high,
-                impact=Severity.high,
-                check_metadata={},
-                raw_result={},
-            )
-            r = Resource.objects.create(
-                tenant_id=tenant.id,
-                provider=scan.provider,
-                uid=f"r-unc-{i:02d}",
-                name=f"r-unc-{i:02d}",
-                metadata="{}",
-                details="",
-                region="us-east-1",
-                service="s",
-                type="t::r",
-            )
-            ResourceFindingMapping.objects.create(
-                tenant_id=tenant.id, finding=f, resource=r
-            )
-
-        mock_provider = Mock(type="aws")
-        mock_provider.identity.account = "test"
-        totals: dict = {}
-        with (
-            _patch("tasks.jobs.threatscore_utils.MAX_FINDINGS_PER_CHECK", 0),
-            _patch(
-                "tasks.jobs.threatscore_utils.FindingOutput.transform_api_finding",
-                side_effect=lambda model, provider: Mock(check_id=model.check_id),
-            ),
-        ):
-            result = _load_findings_for_requirement_checks(
-                str(tenant.id),
-                str(scan.id),
-                [check_id],
-                mock_provider,
-                total_counts_out=totals,
-            )
-
-        assert len(result[check_id]) == 8
-        assert totals[check_id] == 8
-

 class TestCleanupStaleTmpOutputDirectories:
    """Unit tests for opportunistic stale cleanup under tmp output root."""
@@ -1168,181 +855,6 @@ class TestGenerateComplianceReportsOptimized:
        assert result["cis"] == {"upload": False, "path": ""}
        mock_cis.assert_not_called()

-    @patch("api.utils.initialize_prowler_provider")
-    @patch("tasks.jobs.report.rmtree")
-    @patch("tasks.jobs.report._upload_to_s3")
-    @patch("tasks.jobs.report.generate_cis_report")
-    @patch("tasks.jobs.report.generate_csa_report")
-    @patch("tasks.jobs.report.generate_nis2_report")
-    @patch("tasks.jobs.report.generate_ens_report")
-    @patch("tasks.jobs.report.generate_threatscore_report")
-    @patch("tasks.jobs.report._generate_compliance_output_directory")
-    @patch("tasks.jobs.report._aggregate_requirement_statistics_from_database")
-    @patch("tasks.jobs.report.Compliance.get_bulk")
-    @patch("tasks.jobs.report.Provider.objects.get")
-    @patch("tasks.jobs.report.ScanSummary.objects.filter")
-    def test_findings_cache_eviction_after_framework(
-        self,
-        mock_scan_summary_filter,
-        mock_provider_get,
-        mock_get_bulk,
-        mock_aggregate_stats,
-        mock_generate_output_dir,
-        mock_threatscore,
-        mock_ens,
-        mock_nis2,
-        mock_csa,
-        mock_cis,
-        mock_upload_to_s3,
-        mock_rmtree,
-        mock_init_provider,
-    ):
-        """After each framework finishes, exclusive entries are evicted.
-
-        Threat scenario for PROWLER-1733: the shared ``findings_cache`` used
-        to grow monotonically through all 5 frameworks. With the new
-        eviction logic, check_ids only used by ThreatScore are dropped when
-        ThreatScore finishes, before ENS runs.
-        """
-        from types import SimpleNamespace
-        from tasks.jobs import report as report_mod
-
-        mock_scan_summary_filter.return_value.exists.return_value = True
-        mock_provider_get.return_value = Mock(uid="provider-uid", provider="aws")
-        # ThreatScore consumes {tsc_only, shared}; ENS consumes {ens_only,
-        # shared}. After ThreatScore evicts, tsc_only must be gone but
-        # shared and ens_only must remain.
-        mock_get_bulk.return_value = {
-            "prowler_threatscore_aws": SimpleNamespace(
-                Requirements=[SimpleNamespace(Checks=["tsc_only", "shared"])]
-            ),
-            "ens_rd2022_aws": SimpleNamespace(
-                Requirements=[SimpleNamespace(Checks=["ens_only", "shared"])]
-            ),
-        }
-        mock_aggregate_stats.return_value = {}
-        mock_generate_output_dir.return_value = "/tmp/tenant/scan/x/prowler-out"
-        mock_upload_to_s3.return_value = "s3://bucket/tenant/scan/x/report.pdf"
-        mock_init_provider.return_value = Mock(name="prowler_provider")
-
-        # Seed the cache as if both frameworks had already loaded their
-        # findings. We mutate it indirectly: each generator wrapper is a
-        # Mock: make ThreatScore populate the cache, and have ENS observe
-        # the state at call time so we can introspect post-eviction.
-        observed_state: dict = {}
-
-        def _threatscore_side_effect(**kwargs):
-            cache = kwargs["findings_cache"]
-            cache["tsc_only"] = ["tsc-finding"]
-            cache["shared"] = ["shared-finding"]
-
-        def _ens_side_effect(**kwargs):
-            # ENS runs AFTER threatscore's _evict_after_framework("threatscore").
-            observed_state["cache_keys_when_ens_runs"] = set(
-                kwargs["findings_cache"].keys()
-            )
-            kwargs["findings_cache"]["ens_only"] = ["ens-finding"]
-
-        mock_threatscore.side_effect = _threatscore_side_effect
-        mock_ens.side_effect = _ens_side_effect
-
-        report_mod.generate_compliance_reports(
-            tenant_id=str(uuid.uuid4()),
-            scan_id=str(uuid.uuid4()),
-            provider_id=str(uuid.uuid4()),
-            generate_threatscore=True,
-            generate_ens=True,
-            generate_nis2=False,
-            generate_csa=False,
-            generate_cis=False,
-        )
-
-        # ``tsc_only`` was exclusive to ThreatScore → evicted before ENS ran.
-        # ``shared`` is still pending for ENS → must remain.
-        assert (
-            "tsc_only" not in observed_state["cache_keys_when_ens_runs"]
-        ), "tsc_only should have been evicted before ENS ran"
-        assert (
-            "shared" in observed_state["cache_keys_when_ens_runs"]
-        ), "shared must remain in cache because ENS still needs it"
-
-    @patch("tasks.jobs.report.initialize_prowler_provider")
-    @patch("tasks.jobs.report.rmtree")
-    @patch("tasks.jobs.report._upload_to_s3")
-    @patch("tasks.jobs.report.generate_cis_report")
-    @patch("tasks.jobs.report.generate_csa_report")
-    @patch("tasks.jobs.report.generate_nis2_report")
-    @patch("tasks.jobs.report.generate_ens_report")
-    @patch("tasks.jobs.report.generate_threatscore_report")
-    @patch("tasks.jobs.report._generate_compliance_output_directory")
-    @patch("tasks.jobs.report._aggregate_requirement_statistics_from_database")
-    @patch("tasks.jobs.report.Compliance.get_bulk")
-    @patch("tasks.jobs.report.Provider.objects.get")
-    @patch("tasks.jobs.report.ScanSummary.objects.filter")
-    def test_prowler_provider_initialized_once(
-        self,
-        mock_scan_summary_filter,
-        mock_provider_get,
-        mock_get_bulk,
-        mock_aggregate_stats,
-        mock_generate_output_dir,
-        mock_threatscore,
-        mock_ens,
-        mock_nis2,
-        mock_csa,
-        mock_cis,
-        mock_upload_to_s3,
-        mock_rmtree,
-        mock_init_provider,
-    ):
-        """``initialize_prowler_provider`` must be called exactly once for
-        the whole batch (PROWLER-1733). Previously each generator re-init'd
-        the SDK provider in ``_load_compliance_data`` → 5 inits per scan.
-        """
-        mock_scan_summary_filter.return_value.exists.return_value = True
-        mock_provider_get.return_value = Mock(uid="provider-uid", provider="aws")
-        # CIS variant discovery needs at least one cis_* key.
-        mock_get_bulk.return_value = {"cis_6.0_aws": Mock()}
-        mock_aggregate_stats.return_value = {}
-        mock_generate_output_dir.return_value = "/tmp/tenant/scan/x/prowler-out"
-        mock_upload_to_s3.return_value = "s3://bucket/tenant/scan/x/report.pdf"
-        mock_init_provider.return_value = Mock(name="prowler_provider")
-
-        generate_compliance_reports(
-            tenant_id=str(uuid.uuid4()),
-            scan_id=str(uuid.uuid4()),
-            provider_id=str(uuid.uuid4()),
-            generate_threatscore=True,
-            generate_ens=True,
-            generate_nis2=True,
-            generate_csa=True,
-            generate_cis=True,
-        )
-
-        # All 5 wrappers were invoked once each…
-        mock_threatscore.assert_called_once()
-        mock_ens.assert_called_once()
-        mock_nis2.assert_called_once()
-        mock_csa.assert_called_once()
-        mock_cis.assert_called_once()
-        # …but the SDK provider was initialized only once.
-        assert mock_init_provider.call_count == 1, (
-            f"expected 1 init, got {mock_init_provider.call_count} "
-            f"(prowler_provider must be shared across reports)"
-        )
-
-        # The shared instance must reach every wrapper as kwargs.
-        shared = mock_init_provider.return_value
-        for mock_wrapper in (
-            mock_threatscore,
-            mock_ens,
-            mock_nis2,
-            mock_csa,
-            mock_cis,
-        ):
-            _, call_kwargs = mock_wrapper.call_args
-            assert call_kwargs.get("prowler_provider") is shared
-
    @patch("tasks.jobs.report.rmtree")
    @patch("tasks.jobs.report._upload_to_s3")
    @patch("tasks.jobs.report.generate_threatscore_report")
@@ -1269,48 +1269,6 @@ class TestComponentEdgeCases:
        # Should be a LongTable for large datasets
        assert isinstance(table, LongTable)

-    def test_zebra_uses_rowbackgrounds_not_per_row_background(self, monkeypatch):
-        """The styles list must contain exactly one ROWBACKGROUNDS entry
-        regardless of row count, never N per-row BACKGROUND entries.
-        """
-        captured: dict = {}
-
-        # Capture the list passed to TableStyle. create_data_table builds a
-        # list of style tuples and wraps it in a TableStyle exactly once;
-        # by patching TableStyle we intercept that list.
-        import tasks.jobs.reports.components as comp_mod
-
-        original_table_style = comp_mod.TableStyle
-
-        def _capture_table_style(style_list):
-            captured["styles"] = list(style_list)
-            return original_table_style(style_list)
-
-        monkeypatch.setattr(comp_mod, "TableStyle", _capture_table_style)
-
-        data = [{"name": f"Item {i}"} for i in range(60)]
-        columns = [ColumnConfig("Name", 2 * inch, "name")]
-        comp_mod.create_data_table(data, columns, alternate_rows=True)
-
-        styles = captured["styles"]
-        # Count by command name.
-        names = [s[0] for s in styles if isinstance(s, tuple) and s]
-        # Exactly one ROWBACKGROUNDS entry.
-        assert names.count("ROWBACKGROUNDS") == 1
-        # Zero per-row BACKGROUND entries on data rows. (The header row
-        # BACKGROUND command is intentional and lives at coords (0,0)/(-1,0).)
-        data_row_bg = [
-            s
-            for s in styles
-            if isinstance(s, tuple)
-            and s[0] == "BACKGROUND"
-            and not (s[1] == (0, 0) and s[2] == (-1, 0))
-        ]
-        assert data_row_bg == [], (
-            f"expected no per-row BACKGROUND entries on data rows; "
-            f"got {len(data_row_bg)}"
-        )
-
    def test_create_risk_component_zero_values(self):
        """Test risk component with zero values."""
        component = create_risk_component(risk_level=0, weight=0, score=0)
@@ -1386,194 +1344,3 @@ class TestFrameworkConfigEdgeCases:
        assert get_framework_config("my_custom_threatscore_compliance") is not None
        assert get_framework_config("ens_something_else") is not None
        assert get_framework_config("nis2_gcp") is not None
-
-
-# =============================================================================
-# Findings Table Chunking Tests (PROWLER-1733)
-# =============================================================================
-#
-# These tests guard the OOM-prevention behaviour added in PROWLER-1733:
-# ``_create_findings_tables`` must split a list of findings into multiple
-# small sub-tables instead of producing one giant Table, which would force
-# ReportLab to resolve layout for all rows at once and OOM the worker on
-# scans with thousands of findings per check.
-
-
-class _DummyMetadata:
-    """Lightweight stand-in for FindingOutput.metadata used in chunking tests."""
-
-    def __init__(self, check_title: str = "Title", severity: str = "high"):
-        self.CheckTitle = check_title
-        self.Severity = severity
-
-
-class _DummyFinding:
-    """Lightweight stand-in for FindingOutput used in chunking tests.
-
-    The chunking code only reads a small set of attributes via ``getattr``,
-    so a duck-typed object is enough and lets the tests run without touching
-    the DB or pydantic deserialisation.
-    """
-
-    def __init__(
-        self,
-        check_id: str = "aws_check",
-        resource_name: str = "res-1",
-        resource_uid: str = "",
-        status: str = "FAIL",
-        region: str = "us-east-1",
-        with_metadata: bool = True,
-    ):
-        self.check_id = check_id
-        self.resource_name = resource_name
-        self.resource_uid = resource_uid
-        self.status = status
-        self.region = region
-        if with_metadata:
-            self.metadata = _DummyMetadata()
-        else:
-            self.metadata = None
-
-
-def _make_concrete_generator():
-    """Return a minimal concrete subclass of BaseComplianceReportGenerator."""
-
-    class _Concrete(BaseComplianceReportGenerator):
-        def create_executive_summary(self, data):
-            return []
-
-        def create_charts_section(self, data):
-            return []
-
-        def create_requirements_index(self, data):
-            return []
-
-    return _Concrete(FrameworkConfig(name="test", display_name="Test"))
-
-
-class TestFindingsTableChunking:
-    """Tests for ``_create_findings_tables`` (PROWLER-1733)."""
-
-    def test_chunking_produces_expected_number_of_subtables(self):
-        """5000 findings @ chunk_size=300 → 17 sub-tables + 16 spacers."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c1") for _ in range(5000)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        spacers = [f for f in flowables if isinstance(f, Spacer)]
-        # ceil(5000 / 300) == 17
-        assert len(tables) == 17
-        # Spacer between every pair of contiguous tables, not after the last
-        assert len(spacers) == 16
-
-    def test_chunk_size_param_overrides_default(self):
-        """250 findings @ chunk_size=100 → 3 sub-tables."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c2") for _ in range(250)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=100)
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        assert len(tables) == 3
-
-    def test_empty_findings_returns_empty_list(self):
-        """No findings → no flowables. Callers can extend(...) safely."""
-        generator = _make_concrete_generator()
-        assert generator._create_findings_tables([]) == []
-
-    def test_single_chunk_has_no_spacer(self):
-        """A single sub-table must not emit a trailing spacer."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c3") for _ in range(10)]
-
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-        assert len(flowables) == 1
-        assert isinstance(flowables[0], (Table, LongTable))
-
-    def test_malformed_finding_is_skipped(self):
-        """A broken finding must not abort the report; it is logged and skipped."""
-        generator = _make_concrete_generator()
-
-        class _Broken:
-            # No attributes at all; getattr() defaults will mostly cope, but
-            # we force an explicit error by making the metadata attribute
-            # itself raise on access.
-            @property
-            def metadata(self):
-                raise RuntimeError("boom")
-
-            check_id = "broken"
-
-        findings = [
-            _DummyFinding(check_id="c4"),
-            _Broken(),
-            _DummyFinding(check_id="c4"),
-        ]
-        flowables = generator._create_findings_tables(findings, chunk_size=300)
-        # Two good rows → one sub-table containing them; the broken one is
-        # logged and dropped, not propagated.
-        tables = [f for f in flowables if isinstance(f, (Table, LongTable))]
-        assert len(tables) == 1
-
-    def test_create_findings_table_alias_returns_first_chunk(self):
-        """The deprecated alias must keep returning a single Table flowable."""
-        generator = _make_concrete_generator()
-        findings = [_DummyFinding(check_id="c5") for _ in range(700)]
-
-        first = generator._create_findings_table(findings)
-        assert isinstance(first, (Table, LongTable))
-
-    def test_create_findings_table_alias_empty(self):
-        """Alias on empty input returns an empty (header-only) Table, not None."""
-        generator = _make_concrete_generator()
-        result = generator._create_findings_table([])
-        # The legacy alias never returned None; an empty header-only table
-        # is a strict superset of that contract.
-        assert isinstance(result, (Table, LongTable))
-
-
-# =============================================================================
-# Logging Context Manager Tests (PROWLER-1733)
-# =============================================================================
-
-
-class TestLogPhaseContextManager:
-    """Tests for ``_log_phase`` (PROWLER-1733).
-
-    The context manager emits structured ``phase_start`` / ``phase_end``
-    logs with ``scan_id``, ``framework`` and ``elapsed_s``, so Datadog/
-    CloudWatch queries can pivot by scan and find the slow section.
-    """
-
-    def test_emits_start_and_end_with_elapsed_and_rss(self, caplog):
-        from tasks.jobs.reports.base import _log_phase
-
-        caplog.set_level("INFO", logger="tasks.jobs.reports.base")
-        with _log_phase("unit_test_phase", scan_id="s-1", framework="Test FW"):
-            pass
-
-        messages = [r.getMessage() for r in caplog.records]
-        starts = [m for m in messages if "phase_start" in m]
-        ends = [m for m in messages if "phase_end" in m]
-
-        assert len(starts) == 1 and len(ends) == 1
-        assert "phase=unit_test_phase" in starts[0]
-        assert "scan_id=s-1" in starts[0]
-        assert "framework=Test FW" in starts[0]
-        assert "elapsed_s=" in ends[0]
-        assert "rss_kb=" in ends[0]
-        assert "delta_rss_kb=" in ends[0]
-
-    def test_failure_logs_phase_failed_and_reraises(self, caplog):
-        from tasks.jobs.reports.base import _log_phase
-
-        caplog.set_level("INFO", logger="tasks.jobs.reports.base")
-        with pytest.raises(RuntimeError, match="boom"):
-            with _log_phase("failing_phase", scan_id="s-2", framework="FW"):
-                raise RuntimeError("boom")
-
-        messages = [r.getMessage() for r in caplog.records]
-        assert any("phase_failed" in m and "failing_phase" in m for m in messages)
-        # No phase_end on the failure path.
-        assert not any("phase_end" in m for m in messages)
@@ -21,7 +21,6 @@ from tasks.tasks import (
    check_lighthouse_provider_connection_task,
    generate_outputs_task,
    perform_attack_paths_scan_task,
-    perform_scan_task,
    perform_scheduled_scan_task,
    reaggregate_all_finding_group_summaries_task,
    refresh_lighthouse_provider_models_task,
@@ -2455,57 +2454,6 @@ class TestPerformScheduledScanTask:
            == 1
        )

