feat(api): show only production URL in API reference playground

Merge branch 'master' into DEVREL-98-include-open-api-specification-in-mintlify
chore: update CHANGELOG
2026-06-10 13:32:44 +00:00 · 2025-11-12 09:47:28 +01:00 · 2025-11-12 09:22:08 +01:00 · 2025-11-11 07:36:18 +01:00 · 2025-11-10 08:57:34 +01:00 · 2025-11-10 08:39:59 +01:00
1388 changed files with 64838 additions and 96797 deletions
@@ -14,13 +14,14 @@ UI_PORT=3000
 AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
 # Google Tag Manager ID
 NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""
-
-#### MCP Server ####
-PROWLER_MCP_VERSION=stable
-# For UI and MCP running on docker:
-PROWLER_MCP_SERVER_URL=http://mcp-server:8000/mcp
-# For UI running on host, MCP in docker:
-# PROWLER_MCP_SERVER_URL=http://localhost:8000/mcp
+# Sentry
+SENTRY_DSN=
+NEXT_PUBLIC_SENTRY_DSN=
+SENTRY_ORG=
+SENTRY_PROJECT=
+SENTRY_AUTH_TOKEN=
+SENTRY_ENVIRONMENT=production
+NEXT_PUBLIC_SENTRY_ENVIRONMENT=production

 #### Code Review Configuration ####
 # Enable Claude Code standards validation on pre-push hook
@@ -115,11 +116,9 @@ DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
 # Sentry settings
 SENTRY_ENVIRONMENT=local
 SENTRY_RELEASE=local
-NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
-

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.2
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.12.2

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -147,3 +146,4 @@ LANGCHAIN_PROJECT=""
 RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true}]'
 # Example with multiple sources (no trailing comma after last item):
 # RSS_FEED_SOURCES='[{"id":"prowler-releases","name":"Prowler Releases","type":"github_releases","url":"https://github.com/prowler-cloud/prowler/releases.atom","enabled":true},{"id":"prowler-blog","name":"Prowler Blog","type":"blog","url":"https://prowler.com/blog/rss","enabled":false}]'
+
@@ -87,7 +87,7 @@ runs:
      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      if: always()
      with:
-        name: trivy-scan-report-${{ inputs.image-name }}-${{ inputs.image-tag }}
+        name: trivy-scan-report-${{ inputs.image-name }}
        path: trivy-report.json
        retention-days: ${{ inputs.artifact-retention-days }}

@@ -1,6 +1,5 @@
 {
  "channel": "${{ env.SLACK_CHANNEL_ID }}",
-  "ts": "${{ env.MESSAGE_TS }}",
  "attachments": [
    {
      "color": "${{ env.STATUS_COLOR }}",
@@ -1,254 +0,0 @@
-name: 'API: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Get current API version
-        id: get_api_version
-        run: |
-          CURRENT_API_VERSION=$(grep -oP '^version = "\K[^"]+' api/pyproject.toml)
-          echo "current_api_version=${CURRENT_API_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current API version: $CURRENT_API_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next API minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 -> API 1.18.0
-          # For next master (Prowler 5.18.0) -> API 1.19.0
-          NEXT_API_VERSION=1.$((MINOR_VERSION + 2)).0
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_API_VERSION=${NEXT_API_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "Current API version: $CURRENT_API_VERSION"
-          echo "Next API minor version (for master): $NEXT_API_VERSION"
-
-      - name: Bump API versions in files for master
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API minor version to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # API version follows Prowler minor + 1
-          # For Prowler 5.17.0 release -> version branch v5.17 should have API 1.18.1
-          FIRST_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).1
-
-          echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_API_PATCH_VERSION=${FIRST_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0"
-          echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${FIRST_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first API patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.FIRST_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.FIRST_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.FIRST_API_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next API patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}"
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          # Extract current API patch to increment it
-          if [[ $CURRENT_API_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            API_PATCH=${BASH_REMATCH[3]}
-
-            # API version follows Prowler minor + 1
-            # Keep same API minor (based on Prowler minor), increment patch
-            NEXT_API_PATCH_VERSION=1.$((MINOR_VERSION + 1)).$((API_PATCH + 1))
-
-            echo "CURRENT_API_VERSION=${CURRENT_API_VERSION}" >> "${GITHUB_ENV}"
-            echo "NEXT_API_PATCH_VERSION=${NEXT_API_PATCH_VERSION}" >> "${GITHUB_ENV}"
-            echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-            echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}"
-            echo "Current API version: $CURRENT_API_VERSION"
-            echo "Next API patch version: $NEXT_API_PATCH_VERSION"
-            echo "Target branch: $VERSION_BRANCH"
-          else
-            echo "::error::Invalid API version format: $CURRENT_API_VERSION"
-            exit 1
-          fi
-
-      - name: Bump API versions in files for version branch
-        run: |
-          set -e
-
-          sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml
-          sed -i "s|spectacular_settings.VERSION = \"${CURRENT_API_VERSION}\"|spectacular_settings.VERSION = \"${NEXT_API_PATCH_VERSION}\"|" api/src/backend/api/v1/views.py
-          sed -i "s|  version: ${CURRENT_API_VERSION}|  version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next API patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          branch: api-version-bump-to-v${{ env.NEXT_API_PATCH_VERSION }}
-          title: 'chore(api): Bump version to v${{ env.NEXT_API_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler API version to v${{ env.NEXT_API_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -7,16 +7,10 @@ on:
    paths:
      - 'api/**'
      - 'prowler/**'
-      - '.github/workflows/api-container-build-push.yml'
+      - '.github/workflows/api-build-lint-push-containers.yml'
  release:
    types:
      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string

 permissions:
  contents: read
@@ -28,7 +22,7 @@ concurrency:
 env:
  # Tags
  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
  STABLE_TAG: stable
  WORKING_DIRECTORY: ./api

@@ -48,44 +42,9 @@ jobs:
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
    needs: setup
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: API
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -104,88 +63,50 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build and push API container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+      - name: Build and push API container (latest)
+        if: github.event_name == 'push'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
-          platforms: ${{ matrix.platform }}
          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@f61d18f46c86af724a9c804cb9ff2a6fec741c7c # main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: API
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push API container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
        uses: ./.github/actions/slack-notification
        env:
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
          COMPONENT: API
          RELEASE_TAG: ${{ env.RELEASE_TAG }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -194,8 +115,7 @@ jobs:
        with:
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}

  trigger-deployment:
    if: github.event_name == 'push'
@@ -20,7 +20,6 @@ env:

 jobs:
  api-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -44,17 +43,7 @@ jobs:
          ignore: DL3013

  api-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
@@ -79,23 +68,22 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build container for ${{ matrix.arch }}
+      - name: Build container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-      - name: Scan container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -1,39 +0,0 @@
-name: 'Tools: Comment Label Update'
-
-on:
-  issue_comment:
-    types:
-      - 'created'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.issue.number }}
-  cancel-in-progress: false
-
-jobs:
-  update-labels:
-    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      issues: write
-      pull-requests: write
-
-    steps:
-      - name: Remove 'status/awaiting-response' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Removing 'status/awaiting-response' label from #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels/status%2Fawaiting-response \
-            -X DELETE
-
-      - name: Add 'status/waiting-for-revision' label
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          echo "Adding 'status/waiting-for-revision' label to #$ISSUE_NUMBER"
-          gh api /repos/${{ github.repository }}/issues/$ISSUE_NUMBER/labels \
-            -X POST \
-            -f labels[]='status/waiting-for-revision'
@@ -1,247 +0,0 @@
-name: 'Docs: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump versions in documentation for master
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-          CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -10,12 +10,6 @@ on:
  release:
    types:
      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string

 permissions:
  contents: read
@@ -27,7 +21,7 @@ concurrency:
 env:
  # Tags
  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
  STABLE_TAG: stable
  WORKING_DIRECTORY: ./mcp_server

@@ -47,44 +41,9 @@ jobs:
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
    needs: setup
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: MCP
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -102,96 +61,65 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build and push MCP container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+      - name: Build and push MCP container (latest)
+        if: github.event_name == 'push'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
-          platforms: ${{ matrix.platform }}
          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
          labels: |
            org.opencontainers.image.title=Prowler MCP Server
            org.opencontainers.image.description=Model Context Protocol server for Prowler
            org.opencontainers.image.vendor=ProwlerPro, Inc.
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
-            ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: MCP
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push MCP container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          labels: |
+            org.opencontainers.image.title=Prowler MCP Server
+            org.opencontainers.image.description=Model Context Protocol server for Prowler
+            org.opencontainers.image.vendor=ProwlerPro, Inc.
+            org.opencontainers.image.version=${{ env.RELEASE_TAG }}
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ github.event.release.published_at }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
        uses: ./.github/actions/slack-notification
        env:
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
          COMPONENT: MCP
          RELEASE_TAG: ${{ env.RELEASE_TAG }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -200,8 +128,7 @@ jobs:
        with:
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}

  trigger-deployment:
    if: github.event_name == 'push'
@@ -20,7 +20,6 @@ env:

 jobs:
  mcp-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
@@ -43,17 +42,7 @@ jobs:
          dockerfile: mcp_server/Dockerfile

  mcp-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
@@ -77,23 +66,22 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build MCP container for ${{ matrix.arch }}
+      - name: Build MCP container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan MCP container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -13,10 +13,7 @@ concurrency:

 jobs:
  trigger-cloud-pull-request:
-    if: |
-      github.event.pull_request.merged == true &&
-      github.repository == 'prowler-cloud/prowler' &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-sync')
+    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
@@ -88,56 +88,59 @@ jobs:

    - name: Read changelog versions from release branch
      run: |
-        # Function to extract the version for a specific Prowler release from changelog
-        # This looks for entries with "(Prowler X.Y.Z)" to find the released version
-        extract_version_for_release() {
+        # Function to extract the latest version from changelog
+        extract_latest_version() {
          local changelog_file="$1"
-          local prowler_version="$2"
          if [ -f "$changelog_file" ]; then
-            # Extract version that matches this Prowler release
-            # Format: ## [version] (Prowler X.Y.Z) or ## [vversion] (Prowler vX.Y.Z)
-            local version=$(grep '^## \[' "$changelog_file" | grep "(Prowler v\?${prowler_version})" | head -1 | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
+            # Extract the first version entry (most recent) from changelog
+            # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
+            local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
            echo "$version"
          else
            echo ""
          fi
        }

-        # Read versions from changelogs for this specific Prowler release
-        SDK_VERSION=$(extract_version_for_release "prowler/CHANGELOG.md" "$PROWLER_VERSION")
-        API_VERSION=$(extract_version_for_release "api/CHANGELOG.md" "$PROWLER_VERSION")
-        UI_VERSION=$(extract_version_for_release "ui/CHANGELOG.md" "$PROWLER_VERSION")
-        MCP_VERSION=$(extract_version_for_release "mcp_server/CHANGELOG.md" "$PROWLER_VERSION")
+        # Read actual versions from changelogs (source of truth)
+        UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
+        API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
+        SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
+        MCP_VERSION=$(extract_latest_version "mcp_server/CHANGELOG.md")

-        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
-        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
        echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+        echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+        echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
        echo "MCP_VERSION=${MCP_VERSION}" >> "${GITHUB_ENV}"

-        if [ -n "$SDK_VERSION" ]; then
-          echo "✓ SDK version for Prowler $PROWLER_VERSION: $SDK_VERSION"
+        if [ -n "$UI_VERSION" ]; then
+          echo "Read UI version from changelog: $UI_VERSION"
        else
-          echo "ℹ No SDK version found for Prowler $PROWLER_VERSION in prowler/CHANGELOG.md"
+          echo "Warning: No UI version found in ui/CHANGELOG.md"
        fi

        if [ -n "$API_VERSION" ]; then
-          echo "✓ API version for Prowler $PROWLER_VERSION: $API_VERSION"
+          echo "Read API version from changelog: $API_VERSION"
        else
-          echo "ℹ No API version found for Prowler $PROWLER_VERSION in api/CHANGELOG.md"
+          echo "Warning: No API version found in api/CHANGELOG.md"
        fi

-        if [ -n "$UI_VERSION" ]; then
-          echo "✓ UI version for Prowler $PROWLER_VERSION: $UI_VERSION"
+        if [ -n "$SDK_VERSION" ]; then
+          echo "Read SDK version from changelog: $SDK_VERSION"
        else
-          echo "ℹ No UI version found for Prowler $PROWLER_VERSION in ui/CHANGELOG.md"
+          echo "Warning: No SDK version found in prowler/CHANGELOG.md"
        fi

        if [ -n "$MCP_VERSION" ]; then
-          echo "✓ MCP version for Prowler $PROWLER_VERSION: $MCP_VERSION"
+          echo "Read MCP version from changelog: $MCP_VERSION"
        else
-          echo "ℹ No MCP version found for Prowler $PROWLER_VERSION in mcp_server/CHANGELOG.md"
+          echo "Warning: No MCP version found in mcp_server/CHANGELOG.md"
        fi

+        echo "UI version: $UI_VERSION"
+        echo "API version: $API_VERSION"
+        echo "SDK version: $SDK_VERSION"
+        echo "MCP version: $MCP_VERSION"
+
    - name: Extract and combine changelog entries
      run: |
        set -e
@@ -163,54 +166,70 @@ jobs:

          # Remove --- separators
          sed -i '/^---$/d' "$output_file"
+
+          # Remove only trailing empty lines (not all empty lines)
+          sed -i -e :a -e '/^\s*$/d;N;ba' "$output_file"
        }

+        # Calculate expected versions for this release
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          EXPECTED_UI_VERSION="1.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+          EXPECTED_API_VERSION="1.$((${BASH_REMATCH[2]} + 1)).${BASH_REMATCH[3]}"
+
+          echo "Expected UI version for this release: $EXPECTED_UI_VERSION"
+          echo "Expected API version for this release: $EXPECTED_API_VERSION"
+        fi
+
        # Determine if components have changes for this specific release
-        if [ -n "$SDK_VERSION" ]; then
-          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="true"
-          echo "✓ SDK changes detected - version: $SDK_VERSION"
-          extract_changelog "prowler/CHANGELOG.md" "$SDK_VERSION" "prowler_changelog.md"
-        else
-          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
-          HAS_SDK_CHANGES="false"
-          echo "ℹ No SDK changes for this release"
-          touch "prowler_changelog.md"
-        fi
-
-        if [ -n "$API_VERSION" ]; then
-          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
-          HAS_API_CHANGES="true"
-          echo "✓ API changes detected - version: $API_VERSION"
-          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
-        else
-          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
-          HAS_API_CHANGES="false"
-          echo "ℹ No API changes for this release"
-          touch "api_changelog.md"
-        fi
-
-        if [ -n "$UI_VERSION" ]; then
+        # UI has changes if its current version matches what we expect for this release
+        if [ -n "$UI_VERSION" ] && [ "$UI_VERSION" = "$EXPECTED_UI_VERSION" ]; then
          echo "HAS_UI_CHANGES=true" >> $GITHUB_ENV
-          HAS_UI_CHANGES="true"
-          echo "✓ UI changes detected - version: $UI_VERSION"
+          echo "✓ UI changes detected - version matches expected: $UI_VERSION"
          extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
        else
          echo "HAS_UI_CHANGES=false" >> $GITHUB_ENV
-          HAS_UI_CHANGES="false"
-          echo "ℹ No UI changes for this release"
+          echo "ℹ No UI changes for this release (current: $UI_VERSION, expected: $EXPECTED_UI_VERSION)"
          touch "ui_changelog.md"
        fi

-        if [ -n "$MCP_VERSION" ]; then
-          echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="true"
-          echo "✓ MCP changes detected - version: $MCP_VERSION"
-          extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+        # API has changes if its current version matches what we expect for this release
+        if [ -n "$API_VERSION" ] && [ "$API_VERSION" = "$EXPECTED_API_VERSION" ]; then
+          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ API changes detected - version matches expected: $API_VERSION"
+          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
+        else
+          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No API changes for this release (current: $API_VERSION, expected: $EXPECTED_API_VERSION)"
+          touch "api_changelog.md"
+        fi
+
+        # SDK has changes if its current version matches the input version
+        if [ -n "$SDK_VERSION" ] && [ "$SDK_VERSION" = "$PROWLER_VERSION" ]; then
+          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ SDK changes detected - version matches input: $SDK_VERSION"
+          extract_changelog "prowler/CHANGELOG.md" "$PROWLER_VERSION" "prowler_changelog.md"
+        else
+          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No SDK changes for this release (current: $SDK_VERSION, input: $PROWLER_VERSION)"
+          touch "prowler_changelog.md"
+        fi
+
+        # MCP has changes if the changelog references this Prowler version
+        # Check if the changelog contains "(Prowler X.Y.Z)" or "(Prowler UNRELEASED)"
+        if [ -f "mcp_server/CHANGELOG.md" ]; then
+          MCP_PROWLER_REF=$(grep -m 1 "^## \[.*\] (Prowler" mcp_server/CHANGELOG.md | sed -E 's/.*\(Prowler ([^)]+)\).*/\1/' | tr -d '[:space:]')
+          if [ "$MCP_PROWLER_REF" = "$PROWLER_VERSION" ] || [ "$MCP_PROWLER_REF" = "UNRELEASED" ]; then
+            echo "HAS_MCP_CHANGES=true" >> $GITHUB_ENV
+            echo "✓ MCP changes detected - Prowler reference: $MCP_PROWLER_REF (version: $MCP_VERSION)"
+            extract_changelog "mcp_server/CHANGELOG.md" "$MCP_VERSION" "mcp_changelog.md"
+          else
+            echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
+            echo "ℹ No MCP changes for this release (Prowler reference: $MCP_PROWLER_REF, input: $PROWLER_VERSION)"
+            touch "mcp_changelog.md"
+          fi
        else
          echo "HAS_MCP_CHANGES=false" >> $GITHUB_ENV
-          HAS_MCP_CHANGES="false"
-          echo "ℹ No MCP changes for this release"
+          echo "ℹ No MCP changelog found"
          touch "mcp_changelog.md"
        fi

@@ -306,17 +325,6 @@ jobs:
        fi
        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"

-    - name: Verify API version in api/src/backend/api/specs/v1.yaml
-      if: ${{ env.HAS_API_CHANGES == 'true' }}
-      run: |
-        CURRENT_API_VERSION=$(grep '^  version: ' api/src/backend/api/specs/v1.yaml | sed -E 's/  version: ([0-9]+\.[0-9]+\.[0-9]+)/\1/' | tr -d '[:space:]')
-        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
-        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
-          echo "ERROR: API version mismatch in api/src/backend/api/specs/v1.yaml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
-          exit 1
-        fi
-        echo "✓ api/src/backend/api/specs/v1.yaml version: $CURRENT_API_VERSION"
-
    - name: Update API prowler dependency for minor release
      if: ${{ env.PATCH_VERSION == '0' }}
      run: |
@@ -86,6 +86,7 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_MINOR_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_MINOR_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -99,7 +100,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -134,6 +135,7 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${FIRST_PATCH_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${FIRST_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -147,7 +149,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -191,6 +193,7 @@ jobs:

          sed -i "s|version = \"${PROWLER_VERSION}\"|version = \"${NEXT_PATCH_VERSION}\"|" pyproject.toml
          sed -i "s|prowler_version = \"${PROWLER_VERSION}\"|prowler_version = \"${NEXT_PATCH_VERSION}\"|" prowler/config/config.py
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env

          echo "Files modified:"
          git --no-pager diff
@@ -204,7 +207,7 @@ jobs:
          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
+          labels: no-changelog
          body: |
            ### Description

@@ -16,12 +16,6 @@ on:
  release:
    types:
      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string

 permissions:
  contents: read
@@ -50,15 +44,19 @@ env:
  AWS_REGION: us-east-1

 jobs:
-  setup:
+  container-build-push:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 45
+    permissions:
+      contents: read
+      packages: write
    outputs:
      prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
-      latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
-      stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
+    env:
+      POETRY_VIRTUALENVS_CREATE: 'false'
+
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -78,26 +76,28 @@ jobs:
        run: |
          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
          echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"

          # Extract major version
          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"

          # Set version-specific tags
          case ${PROWLER_VERSION_MAJOR} in
            3)
-              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
              ;;
            4)
-              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
              ;;
            5)
-              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
              echo "✓ Prowler v5 detected - tags: latest, stable"
              ;;
            *)
@@ -106,24 +106,45 @@ jobs:
              ;;
          esac

-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: setup
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push SDK container (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Notify container push started
-        id: slack-notification
+        if: github.event_name == 'release'
        uses: ./.github/actions/slack-notification
        env:
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_RUN_ID: ${{ github.run_id }}
@@ -131,157 +152,42 @@ jobs:
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"

-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
-    timeout-minutes: 45
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Build and push SDK container for ${{ matrix.arch }}
+      - name: Build and push SDK container (release)
+        if: github.event_name == 'release'
        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ${{ env.DOCKERFILE_PATH }}
          push: true
-          platforms: ${{ matrix.platform }}
          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
-
-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
-        env:
-          AWS_REGION: ${{ env.AWS_REGION }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.PROWLER_VERSION }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
        uses: ./.github/actions/slack-notification
        env:
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
          COMPONENT: SDK
-          RELEASE_TAG: ${{ needs.setup.outputs.prowler_version }}
+          RELEASE_TAG: ${{ env.PROWLER_VERSION }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_RUN_ID: ${{ github.run_id }}
        with:
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}

  dispatch-v3-deployment:
-    if: needs.setup.outputs.prowler_version_major == '3'
-    needs: [setup, container-build-push]
+    if: needs.container-build-push.outputs.prowler_version_major == '3'
+    needs: container-build-push
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
@@ -308,4 +214,4 @@ jobs:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
          event-type: dispatch
-          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'
+          client-payload: '{"version":"release","tag":"${{ needs.container-build-push.outputs.prowler_version }}"}'
@@ -44,16 +44,7 @@ jobs:

  sdk-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
@@ -91,23 +82,22 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build SDK container for ${{ matrix.arch }}
+      - name: Build SDK container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: false
          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
+      - name: Scan SDK container with Trivy
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -82,110 +82,9 @@ jobs:
            ./tests/**/aws/**
            ./poetry.lock

-      - name: Resolve AWS services under test
-        if: steps.changed-aws.outputs.any_changed == 'true'
-        id: aws-services
-        shell: bash
-        run: |
-          python3 <<'PY'
-          import os
-          from pathlib import Path
-
-          dependents = {
-              "acm": ["elb"],
-              "autoscaling": ["dynamodb"],
-              "awslambda": ["ec2", "inspector2"],
-              "backup": ["dynamodb", "ec2", "rds"],
-              "cloudfront": ["shield"],
-              "cloudtrail": ["awslambda", "cloudwatch"],
-              "cloudwatch": ["bedrock"],
-              "ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "rds", "redshift", "route53", "shield", "ssm"],
-              "ecr": ["inspector2"],
-              "elb": ["shield"],
-              "elbv2": ["shield"],
-              "globalaccelerator": ["shield"],
-              "iam": ["bedrock", "cloudtrail", "cloudwatch", "codebuild"],
-              "kafka": ["firehose"],
-              "kinesis": ["firehose"],
-              "kms": ["kafka"],
-              "organizations": ["iam", "servicecatalog"],
-              "route53": ["shield"],
-              "s3": ["bedrock", "cloudfront", "cloudtrail", "macie"],
-              "ssm": ["ec2"],
-              "vpc": ["awslambda", "ec2", "efs", "elasticache", "neptune", "networkfirewall", "rds", "redshift", "workspaces"],
-              "waf": ["elbv2"],
-              "wafv2": ["cognito", "elbv2"],
-          }
-
-          changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}"""
-          # all_changed_files is space-separated, not newline-separated
-          # Strip leading "./" if present for consistent path handling
-          changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f]
-
-          services = set()
-          run_all = False
-
-          for path in changed_files:
-              path_str = path.as_posix()
-              parts = path.parts
-              if path_str.startswith("prowler/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("tests/providers/aws/services/"):
-                  if len(parts) > 4 and "." not in parts[4]:
-                      services.add(parts[4])
-                  else:
-                      run_all = True
-              elif path_str.startswith("prowler/providers/aws/") or path_str.startswith("tests/providers/aws/"):
-                  run_all = True
-
-          # Expand with direct dependent services (one level only)
-          # We only test services that directly depend on the changed services,
-          # not transitive dependencies (services that depend on dependents)
-          original_services = set(services)
-          for svc in original_services:
-              for dep in dependents.get(svc, []):
-                  services.add(dep)
-
-          if run_all or not services:
-              run_all = True
-              services = set()
-
-          service_paths = " ".join(sorted(f"tests/providers/aws/services/{svc}" for svc in services))
-
-          output_lines = [
-              f"run_all={'true' if run_all else 'false'}",
-              f"services={' '.join(sorted(services))}",
-              f"service_paths={service_paths}",
-          ]
-
-          with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
-              for line in output_lines:
-                  gh_out.write(line + "\n")
-
-          print(f"AWS changed files (filtered): {changed_raw or 'none'}")
-          print(f"Run all AWS tests: {run_all}")
-          if services:
-              print(f"AWS service test paths: {service_paths}")
-          else:
-              print("AWS service test paths: none detected")
-          PY
-
      - name: Run AWS tests
        if: steps.changed-aws.outputs.any_changed == 'true'
-        run: |
-          echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}"
-          echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'"
-
-          if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
-          elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then
-            echo "No AWS service paths detected; skipping AWS tests."
-          else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }}
-          fi
+        run: poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws

      - name: Upload AWS coverage to Codecov
        if: steps.changed-aws.outputs.any_changed == 'true'
@@ -1,221 +0,0 @@
-name: 'UI: Bump Version'
-
-on:
-  release:
-    types:
-      - 'published'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-env:
-  PROWLER_VERSION: ${{ github.event.release.tag_name }}
-  BASE_BRANCH: master
-
-jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-    steps:
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next minor version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-
-      - name: Bump UI version in .env for master
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next minor version to master
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_MINOR_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for first patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.FIRST_PATCH_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }}
-          MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }}
-          PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }}
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-
-      - name: Bump UI version in .env for version branch
-        run: |
-          set -e
-
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for next patch version to version branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: ui-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(ui): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Bump Prowler UI version to v${{ env.NEXT_PATCH_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `.env`: `NEXT_PUBLIC_PROWLER_RELEASE_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@@ -10,12 +10,6 @@ on:
  release:
    types:
      - 'published'
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., 5.14.0)'
-        required: true
-        type: string

 permissions:
  contents: read
@@ -27,7 +21,7 @@ concurrency:
 env:
  # Tags
  LATEST_TAG: latest
-  RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
  STABLE_TAG: stable
  WORKING_DIRECTORY: ./ui

@@ -50,44 +44,9 @@ jobs:
        id: set-short-sha
        run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

-  notify-release-started:
-    if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+  container-build-push:
    needs: setup
    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      message-ts: ${{ steps.slack-notification.outputs.ts }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Notify container push started
-        id: slack-notification
-        uses: ./.github/actions/slack-notification
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          COMPONENT: UI
-          RELEASE_TAG: ${{ env.RELEASE_TAG }}
-          GITHUB_SERVER_URL: ${{ github.server_url }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-        with:
-          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
-
-  container-build-push:
-    needs: [setup, notify-release-started]
-    if: always() && needs.setup.result == 'success' && (needs.notify-release-started.result == 'success' || needs.notify-release-started.result == 'skipped')
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
    timeout-minutes: 30
    permissions:
      contents: read
@@ -106,91 +65,56 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build and push UI container for ${{ matrix.arch }}
-        id: container-push
-        if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+      - name: Build and push UI container (latest)
+        if: github.event_name == 'push'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
-            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ (github.event_name == 'release' || github.event_name == 'workflow_dispatch') && format('v{0}', env.RELEASE_TAG) || needs.setup.outputs.short-sha }}
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ needs.setup.outputs.short-sha }}
            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
          push: true
-          platforms: ${{ matrix.platform }}
          tags: |
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

-  # Create and push multi-architecture manifest
-  create-manifest:
-    needs: [setup, container-build-push]
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - name: Create and push manifests for push event
-        if: github.event_name == 'push'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Create and push manifests for release event
-        if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        run: |
-          docker buildx imagetools create \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \
-            -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \
-            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64
-
-      - name: Install regctl
-        if: always()
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Cleanup intermediate architecture tags
-        if: always()
-        run: |
-          echo "Cleaning up intermediate tags..."
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true
-          regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true
-          echo "Cleanup completed"
-
-  notify-release-completed:
-    if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
-    needs: [setup, notify-release-started, container-build-push, create-manifest]
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Determine overall outcome
-        id: outcome
-        run: |
-          if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then
-            echo "outcome=success" >> $GITHUB_OUTPUT
-          else
-            echo "outcome=failure" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Notify container push completed
+      - name: Notify container push started
+        if: github.event_name == 'release'
+        uses: ./.github/actions/slack-notification
+        env:
+          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+          COMPONENT: UI
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+        with:
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: "./.github/scripts/slack-messages/container-release-started.json"
+
+      - name: Build and push UI container (release)
+        if: github.event_name == 'release'
+        id: container-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          build-args: |
+            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Notify container push completed
+        if: github.event_name == 'release' && always()
        uses: ./.github/actions/slack-notification
        env:
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
-          MESSAGE_TS: ${{ needs.notify-release-started.outputs.message-ts }}
          COMPONENT: UI
          RELEASE_TAG: ${{ env.RELEASE_TAG }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
@@ -199,8 +123,7 @@ jobs:
        with:
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
-          step-outcome: ${{ steps.outcome.outputs.outcome }}
-          update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
+          step-outcome: ${{ steps.container-push.outcome }}

  trigger-deployment:
    if: github.event_name == 'push'
@@ -20,7 +20,6 @@ env:

 jobs:
  ui-dockerfile-lint:
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
@@ -44,17 +43,7 @@ jobs:
          ignore: DL3018

  ui-container-build-and-scan:
-    if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
@@ -78,7 +67,7 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - name: Build UI container for ${{ matrix.arch }}
+      - name: Build UI container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
@@ -86,18 +75,17 @@ jobs:
          target: prod
          push: false
          load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
          build-args: |
            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