-    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
-        """Return None without raising when the provider was already deleted."""
-        tenant = tenants_fixture[0]
-        missing_provider_id = str(uuid.uuid4())
-        task_id = str(uuid.uuid4())
-        self._create_task_result(tenant.id, task_id)
-        # Orphan PeriodicTask left behind from a previous lifecycle.
-        self._create_periodic_task(missing_provider_id, tenant.id)
-        orphan_name = f"scan-perform-scheduled-{missing_provider_id}"
-        assert PeriodicTask.objects.filter(name=orphan_name).exists()
-
-        with (
-            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
-            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
-            self._override_task_request(perform_scheduled_scan_task, id=task_id),
-        ):
-            result = perform_scheduled_scan_task.run(
-                tenant_id=str(tenant.id), provider_id=missing_provider_id
-            )
-
-        assert result is None
-        mock_scan.assert_not_called()
-        mock_complete_tasks.assert_not_called()
-        # Orphan PeriodicTask is cleaned up so beat stops re-firing it.
-        assert not PeriodicTask.objects.filter(name=orphan_name).exists()
-
-
-@pytest.mark.django_db
-class TestPerformScanTask:
-    """Unit tests for perform_scan_task."""
-
-    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
-        """Return None without raising when the provider was already deleted."""
-        tenant = tenants_fixture[0]
-        missing_provider_id = str(uuid.uuid4())
-        scan_id = str(uuid.uuid4())
-
-        with (
-            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
-            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
-        ):
-            result = perform_scan_task.run(
-                tenant_id=str(tenant.id),
-                scan_id=scan_id,
-                provider_id=missing_provider_id,
-            )
-
-        assert result is None
-        mock_scan.assert_not_called()
-        mock_complete_tasks.assert_not_called()
-

@pytest.mark.django_db
 class TestReaggregateAllFindingGroupSummaries:
@@ -222,7 +222,7 @@ constraints = [
    { name = "knack", specifier = "==0.11.0" },
    { name = "kombu", specifier = "==5.6.2" },
    { name = "kubernetes", specifier = "==32.0.1" },
-    { name = "lxml", specifier = "==6.1.0" },
+    { name = "lxml", specifier = "==5.3.2" },
    { name = "lz4", specifier = "==4.4.5" },
    { name = "markdown", specifier = "==3.10.2" },
    { name = "markdown-it-py", specifier = "==4.0.0" },
@@ -231,13 +231,13 @@ constraints = [
    { name = "matplotlib", specifier = "==3.10.8" },
    { name = "mccabe", specifier = "==0.7.0" },
    { name = "mdurl", specifier = "==0.1.2" },
-    { name = "microsoft-kiota-abstractions", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-authentication-azure", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-http", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-serialization-form", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-serialization-json", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-serialization-multipart", specifier = "==1.9.9" },
-    { name = "microsoft-kiota-serialization-text", specifier = "==1.9.9" },
+    { name = "microsoft-kiota-abstractions", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-authentication-azure", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-http", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-serialization-form", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-serialization-json", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-serialization-multipart", specifier = "==1.9.2" },
+    { name = "microsoft-kiota-serialization-text", specifier = "==1.9.2" },
    { name = "microsoft-security-utilities-secret-masker", specifier = "==1.0.0b4" },
    { name = "msal", specifier = "==1.35.0b1" },
    { name = "msal-extensions", specifier = "==1.2.0" },
@@ -355,7 +355,7 @@ constraints = [
    { name = "tzdata", specifier = "==2025.3" },
    { name = "tzlocal", specifier = "==5.3.1" },
    { name = "uritemplate", specifier = "==4.2.0" },
-    { name = "urllib3", specifier = "==2.7.0" },
+    { name = "urllib3", specifier = "==2.6.3" },
    { name = "uuid6", specifier = "==2024.7.10" },
    { name = "vine", specifier = "==5.1.0" },
    { name = "vulture", specifier = "==2.14" },
@@ -365,7 +365,7 @@ constraints = [
    { name = "workos", specifier = "==6.0.4" },
    { name = "wrapt", specifier = "==1.17.3" },
    { name = "xlsxwriter", specifier = "==3.2.9" },
-    { name = "xmlsec", specifier = "==1.3.17" },
+    { name = "xmlsec", specifier = "==1.3.14" },
    { name = "xmltodict", specifier = "==1.0.2" },
    { name = "yarl", specifier = "==1.22.0" },
    { name = "zipp", specifier = "==3.23.0" },
@@ -373,10 +373,7 @@ constraints = [
    { name = "zope-interface", specifier = "==8.2" },
    { name = "zstd", specifier = "==1.5.7.3" },
 ]
-overrides = [
-    { name = "microsoft-kiota-abstractions", specifier = "==1.9.9" },
-    { name = "okta", specifier = "==3.4.2" },
-]
+overrides = [{ name = "okta", specifier = "==3.4.2" }]