-      - name: Scan UI container with Trivy for ${{ matrix.arch }}
-        if: steps.check-changes.outputs.any_changed == 'true'
+      - name: Scan UI container with Trivy
+        if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'
@@ -10,7 +10,6 @@ on:
      - 'ui/**'

 jobs:
-
  e2e-tests:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
@@ -34,50 +33,12 @@ jobs:
      E2E_M365_SECRET_ID: ${{ secrets.E2E_M365_SECRET_ID }}
      E2E_M365_TENANT_ID: ${{ secrets.E2E_M365_TENANT_ID }}
      E2E_M365_CERTIFICATE_CONTENT: ${{ secrets.E2E_M365_CERTIFICATE_CONTENT }}
-      E2E_KUBERNETES_CONTEXT: 'kind-kind'
-      E2E_KUBERNETES_KUBECONFIG_PATH: /home/runner/.kube/config
-      E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY: ${{ secrets.E2E_GCP_BASE64_SERVICE_ACCOUNT_KEY }}
-      E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
-      E2E_GITHUB_APP_ID: ${{ secrets.E2E_GITHUB_APP_ID }}
-      E2E_GITHUB_BASE64_APP_PRIVATE_KEY: ${{ secrets.E2E_GITHUB_BASE64_APP_PRIVATE_KEY }}
-      E2E_GITHUB_USERNAME: ${{ secrets.E2E_GITHUB_USERNAME }}
-      E2E_GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      E2E_GITHUB_ORGANIZATION: ${{ secrets.E2E_GITHUB_ORGANIZATION }}
-      E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN: ${{ secrets.E2E_GITHUB_ORGANIZATION_ACCESS_TOKEN }}
-      E2E_ORGANIZATION_ID: ${{ secrets.E2E_ORGANIZATION_ID }}
-      E2E_OCI_TENANCY_ID: ${{ secrets.E2E_OCI_TENANCY_ID }}
-      E2E_OCI_USER_ID: ${{ secrets.E2E_OCI_USER_ID }}
-      E2E_OCI_FINGERPRINT: ${{ secrets.E2E_OCI_FINGERPRINT }}
-      E2E_OCI_KEY_CONTENT: ${{ secrets.E2E_OCI_KEY_CONTENT }}
-      E2E_OCI_REGION: ${{ secrets.E2E_OCI_REGION }}
-      E2E_NEW_USER_PASSWORD: ${{ secrets.E2E_NEW_USER_PASSWORD }}
-
+      E2E_NEW_PASSWORD: ${{ secrets.E2E_NEW_PASSWORD }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1
-        with:
-          cluster_name: kind
-      - name: Modify kubeconfig
-        run: |
-            # Modify the kubeconfig to use the kind cluster server to https://kind-control-plane:6443
-            # from worker service into docker-compose.yml
-            kubectl config set-cluster kind-kind --server=https://kind-control-plane:6443
-            kubectl config view
-      - name: Add network kind to docker compose
-        run: |
-          # Add the network kind to the docker compose to interconnect to kind cluster
-          yq -i '.networks.kind.external = true' docker-compose.yml
-          # Add network kind to worker service and default network too
-          yq -i '.services.worker.networks = ["kind","default"]' docker-compose.yml
      - name: Fix API data directory permissions
        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
-      - name: Add AWS credentials for testing AWS SDK Default Adding Provider
-        run: |
-          echo "Adding AWS credentials for testing AWS SDK Default Adding Provider..."
-          echo "AWS_ACCESS_KEY_ID=${{ secrets.E2E_AWS_PROVIDER_ACCESS_KEY }}" >> .env
-          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.E2E_AWS_PROVIDER_SECRET_KEY }}" >> .env
      - name: Start API services
        run: |
          # Override docker-compose image tag to use latest instead of stable
@@ -117,42 +78,29 @@ jobs:
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: '20.x'
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-      - name: Get pnpm store directory
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - name: Setup pnpm cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
      - name: Install UI dependencies
        working-directory: ./ui
-        run: pnpm install --frozen-lockfile
+        run: npm ci
      - name: Build UI application
        working-directory: ./ui
-        run: pnpm run build
+        run: npm run build
      - name: Cache Playwright browsers
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
      - name: Install Playwright browsers
        working-directory: ./ui
        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm run test:e2e:install
+        run: npm run test:e2e:install
      - name: Run E2E tests
        working-directory: ./ui
-        run: pnpm run test:e2e
+        run: npm run test:e2e
      - name: Upload test reports
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: failure()
@@ -48,36 +48,17 @@ jobs:
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Setup pnpm
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Get pnpm store directory
-        if: steps.check-changes.outputs.any_changed == 'true'
-        shell: bash
-        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm cache
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('ui/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'

      - name: Install dependencies
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm install --frozen-lockfile
+        run: npm ci

      - name: Run healthcheck
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run healthcheck
+        run: npm run healthcheck

      - name: Build application
        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run build
+        run: npm run build
@@ -45,86 +45,21 @@ pytest_*.xml
 .coverage
 htmlcov/

-# VSCode files and settings
+# VSCode files
 .vscode/
-*.code-workspace
-.vscode-test/

-# VSCode extension settings and workspaces
-.history/
-.ionide/
-
-# MCP Server Settings (various locations)
-**/cline_mcp_settings.json
-**/mcp_settings.json
-**/mcp-config.json
-**/mcpServers.json
-.mcp/
-
-# AI Coding Assistants - Cursor
+# Cursor files
 .cursorignore
 .cursor/
-.cursorrules

-# AI Coding Assistants - RooCode
+# RooCode files
 .roo/
 .rooignore
 .roomodes

-# AI Coding Assistants - Cline (formerly Claude Dev)
+# Cline files
 .cline/
 .clineignore
-.clinerules
-
-# AI Coding Assistants - Continue
-.continue/
-continue.json
-.continuerc
-.continuerc.json
-
-# AI Coding Assistants - GitHub Copilot
-.copilot/
-.github/copilot/
-
-# AI Coding Assistants - Amazon Q Developer (formerly CodeWhisperer)
-.aws/
-.codewhisperer/
-.amazonq/
-.aws-toolkit/
-
-# AI Coding Assistants - Tabnine
-.tabnine/
-tabnine_config.json
-
-# AI Coding Assistants - Kiro
-.kiro/
-.kiroignore
-kiro.config.json
-
-# AI Coding Assistants - Aider
-.aider/
-.aider.chat.history.md
-.aider.input.history
-.aider.tags.cache.v3/
-
-# AI Coding Assistants - Windsurf
-.windsurf/
-.windsurfignore
-
-# AI Coding Assistants - Replit Agent
-.replit
-.replitignore
-
-# AI Coding Assistants - Supermaven
-.supermaven/
-
-# AI Coding Assistants - Sourcegraph Cody
-.cody/
-
-# AI Coding Assistants - General
-.ai/
-.aiconfig
-ai-config.json

 # Terraform
 .terraform*
@@ -150,5 +85,9 @@ _data/
 # Claude
 CLAUDE.md

+# MCP Server
+mcp_server/prowler_mcp_server/prowler_app/server.py
+mcp_server/prowler_mcp_server/prowler_app/utils/schema.yaml
+
 # Compliance report
 *.pdf
@@ -126,12 +126,3 @@ repos:
        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
        language: system
        files: '.*\.py'
-
-      - id: ui-checks
-        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
-        entry: bash -c 'cd ui && .husky/pre-commit'
-        language: system
-        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
-        pass_filenames: false
-        verbose: true
@@ -4,15 +4,10 @@ LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"

 ARG POWERSHELL_VERSION=7.5.0
-ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
-
-ARG TRIVY_VERSION=0.66.0
-ENV TRIVY_VERSION=${TRIVY_VERSION}

 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
-    build-essential pkg-config libzstd-dev zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

 # Install PowerShell
@@ -30,24 +25,6 @@ RUN ARCH=$(uname -m) && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm /tmp/powershell.tar.gz

-# Install Trivy for IaC scanning
-RUN ARCH=$(uname -m) && \
-    if [ "$ARCH" = "x86_64" ]; then \
-        TRIVY_ARCH="Linux-64bit" ; \
-    elif [ "$ARCH" = "aarch64" ]; then \
-        TRIVY_ARCH="Linux-ARM64" ; \
-    else \
-        echo "Unsupported architecture for Trivy: $ARCH" && exit 1 ; \
-    fi && \
-    wget --progress=dot:giga "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz && \
-    tar zxf /tmp/trivy.tar.gz -C /tmp && \
-    mv /tmp/trivy /usr/local/bin/trivy && \
-    chmod +x /usr/local/bin/trivy && \
-    rm /tmp/trivy.tar.gz && \
-    # Create trivy cache directory with proper permissions
-    mkdir -p /tmp/.cache/trivy && \
-    chmod 777 /tmp/.cache/trivy
-
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -47,12 +47,12 @@ help:     ## Show this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

 ##@ Build no cache
-build-no-cache-dev:
-	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat mcp-server
+build-no-cache-dev: 
+	docker compose -f docker-compose-dev.yml build --no-cache api-dev worker-dev worker-beat

 ##@ Development Environment
-run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, MCP, and workers
-	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat mcp-server
+run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, and workers 
+	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat

 ##@ Development Environment
 build-and-run-api-dev: build-no-cache-dev run-api-dev
@@ -6,7 +6,7 @@
  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
-<b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>

 <p align="center">
@@ -23,7 +23,6 @@
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
-  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -36,32 +35,28 @@
 </p>
 <hr>
 <p align="center">
-  <img align="center" src="/docs/img/prowler-cloud.gif" width="100%" height="100%">
+  <img align="center" src="/docs/img/prowler-cli-quick.gif" width="100%" height="100%">
 </p>

 # Description

-**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is an open-source security tool designed to assess and enforce security best practices across AWS, Azure, Google Cloud, and Kubernetes. It supports tasks such as security audits, incident response, continuous monitoring, system hardening, forensic readiness, and remediation processes.

 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:

- **Prowler ThreatScore:** Weighted risk prioritization scoring that helps you focus on the most critical security findings first
- **Industry Standards:** CIS, NIST 800, NIST CSF, CISA, and MITRE ATT&CK
- **Regulatory Compliance and Governance:** RBI, FedRAMP, PCI-DSS, and NIS2
+- **Industry Standards:** CIS, NIST 800, NIST CSF, and CISA
+- **Regulatory Compliance and Governance:** RBI, FedRAMP, and PCI-DSS
 - **Frameworks for Sensitive Data and Privacy:** GDPR, HIPAA, and FFIEC
- **Frameworks for Organizational Governance and Quality Control:** SOC2, GXP, and ISO 27001
- **Cloud-Specific Frameworks:** AWS Foundational Technical Review (FTR), AWS Well-Architected Framework, and BSI C5
- **National Security Standards:** ENS (Spanish National Security Scheme) and KISA ISMS-P (Korean)
+- **Frameworks for Organizational Governance and Quality Control:** SOC2 and GXP
+- **AWS-Specific Frameworks:** AWS Foundational Technical Review (FTR) and AWS Well-Architected Framework (Security Pillar)
+- **National Security Standards:** ENS (Spanish National Security Scheme)
 - **Custom Security Frameworks:** Tailored to your needs

-## Prowler App / Prowler Cloud
+## Prowler App

-Prowler App / [Prowler Cloud](https://cloud.prowler.com/) is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.
+Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

 ![Prowler App](docs/images/products/overview.png)
-![Risk Pipeline](docs/images/products/risk-pipeline.png)
-![Threat Map](docs/images/products/threat-map.png)
-

 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)

@@ -87,16 +82,15 @@ prowler dashboard

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 584 | 85 | 40 | 17 | Official | UI, API, CLI |
-| GCP | 89 | 17 | 14 | 5 | Official | UI, API, CLI |
-| Azure | 169 | 22 | 15 | 8 | Official | UI, API, CLI |
-| Kubernetes | 84 | 7 | 6 | 9 | Official | UI, API, CLI |
-| GitHub | 20 | 2 | 1 | 2 | Official | UI, API, CLI |
+| AWS | 576 | 82 | 39 | 10 | Official | UI, API, CLI |
+| GCP | 79 | 13 | 13 | 3 | Official | UI, API, CLI |
+| Azure | 162 | 19 | 13 | 4 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | UI, API, CLI |
+| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
 | M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
-| OCI | 52 | 15 | 1 | 12 | Official | UI, API, CLI |
-| Alibaba Cloud | 63 | 10 | 1 | 9 | Official | CLI |
+| OCI | 51 | 13 | 1 | 10 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
-| MongoDB Atlas | 10 | 4 | 0 | 3 | Official | UI, API, CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | CLI, API |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |

@@ -159,7 +153,7 @@ You can find more information in the [Troubleshooting](./docs/troubleshooting.md

 * `git` installed.
 * `poetry` v2 installed: [poetry installation](https://python-poetry.org/docs/#installation).
-* `pnpm` installed: [pnpm installation](https://pnpm.io/installation).
+* `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
 * `Docker Compose` installed: https://docs.docker.com/compose/install/.

 **Commands to run the API**
@@ -215,9 +209,9 @@ python -m celery -A config.celery beat -l info --scheduler django_celery_beat.sc
 ``` console
 git clone https://github.com/prowler-cloud/prowler
 cd prowler/ui
-pnpm install
-pnpm run build
-pnpm start
+npm install
+npm run build
+npm start
 ```

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
@@ -277,12 +271,11 @@ python prowler-cli.py -v
 # ✏️ High level architecture

 ## Prowler App
-**Prowler App** is composed of four key components:
+**Prowler App** is composed of three key components:

 - **Prowler UI**: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
- **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.

 ![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)

@@ -2,79 +2,7 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.17.2] (Prowler v5.16.2)
-
-### Security
- Updated dependencies to patch security vulnerabilities: Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
-
---
-
-## [1.17.1] (Prowler v5.16.1)
-
-### Changed
- Security Hub integration error when no regions [(#9635)](https://github.com/prowler-cloud/prowler/pull/9635)
-
-### Fixed
- Orphan scheduled scans caused by transaction isolation during provider creation [(#9633)](https://github.com/prowler-cloud/prowler/pull/9633)
-
---
-
-## [1.17.0] (Prowler v5.16.0)
-
-### Added
- New endpoint to retrieve and overview of the categories based on finding severities [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Endpoints `GET /findings` and `GET /findings/latests` can now use the category filter [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- Account id, alias and provider name to PDF reporting table [(#9574)](https://github.com/prowler-cloud/prowler/pull/9574)
-
-### Changed
- Endpoint `GET /overviews/attack-surfaces` no longer returns the related check IDs [(#9529)](https://github.com/prowler-cloud/prowler/pull/9529)
- OpenAI provider to only load chat-compatible models with tool calling support [(#9523)](https://github.com/prowler-cloud/prowler/pull/9523)
- Increased execution delay for the first scheduled scan tasks to 5 seconds[(#9558)](https://github.com/prowler-cloud/prowler/pull/9558)
-
-### Fixed
- Made `scan_id` a required filter in the compliance overview endpoint [(#9560)](https://github.com/prowler-cloud/prowler/pull/9560)
- Reduced unnecessary UPDATE resources operations by only saving when tag mappings change, lowering write load during scans [(#9569)](https://github.com/prowler-cloud/prowler/pull/9569)
-
---
-
-## [1.16.1] (Prowler v5.15.1)
-
-### Fixed
- Race condition in scheduled scan creation by adding countdown to task [(#9516)](https://github.com/prowler-cloud/prowler/pull/9516)
-
-## [1.16.0] (Prowler v5.15.0)
-
-### Added
- New endpoint to retrieve an overview of the attack surfaces [(#9309)](https://github.com/prowler-cloud/prowler/pull/9309)
- New endpoint `GET /api/v1/overviews/findings_severity/timeseries` to retrieve daily aggregated findings by severity level [(#9363)](https://github.com/prowler-cloud/prowler/pull/9363)
- Lighthouse AI support for Amazon Bedrock API key [(#9343)](https://github.com/prowler-cloud/prowler/pull/9343)
- Exception handler for provider deletions during scans [(#9414)](https://github.com/prowler-cloud/prowler/pull/9414)
- Support to use admin credentials through the read replica database [(#9440)](https://github.com/prowler-cloud/prowler/pull/9440)
-
-### Changed
- Error messages from Lighthouse celery tasks [(#9165)](https://github.com/prowler-cloud/prowler/pull/9165)
- Restore the compliance overview endpoint's mandatory filters [(#9338)](https://github.com/prowler-cloud/prowler/pull/9338)
-
---
-
-## [1.15.2] (Prowler v5.14.2)
-
-### Fixed
- Unique constraint violation during compliance overviews task [(#9436)](https://github.com/prowler-cloud/prowler/pull/9436)
- Division by zero error in ENS PDF report when all requirements are manual [(#9443)](https://github.com/prowler-cloud/prowler/pull/9443)
-
---
-
-## [1.15.1] (Prowler v5.14.1)
-
-### Fixed
- Fix typo in PDF reporting [(#9345)](https://github.com/prowler-cloud/prowler/pull/9345)
- Fix IaC provider initialization failure when mutelist processor is configured [(#9331)](https://github.com/prowler-cloud/prowler/pull/9331)
- Match logic for ThreatScore when counting findings [(#9348)](https://github.com/prowler-cloud/prowler/pull/9348)
-
---
-
-## [1.15.0] (Prowler v5.14.0)
+## [1.15.0] (Prowler UNRELEASED)

 ### Added
 - IaC (Infrastructure as Code) provider support for remote repositories [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
@@ -86,33 +14,22 @@ All notable changes to the **Prowler API** are documented in this file.
 - Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
 - Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
 - Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
- Support PDF reporting for ENS compliance framework [(#9158)](https://github.com/prowler-cloud/prowler/pull/9158)
- Support PDF reporting for NIS2 compliance framework [(#9170)](https://github.com/prowler-cloud/prowler/pull/9170)
+- OpenAPI schema integration with Mintlify documentation including compatibility fixes and dynamic server URL configuration [(#9168)](https://github.com/prowler-cloud/prowler/pull/9168)
 - Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
- Added `metadata`, `details`, and `partition` attributes to `/resources` endpoint & `details`, and `partition` to `/findings` endpoint [(#9098)](https://github.com/prowler-cloud/prowler/pull/9098)
 - Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
- Support Prowler ThreatScore for the K8S provider [(#9235)](https://github.com/prowler-cloud/prowler/pull/9235)
- Enhanced compliance overview endpoint with provider filtering and latest scan aggregation [(#9244)](https://github.com/prowler-cloud/prowler/pull/9244)
- New endpoint `GET /api/v1/overview/regions` to retrieve aggregated findings data by region [(#9273)](https://github.com/prowler-cloud/prowler/pull/9273)
-
-### Changed
- Optimized database write queries for scan related tasks [(#9190)](https://github.com/prowler-cloud/prowler/pull/9190)
- Date filters are now optional for `GET /api/v1/overviews/services` endpoint; returns latest scan data by default [(#9248)](https://github.com/prowler-cloud/prowler/pull/9248)
-
-### Fixed
- Scans no longer fail when findings have UIDs exceeding 300 characters; such findings are now skipped with detailed logging [(#9246)](https://github.com/prowler-cloud/prowler/pull/9246)
- Updated unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers [(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
- Removed compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
- Refresh output report timestamps for each scan [(#9272)](https://github.com/prowler-cloud/prowler/pull/9272)
- Severity overview endpoint now ignores muted findings as expected [(#9283)](https://github.com/prowler-cloud/prowler/pull/9283)
- Fixed discrepancy between ThreatScore PDF report values and database calculations [(#9296)](https://github.com/prowler-cloud/prowler/pull/9296)

 ### Security
 - Django updated to the latest 5.1 security release, 5.1.14, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/113) and [denial-of-service vulnerability](https://github.com/prowler-cloud/prowler/security/dependabot/114) [(#9176)](https://github.com/prowler-cloud/prowler/pull/9176)

 ---

-## [1.14.1] (Prowler v5.13.1)
+## [1.14.2] (Prowler UNRELEASED)
+
+### Fixed
+- Update unique constraint for `Provider` model to exclude soft-deleted entries, resolving duplicate errors when re-deleting providers.[(#9054)](https://github.com/prowler-cloud/prowler/pull/9054)
+- Remove compliance generation for providers without compliance frameworks [(#9208)](https://github.com/prowler-cloud/prowler/pull/9208)
+
+## [1.14.1] (Prowler 5.13.1)

 ### Fixed
 - `/api/v1/overviews/providers` collapses data by provider type so the UI receives a single aggregated record per cloud family even when multiple accounts exist [(#9053)](https://github.com/prowler-cloud/prowler/pull/9053)
@@ -121,7 +38,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.14.0] (Prowler v5.13.0)
+## [1.14.0] (Prowler 5.13.0)

 ### Added
 - Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)
@@ -145,14 +62,14 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.13.2] (Prowler v5.12.3)
+## [1.13.2] (Prowler 5.12.3)

 ### Fixed
 - 500 error when deleting user [(#8731)](https://github.com/prowler-cloud/prowler/pull/8731)

 ---

-## [1.13.1] (Prowler v5.12.2)
+## [1.13.1] (Prowler 5.12.2)

 ### Changed
 - Renamed compliance overview task queue to `compliance` [(#8755)](https://github.com/prowler-cloud/prowler/pull/8755)
@@ -162,7 +79,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.13.0] (Prowler v5.12.0)
+## [1.13.0] (Prowler 5.12.0)

 ### Added
 - Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
@@ -171,7 +88,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.12.0] (Prowler v5.11.0)
+## [1.12.0] (Prowler 5.11.0)

 ### Added
 - Lighthouse support for OpenAI GPT-5 [(#8527)](https://github.com/prowler-cloud/prowler/pull/8527)
@@ -183,7 +100,7 @@ All notable changes to the **Prowler API** are documented in this file.

 ---

-## [1.11.0] (Prowler v5.10.0)
+## [1.11.0] (Prowler 5.10.0)

 ### Added
 - Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)
@@ -7,7 +7,7 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
  "celery[pytest] (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django (==5.1.15)",
+  "django (==5.1.14)",
  "django-allauth[saml] (>=65.8.0,<66.0.0)",
  "django-celery-beat (>=2.7.0,<3.0.0)",
  "django-celery-results (>=2.5.1,<3.0.0)",
@@ -24,7 +24,7 @@ dependencies = [
  "drf-spectacular-jsonapi==0.5.1",
  "gunicorn==23.0.0",
  "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.16",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
@@ -35,11 +35,7 @@ dependencies = [
  "markdown (>=3.9,<4.0)",
  "drf-simple-apikey (==2.2.1)",
  "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
+  "reportlab (>=4.4.4,<5.0.0)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -47,7 +43,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.17.2"
+version = "1.15.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -26,7 +26,6 @@ class MainRouter:
    default_db = "default"
    admin_db = "admin"
    replica_db = "replica"
-    admin_replica_db = "admin_replica"

    def db_for_read(self, model, **hints):  # noqa: F841
        model_table_name = model._meta.db_table
@@ -50,12 +49,7 @@ class MainRouter:

    def allow_relation(self, obj1, obj2, **hints):  # noqa: F841
        # Allow relations when both objects originate from allowed connectors
-        allowed_dbs = {
-            self.default_db,
-            self.admin_db,
-            self.replica_db,
-            self.admin_replica_db,
-        }
+        allowed_dbs = {self.default_db, self.admin_db, self.replica_db}
        if {obj1._state.db, obj2._state.db} <= allowed_dbs:
            return True
        return None
@@ -1,14 +1,10 @@
 import uuid
 from functools import wraps

-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError, connection, transaction
+from django.db import connection, transaction
 from rest_framework_json_api.serializers import ValidationError

-from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY, rls_transaction
-from api.exceptions import ProviderDeletedException
-from api.models import Provider, Scan
+from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY


 def set_tenant(func=None, *, keep_tenant=False):
@@ -70,49 +66,3 @@ def set_tenant(func=None, *, keep_tenant=False):
        return decorator
    else:
        return decorator(func)
-
-
-def handle_provider_deletion(func):
-    """
-    Decorator that raises ProviderDeletedException if provider was deleted during execution.
-
-    Catches ObjectDoesNotExist and IntegrityError, checks if provider still exists,
-    and raises ProviderDeletedException if not. Otherwise, re-raises original exception.
-
-    Requires tenant_id and provider_id in kwargs.
-
-    Example:
-        @shared_task
-        @handle_provider_deletion
-        def scan_task(scan_id, tenant_id, provider_id):
-            ...
-    """
-
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-        try:
-            return func(*args, **kwargs)
-        except (ObjectDoesNotExist, IntegrityError):
-            tenant_id = kwargs.get("tenant_id")
-            provider_id = kwargs.get("provider_id")
-
-            with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-                if provider_id is None:
-                    scan_id = kwargs.get("scan_id")
-                    if scan_id is None:
-                        raise AssertionError(
-                            "This task does not have provider or scan in the kwargs"
-                        )
-                    scan = Scan.objects.filter(pk=scan_id).first()
-                    if scan is None:
-                        raise ProviderDeletedException(
-                            f"Provider for scan '{scan_id}' was deleted during the scan"
-                        ) from None
-                    provider_id = str(scan.provider_id)
-                if not Provider.objects.filter(pk=provider_id).exists():
-                    raise ProviderDeletedException(
-                        f"Provider '{provider_id}' was deleted during the scan"
-                    ) from None
-            raise
-
-    return wrapper
@@ -66,10 +66,6 @@ class ProviderConnectionError(Exception):
    """Base exception for provider connection errors."""


-class ProviderDeletedException(Exception):
-    """Raised when a provider has been deleted during scan/task execution."""
-
-
 def custom_exception_handler(exc, context):
    if isinstance(exc, django_validation_error):
        if hasattr(exc, "error_dict"):
@@ -23,9 +23,7 @@ from api.db_utils import (
    StatusEnumField,
 )
 from api.models import (
-    AttackSurfaceOverview,
    ComplianceRequirementOverview,
-    DailySeveritySummary,
    Finding,
    Integration,
    Invitation,
@@ -43,7 +41,6 @@ from api.models import (
    ResourceTag,
    Role,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    SeverityChoices,
    StateChoices,
@@ -158,9 +155,6 @@ class CommonFindingFilters(FilterSet):
        field_name="resources__type", lookup_expr="icontains"
    )

-    category = CharFilter(method="filter_category")
-    category__in = CharInFilter(field_name="categories", lookup_expr="overlap")
-
    # Temporarily disabled until we implement tag filtering in the UI
    # resource_tag_key = CharFilter(field_name="resources__tags__key")
    # resource_tag_key__in = CharInFilter(
@@ -192,9 +186,6 @@ class CommonFindingFilters(FilterSet):
    def filter_resource_type(self, queryset, name, value):
        return queryset.filter(resource_types__contains=[value])

-    def filter_category(self, queryset, name, value):
-        return queryset.filter(categories__contains=[value])
-
    def filter_resource_tag(self, queryset, name, value):
        overall_query = Q()
        for key_value_pair in value:
@@ -769,7 +760,7 @@ class RoleFilter(FilterSet):

 class ComplianceOverviewFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    scan_id = UUIDFilter(field_name="scan_id", required=True)
+    scan_id = UUIDFilter(field_name="scan_id")
    region = CharFilter(field_name="region")

    class Meta:
@@ -803,68 +794,6 @@ class ScanSummaryFilter(FilterSet):
        }


-class DailySeveritySummaryFilter(FilterSet):
-    """Filter for findings_severity/timeseries endpoint."""
-
-    MAX_DATE_RANGE_DAYS = 365
-
-    provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="provider_id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    date_from = DateFilter(method="filter_noop")
-    date_to = DateFilter(method="filter_noop")
-
-    class Meta:
-        model = DailySeveritySummary
-        fields = ["provider_id"]
-
-    def filter_noop(self, queryset, name, value):
-        return queryset
-
-    def filter_queryset(self, queryset):
-        if not self.data.get("date_from"):
-            raise ValidationError(
-                [
-                    {
-                        "detail": "This query parameter is required.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "required",
-                    }
-                ]
-            )
-
-        today = date.today()
-        date_from = self.form.cleaned_data.get("date_from")
-        date_to = min(self.form.cleaned_data.get("date_to") or today, today)
-
-        if (date_to - date_from).days > self.MAX_DATE_RANGE_DAYS:
-            raise ValidationError(
-                [
-                    {
-                        "detail": f"Date range cannot exceed {self.MAX_DATE_RANGE_DAYS} days.",
-                        "status": "400",
-                        "source": {"pointer": "filter[date_from]"},
-                        "code": "invalid",
-                    }
-                ]
-            )
-
-        # View access
-        self.request._date_from = date_from
-        self.request._date_to = date_to
-
-        # Apply date filter (only lte for fill-forward logic)
-        queryset = queryset.filter(date__lte=date_to)
-
-        return super().filter_queryset(queryset)
-
-
 class ScanSummarySeverityFilter(ScanSummaryFilter):
    """Filter for findings_severity ScanSummary endpoint - includes status filters"""

@@ -883,8 +812,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
        elif value == OverviewStatusChoices.PASS:
            return queryset.annotate(status_count=F("_pass"))
        else:
-            # Exclude muted findings by default
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

    def filter_status_in(self, queryset, name, value):
        # Validate the status values
@@ -893,7 +821,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
            if status_val not in valid_statuses:
                raise ValidationError(f"Invalid status value: {status_val}")

-        # If all statuses or no valid statuses, exclude muted findings (pass + fail)
+        # If all statuses or no valid statuses, use total
        if (
            set(value)
            >= {
@@ -902,7 +830,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
            }
            or not value
        ):
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

        # Build the sum expression based on status values
        sum_expression = None
@@ -920,7 +848,7 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
                sum_expression = sum_expression + field_expr

        if sum_expression is None:
-            return queryset.annotate(status_count=F("_pass") + F("fail"))
+            return queryset.annotate(status_count=F("total"))

        return queryset.annotate(status_count=sum_expression)

@@ -932,6 +860,26 @@ class ScanSummarySeverityFilter(ScanSummaryFilter):
        }


+class ServiceOverviewFilter(ScanSummaryFilter):
+    def is_valid(self):
+        # Check if at least one of the inserted_at filters is present
+        inserted_at_filters = [
+            self.data.get("inserted_at"),
+            self.data.get("inserted_at__gte"),
+            self.data.get("inserted_at__lte"),
+        ]
+        if not any(inserted_at_filters):
+            raise ValidationError(
+                {
+                    "inserted_at": [
+                        "At least one of filter[inserted_at], filter[inserted_at__gte], or "
+                        "filter[inserted_at__lte] is required."
+                    ]
+                }
+            )
+        return super().is_valid()
+
+
 class IntegrationFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
    integration_type = ChoiceFilter(choices=Integration.IntegrationChoices.choices)
@@ -1084,41 +1032,3 @@ class ThreatScoreSnapshotFilter(FilterSet):
            "inserted_at": ["date", "gte", "lte"],
            "overall_score": ["exact", "gte", "lte"],
        }
-
-
-class AttackSurfaceOverviewFilter(FilterSet):
-    """Filter for attack surface overview aggregations by provider."""
-
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-
-    class Meta:
-        model = AttackSurfaceOverview
-        fields = {}
-
-
-class CategoryOverviewFilter(FilterSet):
-    provider_id = UUIDFilter(field_name="scan__provider__id", lookup_expr="exact")
-    provider_id__in = UUIDInFilter(field_name="scan__provider__id", lookup_expr="in")
-    provider_type = ChoiceFilter(
-        field_name="scan__provider__provider", choices=Provider.ProviderChoices.choices
-    )
-    provider_type__in = ChoiceInFilter(
-        field_name="scan__provider__provider",
-        choices=Provider.ProviderChoices.choices,
-        lookup_expr="in",
-    )
-    category = CharFilter(field_name="category", lookup_expr="exact")
-    category__in = CharInFilter(field_name="category", lookup_expr="in")
-
-    class Meta:
-        model = ScanCategorySummary
-        fields = {}
@@ -22,7 +22,7 @@ class Migration(migrations.Migration):
                    ("kubernetes", "Kubernetes"),
                    ("m365", "M365"),
                    ("github", "GitHub"),
-                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                    ("oci", "Oracle Cloud Infrastructure"),
                    ("iac", "IaC"),
                ],
                default="aws",
@@ -29,8 +29,4 @@ class Migration(migrations.Migration):
                default="aws",
            ),
        ),
-        migrations.RunSQL(
-            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'mongodbatlas';",
-            reverse_sql=migrations.RunSQL.noop,
-        ),
    ]
@@ -1,29 +0,0 @@
-from django.contrib.postgres.operations import RemoveIndexConcurrently
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    atomic = False
-
-    dependencies = [
-        ("api", "0057_threatscoresnapshot"),
-    ]
-
-    operations = [
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_tenant_scan_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_idx",
-        ),
-        RemoveIndexConcurrently(
-            model_name="compliancerequirementoverview",
-            name="cro_scan_comp_req_reg_idx",
-        ),
-    ]
@@ -1,75 +0,0 @@
-# Generated by Django 5.1.13 on 2025-10-30 15:23
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0058_drop_redundant_compliance_requirement_indexes"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ComplianceOverviewSummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                ("compliance_id", models.TextField()),
-                ("requirements_passed", models.IntegerField(default=0)),
-                ("requirements_failed", models.IntegerField(default=0)),
-                ("requirements_manual", models.IntegerField(default=0)),
-                ("total_requirements", models.IntegerField(default=0)),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="compliance_summaries",
-                        related_query_name="compliance_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "compliance_overview_summaries",
-                "abstract": False,
-                "indexes": [
-                    models.Index(
-                        fields=["tenant_id", "scan_id"], name="cos_tenant_scan_idx"
-                    )
-                ],
-                "constraints": [
-                    models.UniqueConstraint(
-                        fields=("tenant_id", "scan_id", "compliance_id"),
-                        name="unique_compliance_summary_per_scan",
-                    )
-                ],
-            },
-        ),
-        migrations.AddConstraint(
-            model_name="complianceoverviewsummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_complianceoverviewsummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -1,89 +0,0 @@
-# Generated by Django 5.1.14 on 2025-11-19 13:03
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0059_compliance_overview_summary"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="AttackSurfaceOverview",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("inserted_at", models.DateTimeField(auto_now_add=True)),
-                (
-                    "attack_surface_type",
-                    models.CharField(
-                        choices=[
-                            ("internet-exposed", "Internet Exposed"),
-                            ("secrets", "Exposed Secrets"),
-                            ("privilege-escalation", "Privilege Escalation"),
-                            ("ec2-imdsv1", "EC2 IMDSv1 Enabled"),
-                        ],
-                        max_length=50,
-                    ),
-                ),
-                ("total_findings", models.IntegerField(default=0)),
-                ("failed_findings", models.IntegerField(default=0)),
-                ("muted_failed_findings", models.IntegerField(default=0)),
-            ],
-            options={
-                "db_table": "attack_surface_overviews",
-                "abstract": False,
-            },
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="scan",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="attack_surface_overviews",
-                related_query_name="attack_surface_overview",
-                to="api.scan",
-            ),
-        ),
-        migrations.AddField(
-            model_name="attacksurfaceoverview",
-            name="tenant",
-            field=models.ForeignKey(
-                on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="attacksurfaceoverview",
-            index=models.Index(
-                fields=["tenant_id", "scan_id"], name="attack_surf_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="attacksurfaceoverview",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_attacksurfaceoverview",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -1,96 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-03 13:38
-
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0060_attack_surface_overview"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="DailySeveritySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                ("date", models.DateField()),
-                ("critical", models.IntegerField(default=0)),
-                ("high", models.IntegerField(default=0)),
-                ("medium", models.IntegerField(default=0)),
-                ("low", models.IntegerField(default=0)),
-                ("informational", models.IntegerField(default=0)),
-                ("muted", models.IntegerField(default=0)),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.provider",
-                    ),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="daily_severity_summaries",
-                        related_query_name="daily_severity_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "daily_severity_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="dailyseveritysummary",
-            index=models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="dailyseveritysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                "tenant_id",
-                name="rls_on_dailyseveritysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -1,30 +0,0 @@
-# Generated by Django 5.1.14 on 2025-12-10
-
-from django.db import migrations
-from tasks.tasks import backfill_daily_severity_summaries_task
-
-from api.db_router import MainRouter
-from api.rls import Tenant
-
-
-def trigger_backfill_task(apps, schema_editor):
-    """
-    Trigger the backfill task for all tenants.
-
-    This dispatches backfill_daily_severity_summaries_task for each tenant
-    in the system to populate DailySeveritySummary records from historical scans.
-    """
-    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
-
-    for tenant_id in tenant_ids:
-        backfill_daily_severity_summaries_task.delay(tenant_id=str(tenant_id), days=90)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0061_daily_severity_summary"),
-    ]
-
-    operations = [
-        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
-    ]
@@ -1,111 +0,0 @@
-import uuid
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-import api.db_utils
-import api.rls
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0062_backfill_daily_severity_summaries"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ScanCategorySummary",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4,
-                        editable=False,
-                        primary_key=True,
-                        serialize=False,
-                    ),
-                ),
-                (
-                    "tenant",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="api.tenant",
-                    ),
-                ),
-                (
-                    "inserted_at",
-                    models.DateTimeField(auto_now_add=True),
-                ),
-                (
-                    "scan",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="category_summaries",
-                        related_query_name="category_summary",
-                        to="api.scan",
-                    ),
-                ),
-                (
-                    "category",
-                    models.CharField(max_length=100),
-                ),
-                (
-                    "severity",
-                    api.db_utils.SeverityEnumField(
-                        choices=[
-                            ("critical", "Critical"),
-                            ("high", "High"),
-                            ("medium", "Medium"),
-                            ("low", "Low"),
-                            ("informational", "Informational"),
-                        ],
-                    ),
-                ),
-                (
-                    "total_findings",
-                    models.IntegerField(
-                        default=0, help_text="Non-muted findings (PASS + FAIL)"
-                    ),
-                ),
-                (
-                    "failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL findings (subset of total_findings)",
-                    ),
-                ),
-                (
-                    "new_failed_findings",
-                    models.IntegerField(
-                        default=0,
-                        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-                    ),
-                ),
-            ],
-            options={
-                "db_table": "scan_category_summaries",
-                "abstract": False,
-            },
-        ),
-        migrations.AddIndex(
-            model_name="scancategorysummary",
-            index=models.Index(
-                fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-        ),
-        migrations.AddConstraint(
-            model_name="scancategorysummary",
-            constraint=api.rls.RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_scancategorysummary",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ),
-    ]
@@ -1,22 +0,0 @@
-import django.contrib.postgres.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("api", "0063_scan_category_summary"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="finding",
-            name="categories",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.CharField(max_length=100),
-                blank=True,
-                null=True,
-                size=None,
-                help_text="Categories from check metadata for efficient filtering",
-            ),
-        ),
-    ]
@@ -716,19 +716,14 @@ class Resource(RowLevelSecurityProtectedModel):
            self.clear_tags()
            return

-        # Add new relationships with the tenant_id field; avoid touching the
-        # Resource row unless a mapping is actually created to prevent noisy
-        # updates during scans.
-        mapping_created = False
+        # Add new relationships with the tenant_id field
        for tag in tags:
-            _, created = ResourceTagMapping.objects.update_or_create(
+            ResourceTagMapping.objects.update_or_create(
                tag=tag, resource=self, tenant_id=self.tenant_id
            )
-            mapping_created = mapping_created or created

-        if mapping_created:
-            # Only bump updated_at when the tag set truly changed
-            self.save(update_fields=["updated_at"])
+        # Save the instance
+        self.save()

    class Meta(RowLevelSecurityProtectedModel.Meta):
        db_table = "resources"
@@ -873,14 +868,6 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
        null=True,
    )

-    # Check metadata denormalization
-    categories = ArrayField(
-        models.CharField(max_length=100),
-        blank=True,
-        null=True,
-        help_text="Categories from check metadata for efficient filtering",
-    )
-
    # Relationships
    scan = models.ForeignKey(to=Scan, related_name="findings", on_delete=models.CASCADE)

@@ -1384,70 +1371,35 @@ class ComplianceRequirementOverview(RowLevelSecurityProtectedModel):
            ),
        ]
        indexes = [
+            models.Index(fields=["tenant_id", "scan_id"], name="cro_tenant_scan_idx"),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id"],
+                name="cro_scan_comp_idx",
+            ),
            models.Index(
                fields=["tenant_id", "scan_id", "compliance_id", "region"],
                name="cro_scan_comp_reg_idx",
            ),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id", "requirement_id"],
+                name="cro_scan_comp_req_idx",
+            ),
+            models.Index(
+                fields=[
+                    "tenant_id",
+                    "scan_id",
+                    "compliance_id",
+                    "requirement_id",
+                    "region",
+                ],
+                name="cro_scan_comp_req_reg_idx",
+            ),
        ]

    class JSONAPIMeta:
        resource_name = "compliance-requirements-overviews"


-class ComplianceOverviewSummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated compliance overview aggregated across ALL regions.
-    One row per (scan_id, compliance_id) combination.
-
-    This table optimizes the common case where users view overall compliance
-    without filtering by region. For region-specific views, the detailed
-    ComplianceRequirementOverview table is used instead.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="compliance_summaries",
-        related_query_name="compliance_summary",
-    )
-
-    compliance_id = models.TextField(blank=False)
-
-    # Pre-aggregated scores (computed across ALL regions)
-    requirements_passed = models.IntegerField(default=0)
-    requirements_failed = models.IntegerField(default=0)
-    requirements_manual = models.IntegerField(default=0)
-    total_requirements = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "compliance_overview_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "compliance_id"),
-                name="unique_compliance_summary_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="cos_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "compliance-overview-summaries"
-
-
 class ScanSummary(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
    all_objects = models.Manager()
@@ -1513,65 +1465,6 @@ class ScanSummary(RowLevelSecurityProtectedModel):
        resource_name = "scan-summaries"


-class DailySeveritySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated daily severity counts per provider.
-    Used by findings_severity/timeseries endpoint for efficient queries.
-    """
-
-    objects = ActiveProviderManager()
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    date = models.DateField()
-
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="daily_severity_summaries",
-        related_query_name="daily_severity_summary",
-    )
-
-    # Aggregated fail counts by severity
-    critical = models.IntegerField(default=0)
-    high = models.IntegerField(default=0)
-    medium = models.IntegerField(default=0)
-    low = models.IntegerField(default=0)
-    informational = models.IntegerField(default=0)
-    muted = models.IntegerField(default=0)
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "daily_severity_summaries"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "provider", "date"),
-                name="unique_daily_severity_summary",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "id"],
-                name="dss_tenant_id_idx",
-            ),
-            models.Index(
-                fields=["tenant_id", "provider_id"],
-                name="dss_tenant_provider_idx",
-            ),
-        ]
-
-
 class Integration(RowLevelSecurityProtectedModel):
    class IntegrationChoices(models.TextChoices):
        AMAZON_S3 = "amazon_s3", _("Amazon S3")
@@ -1964,64 +1857,6 @@ class ResourceScanSummary(RowLevelSecurityProtectedModel):
        ]


-class ScanCategorySummary(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated category metrics per scan by severity.
-
-    Stores one row per (category, severity) combination per scan for efficient
-    overview queries. Categories come from check_metadata.categories.
-
-    Count relationships (each is a subset of the previous):
-        - total_findings >= failed_findings >= new_failed_findings
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="category_summaries",
-        related_query_name="category_summary",
-    )
-
-    category = models.CharField(max_length=100)
-    severity = SeverityEnumField(choices=SeverityChoices)
-
-    total_findings = models.IntegerField(
-        default=0, help_text="Non-muted findings (PASS + FAIL)"
-    )
-    failed_findings = models.IntegerField(
-        default=0, help_text="Non-muted FAIL findings (subset of total_findings)"
-    )
-    new_failed_findings = models.IntegerField(
-        default=0,
-        help_text="Non-muted FAIL with delta='new' (subset of failed_findings)",
-    )
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "scan_category_summaries"
-
-        indexes = [
-            models.Index(fields=["tenant_id", "scan"], name="scs_tenant_scan_idx"),
-        ]
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "category", "severity"),
-                name="unique_category_severity_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "scan-category-summaries"
-
-
 class LighthouseConfiguration(RowLevelSecurityProtectedModel):
    """
    Stores configuration and API keys for LLM services.
@@ -2412,6 +2247,9 @@ class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):
    Snapshots are created automatically after each ThreatScore report generation.
    """

+    objects = models.Manager()
+    all_objects = models.Manager()
+
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)

@@ -2535,63 +2373,3 @@ class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):

    class JSONAPIMeta:
        resource_name = "threatscore-snapshots"
-
-
-class AttackSurfaceOverview(RowLevelSecurityProtectedModel):
-    """
-    Pre-aggregated attack surface metrics per scan.
-
-    Stores counts for each attack surface type (internet-exposed, secrets,
-    privilege-escalation, ec2-imdsv1) to enable fast overview queries.
-    """
-
-    class AttackSurfaceTypeChoices(models.TextChoices):
-        INTERNET_EXPOSED = "internet-exposed", _("Internet Exposed")
-        SECRETS = "secrets", _("Exposed Secrets")
-        PRIVILEGE_ESCALATION = "privilege-escalation", _("Privilege Escalation")
-        EC2_IMDSV1 = "ec2-imdsv1", _("EC2 IMDSv1 Enabled")
-
-    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
-    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
-
-    scan = models.ForeignKey(
-        Scan,
-        on_delete=models.CASCADE,
-        related_name="attack_surface_overviews",
-        related_query_name="attack_surface_overview",
-    )
-
-    attack_surface_type = models.CharField(
-        max_length=50,
-        choices=AttackSurfaceTypeChoices.choices,
-    )
-
-    # Finding counts
-    total_findings = models.IntegerField(default=0)  # All findings (PASS + FAIL)
-    failed_findings = models.IntegerField(default=0)  # Non-muted failed findings
-    muted_failed_findings = models.IntegerField(default=0)  # Muted failed findings
-
-    class Meta(RowLevelSecurityProtectedModel.Meta):
-        db_table = "attack_surface_overviews"
-
-        constraints = [
-            models.UniqueConstraint(
-                fields=("tenant_id", "scan_id", "attack_surface_type"),
-                name="unique_attack_surface_per_scan",
-            ),
-            RowLevelSecurityConstraint(
-                field="tenant_id",
-                name="rls_on_%(class)s",
-                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
-            ),
-        ]
-
-        indexes = [
-            models.Index(
-                fields=["tenant_id", "scan_id"],
-                name="attack_surf_tenant_scan_idx",
-            ),
-        ]
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"
@@ -65,11 +65,11 @@ def get_providers(role: Role) -> QuerySet[Provider]:
        A QuerySet of Provider objects filtered by the role's provider groups.
        If the role has no provider groups, returns an empty queryset.
    """
-    tenant_id = role.tenant_id
+    tenant = role.tenant
    provider_groups = role.provider_groups.all()
    if not provider_groups.exists():
        return Provider.objects.none()

    return Provider.objects.filter(
-        tenant_id=tenant_id, provider_groups__in=provider_groups
+        tenant=tenant, provider_groups__in=provider_groups
    ).distinct()
@@ -36,6 +36,143 @@ def _extract_task_example_from_components(components):
    }


+def fix_empty_id_fields(result, generator, request, public):  # noqa: F841
+    """
+    Fix empty id fields in JSON:API request schemas.
+    drf-spectacular-jsonapi sometimes generates empty id field definitions ({})
+    which cause validation errors in Mintlify and other OpenAPI validators.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    components = result.get("components", {}) or {}
+    schemas = components.get("schemas", {}) or {}
+
+    for schema_name, schema in schemas.items():
+        if not isinstance(schema, dict):
+            continue
+
+        # Check if this is a JSON:API request schema with a data object
+        properties = schema.get("properties", {})
+        if not isinstance(properties, dict):
+            continue
+
+        data_prop = properties.get("data")
+        if not isinstance(data_prop, dict):
+            continue
+
+        data_properties = data_prop.get("properties", {})
+        if not isinstance(data_properties, dict):
+            continue
+
+        # Fix empty id field
+        id_field = data_properties.get("id")
+        if id_field == {} or (isinstance(id_field, dict) and not id_field):
+            data_properties["id"] = {
+                "type": "string",
+                "format": "uuid",
+                "description": "Unique identifier for this resource object.",
+            }
+
+    return result
+
+
+def convert_pattern_properties_to_additional(obj):
+    """
+    Recursively convert patternProperties to additionalProperties.
+    OpenAPI 3.0.x doesn't support patternProperties (only available in 3.1+).
+    """
+    if isinstance(obj, dict):
+        if "patternProperties" in obj:
+            # Get the pattern and its schema
+            pattern_props = obj.pop("patternProperties")
+            # Use the first pattern's schema as additionalProperties
+            if pattern_props:
+                first_pattern_schema = next(iter(pattern_props.values()))
+                obj["additionalProperties"] = first_pattern_schema
+
+        # Recursively process all nested objects
+        for key, value in obj.items():
+            obj[key] = convert_pattern_properties_to_additional(value)
+    elif isinstance(obj, list):
+        return [convert_pattern_properties_to_additional(item) for item in obj]
+
+    return obj
+
+
+def fix_pattern_properties(result, generator, request, public):  # noqa: F841
+    """
+    Convert patternProperties to additionalProperties for OpenAPI 3.0 compatibility.
+    patternProperties is only supported in OpenAPI 3.1+, but drf-spectacular
+    generates OpenAPI 3.0.x specs.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    return convert_pattern_properties_to_additional(result)
+
+
+def fix_invalid_types(obj):
+    """
+    Recursively fix invalid type values in OpenAPI schemas.
+    Converts invalid types like "email" to proper OpenAPI format.
+    """
+    if isinstance(obj, dict):
+        # Fix invalid "type" values
+        if "type" in obj:
+            type_value = obj["type"]
+            if type_value == "email":
+                obj["type"] = "string"
+                obj["format"] = "email"
+            elif type_value == "url":
+                obj["type"] = "string"
+                obj["format"] = "uri"
+            elif type_value == "uuid":
+                obj["type"] = "string"
+                obj["format"] = "uuid"
+
+        # Recursively process all nested objects
+        for key, value in list(obj.items()):
+            obj[key] = fix_invalid_types(value)
+    elif isinstance(obj, list):
+        return [fix_invalid_types(item) for item in obj]
+
+    return obj
+
+
+def fix_type_formats(result, generator, request, public):  # noqa: F841
+    """
+    Fix invalid type values in OpenAPI schemas.
+    drf-spectacular sometimes generates invalid type values like "email"
+    instead of "type": "string" with "format": "email".
+    """
+    if not isinstance(result, dict):
+        return result
+
+    return fix_invalid_types(result)
+
+
+def add_api_servers(result, generator, request, public):  # noqa: F841
+    """
+    Add servers configuration to OpenAPI spec for Mintlify API playground.
+    This enables the "Try it out" feature in the documentation.
+    Only adds the production URL to ensure consistent documentation.
+    """
+    if not isinstance(result, dict):
+        return result
+
+    # Add servers array if not already present
+    if "servers" not in result:
+        result["servers"] = [
+            {
+                "url": "https://api.prowler.com",
+                "description": "Prowler Cloud API",
+            }
+        ]
+
+    return result
+
+
 def attach_task_202_examples(result, generator, request, public):  # noqa: F841
    if not isinstance(result, dict):
        return result
@@ -2,12 +2,9 @@ import uuid
 from unittest.mock import call, patch

 import pytest
-from django.core.exceptions import ObjectDoesNotExist
-from django.db import IntegrityError

 from api.db_utils import POSTGRES_TENANT_VAR, SET_CONFIG_QUERY
-from api.decorators import handle_provider_deletion, set_tenant
-from api.exceptions import ProviderDeletedException
+from api.decorators import set_tenant


@pytest.mark.django_db
@@ -37,142 +34,3 @@ class TestSetTenantDecorator:

        with pytest.raises(KeyError):
            random_func("test_arg")
-
-
-@pytest.mark.django_db
-class TestHandleProviderDeletionDecorator:
-    def test_success_no_exception(self, tenants_fixture, providers_fixture):
-        """Decorated function runs normally when no exception is raised."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            return "success"
-
-        result = task_func(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-        )
-        assert result == "success"
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_deleted_with_provider_id(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when provider_id provided and provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-        assert deleted_provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_provider_deleted_with_scan_id(
-        self, mock_scan_filter, mock_provider_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException when scan exists but provider deleted."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-        provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-
-        mock_scan = type("MockScan", (), {"provider_id": provider_id})()
-        mock_scan_filter.return_value.first.return_value = mock_scan
-        mock_provider_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert provider_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Scan.objects.filter")
-    def test_scan_deleted_cascade(self, mock_scan_filter, mock_rls, tenants_fixture):
-        """Raises ProviderDeletedException when scan was deleted (CASCADE from provider)."""
-        tenant = tenants_fixture[0]
-        scan_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_scan_filter.return_value.first.return_value = None
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(ProviderDeletedException) as exc_info:
-            task_func(tenant_id=str(tenant.id), scan_id=scan_id)
-
-        assert scan_id in str(exc_info.value)
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_provider_exists_reraises_original(
-        self, mock_filter, mock_rls, tenants_fixture, providers_fixture
-    ):
-        """Re-raises original exception when provider still exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = True
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Actual object missing")
-
-        with pytest.raises(ObjectDoesNotExist):
-            task_func(tenant_id=str(tenant.id), provider_id=str(provider.id))
-
-    @patch("api.decorators.rls_transaction")
-    @patch("api.decorators.Provider.objects.filter")
-    def test_integrity_error_provider_deleted(
-        self, mock_filter, mock_rls, tenants_fixture
-    ):
-        """Raises ProviderDeletedException on IntegrityError when provider deleted."""
-        tenant = tenants_fixture[0]
-        deleted_provider_id = str(uuid.uuid4())
-
-        mock_rls.return_value.__enter__ = lambda s: None
-        mock_rls.return_value.__exit__ = lambda s, *args: None
-        mock_filter.return_value.exists.return_value = False
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise IntegrityError("FK constraint violation")
-
-        with pytest.raises(ProviderDeletedException):
-            task_func(tenant_id=str(tenant.id), provider_id=deleted_provider_id)
-
-    def test_missing_provider_and_scan_raises_assertion(self, tenants_fixture):
-        """Raises AssertionError when neither provider_id nor scan_id in kwargs."""
-
-        @handle_provider_deletion
-        def task_func(**kwargs):
-            raise ObjectDoesNotExist("Some object not found")
-
-        with pytest.raises(AssertionError) as exc_info:
-            task_func(tenant_id=str(tenants_fixture[0].id))
-
-        assert "provider or scan" in str(exc_info.value)
@@ -21,7 +21,6 @@ from prowler.providers.aws.lib.security_hub.security_hub import SecurityHubConne
 from prowler.providers.azure.azure_provider import AzureProvider
 from prowler.providers.gcp.gcp_provider import GcpProvider
 from prowler.providers.github.github_provider import GithubProvider
-from prowler.providers.iac.iac_provider import IacProvider
 from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
 from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
@@ -115,7 +114,6 @@ class TestReturnProwlerProvider:
            (Provider.ProviderChoices.GITHUB.value, GithubProvider),
            (Provider.ProviderChoices.MONGODBATLAS.value, MongodbatlasProvider),
            (Provider.ProviderChoices.ORACLECLOUD.value, OraclecloudProvider),
-            (Provider.ProviderChoices.IAC.value, IacProvider),
        ],
    )
    def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -256,72 +254,6 @@ class TestGetProwlerProviderKwargs:
        expected_result = {**secret_dict, "mutelist_content": {"key": "value"}}
        assert result == expected_result

-    def test_get_prowler_provider_kwargs_iac_provider(self):
-        """Test that IaC provider gets correct kwargs with repository URL."""
-        provider_uid = "https://github.com/org/repo"
-        secret_dict = {"access_token": "test_token"}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider)
-
-        expected_result = {
-            "scan_repository_url": provider_uid,
-            "oauth_app_token": "test_token",
-        }
-        assert result == expected_result
-
-    def test_get_prowler_provider_kwargs_iac_provider_without_token(self):
-        """Test that IaC provider works without access token for public repos."""
-        provider_uid = "https://github.com/org/public-repo"
-        secret_dict = {}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider)
-
-        expected_result = {"scan_repository_url": provider_uid}
-        assert result == expected_result
-
-    def test_get_prowler_provider_kwargs_iac_provider_ignores_mutelist(self):
-        """Test that IaC provider does NOT receive mutelist_content.
-
-        IaC provider uses Trivy's built-in mutelist logic, so it should not
-        receive mutelist_content even when a mutelist processor is configured.
-        """
-        provider_uid = "https://github.com/org/repo"
-        secret_dict = {"access_token": "test_token"}
-        secret_mock = MagicMock()
-        secret_mock.secret = secret_dict
-
-        mutelist_processor = MagicMock()
-        mutelist_processor.configuration = {"Mutelist": {"key": "value"}}
-
-        provider = MagicMock()
-        provider.provider = Provider.ProviderChoices.IAC.value
-        provider.secret = secret_mock
-        provider.uid = provider_uid
-
-        result = get_prowler_provider_kwargs(provider, mutelist_processor)
-
-        # IaC provider should NOT have mutelist_content
-        assert "mutelist_content" not in result
-        expected_result = {
-            "scan_repository_url": provider_uid,
-            "oauth_app_token": "test_token",
-        }
-        assert result == expected_result
-
    def test_get_prowler_provider_kwargs_unsupported_provider(self):
        # Setup
        provider_uid = "provider_uid"
@@ -158,8 +158,7 @@ def get_prowler_provider_kwargs(

    if mutelist_processor:
        mutelist_content = mutelist_processor.configuration.get("Mutelist", {})
-        # IaC provider doesn't support mutelist (uses Trivy's built-in logic)
-        if mutelist_content and provider.provider != Provider.ProviderChoices.IAC.value:
+        if mutelist_content:
            prowler_provider_kwargs["mutelist_content"] = mutelist_content

    return prowler_provider_kwargs
@@ -382,18 +381,10 @@ def get_findings_metadata_no_aggregations(tenant_id: str, filtered_queryset):
    regions = sorted({region for region in aggregation["regions"] or [] if region})
    resource_types = sorted(set(aggregation["resource_types"] or []))

-    # Aggregate categories from findings
-    categories_set = set()
-    for categories_list in filtered_queryset.values_list("categories", flat=True):
-        if categories_list:
-            categories_set.update(categories_list)
-    categories = sorted(categories_set)
-
    result = {
        "services": services,
        "regions": regions,
        "resource_types": resource_types,
-        "categories": categories,
    }

    serializer = FindingMetadataSerializer(data=result)
@@ -40,16 +40,11 @@ class BedrockCredentialsSerializer(serializers.Serializer):
    """
    Serializer for AWS Bedrock credentials validation.

-    Supports two authentication methods:
-    1. AWS access key + secret key
-    2. Bedrock API key (bearer token)
-
-    In both cases, region is mandatory.
+    Validates long-term AWS credentials (AKIA) and region format.
    """

-    access_key_id = serializers.CharField(required=False, allow_blank=False)
-    secret_access_key = serializers.CharField(required=False, allow_blank=False)
-    api_key = serializers.CharField(required=False, allow_blank=False)
+    access_key_id = serializers.CharField()
+    secret_access_key = serializers.CharField()
    region = serializers.CharField()

    def validate_access_key_id(self, value: str) -> str:
@@ -70,15 +65,6 @@ class BedrockCredentialsSerializer(serializers.Serializer):
            )
        return value

-    def validate_api_key(self, value: str) -> str:
-        """
-        Validate Bedrock API key (bearer token).
-        """
-        pattern = r"^ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/=]{110}$"
-        if not re.match(pattern, value or ""):
-            raise serializers.ValidationError("Invalid Bedrock API key format.")
-        return value
-
    def validate_region(self, value: str) -> str:
        """Validate AWS region format."""
        pattern = r"^[a-z]{2}-[a-z]+-\d+$"
@@ -88,50 +74,6 @@ class BedrockCredentialsSerializer(serializers.Serializer):
            )
        return value

-    def validate(self, attrs):
-        """
-        Enforce either:
-        - access_key_id + secret_access_key + region
-        OR
-        - api_key + region
-        """
-        access_key_id = attrs.get("access_key_id")
-        secret_access_key = attrs.get("secret_access_key")
-        api_key = attrs.get("api_key")
-        region = attrs.get("region")
-
-        errors = {}
-
-        if not region:
-            errors["region"] = ["Region is required."]
-
-        using_access_keys = bool(access_key_id or secret_access_key)
-        using_api_key = api_key is not None and api_key != ""
-
-        if using_access_keys and using_api_key:
-            errors["non_field_errors"] = [
-                "Provide either access key + secret key OR api key, not both."
-            ]
-        elif not using_access_keys and not using_api_key:
-            errors["non_field_errors"] = [
-                "You must provide either access key + secret key OR api key."
-            ]
-        elif using_access_keys:
-            # Both access_key_id and secret_access_key must be present together
-            if not access_key_id:
-                errors.setdefault("access_key_id", []).append(
-                    "AWS access key ID is required when using access key authentication."
-                )
-            if not secret_access_key:
-                errors.setdefault("secret_access_key", []).append(
-                    "AWS secret access key is required when using access key authentication."
-                )
-
-        if errors:
-            raise serializers.ValidationError(errors)
-
-        return attrs
-
    def to_internal_value(self, data):
        """Check for unknown fields before DRF filters them out."""
        if not isinstance(data, dict):
@@ -169,15 +111,6 @@ class BedrockCredentialsUpdateSerializer(BedrockCredentialsSerializer):
        for field in self.fields.values():
            field.required = False

-    def validate(self, attrs):
-        """
-        For updates, this serializer only checks individual fields.
-        It does NOT enforce the "either access keys OR api key" rule.
-        That rule is applied later, after merging with existing stored
-        credentials, in LighthouseProviderConfigUpdateSerializer.
-        """
-        return attrs
-

 class OpenAICompatibleCredentialsSerializer(serializers.Serializer):
    """
@@ -235,51 +168,27 @@ class OpenAICompatibleCredentialsSerializer(serializers.Serializer):
                "required": ["api_key"],
            },
            {
+                "type": "object",
                "title": "AWS Bedrock Credentials",
-                "oneOf": [
-                    {
-                        "title": "IAM Access Key Pair",
-                        "type": "object",
-                        "description": "Authenticate with AWS access key and secret key. Recommended when you manage IAM users or roles.",
-                        "properties": {
-                            "access_key_id": {
-                                "type": "string",
-                                "description": "AWS access key ID.",
-                                "pattern": "^AKIA[0-9A-Z]{16}$",
-                            },
-                            "secret_access_key": {
-                                "type": "string",
-                                "description": "AWS secret access key.",
-                                "pattern": "^[A-Za-z0-9/+=]{40}$",
-                            },
-                            "region": {
-                                "type": "string",
-                                "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
-                                "us-west-2, eu-west-1, ap-northeast-1.",
-                                "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
-                            },
-                        },
-                        "required": ["access_key_id", "secret_access_key", "region"],
+                "properties": {
+                    "access_key_id": {
+                        "type": "string",
+                        "description": "AWS access key ID.",
+                        "pattern": "^AKIA[0-9A-Z]{16}$",
                    },
-                    {
-                        "title": "Amazon Bedrock API Key",
-                        "type": "object",
-                        "description": "Authenticate with an Amazon Bedrock API key (bearer token). Region is still required.",
-                        "properties": {
-                            "api_key": {
-                                "type": "string",
-                                "description": "Amazon Bedrock API key (bearer token).",
-                            },
-                            "region": {
-                                "type": "string",
-                                "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
-                                "us-west-2, eu-west-1, ap-northeast-1.",
-                                "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
-                            },
-                        },
-                        "required": ["api_key", "region"],
+                    "secret_access_key": {
+                        "type": "string",
+                        "description": "AWS secret access key.",
+                        "pattern": "^[A-Za-z0-9/+=]{40}$",
                    },
-                ],
+                    "region": {
+                        "type": "string",
+                        "description": "AWS region identifier where Bedrock is available. Examples: us-east-1, "
+                        "us-west-2, eu-west-1, ap-northeast-1.",
+                        "pattern": "^[a-z]{2}-[a-z]+-\\d+$",
+                    },
+                },
+                "required": ["access_key_id", "secret_access_key", "region"],
            },
            {
                "type": "object",
@@ -72,42 +72,6 @@ from api.v1.serializer_utils.processors import ProcessorConfigField
 from api.v1.serializer_utils.providers import ProviderSecretField
 from prowler.lib.mutelist.mutelist import Mutelist