 [[package]]
 name = "about-time"
@@ -3477,50 +3474,44 @@ wheels = [

 [[package]]
 name = "lxml"
-version = "6.1.0"
+version = "5.3.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/28/30/9abc9e34c657c33834eaf6cd02124c61bdf5944d802aa48e69be8da3585d/lxml-6.1.0.tar.gz", hash = "sha256:bfd57d8008c4965709a919c3e9a98f76c2c7cb319086b3d26858250620023b13", size = 4197006, upload-time = "2026-04-18T04:32:51.613Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/80/61/d3dc048cd6c7be6fe45b80cedcbdd4326ba4d550375f266d9f4246d0f4bc/lxml-5.3.2.tar.gz", hash = "sha256:773947d0ed809ddad824b7b14467e1a481b8976e87278ac4a730c2f7c7fcddc1", size = 3679948, upload-time = "2025-04-05T18:31:58.757Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5e/5d/3bccad330292946f97962df9d5f2d3ae129cce6e212732a781e856b91e07/lxml-6.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:cec05be8c876f92a5aa07b01d60bbb4d11cfbdd654cad0561c0d7b5c043a61b9", size = 8526232, upload-time = "2026-04-18T04:27:40.389Z" },
-    { url = "https://files.pythonhosted.org/packages/a7/51/adc8826570a112f83bb4ddb3a2ab510bbc2ccd62c1b9fe1f34fae2d90b57/lxml-6.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:9c03e048b6ce8e77b09c734e931584894ecd58d08296804ca2d0b184c933ce50", size = 4595448, upload-time = "2026-04-18T04:27:44.208Z" },
-    { url = "https://files.pythonhosted.org/packages/54/84/5a9ec07cbe1d2334a6465f863b949a520d2699a755738986dcd3b6b89e3f/lxml-6.1.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:942454ff253da14218f972b23dc72fa4edf6c943f37edd19cd697618b626fac5", size = 4923771, upload-time = "2026-04-18T04:32:17.402Z" },
-    { url = "https://files.pythonhosted.org/packages/a7/23/851cfa33b6b38adb628e45ad51fb27105fa34b2b3ba9d1d4aa7a9428dfe0/lxml-6.1.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d036ee7b99d5148072ac7c9b847193decdfeac633db350363f7bce4fff108f0e", size = 5068101, upload-time = "2026-04-18T04:32:21.437Z" },
-    { url = "https://files.pythonhosted.org/packages/b0/38/41bf99c2023c6b79916ba057d83e9db21d642f473cac210201222882d38b/lxml-6.1.0-cp311-cp311-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3ae5d8d5427f3cc317e7950f2da7ad276df0cfa37b8de2f5658959e618ea8512", size = 5002573, upload-time = "2026-04-18T04:32:25.373Z" },
-    { url = "https://files.pythonhosted.org/packages/c2/20/053aa10bdc39747e1e923ce2d45413075e84f70a136045bb09e5eaca41d3/lxml-6.1.0-cp311-cp311-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:363e47283bde87051b821826e71dde47f107e08614e1aa312ba0c5711e77738c", size = 5202816, upload-time = "2026-04-18T04:32:29.393Z" },
-    { url = "https://files.pythonhosted.org/packages/9a/da/bc710fad8bf04b93baee752c192eaa2210cd3a84f969d0be7830fea55802/lxml-6.1.0-cp311-cp311-manylinux_2_28_i686.whl", hash = "sha256:f504d861d9f2a8f94020130adac88d66de93841707a23a86244263d1e54682f5", size = 5329999, upload-time = "2026-04-18T04:32:34.019Z" },
-    { url = "https://files.pythonhosted.org/packages/b3/cb/bf035dedbdf7fab49411aa52e4236f3445e98d38647d85419e6c0d2806b9/lxml-6.1.0-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:23a5dc68e08ed13331d61815c08f260f46b4a60fdd1640bbeb82cf89a9d90289", size = 4659643, upload-time = "2026-04-18T04:32:37.932Z" },
-    { url = "https://files.pythonhosted.org/packages/5c/4f/22be31f33727a5e4c7b01b0a874503026e50329b259d3587e0b923cf964b/lxml-6.1.0-cp311-cp311-manylinux_2_38_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f15401d8d3dbf239e23c818afc10c7207f7b95f9a307e092122b6f86dd43209a", size = 5265963, upload-time = "2026-04-18T04:32:41.881Z" },
-    { url = "https://files.pythonhosted.org/packages/c8/2b/d44d0e5c79226017f4ab8c87a802ebe4f89f97e6585a8e4166dffcdd7b6e/lxml-6.1.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:fcf3da95e93349e0647d48d4b36a12783105bcc74cb0c416952f9988410846a3", size = 5045444, upload-time = "2026-04-18T04:32:44.512Z" },
-    { url = "https://files.pythonhosted.org/packages/d3/c3/3f034fec1594c331a6dbf9491238fdcc9d66f68cc529e109ec75b97197e1/lxml-6.1.0-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:0d082495c5fcf426e425a6e28daaba1fcb6d8f854a4ff01effb1f1f381203eb9", size = 4712703, upload-time = "2026-04-18T04:32:47.16Z" },
-    { url = "https://files.pythonhosted.org/packages/12/16/0b83fccc158218aca75a7aa33e97441df737950734246b9fffa39301603d/lxml-6.1.0-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:e3c4f84b24a1fcba435157d111c4b755099c6ff00a3daee1ad281817de75ed11", size = 5252745, upload-time = "2026-04-18T04:32:50.427Z" },
-    { url = "https://files.pythonhosted.org/packages/dd/ee/12e6c1b39a77666c02eaa77f94a870aaf63c4ac3a497b2d52319448b01c6/lxml-6.1.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:976a6b39b1b13e8c354ad8d3f261f3a4ac6609518af91bdb5094760a08f132c4", size = 5226822, upload-time = "2026-04-18T04:32:53.437Z" },
-    { url = "https://files.pythonhosted.org/packages/34/20/c7852904858b4723af01d2fc14b5d38ff57cb92f01934a127ebd9a9e51aa/lxml-6.1.0-cp311-cp311-win32.whl", hash = "sha256:857efde87d365706590847b916baff69c0bc9252dc5af030e378c9800c0b10e3", size = 3594026, upload-time = "2026-04-18T04:27:31.903Z" },
-    { url = "https://files.pythonhosted.org/packages/02/05/d60c732b56da5085175c07c74b2df4e6d181b0c9a61e1691474f06ef4b39/lxml-6.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:183bfb45a493081943be7ea2b5adfc2b611e1cf377cefa8b8a8be404f45ef9a7", size = 4025114, upload-time = "2026-04-18T04:27:34.077Z" },
-    { url = "https://files.pythonhosted.org/packages/c2/df/c84dcc175fd690823436d15b41cb920cd5ba5e14cd8bfb00949d5903b320/lxml-6.1.0-cp311-cp311-win_arm64.whl", hash = "sha256:19f4164243fc206d12ed3d866e80e74f5bc3627966520da1a5f97e42c32a3f39", size = 3667742, upload-time = "2026-04-18T04:27:38.45Z" },
-    { url = "https://files.pythonhosted.org/packages/d2/d4/9326838b59dc36dfae42eec9656b97520f9997eee1de47b8316aaeed169c/lxml-6.1.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:d2f17a16cd8751e8eb233a7e41aecdf8e511712e00088bf9be455f604cd0d28d", size = 8570663, upload-time = "2026-04-18T04:27:48.253Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/a4/053745ce1f8303ccbb788b86c0db3a91b973675cefc42566a188637b7c40/lxml-6.1.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f0cea5b1d3e6e77d71bd2b9972eb2446221a69dc52bb0b9c3c6f6e5700592d93", size = 4624024, upload-time = "2026-04-18T04:27:52.594Z" },
-    { url = "https://files.pythonhosted.org/packages/90/97/a517944b20f8fd0932ad2109482bee4e29fe721416387a363306667941f6/lxml-6.1.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:fc46da94826188ed45cb53bd8e3fc076ae22675aea2087843d4735627f867c6d", size = 4930895, upload-time = "2026-04-18T04:32:56.29Z" },
-    { url = "https://files.pythonhosted.org/packages/94/7c/e08a970727d556caa040a44773c7b7e3ad0f0d73dedc863543e9a8b931f2/lxml-6.1.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9147d8e386ec3b82c3b15d88927f734f565b0aaadef7def562b853adca45784a", size = 5093820, upload-time = "2026-04-18T04:32:58.94Z" },
-    { url = "https://files.pythonhosted.org/packages/88/ee/2a5c2aa2c32016a226ca25d3e1056a8102ea6e1fe308bf50213586635400/lxml-6.1.0-cp312-cp312-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5715e0e28736a070f3f34a7ccc09e2fdcba0e3060abbcf61a1a5718ff6d6b105", size = 5005790, upload-time = "2026-04-18T04:33:01.272Z" },
-    { url = "https://files.pythonhosted.org/packages/e3/38/a0db9be8f38ad6043ab9429487c128dd1d30f07956ef43040402f8da49e8/lxml-6.1.0-cp312-cp312-manylinux_2_26_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:4937460dc5df0cdd2f06a86c285c28afda06aefa3af949f9477d3e8df430c485", size = 5630827, upload-time = "2026-04-18T04:33:04.036Z" },
-    { url = "https://files.pythonhosted.org/packages/31/ba/3c13d3fc24b7cacf675f808a3a1baabf43a30d0cd24c98f94548e9aa58eb/lxml-6.1.0-cp312-cp312-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bc783ee3147e60a25aa0445ea82b3e8aabb83b240f2b95d32cb75587ff781814", size = 5240445, upload-time = "2026-04-18T04:33:06.87Z" },
-    { url = "https://files.pythonhosted.org/packages/55/ba/eeef4ccba09b2212fe239f46c1692a98db1878e0872ae320756488878a94/lxml-6.1.0-cp312-cp312-manylinux_2_28_i686.whl", hash = "sha256:40d9189f80075f2e1f88db21ef815a2b17b28adf8e50aaf5c789bfe737027f32", size = 5350121, upload-time = "2026-04-18T04:33:09.365Z" },
-    { url = "https://files.pythonhosted.org/packages/7e/01/1da87c7b587c38d0cbe77a01aae3b9c1c49ed47d76918ef3db8fc151b1ca/lxml-6.1.0-cp312-cp312-manylinux_2_31_armv7l.whl", hash = "sha256:05b9b8787e35bec69e68daf4952b2e6dfcfb0db7ecf1a06f8cdfbbac4eb71aad", size = 4694949, upload-time = "2026-04-18T04:33:11.628Z" },
-    { url = "https://files.pythonhosted.org/packages/a1/88/7db0fe66d5aaf128443ee1623dec3db1576f3e4c17751ec0ef5866468590/lxml-6.1.0-cp312-cp312-manylinux_2_38_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:0f0f08beb0182e3e9a86fae124b3c47a7b41b7b69b225e1377db983802404e54", size = 5243901, upload-time = "2026-04-18T04:33:13.95Z" },
-    { url = "https://files.pythonhosted.org/packages/00/a8/1346726af7d1f6fca1f11223ba34001462b0a3660416986d37641708d57c/lxml-6.1.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:73becf6d8c81d4c76b1014dbd3584cb26d904492dcf73ca85dc8bff08dcd6d2d", size = 5048054, upload-time = "2026-04-18T04:33:16.965Z" },
-    { url = "https://files.pythonhosted.org/packages/2e/b7/85057012f035d1a0c87e02f8c723ca3c3e6e0728bcf4cb62080b21b1c1e3/lxml-6.1.0-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:1ae225f66e5938f4fa29d37e009a3bb3b13032ac57eb4eb42afa44f6e4054e69", size = 4777324, upload-time = "2026-04-18T04:33:19.832Z" },
-    { url = "https://files.pythonhosted.org/packages/75/6c/ad2f94a91073ef570f33718040e8e160d5fb93331cf1ab3ca1323f939e2d/lxml-6.1.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:690022c7fae793b0489aa68a658822cea83e0d5933781811cabbf5ea3bcfe73d", size = 5645702, upload-time = "2026-04-18T04:33:22.436Z" },
-    { url = "https://files.pythonhosted.org/packages/3b/89/0bb6c0bd549c19004c60eea9dc554dd78fd647b72314ef25d460e0d208c6/lxml-6.1.0-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:63aeafc26aac0be8aff14af7871249e87ea1319be92090bfd632ec68e03b16a5", size = 5232901, upload-time = "2026-04-18T04:33:26.21Z" },
-    { url = "https://files.pythonhosted.org/packages/a1/d9/d609a11fb567da9399f525193e2b49847b5a409cdebe737f06a8b7126bdc/lxml-6.1.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:264c605ab9c0e4aa1a679636f4582c4d3313700009fac3ec9c3412ed0d8f3e1d", size = 5261333, upload-time = "2026-04-18T04:33:28.984Z" },
-    { url = "https://files.pythonhosted.org/packages/a6/3a/ac3f99ec8ac93089e7dd556f279e0d14c24de0a74a507e143a2e4b496e7c/lxml-6.1.0-cp312-cp312-win32.whl", hash = "sha256:56971379bc5ee8037c5a0f09fa88f66cdb7d37c3e38af3e45cf539f41131ac1f", size = 3596289, upload-time = "2026-04-18T04:27:42.819Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/a7/0a915557538593cb1bbeedcd40e13c7a261822c26fecbbdb71dad0c2f540/lxml-6.1.0-cp312-cp312-win_amd64.whl", hash = "sha256:bba078de0031c219e5dd06cf3e6bf8fb8e6e64a77819b358f53bb132e3e03366", size = 3997059, upload-time = "2026-04-18T04:27:46.764Z" },
-    { url = "https://files.pythonhosted.org/packages/92/96/a5dc078cf0126fbfbc35611d77ecd5da80054b5893e28fb213a5613b9e1d/lxml-6.1.0-cp312-cp312-win_arm64.whl", hash = "sha256:c3592631e652afa34999a088f98ba7dfc7d6aff0d535c410bea77a71743f3819", size = 3659552, upload-time = "2026-04-18T04:27:51.133Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/88/55143966481409b1740a3ac669e611055f49efd68087a5ce41582325db3e/lxml-6.1.0-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:546b66c0dd1bb8d9fa89d7123e5fa19a8aff3a1f2141eb22df96112afb17b842", size = 3930134, upload-time = "2026-04-18T04:32:35.008Z" },
-    { url = "https://files.pythonhosted.org/packages/b5/97/28b985c2983938d3cb696dd5501423afb90a8c3e869ef5d3c62569282c0f/lxml-6.1.0-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5cfa1a34df366d9dc0d5eaf420f4cf2bb1e1bebe1066d1c2fc28c179f8a4004c", size = 4210749, upload-time = "2026-04-18T04:36:03.626Z" },
-    { url = "https://files.pythonhosted.org/packages/29/67/dfab2b7d58214921935ccea7ce9b3df9b7d46f305d12f0f532ac7cf6b804/lxml-6.1.0-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:db88156fcf544cdbf0d95588051515cfdfd4c876fc66444eb98bceb5d6db76de", size = 4318463, upload-time = "2026-04-18T04:36:06.309Z" },
-    { url = "https://files.pythonhosted.org/packages/32/a2/4ac7eb32a4d997dd352c32c32399aae27b3f268d440e6f9cfa405b575d2f/lxml-6.1.0-pp311-pypy311_pp73-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:07f98f5496f96bf724b1e3c933c107f0cbf2745db18c03d2e13a291c3afd2635", size = 4251124, upload-time = "2026-04-18T04:36:09.056Z" },
-    { url = "https://files.pythonhosted.org/packages/33/ef/d6abd850bb4822f9b720cfe36b547a558e694881010ff7d012191e8769c6/lxml-6.1.0-pp311-pypy311_pp73-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4642e04449a1e164b5ff71ffd901ddb772dfabf5c9adf1b7be5dffe1212bc037", size = 4401758, upload-time = "2026-04-18T04:36:11.803Z" },
-    { url = "https://files.pythonhosted.org/packages/40/44/3ee09a5b60cb44c4f2fbc1c9015cfd6ff5afc08f991cab295d3024dcbf2d/lxml-6.1.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:7da13bb6fbadfafb474e0226a30570a3445cfd47c86296f2446dafbd77079ace", size = 3508860, upload-time = "2026-04-18T04:32:48.619Z" },
+    { url = "https://files.pythonhosted.org/packages/84/b8/2b727f5a90902f7cc5548349f563b60911ca05f3b92e35dfa751349f265f/lxml-5.3.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9d61a7d0d208ace43986a92b111e035881c4ed45b1f5b7a270070acae8b0bfb4", size = 8163457, upload-time = "2025-04-05T18:25:55.176Z" },
+    { url = "https://files.pythonhosted.org/packages/91/84/23135b2dc72b3440d68c8f39ace2bb00fe78e3a2255f7c74f7e76f22498e/lxml-5.3.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:856dfd7eda0b75c29ac80a31a6411ca12209183e866c33faf46e77ace3ce8a79", size = 4433445, upload-time = "2025-04-05T18:25:57.631Z" },
+    { url = "https://files.pythonhosted.org/packages/c9/1c/6900ade2294488f80598af7b3229669562166384bb10bf4c915342a2f288/lxml-5.3.2-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7a01679e4aad0727bedd4c9407d4d65978e920f0200107ceeffd4b019bd48529", size = 5029603, upload-time = "2025-04-05T18:26:00.145Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/e9/31dbe5deaccf0d33ec279cf400306ad4b32dfd1a0fee1fca40c5e90678fe/lxml-5.3.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b6b37b4c3acb8472d191816d4582379f64d81cecbdce1a668601745c963ca5cc", size = 4771236, upload-time = "2025-04-05T18:26:02.656Z" },
+    { url = "https://files.pythonhosted.org/packages/68/41/c3412392884130af3415af2e89a2007e00b2a782be6fb848a95b598a114c/lxml-5.3.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3df5a54e7b7c31755383f126d3a84e12a4e0333db4679462ef1165d702517477", size = 5369815, upload-time = "2025-04-05T18:26:05.842Z" },
+    { url = "https://files.pythonhosted.org/packages/34/0a/ba0309fd5f990ea0cc05aba2bea225ef1bcb07ecbf6c323c6b119fc46e7f/lxml-5.3.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c09a40f28dcded933dc16217d6a092be0cc49ae25811d3b8e937c8060647c353", size = 4843663, upload-time = "2025-04-05T18:26:09.143Z" },
+    { url = "https://files.pythonhosted.org/packages/b6/c6/663b5d87d51d00d4386a2d52742a62daa486c5dc6872a443409d9aeafece/lxml-5.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a1ef20f1851ccfbe6c5a04c67ec1ce49da16ba993fdbabdce87a92926e505412", size = 4918028, upload-time = "2025-04-05T18:26:12.243Z" },
+    { url = "https://files.pythonhosted.org/packages/75/5f/f6a72ccbe05cf83341d4b6ad162ed9e1f1ffbd12f1c4b8bc8ae413392282/lxml-5.3.2-cp311-cp311-manylinux_2_28_aarch64.whl", hash = "sha256:f79a63289dbaba964eb29ed3c103b7911f2dce28c36fe87c36a114e6bd21d7ad", size = 4792005, upload-time = "2025-04-05T18:26:15.081Z" },
+    { url = "https://files.pythonhosted.org/packages/37/7b/8abd5b332252239ffd28df5842ee4e5bf56e1c613c323586c21ccf5af634/lxml-5.3.2-cp311-cp311-manylinux_2_28_ppc64le.whl", hash = "sha256:75a72697d95f27ae00e75086aed629f117e816387b74a2f2da6ef382b460b710", size = 5405363, upload-time = "2025-04-05T18:26:17.618Z" },
+    { url = "https://files.pythonhosted.org/packages/5a/79/549b7ec92b8d9feb13869c1b385a0749d7ccfe5590d1e60f11add9cdd580/lxml-5.3.2-cp311-cp311-manylinux_2_28_s390x.whl", hash = "sha256:b9b00c9ee1cc3a76f1f16e94a23c344e0b6e5c10bec7f94cf2d820ce303b8c01", size = 4932915, upload-time = "2025-04-05T18:26:20.269Z" },
+    { url = "https://files.pythonhosted.org/packages/57/eb/4fa626d0bac8b4f2aa1d0e6a86232db030fd0f462386daf339e4a0ee352b/lxml-5.3.2-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:77cbcab50cbe8c857c6ba5f37f9a3976499c60eada1bf6d38f88311373d7b4bc", size = 4983473, upload-time = "2025-04-05T18:26:23.828Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/c8/79d61d13cbb361c2c45fbe7c8bd00ea6a23b3e64bc506264d2856c60d702/lxml-5.3.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:29424058f072a24622a0a15357bca63d796954758248a72da6d512f9bd9a4493", size = 4855284, upload-time = "2025-04-05T18:26:26.504Z" },
+    { url = "https://files.pythonhosted.org/packages/80/16/9f84e1ef03a13136ab4f9482c9adaaad425c68b47556b9d3192a782e5d37/lxml-5.3.2-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:7d82737a8afe69a7c80ef31d7626075cc7d6e2267f16bf68af2c764b45ed68ab", size = 5458355, upload-time = "2025-04-05T18:26:29.086Z" },
+    { url = "https://files.pythonhosted.org/packages/aa/6d/f62860451bb4683e87636e49effb76d499773337928e53356c1712ccec24/lxml-5.3.2-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:95473d1d50a5d9fcdb9321fdc0ca6e1edc164dce4c7da13616247d27f3d21e31", size = 5300051, upload-time = "2025-04-05T18:26:31.723Z" },
+    { url = "https://files.pythonhosted.org/packages/3f/5f/3b6c4acec17f9a57ea8bb89a658a70621db3fb86ea588e7703b6819d9b03/lxml-5.3.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2162068f6da83613f8b2a32ca105e37a564afd0d7009b0b25834d47693ce3538", size = 5033481, upload-time = "2025-04-05T18:26:34.312Z" },
+    { url = "https://files.pythonhosted.org/packages/79/bd/3c4dd7d903bb9981f4876c61ef2ff5d5473e409ef61dc7337ac207b91920/lxml-5.3.2-cp311-cp311-win32.whl", hash = "sha256:f8695752cf5d639b4e981afe6c99e060621362c416058effd5c704bede9cb5d1", size = 3474266, upload-time = "2025-04-05T18:26:36.545Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/ea/9311fa1ef75b7d601c89600fc612838ee77ad3d426184941cba9cf62641f/lxml-5.3.2-cp311-cp311-win_amd64.whl", hash = "sha256:d1a94cbb4ee64af3ab386c2d63d6d9e9cf2e256ac0fd30f33ef0a3c88f575174", size = 3815230, upload-time = "2025-04-05T18:26:39.486Z" },
+    { url = "https://files.pythonhosted.org/packages/0d/7e/c749257a7fabc712c4df57927b0f703507f316e9f2c7e3219f8f76d36145/lxml-5.3.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:16b3897691ec0316a1aa3c6585f61c8b7978475587c5b16fc1d2c28d283dc1b0", size = 8193212, upload-time = "2025-04-05T18:26:42.692Z" },
+    { url = "https://files.pythonhosted.org/packages/a8/50/17e985ba162c9f1ca119f4445004b58f9e5ef559ded599b16755e9bfa260/lxml-5.3.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:a8d4b34a0eeaf6e73169dcfd653c8d47f25f09d806c010daf074fba2db5e2d3f", size = 4451439, upload-time = "2025-04-05T18:26:46.468Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/b5/4960ba0fcca6ce394ed4a2f89ee13083e7fcbe9641a91166e8e9792fedb1/lxml-5.3.2-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9cd7a959396da425022e1e4214895b5cfe7de7035a043bcc2d11303792b67554", size = 5052146, upload-time = "2025-04-05T18:26:49.737Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/d1/184b04481a5d1f5758916de087430752a7b229bddbd6c1d23405078c72bd/lxml-5.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cac5eaeec3549c5df7f8f97a5a6db6963b91639389cdd735d5a806370847732b", size = 4789082, upload-time = "2025-04-05T18:26:52.295Z" },
+    { url = "https://files.pythonhosted.org/packages/7d/75/1a19749d373e9a3d08861addccdf50c92b628c67074b22b8f3c61997cf5a/lxml-5.3.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:29b5f7d77334877c2146e7bb8b94e4df980325fab0a8af4d524e5d43cd6f789d", size = 5312300, upload-time = "2025-04-05T18:26:54.923Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/00/9d165d4060d3f347e63b219fcea5c6a3f9193e9e2868c6801e18e5379725/lxml-5.3.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:13f3495cfec24e3d63fffd342cc8141355d1d26ee766ad388775f5c8c5ec3932", size = 4836655, upload-time = "2025-04-05T18:26:57.488Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/e9/06720a33cc155966448a19677f079100517b6629a872382d22ebd25e48aa/lxml-5.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e70ad4c9658beeff99856926fd3ee5fde8b519b92c693f856007177c36eb2e30", size = 4961795, upload-time = "2025-04-05T18:27:00.126Z" },
+    { url = "https://files.pythonhosted.org/packages/2d/57/4540efab2673de2904746b37ef7f74385329afd4643ed92abcc9ec6e00ca/lxml-5.3.2-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:507085365783abd7879fa0a6fa55eddf4bdd06591b17a2418403bb3aff8a267d", size = 4779791, upload-time = "2025-04-05T18:27:03.061Z" },
+    { url = "https://files.pythonhosted.org/packages/99/ad/6056edf6c9f4fa1d41e6fbdae52c733a4a257fd0d7feccfa26ae051bb46f/lxml-5.3.2-cp312-cp312-manylinux_2_28_ppc64le.whl", hash = "sha256:5bb304f67cbf5dfa07edad904732782cbf693286b9cd85af27059c5779131050", size = 5346807, upload-time = "2025-04-05T18:27:05.877Z" },
+    { url = "https://files.pythonhosted.org/packages/a1/fa/5be91fc91a18f3f705ea5533bc2210b25d738c6b615bf1c91e71a9b2f26b/lxml-5.3.2-cp312-cp312-manylinux_2_28_s390x.whl", hash = "sha256:3d84f5c093645c21c29a4e972b84cb7cf682f707f8706484a5a0c7ff13d7a988", size = 4909213, upload-time = "2025-04-05T18:27:08.588Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/74/71bb96a3b5ae36b74e0402f4fa319df5559a8538577f8c57c50f1b57dc15/lxml-5.3.2-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:bdc13911db524bd63f37b0103af014b7161427ada41f1b0b3c9b5b5a9c1ca927", size = 4987694, upload-time = "2025-04-05T18:27:11.66Z" },
+    { url = "https://files.pythonhosted.org/packages/08/c2/3953a68b0861b2f97234b1838769269478ccf872d8ea7a26e911238220ad/lxml-5.3.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:1ec944539543f66ebc060ae180d47e86aca0188bda9cbfadff47d86b0dc057dc", size = 4862865, upload-time = "2025-04-05T18:27:14.194Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/9a/52e48f7cfd5a5e61f44a77e679880580dfb4f077af52d6ed5dd97e3356fe/lxml-5.3.2-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:59d437cc8a7f838282df5a199cf26f97ef08f1c0fbec6e84bd6f5cc2b7913f6e", size = 5423383, upload-time = "2025-04-05T18:27:16.988Z" },
+    { url = "https://files.pythonhosted.org/packages/17/67/42fe1d489e4dcc0b264bef361aef0b929fbb2b5378702471a3043bc6982c/lxml-5.3.2-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:0e275961adbd32e15672e14e0cc976a982075208224ce06d149c92cb43db5b93", size = 5286864, upload-time = "2025-04-05T18:27:19.703Z" },
+    { url = "https://files.pythonhosted.org/packages/29/e4/03b1d040ee3aaf2bd4e1c2061de2eae1178fe9a460d3efc1ea7ef66f6011/lxml-5.3.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:038aeb6937aa404480c2966b7f26f1440a14005cb0702078c173c028eca72c31", size = 5056819, upload-time = "2025-04-05T18:27:22.814Z" },
+    { url = "https://files.pythonhosted.org/packages/83/b3/e2ec8a6378e4d87da3af9de7c862bcea7ca624fc1a74b794180c82e30123/lxml-5.3.2-cp312-cp312-win32.whl", hash = "sha256:3c2c8d0fa3277147bff180e3590be67597e17d365ce94beb2efa3138a2131f71", size = 3486177, upload-time = "2025-04-05T18:27:25.078Z" },
+    { url = "https://files.pythonhosted.org/packages/d5/8a/6a08254b0bab2da9573735725caab8302a2a1c9b3818533b41568ca489be/lxml-5.3.2-cp312-cp312-win_amd64.whl", hash = "sha256:77809fcd97dfda3f399102db1794f7280737b69830cd5c961ac87b3c5c05662d", size = 3817134, upload-time = "2025-04-05T18:27:27.481Z" },
 ]

 [[package]]
@@ -3663,21 +3654,21 @@ wheels = [

 [[package]]
 name = "microsoft-kiota-abstractions"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "opentelemetry-api" },
    { name = "opentelemetry-sdk" },
    { name = "std-uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/8f/94/37315b82a1bcc08145e5bc2af7396a4be8160ac138ec269611c3b9589b7a/microsoft_kiota_abstractions-1.9.9.tar.gz", hash = "sha256:5df9a8e0517a4568726c2cac6d9789284cc6ffa66043b68eba42ae55749fb861", size = 24468, upload-time = "2026-03-02T21:03:50.133Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fa/42/e9ddbdf6c2c772651e09ad74bd28dbf1c11e3f54bbb7cdb88ce57959f7c3/microsoft_kiota_abstractions-1.9.2.tar.gz", hash = "sha256:29cdafe8d0672f23099556e0b120dca6231c752cca9393e1e0092fa9ca594572", size = 24456, upload-time = "2025-02-06T13:12:37.979Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/53/6a/7d5a1a8131f0eccc6b45839c091aa00ba29661854e7defaa7936cf342fa7/microsoft_kiota_abstractions-1.9.9-py3-none-any.whl", hash = "sha256:8d0a14eda42f3f0ccac2e9512227a338f69998dc9b782fd21cb8ca7c48302caa", size = 44453, upload-time = "2026-03-02T21:03:51.11Z" },
+    { url = "https://files.pythonhosted.org/packages/4c/29/5d2f55d5925236e7c4c1a1b521567bc89ecf0b439354eae0f10e7f10aba2/microsoft_kiota_abstractions-1.9.2-py3-none-any.whl", hash = "sha256:a8853d272a84da59d6a2fe11a76c28e9c55bdab268a345ba48e918cb6822b607", size = 44411, upload-time = "2025-02-06T13:12:36.093Z" },
 ]

 [[package]]
 name = "microsoft-kiota-authentication-azure"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
@@ -3686,14 +3677,14 @@ dependencies = [
    { name = "opentelemetry-api" },
    { name = "opentelemetry-sdk" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ca/ce/5ae8b37ee4a50f0ed5e092c2d0105d60b592e6102a190959f76658a0994c/microsoft_kiota_authentication_azure-1.9.9.tar.gz", hash = "sha256:aca5e7dc8a0a28224f9025a479349ac2f9aaf166bfd6bc707f232658b45eec28", size = 5000, upload-time = "2026-03-02T21:04:02.355Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/97/bc/91b07dd6923f351afaa3121d12eab99a49f4da8128975fc8eefc1d1bef9b/microsoft_kiota_authentication_azure-1.9.2.tar.gz", hash = "sha256:171045f522a93d9340fbddc4cabb218f14f1d9d289e82e535b3d9291986c3d5a", size = 4986, upload-time = "2025-02-06T13:12:47.76Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/98/de/dc504324b776d00a420886cc6f39e04be2cf48cab0e9b18f8450a5efcc29/microsoft_kiota_authentication_azure-1.9.9-py3-none-any.whl", hash = "sha256:73dc21a1a2861ea78a135327291db3322e2255542a18b311dd03fd908342e902", size = 6951, upload-time = "2026-03-02T21:04:03.18Z" },
+    { url = "https://files.pythonhosted.org/packages/31/91/30a29f828b40d85c0bcef803fafbca6a30761fe5cef451dee0e6ad95a74a/microsoft_kiota_authentication_azure-1.9.2-py3-none-any.whl", hash = "sha256:56840f8b15df8aedfd143fb2deb7cc7fae4ac0bafb1a50546b7313a7b3ab4ca0", size = 6908, upload-time = "2025-02-06T13:12:46.153Z" },
 ]

 [[package]]
 name = "microsoft-kiota-http"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "httpx", extra = ["http2"] },
@@ -3701,57 +3692,57 @@ dependencies = [
    { name = "opentelemetry-api" },
    { name = "opentelemetry-sdk" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5d/3f/fc18eb0d1d845daf6355fd54fd990af7f7e10043ef6a6da39b9e5981cbaf/microsoft_kiota_http-1.9.9.tar.gz", hash = "sha256:ae672b145df71b644f8da0951767a12a4ce47a40576d86eba19b7c22d9e160f9", size = 21493, upload-time = "2026-03-02T21:04:11.662Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5d/f3/4738613a6711917a1b4f829c962f3ce09a286c12a1037dc0fd666a9f4ad7/microsoft_kiota_http-1.9.2.tar.gz", hash = "sha256:2ba3d04a3d1d5d600736eebc1e33533d54d87799ac4fbb92c9cce4a97809af61", size = 21205, upload-time = "2025-02-06T13:12:56.783Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c4/6a/cc1b1055b4b6d4dfc1be7a71917c2f0ef19c070c6a18b16d3c1032d20925/microsoft_kiota_http-1.9.9-py3-none-any.whl", hash = "sha256:a5b1b217ac9afeb4054f12515417e3b1d2be12a9385a70a41d18d64379ea2e7e", size = 31945, upload-time = "2026-03-02T21:04:12.328Z" },
+    { url = "https://files.pythonhosted.org/packages/95/2d/1b23c6f3c3fd1bbf065c11cdb66f59ccefcfed7bae0b7de9adb260260e05/microsoft_kiota_http-1.9.2-py3-none-any.whl", hash = "sha256:3a2d930a70d0184d9f4848473f929ee892462cae1acfaf33b2d193f1828c76c2", size = 31507, upload-time = "2025-02-06T13:12:55.022Z" },
 ]

 [[package]]
 name = "microsoft-kiota-serialization-form"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "microsoft-kiota-abstractions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ee/b4/18e9fce60a30c8b6ea0a6278fb81cf352127340d48df2d7c52ff1b579488/microsoft_kiota_serialization_form-1.9.9.tar.gz", hash = "sha256:3cdc8b172baec5b5282af72f2ce02715edcd23252ce0b5af96075256edd75114", size = 9015, upload-time = "2026-03-02T21:04:20.39Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5d/51/ddbed9c6a3d7197c94d03d5a71bd01181fa0e6051b5919ca81e116061a30/microsoft_kiota_serialization_form-1.9.2.tar.gz", hash = "sha256:badfbe65d8ec3369bd58b01022d13ef590edf14babeef94188efe3f4ec24fe41", size = 8987, upload-time = "2025-02-06T13:13:07.425Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/0b/24/eb8436b882f1473bd0a868848d214df3df2d9b3db8e5422d111032f1114f/microsoft_kiota_serialization_form-1.9.9-py3-none-any.whl", hash = "sha256:1c426d4f0d463fc9215c41d7fa0f3dc5fe8d3c80573d555cf63ea67000148d84", size = 10718, upload-time = "2026-03-02T21:04:21.25Z" },
+    { url = "https://files.pythonhosted.org/packages/68/e1/5cd5f6c636f9913ccf9143fc78f61563cecdf3c268a5d0743d3da26e3add/microsoft_kiota_serialization_form-1.9.2-py3-none-any.whl", hash = "sha256:7b997efb2c8750b1d4fbc00878ba2a3e6e1df3fcefc8815226c90fcc9c54f218", size = 10664, upload-time = "2025-02-06T13:13:04.482Z" },
 ]

 [[package]]
 name = "microsoft-kiota-serialization-json"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "microsoft-kiota-abstractions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b8/2f/d36eba916c00136da122d1701acb862c5b1f2e22b6dc6fa4e0f4abda2786/microsoft_kiota_serialization_json-1.9.9.tar.gz", hash = "sha256:9b27479427f49bbac15ead8e8ff0176e47fcdf81153611acc408f5f399342079", size = 9545, upload-time = "2026-03-02T21:04:29.177Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/7d/ea/fee81f1cb68d5163573294935311a9c45d7da7dc08aa4acd86690ddafdcb/microsoft_kiota_serialization_json-1.9.2.tar.gz", hash = "sha256:19f7beb69c67b2cb77ca96f77824ee78a693929e20237bb5476ea54f69118bf1", size = 9345, upload-time = "2025-02-06T13:13:15.582Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3f/7b/b3f606ef2dcbdebe12ae27004ed6e7542370cb2494265f11a8877a1de2d1/microsoft_kiota_serialization_json-1.9.9-py3-none-any.whl", hash = "sha256:bb80b93e81bab41dc142e9b254f79bf0b7b9fe49a796ca0c8e8691925bd3967f", size = 11210, upload-time = "2026-03-02T21:04:29.844Z" },
+    { url = "https://files.pythonhosted.org/packages/95/1a/30dbe36cbd3f5d55d63f7ba086d51e90875806723a336e4782b17df80541/microsoft_kiota_serialization_json-1.9.2-py3-none-any.whl", hash = "sha256:8f4ecf485607fff3df5ce8fa9b9c957bc7f4bff1658b183703e180af753098e3", size = 10963, upload-time = "2025-02-06T13:13:14.351Z" },
 ]

 [[package]]
 name = "microsoft-kiota-serialization-multipart"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "microsoft-kiota-abstractions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5f/44/24087f0fac7c5682c13c7fb61468a0c5a5185b9f243de3a99309aa6fcaa7/microsoft_kiota_serialization_multipart-1.9.9.tar.gz", hash = "sha256:f8730be6da5f6c63a6bf4ea310a9723b9998a47a04745887dc156d08f119a829", size = 5162, upload-time = "2026-03-02T21:04:48.1Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d0/10/a8ea0a0f58bbc79c5f22bf868f10eac9f505f092e3f72ba1f050ab13316c/microsoft_kiota_serialization_multipart-1.9.2.tar.gz", hash = "sha256:b1851409205668d83f5c7a35a8b6fca974b341985b4a92841e95aaec93b7ca0a", size = 5152, upload-time = "2025-02-06T13:13:37.39Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/61/db/6b988fdf771c3d07dff4a116176d575832daf2a43823444d145d71da5b61/microsoft_kiota_serialization_multipart-1.9.9-py3-none-any.whl", hash = "sha256:572e9cbafa2eb946452cdadfb019a4e9245768c0d61c3089d3436d4f5106c550", size = 6696, upload-time = "2026-03-02T21:04:48.98Z" },
+    { url = "https://files.pythonhosted.org/packages/ca/2a/2109bbf9865685bbedf756b8b8a25284c366870496f8fe3a5a0ee7c476f5/microsoft_kiota_serialization_multipart-1.9.2-py3-none-any.whl", hash = "sha256:641ad374046f1c7adff90d110bdc68d77418adb1e479a716f4ffea3647f0ead6", size = 6649, upload-time = "2025-02-06T13:13:34.579Z" },
 ]

 [[package]]
 name = "microsoft-kiota-serialization-text"
-version = "1.9.9"
+version = "1.9.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "microsoft-kiota-abstractions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a3/3c/d244ad08e03003134871698aa54de8243bcc61c0faf3ab114293bb76d6ad/microsoft_kiota_serialization_text-1.9.9.tar.gz", hash = "sha256:18bc0764dda4078a4c953300253344e05d0cdb9c17136f1a2f695d438cedb402", size = 7325, upload-time = "2026-03-02T21:04:37.567Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/81/20/aac457a8a0ce90510dc82ca5ba0d80484aeaf87d75d08ebefcbb81373683/microsoft_kiota_serialization_text-1.9.2.tar.gz", hash = "sha256:4289508ebac0cefdc4fa21c545051769a9409913972355ccda9116b647f978f2", size = 7306, upload-time = "2025-02-06T13:13:25.045Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/37/f8/43f8d00fed6e090810d3ce0c05e06c23eaa5dee6e87ab1fb89d96ca9559f/microsoft_kiota_serialization_text-1.9.9-py3-none-any.whl", hash = "sha256:84418119d4929a76fde7f31e957e240e003bf145757838b9aa3a0f36dec1b789", size = 8885, upload-time = "2026-03-02T21:04:38.76Z" },
+    { url = "https://files.pythonhosted.org/packages/5a/3a/81c75a275183ceadfd3b87731adff69ebb46c5f43b8617c88375a53808e5/microsoft_kiota_serialization_text-1.9.2-py3-none-any.whl", hash = "sha256:6e63129ea29eb9b976f4ed56fc6595d204e29fc309958b639299e9f9f4e5edb4", size = 8840, upload-time = "2025-02-06T13:13:22.997Z" },
 ]

 [[package]]
@@ -4585,7 +4576,7 @@ requires-dist = [
    { name = "gevent", specifier = "==25.9.1" },
    { name = "gunicorn", specifier = "==23.0.0" },
    { name = "h2", specifier = "==4.3.0" },
-    { name = "lxml", specifier = "==6.1.0" },
+    { name = "lxml", specifier = "==5.3.2" },
    { name = "markdown", specifier = "==3.10.2" },
    { name = "matplotlib", specifier = "==3.10.8" },
    { name = "neo4j", specifier = "==6.1.0" },
@@ -4598,7 +4589,7 @@ requires-dist = [
    { name = "sqlparse", specifier = "==0.5.5" },
    { name = "uuid6", specifier = "==2024.7.10" },
    { name = "werkzeug", specifier = "==3.1.7" },
-    { name = "xmlsec", specifier = "==1.3.17" },
+    { name = "xmlsec", specifier = "==1.3.14" },
 ]

 [package.metadata.requires-dev]
@@ -5714,11 +5705,11 @@ wheels = [

 [[package]]
 name = "urllib3"
-version = "2.7.0"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]