-# Base
-
-
-class BaseModelSerializerV1(serializers.ModelSerializer):
-    def get_root_meta(self, _resource, _many):
-        return {"version": "v1"}
-
-
-class BaseSerializerV1(serializers.Serializer):
-    def get_root_meta(self, _resource, _many):
-        return {"version": "v1"}
-
-
-class BaseWriteSerializer(BaseModelSerializerV1):
-    def validate(self, data):
-        if hasattr(self, "initial_data"):
-            initial_data = set(self.initial_data.keys()) - {"id", "type"}
-            unknown_keys = initial_data - set(self.fields.keys())
-            if unknown_keys:
-                raise ValidationError(f"Invalid fields: {unknown_keys}")
-        return data
-
-
-class RLSSerializer(BaseModelSerializerV1):
-    def create(self, validated_data):
-        tenant_id = self.context.get("tenant_id")
-        validated_data["tenant_id"] = tenant_id
-        return super().create(validated_data)
-
-
-class StateEnumSerializerField(serializers.ChoiceField):
-    def __init__(self, **kwargs):
-        kwargs["choices"] = StateChoices.choices
-        super().__init__(**kwargs)
-
-
 # Tokens


@@ -215,7 +179,7 @@ class TokenSocialLoginSerializer(BaseTokenSerializer):


 # TODO: Check if we can change the parent class to TokenRefreshSerializer from rest_framework_simplejwt.serializers
-class TokenRefreshSerializer(BaseSerializerV1):
+class TokenRefreshSerializer(serializers.Serializer):
    refresh = serializers.CharField()

    # Output token
@@ -249,7 +213,7 @@ class TokenRefreshSerializer(BaseSerializerV1):
            raise ValidationError({"refresh": "Invalid or expired token"})


-class TokenSwitchTenantSerializer(BaseSerializerV1):
+class TokenSwitchTenantSerializer(serializers.Serializer):
    tenant_id = serializers.UUIDField(
        write_only=True, help_text="The tenant ID for which to request a new token."
    )
@@ -273,10 +237,41 @@ class TokenSwitchTenantSerializer(BaseSerializerV1):
        return generate_tokens(user, tenant_id)


+# Base
+
+
+class BaseSerializerV1(serializers.ModelSerializer):
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
+
+class BaseWriteSerializer(BaseSerializerV1):
+    def validate(self, data):
+        if hasattr(self, "initial_data"):
+            initial_data = set(self.initial_data.keys()) - {"id", "type"}
+            unknown_keys = initial_data - set(self.fields.keys())
+            if unknown_keys:
+                raise ValidationError(f"Invalid fields: {unknown_keys}")
+        return data
+
+
+class RLSSerializer(BaseSerializerV1):
+    def create(self, validated_data):
+        tenant_id = self.context.get("tenant_id")
+        validated_data["tenant_id"] = tenant_id
+        return super().create(validated_data)
+
+
+class StateEnumSerializerField(serializers.ChoiceField):
+    def __init__(self, **kwargs):
+        kwargs["choices"] = StateChoices.choices
+        super().__init__(**kwargs)
+
+
 # Users


-class UserSerializer(BaseModelSerializerV1):
+class UserSerializer(BaseSerializerV1):
    """
    Serializer for the User model.
    """
@@ -407,7 +402,7 @@ class UserUpdateSerializer(BaseWriteSerializer):
        return super().update(instance, validated_data)


-class RoleResourceIdentifierSerializer(BaseSerializerV1):
+class RoleResourceIdentifierSerializer(serializers.Serializer):
    resource_type = serializers.CharField(source="type")
    id = serializers.UUIDField()

@@ -590,7 +585,7 @@ class TaskSerializer(RLSSerializer, TaskBase):
 # Tenants


-class TenantSerializer(BaseModelSerializerV1):
+class TenantSerializer(BaseSerializerV1):
    """
    Serializer for the Tenant model.
    """
@@ -602,7 +597,7 @@ class TenantSerializer(BaseModelSerializerV1):
        fields = ["id", "name", "memberships"]


-class TenantIncludeSerializer(BaseModelSerializerV1):
+class TenantIncludeSerializer(BaseSerializerV1):
    class Meta:
        model = Tenant
        fields = ["id", "name"]
@@ -778,7 +773,7 @@ class ProviderGroupUpdateSerializer(ProviderGroupSerializer):
        return super().update(instance, validated_data)


-class ProviderResourceIdentifierSerializer(BaseSerializerV1):
+class ProviderResourceIdentifierSerializer(serializers.Serializer):
    resource_type = serializers.CharField(source="type")
    id = serializers.UUIDField()

@@ -1115,7 +1110,7 @@ class ScanTaskSerializer(RLSSerializer):
        ]


-class ScanReportSerializer(BaseSerializerV1):
+class ScanReportSerializer(serializers.Serializer):
    id = serializers.CharField(source="scan")

    class Meta:
@@ -1123,7 +1118,7 @@ class ScanReportSerializer(BaseSerializerV1):
        fields = ["id"]


-class ScanComplianceReportSerializer(BaseSerializerV1):
+class ScanComplianceReportSerializer(serializers.Serializer):
    id = serializers.CharField(source="scan")
    name = serializers.CharField()

@@ -1172,17 +1167,11 @@ class ResourceSerializer(RLSSerializer):
            "findings",
            "failed_findings_count",
            "url",
-            "metadata",
-            "details",
-            "partition",
        ]
        extra_kwargs = {
            "id": {"read_only": True},
            "inserted_at": {"read_only": True},
            "updated_at": {"read_only": True},
-            "metadata": {"read_only": True},
-            "details": {"read_only": True},
-            "partition": {"read_only": True},
        }

    included_serializers = {
@@ -1239,15 +1228,11 @@ class ResourceIncludeSerializer(RLSSerializer):
            "service",
            "type_",
            "tags",
-            "details",
-            "partition",
        ]
        extra_kwargs = {
            "id": {"read_only": True},
            "inserted_at": {"read_only": True},
            "updated_at": {"read_only": True},
-            "details": {"read_only": True},
-            "partition": {"read_only": True},
        }

    @extend_schema_field(
@@ -1272,7 +1257,7 @@ class ResourceIncludeSerializer(RLSSerializer):
        return fields


-class ResourceMetadataSerializer(BaseSerializerV1):
+class ResourceMetadataSerializer(serializers.Serializer):
    services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    types = serializers.ListField(child=serializers.CharField(), allow_empty=True)
@@ -1301,7 +1286,6 @@ class FindingSerializer(RLSSerializer):
            "severity",
            "check_id",
            "check_metadata",
-            "categories",
            "raw_result",
            "inserted_at",
            "updated_at",
@@ -1343,7 +1327,7 @@ class FindingIncludeSerializer(RLSSerializer):


 # To be removed when the related endpoint is removed as well
-class FindingDynamicFilterSerializer(BaseSerializerV1):
+class FindingDynamicFilterSerializer(serializers.Serializer):
    services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)

@@ -1351,13 +1335,12 @@ class FindingDynamicFilterSerializer(BaseSerializerV1):
        resource_name = "finding-dynamic-filters"


-class FindingMetadataSerializer(BaseSerializerV1):
+class FindingMetadataSerializer(serializers.Serializer):
    services = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    resource_types = serializers.ListField(
        child=serializers.CharField(), allow_empty=True
    )
-    categories = serializers.ListField(child=serializers.CharField(), allow_empty=True)
    # Temporarily disabled until we implement tag filtering in the UI
    # tags = serializers.JSONField(help_text="Tags are described as key-value pairs.")

@@ -2046,7 +2029,7 @@ class RoleProviderGroupRelationshipSerializer(RLSSerializer, BaseWriteSerializer
 # Compliance overview


-class ComplianceOverviewSerializer(BaseSerializerV1):
+class ComplianceOverviewSerializer(serializers.Serializer):
    """
    Serializer for compliance requirement status aggregated by compliance framework.

@@ -2068,7 +2051,7 @@ class ComplianceOverviewSerializer(BaseSerializerV1):
        resource_name = "compliance-overviews"


-class ComplianceOverviewDetailSerializer(BaseSerializerV1):
+class ComplianceOverviewDetailSerializer(serializers.Serializer):
    """
    Serializer for detailed compliance requirement information.

@@ -2097,7 +2080,7 @@ class ComplianceOverviewDetailThreatscoreSerializer(ComplianceOverviewDetailSeri
    total_findings = serializers.IntegerField()


-class ComplianceOverviewAttributesSerializer(BaseSerializerV1):
+class ComplianceOverviewAttributesSerializer(serializers.Serializer):
    id = serializers.CharField()
    compliance_name = serializers.CharField()
    framework_description = serializers.CharField()
@@ -2111,7 +2094,7 @@ class ComplianceOverviewAttributesSerializer(BaseSerializerV1):
        resource_name = "compliance-requirements-attributes"


-class ComplianceOverviewMetadataSerializer(BaseSerializerV1):
+class ComplianceOverviewMetadataSerializer(serializers.Serializer):
    regions = serializers.ListField(child=serializers.CharField(), allow_empty=True)

    class JSONAPIMeta:
@@ -2121,7 +2104,7 @@ class ComplianceOverviewMetadataSerializer(BaseSerializerV1):
 # Overviews


-class OverviewProviderSerializer(BaseSerializerV1):
+class OverviewProviderSerializer(serializers.Serializer):
    id = serializers.CharField(source="provider")
    findings = serializers.SerializerMethodField(read_only=True)
    resources = serializers.SerializerMethodField(read_only=True)
@@ -2129,6 +2112,9 @@ class OverviewProviderSerializer(BaseSerializerV1):
    class JSONAPIMeta:
        resource_name = "providers-overview"

+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
    @extend_schema_field(
        {
            "type": "object",
@@ -2162,15 +2148,18 @@ class OverviewProviderSerializer(BaseSerializerV1):
        }


-class OverviewProviderCountSerializer(BaseSerializerV1):
+class OverviewProviderCountSerializer(serializers.Serializer):
    id = serializers.CharField(source="provider")
    count = serializers.IntegerField()

    class JSONAPIMeta:
        resource_name = "providers-count-overview"

+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}

-class OverviewFindingSerializer(BaseSerializerV1):
+
+class OverviewFindingSerializer(serializers.Serializer):
    id = serializers.CharField(default="n/a")
    new = serializers.IntegerField()
    changed = serializers.IntegerField()
@@ -2189,12 +2178,15 @@ class OverviewFindingSerializer(BaseSerializerV1):
    class JSONAPIMeta:
        resource_name = "findings-overview"

+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}
+
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields["pass"] = self.fields.pop("_pass")


-class OverviewSeveritySerializer(BaseSerializerV1):
+class OverviewSeveritySerializer(serializers.Serializer):
    id = serializers.CharField(default="n/a")
    critical = serializers.IntegerField()
    high = serializers.IntegerField()
@@ -2205,24 +2197,11 @@ class OverviewSeveritySerializer(BaseSerializerV1):
    class JSONAPIMeta:
        resource_name = "findings-severity-overview"

-
-class FindingsSeverityOverTimeSerializer(BaseSerializerV1):
-    """Serializer for daily findings severity trend data."""
-
-    id = serializers.DateField(source="date")
-    critical = serializers.IntegerField()
-    high = serializers.IntegerField()
-    medium = serializers.IntegerField()
-    low = serializers.IntegerField()
-    informational = serializers.IntegerField()
-    muted = serializers.IntegerField()
-    scan_ids = serializers.ListField(child=serializers.UUIDField())
-
-    class JSONAPIMeta:
-        resource_name = "findings-severity-over-time"
+    def get_root_meta(self, _resource, _many):
+        return {"version": "v1"}


-class OverviewServiceSerializer(BaseSerializerV1):
+class OverviewServiceSerializer(serializers.Serializer):
    id = serializers.CharField(source="service")
    total = serializers.IntegerField()
    _pass = serializers.IntegerField()
@@ -2236,54 +2215,6 @@ class OverviewServiceSerializer(BaseSerializerV1):
        super().__init__(*args, **kwargs)
        self.fields["pass"] = self.fields.pop("_pass")

-
-class AttackSurfaceOverviewSerializer(BaseSerializerV1):
-    """Serializer for attack surface overview aggregations."""
-
-    id = serializers.CharField(source="attack_surface_type")
-    total_findings = serializers.IntegerField()
-    failed_findings = serializers.IntegerField()
-    muted_failed_findings = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "attack-surface-overviews"
-
-
-class CategoryOverviewSerializer(BaseSerializerV1):
-    """Serializer for category overview aggregations."""
-
-    id = serializers.CharField(source="category")
-    total_findings = serializers.IntegerField()
-    failed_findings = serializers.IntegerField()
-    new_failed_findings = serializers.IntegerField()
-    severity = serializers.JSONField(
-        help_text="Severity breakdown: {informational, low, medium, high, critical}"
-    )
-
-    class JSONAPIMeta:
-        resource_name = "category-overviews"
-
-
-class OverviewRegionSerializer(serializers.Serializer):
-    id = serializers.SerializerMethodField()
-    provider_type = serializers.CharField()
-    region = serializers.CharField()
-    total = serializers.IntegerField()
-    _pass = serializers.IntegerField()
-    fail = serializers.IntegerField()
-    muted = serializers.IntegerField()
-
-    class JSONAPIMeta:
-        resource_name = "regions-overview"
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["pass"] = self.fields.pop("_pass")
-
-    def get_id(self, obj):
-        """Generate unique ID from provider_type and region."""
-        return f"{obj['provider_type']}:{obj['region']}"
-
    def get_root_meta(self, _resource, _many):
        return {"version": "v1"}

@@ -2291,7 +2222,7 @@ class OverviewRegionSerializer(serializers.Serializer):
 # Schedules


-class ScheduleDailyCreateSerializer(BaseSerializerV1):
+class ScheduleDailyCreateSerializer(serializers.Serializer):
    provider_id = serializers.UUIDField(required=True)

    class JSONAPIMeta:
@@ -2627,7 +2558,7 @@ class IntegrationUpdateSerializer(BaseWriteIntegrationSerializer):
        return representation


-class IntegrationJiraDispatchSerializer(BaseSerializerV1):
+class IntegrationJiraDispatchSerializer(serializers.Serializer):
    """
    Serializer for dispatching findings to JIRA integration.
    """
@@ -2790,14 +2721,14 @@ class ProcessorUpdateSerializer(BaseWriteSerializer):
 # SSO


-class SamlInitiateSerializer(BaseSerializerV1):
+class SamlInitiateSerializer(serializers.Serializer):
    email_domain = serializers.CharField()

    class JSONAPIMeta:
        resource_name = "saml-initiate"


-class SamlMetadataSerializer(BaseSerializerV1):
+class SamlMetadataSerializer(serializers.Serializer):
    class JSONAPIMeta:
        resource_name = "saml-meta"

@@ -3329,19 +3260,6 @@ class LighthouseProviderConfigUpdateSerializer(BaseWriteSerializer):
            and provider_type
            == LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK
        ):
-            # For updates, enforce that the authentication method (access keys vs API key)
-            # is immutable. To switch methods, the UI must delete and recreate the provider.
-            existing_credentials = (
-                self.instance.credentials_decoded if self.instance else {}
-            ) or {}
-
-            existing_uses_api_key = "api_key" in existing_credentials
-            existing_uses_access_keys = any(
-                k in existing_credentials
-                for k in ("access_key_id", "secret_access_key")
-            )
-
-            # First run field-level validation on the partial payload
            try:
                BedrockCredentialsUpdateSerializer(data=credentials).is_valid(
                    raise_exception=True
@@ -3352,31 +3270,6 @@ class LighthouseProviderConfigUpdateSerializer(BaseWriteSerializer):
                    e.detail[f"credentials/{key}"] = value
                    del e.detail[key]
                raise e
-
-            # Then enforce invariants about not changing the auth method
-            # If the existing config uses an API key, forbid introducing access keys.
-            if existing_uses_api_key and any(
-                k in credentials for k in ("access_key_id", "secret_access_key")
-            ):
-                raise ValidationError(
-                    {
-                        "credentials/non_field_errors": [
-                            "Cannot change Bedrock authentication method from API key "
-                            "to access key via update. Delete and recreate the provider instead."
-                        ]
-                    }
-                )
-
-            # If the existing config uses access keys, forbid introducing an API key.
-            if existing_uses_access_keys and "api_key" in credentials:
-                raise ValidationError(
-                    {
-                        "credentials/non_field_errors": [
-                            "Cannot change Bedrock authentication method from access key "
-                            "to API key via update. Delete and recreate the provider instead."
-                        ]
-                    }
-                )
        elif (
            credentials is not None
            and provider_type
@@ -125,6 +125,10 @@ SPECTACULAR_SETTINGS = {
        "drf_spectacular_jsonapi.hooks.fix_nested_path_parameters",
    ],
    "POSTPROCESSING_HOOKS": [
+        "api.schema_hooks.fix_empty_id_fields",
+        "api.schema_hooks.fix_pattern_properties",
+        "api.schema_hooks.fix_type_formats",
+        "api.schema_hooks.add_api_servers",
        "api.schema_hooks.attach_task_202_examples",
    ],
    "TITLE": "API Reference - Prowler",
@@ -36,14 +36,6 @@ DATABASES = {
        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
    },
-    "admin_replica": {
-        "ENGINE": "psqlextra.backend",
-        "NAME": env("POSTGRES_REPLICA_DB", default=default_db_name),
-        "USER": env("POSTGRES_ADMIN_USER", default="prowler"),
-        "PASSWORD": env("POSTGRES_ADMIN_PASSWORD", default="S3cret"),
-        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
-        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
-    },
 }

 DATABASES["default"] = DATABASES["prowler_user"]
@@ -37,14 +37,6 @@ DATABASES = {
        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
    },
-    "admin_replica": {
-        "ENGINE": "psqlextra.backend",
-        "NAME": env("POSTGRES_REPLICA_DB", default=default_db_name),
-        "USER": env("POSTGRES_ADMIN_USER"),
-        "PASSWORD": env("POSTGRES_ADMIN_PASSWORD"),
-        "HOST": env("POSTGRES_REPLICA_HOST", default=default_db_host),
-        "PORT": env("POSTGRES_REPLICA_PORT", default=default_db_port),
-    },
 }

 DATABASES["default"] = DATABASES["prowler_user"]
@@ -5,9 +5,6 @@ IGNORED_EXCEPTIONS = [
    # Provider is not connected due to credentials errors
    "is not connected",
    "ProviderConnectionError",
-    # Provider was deleted during a scan
-    "ProviderDeletedException",
-    "violates foreign key constraint",
    # Authentication Errors from AWS
    "InvalidToken",
    "AccessDeniedException",
@@ -11,14 +11,10 @@ from django.urls import reverse
 from django_celery_results.models import TaskResult
 from rest_framework import status
 from rest_framework.test import APIClient
-from tasks.jobs.backfill import (
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries

 from api.db_utils import rls_transaction
 from api.models import (
-    AttackSurfaceOverview,
    ComplianceOverview,
    ComplianceRequirementOverview,
    Finding,
@@ -39,7 +35,6 @@ from api.models import (
    SAMLConfiguration,
    SAMLDomainIndex,
    Scan,
-    ScanCategorySummary,
    ScanSummary,
    StateChoices,
    StatusChoices,
@@ -1113,8 +1108,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        region="region1",
        _pass=1,
        fail=0,
-        muted=2,
-        total=3,
+        muted=0,
+        total=1,
        new=1,
        changed=0,
        unchanged=0,
@@ -1122,7 +1117,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        fail_changed=0,
        pass_new=1,
        pass_changed=0,
-        muted_new=2,
+        muted_new=0,
        muted_changed=0,
        scan=scan,
    )
@@ -1135,8 +1130,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        region="region2",
        _pass=0,
        fail=1,
-        muted=3,
-        total=4,
+        muted=1,
+        total=2,
        new=2,
        changed=0,
        unchanged=0,
@@ -1144,7 +1139,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        fail_changed=0,
        pass_new=0,
        pass_changed=0,
-        muted_new=3,
+        muted_new=1,
        muted_changed=0,
        scan=scan,
    )
@@ -1157,8 +1152,8 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        region="region1",
        _pass=1,
        fail=0,
-        muted=1,
-        total=2,
+        muted=0,
+        total=1,
        new=1,
        changed=0,
        unchanged=0,
@@ -1166,7 +1161,7 @@ def scan_summaries_fixture(tenants_fixture, providers_fixture):
        fail_changed=0,
        pass_new=1,
        pass_changed=0,
-        muted_new=1,
+        muted_new=0,
        muted_changed=0,
        scan=scan,
    )
@@ -1275,113 +1270,6 @@ def latest_scan_finding(authenticated_client, providers_fixture, resources_fixtu
    return finding


-@pytest.fixture(scope="function")
-def findings_with_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding
-
-
-@pytest.fixture(scope="function")
-def findings_with_multiple_categories(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource1, resource2 = resources_fixture[:2]
-
-    finding1 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_1",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_check",
-        check_metadata={"CheckId": "genai_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding1.add_resources([resource1])
-
-    finding2 = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_multi_cat_2",
-        scan=scan,
-        delta=None,
-        status=Status.FAIL,
-        status_extended="test status 2",
-        impact=Severity.high,
-        impact_extended="test impact 2",
-        severity=Severity.high,
-        raw_result={"status": Status.FAIL},
-        check_id="iam_check",
-        check_metadata={"CheckId": "iam_check"},
-        categories=["iam", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding2.add_resources([resource2])
-
-    backfill_resource_scan_summaries(str(scan.tenant_id), str(scan.id))
-    return finding1, finding2
-
-
-@pytest.fixture(scope="function")
-def latest_scan_finding_with_categories(
-    authenticated_client, providers_fixture, resources_fixture
-):
-    provider = providers_fixture[0]
-    tenant_id = str(providers_fixture[0].tenant_id)
-    resource = resources_fixture[0]
-    scan = Scan.objects.create(
-        name="latest completed scan with categories",
-        provider=provider,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.COMPLETED,
-        tenant_id=tenant_id,
-    )
-    finding = Finding.objects.create(
-        tenant_id=tenant_id,
-        uid="latest_finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="genai_iam_check",
-        check_metadata={"CheckId": "genai_iam_check"},
-        categories=["gen-ai", "iam"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    backfill_resource_scan_summaries(tenant_id, str(scan.id))
-    backfill_scan_category_summaries(tenant_id, str(scan.id))
-    return finding
-
-
@pytest.fixture(scope="function")
 def latest_scan_resource(authenticated_client, providers_fixture):
    provider = providers_fixture[0]
@@ -1581,45 +1469,6 @@ def mute_rules_fixture(tenants_fixture, create_test_user, findings_fixture):
    return mute_rule1, mute_rule2


-@pytest.fixture
-def create_attack_surface_overview():
-    def _create(tenant, scan, attack_surface_type, total=10, failed=5, muted_failed=2):
-        return AttackSurfaceOverview.objects.create(
-            tenant=tenant,
-            scan=scan,
-            attack_surface_type=attack_surface_type,
-            total_findings=total,
-            failed_findings=failed,
-            muted_failed_findings=muted_failed,
-        )
-
-    return _create
-
-
-@pytest.fixture
-def create_scan_category_summary():
-    def _create(
-        tenant,
-        scan,
-        category,
-        severity,
-        total_findings=10,
-        failed_findings=5,
-        new_failed_findings=2,
-    ):
-        return ScanCategorySummary.objects.create(
-            tenant=tenant,
-            scan=scan,
-            category=category,
-            severity=severity,
-            total_findings=total_findings,
-            failed_findings=failed_findings,
-            new_failed_findings=new_failed_findings,
-        )
-
-    return _create
-
-
 def get_authorization_header(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}"}

@@ -61,5 +61,4 @@ def schedule_provider_scan(provider_instance: Provider):
            "tenant_id": str(provider_instance.tenant_id),
            "provider_id": provider_id,
        },
-        countdown=5,  # Avoid race conditions between the worker and the database
    )
@@ -1,29 +1,15 @@
-from collections import defaultdict
-from datetime import timedelta
-
-from django.db.models import Sum
-from django.utils import timezone
-from tasks.jobs.scan import aggregate_category_counts
-
-from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
 from api.models import (
-    ComplianceOverviewSummary,
-    ComplianceRequirementOverview,
-    DailySeveritySummary,
-    Finding,
    Resource,
    ResourceFindingMapping,
    ResourceScanSummary,
    Scan,
-    ScanCategorySummary,
-    ScanSummary,
    StateChoices,
 )


 def backfill_resource_scan_summaries(tenant_id: str, scan_id: str):
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
+    with rls_transaction(tenant_id):
        if ResourceScanSummary.objects.filter(
            tenant_id=tenant_id, scan_id=scan_id
        ).exists():
@@ -73,271 +59,3 @@ def backfill_resource_scan_summaries(tenant_id: str, scan_id: str):
            )

    return {"status": "backfilled", "inserted": len(summaries)}
-
-
-def backfill_compliance_summaries(tenant_id: str, scan_id: str):
-    """
-    Backfill ComplianceOverviewSummary records for a completed scan.
-
-    This function checks if summary records already exist for the scan.
-    If not, it aggregates compliance requirement data and creates the summaries.
-
-    Args:
-        tenant_id: Target tenant UUID
-        scan_id: Scan UUID to backfill
-
-    Returns:
-        dict: Status indicating whether backfill was performed
-    """
-    with rls_transaction(tenant_id):
-        if ComplianceOverviewSummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).exists():
-            return {"status": "already backfilled"}
-
-    with rls_transaction(tenant_id):
-        if not Scan.objects.filter(
-            tenant_id=tenant_id,
-            id=scan_id,
-            state__in=(StateChoices.COMPLETED, StateChoices.FAILED),
-        ).exists():
-            return {"status": "scan is not completed"}
-
-        # Fetch all compliance requirement overview rows for this scan
-        requirement_rows = ComplianceRequirementOverview.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).values(
-            "compliance_id",
-            "requirement_id",
-            "requirement_status",
-        )
-
-        if not requirement_rows:
-            return {"status": "no compliance data to backfill"}
-
-        # Group by (compliance_id, requirement_id) across regions
-        requirement_statuses = defaultdict(
-            lambda: {"fail_count": 0, "pass_count": 0, "total_count": 0}
-        )
-
-        for row in requirement_rows:
-            compliance_id = row["compliance_id"]
-            requirement_id = row["requirement_id"]
-            requirement_status = row["requirement_status"]
-
-            # Aggregate requirement status across regions
-            key = (compliance_id, requirement_id)
-            requirement_statuses[key]["total_count"] += 1
-
-            if requirement_status == "FAIL":
-                requirement_statuses[key]["fail_count"] += 1
-            elif requirement_status == "PASS":
-                requirement_statuses[key]["pass_count"] += 1
-
-        # Determine per-requirement status and aggregate to compliance level
-        compliance_summaries = defaultdict(
-            lambda: {
-                "total_requirements": 0,
-                "requirements_passed": 0,
-                "requirements_failed": 0,
-                "requirements_manual": 0,
-            }
-        )
-
-        for (compliance_id, requirement_id), counts in requirement_statuses.items():
-            # Apply business rule: any FAIL → requirement fails
-            if counts["fail_count"] > 0:
-                req_status = "FAIL"
-            elif counts["pass_count"] == counts["total_count"]:
-                req_status = "PASS"
-            else:
-                req_status = "MANUAL"
-
-            # Aggregate to compliance level
-            compliance_summaries[compliance_id]["total_requirements"] += 1
-            if req_status == "PASS":
-                compliance_summaries[compliance_id]["requirements_passed"] += 1
-            elif req_status == "FAIL":
-                compliance_summaries[compliance_id]["requirements_failed"] += 1
-            else:
-                compliance_summaries[compliance_id]["requirements_manual"] += 1
-
-        # Create summary objects
-        summary_objects = []
-        for compliance_id, data in compliance_summaries.items():
-            summary_objects.append(
-                ComplianceOverviewSummary(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                    compliance_id=compliance_id,
-                    requirements_passed=data["requirements_passed"],
-                    requirements_failed=data["requirements_failed"],
-                    requirements_manual=data["requirements_manual"],
-                    total_requirements=data["total_requirements"],
-                )
-            )
-
-        # Bulk insert summaries
-        if summary_objects:
-            ComplianceOverviewSummary.objects.bulk_create(
-                summary_objects, batch_size=500, ignore_conflicts=True
-            )
-
-    return {"status": "backfilled", "inserted": len(summary_objects)}
-
-
-def backfill_daily_severity_summaries(tenant_id: str, days: int = None):
-    """
-    Backfill DailySeveritySummary from completed scans.
-    Groups by provider+date, keeps latest scan per day.
-    """
-    created_count = 0
-    updated_count = 0
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        scan_filter = {
-            "tenant_id": tenant_id,
-            "state": StateChoices.COMPLETED,
-            "completed_at__isnull": False,
-        }
-
-        if days is not None:
-            cutoff_date = timezone.now() - timedelta(days=days)
-            scan_filter["completed_at__gte"] = cutoff_date
-
-        completed_scans = (
-            Scan.objects.filter(**scan_filter)
-            .order_by("provider_id", "-completed_at")
-            .values("id", "provider_id", "completed_at")
-        )
-
-        if not completed_scans:
-            return {"status": "no scans to backfill"}
-
-        # Keep only latest scan per provider/day
-        latest_scans_by_day = {}
-        for scan in completed_scans:
-            key = (scan["provider_id"], scan["completed_at"].date())
-            if key not in latest_scans_by_day:
-                latest_scans_by_day[key] = scan
-
-    # Process each provider/day
-    for (provider_id, scan_date), scan in latest_scans_by_day.items():
-        scan_id = scan["id"]
-
-        with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-            severity_totals = (
-                ScanSummary.objects.filter(
-                    tenant_id=tenant_id,
-                    scan_id=scan_id,
-                )
-                .values("severity")
-                .annotate(total_fail=Sum("fail"), total_muted=Sum("muted"))
-            )
-
-            severity_data = {
-                "critical": 0,
-                "high": 0,
-                "medium": 0,
-                "low": 0,
-                "informational": 0,
-                "muted": 0,
-            }
-
-            for row in severity_totals:
-                severity = row["severity"]
-                if severity in severity_data:
-                    severity_data[severity] = row["total_fail"] or 0
-                severity_data["muted"] += row["total_muted"] or 0
-
-        with rls_transaction(tenant_id):
-            _, created = DailySeveritySummary.objects.update_or_create(
-                tenant_id=tenant_id,
-                provider_id=provider_id,
-                date=scan_date,
-                defaults={
-                    "scan_id": scan_id,
-                    "critical": severity_data["critical"],
-                    "high": severity_data["high"],
-                    "medium": severity_data["medium"],
-                    "low": severity_data["low"],
-                    "informational": severity_data["informational"],
-                    "muted": severity_data["muted"],
-                },
-            )
-
-            if created:
-                created_count += 1
-            else:
-                updated_count += 1
-
-    return {
-        "status": "backfilled",
-        "created": created_count,
-        "updated": updated_count,
-        "total_days": len(latest_scans_by_day),
-    }
-
-
-def backfill_scan_category_summaries(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates category counts from all findings in the scan and creates
-    one ScanCategorySummary row per (category, severity) combination.
-
-    Args:
-        tenant_id: Target tenant UUID
-        scan_id: Scan UUID to backfill
-
-    Returns:
-        dict: Status indicating whether backfill was performed
-    """
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        if ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).exists():
-            return {"status": "already backfilled"}
-
-        if not Scan.objects.filter(
-            tenant_id=tenant_id,
-            id=scan_id,
-            state__in=(StateChoices.COMPLETED, StateChoices.FAILED),
-        ).exists():
-            return {"status": "scan is not completed"}
-
-        category_counts: dict[tuple[str, str], dict[str, int]] = {}
-        for finding in Finding.all_objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        ).values("categories", "severity", "status", "delta", "muted"):
-            aggregate_category_counts(
-                categories=finding.get("categories") or [],
-                severity=finding.get("severity"),
-                status=finding.get("status"),
-                delta=finding.get("delta"),
-                muted=finding.get("muted", False),
-                cache=category_counts,
-            )
-
-        if not category_counts:
-            return {"status": "no categories to backfill"}
-
-    category_summaries = [
-        ScanCategorySummary(
-            tenant_id=tenant_id,
-            scan_id=scan_id,
-            category=category,
-            severity=severity,
-            total_findings=counts["total"],
-            failed_findings=counts["failed"],
-            new_failed_findings=counts["new_failed"],
-        )
-        for (category, severity), counts in category_counts.items()
-    ]
-
-    with rls_transaction(tenant_id):
-        ScanCategorySummary.objects.bulk_create(
-            category_summaries, batch_size=500, ignore_conflicts=True
-        )
-
-    return {"status": "backfilled", "categories_count": len(category_counts)}
@@ -15,7 +15,6 @@ from prowler.config.config import (
    html_file_suffix,
    json_asff_file_suffix,
    json_ocsf_file_suffix,
-    set_output_timestamp,
 )
 from prowler.lib.outputs.asff.asff import ASFF
 from prowler.lib.outputs.compliance.aws_well_architected.aws_well_architected import (
@@ -59,9 +58,6 @@ from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_azur
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_gcp import (
    ProwlerThreatScoreGCP,
 )
-from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_kubernetes import (
-    ProwlerThreatScoreKubernetes,
-)
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_m365 import (
    ProwlerThreatScoreM365,
 )
@@ -108,10 +104,6 @@ COMPLIANCE_CLASS_MAP = {
    "kubernetes": [
        (lambda name: name.startswith("cis_"), KubernetesCIS),
        (lambda name: name.startswith("iso27001_"), KubernetesISO27001),
-        (
-            lambda name: name == "prowler_threatscore_kubernetes",
-            ProwlerThreatScoreKubernetes,
-        ),
    ],
    "m365": [
        (lambda name: name.startswith("cis_"), M365CIS),
@@ -242,33 +234,36 @@ def _upload_to_s3(
        logger.error(f"S3 upload failed: {str(e)}")


-def _build_output_path(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-    subdirectory: str = None,
-) -> str:
+def _generate_output_directory(
+    output_directory, prowler_provider: object, tenant_id: str, scan_id: str
+) -> tuple[str, str, str]:
    """
-    Build a file system path for the output directory of a prowler scan.
+    Generate a file system path for the output directory of a prowler scan.
+
+    This function constructs the output directory path by combining a base
+    temporary output directory, the tenant ID, the scan ID, and details about
+    the prowler provider along with a timestamp. The resulting path is used to
+    store the output files of a prowler scan.
+
+    Note:
+        This function depends on one external variable:
+          - `output_file_timestamp`: A timestamp (as a string) used to uniquely identify the output.