 [[package]]
@@ -5832,31 +5823,31 @@ wheels = [

 [[package]]
 name = "xmlsec"
-version = "1.3.17"
+version = "1.3.14"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "lxml" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/49/14/538b75379e6ab8f688f14d8663e2ab138d9c778bac4999d155b5f33c71c1/xmlsec-1.3.17.tar.gz", hash = "sha256:f3fac9ae679f66585925cc00c5f6839ae36c1d03157619571dee18acc05b9c01", size = 115637, upload-time = "2025-11-11T16:20:46.019Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/25/5b/244459b51dfe91211c1d9ec68fb5307dfc51e014698f52de575d25f753e0/xmlsec-1.3.14.tar.gz", hash = "sha256:934f804f2f895bcdb86f1eaee236b661013560ee69ec108d29cdd6e5f292a2d9", size = 68854, upload-time = "2024-04-17T19:34:29.388Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/28/e4/970614d892749da00df253c370230fd24143028268923a1c35651fb3f962/xmlsec-1.3.17-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d4a7ee007c6b55f7621330aee8330ef2dafa4225fce554064571ca826beafe7e", size = 3450577, upload-time = "2025-11-11T16:19:34.159Z" },
-    { url = "https://files.pythonhosted.org/packages/50/4a/2f48ad48fecbd49dbbc6f2a5b540cd65277089fd5b8b5d8c7e816c3625c2/xmlsec-1.3.17-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a1ef656421d01851618d0fe5518e57469159c14a48e05125f7bd3225631952f9", size = 3846698, upload-time = "2025-11-11T16:19:35.408Z" },
-    { url = "https://files.pythonhosted.org/packages/a9/07/0130e0b711f7443d0abdec403ea5128392cd5b241bb53f4ec41d144d94db/xmlsec-1.3.17-cp311-cp311-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:80fff2251d0e73714435b5860ce200990dffe85466dd91d08d75c4d64ee9967d", size = 4423233, upload-time = "2025-11-11T16:19:37.129Z" },
-    { url = "https://files.pythonhosted.org/packages/00/f7/a4e588d61f602f25a51b6004be9a162e36e746fa1cbeb12248794a96766b/xmlsec-1.3.17-cp311-cp311-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4f2bf6bbf04f8a912483d268b4c2727d400d1806d054624da13bee4b9f6fa28a", size = 4163716, upload-time = "2025-11-11T16:19:38.365Z" },
-    { url = "https://files.pythonhosted.org/packages/1b/a2/f8c019445134dfc59afb5874d1fc4fe212ec2dc45a8c33806a15b5c0c119/xmlsec-1.3.17-cp311-cp311-manylinux_2_38_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a603584ceee175036e1bccdbe65d551c0fff67343fd506bfa6cec52bc64d9a75", size = 3875404, upload-time = "2025-11-11T16:19:40.008Z" },
-    { url = "https://files.pythonhosted.org/packages/5c/c3/90c0e26bb9f95799c64874ebee0b43eaf7e5b5ba912bcd87ed4cc46ea514/xmlsec-1.3.17-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:26cc3d81437b51839946d2e93d09371dfd73ed2831dc7e37eff0fb52fc33747c", size = 4460640, upload-time = "2025-11-11T16:19:41.372Z" },
-    { url = "https://files.pythonhosted.org/packages/ba/be/7b85b0ff4281779293d93a8bbef70a6b72ba60d8a80d15653bd4967d0c07/xmlsec-1.3.17-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:d862f023f56a49c06576be41dfaf213c9ac77e7a344e7f204278c365bb36d00e", size = 4209625, upload-time = "2025-11-11T16:19:43.289Z" },
-    { url = "https://files.pythonhosted.org/packages/dc/6d/028472e523c2f667a4634881b65acfa939bc4902ed37e1e9fe1d55d45ec0/xmlsec-1.3.17-cp311-cp311-win_amd64.whl", hash = "sha256:9877303e8c72d7aa2467d1af12e56d67b8fb50d324eda5848e0ec5ee2176aac5", size = 2445935, upload-time = "2025-11-11T16:19:44.605Z" },
-    { url = "https://files.pythonhosted.org/packages/f0/01/d36fd82b837167546951e7e088dbd2f0dacf553157d256b2a25802d28a95/xmlsec-1.3.17-cp311-cp311-win_arm64.whl", hash = "sha256:b3f306f5aef47336b8299d8dbee31fa0b2eba4579f9f41396070f7a97d0dcd49", size = 2261485, upload-time = "2025-11-11T16:19:46.212Z" },
-    { url = "https://files.pythonhosted.org/packages/cd/a5/d91216f7dbb85cb65cb7249fcc894f5389a8a4843857aff678646cab77fa/xmlsec-1.3.17-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:df4a8d7fef3ffe90e572400d47392ea480120e339c292f802830ed09d449e622", size = 3450960, upload-time = "2025-11-11T16:19:47.794Z" },
-    { url = "https://files.pythonhosted.org/packages/b7/38/c37bd4e164259e0b271fe4d17d054f31c7287a1e4c47d24ef77d723b3493/xmlsec-1.3.17-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ed63cbd87dd69ebcf3a9f82d87b67818c9a7d656325dd4fb34d6c4dfbaa84017", size = 3846774, upload-time = "2025-11-11T16:19:49.636Z" },
-    { url = "https://files.pythonhosted.org/packages/a6/ff/83430c5df33c6ad402728a681998c5b2872c090b556a558d02f8cf1d2f24/xmlsec-1.3.17-cp312-cp312-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5c3008b32a15d24b6c9da39bf6ede8dc3122570a640a73795d763aea55a2193e", size = 4425910, upload-time = "2025-11-11T16:19:50.95Z" },
-    { url = "https://files.pythonhosted.org/packages/02/41/bb94c7a97ea613b3860f6152bb7efcf5be524d135592e094ecc64ff79228/xmlsec-1.3.17-cp312-cp312-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1a0b9a1dcda547e0340eefa6f4a04b87dbd9e40cd514487f347934f94fd559ab", size = 4169038, upload-time = "2025-11-11T16:19:52.217Z" },
-    { url = "https://files.pythonhosted.org/packages/3b/4c/852ba0805df27b7bd1e88e9524d9573b076c3a126e936b1f18c6f22fb968/xmlsec-1.3.17-cp312-cp312-manylinux_2_38_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:3a53c14d4bc40b0f0fcc6d7908b88f3cbbcf36e25c392f796d88aee7dee5beea", size = 3876430, upload-time = "2025-11-11T16:19:53.388Z" },
-    { url = "https://files.pythonhosted.org/packages/b0/f0/08fec6adc65f6911b49b4fa71e920c8f6434f44fdc427c71360e6dd9e9ce/xmlsec-1.3.17-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:5346616e1fe1015f7800698c15225c7902f45db199e217af2039a21989aff7e9", size = 4464419, upload-time = "2025-11-11T16:19:54.777Z" },
-    { url = "https://files.pythonhosted.org/packages/25/ce/84789ba3929715806deae88f10bc31e1ff904aa735059ee3855c104a142d/xmlsec-1.3.17-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:64c1184d51c8a67e3d1eb3ac477e307a07e2b40fd03cd0c8084b147ea0f342db", size = 4215080, upload-time = "2025-11-11T16:19:56.293Z" },
-    { url = "https://files.pythonhosted.org/packages/f3/6e/57b5054187cd2b42e5310dc1f6d209fced456f93dae25345a422b3a290ef/xmlsec-1.3.17-cp312-cp312-win_amd64.whl", hash = "sha256:d360d4adfb53d3adeca398c225cb7e2a73a2246414455937082a1fa19bd8572b", size = 2445872, upload-time = "2025-11-11T16:19:57.713Z" },
-    { url = "https://files.pythonhosted.org/packages/04/7b/f64c95df054dd793ae1925f04248abd359b1c26cc2320d67407e7fd26e4d/xmlsec-1.3.17-cp312-cp312-win_arm64.whl", hash = "sha256:eee89c268a35f8a08a8e9abef6f466b97577e94f5cac8bf32c25e97cd5020097", size = 2261464, upload-time = "2025-11-11T16:19:58.937Z" },
+    { url = "https://files.pythonhosted.org/packages/18/50/1399337e8399d2ba3da41ab51b562d34be26c5492672fd7b4cd0e4a3f2a1/xmlsec-1.3.14-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:7799a9ff3593f9dd43464e18b1a621640bffc40456c47c23383727f937dca7fc", size = 3299561, upload-time = "2024-04-18T16:25:42.404Z" },
+    { url = "https://files.pythonhosted.org/packages/c0/d7/22be4901f34c6aba17fe9245d49183a805fd30830883f8fb5c521ac8fdcd/xmlsec-1.3.14-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1fe23c2dd5f5dbcb24f40e2c1061e2672a32aabee7cf8ac5337036a485607d72", size = 3675216, upload-time = "2024-04-18T16:25:45.109Z" },
+    { url = "https://files.pythonhosted.org/packages/ea/62/c9cd9d7e3779e2f99b014db7ed55f563a0b81752bf038abfe6993bb86afa/xmlsec-1.3.14-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0be3b7a28e54a03b87faf07fb3c6dc3e50a2c79b686718c3ad08300b8bf6bb67", size = 4199323, upload-time = "2024-04-18T16:25:47.79Z" },
+    { url = "https://files.pythonhosted.org/packages/71/5d/cbceb6e9c7a65e8633f6c74b8eb7001b237f6429f404089b00d9dc80673e/xmlsec-1.3.14-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:48e894ad3e7de373f56efc09d6a56f7eae73a8dd4cec8943313134849e9c6607", size = 3612306, upload-time = "2024-04-18T16:25:49.559Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/11/5f70ff7db45978771f29b00b4a2b5cee47249dccf4689483c0119dc27ad8/xmlsec-1.3.14-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:204d3c586b8bd6f02a5d4c59850a8157205569d40c32567f49576fa5795d897d", size = 3916777, upload-time = "2024-04-18T16:25:51.504Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/32/051b377b1aca16ab8c32ae052edecf9e6d05bad4d731a5752c6bd20f78ab/xmlsec-1.3.14-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:6679cec780386d848e7351d4b0de92c4483289ea4f0a2187e216159f939a4c6b", size = 4267602, upload-time = "2024-04-18T16:25:53.207Z" },
+    { url = "https://files.pythonhosted.org/packages/84/b1/37d10b7365defd6c7e63bff622f6eeadb7b9b0d5c7fb5f42d11870547003/xmlsec-1.3.14-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c4d41c83c8a2b8d8030204391ebeb6174fbdb044f0331653c4b5a4ce4150bcc0", size = 4011807, upload-time = "2024-04-18T16:25:55.493Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/32/67df0a89f03357cc0def7f38ad2577aaace2a3f452dbb2b7fea2823dfb64/xmlsec-1.3.14-cp311-cp311-win32.whl", hash = "sha256:df4aa0782a53032fd35e18dcd6d328d6126324bfcfdef0cb5c2856f25b4b6f94", size = 2145719, upload-time = "2024-04-17T19:34:04.022Z" },
+    { url = "https://files.pythonhosted.org/packages/7a/41/b343798e514ff571456db5774be5fff20b34b38a1dbb21cbb6e49926329b/xmlsec-1.3.14-cp311-cp311-win_amd64.whl", hash = "sha256:1072878301cb9243a54679e0520e6a5be2266c07a28b0ecef9e029d05a90ffcd", size = 2441744, upload-time = "2024-04-17T19:34:06.248Z" },
+    { url = "https://files.pythonhosted.org/packages/35/66/cb02e33c72fe7279016d60802e1e1b6b007a8b056ca34b990fca30356921/xmlsec-1.3.14-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:1eb3dcf244a52f796377112d8f238dbb522eb87facffb498425dc8582a84a6bf", size = 3299742, upload-time = "2024-04-18T16:25:57.12Z" },
+    { url = "https://files.pythonhosted.org/packages/60/f2/a7489f3bd3bb7c2bbebe100a72e9e10cb645aac5ef160a7ed01e9b7817aa/xmlsec-1.3.14-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:330147ce59fbe56a9be5b2085d739c55a569f112576b3f1b33681f87416eaf33", size = 3675677, upload-time = "2024-04-18T16:25:58.939Z" },
+    { url = "https://files.pythonhosted.org/packages/15/1a/4703acc7dea24146db06cd4f93c4e9d6a148ff10f5b21a7eddca36fc4da4/xmlsec-1.3.14-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ed4034939d8566ccdcd3b4e4f23c63fd807fb8763ae5668d59a19e11640a8242", size = 4201542, upload-time = "2024-04-18T16:26:01.101Z" },
+    { url = "https://files.pythonhosted.org/packages/c4/b6/1e5ee93e0150721d4c832860c321f0edc3ed753f4a0f376f48cce41bf697/xmlsec-1.3.14-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a98eadfcb0c3b23ccceb7a2f245811f8d784bd287640dcfe696a26b9db1e2fc0", size = 3616672, upload-time = "2024-04-18T16:26:03.585Z" },
+    { url = "https://files.pythonhosted.org/packages/6e/43/e83346261f25ee1f9eb0b6719bb77d19dff194333a02c0747dd1d360d520/xmlsec-1.3.14-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:86ff7b2711557c1087b72b0a1a88d82eafbf2a6d38b97309a6f7101d4a7041c3", size = 3921961, upload-time = "2024-04-18T16:26:06.09Z" },
+    { url = "https://files.pythonhosted.org/packages/d9/d2/228f5e7edf8cf2affb76c22cd77a1adf423a8ce1b73c727a32d6939dcb18/xmlsec-1.3.14-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:774d5d1e45f07f953c1cc14fd055c1063f0725f7248b6b0e681f59fd8638934d", size = 4263947, upload-time = "2024-04-18T16:26:08.171Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/d5/393ab85efbf633ea0d10e21a8dbb0a83d5b6ba66a16ce1fb987b90262335/xmlsec-1.3.14-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:bd10ca3201f164482775a7ce61bf7ee9aade2e7d032046044dd0f6f52c91d79d", size = 4010992, upload-time = "2024-04-18T16:26:10.347Z" },
+    { url = "https://files.pythonhosted.org/packages/d1/70/d74de2e26fb9c92220411d44aa179826d525491c033e3828650ad3fafaaf/xmlsec-1.3.14-cp312-cp312-win32.whl", hash = "sha256:19c86bab1498e4c2e56d8e2c878f461ccb6e56b67fd7522b0c8fda46d8910781", size = 2146077, upload-time = "2024-04-17T19:34:08.94Z" },
+    { url = "https://files.pythonhosted.org/packages/e3/3f/75e69fa9d2084524ca4e796442d8058a78d78c64c1e8229d552c031a23b4/xmlsec-1.3.14-cp312-cp312-win_amd64.whl", hash = "sha256:d0762f4232bce2c7f6c0af329db8b821b4460bbe123a2528fb5677d03db7a4b5", size = 2441942, upload-time = "2024-04-17T19:34:10.416Z" },
 ]

 [[package]]
@@ -590,16 +590,13 @@ resources: {}
  #   memory: 128Mi

 # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-# /health/live succeeds while the process answers; /health/ready also
-# checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
-# any of them is unreachable.
 livenessProbe:
  httpGet:
-    path: /health/live
+    path: /
    port: http
 readinessProbe:
  httpGet:
-    path: /health/ready
+    path: /
    port: http

 #This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
@@ -270,23 +270,20 @@ api:
  # 3m30s to setup DB
  # startupProbe:
  #   httpGet:
-  #     path: /health/live
+  #     path: /api/v1/docs
  #     port: http

  # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-  # /health/live succeeds while the process answers; /health/ready also
-  # checks PostgreSQL, Valkey and Neo4j connectivity and returns 503 when
-  # any of them is unreachable.
  livenessProbe:
    failureThreshold: 10
    httpGet:
-      path: /health/live
+      path: /api/v1/docs
      port: http
    periodSeconds: 20
  readinessProbe:
    failureThreshold: 10
    httpGet:
-      path: /health/ready
+      path: /api/v1/docs
      port: http
    periodSeconds: 20

@@ -37,7 +37,7 @@ services:
      neo4j:
        condition: service_healthy
    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -211,7 +211,6 @@ services:
      interval: 10s
      timeout: 5s
      retries: 3
-      start_period: 60s

 volumes:
  outputs:
@@ -33,7 +33,7 @@ services:
      neo4j:
        condition: service_healthy
    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/health/live || exit 1"]
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -176,7 +176,6 @@ services:
      interval: 10s
      timeout: 5s
      retries: 3
-      start_period: 60s

 volumes:
  output:
@@ -152,7 +152,7 @@ These should have been already installed if `uv sync` was already run.

 </Note>
 - [`bandit`](https://pypi.org/project/bandit/) for code security review.
- [`osv-scanner`](https://github.com/google/osv-scanner) and [`dependabot`](https://github.com/features/security) for dependencies.
+- [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies.
 - [`hadolint`](https://github.com/hadolint/hadolint) and [`dockle`](https://github.com/goodwithtech/dockle) for container security.
 - [`Snyk`](https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration) for container security in Docker Hub.
 - [`clair`](https://github.com/quay/clair) for container security in Amazon ECR.
@@ -326,13 +326,6 @@
                  "user-guide/providers/openstack/authentication"
                ]
              },
-              {
-                "group": "Scaleway",
-                "pages": [
-                  "user-guide/providers/scaleway/getting-started-scaleway",
-                  "user-guide/providers/scaleway/authentication"
-                ]
-              },
              {
                "group": "Vercel",
                "pages": [
@@ -360,8 +353,7 @@
            "group": "Cookbooks",
            "pages": [
              "user-guide/cookbooks/kubernetes-in-cluster",
-              "user-guide/cookbooks/cicd-pipeline",
-              "user-guide/cookbooks/powerbi-cis-benchmarks"
+              "user-guide/cookbooks/cicd-pipeline"
            ]
          }
        ]
@@ -35,7 +35,6 @@ Prowler supports a wide range of providers organized by category:
 | **NHN**                                                                          | Unofficial | Tenants                  | CLI          |
 | [OpenStack](/user-guide/providers/openstack/getting-started-openstack)           | Official   | Projects                 | UI, API, CLI |
 | [Oracle Cloud](/user-guide/providers/oci/getting-started-oci)                    | Official   | Tenancies / Compartments | UI, API, CLI |
-| [Scaleway](/user-guide/providers/scaleway/getting-started-scaleway) [Contact us](https://prowler.com/contact) | Unofficial   | Organizations            | CLI          |

 ### Infrastructure as Code Providers

@@ -39,11 +39,10 @@ Dependencies are continuously monitored for known vulnerabilities with timely up

 ### Dependency Vulnerability Scanning

- **osv-scanner:** Scans lockfiles against the [OSV.dev](https://osv.dev) vulnerability database
-  - Runs in CI on every pull request and push for SDK, API, and UI
-  - Fails the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings
-  - Posts a per-lockfile report as a PR comment
-  - Per-vulnerability ignores (with reason and expiry) live in `osv-scanner.toml` at the repo root
+- **Safety:** Scans Python dependencies against known vulnerability databases
+  - Runs on every commit via pre-commit hooks
+  - Integrated into CI/CD for SDK and API
+  - Configured with selective ignores for tracked exceptions
 - **Trivy:** Multi-purpose scanner for containers and dependencies
  - Scans all container images (UI, API, SDK, MCP Server)
  - Checks for vulnerabilities in OS packages and application dependencies
@@ -149,14 +149,6 @@ Prowler Cloud and App expose two formats:
 * **CSV report:** Every requirement, every check, and every finding for the selected scan and filters. Available for all supported frameworks.
 * **PDF report:** Curated executive-style report. Currently supported for Prowler ThreatScore, ENS RD2022, NIS2, and CSA CCM. Additional PDF reports are added in subsequent Prowler releases.