    Args:
        output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
+        prowler_provider (object): An identifier or descriptor for the prowler provider.
+                                   Typically, this is a string indicating the provider (e.g., "aws").
        tenant_id (str): The unique identifier for the tenant.
        scan_id (str): The unique identifier for the scan.
-        subdirectory (str, optional): Optional subdirectory to include in the path
-                                     (e.g., "compliance", "threatscore", "ens").

    Returns:
-        str: The constructed path with directory created.
+        str: The constructed file system path for the prowler scan output directory.

    Example:
-        >>> _build_output_path("/tmp", "aws", "tenant-1234", "scan-5678")
-        '/tmp/tenant-1234/scan-5678/prowler-output-aws-20230215123456'
-        >>> _build_output_path("/tmp", "aws", "tenant-1234", "scan-5678", "threatscore")
-        '/tmp/tenant-1234/scan-5678/threatscore/prowler-output-aws-20230215123456'
+        >>> _generate_output_directory("/tmp", "aws", "tenant-1234", "scan-5678")
+        '/tmp/tenant-1234/aws/scan-5678/prowler-output-2023-02-15T12:34:56',
+        '/tmp/tenant-1234/aws/scan-5678/compliance/prowler-output-2023-02-15T12:34:56'
+        '/tmp/tenant-1234/aws/scan-5678/threatscore/prowler-output-2023-02-15T12:34:56'
    """
    # Sanitize the prowler provider name to ensure it is a valid directory name
    prowler_provider_sanitized = re.sub(r"[^\w\-]", "-", prowler_provider)
@@ -276,107 +271,23 @@ def _build_output_path(
    with rls_transaction(tenant_id):
        started_at = Scan.objects.get(id=scan_id).started_at

-    set_output_timestamp(started_at)
-
    timestamp = started_at.strftime("%Y%m%d%H%M%S")
-
-    if subdirectory:
-        path = (
-            f"{output_directory}/{tenant_id}/{scan_id}/{subdirectory}/prowler-output-"
-            f"{prowler_provider_sanitized}-{timestamp}"
-        )
-    else:
-        path = (
-            f"{output_directory}/{tenant_id}/{scan_id}/prowler-output-"
-            f"{prowler_provider_sanitized}-{timestamp}"
-        )
-
-    # Create directory for the path if it doesn't exist
+    path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
+    )
    os.makedirs("/".join(path.split("/")[:-1]), exist_ok=True)

-    return path
-
-
-def _generate_compliance_output_directory(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-    compliance_framework: str,
-) -> str:
-    """
-    Generate a file system path for a compliance framework output directory.
-
-    This function constructs the output directory path specifically for a compliance
-    framework (e.g., "threatscore", "ens") by combining a base temporary output directory,
-    the tenant ID, the scan ID, the compliance framework name, and details about the
-    prowler provider along with a timestamp.
-
-    Args:
-        output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
-        tenant_id (str): The unique identifier for the tenant.
-        scan_id (str): The unique identifier for the scan.
-        compliance_framework (str): The compliance framework name (e.g., "threatscore", "ens").
-
-    Returns:
-        str: The path for the compliance framework output directory.
-
-    Example:
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "threatscore")
-        '/tmp/tenant-1234/scan-5678/threatscore/prowler-output-aws-20230215123456'
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "ens")
-        '/tmp/tenant-1234/scan-5678/ens/prowler-output-aws-20230215123456'
-        >>> _generate_compliance_output_directory("/tmp", "aws", "tenant-1234", "scan-5678", "nis2")
-        '/tmp/tenant-1234/scan-5678/nis2/prowler-output-aws-20230215123456'
-    """
-    return _build_output_path(
-        output_directory,
-        prowler_provider,
-        tenant_id,
-        scan_id,
-        subdirectory=compliance_framework,
+    compliance_path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/compliance/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
    )
+    os.makedirs("/".join(compliance_path.split("/")[:-1]), exist_ok=True)

-
-def _generate_output_directory(
-    output_directory: str,
-    prowler_provider: str,
-    tenant_id: str,
-    scan_id: str,
-) -> tuple[str, str]:
-    """
-    Generate file system paths for the standard and compliance output directories of a prowler scan.
-
-    This function constructs both the standard output directory path and the compliance
-    output directory path by combining a base temporary output directory, the tenant ID,
-    the scan ID, and details about the prowler provider along with a timestamp.
-
-    Args:
-        output_directory (str): The base output directory.
-        prowler_provider (str): An identifier or descriptor for the prowler provider.
-                               Typically, this is a string indicating the provider (e.g., "aws").
-        tenant_id (str): The unique identifier for the tenant.
-        scan_id (str): The unique identifier for the scan.
-
-    Returns:
-        tuple[str, str]: A tuple containing (standard_path, compliance_path).
-
-    Example:
-        >>> _generate_output_directory("/tmp", "aws", "tenant-1234", "scan-5678")
-        ('/tmp/tenant-1234/scan-5678/prowler-output-aws-20230215123456',
-         '/tmp/tenant-1234/scan-5678/compliance/prowler-output-aws-20230215123456')
-    """
-    standard_path = _build_output_path(
-        output_directory, prowler_provider, tenant_id, scan_id
-    )
-    compliance_path = _build_output_path(
-        output_directory,
-        prowler_provider,
-        tenant_id,
-        scan_id,
-        subdirectory="compliance",
+    threatscore_path = (
+        f"{output_directory}/{tenant_id}/{scan_id}/threatscore/prowler-output-"
+        f"{prowler_provider_sanitized}-{timestamp}"
    )
+    os.makedirs("/".join(threatscore_path.split("/")[:-1]), exist_ok=True)

-    return standard_path, compliance_path
+    return path, compliance_path, threatscore_path
@@ -19,9 +19,6 @@ from prowler.providers.aws.aws_provider import AwsProvider
 from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
 from prowler.providers.common.models import Connection
-from prowler.providers.aws.lib.security_hub.exceptions.exceptions import (
-    SecurityHubNoEnabledRegionsError,
-)

 logger = get_task_logger(__name__)

@@ -225,9 +222,8 @@ def get_security_hub_client_from_integration(
        )
        return True, security_hub
    else:
-        # Reset regions information if connection fails and integration is not connected
+        # Reset regions information if connection fails
        with rls_transaction(tenant_id, using=MainRouter.default_db):
-            integration.connected = False
            integration.configuration["regions"] = {}
            integration.save()

@@ -334,18 +330,15 @@ def upload_security_hub_integration(
                                )

                                if not connected:
-                                    if isinstance(
-                                        security_hub.error,
-                                        SecurityHubNoEnabledRegionsError,
+                                    logger.error(
+                                        f"Security Hub connection failed for integration {integration.id}: "
+                                        f"{security_hub.error}"
+                                    )
+                                    with rls_transaction(
+                                        tenant_id, using=MainRouter.default_db
                                    ):
-                                        logger.warning(
-                                            f"Security Hub integration {integration.id} has no enabled regions"
-                                        )
-                                    else:
-                                        logger.error(
-                                            f"Security Hub connection failed for integration {integration.id}: "
-                                            f"{security_hub.error}"
-                                        )
+                                        integration.connected = False
+                                        integration.save()
                                    break  # Skip this integration

                                security_hub_client = security_hub
@@ -416,16 +409,22 @@ def upload_security_hub_integration(
                            logger.warning(
                                f"Failed to archive previous findings: {str(archive_error)}"
                            )
+
            except Exception as e:
                logger.error(
                    f"Security Hub integration {integration.id} failed: {str(e)}"
                )
+                continue

        result = integration_executions == len(integrations)
        if result:
            logger.info(
                f"All Security Hub integrations completed successfully for provider {provider_id}"
            )
+        else:
+            logger.error(
+                f"Some Security Hub integrations failed for provider {provider_id}"
+            )

        return result

@@ -2,8 +2,6 @@ from typing import Dict

 import boto3
 import openai
-from botocore import UNSIGNED
-from botocore.config import Config
 from botocore.exceptions import BotoCoreError, ClientError
 from celery.utils.log import get_task_logger

@@ -11,74 +9,6 @@ from api.models import LighthouseProviderConfiguration, LighthouseProviderModels

 logger = get_task_logger(__name__)

-# OpenAI model prefixes to exclude from Lighthouse model selection.
-# These models don't support text chat completions and tool calling.
-EXCLUDED_OPENAI_MODEL_PREFIXES = (
-    "dall-e",  # Image generation
-    "whisper",  # Audio transcription
-    "tts-",  # Text-to-speech (tts-1, tts-1-hd, etc.)
-    "sora",  # Text-to-video (sora-2, sora-2-pro, etc.)
-    "text-embedding",  # Embeddings
-    "embedding",  # Embeddings (alternative naming)
-    "text-moderation",  # Content moderation
-    "omni-moderation",  # Content moderation
-    "text-davinci",  # Legacy completion models
-    "text-curie",  # Legacy completion models
-    "text-babbage",  # Legacy completion models
-    "text-ada",  # Legacy completion models
-    "davinci",  # Legacy completion models
-    "curie",  # Legacy completion models
-    "babbage",  # Legacy completion models
-    "ada",  # Legacy completion models
-    "computer-use",  # Computer control agent
-    "gpt-image",  # Image generation
-    "gpt-audio",  # Audio models
-    "gpt-realtime",  # Realtime voice API
-)
-
-# OpenAI model substrings to exclude (patterns that can appear anywhere in model ID).
-# These patterns identify non-chat model variants.
-EXCLUDED_OPENAI_MODEL_SUBSTRINGS = (
-    "-audio-",  # Audio preview models (gpt-4o-audio-preview, etc.)
-    "-realtime-",  # Realtime preview models (gpt-4o-realtime-preview, etc.)
-    "-transcribe",  # Transcription models (gpt-4o-transcribe, etc.)
-    "-tts",  # TTS models (gpt-4o-mini-tts)
-    "-instruct",  # Legacy instruct models (gpt-3.5-turbo-instruct, etc.)
-)
-
-
-def _extract_error_message(e: Exception) -> str:
-    """
-    Extract a user-friendly error message from various exception types.
-
-    This function handles exceptions from different providers (OpenAI, AWS Bedrock)
-    and extracts the most relevant error message for display to users.
-
-    Args:
-        e: The exception to extract a message from.
-
-    Returns:
-        str: A user-friendly error message.
-    """
-    # For OpenAI SDK errors (>= v1.0)
-    # OpenAI exceptions have a 'body' attribute with error details
-    if hasattr(e, "body") and isinstance(e.body, dict):
-        if "message" in e.body:
-            return e.body["message"]
-        # Sometimes nested under 'error' key
-        if "error" in e.body and isinstance(e.body["error"], dict):
-            return e.body["error"].get("message", str(e))
-
-    # For boto3 ClientError
-    # Boto3 exceptions have a 'response' attribute with error details
-    if hasattr(e, "response") and isinstance(e.response, dict):
-        error_info = e.response.get("Error", {})
-        if error_info.get("Message"):
-            return error_info["Message"]
-
-    # Fallback to string representation for unknown error types
-    return str(e)
-

 def _extract_openai_api_key(
    provider_cfg: LighthouseProviderConfiguration,
@@ -126,39 +56,21 @@ def _extract_bedrock_credentials(
    """
    Safely extract AWS Bedrock credentials from a provider configuration.

-    Supports two authentication methods:
-    1. AWS access key + secret key + region
-    2. Bedrock API key (bearer token) + region
-
    Args:
        provider_cfg (LighthouseProviderConfiguration): The provider configuration instance
            containing the credentials.

    Returns:
-        Dict[str, str] | None: Dictionary with either:
-            - 'access_key_id', 'secret_access_key', and 'region' for access key auth
-            - 'api_key' and 'region' for API key (bearer token) auth
-            Returns None if credentials are invalid or missing.
+        Dict[str, str] | None: Dictionary with 'access_key_id', 'secret_access_key', and
+            'region' if present and valid, otherwise None.
    """
    creds = provider_cfg.credentials_decoded
    if not isinstance(creds, dict):
        return None

-    region = creds.get("region")
-    if not isinstance(region, str) or not region:
-        return None
-
-    # Check for API key authentication first
-    api_key = creds.get("api_key")
-    if isinstance(api_key, str) and api_key:
-        return {
-            "api_key": api_key,
-            "region": region,
-        }
-
-    # Fall back to access key authentication
    access_key_id = creds.get("access_key_id")
    secret_access_key = creds.get("secret_access_key")
+    region = creds.get("region")

    # Validate all required fields are present and are strings
    if (
@@ -166,6 +78,8 @@ def _extract_bedrock_credentials(
        or not access_key_id
        or not isinstance(secret_access_key, str)
        or not secret_access_key
+        or not isinstance(region, str)
+        or not region
    ):
        return None

@@ -176,51 +90,6 @@ def _extract_bedrock_credentials(
    }


-def _create_bedrock_client(
-    bedrock_creds: Dict[str, str], service_name: str = "bedrock"
-):
-    """
-    Create a boto3 Bedrock client with the appropriate authentication method.
-
-    Supports two authentication methods:
-    1. API key (bearer token) - uses unsigned requests with Authorization header
-    2. AWS access key + secret key - uses standard SigV4 signing
-
-    Args:
-        bedrock_creds: Dictionary with either:
-            - 'api_key' and 'region' for API key (bearer token) auth
-            - 'access_key_id', 'secret_access_key', and 'region' for access key auth
-        service_name: The Bedrock service name. Use 'bedrock' for control plane
-            operations (list_foundation_models, etc.) or 'bedrock-runtime' for
-            inference operations.
-
-    Returns:
-        boto3 client configured for the specified Bedrock service.
-    """
-    region = bedrock_creds["region"]
-
-    if "api_key" in bedrock_creds:
-        bearer_token = bedrock_creds["api_key"]
-        client = boto3.client(
-            service_name=service_name,
-            region_name=region,
-            config=Config(signature_version=UNSIGNED),
-        )
-
-        def inject_bearer_token(request, **kwargs):
-            request.headers["Authorization"] = f"Bearer {bearer_token}"
-
-        client.meta.events.register("before-send.*.*", inject_bearer_token)
-        return client
-
-    return boto3.client(
-        service_name=service_name,
-        region_name=region,
-        aws_access_key_id=bedrock_creds["access_key_id"],
-        aws_secret_access_key=bedrock_creds["secret_access_key"],
-    )
-
-
 def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
    """
    Validate a Lighthouse provider configuration by calling the provider API and
@@ -272,7 +141,12 @@ def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
                }

            # Test connection by listing foundation models
-            bedrock_client = _create_bedrock_client(bedrock_creds)
+            bedrock_client = boto3.client(
+                "bedrock",
+                aws_access_key_id=bedrock_creds["access_key_id"],
+                aws_secret_access_key=bedrock_creds["secret_access_key"],
+                region_name=bedrock_creds["region"],
+            )
            _ = bedrock_client.list_foundation_models()

        elif (
@@ -305,54 +179,32 @@ def check_lighthouse_provider_connection(provider_config_id: str) -> Dict:
        return {"connected": True, "error": None}

    except Exception as e:
-        error_message = _extract_error_message(e)
        logger.warning(
-            "%s connection check failed: %s", provider_cfg.provider_type, error_message
+            "%s connection check failed: %s", provider_cfg.provider_type, str(e)
        )
        provider_cfg.is_active = False
        provider_cfg.save()
-        return {"connected": False, "error": error_message}
+        return {"connected": False, "error": str(e)}


 def _fetch_openai_models(api_key: str) -> Dict[str, str]:
    """
    Fetch available models from OpenAI API.

-    Filters out models that don't support text input/output and tool calling,
-    such as image generation (DALL-E), audio transcription (Whisper),
-    text-to-speech (TTS), embeddings, and moderation models.
-
    Args:
        api_key: OpenAI API key for authentication.

    Returns:
        Dict mapping model_id to model_name. For OpenAI, both are the same
-        as the API doesn't provide separate display names. Only includes
-        models that support text input, text output or tool calling.
+        as the API doesn't provide separate display names.

    Raises:
        Exception: If the API call fails.
    """
    client = openai.OpenAI(api_key=api_key)
    models = client.models.list()
-
-    # Filter models to only include those supporting chat completions + tool calling
-    filtered_models = {}
-    for model in getattr(models, "data", []):
-        model_id = model.id
-
-        # Skip if model ID starts with excluded prefixes
-        if model_id.startswith(EXCLUDED_OPENAI_MODEL_PREFIXES):
-            continue
-
-        # Skip if model ID contains excluded substrings
-        if any(substring in model_id for substring in EXCLUDED_OPENAI_MODEL_SUBSTRINGS):
-            continue
-
-        # Include model (supports chat completions + tool calling)
-        filtered_models[model_id] = model_id
-
-    return filtered_models
+    # OpenAI uses model.id for both ID and display name
+    return {m.id: m.id for m in getattr(models, "data", [])}


 def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, str]:
@@ -380,219 +232,105 @@ def _fetch_openai_compatible_models(base_url: str, api_key: str) -> Dict[str, st
    return available_models


-def _get_region_prefix(region: str) -> str:
-    """
-    Determine geographic prefix for AWS region.
-
-    Examples: ap-south-1 -> apac, us-east-1 -> us, eu-west-1 -> eu
-    """
-    if region.startswith(("us-", "ca-", "sa-")):
-        return "us"
-    elif region.startswith("eu-"):
-        return "eu"
-    elif region.startswith("ap-"):
-        return "apac"
-    return "global"
-
-
-def _clean_inference_profile_name(profile_name: str) -> str:
-    """
-    Remove geographic prefix from inference profile name.
-
-    AWS includes geographic prefixes in profile names which are redundant
-    since the profile ID already contains this information.
-
-    Examples:
-        "APAC Anthropic Claude 3.5 Sonnet" -> "Anthropic Claude 3.5 Sonnet"
-        "GLOBAL Claude Sonnet 4.5" -> "Claude Sonnet 4.5"
-        "US Anthropic Claude 3 Haiku" -> "Anthropic Claude 3 Haiku"
-    """
-    prefixes = ["APAC ", "GLOBAL ", "US ", "EU ", "APAC-", "GLOBAL-", "US-", "EU-"]
-
-    for prefix in prefixes:
-        if profile_name.upper().startswith(prefix.upper()):
-            return profile_name[len(prefix) :].strip()
-
-    return profile_name
-
-
-def _supports_text_modality(input_modalities: list, output_modalities: list) -> bool:
-    """Check if model supports TEXT for both input and output."""
-    return "TEXT" in input_modalities and "TEXT" in output_modalities
-
-
-def _get_foundation_model_modalities(
-    bedrock_client, model_id: str
-) -> tuple[list, list] | None:
-    """
-    Fetch input and output modalities for a foundation model.
-
-    Returns:
-        (input_modalities, output_modalities) or None if fetch fails
-    """
-    try:
-        model_info = bedrock_client.get_foundation_model(modelIdentifier=model_id)
-        model_details = model_info.get("modelDetails", {})
-        input_mods = model_details.get("inputModalities", [])
-        output_mods = model_details.get("outputModalities", [])
-        return (input_mods, output_mods)
-    except (BotoCoreError, ClientError) as e:
-        logger.debug("Could not fetch model details for %s: %s", model_id, str(e))
-        return None
-
-
-def _extract_foundation_model_ids(profile_models: list) -> list[str]:
-    """
-    Extract foundation model IDs from inference profile model ARNs.
-
-    Args:
-        profile_models: List of model references from inference profile
-
-    Returns:
-        List of foundation model IDs extracted from ARNs
-    """
-    model_ids = []
-    for model_ref in profile_models:
-        model_arn = model_ref.get("modelArn", "")
-        if "foundation-model/" in model_arn:
-            model_id = model_arn.split("foundation-model/")[1]
-            model_ids.append(model_id)
-    return model_ids
-
-
-def _build_inference_profile_map(
-    bedrock_client, region: str
-) -> Dict[str, tuple[str, str]]:
-    """
-    Build map of foundation_model_id -> best inference profile.
-
-    Returns:
-        Dict mapping foundation_model_id to (profile_id, profile_name)
-        Only includes profiles with TEXT modality support
-        Prefers region-matched profiles over others
-    """
-    region_prefix = _get_region_prefix(region)
-    model_to_profile: Dict[str, tuple[str, str]] = {}
-
-    try:
-        response = bedrock_client.list_inference_profiles()
-        profiles = response.get("inferenceProfileSummaries", [])
-
-        for profile in profiles:
-            profile_id = profile.get("inferenceProfileId")
-            profile_name = profile.get("inferenceProfileName")
-
-            if not profile_id or not profile_name:
-                continue
-
-            profile_models = profile.get("models", [])
-            if not profile_models:
-                continue
-
-            foundation_model_ids = _extract_foundation_model_ids(profile_models)
-            if not foundation_model_ids:
-                continue
-
-            modalities = _get_foundation_model_modalities(
-                bedrock_client, foundation_model_ids[0]
-            )
-            if not modalities:
-                continue
-
-            input_mods, output_mods = modalities
-            if not _supports_text_modality(input_mods, output_mods):
-                continue
-
-            is_preferred = profile_id.startswith(f"{region_prefix}.")
-            clean_name = _clean_inference_profile_name(profile_name)
-
-            for foundation_model_id in foundation_model_ids:
-                if foundation_model_id not in model_to_profile:
-                    model_to_profile[foundation_model_id] = (profile_id, clean_name)
-                elif is_preferred and not model_to_profile[foundation_model_id][
-                    0
-                ].startswith(f"{region_prefix}."):
-                    model_to_profile[foundation_model_id] = (profile_id, clean_name)
-
-    except (BotoCoreError, ClientError) as e:
-        logger.info("Could not fetch inference profiles in %s: %s", region, str(e))
-
-    return model_to_profile
-
-
-def _check_on_demand_availability(bedrock_client, model_id: str) -> bool:
-    """Check if an ON_DEMAND foundation model is entitled and available."""
-    try:
-        availability = bedrock_client.get_foundation_model_availability(
-            modelId=model_id
-        )
-        entitlement = availability.get("entitlementAvailability")
-        return entitlement == "AVAILABLE"
-    except (BotoCoreError, ClientError) as e:
-        logger.debug("Could not check availability for %s: %s", model_id, str(e))
-        return False
-
-
 def _fetch_bedrock_models(bedrock_creds: Dict[str, str]) -> Dict[str, str]:
    """
-    Fetch available models from AWS Bedrock, preferring inference profiles over ON_DEMAND.
+    Fetch available models from AWS Bedrock with entitlement verification.

-    Strategy:
-    1. Build map of foundation_model -> best_inference_profile (with TEXT validation)
-    2. For each TEXT-capable foundation model:
-       - Use inference profile ID if available (preferred - better throughput)
-       - Fallback to foundation model ID if only ON_DEMAND available
-    3. Verify entitlement for ON_DEMAND models
+    This function:
+    1. Lists foundation models with TEXT modality support
+    2. Lists inference profiles with TEXT modality support
+    3. Verifies user has entitlement access to each model

    Args:
-        bedrock_creds: Dict with 'region' and auth credentials
+        bedrock_creds: Dictionary with 'access_key_id', 'secret_access_key', and 'region'.

    Returns:
-        Dict mapping model_id to model_name. IDs can be:
-        - Inference profile IDs (e.g., "apac.anthropic.claude-3-5-sonnet-20240620-v1:0")
-        - Foundation model IDs (e.g., "anthropic.claude-3-5-sonnet-20240620-v1:0")
+        Dict mapping model_id to model_name for all accessible models.
+
+    Raises:
+        BotoCoreError, ClientError: If AWS API calls fail.
    """
-    bedrock_client = _create_bedrock_client(bedrock_creds)
-    region = bedrock_creds["region"]
+    bedrock_client = boto3.client(
+        "bedrock",
+        aws_access_key_id=bedrock_creds["access_key_id"],
+        aws_secret_access_key=bedrock_creds["secret_access_key"],
+        region_name=bedrock_creds["region"],
+    )

-    model_to_profile = _build_inference_profile_map(bedrock_client, region)
+    models_to_check: Dict[str, str] = {}

+    # Step 1: Get foundation models with TEXT modality
    foundation_response = bedrock_client.list_foundation_models()
    model_summaries = foundation_response.get("modelSummaries", [])

-    models_to_return: Dict[str, str] = {}
-    on_demand_models: set[str] = set()
-
    for model in model_summaries:
-        input_mods = model.get("inputModalities", [])
-        output_mods = model.get("outputModalities", [])
+        # Check if model supports TEXT input and output modality
+        input_modalities = model.get("inputModalities", [])
+        output_modalities = model.get("outputModalities", [])

-        if not _supports_text_modality(input_mods, output_mods):
+        if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
            continue

        model_id = model.get("modelId")
-        model_name = model.get("modelName")
-
-        if not model_id or not model_name:
+        if not model_id:
            continue

-        if model_id in model_to_profile:
-            profile_id, profile_name = model_to_profile[model_id]
-            models_to_return[profile_id] = profile_name
-        else:
-            inference_types = model.get("inferenceTypesSupported", [])
-            if "ON_DEMAND" in inference_types:
-                models_to_return[model_id] = model_name
-                on_demand_models.add(model_id)
+        inference_types = model.get("inferenceTypesSupported", [])

+        # Only include models with ON_DEMAND inference support
+        if "ON_DEMAND" in inference_types:
+            models_to_check[model_id] = model["modelName"]
+
+    # Step 2: Get inference profiles
+    try:
+        inference_profiles_response = bedrock_client.list_inference_profiles()
+        inference_profiles = inference_profiles_response.get(
+            "inferenceProfileSummaries", []
+        )
+
+        for profile in inference_profiles:
+            # Check if profile supports TEXT modality
+            input_modalities = profile.get("inputModalities", [])
+            output_modalities = profile.get("outputModalities", [])
+
+            if "TEXT" not in input_modalities or "TEXT" not in output_modalities:
+                continue
+
+            profile_id = profile.get("inferenceProfileId")
+            if profile_id:
+                models_to_check[profile_id] = profile["inferenceProfileName"]
+
+    except (BotoCoreError, ClientError) as e:
+        logger.info(
+            "Could not fetch inference profiles in %s: %s",
+            bedrock_creds["region"],
+            str(e),
+        )
+
+    # Step 3: Verify entitlement availability for each model
    available_models: Dict[str, str] = {}

-    for model_id, model_name in models_to_return.items():
-        if model_id in on_demand_models:
-            if _check_on_demand_availability(bedrock_client, model_id):
+    for model_id, model_name in models_to_check.items():
+        try:
+            availability = bedrock_client.get_foundation_model_availability(
+                modelId=model_id
+            )
+
+            entitlement = availability.get("entitlementAvailability")
+
+            # Only include models user has access to
+            if entitlement == "AVAILABLE":
                available_models[model_id] = model_name
-        else:
-            available_models[model_id] = model_name
+            else:
+                logger.debug(
+                    "Skipping model %s - entitlement status: %s", model_id, entitlement
+                )
+
+        except (BotoCoreError, ClientError) as e:
+            logger.debug(
+                "Could not check availability for model %s: %s", model_id, str(e)
+            )
+            continue

    return available_models

@@ -621,6 +359,7 @@ def refresh_lighthouse_provider_models(provider_config_id: str) -> Dict:
    provider_cfg = LighthouseProviderConfiguration.objects.get(pk=provider_config_id)
    fetched_models: Dict[str, str] = {}

+    # Fetch models from the appropriate provider
    try:
        if (
            provider_cfg.provider_type
@@ -675,13 +414,12 @@ def refresh_lighthouse_provider_models(provider_config_id: str) -> Dict:
            }

    except Exception as e:
-        error_message = _extract_error_message(e)
        logger.warning(
            "Unexpected error refreshing %s models: %s",
            provider_cfg.provider_type,
-            error_message,
+            str(e),
        )
-        return {"created": 0, "updated": 0, "deleted": 0, "error": error_message}
+        return {"created": 0, "updated": 0, "deleted": 0, "error": str(e)}

    # Upsert models into the catalog
    created = 0
@@ -1,14 +1,9 @@
-from collections import defaultdict
-
 from celery.utils.log import get_task_logger
-from config.django.base import DJANGO_FINDINGS_BATCH_SIZE
 from django.db.models import Count, Q
-from tasks.utils import batched

 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
 from api.models import Finding, StatusChoices
-from prowler.lib.outputs.finding import Finding as FindingOutput

 logger = get_task_logger(__name__)

@@ -41,15 +36,10 @@ def _aggregate_requirement_statistics_from_database(

    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
        aggregated_statistics_queryset = (
-            Finding.all_objects.filter(
-                tenant_id=tenant_id, scan_id=scan_id, muted=False
-            )
+            Finding.all_objects.filter(tenant_id=tenant_id, scan_id=scan_id)
            .values("check_id")
            .annotate(
-                total_findings=Count(
-                    "id",
-                    filter=Q(status__in=[StatusChoices.PASS, StatusChoices.FAIL]),
-                ),
+                total_findings=Count("id"),
                passed_findings=Count("id", filter=Q(status=StatusChoices.PASS)),
            )
        )
@@ -135,105 +125,3 @@ def _calculate_requirements_data_from_statistics(
        )

    return attributes_by_requirement_id, requirements_list
-
-
-def _load_findings_for_requirement_checks(
-    tenant_id: str,
-    scan_id: str,
-    check_ids: list[str],
-    prowler_provider,
-    findings_cache: dict[str, list[FindingOutput]] | None = None,
-) -> dict[str, list[FindingOutput]]:
-    """
-    Load findings for specific check IDs on-demand with optional caching.
-
-    This function loads only the findings needed for a specific set of checks,
-    minimizing memory usage by avoiding loading all findings at once. This is used
-    when generating detailed findings tables for specific requirements in the PDF.
-
-    Supports optional caching to avoid duplicate queries when generating multiple
-    reports for the same scan.
-
-    Args:
-        tenant_id (str): The tenant ID for Row-Level Security context.
-        scan_id (str): The ID of the scan to retrieve findings for.
-        check_ids (list[str]): List of check IDs to load findings for.
-        prowler_provider: The initialized Prowler provider instance.
-        findings_cache (dict, optional): Cache of already loaded findings.
-            If provided, checks are first looked up in cache before querying database.
-
-    Returns:
-        dict[str, list[FindingOutput]]: Dictionary mapping check_id to list of FindingOutput objects.
-
-    Example:
-        {
-            'aws_iam_user_mfa_enabled': [FindingOutput(...), FindingOutput(...)],
-            'aws_s3_bucket_public_access': [FindingOutput(...)]
-        }
-    """
-    findings_by_check_id = defaultdict(list)
-
-    if not check_ids:
-        return dict(findings_by_check_id)
-
-    # Initialize cache if not provided
-    if findings_cache is None:
-        findings_cache = {}
-
-    # Separate cached and non-cached check_ids
-    check_ids_to_load = []
-    cache_hits = 0
-    cache_misses = 0
-
-    for check_id in check_ids:
-        if check_id in findings_cache:
-            # Reuse from cache
-            findings_by_check_id[check_id] = findings_cache[check_id]
-            cache_hits += 1
-        else:
-            # Need to load from database
-            check_ids_to_load.append(check_id)
-            cache_misses += 1
-
-    if cache_hits > 0:
-        logger.info(
-            f"Findings cache: {cache_hits} hits, {cache_misses} misses "
-            f"({cache_hits / (cache_hits + cache_misses) * 100:.1f}% hit rate)"
-        )
-
-    # If all check_ids were in cache, return early
-    if not check_ids_to_load:
-        return dict(findings_by_check_id)
-
-    logger.info(f"Loading findings for {len(check_ids_to_load)} checks on-demand")
-
-    findings_queryset = (
-        Finding.all_objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id, check_id__in=check_ids_to_load
-        )
-        .order_by("uid")
-        .iterator()
-    )
-
-    with rls_transaction(tenant_id, using=READ_REPLICA_ALIAS):
-        for batch, is_last_batch in batched(
-            findings_queryset, DJANGO_FINDINGS_BATCH_SIZE
-        ):
-            for finding_model in batch:
-                finding_output = FindingOutput.transform_api_finding(
-                    finding_model, prowler_provider
-                )
-                findings_by_check_id[finding_output.check_id].append(finding_output)
-                # Update cache with newly loaded findings
-                if finding_output.check_id not in findings_cache:
-                    findings_cache[finding_output.check_id] = []
-                findings_cache[finding_output.check_id].append(finding_output)
-
-    total_findings_loaded = sum(
-        len(findings) for findings in findings_by_check_id.values()
-    )
-    logger.info(
-        f"Loaded {total_findings_loaded} findings for {len(findings_by_check_id)} checks"
-    )
-
-    return dict(findings_by_check_id)
@@ -8,12 +8,7 @@ from celery.utils.log import get_task_logger
 from config.celery import RLSTask
 from config.django.base import DJANGO_FINDINGS_BATCH_SIZE, DJANGO_TMP_OUTPUT_DIRECTORY
 from django_celery_beat.models import PeriodicTask
-from tasks.jobs.backfill import (
-    backfill_compliance_summaries,
-    backfill_daily_severity_summaries,
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries
 from tasks.jobs.connection import (
    check_integration_connection,
    check_lighthouse_connection,
@@ -37,10 +32,8 @@ from tasks.jobs.lighthouse_providers import (
    refresh_lighthouse_provider_models,
 )
 from tasks.jobs.muting import mute_historical_findings
-from tasks.jobs.report import generate_compliance_reports_job
+from tasks.jobs.report import generate_threatscore_report_job
 from tasks.jobs.scan import (
-    aggregate_attack_surface,
-    aggregate_daily_severity,
    aggregate_findings,
    create_compliance_requirements,
    perform_prowler_scan,
@@ -50,7 +43,7 @@ from tasks.utils import batched, get_next_execution_datetime
 from api.compliance import get_compliance_frameworks
 from api.db_router import READ_REPLICA_ALIAS
 from api.db_utils import rls_transaction
-from api.decorators import handle_provider_deletion, set_tenant
+from api.decorators import set_tenant
 from api.models import Finding, Integration, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
 from api.v1.serializers import ScanTaskSerializer
@@ -61,58 +54,6 @@ from prowler.lib.outputs.finding import Finding as FindingOutput
 logger = get_task_logger(__name__)


-def _cleanup_orphan_scheduled_scans(
-    tenant_id: str,
-    provider_id: str,
-    scheduler_task_id: int,
-) -> int:
-    """
-    TEMPORARY WORKAROUND: Clean up orphan AVAILABLE scans.
-
-    Detects and removes AVAILABLE scans that were never used due to an
-    issue during the first scheduled scan setup.
-
-    An AVAILABLE scan is considered orphan if there's also a SCHEDULED scan for
-    the same provider with the same scheduler_task_id. This situation indicates
-    that the first scan execution didn't find the AVAILABLE scan (because it
-    wasn't committed yet, probably) and created a new one, leaving the AVAILABLE orphaned.
-
-    Args:
-        tenant_id: The tenant ID.
-        provider_id: The provider ID.
-        scheduler_task_id: The PeriodicTask ID that triggers these scans.
-
-    Returns:
-        Number of orphan scans deleted (0 if none found).
-    """
-    orphan_available_scans = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.AVAILABLE,
-        scheduler_task_id=scheduler_task_id,
-    )
-
-    scheduled_scan_exists = Scan.objects.filter(
-        tenant_id=tenant_id,
-        provider_id=provider_id,
-        trigger=Scan.TriggerChoices.SCHEDULED,
-        state=StateChoices.SCHEDULED,
-        scheduler_task_id=scheduler_task_id,
-    ).exists()
-
-    if scheduled_scan_exists and orphan_available_scans.exists():
-        orphan_count = orphan_available_scans.count()
-        logger.warning(
-            f"[WORKAROUND] Found {orphan_count} orphan AVAILABLE scan(s) for "
-            f"provider {provider_id} alongside a SCHEDULED scan. Cleaning up orphans..."
-        )
-        orphan_available_scans.delete()
-        return orphan_count
-
-    return 0
-
-
 def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str):
    """
    Helper function to perform tasks after a scan is completed.
@@ -125,20 +66,13 @@ def _perform_scan_complete_tasks(tenant_id: str, scan_id: str, provider_id: str)
    create_compliance_requirements_task.apply_async(
        kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
    )
-    aggregate_attack_surface_task.apply_async(
-        kwargs={"tenant_id": tenant_id, "scan_id": scan_id}
-    )
    chain(
        perform_scan_summary_task.si(tenant_id=tenant_id, scan_id=scan_id),
-        group(
-            aggregate_daily_severity_task.si(tenant_id=tenant_id, scan_id=scan_id),
-            generate_outputs_task.si(
-                scan_id=scan_id, provider_id=provider_id, tenant_id=tenant_id
-            ),
+        generate_outputs_task.si(
+            scan_id=scan_id, provider_id=provider_id, tenant_id=tenant_id
        ),
        group(
-            # Use optimized task that generates both reports with shared queries
-            generate_compliance_reports_task.si(
+            generate_threatscore_report_task.si(
                tenant_id=tenant_id, scan_id=scan_id, provider_id=provider_id
            ),
            check_integrations_task.si(
@@ -202,7 +136,6 @@ def delete_provider_task(provider_id: str, tenant_id: str):


@shared_task(base=RLSTask, name="scan-perform", queue="scans")
-@handle_provider_deletion
 def perform_scan_task(
    tenant_id: str, scan_id: str, provider_id: str, checks_to_execute: list[str] = None
 ):
@@ -235,7 +168,6 @@ def perform_scan_task(


@shared_task(base=RLSTask, bind=True, name="scan-perform-scheduled", queue="scans")
-@handle_provider_deletion
 def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
    """
    Task to perform a scheduled Prowler scan on a given provider.
@@ -299,14 +231,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
            return serializer.data

        next_scan_datetime = get_next_execution_datetime(task_id, provider_id)
-
-        # TEMPORARY WORKAROUND: Clean up orphan scans from transaction isolation issue
-        _cleanup_orphan_scheduled_scans(
-            tenant_id=tenant_id,
-            provider_id=provider_id,
-            scheduler_task_id=periodic_task_instance.id,
-        )
-
        scan_instance, _ = Scan.objects.get_or_create(
            tenant_id=tenant_id,
            provider_id=provider_id,
@@ -349,7 +273,6 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):


@shared_task(name="scan-summary", queue="overview")
-@handle_provider_deletion
 def perform_scan_summary_task(tenant_id: str, scan_id: str):
    return aggregate_findings(tenant_id=tenant_id, scan_id=scan_id)

@@ -365,7 +288,6 @@ def delete_tenant_task(tenant_id: str):
    queue="scan-reports",
 )
@set_tenant(keep_tenant=True)
-@handle_provider_deletion
 def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):
    """
    Process findings in batches and generate output files in multiple formats.
@@ -394,7 +316,7 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):

    frameworks_bulk = Compliance.get_bulk(provider_type)
    frameworks_avail = get_compliance_frameworks(provider_type)
-    out_dir, comp_dir = _generate_output_directory(
+    out_dir, comp_dir, _ = _generate_output_directory(
        DJANGO_TMP_OUTPUT_DIRECTORY, provider_uid, tenant_id, scan_id
    )

@@ -561,7 +483,6 @@ def generate_outputs_task(scan_id: str, provider_id: str, tenant_id: str):


@shared_task(name="backfill-scan-resource-summaries", queue="backfill")
-@handle_provider_deletion
 def backfill_scan_resource_summaries_task(tenant_id: str, scan_id: str):
    """
    Tries to backfill the resource scan summaries table for a given scan.
@@ -573,45 +494,7 @@ def backfill_scan_resource_summaries_task(tenant_id: str, scan_id: str):
    return backfill_resource_scan_summaries(tenant_id=tenant_id, scan_id=scan_id)


-@shared_task(name="backfill-compliance-summaries", queue="backfill")
-@handle_provider_deletion
-def backfill_compliance_summaries_task(tenant_id: str, scan_id: str):
-    """
-    Tries to backfill compliance overview summaries for a completed scan.
-
-    This task aggregates compliance requirement data across regions
-    to create pre-computed summary records for fast compliance overview queries.
-
-    Args:
-        tenant_id (str): The tenant identifier.
-        scan_id (str): The scan identifier.
-    """
-    return backfill_compliance_summaries(tenant_id=tenant_id, scan_id=scan_id)
-
-
-@shared_task(name="backfill-daily-severity-summaries", queue="backfill")
-def backfill_daily_severity_summaries_task(tenant_id: str, days: int = None):
-    """Backfill DailySeveritySummary from historical scans. Use days param to limit scope."""
-    return backfill_daily_severity_summaries(tenant_id=tenant_id, days=days)
-
-
-@shared_task(name="backfill-scan-category-summaries", queue="backfill")
-@handle_provider_deletion
-def backfill_scan_category_summaries_task(tenant_id: str, scan_id: str):
-    """
-    Backfill ScanCategorySummary for a completed scan.
-
-    Aggregates unique categories from findings and creates a summary row.
-
-    Args:
-        tenant_id (str): The tenant identifier.
-        scan_id (str): The scan identifier.
-    """
-    return backfill_scan_category_summaries(tenant_id=tenant_id, scan_id=scan_id)
-
-
@shared_task(base=RLSTask, name="scan-compliance-overviews", queue="compliance")
-@handle_provider_deletion
 def create_compliance_requirements_task(tenant_id: str, scan_id: str):
    """
    Creates detailed compliance requirement records for a scan.
@@ -627,29 +510,6 @@ def create_compliance_requirements_task(tenant_id: str, scan_id: str):
    return create_compliance_requirements(tenant_id=tenant_id, scan_id=scan_id)


-@shared_task(name="scan-attack-surface-overviews", queue="overview")
-@handle_provider_deletion
-def aggregate_attack_surface_task(tenant_id: str, scan_id: str):
-    """
-    Creates attack surface overview records for a scan.
-
-    This task processes findings and aggregates them into attack surface categories
-    (internet-exposed, secrets, privilege-escalation, ec2-imdsv1) for quick overview queries.
-
-    Args:
-        tenant_id (str): The tenant ID for which to create records.
-        scan_id (str): The ID of the scan for which to create records.
-    """
-    return aggregate_attack_surface(tenant_id=tenant_id, scan_id=scan_id)
-
-
-@shared_task(name="scan-daily-severity", queue="overview")
-@handle_provider_deletion
-def aggregate_daily_severity_task(tenant_id: str, scan_id: str):
-    """Aggregate scan severity into DailySeveritySummary for findings_severity/timeseries endpoint."""
-    return aggregate_daily_severity(tenant_id=tenant_id, scan_id=scan_id)
-
-
@shared_task(base=RLSTask, name="lighthouse-connection-check")
@set_tenant
 def check_lighthouse_connection_task(lighthouse_config_id: str, tenant_id: str = None):
@@ -688,7 +548,6 @@ def refresh_lighthouse_provider_models_task(


@shared_task(name="integration-check")
-@handle_provider_deletion
 def check_integrations_task(tenant_id: str, provider_id: str, scan_id: str = None):
    """
    Check and execute all configured integrations for a provider.
@@ -753,7 +612,6 @@ def check_integrations_task(tenant_id: str, provider_id: str, scan_id: str = Non
    name="integration-s3",
    queue="integrations",
 )
-@handle_provider_deletion
 def s3_integration_task(
    tenant_id: str,
    provider_id: str,
@@ -810,34 +668,19 @@ def jira_integration_task(

@shared_task(
    base=RLSTask,
-    name="scan-compliance-reports",
+    name="scan-threatscore-report",
    queue="scan-reports",
 )
-@handle_provider_deletion
-def generate_compliance_reports_task(tenant_id: str, scan_id: str, provider_id: str):
+def generate_threatscore_report_task(tenant_id: str, scan_id: str, provider_id: str):
    """
-    Optimized task to generate ThreatScore, ENS, and NIS2 reports with shared queries.
-
-    This task is more efficient than running separate report tasks because it reuses database queries:
-    - Provider object fetched once (instead of three times)
-    - Requirement statistics aggregated once (instead of three times)
-    - Can reduce database load by up to 50-70%
-
+    Task to generate a threatscore report for a given scan.
    Args:
        tenant_id (str): The tenant identifier.
        scan_id (str): The scan identifier.
        provider_id (str): The provider identifier.
-
-    Returns:
-        dict: Results for all reports containing upload status and paths.
    """
-    return generate_compliance_reports_job(
-        tenant_id=tenant_id,
-        scan_id=scan_id,
-        provider_id=provider_id,
-        generate_threatscore=True,
-        generate_ens=True,
-        generate_nis2=True,
+    return generate_threatscore_report_job(
+        tenant_id=tenant_id, scan_id=scan_id, provider_id=provider_id
    )


@@ -1,97 +1,43 @@
 from uuid import uuid4

 import pytest
-from tasks.jobs.backfill import (
-    backfill_compliance_summaries,
-    backfill_resource_scan_summaries,
-    backfill_scan_category_summaries,
-)
+from tasks.jobs.backfill import backfill_resource_scan_summaries

-from api.models import (
-    ComplianceOverviewSummary,
-    Finding,
-    ResourceScanSummary,
-    Scan,
-    ScanCategorySummary,
-    StateChoices,
-)
-from prowler.lib.check.models import Severity
-from prowler.lib.outputs.finding import Status
-
-
-@pytest.fixture(scope="function")
-def resource_scan_summary_data(scans_fixture):
-    scan = scans_fixture[0]
-    return ResourceScanSummary.objects.create(
-        tenant_id=scan.tenant_id,
-        scan_id=scan.id,
-        resource_id=str(uuid4()),
-        service="aws",
-        region="us-east-1",
-        resource_type="instance",
-    )
-
-
-@pytest.fixture(scope="function")
-def get_not_completed_scans(providers_fixture):
-    provider_id = providers_fixture[0].id
-    tenant_id = providers_fixture[0].tenant_id
-    scan_1 = Scan.objects.create(
-        tenant_id=tenant_id,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.EXECUTING,
-        provider_id=provider_id,
-    )
-    scan_2 = Scan.objects.create(
-        tenant_id=tenant_id,
-        trigger=Scan.TriggerChoices.MANUAL,
-        state=StateChoices.AVAILABLE,
-        provider_id=provider_id,
-    )
-    return scan_1, scan_2
-
-
-@pytest.fixture(scope="function")
-def findings_with_categories_fixture(scans_fixture, resources_fixture):
-    scan = scans_fixture[0]
-    resource = resources_fixture[0]
-
-    finding = Finding.objects.create(
-        tenant_id=scan.tenant_id,
-        uid="finding_with_categories",
-        scan=scan,
-        delta="new",
-        status=Status.FAIL,
-        status_extended="test status",
-        impact=Severity.critical,
-        impact_extended="test impact",
-        severity=Severity.critical,
-        raw_result={"status": Status.FAIL},
-        check_id="test_check",
-        check_metadata={"CheckId": "test_check"},
-        categories=["gen-ai", "security"],
-        first_seen_at="2024-01-02T00:00:00Z",
-    )
-    finding.add_resources([resource])
-    return finding
-
-
-@pytest.fixture(scope="function")
-def scan_category_summary_fixture(scans_fixture):
-    scan = scans_fixture[0]
-    return ScanCategorySummary.objects.create(
-        tenant_id=scan.tenant_id,
-        scan=scan,
-        category="existing-category",
-        severity=Severity.critical,
-        total_findings=1,
-        failed_findings=0,
-        new_failed_findings=0,
-    )
+from api.models import ResourceScanSummary, Scan, StateChoices


@pytest.mark.django_db
 class TestBackfillResourceScanSummaries:
+    @pytest.fixture(scope="function")
+    def resource_scan_summary_data(self, scans_fixture):
+        scan = scans_fixture[0]
+        return ResourceScanSummary.objects.create(
+            tenant_id=scan.tenant_id,
+            scan_id=scan.id,
+            resource_id=str(uuid4()),
+            service="aws",
+            region="us-east-1",
+            resource_type="instance",
+        )
+
+    @pytest.fixture(scope="function")
+    def get_not_completed_scans(self, providers_fixture):
+        provider_id = providers_fixture[0].id
+        tenant_id = providers_fixture[0].tenant_id
+        scan_1 = Scan.objects.create(
+            tenant_id=tenant_id,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.EXECUTING,
+            provider_id=provider_id,
+        )
+        scan_2 = Scan.objects.create(
+            tenant_id=tenant_id,
+            trigger=Scan.TriggerChoices.MANUAL,
+            state=StateChoices.AVAILABLE,
+            provider_id=provider_id,
+        )
+        return scan_1, scan_2
+
    def test_already_backfilled(self, resource_scan_summary_data):
        tenant_id = resource_scan_summary_data.tenant_id
        scan_id = resource_scan_summary_data.scan_id
@@ -131,132 +77,3 @@ class TestBackfillResourceScanSummaries:
            assert summary.service == resource.service
            assert summary.region == resource.region
            assert summary.resource_type == resource.type
-
-    def test_no_resources_to_backfill(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no findings/resources
-        tenant_id = str(scan.tenant_id)
-        scan_id = str(scan.id)
-
-        result = backfill_resource_scan_summaries(tenant_id, scan_id)
-
-        assert result == {"status": "no resources to backfill"}
-
-
-@pytest.mark.django_db
-class TestBackfillComplianceSummaries:
-    def test_already_backfilled(self, scans_fixture):
-        scan = scans_fixture[0]
-        tenant_id = str(scan.tenant_id)
-        ComplianceOverviewSummary.objects.create(
-            tenant_id=scan.tenant_id,
-            scan=scan,
-            compliance_id="aws_account_security_onboarding_aws",
-            requirements_passed=1,
-            requirements_failed=0,
-            requirements_manual=0,
-            total_requirements=1,
-        )
-
-        result = backfill_compliance_summaries(tenant_id, str(scan.id))
-
-        assert result == {"status": "already backfilled"}
-
-    def test_not_completed_scan(self, get_not_completed_scans):
-        for scan in get_not_completed_scans:
-            result = backfill_compliance_summaries(str(scan.tenant_id), str(scan.id))
-            assert result == {"status": "scan is not completed"}
-
-    def test_no_compliance_data(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no compliance rows
-
-        result = backfill_compliance_summaries(str(scan.tenant_id), str(scan.id))
-
-        assert result == {"status": "no compliance data to backfill"}
-
-    def test_backfill_creates_compliance_summaries(
-        self, tenants_fixture, scans_fixture, compliance_requirements_overviews_fixture
-    ):
-        tenant = tenants_fixture[0]
-        scan = scans_fixture[0]
-
-        result = backfill_compliance_summaries(str(tenant.id), str(scan.id))
-
-        expected = {
-            "aws_account_security_onboarding_aws": {
-                "requirements_passed": 1,
-                "requirements_failed": 1,
-                "requirements_manual": 1,
-                "total_requirements": 3,
-            },
-            "cis_1.4_aws": {
-                "requirements_passed": 0,
-                "requirements_failed": 1,
-                "requirements_manual": 0,
-                "total_requirements": 1,
-            },
-            "mitre_attack_aws": {
-                "requirements_passed": 0,
-                "requirements_failed": 1,
-                "requirements_manual": 0,
-                "total_requirements": 1,
-            },
-        }
-
-        assert result == {"status": "backfilled", "inserted": len(expected)}
-
-        summaries = ComplianceOverviewSummary.objects.filter(
-            tenant_id=str(tenant.id), scan_id=str(scan.id)
-        )
-        assert summaries.count() == len(expected)
-
-        for summary in summaries:
-            assert summary.compliance_id in expected
-            expected_counts = expected[summary.compliance_id]
-            assert summary.requirements_passed == expected_counts["requirements_passed"]
-            assert summary.requirements_failed == expected_counts["requirements_failed"]
-            assert summary.requirements_manual == expected_counts["requirements_manual"]
-            assert summary.total_requirements == expected_counts["total_requirements"]
-
-
-@pytest.mark.django_db
-class TestBackfillScanCategorySummaries:
-    def test_already_backfilled(self, scan_category_summary_fixture):
-        tenant_id = scan_category_summary_fixture.tenant_id
-        scan_id = scan_category_summary_fixture.scan_id
-
-        result = backfill_scan_category_summaries(str(tenant_id), str(scan_id))
-
-        assert result == {"status": "already backfilled"}
-
-    def test_not_completed_scan(self, get_not_completed_scans):
-        for scan in get_not_completed_scans:
-            result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-            assert result == {"status": "scan is not completed"}
-
-    def test_no_categories_to_backfill(self, scans_fixture):
-        scan = scans_fixture[1]  # Failed scan with no findings
-        result = backfill_scan_category_summaries(str(scan.tenant_id), str(scan.id))
-        assert result == {"status": "no categories to backfill"}
-
-    def test_successful_backfill(self, findings_with_categories_fixture):
-        finding = findings_with_categories_fixture
-        tenant_id = str(finding.tenant_id)
-        scan_id = str(finding.scan_id)
-
-        result = backfill_scan_category_summaries(tenant_id, scan_id)
-
-        # 2 categories × 1 severity = 2 rows
-        assert result == {"status": "backfilled", "categories_count": 2}
-
-        summaries = ScanCategorySummary.objects.filter(
-            tenant_id=tenant_id, scan_id=scan_id
-        )
-        assert summaries.count() == 2
-        categories = set(summaries.values_list("category", flat=True))
-        assert categories == {"gen-ai", "security"}
-
-        for summary in summaries:
-            assert summary.severity == Severity.critical
-            assert summary.total_findings == 1
-            assert summary.failed_findings == 1
-            assert summary.new_failed_findings == 1
@@ -28,7 +28,6 @@ class TestScheduleProviderScan:
                    "tenant_id": str(provider_instance.tenant_id),
                    "provider_id": str(provider_instance.id),
                },
-                countdown=5,
            )

            task_name = f"scan-perform-scheduled-{provider_instance.id}"
@@ -9,7 +9,6 @@ import pytest
 from botocore.exceptions import ClientError
 from tasks.jobs.export import (
    _compress_output_files,
-    _generate_compliance_output_directory,
    _generate_output_directory,
    _upload_to_s3,
    get_s3_client,
@@ -148,11 +147,10 @@ class TestOutputs:
        )
        mock_logger.assert_called()

-    @patch("tasks.jobs.export.set_output_timestamp")
    @patch("tasks.jobs.export.rls_transaction")
    @patch("tasks.jobs.export.Scan")
    def test_generate_output_directory_creates_paths(
-        self, mock_scan, mock_rls_transaction, mock_set_timestamp, tmpdir
+        self, mock_scan, mock_rls_transaction, tmpdir
    ):
        # Mock the scan object with a started_at timestamp
        mock_scan_instance = MagicMock()
@@ -170,40 +168,22 @@ class TestOutputs:
        provider = "aws"
        expected_timestamp = "20230615103045"

-        # Test _generate_output_directory (returns standard and compliance paths)
-        path, compliance = _generate_output_directory(
+        path, compliance, threatscore = _generate_output_directory(
            base_dir, provider, tenant_id, scan_id
        )

        assert os.path.isdir(os.path.dirname(path))
        assert os.path.isdir(os.path.dirname(compliance))
+        assert os.path.isdir(os.path.dirname(threatscore))
+
        assert path.endswith(f"{provider}-{expected_timestamp}")
        assert compliance.endswith(f"{provider}-{expected_timestamp}")
-        assert "/compliance/" in compliance
-
-        # Test _generate_compliance_output_directory with "threatscore"
-        threatscore = _generate_compliance_output_directory(
-            base_dir, provider, tenant_id, scan_id, compliance_framework="threatscore"
-        )
-
-        assert os.path.isdir(os.path.dirname(threatscore))
        assert threatscore.endswith(f"{provider}-{expected_timestamp}")
-        assert "/threatscore/" in threatscore

-        # Test _generate_compliance_output_directory with "ens"
-        ens = _generate_compliance_output_directory(
-            base_dir, provider, tenant_id, scan_id, compliance_framework="ens"
-        )
-
-        assert os.path.isdir(os.path.dirname(ens))
-        assert ens.endswith(f"{provider}-{expected_timestamp}")
-        assert "/ens/" in ens
-
-    @patch("tasks.jobs.export.set_output_timestamp")
    @patch("tasks.jobs.export.rls_transaction")
    @patch("tasks.jobs.export.Scan")
    def test_generate_output_directory_invalid_character(
-        self, mock_scan, mock_rls_transaction, mock_set_timestamp, tmpdir
+        self, mock_scan, mock_rls_transaction, tmpdir
    ):
        # Mock the scan object with a started_at timestamp
        mock_scan_instance = MagicMock()
@@ -221,25 +201,14 @@ class TestOutputs:
        provider = "aws/test@check"
        expected_timestamp = "20230615103045"

-        # Test provider name sanitization with _generate_output_directory
-        path, compliance = _generate_output_directory(
+        path, compliance, threatscore = _generate_output_directory(
            base_dir, provider, tenant_id, scan_id
        )

        assert os.path.isdir(os.path.dirname(path))
        assert os.path.isdir(os.path.dirname(compliance))
+        assert os.path.isdir(os.path.dirname(threatscore))
+
        assert path.endswith(f"aws-test-check-{expected_timestamp}")
        assert compliance.endswith(f"aws-test-check-{expected_timestamp}")
-
-        # Test provider name sanitization with _generate_compliance_output_directory
-        threatscore = _generate_compliance_output_directory(
-            base_dir, provider, tenant_id, scan_id, compliance_framework="threatscore"
-        )
-        ens = _generate_compliance_output_directory(
-            base_dir, provider, tenant_id, scan_id, compliance_framework="ens"
-        )
-
-        assert os.path.isdir(os.path.dirname(threatscore))
-        assert os.path.isdir(os.path.dirname(ens))
        assert threatscore.endswith(f"aws-test-check-{expected_timestamp}")
-        assert ens.endswith(f"aws-test-check-{expected_timestamp}")
@@ -1199,6 +1199,9 @@ class TestSecurityHubIntegrationUploads:
                    )

        assert result is False
+        # Integration should be marked as disconnected
+        integration.save.assert_called_once()
+        assert integration.connected is False

    @patch("tasks.jobs.integrations.ASFF")
    @patch("tasks.jobs.integrations.FindingOutput")
@@ -4,13 +4,7 @@ from unittest.mock import MagicMock, patch
 import openai
 import pytest
 from botocore.exceptions import ClientError
-from django_celery_beat.models import IntervalSchedule, PeriodicTask
-from tasks.jobs.lighthouse_providers import (
-    _create_bedrock_client,
-    _extract_bedrock_credentials,
-)
 from tasks.tasks import (
-    _cleanup_orphan_scheduled_scans,
    _perform_scan_complete_tasks,
    check_integrations_task,
    check_lighthouse_provider_connection_task,
@@ -24,203 +18,9 @@ from api.models import (
    Integration,
    LighthouseProviderConfiguration,
    LighthouseProviderModels,
-    Scan,
-    StateChoices,
 )