-<Note>
-**PDF detail section is capped at the first 100 failed findings per check.** The PDF is intended as an executive/auditor document, not a raw data dump: when a check produces more than 100 failed findings the report renders the first 100 and shows a banner pointing the reader to the CSV or JSON-OCSF export for the complete list. The compliance CSV and the scan outputs are never truncated.
-
-The cap is configurable per deployment via the `DJANGO_PDF_MAX_FINDINGS_PER_CHECK` environment variable on the Prowler API workers; set it to `0` to disable truncation entirely. The default value of `100` keeps the PDF readable and bounded in size on enterprise-scale scans (hundreds of thousands of findings) without affecting smaller scans, where the cap is rarely reached.
-
-Only **failed** findings are rendered in the detail section. PASS findings for the same check are excluded at query time. The PDF surfaces what needs attention, and the CSV/JSON exports surface everything for forensic review.
-</Note>
-
 #### Downloading From the Detail Page

 Inside any framework detail page, the **CSV** and **PDF** buttons in the header trigger the same downloads as the overview dropdown. The PDF button only appears for frameworks that support it.
@@ -1,168 +0,0 @@
---
-title: "Visualize Multi-Cloud CIS Benchmarks With Power BI"
-description: "Ingest Prowler compliance CSV exports into a ready-made Microsoft Power BI template that surfaces CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes."
---
-
-The Multi-Cloud CIS Benchmarks Power BI template turns Prowler compliance CSV exports into an interactive dashboard. The template ingests scan results from Prowler CLI or Prowler Cloud and renders cross-provider CIS Benchmark coverage, profile-level breakdowns, regional drill-downs, and time-series trends. Center for Internet Security (CIS) Benchmarks are industry-standard configuration baselines maintained by CIS.
-
-The template and its source files live in the Prowler repository under [`contrib/PowerBI/Multicloud CIS Benchmarks`](https://github.com/prowler-cloud/prowler/tree/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks).
-
-<img src="/images/powerbi/report-cover.png" alt="Multi-Cloud CIS Benchmarks Power BI report cover showing aggregated compliance posture across providers" width="900" />
-
-## Prerequisites
-
-The setup requires the following components:
-
-* **Microsoft Power BI Desktop:** free download from Microsoft.
-* **Prowler compliance CSV exports:** produced by Prowler CLI or downloaded from Prowler Cloud or Prowler App.
-* **Local directory:** holds the CSV exports that the template ingests at load time.
-
-## Supported CIS Benchmarks
-
-The template ships with predefined mappings for the following CIS Benchmark versions. Exports must match these versions for the dashboard to populate correctly:
-
-| Compliance Framework                           | Version  |
-| ---------------------------------------------- | -------- |
-| CIS Amazon Web Services Foundations Benchmark  | v6.0     |
-| CIS Microsoft Azure Foundations Benchmark      | v5.0     |
-| CIS Google Cloud Platform Foundation Benchmark | v4.0     |
-| CIS Kubernetes Benchmark                       | v1.12.0  |
-
-<Warning>
-Other CIS Benchmark versions are not recognized by the template. Confirm the framework version before running the scan or downloading the export.
-</Warning>
-
-## Setup
-
-### Step 1: Install Microsoft Power BI Desktop
-
-Download and install Microsoft Power BI Desktop from the official Microsoft site. The template is opened with this application.
-
-### Step 2: Generate Compliance CSV Exports
-
-Compliance CSV exports can be generated through Prowler CLI or downloaded from Prowler Cloud and Prowler App.
-
-#### Option A: Prowler CLI
-
-Run a scan with the `--compliance` flag pointing to the appropriate CIS framework, for example:
-
-```sh
-prowler aws --compliance cis_6.0_aws
-prowler azure --compliance cis_5.0_azure
-prowler gcp --compliance cis_4.0_gcp
-prowler kubernetes --compliance cis_1.12_kubernetes
-```
-
-The compliance CSV exports are written to `output/compliance/` by default.
-
-#### Option B: Prowler Cloud or Prowler App
-
-Open the Compliance section, select the desired CIS Benchmark, and download the CSV export.
-
-<img src="/images/powerbi/download-compliance-scan.png" alt="Compliance section in Prowler Cloud showing the CSV download option for a CIS Benchmark scan" width="900" />
-
-### Step 3: Create a Local Directory for the Exports
-
-Place every CSV export in a single local directory. The template parses filenames to detect the provider, so filenames must keep the provider keyword (`aws`, `azure`, `gcp`, or `kubernetes`).
-
-<Note>
-Time-series visualizations such as "Compliance Percent Over Time" require multiple scans from different dates in the same directory.
-</Note>
-
-### Step 4: Open the Power BI Template
-
-Download the template file [`Prowler Multicloud CIS Benchmarks.pbit`](https://github.com/prowler-cloud/prowler/raw/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks/Prowler%20Multicloud%20CIS%20Benchmarks.pbit) and open it. Power BI Desktop prompts for the full filepath to the directory created in step 3.
-
-### Step 5: Provide the Directory Filepath
-
-Enter the absolute filepath without quotation marks. The Windows "copy as path" feature wraps the path in quotation marks automatically; remove them before submitting.
-
-### Step 6: Save the Report as a `.pbix` File
-
-Once the filepath is submitted, the template ingests the CSV exports and renders the report. Save the populated report as a `.pbix` file for future use. Re-running the `.pbit` template generates a fresh report against an updated directory.
-
-## Validation
-
-To confirm the CSV exports were ingested correctly, open the "Configuration" tab inside the report.
-
-<img src="/images/powerbi/validation.png" alt="Configuration tab in the Power BI report displaying loaded CIS Benchmarks, the Prowler CSV folder path, and the list of ingested exports" width="900" />
-
-The "Configuration" tab exposes three tables:
-
-* **Loaded CIS Benchmarks:** lists the benchmarks and versions supported by the template. This table is defined by the template itself and is not editable. All benchmarks remain listed regardless of which provider exports were supplied.
-* **Prowler CSV Folder:** displays the absolute path provided during template load.
-* **Loaded Prowler Exports:** lists every CSV file detected in the directory. A green checkmark identifies the file used as the latest assessment for each provider and benchmark combination.
-
-## Report Sections
-
-The report is organized into three navigable pages:
-
-| Report Page | Purpose                                                                              |
-| ----------- | ------------------------------------------------------------------------------------ |
-| Overview    | Aggregates CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes.    |
-| Benchmark   | Focuses on a single CIS Benchmark with profile-level and regional filters.           |
-| Requirement | Drill-through page that surfaces details for a single benchmark requirement.         |
-
-### Overview Page
-
-The Overview page summarizes CIS Benchmark posture across every supported provider.
-
-<img src="/images/powerbi/overview-page.png" alt="Overview page in the Power BI report aggregating CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes" width="900" />
-
-The Overview page contains the following components:
-
-| Component                                | Description                                                                  |
-| ---------------------------------------- | ---------------------------------------------------------------------------- |
-| CIS Benchmark Overview                   | Table listing benchmark name, version, and overall compliance percentage.    |
-| Provider by Requirement Status           | Bar chart breaking down requirements by status and provider.                 |
-| Compliance Percent Heatmap               | Heatmap of compliance percentage by benchmark and profile level.             |
-| Profile Level by Requirement Status      | Bar chart breaking down requirements by status and profile level.            |
-| Compliance Percent Over Time by Provider | Line chart tracking overall compliance percentage over time by provider.     |
-
-### Benchmark Page
-
-The Benchmark page focuses on a single CIS Benchmark. The benchmark, profile level, and region can be selected through dropdown filters.
-
-<img src="/images/powerbi/benchmark-page.png" alt="Benchmark page in the Power BI report showing region heatmap, section breakdown, time-series trend, and the requirements table" width="900" />
-
-The Benchmark page contains the following components:
-
-| Component                                | Description                                                                                                                       |
-| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
-| Compliance Percent Heatmap               | Heatmap of compliance percentage by region and profile level.                                                                     |
-| Benchmark Section by Requirement Status  | Bar chart of requirements grouped by benchmark section and status.                                                                |
-| Compliance Percent Over Time by Region   | Line chart tracking compliance percentage over time by region.                                                                    |
-| Benchmark Requirements                   | Table listing requirement section, requirement number, requirement title, number of resources tested, status, and failing checks. |
-
-### Requirement Page
-
-The Requirement page is a drill-through view that exposes the full context of a single requirement. To populate the page, right-click a row in the "Benchmark Requirements" table on the Benchmark page and select "Drill through" > "Requirement".
-
-<img src="/images/powerbi/requirement-page.png" alt="Requirement drill-through page in the Power BI report showing rationale, remediation, regional breakdown, and the resource-level check results" width="900" />
-
-The Requirement page contains the following components:
-
-| Component                                  | Description                                                                                  |
-| ------------------------------------------ | -------------------------------------------------------------------------------------------- |
-| Title                                      | Requirement title.                                                                           |
-| Rationale                                  | Rationale for the requirement.                                                               |
-| Remediation                                | Remediation guidance for the requirement.                                                    |
-| Region by Check Status                     | Bar chart of Prowler check results grouped by region and status.                             |
-| Resource Checks for Benchmark Requirements | Table listing resource ID, resource name, status, description, and the underlying Prowler check. |
-
-## Walkthrough Video
-
-A full walkthrough is available on YouTube:
-
-[![Multi-Cloud CIS Benchmarks Power BI walkthrough video thumbnail](/images/powerbi/walkthrough-video-thumb.png)](https://www.youtube.com/watch?v=lfKFkTqBxjU)
-
-## Related Resources
-
-<CardGroup cols={2}>
-  <Card title="Compliance Frameworks" icon="shield-check" href="/user-guide/compliance/tutorials/compliance">
-    Review the Compliance workflow across Prowler Cloud, Prowler App, and Prowler CLI.
-  </Card>
-  <Card title="Prowler Dashboard" icon="chart-line" href="/user-guide/cli/tutorials/dashboard">
-    Explore the built-in local dashboard for Prowler CSV exports.
-  </Card>
-</CardGroup>
@@ -18,7 +18,7 @@ Prowler requests the following read-only OAuth 2.0 scopes:
 | `https://www.googleapis.com/auth/admin.directory.domain.readonly` | Read access to domain information |
 | `https://www.googleapis.com/auth/admin.directory.customer.readonly` | Read access to customer information (Customer ID) |
 | `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read access to organizational unit hierarchy (identifies the root OU for policy filtering) |
-| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Gmail, Chat, and Drive service checks) |
+| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar service checks) |
 | `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read access to admin roles and role assignments |

 <Warning>
@@ -40,7 +40,7 @@ In the [Google Cloud Console](https://console.cloud.google.com), select the targ
 | API | Required For |
 |-----|--------------|
 | **Admin SDK API** | Directory service checks (users, roles, domains) |
-| **Cloud Identity API** | Calendar, Gmail, Chat, and Drive service checks (domain-level application policies) |
+| **Cloud Identity API** | Calendar service checks (domain-level sharing and invitation policies) |

 For each API:

@@ -49,7 +49,7 @@ For each API:
 3. Click **Enable**

 <Note>
-Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar, Gmail, Chat, and Drive checks will return no findings if the Cloud Identity API is not enabled.
+Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar checks will return no findings if the Cloud Identity API is not enabled.
 </Note>

 ### Step 3: Create a Service Account
@@ -176,9 +176,9 @@ If Prowler connects but returns empty results or permission errors for specific
 - Verify all scopes are authorized in the Admin Console
 - Ensure the delegated user is an active super administrator

-### Policy API Checks Return No Findings
+### Calendar Checks Return No Findings

-If the Directory checks run successfully but the Calendar, Gmail, Chat, or Drive checks return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
+If the Directory checks run successfully but the Calendar checks (e.g., `calendar_external_sharing_primary_calendar`) return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:

 - The **Cloud Identity API** is enabled in the GCP project hosting the Service Account (Step 2)
 - The scope `https://www.googleapis.com/auth/cloud-identity.policies.readonly` is included in the Domain-Wide Delegation OAuth scopes list in the Admin Console (Step 5)
@@ -1,37 +0,0 @@
---
-title: 'Scaleway Authentication in Prowler'
---
-
-Prowler authenticates to Scaleway using a **Scaleway API key** (access key + secret key). The integration is read-only and only needs permission to list IAM users and API keys in the audited organization.
-
-## Prerequisites
-
-1. A Scaleway organization with IAM access.
-2. A Scaleway API key with at least the `IAMReadOnly` policy bound to a dedicated IAM user (do not use the account root user).
-3. Your organization ID (visible at the top right of the Scaleway console).
-
-## Authentication Method
-
-Prowler reads credentials **exclusively** from the standard Scaleway environment variables. There are no credential CLI flags, so secrets are never exposed in shell history or process listings.
-
-| Variable | Purpose |
-|---|---|
-| `SCW_ACCESS_KEY` | API key access key |
-| `SCW_SECRET_KEY` | API key secret key |
-| `SCW_DEFAULT_ORGANIZATION_ID` | Optional, required when the key bearer is an application |
-| `SCW_DEFAULT_PROJECT_ID` | Optional, default project for project-scoped resources |
-| `SCW_DEFAULT_REGION` | Optional, defaults to `fr-par` |
-
-The scope variables can also be passed as CLI flags (`--organization-id`, `--project-id`, `--region`), which override the corresponding environment variables.
-
-```bash
-export SCW_ACCESS_KEY="SCW..."
-export SCW_SECRET_KEY="..."
-export SCW_DEFAULT_ORGANIZATION_ID="..."
-
-prowler scaleway
-```
-
-## Required Scaleway Permissions
-
-The API key bearer needs read access to the IAM API in order to list users and API keys. The `IAMReadOnly` policy is sufficient. Refer to the [Scaleway IAM policy reference](https://www.scaleway.com/en/docs/identity-and-access-management/iam/reference-content/permission-sets/) for the full list of permissions.
@@ -1,37 +0,0 @@
---
-title: "Getting Started With Scaleway on Prowler"
---
-
-Prowler for Scaleway scans IAM resources in your Scaleway organization for security misconfigurations. The current release ships one check that flags API keys still owned by the account root user.
-
-## Prerequisites
-
-1. A Scaleway organization with IAM access.
-2. A Scaleway API key with at least the `IAMReadOnly` policy bound to a dedicated IAM user (do not use the account root user).
-3. Your organization ID (visible at the top right of the Scaleway console).
-
-## Authentication
-
-Prowler authenticates to Scaleway with a Scaleway API key. See [Scaleway Authentication in Prowler](./authentication) for the full setup, environment variables, CLI flags, and required permissions.
-
-## Run a scan
-
-```bash
-export SCW_ACCESS_KEY="SCW..."
-export SCW_SECRET_KEY="..."
-export SCW_DEFAULT_ORGANIZATION_ID="..."
-
-prowler scaleway
-```
-
-To run only the IAM root-key check:
-
-```bash
-prowler scaleway --check iam_api_keys_no_root_owned
-```
-
-## Checks shipped
-
-| Check ID | Severity | Description |
-|---|---|---|
-| `iam_api_keys_no_root_owned` | Critical | Fails when any Scaleway IAM API key is still owned by the account root user. |
@@ -0,0 +1,115 @@
+# Prowler Multicloud CIS Benchmarks PowerBI Template
+![Prowler Report](https://github.com/user-attachments/assets/560f7f83-1616-4836-811a-16963223c72f)
+
+## Getting Started
+
+1. Install Microsoft PowerBI Desktop
+
+   This report requires the Microsoft PowerBI Desktop software which can be downloaded for free from Microsoft.
+2. Run compliance scans in Prowler
+
+   The report uses compliance csv outputs from Prowler. Compliance scans be run using either [Prowler CLI](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-cli) or [Prowler Cloud/App](https://cloud.prowler.com/sign-in)
+   1. Prowler CLI -&gt; Run a Prowler scan using the --compliance option
+   2. Prowler Cloud/App -&gt; Navigate to the compliance section to download csv outputs
+![Download Compliance Scan](https://github.com/user-attachments/assets/42c11a60-8ce8-4c60-a663-2371199c052b)
+
+
+   The template supports the following CIS Benchmarks only:
+
+   | Compliance Framework                           | Version |
+   | ---------------------------------------------- | ------- |
+   | CIS Amazon Web Services Foundations Benchmark  | v4.0.1  |
+   | CIS Google Cloud Platform Foundation Benchmark | v3.0.0  |
+   | CIS Microsoft Azure Foundations Benchmark      | v3.0.0  |
+   | CIS Kubernetes Benchmark                       | v1.10.0 |
+
+   Ensure you run or download the correct benchmark versions.
+3. Create a local directory to store Prowler csvoutputs
+
+   Once downloaded, place your csv outputs in a directory on your local machine. If you rename the files, they must maintain the provider in the filename.
+
+   To use time-series capabilities such as "compliance percent over time" you'll need scans from multiple dates.
+4. Download and run the PowerBI template file (.pbit)
+
+   Running the .pbit file will open PowerBI Desktop and prompt you for the full filepath to the local directory
+5. Enter the full filepath to the directory created in step 3
+
+   Provide the full filepath from the root directory.
+
+   Ensure that the filepath is not wrapped in quotation marks (""). If you use Window's "copy as path" feature, it will automatically include quotation marks.
+6. Save the report as a PowerBI file (.pbix)
+
+   Once the filepath is entered, the template will automatically ingest and populate the report. You can then save this file as a new PowerBI report. If you'd like to generate another report, simply re-run the template file (.pbit) from step 4.
+
+## Validation
+
+After setting up your dashboard, you may want to validate the Prowler csv files were ingested correctly. To do this, navigate to the "Configuration" tab.
+
+The "loaded CIS Benchmarks" table shows the supported benchmarks and versions. This is defined by the template file and not editable by the user. All benchmarks will be loaded regardless of which providers you provided csv outputs for.
+
+The "Prowler CSV Folder" shows the path to the local directory you provided.
+
+The "Loaded Prowler Exports" table shows the ingested csv files from the local directory. It will mark files that are treated as the latest assessment with a green checkmark.
+
+![Prowler Validation](https://github.com/user-attachments/assets/a543ca9b-6cbe-4ad1-b32a-d4ac2163d447)
+
+## Report Sections
+
+The PowerBI Report is broken into three main report pages
+
+| Report Page | Description                                                                         |
+| ----------- | ----------------------------------------------------------------------------------- |
+| Overview    | Provides general CIS Benchmark overview across both AWS, Azure, GCP, and Kubernetes |
+| Benchmark   | Provides overview of a single CIS Benchmark                                         |
+| Requirement | Drill-through page to view details of a single requirement                          |
+
+
+### Overview Page
+
+The overview page is a general CIS Benchmark overview across both AWS, Azure, GCP, and Kubernetes.
+
+![image](https://github.com/user-attachments/assets/94164fa9-36a4-4bb9-890d-e9a9a63a3e7d)
+
+The page has the following components:
+
+| Component                                | Description                                                              |
+| ---------------------------------------- | ------------------------------------------------------------------------ |
+| CIS Benchmark Overview                   | Table with benchmark name, Version, and overall compliance percentage    |
+| Provider by Requirement Status           | Bar chart showing benchmark requirements by status by provider           |
+| Compliance Percent Heatmap               | Heatmap showing compliance percent by benchmark and profile level        |
+| Profile level by Requirement Status      | Bar chart showing requirements by status and profile level               |
+| Compliance Percent Over Time by Provider | Line chart showing overall compliance perecentage over time by provider. |
+
+### Benchmark Page
+
+The benchmark page provides an overview of a single CIS Benchmark. You can select the benchmark from the dropdown as well as scope down to specific profile levels or regions.
+
+![image](https://github.com/user-attachments/assets/34498ee8-317b-4b81-b241-c561451d8def)
+
+The page has the following components:
+
+| Component                               | Description                                                                                                                                |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| Compliance Percent Heatmap              | Heatmap showing compliance percent by region and profile level                                                                             |
+| Benchmark Section by Requirement Status | Bar chart showing benchmark requirements by bennchmark section and status                                                                  |
+| Compliance percent Over Time by Region  | Line chart showing overall compliance percentage over time by region                                                                       |
+| Benchmark Requirements                  | Table showing requirement section, requirement number, reuqirement title, number of resources tested, status, and number of failing checks |
+
+### Requirement Page
+
+The requirement page is a drill-through page to view details of a single requirement. To populate the requirement page right click on a requiement from the "Benchmark Requirements" table on the benchmark page and select "Drill through" -&gt; "Requirement".
+
+![image](https://github.com/user-attachments/assets/5c9172d9-56fe-4514-b341-7e708863fad6)
+
+The requirement page has the following components:
+
+| Component                                  | Description                                                                       |
+| ------------------------------------------ | --------------------------------------------------------------------------------- |
+| Title                                      | Title of the requirement                                                          |
+| Rationale                                  | Rationale of the requirement                                                      |
+| Remediation                                | Remedation guidance for the requirement                                           |
+| Region by Check Status                     | Bar chart showing Prowler checks by region and status                             |
+| Resource Checks for Benchmark Requirements | Table showing Resource ID, Resource Name, Status, Description, and Prowler Checkl |
+
+## Walkthrough Video
+[![image](https://github.com/user-attachments/assets/866642c6-43ac-4aac-83d3-bb625002da0b)](https://www.youtube.com/watch?v=lfKFkTqBxjU)
@@ -2,11 +2,11 @@