-@pytest.mark.django_db
-class TestExtractBedrockCredentials:
-    """Unit tests for _extract_bedrock_credentials helper function."""
-
-    def test_extract_access_key_credentials(self, tenants_fixture):
-        """Test extraction of access key + secret key credentials."""
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        provider_cfg.credentials_decoded = {
-            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
-            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-            "region": "us-east-1",
-        }
-        provider_cfg.save()
-
-        result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is not None
-        assert result["access_key_id"] == "AKIAIOSFODNN7EXAMPLE"
-        assert result["secret_access_key"] == "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-        assert result["region"] == "us-east-1"
-        assert "api_key" not in result
-
-    def test_extract_api_key_credentials(self, tenants_fixture):
-        """Test extraction of API key (bearer token) credentials."""
-        valid_api_key = "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110)
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        provider_cfg.credentials_decoded = {
-            "api_key": valid_api_key,
-            "region": "us-west-2",
-        }
-        provider_cfg.save()
-
-        result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is not None
-        assert result["api_key"] == valid_api_key
-        assert result["region"] == "us-west-2"
-        assert "access_key_id" not in result
-        assert "secret_access_key" not in result
-
-    def test_api_key_takes_precedence_over_access_keys(self, tenants_fixture):
-        """Test that API key is preferred when both auth methods are present."""
-        valid_api_key = "ABSKQmVkcm9ja0FQSUtleS" + ("B" * 110)
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        provider_cfg.credentials_decoded = {
-            "api_key": valid_api_key,
-            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
-            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-            "region": "eu-west-1",
-        }
-        provider_cfg.save()
-
-        result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is not None
-        assert result["api_key"] == valid_api_key
-        assert result["region"] == "eu-west-1"
-        assert "access_key_id" not in result
-
-    def test_missing_region_returns_none(self, tenants_fixture):
-        """Test that missing region returns None."""
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        provider_cfg.credentials_decoded = {
-            "api_key": "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110),
-        }
-        provider_cfg.save()
-
-        result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is None
-
-    def test_empty_credentials_returns_none(self, tenants_fixture):
-        """Test that empty credentials dict returns None (region only is not enough)."""
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        # Only region, no auth credentials - should return None
-        provider_cfg.credentials_decoded = {
-            "region": "us-east-1",
-        }
-        provider_cfg.save()
-
-        result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is None
-
-    def test_non_dict_credentials_returns_none(self, tenants_fixture):
-        """Test that non-dict credentials returns None."""
-        provider_cfg = LighthouseProviderConfiguration(
-            tenant_id=tenants_fixture[0].id,
-            provider_type=LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-            is_active=True,
-        )
-        # Store valid credentials first to pass model validation
-        provider_cfg.credentials_decoded = {
-            "api_key": "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110),
-            "region": "us-east-1",
-        }
-        provider_cfg.save()
-
-        # Mock the credentials_decoded property to return a non-dict value
-        # This simulates corrupted/invalid stored data
-        with patch.object(
-            type(provider_cfg),
-            "credentials_decoded",
-            new_callable=lambda: property(lambda self: "invalid"),
-        ):
-            result = _extract_bedrock_credentials(provider_cfg)
-
-        assert result is None
-
-
-class TestCreateBedrockClient:
-    """Unit tests for _create_bedrock_client helper function."""
-
-    @patch("tasks.jobs.lighthouse_providers.boto3.client")
-    def test_create_client_with_access_keys(self, mock_boto_client):
-        """Test creating client with access key authentication."""
-        mock_client = MagicMock()
-        mock_boto_client.return_value = mock_client
-
-        creds = {
-            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
-            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-            "region": "us-east-1",
-        }
-
-        result = _create_bedrock_client(creds)
-
-        assert result == mock_client
-        mock_boto_client.assert_called_once_with(
-            service_name="bedrock",
-            region_name="us-east-1",
-            aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
-            aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-        )
-
-    @patch("tasks.jobs.lighthouse_providers.Config")
-    @patch("tasks.jobs.lighthouse_providers.boto3.client")
-    def test_create_client_with_api_key(self, mock_boto_client, mock_config):
-        """Test creating client with API key authentication."""
-        mock_client = MagicMock()
-        mock_events = MagicMock()
-        mock_client.meta.events = mock_events
-        mock_boto_client.return_value = mock_client
-        mock_config_instance = MagicMock()
-        mock_config.return_value = mock_config_instance
-        valid_api_key = "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110)
-
-        creds = {
-            "api_key": valid_api_key,
-            "region": "us-west-2",
-        }
-
-        result = _create_bedrock_client(creds)
-
-        assert result == mock_client
-        mock_boto_client.assert_called_once_with(
-            service_name="bedrock",
-            region_name="us-west-2",
-            config=mock_config_instance,
-        )
-        mock_events.register.assert_called_once()
-        call_args = mock_events.register.call_args
-        assert call_args[0][0] == "before-send.*.*"
-
-        # Verify handler injects bearer token
-        handler_fn = call_args[0][1]
-        mock_request = MagicMock()
-        mock_request.headers = {}
-        handler_fn(mock_request)
-        assert mock_request.headers["Authorization"] == f"Bearer {valid_api_key}"
-
-
 # TODO Move this to outputs/reports jobs
@pytest.mark.django_db
 class TestGenerateOutputs:
@@ -309,6 +109,7 @@ class TestGenerateOutputs:
                return_value=(
                    "/tmp/test/out-dir",
                    "/tmp/test/comp-dir",
+                    "/tmp/test/threat-dir",
                ),
            ),
            patch("tasks.tasks.Scan.all_objects.filter") as mock_scan_update,
@@ -338,7 +139,7 @@ class TestGenerateOutputs:
            patch("tasks.tasks.Finding.all_objects.filter") as mock_findings,
            patch(
                "tasks.tasks._generate_output_directory",
-                return_value=("/tmp/test/out", "/tmp/test/comp"),
+                return_value=("/tmp/test/out", "/tmp/test/comp", "/tmp/test/threat"),
            ),
            patch("tasks.tasks.FindingOutput._transform_findings_stats"),
            patch("tasks.tasks.FindingOutput.transform_api_finding"),
@@ -408,7 +209,7 @@ class TestGenerateOutputs:
            patch("tasks.tasks.Finding.all_objects.filter") as mock_findings,
            patch(
                "tasks.tasks._generate_output_directory",
-                return_value=("/tmp/test/out", "/tmp/test/comp"),
+                return_value=("/tmp/test/out", "/tmp/test/comp", "/tmp/test/threat"),
            ),
            patch(
                "tasks.tasks.FindingOutput._transform_findings_stats",
@@ -488,6 +289,7 @@ class TestGenerateOutputs:
                return_value=(
                    "/tmp/test/outdir",
                    "/tmp/test/compdir",
+                    "/tmp/test/threatdir",
                ),
            ),
            patch("tasks.tasks._compress_output_files", return_value="outdir.zip"),
@@ -566,6 +368,7 @@ class TestGenerateOutputs:
                return_value=(
                    "/tmp/test/outdir",
                    "/tmp/test/compdir",
+                    "/tmp/test/threatdir",
                ),
            ),
            patch("tasks.tasks.FindingOutput._transform_findings_stats"),
@@ -633,7 +436,7 @@ class TestGenerateOutputs:
            patch("tasks.tasks.Finding.all_objects.filter") as mock_findings,
            patch(
                "tasks.tasks._generate_output_directory",
-                return_value=("/tmp/test/out", "/tmp/test/comp"),
+                return_value=("/tmp/test/out", "/tmp/test/comp", "/tmp/test/threat"),
            ),
            patch(
                "tasks.tasks.FindingOutput._transform_findings_stats",
@@ -691,7 +494,7 @@ class TestGenerateOutputs:
            patch("tasks.tasks.Finding.all_objects.filter") as mock_findings,
            patch(
                "tasks.tasks._generate_output_directory",
-                return_value=("/tmp/test/out", "/tmp/test/comp"),
+                return_value=("/tmp/test/out", "/tmp/test/comp", "/tmp/test/threat"),
            ),
            patch("tasks.tasks.FindingOutput._transform_findings_stats"),
            patch("tasks.tasks.FindingOutput.transform_api_finding"),
@@ -729,55 +532,37 @@ class TestGenerateOutputs:


 class TestScanCompleteTasks:
-    @patch("tasks.tasks.aggregate_attack_surface_task.apply_async")
    @patch("tasks.tasks.create_compliance_requirements_task.apply_async")
    @patch("tasks.tasks.perform_scan_summary_task.si")
    @patch("tasks.tasks.generate_outputs_task.si")
-    @patch("tasks.tasks.generate_compliance_reports_task.si")
+    @patch("tasks.tasks.generate_threatscore_report_task.si")
    @patch("tasks.tasks.check_integrations_task.si")
    def test_scan_complete_tasks(
        self,
        mock_check_integrations_task,
-        mock_compliance_reports_task,
+        mock_threatscore_task,
        mock_outputs_task,
        mock_scan_summary_task,
-        mock_compliance_requirements_task,
-        mock_attack_surface_task,
+        mock_compliance_tasks,
    ):
-        """Test that scan complete tasks are properly orchestrated with optimized reports."""
        _perform_scan_complete_tasks("tenant-id", "scan-id", "provider-id")
-
-        # Verify compliance requirements task is called
-        mock_compliance_requirements_task.assert_called_once_with(
+        mock_compliance_tasks.assert_called_once_with(
            kwargs={"tenant_id": "tenant-id", "scan_id": "scan-id"},
        )
-
-        # Verify attack surface task is called
-        mock_attack_surface_task.assert_called_once_with(
-            kwargs={"tenant_id": "tenant-id", "scan_id": "scan-id"},
-        )
-
-        # Verify scan summary task is called
        mock_scan_summary_task.assert_called_once_with(
            scan_id="scan-id",
            tenant_id="tenant-id",
        )
-
-        # Verify outputs task is called
        mock_outputs_task.assert_called_once_with(
            scan_id="scan-id",
            provider_id="provider-id",
            tenant_id="tenant-id",
        )
-
-        # Verify optimized compliance reports task is called (replaces individual tasks)
-        mock_compliance_reports_task.assert_called_once_with(
+        mock_threatscore_task.assert_called_once_with(
            tenant_id="tenant-id",
            scan_id="scan-id",
            provider_id="provider-id",
        )
-
-        # Verify integrations task is called
        mock_check_integrations_task.assert_called_once_with(
            tenant_id="tenant-id",
            provider_id="provider-id",
@@ -953,7 +738,7 @@ class TestCheckIntegrationsTask:
        mock_initialize_provider.return_value = MagicMock()
        mock_compliance_bulk.return_value = {}
        mock_get_frameworks.return_value = []
-        mock_generate_dir.return_value = ("out-dir", "comp-dir")
+        mock_generate_dir.return_value = ("out-dir", "comp-dir", "threat-dir")
        mock_transform_stats.return_value = {"stats": "data"}

        # Mock findings
@@ -1078,7 +863,7 @@ class TestCheckIntegrationsTask:
        mock_initialize_provider.return_value = MagicMock()
        mock_compliance_bulk.return_value = {}
        mock_get_frameworks.return_value = []
-        mock_generate_dir.return_value = ("out-dir", "comp-dir")
+        mock_generate_dir.return_value = ("out-dir", "comp-dir", "threat-dir")
        mock_transform_stats.return_value = {"stats": "data"}

        # Mock findings
@@ -1194,7 +979,7 @@ class TestCheckIntegrationsTask:
        mock_initialize_provider.return_value = MagicMock()
        mock_compliance_bulk.return_value = {}
        mock_get_frameworks.return_value = []
-        mock_generate_dir.return_value = ("out-dir", "comp-dir")
+        mock_generate_dir.return_value = ("out-dir", "comp-dir", "threat-dir")
        mock_transform_stats.return_value = {"stats": "data"}

        # Mock findings
@@ -1352,16 +1137,6 @@ class TestCheckLighthouseProviderConnectionTask:
                None,
                {"connected": True, "error": None},
            ),
-            # Bedrock API key authentication
-            (
-                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-                {
-                    "api_key": "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110),
-                    "region": "us-east-1",
-                },
-                None,
-                {"connected": True, "error": None},
-            ),
        ],
    )
    def test_check_connection_success_all_providers(
@@ -1430,24 +1205,6 @@ class TestCheckLighthouseProviderConnectionTask:
                    "list_foundation_models",
                ),
            ),
-            # Bedrock API key authentication failure
-            (
-                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-                {
-                    "api_key": "ABSKQmVkcm9ja0FQSUtleS" + ("X" * 110),
-                    "region": "us-east-1",
-                },
-                None,
-                ClientError(
-                    {
-                        "Error": {
-                            "Code": "UnrecognizedClientException",
-                            "Message": "Invalid API key",
-                        }
-                    },
-                    "list_foundation_models",
-                ),
-            ),
        ],
    )
    def test_check_connection_api_failure(
@@ -1572,17 +1329,6 @@ class TestRefreshLighthouseProviderModelsTask:
                {"openai.gpt-oss-120b-1:0": "gpt-oss-120b"},
                1,
            ),
-            # Bedrock API key authentication
-            (
-                LighthouseProviderConfiguration.LLMProviderChoices.BEDROCK,
-                {
-                    "api_key": "ABSKQmVkcm9ja0FQSUtleS" + ("A" * 110),
-                    "region": "us-east-1",
-                },
-                None,
-                {"anthropic.claude-v3": "Claude 3"},
-                1,
-            ),
        ],
    )
    def test_refresh_models_create_new(
@@ -1719,343 +1465,3 @@ class TestRefreshLighthouseProviderModelsTask:
            assert result["deleted"] == 0
            assert "error" in result
            assert result["error"] is not None
-
-
-@pytest.mark.django_db
-class TestCleanupOrphanScheduledScans:
-    """Unit tests for _cleanup_orphan_scheduled_scans helper function."""
-
-    def _create_periodic_task(self, provider_id, tenant_id):
-        """Helper to create a PeriodicTask for testing."""
-        interval, _ = IntervalSchedule.objects.get_or_create(every=24, period="hours")
-        return PeriodicTask.objects.create(
-            name=f"scan-perform-scheduled-{provider_id}",
-            task="scan-perform-scheduled",
-            interval=interval,
-            kwargs=f'{{"tenant_id": "{tenant_id}", "provider_id": "{provider_id}"}}',
-            enabled=True,
-        )
-
-    def test_cleanup_deletes_orphan_when_both_available_and_scheduled_exist(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that AVAILABLE scan is deleted when SCHEDULED also exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create orphan AVAILABLE scan
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan (next execution)
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_does_not_delete_when_only_available_exists(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that AVAILABLE scan is NOT deleted when no SCHEDULED exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create only AVAILABLE scan (normal first scan scenario)
-        available_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify nothing was deleted
-        assert deleted_count == 0
-        assert Scan.objects.filter(id=available_scan.id).exists()
-
-    def test_cleanup_does_not_delete_when_only_scheduled_exists(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that nothing is deleted when only SCHEDULED exists."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create only SCHEDULED scan (normal subsequent scan scenario)
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify nothing was deleted
-        assert deleted_count == 0
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_returns_zero_when_no_scans_exist(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup returns 0 when no scans exist."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Execute cleanup with no scans
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        assert deleted_count == 0
-
-    def test_cleanup_deletes_multiple_orphan_available_scans(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that multiple AVAILABLE orphan scans are all deleted."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create multiple orphan AVAILABLE scans
-        orphan_scan_1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-        orphan_scan_2 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify all orphans were deleted
-        assert deleted_count == 2
-        assert not Scan.objects.filter(id=orphan_scan_1.id).exists()
-        assert not Scan.objects.filter(id=orphan_scan_2.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-
-    def test_cleanup_does_not_affect_different_provider(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects scans for the specified provider."""
-        tenant = tenants_fixture[0]
-        provider1 = providers_fixture[0]
-        provider2 = providers_fixture[1]
-        periodic_task1 = self._create_periodic_task(provider1.id, tenant.id)
-        periodic_task2 = self._create_periodic_task(provider2.id, tenant.id)
-
-        # Create orphan scenario for provider1
-        orphan_scan_p1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task1.id,
-        )
-        scheduled_scan_p1 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider1,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Create AVAILABLE scan for provider2 (should not be affected)
-        available_scan_p2 = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider2,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task2.id,
-        )
-
-        # Execute cleanup for provider1 only
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider1.id),
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Verify only provider1's orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan_p1.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan_p1.id).exists()
-        assert Scan.objects.filter(id=available_scan_p2.id).exists()
-
-    def test_cleanup_does_not_affect_manual_scans(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects SCHEDULED trigger scans, not MANUAL."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create orphan AVAILABLE scheduled scan
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create SCHEDULED scan
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Create AVAILABLE manual scan (should not be affected)
-        manual_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Manual scan",
-            trigger=Scan.TriggerChoices.MANUAL,
-            state=StateChoices.AVAILABLE,
-        )
-
-        # Execute cleanup
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task.id,
-        )
-
-        # Verify only scheduled orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-        assert Scan.objects.filter(id=manual_scan.id).exists()
-
-    def test_cleanup_does_not_affect_different_scheduler_task(
-        self, tenants_fixture, providers_fixture
-    ):
-        """Test that cleanup only affects scans with the specified scheduler_task_id."""
-        tenant = tenants_fixture[0]
-        provider = providers_fixture[0]
-        periodic_task1 = self._create_periodic_task(provider.id, tenant.id)
-
-        # Create another periodic task
-        interval, _ = IntervalSchedule.objects.get_or_create(every=24, period="hours")
-        periodic_task2 = PeriodicTask.objects.create(
-            name=f"scan-perform-scheduled-other-{provider.id}",
-            task="scan-perform-scheduled",
-            interval=interval,
-            kwargs=f'{{"tenant_id": "{tenant.id}", "provider_id": "{provider.id}"}}',
-            enabled=True,
-        )
-
-        # Create orphan scenario for periodic_task1
-        orphan_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task1.id,
-        )
-        scheduled_scan = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.SCHEDULED,
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Create AVAILABLE scan for periodic_task2 (should not be affected)
-        available_scan_other_task = Scan.objects.create(
-            tenant_id=tenant.id,
-            provider=provider,
-            name="Daily scheduled scan",
-            trigger=Scan.TriggerChoices.SCHEDULED,
-            state=StateChoices.AVAILABLE,
-            scheduler_task_id=periodic_task2.id,
-        )
-
-        # Execute cleanup for periodic_task1 only
-        deleted_count = _cleanup_orphan_scheduled_scans(
-            tenant_id=str(tenant.id),
-            provider_id=str(provider.id),
-            scheduler_task_id=periodic_task1.id,
-        )
-
-        # Verify only periodic_task1's orphan was deleted
-        assert deleted_count == 1
-        assert not Scan.objects.filter(id=orphan_scan.id).exists()
-        assert Scan.objects.filter(id=scheduled_scan.id).exists()
-        assert Scan.objects.filter(id=available_scan_other_task.id).exists()
@@ -1,24 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_cis
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_cis(
-        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
-    )
@@ -1,28 +0,0 @@
-import warnings
-
-from dashboard.common_methods import get_section_containers_threatscore
-
-warnings.filterwarnings("ignore")
-
-
-def get_table(data):
-    aux = data[
-        [
-            "REQUIREMENTS_ID",
-            "REQUIREMENTS_DESCRIPTION",
-            "REQUIREMENTS_ATTRIBUTES_SECTION",
-            "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
-            "CHECKID",
-            "STATUS",
-            "REGION",
-            "ACCOUNTID",
-            "RESOURCEID",
-        ]
-    ].copy()
-
-    return get_section_containers_threatscore(
-        aux,
-        "REQUIREMENTS_ATTRIBUTES_SECTION",
-        "REQUIREMENTS_ATTRIBUTES_SUBSECTION",
-        "REQUIREMENTS_ID",
-    )
@@ -61,7 +61,6 @@ def create_layout_overview(
                    html.Div(className="flex", id="gcp_card", n_clicks=0),
                    html.Div(className="flex", id="k8s_card", n_clicks=0),
                    html.Div(className="flex", id="m365_card", n_clicks=0),
-                    html.Div(className="flex", id="alibabacloud_card", n_clicks=0),
                ],
                className=f"grid gap-x-4 mb-[30px] sm:grid-cols-2 lg:grid-cols-{amount_providers}",
            ),
@@ -78,8 +78,6 @@ def load_csv_files(csv_files):
                result = result.replace("_KUBERNETES", " - KUBERNETES")
            if "M65" in result:
                result = result.replace("_M65", " - M65")
-            if "ALIBABACLOUD" in result:
-                result = result.replace("_ALIBABACLOUD", " - ALIBABACLOUD")
            results.append(result)

    unique_results = set(results)
@@ -127,7 +125,7 @@ if data is None:
    )
 else:

-    data["ASSESSMENTDATE"] = pd.to_datetime(data["ASSESSMENTDATE"], format="mixed")
+    data["ASSESSMENTDATE"] = pd.to_datetime(data["ASSESSMENTDATE"])
    data["ASSESSMENT_TIME"] = data["ASSESSMENTDATE"].dt.strftime("%Y-%m-%d %H:%M:%S")

    data_values = data["ASSESSMENT_TIME"].unique()
@@ -280,13 +278,9 @@ def display_data(
            data["REQUIREMENTS_ATTRIBUTES_PROFILE"] = data[
                "REQUIREMENTS_ATTRIBUTES_PROFILE"
            ].apply(lambda x: x.split(" - ")[0])
-
-    # Rename the column LOCATION to REGION for Alibaba Cloud
-    if "alibabacloud" in analytics_input:
-        data = data.rename(columns={"LOCATION": "REGION"})
    # Filter the chosen level of the CIS
    if is_level_1:
-        data = data[data["REQUIREMENTS_ATTRIBUTES_PROFILE"].str.contains("Level 1")]
+        data = data[data["REQUIREMENTS_ATTRIBUTES_PROFILE"] == "Level 1"]

    # Rename the column PROJECTID to ACCOUNTID for GCP
    if data.columns.str.contains("PROJECTID").any():
@@ -79,9 +79,6 @@ ks8_provider_logo = html.Img(
 m365_provider_logo = html.Img(
    src="assets/images/providers/m365_provider.png", alt="m365 provider"
 )
-alibabacloud_provider_logo = html.Img(
-    src="assets/images/providers/alibabacloud_provider.png", alt="alibabacloud provider"
-)


 def load_csv_files(csv_files):
@@ -256,8 +253,6 @@ else:
                accounts.append(account + " - AWS")
            if "kubernetes" in list(data[data["ACCOUNT_UID"] == account]["PROVIDER"]):
                accounts.append(account + " - K8S")
-            if "alibabacloud" in list(data[data["ACCOUNT_UID"] == account]["PROVIDER"]):
-                accounts.append(account + " - ALIBABACLOUD")

    account_dropdown = create_account_dropdown(accounts)

@@ -303,8 +298,6 @@ else:
            services.append(service + " - GCP")
        if "m365" in list(data[data["SERVICE_NAME"] == service]["PROVIDER"]):
            services.append(service + " - M365")
-        if "alibabacloud" in list(data[data["SERVICE_NAME"] == service]["PROVIDER"]):
-            services.append(service + " - ALIBABACLOUD")

    services = ["All"] + services
    services = [
@@ -527,7 +520,6 @@ else:
        Output("gcp_card", "children"),
        Output("k8s_card", "children"),
        Output("m365_card", "children"),
-        Output("alibabacloud_card", "children"),
        Output("subscribe_card", "children"),
        Output("info-file-over", "title"),
        Output("severity-filter", "value"),
@@ -545,7 +537,6 @@ else:
        Output("gcp_card", "n_clicks"),
        Output("k8s_card", "n_clicks"),
        Output("m365_card", "n_clicks"),
-        Output("alibabacloud_card", "n_clicks"),
    ],
    Input("cloud-account-filter", "value"),
    Input("region-filter", "value"),
@@ -569,7 +560,6 @@ else:
    Input("sort_button_region", "n_clicks"),
    Input("sort_button_service", "n_clicks"),
    Input("sort_button_account", "n_clicks"),
-    Input("alibabacloud_card", "n_clicks"),
 )
 def filter_data(
    cloud_account_values,
@@ -594,7 +584,6 @@ def filter_data(
    sort_button_region,
    sort_button_service,
    sort_button_account,
-    alibabacloud_clicks,
 ):
    # Use n_clicks for vulture
    n_clicks_csv = n_clicks_csv
@@ -610,7 +599,6 @@ def filter_data(
            gcp_clicks = 0
            k8s_clicks = 0
            m365_clicks = 0
-            alibabacloud_clicks = 0
    if azure_clicks > 0:
        filtered_data = data.copy()
        if azure_clicks % 2 != 0 and "azure" in list(data["PROVIDER"]):
@@ -619,7 +607,6 @@ def filter_data(
            gcp_clicks = 0
            k8s_clicks = 0
            m365_clicks = 0
-            alibabacloud_clicks = 0
    if gcp_clicks > 0:
        filtered_data = data.copy()
        if gcp_clicks % 2 != 0 and "gcp" in list(data["PROVIDER"]):
@@ -628,7 +615,6 @@ def filter_data(
            azure_clicks = 0
            k8s_clicks = 0
            m365_clicks = 0
-            alibabacloud_clicks = 0
    if k8s_clicks > 0:
        filtered_data = data.copy()
        if k8s_clicks % 2 != 0 and "kubernetes" in list(data["PROVIDER"]):
@@ -637,7 +623,6 @@ def filter_data(
            azure_clicks = 0
            gcp_clicks = 0
            m365_clicks = 0
-            alibabacloud_clicks = 0
    if m365_clicks > 0:
        filtered_data = data.copy()
        if m365_clicks % 2 != 0 and "m365" in list(data["PROVIDER"]):
@@ -646,16 +631,7 @@ def filter_data(
            azure_clicks = 0
            gcp_clicks = 0
            k8s_clicks = 0
-            alibabacloud_clicks = 0
-    if alibabacloud_clicks > 0:
-        filtered_data = data.copy()
-        if alibabacloud_clicks % 2 != 0 and "alibabacloud" in list(data["PROVIDER"]):
-            filtered_data = filtered_data[filtered_data["PROVIDER"] == "alibabacloud"]
-            aws_clicks = 0
-            azure_clicks = 0
-            gcp_clicks = 0
-            k8s_clicks = 0
-            m365_clicks = 0
+
    # For all the data, we will add to the status column the value 'MUTED (FAIL)' and 'MUTED (PASS)' depending on the value of the column 'STATUS' and 'MUTED'
    if "MUTED" in filtered_data.columns:
        filtered_data["STATUS"] = filtered_data.apply(
@@ -747,8 +723,6 @@ def filter_data(
                all_account_ids.append(account)
            if "kubernetes" in list(data[data["ACCOUNT_UID"] == account]["PROVIDER"]):
                all_account_ids.append(account)
-            if "alibabacloud" in list(data[data["ACCOUNT_UID"] == account]["PROVIDER"]):
-                all_account_ids.append(account)

    all_account_names = []
    if "ACCOUNT_NAME" in filtered_data.columns:
@@ -771,10 +745,6 @@ def filter_data(
                    cloud_accounts_options.append(item + " - AWS")
                if "kubernetes" in list(data[data["ACCOUNT_UID"] == item]["PROVIDER"]):
                    cloud_accounts_options.append(item + " - K8S")
-                if "alibabacloud" in list(
-                    data[data["ACCOUNT_UID"] == item]["PROVIDER"]
-                ):
-                    cloud_accounts_options.append(item + " - ALIBABACLOUD")
            if "ACCOUNT_NAME" in filtered_data.columns:
                if "azure" in list(data[data["ACCOUNT_NAME"] == item]["PROVIDER"]):
                    cloud_accounts_options.append(item + " - AZURE")
@@ -903,10 +873,6 @@ def filter_data(
                filtered_data[filtered_data["SERVICE_NAME"] == item]["PROVIDER"]
            ):
                service_filter_options.append(item + " - M365")
-            if "alibabacloud" in list(
-                filtered_data[filtered_data["SERVICE_NAME"] == item]["PROVIDER"]
-            ):
-                service_filter_options.append(item + " - ALIBABACLOUD")

    # Filter Service
    if service_values == ["All"]:
@@ -1358,12 +1324,6 @@ def filter_data(
                    filtered_data.loc[
                        filtered_data["ACCOUNT_UID"] == account, "ACCOUNT_UID"
                    ] = (account + " - M365")
-                if "alibabacloud" in list(
-                    data[data["ACCOUNT_UID"] == account]["PROVIDER"]
-                ):
-                    filtered_data.loc[
-                        filtered_data["ACCOUNT_UID"] == account, "ACCOUNT_UID"
-                    ] = (account + " - ALIBABACLOUD")

        table_collapsible = []
        for item in filtered_data.to_dict("records"):
@@ -1450,13 +1410,6 @@ def filter_data(
    else:
        m365_card = None

-    if "alibabacloud" in list(data["PROVIDER"].unique()):
-        alibabacloud_card = create_provider_card(
-            "alibabacloud", alibabacloud_provider_logo, "Accounts", full_filtered_data
-        )
-    else:
-        alibabacloud_card = None
-
    # Subscribe to Prowler Cloud card
    subscribe_card = [
        html.Div(
@@ -1501,7 +1454,6 @@ def filter_data(
            gcp_card,
            k8s_card,
            m365_card,
-            alibabacloud_card,
            subscribe_card,
            list_files,
            severity_values,
@@ -1517,7 +1469,6 @@ def filter_data(
            gcp_clicks,
            k8s_clicks,
            m365_clicks,
-            alibabacloud_clicks,
        )
    else:
        return (
@@ -1536,7 +1487,6 @@ def filter_data(
            gcp_card,
            k8s_card,
            m365_card,
-            alibabacloud_card,
            subscribe_card,
            list_files,
            severity_values,
@@ -1554,7 +1504,6 @@ def filter_data(
            gcp_clicks,
            k8s_clicks,
            m365_clicks,
-            alibabacloud_clicks,
        )


@@ -41,9 +41,6 @@ services:
    volumes:
      - "./ui:/app"
      - "/app/node_modules"
-    depends_on:
-      mcp-server:
-        condition: service_healthy

  postgres:
    image: postgres:16.3-alpine3.20
@@ -60,11 +57,7 @@ services:
    ports:
      - "${POSTGRES_PORT:-5432}:${POSTGRES_PORT:-5432}"
    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER} -d ${POSTGRES_DB}'",
-        ]
+      test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER} -d ${POSTGRES_DB}'"]
      interval: 5s
      timeout: 5s
      retries: 5
@@ -125,32 +118,6 @@ services:
      - "../docker-entrypoint.sh"
      - "beat"

-  mcp-server:
-    build:
-      context: ./mcp_server
-      dockerfile: Dockerfile
-    environment:
-      - PROWLER_MCP_TRANSPORT_MODE=http
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    volumes:
-      - ./mcp_server/prowler_mcp_server:/app/prowler_mcp_server
-      - ./mcp_server/pyproject.toml:/app/pyproject.toml
-      - ./mcp_server/entrypoint.sh:/app/entrypoint.sh
-    command: ["uvicorn", "--host", "0.0.0.0", "--port", "8000"]
-    healthcheck:
-      test:
-        [
-          "CMD-SHELL",
-          "wget -q -O /dev/null http://127.0.0.1:8000/health || exit 1",
-        ]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-
 volumes:
  outputs:
    driver: local
@@ -1,9 +1,3 @@
-# Production Docker Compose configuration
-# Uses pre-built images from Docker Hub (prowlercloud/*)
-#
-# For development with local builds and hot-reload, use docker-compose-dev.yml instead:
-#   docker compose -f docker-compose-dev.yml up
-#
 services:
  api:
    hostname: "prowler-api"
@@ -32,9 +26,6 @@ services:
        required: false
    ports:
      - ${UI_PORT:-3000}:${UI_PORT:-3000}
-    depends_on:
-      mcp-server:
-        condition: service_healthy

  postgres:
    image: postgres:16.3-alpine3.20
@@ -102,22 +93,6 @@ services:
      - "../docker-entrypoint.sh"
      - "beat"