 All notable changes to the **Prowler MCP Server** are documented in this file.

-## [0.7.0] (Prowler v5.27.0)
+## [0.7.0] (Prowler UNRELEASED)

 ### 🚀 Added

- Finding Groups tools [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)
+- MCP Server tools for Prowler Finding Groups Management [(#11140)](https://github.com/prowler-cloud/prowler/pull/11140)

 ### 🔐 Security

@@ -41,22 +41,12 @@ async def setup_main_server():
        logger.error(f"Failed to import Prowler Documentation server: {e}")


-# Response follows the IETF Health Check Response Format
-# (draft-inadarei-api-health-check-06). `version` is the contract version of
-# this endpoint; `releaseId` is the package build version.
+# Add health check endpoint
@prowler_mcp_server.custom_route("/health", methods=["GET"])
-async def health_check(_request) -> JSONResponse:
+async def health_check(request) -> JSONResponse:
    """Health check endpoint."""
    return JSONResponse(
-        {
-            "status": "pass",
-            "version": "1",
-            "releaseId": __version__,
-            "serviceId": "prowler-mcp-server",
-            "description": "Prowler MCP Server",
-        },
-        media_type="application/health+json",
-        headers={"Cache-Control": "no-store"},
+        {"status": "healthy", "service": "prowler-mcp-server", "version": __version__}
    )


@@ -2,11 +2,6 @@
 build-backend = "setuptools.build_meta"
 requires = ["setuptools>=61.0", "wheel"]

-[dependency-groups]
-dev = [
-  "pytest==8.3.5"
-]
-
 [project]
 dependencies = [
  "fastmcp==2.14.0",
@@ -21,8 +16,5 @@ version = "0.5.0"
 [project.scripts]
 prowler-mcp = "prowler_mcp_server.main:main"

-[tool.pytest.ini_options]
-testpaths = ["tests"]
-
 [tool.uv]
 package = true
@@ -1,46 +0,0 @@
-"""Tests for the Prowler MCP Server health endpoint."""
-
-from starlette.testclient import TestClient
-
-from prowler_mcp_server import __version__
-from prowler_mcp_server.server import app
-
-
-def test_health_returns_ietf_pass_response():
-    """GET /health returns 200 with the IETF health-check body and headers."""
-    client = TestClient(app)
-
-    response = client.get("/health")
-
-    assert response.status_code == 200
-    assert response.headers["content-type"] == "application/health+json"
-    assert response.headers["cache-control"] == "no-store"
-    assert response.json() == {
-        "status": "pass",
-        "version": "1",
-        "releaseId": __version__,
-        "serviceId": "prowler-mcp-server",
-        "description": "Prowler MCP Server",
-    }
-
-
-def test_health_release_id_matches_package_version():
-    """The endpoint must surface the current package __version__ as releaseId.
-
-    Drift between the response and the installed package would mislead any
-    monitoring tool that uses releaseId to identify the running build.
-    """
-    client = TestClient(app)
-
-    response = client.get("/health")
-
-    assert response.json()["releaseId"] == __version__
-
-
-def test_health_rejects_non_get_methods():
-    """The endpoint only exposes GET; other verbs return 405."""
-    client = TestClient(app)
-
-    response = client.post("/health")
-
-    assert response.status_code == 405
@@ -443,15 +443,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/fa/5e/f8e9a1d23b9c20a551a8a02ea3637b4642e22c2626e3a13a9a29cdea99eb/importlib_metadata-8.7.1-py3-none-any.whl", hash = "sha256:5a1f80bf1daa489495071efbb095d75a634cf28a8bc299581244063b53176151", size = 27865, upload-time = "2025-12-21T10:00:18.329Z" },
 ]

-[[package]]
-name = "iniconfig"
-version = "2.3.0"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/72/34/14ca021ce8e5dfedc35312d08ba8bf51fdd999c576889fc2c24cb97f4f10/iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730", size = 20503, upload-time = "2025-10-18T21:55:43.219Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" },
-]
-
 [[package]]
 name = "jaraco-classes"
 version = "3.4.0"
@@ -685,15 +676,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/cf/df/d3f1ddf4bb4cb50ed9b1139cc7b1c54c34a1e7ce8fd1b9a37c0d1551a6bd/opentelemetry_api-1.39.1-py3-none-any.whl", hash = "sha256:2edd8463432a7f8443edce90972169b195e7d6a05500cd29e6d13898187c9950", size = 66356, upload-time = "2025-12-11T13:32:17.304Z" },
 ]

-[[package]]
-name = "packaging"
-version = "26.2"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/d7/f1/e7a6dd94a8d4a5626c03e4e99c87f241ba9e350cd9e6d75123f992427270/packaging-26.2.tar.gz", hash = "sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661", size = 228134, upload-time = "2026-04-24T20:15:23.917Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/df/b2/87e62e8c3e2f4b32e5fe99e0b86d576da1312593b39f47d8ceef365e95ed/packaging-26.2-py3-none-any.whl", hash = "sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e", size = 100195, upload-time = "2026-04-24T20:15:22.081Z" },
-]
-
 [[package]]
 name = "pathable"
 version = "0.4.4"
@@ -721,15 +703,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/73/cb/ac7874b3e5d58441674fb70742e6c374b28b0c7cb988d37d991cde47166c/platformdirs-4.5.0-py3-none-any.whl", hash = "sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3", size = 18651, upload-time = "2025-10-08T17:44:47.223Z" },
 ]

-[[package]]
-name = "pluggy"
-version = "1.6.0"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412, upload-time = "2025-05-15T12:30:07.975Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538, upload-time = "2025-05-15T12:30:06.134Z" },
-]
-
 [[package]]
 name = "prometheus-client"
 version = "0.24.1"
@@ -748,20 +721,12 @@ dependencies = [
    { name = "httpx" },
 ]

-[package.dev-dependencies]
-dev = [
-    { name = "pytest" },
-]
-
 [package.metadata]
 requires-dist = [
    { name = "fastmcp", specifier = "==2.14.0" },
    { name = "httpx", specifier = "==0.28.1" },
 ]

-[package.metadata.requires-dev]
-dev = [{ name = "pytest", specifier = "==8.3.5" }]
-
 [[package]]
 name = "py-key-value-aio"
 version = "0.3.0"
@@ -941,21 +906,6 @@ wheels = [
    { url = "https://files.pythonhosted.org/packages/1e/bc/22540e73c5f5ae18f02924cd3954a6c9a4aa6b713c841a94c98335d333a1/pyperclip-1.10.0-py3-none-any.whl", hash = "sha256:596fbe55dc59263bff26e61d2afbe10223e2fccb5210c9c96a28d6887cfcc7ec", size = 11062, upload-time = "2025-09-18T00:53:59.252Z" },
 ]

-[[package]]
-name = "pytest"
-version = "8.3.5"
-source = { registry = "https://pypi.org/simple" }
-dependencies = [
-    { name = "colorama", marker = "sys_platform == 'win32'" },
-    { name = "iniconfig" },
-    { name = "packaging" },
-    { name = "pluggy" },
-]
-sdist = { url = "https://files.pythonhosted.org/packages/ae/3c/c9d525a414d506893f0cd8a8d0de7706446213181570cdbd766691164e40/pytest-8.3.5.tar.gz", hash = "sha256:f4efe70cc14e511565ac476b57c279e12a855b11f48f212af1080ef2263d3845", size = 1450891, upload-time = "2025-03-02T12:54:54.503Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/30/3d/64ad57c803f1fa1e963a7946b6e0fea4a70df53c1a7fed304586539c2bac/pytest-8.3.5-py3-none-any.whl", hash = "sha256:c69214aa47deac29fad6c2a4f590b9c4a9fdb16a403176fe154b79c0b4d4d820", size = 343634, upload-time = "2025-03-02T12:54:52.069Z" },
-]
-
 [[package]]
 name = "python-dotenv"
 version = "1.1.1"
@@ -2,24 +2,20 @@

 All notable changes to the **Prowler SDK** are documented in this file.

-## [5.27.0] (Prowler v5.27.0)
+## [5.27.0] (Prowler UNRELEASED)

 ### 🚀 Added

- 6 Chat file sharing, external messaging, spaces, and apps access checks for Google Workspace provider using the Cloud Identity Policy API [(#11126)](https://github.com/prowler-cloud/prowler/pull/11126)
 - `entra_service_principal_no_secrets_for_permanent_tier0_roles` check for M365 provider [(#10788)](https://github.com/prowler-cloud/prowler/pull/10788)
 - `iam_user_access_not_stale_to_sagemaker` check for AWS provider with configurable `max_unused_sagemaker_access_days` (default 90) [(#11000)](https://github.com/prowler-cloud/prowler/pull/11000)
 - `cloudtrail_bedrock_logging_enabled` check for AWS provider [(#10858)](https://github.com/prowler-cloud/prowler/pull/10858)
 - Okta provider with OAuth 2.0 authentication and `signon_global_session_idle_timeout_15min` check [(#11079)](https://github.com/prowler-cloud/prowler/pull/11079)
 - `sagemaker_domain_sso_configured` check for AWS provider [(#11094)](https://github.com/prowler-cloud/prowler/pull/11094)
- Scaleway provider with `iam_api_keys_no_root_owned` check [(#11166)](https://github.com/prowler-cloud/prowler/pull/11166)

 ### 🔄 Changed

 - `entra_emergency_access_exclusion` check for M365 provider now scopes the exclusion requirement to enabled Conditional Access policies with a `Block` grant control instead of every enabled policy, focusing on the lockout-relevant policy set [(#10849)](https://github.com/prowler-cloud/prowler/pull/10849)
 - AWS IAM customer-managed policy checks no longer emit `FAIL` on unattached policies unless `--scan-unused-services` is enabled [(#11150)](https://github.com/prowler-cloud/prowler/pull/11150)
- Replace `poetry` with `uv` as package manager [(#11162)](https://github.com/prowler-cloud/prowler/pull/11162)
- Replace `safety` with `osv-scanner` for dependency vulnerability scanning in SDK CI and pre-commit [(#11167)](https://github.com/prowler-cloud/prowler/pull/11167)

 ### 🐞 Fixed

@@ -27,10 +23,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Google Workspace Calendar and Drive services sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11161)](https://github.com/prowler-cloud/prowler/pull/11161)
 - `zone_waf_enabled` check for Cloudflare provider now appends a plan-aware hint to the FAIL `status_extended`: a possible-false-positive note on paid plans (Pro, Business, Enterprise) where the legacy `waf` zone setting can read `off` even though WAF managed rulesets are deployed via the dashboard, and a "not available on the Cloudflare Free plan" note on Free zones [(#9896)](https://github.com/prowler-cloud/prowler/pull/9896)
 - Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11169)](https://github.com/prowler-cloud/prowler/pull/11169)
- Google Workspace Drive and Calendar services missing server-side policy filters [(#11195)](https://github.com/prowler-cloud/prowler/pull/11195)
+
+---
+
+## [5.26.2] (Prowler UNRELEASED)
+
+### 🐞 Fixed
+
 - `entra_users_mfa_capable` and `entra_break_glass_account_fido2_security_key_registered` report a preventive FAIL per affected user (with the missing permission named) when the M365 service principal lacks `AuditLog.Read.All`, instead of mass false positives [(#10907)](https://github.com/prowler-cloud/prowler/pull/10907)
- Duplicated GCP CIS requirements IDs [(#11180)](https://github.com/prowler-cloud/prowler/pull/11180)
- `VercelSession.token` is now excluded from serialization and representation to prevent the Vercel API token from leaking through `.dict()`, `.json()` or logs [(#11198)](https://github.com/prowler-cloud/prowler/pull/11198)

 ---

@@ -157,7 +157,6 @@ from prowler.providers.nhn.models import NHNOutputOptions
 from prowler.providers.okta.models import OktaOutputOptions
 from prowler.providers.openstack.models import OpenStackOutputOptions
 from prowler.providers.oraclecloud.models import OCIOutputOptions
-from prowler.providers.scaleway.models import ScalewayOutputOptions
 from prowler.providers.vercel.models import VercelOutputOptions


@@ -432,10 +431,6 @@ def prowler():
        output_options = OktaOutputOptions(
            args, bulk_checks_metadata, global_provider.identity
        )
-    elif provider == "scaleway":
-        output_options = ScalewayOutputOptions(
-            args, bulk_checks_metadata, global_provider.identity
-        )

    # Run the quick inventory for the provider if available
    if hasattr(args, "quick_inventory") and args.quick_inventory:
@@ -914,7 +914,7 @@
      ]
    },
    {
-      "Id": "3.10",
+      "Id": "3.1",
      "Description": "Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'",
      "Checks": [],
      "Attributes": [
@@ -1132,7 +1132,7 @@
      ]
    },
    {
-      "Id": "4.10",
+      "Id": "4.1",
      "Description": "Ensure That App Engine Applications Enforce HTTPS Connections",
      "Checks": [],
      "Attributes": [
@@ -1084,9 +1084,7 @@
    {
      "Id": "3.1.4.1.1",
      "Description": "Ensure external filesharing in Google Chat and Hangouts is disabled",
-      "Checks": [
-        "chat_external_file_sharing_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1107,9 +1105,7 @@
    {
      "Id": "3.1.4.1.2",
      "Description": "Ensure internal filesharing in Google Chat and Hangouts is disabled",
-      "Checks": [
-        "chat_internal_file_sharing_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1130,9 +1126,7 @@
    {
      "Id": "3.1.4.2.1",
      "Description": "Ensure Google Chat externally is restricted to allowed domains",
-      "Checks": [
-        "chat_external_messaging_restricted"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1153,9 +1147,7 @@
    {
      "Id": "3.1.4.3.1",
      "Description": "Ensure external spaces in Google Chat and Hangouts are restricted",
-      "Checks": [
-        "chat_external_spaces_restricted"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1176,9 +1168,7 @@
    {
      "Id": "3.1.4.4.1",
      "Description": "Ensure allow users to install Chat apps is disabled",
-      "Checks": [
-        "chat_apps_installation_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1199,9 +1189,7 @@
    {
      "Id": "3.1.4.4.2",
      "Description": "Ensure allow users to add and use incoming webhooks is disabled",
-      "Checks": [
-        "chat_incoming_webhooks_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "3 Apps",
@@ -1466,9 +1466,7 @@
    {
      "Id": "GWS.CHAT.2.1",
      "Description": "External file sharing SHALL be disabled to protect sensitive information from unauthorized or accidental sharing",
-      "Checks": [
-        "chat_external_file_sharing_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "Chat",
@@ -1494,9 +1492,7 @@
    {
      "Id": "GWS.CHAT.4.1",
      "Description": "External chat messaging SHALL be restricted to allowlisted domains only",
-      "Checks": [
-        "chat_external_messaging_restricted"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "Chat",
@@ -75,7 +75,6 @@ class Provider(str, Enum):
    ALIBABACLOUD = "alibabacloud"
    OPENSTACK = "openstack"
    IMAGE = "image"
-    SCALEWAY = "scaleway"
    VERCEL = "vercel"
    OKTA = "okta"

@@ -741,10 +741,6 @@ def execute(
                is_finding_muted_args["team_id"] = (
                    team.id if team else global_provider.identity.user_id
                )
-            elif global_provider.type == "scaleway":
-                is_finding_muted_args["organization_id"] = (
-                    global_provider.identity.organization_id
-                )
            elif global_provider.type == "oraclecloud":
                is_finding_muted_args["tenancy_id"] = (
                    global_provider.identity.tenancy_id
@@ -1318,54 +1318,6 @@ class CheckReportVercel(Check_Report):
        return "global"


-@dataclass
-class CheckReportScaleway(Check_Report):
-    """Contains the Scaleway Check's finding information.
-
-    Scaleway scans run at the organization level. Most IAM/account-level
-    resources are global; regional resources expose a ``region`` attribute
-    on the underlying object, which we surface as the report ``region``.
-    """
-
-    resource_name: str
-    resource_id: str
-    organization_id: str
-
-    def __init__(
-        self,
-        metadata: Dict,
-        resource: Any,
-        resource_name: str = None,
-        resource_id: str = None,
-        organization_id: str = None,
-    ) -> None:
-        """Initialize the Scaleway Check's finding information.
-
-        Args:
-            metadata: Check metadata dictionary.
-            resource: The Scaleway resource being checked.
-            resource_name: Override for resource name.
-            resource_id: Override for resource ID.
-            organization_id: Override for the organization ID.
-        """
-        super().__init__(metadata, resource)
-        self.resource_name = resource_name or getattr(
-            resource, "name", getattr(resource, "resource_name", "")
-        )
-        self.resource_id = resource_id or getattr(
-            resource, "id", getattr(resource, "resource_id", "")
-        )
-        self.organization_id = organization_id or getattr(
-            resource, "organization_id", ""
-        )
-        self._region = getattr(resource, "region", None) or "global"
-
-    @property
-    def region(self) -> str:
-        """Scaleway regional resources expose their own region; IAM is global."""
-        return self._region
-
-
 # Testing Pending
 def load_check_metadata(metadata_file: str) -> CheckMetadata:
    """
@@ -29,10 +29,10 @@ class ProwlerArgumentParser:
        self.parser = argparse.ArgumentParser(
            prog="prowler",
            formatter_class=RawTextHelpFormatter,
-            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel,dashboard,iac,image,llm} ...",
+            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,vercel,dashboard,iac,image,llm} ...",
            epilog="""
 Available Cloud Providers:
-  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,scaleway,vercel}
+  {aws,azure,gcp,kubernetes,m365,github,googleworkspace,okta,iac,llm,image,nhn,mongodbatlas,oraclecloud,alibabacloud,cloudflare,openstack,vercel}
    aws                 AWS Provider
    azure               Azure Provider
    gcp                 GCP Provider
@@ -50,7 +50,6 @@ Available Cloud Providers:
    image               Container Image Provider
    nhn                 NHN Provider (Unofficial)
    mongodbatlas        MongoDB Atlas Provider
-    scaleway            Scaleway Provider
    vercel              Vercel Provider

 Available components:
@@ -442,18 +442,6 @@ class Finding(BaseModel):
                output_data["resource_uid"] = check_output.resource_id
                output_data["region"] = "global"

-            elif provider.type == "scaleway":
-                output_data["auth_method"] = "api_key"
-                output_data["account_uid"] = get_nested_attribute(
-                    provider, "identity.organization_id"
-                )
-                output_data["account_name"] = get_nested_attribute(
-                    provider, "identity.bearer_email"
-                ) or get_nested_attribute(provider, "identity.organization_id")
-                output_data["resource_name"] = check_output.resource_name
-                output_data["resource_uid"] = check_output.resource_id
-                output_data["region"] = check_output.region
-
            elif provider.type == "alibabacloud":
                output_data["auth_method"] = get_nested_attribute(
                    provider, "identity.identity_arn"
@@ -1450,77 +1450,6 @@ class HTML(Output):
            )
            return ""

-    @staticmethod
-    def get_scaleway_assessment_summary(provider: Provider) -> str:
-        """
-        get_scaleway_assessment_summary gets the HTML assessment summary for the Scaleway provider
-
-        Args:
-            provider (Provider): the Scaleway provider object
-
-        Returns:
-            str: HTML assessment summary for the Scaleway provider
-        """
-        try:
-            assessment_items = f"""
-                            <li class="list-group-item">
-                                <b>Organization ID:</b> {provider.identity.organization_id}
-                            </li>"""
-
-            credentials_items = """
-                            <li class="list-group-item">
-                                <b>Authentication:</b> API Key
-                            </li>"""
-
-            access_key = getattr(provider.session, "access_key", None)
-            if access_key:
-                credentials_items += f"""
-                            <li class="list-group-item">
-                                <b>Access Key:</b> {access_key}
-                            </li>"""
-
-            bearer_type = getattr(provider.identity, "bearer_type", None)
-            bearer_email = getattr(provider.identity, "bearer_email", None)
-            bearer_id = getattr(provider.identity, "bearer_id", None)
-            if bearer_type:
-                bearer_label = bearer_email or bearer_id or "-"
-                credentials_items += f"""
-                            <li class="list-group-item">
-                                <b>Bearer:</b> {bearer_type} ({bearer_label})
-                            </li>"""
-
-            region = getattr(provider.session, "default_region", None)
-            if region:
-                credentials_items += f"""
-                            <li class="list-group-item">
-                                <b>Default Region:</b> {region}
-                            </li>"""
-
-            return f"""
-                <div class="col-md-2">
-                    <div class="card">
-                        <div class="card-header">
-                            Scaleway Assessment Summary
-                        </div>
-                        <ul class="list-group list-group-flush">{assessment_items}
-                        </ul>
-                    </div>
-                </div>
-                <div class="col-md-4">
-                    <div class="card">
-                        <div class="card-header">
-                            Scaleway Credentials
-                        </div>
-                        <ul class="list-group list-group-flush">{credentials_items}
-                        </ul>
-                    </div>
-                </div>"""
-        except Exception as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
-            )
-            return ""
-
    @staticmethod
    def get_assessment_summary(provider: Provider) -> str:
        """
@@ -42,8 +42,6 @@ def stdout_report(finding, color, verbose, status, fix):
        details = finding.region
    if finding.check_metadata.Provider == "okta":
        details = finding.region
-    if finding.check_metadata.Provider == "scaleway":
-        details = finding.region

    if (verbose or fix) and (not status or finding.status in status):
        if finding.muted:
@@ -111,9 +111,6 @@ def display_summary_table(
        elif provider.type == "okta":
            entity_type = "Okta Org"
            audited_entities = provider.identity.org_domain
-        elif provider.type == "scaleway":
-            entity_type = "Organization"
-            audited_entities = provider.identity.organization_id

        # Check if there are findings and that they are not all MANUAL
        if findings and not all(finding.status == "MANUAL" for finding in findings):
@@ -416,18 +416,6 @@ class Provider(ABC):
                        mutelist_path=arguments.mutelist_file,
                        fixer_config=fixer_config,
                    )
-                elif "scaleway" in provider_class_name.lower():
-                    # Credentials are read from the SCW_ACCESS_KEY /
-                    # SCW_SECRET_KEY env vars by the provider itself; there
-                    # are no credential CLI flags to avoid leaking secrets.
-                    provider_class(
-                        organization_id=getattr(arguments, "organization_id", None),
-                        project_id=getattr(arguments, "project_id", None),
-                        region=getattr(arguments, "region", None),
-                        config_path=arguments.config_file,
-                        mutelist_path=arguments.mutelist_file,
-                        fixer_config=fixer_config,
-                    )

        except TypeError as error:
            logger.critical(
@@ -30,10 +30,7 @@ class Calendar(GoogleWorkspaceService):
                logger.error("Failed to build Cloud Identity service")
                return

-            request = service.policies().list(
-                pageSize=100,
-                filter='setting.type.matches("calendar.*")',
-            )
+            request = service.policies().list(pageSize=100)
            fetch_succeeded = True

            while request is not None:
@@ -1,39 +0,0 @@
-{
-  "Provider": "googleworkspace",
-  "CheckID": "chat_apps_installation_disabled",
-  "CheckTitle": "Chat apps installation is disabled for users",
-  "CheckType": [],
-  "ServiceName": "chat",
-  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "NotDefined",
-  "ResourceGroup": "collaboration",
-  "Description": "Google Chat apps connect to external services to look up information, schedule meetings, or complete tasks. Apps are accounts created by Google, users in the organization, or third parties that can access user data including **email addresses**, **conversation content**, and **organizational information**.",
-  "Risk": "Unrestricted Chat app installation allows **unvetted third-party applications** to access user data including conversation content and organizational information. An attacker could distribute a malicious Chat app to **exfiltrate confidential data** or establish **persistent access** to internal communications.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://support.google.com/a/answer/6089179",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
-  ],
-  "Remediation": {
-    "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat apps**\n4. Under Chat apps access settings, set **Allow users to install Chat apps** to **OFF**\n5. Click **Save**",
-      "Terraform": ""
-    },
-    "Recommendation": {
-      "Text": "Disable Chat apps installation to prevent **unvetted third-party applications** from accessing organizational data through the Chat platform.",
-      "Url": "https://hub.prowler.com/check/chat_apps_installation_disabled"
-    }
-  },
-  "Categories": [
-    "trust-boundaries"
-  ],
-  "DependsOn": [],
-  "RelatedTo": [
-    "chat_incoming_webhooks_disabled"
-  ],
-  "Notes": ""
-}
@@ -1,52 +0,0 @@
-from typing import List
-
-from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
-from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
-
-
-class chat_apps_installation_disabled(Check):
-    """Check that users cannot install Chat apps.
-
-    This check verifies that the domain-level Chat policy prevents users
-    from installing Chat apps, reducing the risk of data exposure through
-    third-party or unvetted applications.
-    """
-
-    def execute(self) -> List[CheckReportGoogleWorkspace]:
-        findings = []
-
-        if chat_client.policies_fetched:
-            report = CheckReportGoogleWorkspace(
-                metadata=self.metadata(),
-                resource=chat_client.policies,
-                resource_id="chatPolicies",
-                resource_name="Chat Policies",
-                customer_id=chat_client.provider.identity.customer_id,
-            )
-
-            apps_enabled = chat_client.policies.enable_apps
-
-            if apps_enabled is False:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"Chat apps installation is disabled "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            elif apps_enabled is None:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"Chat apps installation uses Google's secure default "
-                    f"configuration (disabled) "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            else:
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"Chat apps installation is enabled "
-                    f"in domain {chat_client.provider.identity.domain}. "
-                    f"Chat apps installation should be disabled to prevent unvetted apps."
-                )
-
-            findings.append(report)
-
-        return findings
@@ -1,4 +0,0 @@
-from prowler.providers.common.provider import Provider
-from prowler.providers.googleworkspace.services.chat.chat_service import Chat
-
-chat_client = Chat(Provider.get_global_provider())
@@ -1,40 +0,0 @@
-{
-  "Provider": "googleworkspace",
-  "CheckID": "chat_external_file_sharing_disabled",
-  "CheckTitle": "External file sharing in Chat is set to no files",
-  "CheckType": [],
-  "ServiceName": "chat",
-  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "NotDefined",
-  "ResourceGroup": "collaboration",
-  "Description": "Google Chat **external file sharing** controls whether users can share files with people outside the organization via Chat conversations. Files often contain **confidential information**, and organizations in regulated industries need to control the flow of this information outside their boundaries.",
-  "Risk": "Enabled external file sharing allows users to send files containing **confidential information** to external parties through Chat. This creates a **data leakage** channel that bypasses DLP controls, particularly dangerous for organizations handling **regulated data** such as PII, PHI, or financial records.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
-  ],
-  "Remediation": {
-    "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat File Sharing**\n4. Under Setting, set **External filesharing** to **No files**\n5. Click **Save**",
-      "Terraform": ""
-    },
-    "Recommendation": {
-      "Text": "Disable **external file sharing** in Chat to prevent users from sharing files with people outside the organization through Chat conversations.",
-      "Url": "https://hub.prowler.com/check/chat_external_file_sharing_disabled"
-    }
-  },
-  "Categories": [
-    "trust-boundaries"
-  ],
-  "DependsOn": [],
-  "RelatedTo": [
-    "chat_internal_file_sharing_disabled",
-    "drive_sharing_allowlisted_domains"
-  ],
-  "Notes": ""
-}
@@ -1,52 +0,0 @@
-from typing import List
-
-from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
-from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
-
-
-class chat_external_file_sharing_disabled(Check):
-    """Check that external file sharing in Google Chat is disabled.
-
-    This check verifies that the domain-level Chat policy prevents users
-    from sharing files with people outside the organization via Chat,
-    protecting sensitive information from unauthorized external access.
-    """
-
-    def execute(self) -> List[CheckReportGoogleWorkspace]:
-        findings = []
-
-        if chat_client.policies_fetched:
-            report = CheckReportGoogleWorkspace(
-                metadata=self.metadata(),
-                resource=chat_client.policies,
-                resource_id="chatPolicies",
-                resource_name="Chat Policies",
-                customer_id=chat_client.provider.identity.customer_id,
-            )
-
-            external_sharing = chat_client.policies.external_file_sharing
-
-            if external_sharing == "NO_FILES":
-                report.status = "PASS"
-                report.status_extended = (
-                    f"External file sharing in Chat is disabled "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            else:
-                report.status = "FAIL"
-                if external_sharing is None:
-                    report.status_extended = (
-                        f"External file sharing in Chat is not explicitly configured "
-                        f"in domain {chat_client.provider.identity.domain}. "
-                        f"External file sharing should be set to No files."
-                    )
-                else:
-                    report.status_extended = (
-                        f"External file sharing in Chat is set to {external_sharing} "
-                        f"in domain {chat_client.provider.identity.domain}. "
-                        f"External file sharing should be set to No files."
-                    )
-
-            findings.append(report)
-
-        return findings
@@ -1,40 +0,0 @@
-{
-  "Provider": "googleworkspace",
-  "CheckID": "chat_external_messaging_restricted",
-  "CheckTitle": "External Chat messaging is restricted to allowed domains",
-  "CheckType": [],
-  "ServiceName": "chat",
-  "SubServiceName": "",
-  "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "NotDefined",
-  "ResourceGroup": "collaboration",
-  "Description": "Google Chat **external messaging** controls whether users can send messages to people outside the organization. If external messaging is allowed, it can optionally be restricted to only **allowlisted domains** to limit the scope of external communication.",
-  "Risk": "Unrestricted external messaging allows users to communicate freely with **any external party**, increasing the risk of **data exfiltration** through conversation content and **social engineering attacks** from untrusted domains targeting internal users.",
-  "RelatedUrl": "",
-  "AdditionalURLs": [
-    "https://support.google.com/a/answer/9540647",
-    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
-  ],
-  "Remediation": {
-    "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **External Chat Settings**\n4. Select **Chat externally**\n5. Set **Allow users to send messages outside the organization** to **ON**\n6. Check **Only allow this for allowlisted domains**\n7. Click **Save**",
-      "Terraform": ""
-    },
-    "Recommendation": {
-      "Text": "Restrict **external Chat messaging** to **allowlisted domains** only to limit information flow to trusted parties and reduce exposure to external threats.",
-      "Url": "https://hub.prowler.com/check/chat_external_messaging_restricted"
-    }
-  },
-  "Categories": [
-    "trust-boundaries"
-  ],
-  "DependsOn": [],
-  "RelatedTo": [
-    "chat_external_spaces_restricted",
-    "drive_sharing_allowlisted_domains"
-  ],
-  "Notes": ""
-}
@@ -1,59 +0,0 @@
-from typing import List
-
-from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
-from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
-
-
-class chat_external_messaging_restricted(Check):
-    """Check that external Chat messaging is restricted to allowed domains.
-
-    This check verifies that external Chat messaging is either disabled
-    entirely or restricted to allowlisted domains only, preventing
-    unrestricted communication with external users.
-    """
-
-    def execute(self) -> List[CheckReportGoogleWorkspace]:
-        findings = []
-
-        if chat_client.policies_fetched:
-            report = CheckReportGoogleWorkspace(
-                metadata=self.metadata(),
-                resource=chat_client.policies,
-                resource_id="chatPolicies",
-                resource_name="Chat Policies",
-                customer_id=chat_client.provider.identity.customer_id,
-            )
-
-            allow_external = chat_client.policies.allow_external_chat
-            restriction = chat_client.policies.external_chat_restriction
-
-            if allow_external is False:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"External Chat messaging is disabled "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            elif allow_external is None and restriction is None:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"External Chat messaging uses Google's secure default "
-                    f"configuration (disabled) "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            elif restriction == "TRUSTED_DOMAINS":
-                report.status = "PASS"
-                report.status_extended = (
-                    f"External Chat messaging is restricted to allowed domains "
-                    f"in domain {chat_client.provider.identity.domain}."
-                )
-            else:
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"External Chat messaging is not restricted to allowed domains "
-                    f"in domain {chat_client.provider.identity.domain}. "
-                    f"External messaging should be restricted to allowed domains only."
-                )
-
-            findings.append(report)
-
-        return findings
--- a/Show More
+++ b/Show More