-  mcp-server:
-    image: prowlercloud/prowler-mcp:${PROWLER_MCP_VERSION:-stable}
-    environment:
-      - PROWLER_MCP_TRANSPORT_MODE=http
-    env_file:
-      - path: .env
-        required: false
-    ports:
-      - "8000:8000"
-    command: ["uvicorn", "--host", "0.0.0.0", "--port", "8000"]
-    healthcheck:
-      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:8000/health || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-
 volumes:
  output:
    driver: local
@@ -213,5 +213,3 @@ Also is important to keep all code examples as short as possible, including the
 | software-supply-chain   | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain                                                                                               |
 | e3                      | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
 | e5                      | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
-| privilege-escalation    | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
-| ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
@@ -1,447 +0,0 @@
---
-title: 'Extending the MCP Server'
---
-
-This guide explains how to extend the Prowler MCP Server with new tools and features.
-
-<Info>
-**New to Prowler MCP Server?** Start with the user documentation:
- [Overview](/getting-started/products/prowler-mcp) - Key capabilities, use cases, and deployment options
- [Installation](/getting-started/installation/prowler-mcp) - Install locally or use the managed server
- [Configuration](/getting-started/basic-usage/prowler-mcp) - Configure Claude Desktop, Cursor, and other MCP hosts
- [Tools Reference](/getting-started/basic-usage/prowler-mcp-tools) - Complete list of all available tools
-</Info>
-
-## Introduction
-
-The Prowler MCP Server brings the entire Prowler ecosystem to AI assistants through the [Model Context Protocol (MCP)](https://modelcontextprotocol.io). It enables seamless integration with AI tools like Claude Desktop, Cursor, and other MCP clients.
-
-The server follows a modular architecture with three independent sub-servers:
-
-| Sub-Server | Auth Required | Description |
-|------------|---------------|-------------|
-| Prowler App | Yes | Full access to Prowler Cloud and Self-Managed features |
-| Prowler Hub | No | Security checks catalog with **over 1000 checks**, fixers, and **70+ compliance frameworks** |
-| Prowler Documentation | No | Full-text search and retrieval of official documentation |
-
-<Note>
-For a complete list of tools and their descriptions, see the [Tools Reference](/getting-started/basic-usage/prowler-mcp-tools).
-</Note>
-
-## Architecture Overview
-
-The MCP Server architecture is illustrated in the [Overview documentation](/getting-started/products/prowler-mcp#mcp-server-architecture). AI assistants connect through the MCP protocol to access Prowler's three main components.
-
-### Server Structure
-
-The main server orchestrates three sub-servers with prefixed namespacing:
-
-```
-mcp_server/prowler_mcp_server/
-├── server.py                 # Main orchestrator
-├── main.py                   # CLI entry point
-├── prowler_hub/
-├── prowler_app/
-│   ├── tools/                # Tool implementations
-│   ├── models/               # Pydantic models
-│   └── utils/                # API client, auth, loader
-└── prowler_documentation/
-```
-
-### Tool Registration Patterns
-
-The MCP Server uses two patterns for tool registration:
-
-1. **Direct Decorators** (Prowler Hub/Docs): Tools are registered using `@mcp.tool()` decorators
-2. **Auto-Discovery** (Prowler App): All public methods of `BaseTool` subclasses are auto-registered
-
-## Adding Tools to Prowler App
-
-### Step 1: Create the Tool Class
-
-Create a new file or add to an existing file in `prowler_app/tools/`:
-
-```python
-# prowler_app/tools/new_feature.py
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.new_feature import (
-    FeatureListResponse,
-    DetailedFeature,
-)
-from prowler_mcp_server.prowler_app.tools.base import BaseTool
-
-
-class NewFeatureTools(BaseTool):
-    """Tools for managing new features."""
-
-    async def list_features(
-        self,
-        status: str | None = Field(
-            default=None,
-            description="Filter by status (active, inactive, pending)"
-        ),
-        page_size: int = Field(
-            default=50,
-            description="Number of results per page (1-100)"
-        ),
-    ) -> dict[str, Any]:
-        """List all features with optional filtering.
-
-        Returns a lightweight list of features optimized for LLM consumption.
-        Use get_feature for complete information about a specific feature.
-        """
-        # Validate parameters
-        self.api_client.validate_page_size(page_size)
-
-        # Build query parameters
-        params: dict[str, Any] = {"page[size]": page_size}
-        if status:
-            params["filter[status]"] = status
-
-        # Make API request
-        clean_params = self.api_client.build_filter_params(params)
-        response = await self.api_client.get("/api/v1/features", params=clean_params)
-
-        # Transform to LLM-friendly format
-        return FeatureListResponse.from_api_response(response).model_dump()
-
-    async def get_feature(
-        self,
-        feature_id: str = Field(description="The UUID of the feature"),
-    ) -> dict[str, Any]:
-        """Get detailed information about a specific feature.
-
-        Returns complete feature details including configuration and metadata.
-        """
-        try:
-            response = await self.api_client.get(f"/api/v1/features/{feature_id}")
-            return DetailedFeature.from_api_response(response["data"]).model_dump()
-        except Exception as e:
-            self.logger.error(f"Failed to get feature {feature_id}: {e}")
-            return {"error": str(e), "status": "failed"}
-```
-
-### Step 2: Create the Models
-
-Create corresponding models in `prowler_app/models/`:
-
-```python
-# prowler_app/models/new_feature.py
-from typing import Any
-
-from pydantic import Field
-
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-
-
-class SimplifiedFeature(MinimalSerializerMixin):
-    """Lightweight feature for list operations."""
-
-    id: str = Field(description="Unique feature identifier")
-    name: str = Field(description="Feature name")
-    status: str = Field(description="Current status")
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "SimplifiedFeature":
-        """Transform API response to simplified format."""
-        attributes = data.get("attributes", {})
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            status=attributes["status"],
-        )
-
-
-class DetailedFeature(SimplifiedFeature):
-    """Extended feature with complete details."""
-
-    description: str | None = Field(default=None, description="Feature description")
-    configuration: dict[str, Any] | None = Field(default=None, description="Configuration")
-    created_at: str = Field(description="Creation timestamp")
-    updated_at: str = Field(description="Last update timestamp")
-
-    @classmethod
-    def from_api_response(cls, data: dict[str, Any]) -> "DetailedFeature":
-        """Transform API response to detailed format."""
-        attributes = data.get("attributes", {})
-        return cls(
-            id=data["id"],
-            name=attributes["name"],
-            status=attributes["status"],
-            description=attributes.get("description"),
-            configuration=attributes.get("configuration"),
-            created_at=attributes["created_at"],
-            updated_at=attributes["updated_at"],
-        )
-
-
-class FeatureListResponse(MinimalSerializerMixin):
-    """Response wrapper for feature list operations."""
-
-    count: int = Field(description="Total number of features")
-    features: list[SimplifiedFeature] = Field(description="List of features")
-
-    @classmethod
-    def from_api_response(cls, response: dict[str, Any]) -> "FeatureListResponse":
-        """Transform API response to list format."""
-        data = response.get("data", [])
-        features = [SimplifiedFeature.from_api_response(item) for item in data]
-        return cls(count=len(features), features=features)
-```
-
-### Step 3: Verify Auto-Discovery
-
-No manual registration is needed. The `tool_loader.py` automatically discovers and registers all `BaseTool` subclasses. Verify your tool is loaded by checking the server logs:
-
-```
-INFO - Auto-registered 2 tools from NewFeatureTools
-INFO - Loaded and registered: NewFeatureTools
-```
-
-## Adding Tools to Prowler Hub/Docs
-
-For Prowler Hub or Documentation tools, use the `@mcp.tool()` decorator directly:
-
-```python
-# prowler_hub/server.py
-from fastmcp import FastMCP
-
-hub_mcp_server = FastMCP("prowler-hub")
-
-@hub_mcp_server.tool()
-async def get_new_artifact(
-    artifact_id: str,
-) -> dict:
-    """Fetch a specific artifact from Prowler Hub.
-
-    Args:
-        artifact_id: The unique identifier of the artifact
-
-    Returns:
-        Dictionary containing artifact details
-    """
-    response = prowler_hub_client.get(f"/artifact/{artifact_id}")
-    response.raise_for_status()
-    return response.json()
-```
-
-## Model Design Patterns
-
-### MinimalSerializerMixin
-
-All models should use `MinimalSerializerMixin` to optimize responses for LLM consumption:
-
-```python
-from prowler_mcp_server.prowler_app.models.base import MinimalSerializerMixin
-
-class MyModel(MinimalSerializerMixin):
-    """Model that excludes empty values from serialization."""
-    required_field: str
-    optional_field: str | None = None  # Excluded if None
-    empty_list: list = []              # Excluded if empty
-```
-
-This mixin automatically excludes:
- `None` values
- Empty strings
- Empty lists
- Empty dictionaries
-
-### Two-Tier Model Pattern
-
-Use two-tier models for efficient responses:
-
- **Simplified**: Lightweight models for list operations
- **Detailed**: Extended models for single-item retrieval
-
-```python
-class SimplifiedItem(MinimalSerializerMixin):
-    """Use for list operations - minimal fields."""
-    id: str
-    name: str
-    status: str
-
-class DetailedItem(SimplifiedItem):
-    """Use for get operations - extends simplified with details."""
-    description: str | None = None
-    configuration: dict | None = None
-    created_at: str
-    updated_at: str
-```
-
-### Factory Method Pattern
-
-Always implement `from_api_response()` for API transformation:
-
-```python
-@classmethod
-def from_api_response(cls, data: dict[str, Any]) -> "MyModel":
-    """Transform API response to model.
-
-    This method handles the JSON:API format used by Prowler API,
-    extracting attributes and relationships as needed.
-    """
-    attributes = data.get("attributes", {})
-    return cls(
-        id=data["id"],
-        name=attributes["name"],
-        # ... map other fields
-    )
-```
-
-## API Client Usage
-
-The `ProwlerAPIClient` is a singleton that handles authentication and HTTP requests:
-
-```python
-class MyTools(BaseTool):
-    async def my_tool(self) -> dict:
-        # GET request
-        response = await self.api_client.get("/api/v1/endpoint", params={"key": "value"})
-
-        # POST request
-        response = await self.api_client.post(
-            "/api/v1/endpoint",
-            json_data={"data": {"type": "items", "attributes": {...}}}
-        )
-
-        # PATCH request
-        response = await self.api_client.patch(
-            f"/api/v1/endpoint/{id}",
-            json_data={"data": {"attributes": {...}}}
-        )
-
-        # DELETE request
-        response = await self.api_client.delete(f"/api/v1/endpoint/{id}")
-```
-
-### Helper Methods
-
-The API client provides useful helper methods:
-
-```python
-# Validate page size (1-1000)
-self.api_client.validate_page_size(page_size)
-
-# Normalize date range with max days limit
-date_range = self.api_client.normalize_date_range(date_from, date_to, max_days=2)
-
-# Build filter parameters (handles type conversion)
-clean_params = self.api_client.build_filter_params({
-    "filter[status]": "active",
-    "filter[severity__in]": ["high", "critical"],  # Converts to comma-separated
-    "filter[muted]": True,  # Converts to "true"
-})
-
-# Poll async task until completion
-result = await self.api_client.poll_task_until_complete(
-    task_id=task_id,
-    timeout=60,
-    poll_interval=1.0
-)
-```
-
-## Best Practices
-
-### Tool Docstrings
-
-Tool docstrings become description that is going to be read by the LLM. Provide clear usage instructions and common workflows:
-
-```python
-async def search_items(self, status: str = Field(...)) -> dict:
-    """Search items with advanced filtering.
-
-    Returns a lightweight list optimized for LLM consumption.
-    Use get_item for complete details about a specific item.
-
-    Common workflows:
-    - Find critical items: status="critical"
-    - Find recent items: Use date_from parameter
-    """
-```
-
-### Error Handling
-
-Return structured error responses instead of raising exceptions:
-
-```python
-async def get_item(self, item_id: str) -> dict:
-    try:
-        response = await self.api_client.get(f"/api/v1/items/{item_id}")
-        return DetailedItem.from_api_response(response["data"]).model_dump()
-    except Exception as e:
-        self.logger.error(f"Failed to get item {item_id}: {e}")
-        return {"error": str(e), "status": "failed"}
-```
-
-### Parameter Descriptions
-
-Use Pydantic `Field()` with clear descriptions. This also helps LLMs understand
-the purpose of each parameter, so be as descriptive as possible:
-
-```python
-async def list_items(
-    self,
-    severity: list[str] = Field(
-        default=[],
-        description="Filter by severity levels (critical, high, medium, low)"
-    ),
-    status: str | None = Field(
-        default=None,
-        description="Filter by status (PASS, FAIL, MANUAL)"
-    ),
-    page_size: int = Field(
-        default=50,
-        description="Results per page"
-    ),
-) -> dict:
-```
-
-## Development Commands
-
-```bash
-# Navigate to MCP server directory
-cd mcp_server
-
-# Run in STDIO mode (default)
-uv run prowler-mcp
-
-# Run in HTTP mode
-uv run prowler-mcp --transport http --host 0.0.0.0 --port 8000
-
-# Run with environment variables
-PROWLER_APP_API_KEY="pk_xxx" uv run prowler-mcp
-```
-
-For complete installation and deployment options, see:
- [Installation Guide](/getting-started/installation/prowler-mcp#from-source-development) - Development setup instructions
- [Configuration Guide](/getting-started/basic-usage/prowler-mcp) - MCP client configuration
-
-For development I recommend to use the [Model Context Protocol Inspector](https://github.com/modelcontextprotocol/inspector) as MCP client to test and debug your tools.
-
-## Related Documentation
-
-<CardGroup cols={2}>
-  <Card title="MCP Server Overview" icon="circle-info" href="/getting-started/products/prowler-mcp">
-    Key capabilities, use cases, and deployment options
-  </Card>
-  <Card title="Tools Reference" icon="wrench" href="/getting-started/basic-usage/prowler-mcp-tools">
-    Complete reference of all available tools
-  </Card>
-  <Card title="Prowler Hub" icon="database" href="/getting-started/products/prowler-hub">
-    Security checks and compliance frameworks catalog
-  </Card>
-  <Card title="Lighthouse AI" icon="robot" href="/getting-started/products/prowler-lighthouse-ai">
-    AI-powered security analyst
-  </Card>
-</CardGroup>
-
-## Additional Resources
-
- [MCP Protocol Specification](https://modelcontextprotocol.io) - Model Context Protocol details
- [Prowler API Documentation](https://api.prowler.com/api/v1/docs) - API reference
- [Prowler Hub API](https://hub.prowler.com/api/docs) - Hub API reference
- [GitHub Repository](https://github.com/prowler-cloud/prowler) - Source code
@@ -63,82 +63,6 @@ Other Commands for Running Tests
 Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) for more details.

 </Note>
-
-## AWS Service Dependency Table (CI Optimization)
-
-To optimize CI pipeline execution time, the GitHub Actions workflow for AWS tests uses a **service dependency table** that determines which tests to run based on changed files. This ensures that when a service is modified, all dependent services are also tested.
-
-### How It Works
-
-The dependency table is defined in `.github/workflows/sdk-tests.yml` within the "Resolve AWS services under test" step. When files in a specific AWS service are changed:
-
-1. Tests for the changed service are run
-2. Tests for all services that **depend on** the changed service are also run
-
-For example, if you modify the `ec2` service, tests will also run for `dlm`, `dms`, `elbv2`, `emr`, `inspector2`, `rds`, `redshift`, `route53`, `shield`, `ssm`, and `workspaces` because these services use the EC2 client.
-
-### Current Dependency Table
-
-The table maps a service (key) to the list of services that depend on it (values):
-
-| Service | Dependent Services |
-|---------|-------------------|
-| `acm` | `elb` |
-| `autoscaling` | `dynamodb` |
-| `awslambda` | `ec2`, `inspector2` |
-| `backup` | `dynamodb`, `ec2`, `rds` |
-| `cloudfront` | `shield` |
-| `cloudtrail` | `awslambda`, `cloudwatch` |
-| `cloudwatch` | `bedrock` |
-| `ec2` | `dlm`, `dms`, `elbv2`, `emr`, `inspector2`, `rds`, `redshift`, `route53`, `shield`, `ssm` |
-| `ecr` | `inspector2` |
-| `elb` | `shield` |
-| `elbv2` | `shield` |
-| `globalaccelerator` | `shield` |
-| `iam` | `bedrock`, `cloudtrail`, `cloudwatch`, `codebuild` |
-| `kafka` | `firehose` |
-| `kinesis` | `firehose` |
-| `kms` | `kafka` |
-| `organizations` | `iam`, `servicecatalog` |
-| `route53` | `shield` |
-| `s3` | `bedrock`, `cloudfront`, `cloudtrail`, `macie` |
-| `ssm` | `ec2` |
-| `vpc` | `awslambda`, `ec2`, `efs`, `elasticache`, `neptune`, `networkfirewall`, `rds`, `redshift`, `workspaces` |
-| `waf` | `elbv2` |
-| `wafv2` | `cognito`, `elbv2` |
-
-### When to Update the Table
-
-You must update the dependency table when:
-
-1. **A new check or service uses another service's client**: If your check imports a client from another service (e.g., `from prowler.providers.aws.services.ec2.ec2_client import ec2_client` in a non-ec2 check), add your service to the dependent services list of that client's service.
-
-2. **A service relationship changes**: If you remove or add a service client dependency in an existing check, update the table accordingly.
-
-### How to Update the Table
-
-1. Open `.github/workflows/sdk-tests.yml`
-2. Find the `dependents` dictionary in the "Resolve AWS services under test" step
-3. Add or modify entries as needed
-4. **Update this documentation page** (`docs/developer-guide/unit-testing.mdx`) to reflect the changes in the [Current Dependency Table](#current-dependency-table) section above
-
-```python
-dependents = {
-    # ... existing entries ...
-    "service_being_used": ["service_that_uses_it"],
-}
-```
-
-**Example**: If you create a new check in the `newservice` service that imports `ec2_client`, add `newservice` to the `ec2` entry:
-
-```python
-"ec2": ["dlm", "dms", "elbv2", "emr", "inspector2", "newservice", "rds", "redshift", "route53", "shield", "ssm"],
-```
-
-<Warning>
-Failing to update this table when adding cross-service dependencies may result in CI tests passing even when related functionality is broken, as the dependent service tests won't be triggered.
-</Warning>
-
 ## AWS Testing Approaches

 For AWS provider, different testing approaches apply based on API coverage based on several criteria.
@@ -19,7 +19,9 @@
        "groups": [
          {
            "group": "Welcome",
-            "pages": ["introduction"]
+            "pages": [
+              "introduction"
+            ]
          },
          {
            "group": "Prowler Cloud",
@@ -49,7 +51,9 @@
          },
          {
            "group": "Prowler Lighthouse AI",
-            "pages": ["getting-started/products/prowler-lighthouse-ai"]
+            "pages": [
+              "user-guide/tutorials/prowler-app-lighthouse"
+            ]
          },
          {
            "group": "Prowler MCP Server",
@@ -105,13 +109,7 @@
                  "user-guide/tutorials/prowler-app-jira-integration"
                ]
              },
-              {
-                "group": "Lighthouse AI",
-                "pages": [
-                  "user-guide/tutorials/prowler-app-lighthouse",
-                  "user-guide/tutorials/prowler-app-lighthouse-multi-llm"
-                ]
-              },
+              "user-guide/tutorials/prowler-app-lighthouse",
              "user-guide/tutorials/prowler-cloud-public-ips",
              {
                "group": "Tutorials",
@@ -149,7 +147,9 @@
              "user-guide/cli/tutorials/quick-inventory",
              {
                "group": "Tutorials",
-                "pages": ["user-guide/cli/tutorials/parallel-execution"]
+                "pages": [
+                  "user-guide/cli/tutorials/parallel-execution"
+                ]
              }
            ]
          },
@@ -192,13 +192,6 @@
                  "user-guide/providers/gcp/retry-configuration"
                ]
              },
-              {
-                "group": "Alibaba Cloud",
-                "pages": [
-                  "user-guide/providers/alibabacloud/getting-started-alibabacloud",
-                  "user-guide/providers/alibabacloud/authentication"
-                ]
-              },
              {
                "group": "Kubernetes",
                "pages": [
@@ -237,7 +230,9 @@
              },
              {
                "group": "LLM",
-                "pages": ["user-guide/providers/llm/getting-started-llm"]
+                "pages": [
+                  "user-guide/providers/llm/getting-started-llm"
+                ]
              },
              {
                "group": "Oracle Cloud Infrastructure",
@@ -250,7 +245,9 @@
          },
          {
            "group": "Compliance",
-            "pages": ["user-guide/compliance/tutorials/threatscore"]
+            "pages": [
+              "user-guide/compliance/tutorials/threatscore"
+            ]
          }
        ]
      },
@@ -267,8 +264,7 @@
              "developer-guide/outputs",
              "developer-guide/integrations",
              "developer-guide/security-compliance-framework",
-              "developer-guide/lighthouse",
-              "developer-guide/mcp-server"
+              "developer-guide/lighthouse"
            ]
          },
          {
@@ -304,15 +300,21 @@
      },
      {
        "tab": "Security",
-        "pages": ["security"]
+        "pages": [
+          "security"
+        ]
      },
      {
        "tab": "Contact Us",
-        "pages": ["contact"]
+        "pages": [
+          "contact"
+        ]
      },
      {
        "tab": "Troubleshooting",
-        "pages": ["troubleshooting"]
+        "pages": [
+          "troubleshooting"
+        ]
      },
      {
        "tab": "About Us",
@@ -327,6 +329,10 @@
      {
        "tab": "Public Roadmap",
        "href": "https://roadmap.prowler.com/"
+      },
+      {
+        "tab": "API Reference",
+        "openapi": "api-reference/openapi.yml"
      }
    ],
    "global": {
@@ -10,7 +10,7 @@ Complete reference guide for all tools available in the Prowler MCP Server. Tool
 |----------|------------|------------------------|
 | Prowler Hub | 10 tools | No |
 | Prowler Documentation | 2 tools | No |
-| Prowler Cloud/App | 24 tools | Yes |
+| Prowler Cloud/App | 28 tools | Yes |

 ## Tool Naming Convention

@@ -20,6 +20,39 @@ All tools follow a consistent naming pattern with prefixes:
 - `prowler_docs_*` - Prowler documentation search and retrieval
 - `prowler_app_*` - Prowler Cloud and App (Self-Managed) management tools

+## Prowler Hub Tools
+
+Access Prowler's security check catalog and compliance frameworks. **No authentication required.**
+
+### Check Discovery
+
+- **`prowler_hub_get_checks`** - List security checks with advanced filtering options
+- **`prowler_hub_get_check_filters`** - Return available filter values for checks (providers, services, severities, categories, compliances)
+- **`prowler_hub_search_checks`** - Full-text search across check metadata
+- **`prowler_hub_get_check_raw_metadata`** - Fetch raw check metadata in JSON format
+
+### Check Code
+
+- **`prowler_hub_get_check_code`** - Fetch the Python implementation code for a security check
+- **`prowler_hub_get_check_fixer`** - Fetch the automated fixer code for a check (if available)
+
+### Compliance Frameworks
+
+- **`prowler_hub_get_compliance_frameworks`** - List and filter compliance frameworks
+- **`prowler_hub_search_compliance_frameworks`** - Full-text search across compliance frameworks
+
+### Provider Information
+
+- **`prowler_hub_list_providers`** - List Prowler official providers and their services
+- **`prowler_hub_get_artifacts_count`** - Get total count of checks and frameworks in Prowler Hub
+
+## Prowler Documentation Tools
+
+Search and access official Prowler documentation. **No authentication required.**
+
+- **`prowler_docs_search`** - Search the official Prowler documentation using full-text search
+- **`prowler_docs_get_document`** - Retrieve the full markdown content of a specific documentation file
+
 ## Prowler Cloud/App Tools

 Manage Prowler Cloud or Prowler App (Self-Managed) features. **Requires authentication.**
@@ -30,97 +63,49 @@ These tools require a valid API key. See the [Configuration Guide](/getting-star

 ### Findings Management

-Tools for searching, viewing, and analyzing security findings across all cloud providers.
-
- **`prowler_app_search_security_findings`** - Search and filter security findings with advanced filtering options (severity, status, provider, region, service, check ID, date range, muted status)
- **`prowler_app_get_finding_details`** - Get comprehensive details about a specific finding including remediation guidance, check metadata, and resource relationships
- **`prowler_app_get_findings_overview`** - Get aggregate statistics and trends about security findings as a markdown report
+- **`prowler_app_list_findings`** - List security findings with advanced filtering
+- **`prowler_app_get_finding`** - Get detailed information about a specific finding
+- **`prowler_app_get_latest_findings`** - Retrieve latest findings from the most recent scans
+- **`prowler_app_get_findings_metadata`** - Get unique metadata values from filtered findings
+- **`prowler_app_get_latest_findings_metadata`** - Get metadata from latest findings across all providers

 ### Provider Management

-Tools for managing cloud provider connections in Prowler.
+- **`prowler_app_list_providers`** - List all providers with filtering options
+- **`prowler_app_create_provider`** - Create a new provider in the current tenant
+- **`prowler_app_get_provider`** - Get detailed information about a specific provider
+- **`prowler_app_update_provider`** - Update provider details (alias, etc.)
+- **`prowler_app_delete_provider`** - Delete a specific provider
+- **`prowler_app_test_provider_connection`** - Test provider connection status

- **`prowler_app_search_providers`** - Search and view configured providers with their connection status
- **`prowler_app_connect_provider`** - Register and connect a provider with credentials for security scanning
- **`prowler_app_delete_provider`** - Permanently remove a provider from Prowler
+### Provider Secrets Management
+
+- **`prowler_app_list_provider_secrets`** - List all provider secrets with filtering
+- **`prowler_app_add_provider_secret`** - Add or update credentials for a provider
+- **`prowler_app_get_provider_secret`** - Get detailed information about a provider secret
+- **`prowler_app_update_provider_secret`** - Update provider secret details
+- **`prowler_app_delete_provider_secret`** - Delete a provider secret

 ### Scan Management

-Tools for managing and monitoring security scans.
+- **`prowler_app_list_scans`** - List all scans with filtering options
+- **`prowler_app_create_scan`** - Trigger a manual scan for a specific provider
+- **`prowler_app_get_scan`** - Get detailed information about a specific scan
+- **`prowler_app_update_scan`** - Update scan details
+- **`prowler_app_get_scan_compliance_report`** - Download compliance report as CSV
+- **`prowler_app_get_scan_report`** - Download ZIP file containing complete scan report

- **`prowler_app_list_scans`** - List and filter security scans across all providers
- **`prowler_app_get_scan`** - Get comprehensive details about a specific scan (progress, duration, resource counts)
- **`prowler_app_trigger_scan`** - Trigger a manual security scan for a provider
- **`prowler_app_schedule_daily_scan`** - Schedule automated daily scans for continuous monitoring
- **`prowler_app_update_scan`** - Update scan name for better organization
+### Schedule Management

-### Resources Management
+- **`prowler_app_schedules_daily_scan`** - Create a daily scheduled scan for a provider

-Tools for searching, viewing, and analyzing cloud resources discovered by Prowler.
+### Processor Management

- **`prowler_app_list_resources`** - List and filter cloud resources with advanced filtering options (provider, region, service, resource type, tags)
- **`prowler_app_get_resource`** - Get comprehensive details about a specific resource including configuration, metadata, and finding relationships
- **`prowler_app_get_resources_overview`** - Get aggregate statistics about cloud resources as a markdown report
-
-### Muting Management
-
-Tools for managing finding muting, including pattern-based bulk muting (mutelist) and finding-specific mute rules.
-
-#### Mutelist (Pattern-Based Muting)
-
- **`prowler_app_get_mutelist`** - Retrieve the current mutelist configuration for the tenant
- **`prowler_app_set_mutelist`** - Create or update the mutelist configuration for pattern-based bulk muting
- **`prowler_app_delete_mutelist`** - Remove the mutelist configuration from the tenant
-
-#### Mute Rules (Finding-Specific Muting)
-
- **`prowler_app_list_mute_rules`** - Search and filter mute rules with pagination support
- **`prowler_app_get_mute_rule`** - Retrieve comprehensive details about a specific mute rule
- **`prowler_app_create_mute_rule`** - Create a new mute rule to mute specific findings with documentation and audit trail
- **`prowler_app_update_mute_rule`** - Update a mute rule's name, reason, or enabled status
- **`prowler_app_delete_mute_rule`** - Delete a mute rule from the system
-
-### Compliance Management
-
-Tools for viewing compliance status and framework details across all cloud providers.
-
- **`prowler_app_get_compliance_overview`** - Get high-level compliance status across all frameworks for a specific scan or provider, including pass/fail statistics per framework
- **`prowler_app_get_compliance_framework_state_details`** - Get detailed requirement-level breakdown for a specific compliance framework, including failed requirements and associated finding IDs
-
-## Prowler Hub Tools
-
-Access Prowler's security check catalog and compliance frameworks. **No authentication required.**
-
-Tools follow a **two-tier pattern**: lightweight listing for browsing + detailed retrieval for complete information.
-
-### Check Discovery and Details
-
- **`prowler_hub_list_checks`** - List security checks with lightweight data (id, title, severity, provider) and advanced filtering options
- **`prowler_hub_semantic_search_checks`** - Full-text search across check metadata with lightweight results
- **`prowler_hub_get_check_details`** - Get comprehensive details for a specific check including risk, remediation guidance, and compliance mappings
-
-### Check Code
-
- **`prowler_hub_get_check_code`** - Fetch the Python implementation code for a security check
- **`prowler_hub_get_check_fixer`** - Fetch the automated fixer code for a check (if available)
-
-### Compliance Frameworks
-
- **`prowler_hub_list_compliances`** - List compliance frameworks with lightweight data (id, name, provider) and filtering options
- **`prowler_hub_semantic_search_compliances`** - Full-text search across compliance frameworks with lightweight results
- **`prowler_hub_get_compliance_details`** - Get comprehensive compliance details including requirements and mapped checks
-
-### Providers Information
-
- **`prowler_hub_list_providers`** - List Prowler official providers
- **`prowler_hub_get_provider_services`** - Get available services for a specific provider
-
-## Prowler Documentation Tools
-
-Search and access official Prowler documentation. **No authentication required.**
-
- **`prowler_docs_search`** - Search the official Prowler documentation using full-text search with the `term` parameter
- **`prowler_docs_get_document`** - Retrieve the full markdown content of a specific documentation file using the path from search results
+- **`prowler_app_processors_list`** - List all processors with filtering
+- **`prowler_app_processors_create`** - Create a new processor (currently only mute lists supported)
+- **`prowler_app_processors_retrieve`** - Get processor details by ID
+- **`prowler_app_processors_partial_update`** - Update processor configuration
+- **`prowler_app_processors_destroy`** - Delete a processor

 ## Usage Tips

@@ -139,7 +139,7 @@ STDIO mode is only available when running the MCP server locally.
          "args": ["/absolute/path/to/prowler/mcp_server/"],
          "env": {
            "PROWLER_APP_API_KEY": "<your-api-key-here>",
-            "API_BASE_URL": "https://api.prowler.com/api/v1"
+            "PROWLER_API_BASE_URL": "https://api.prowler.com"
          }
        }
      }
@@ -147,7 +147,7 @@ STDIO mode is only available when running the MCP server locally.
    ```

    <Note>
-    Replace `/absolute/path/to/prowler/mcp_server/` with the actual path. The `API_BASE_URL` is optional and defaults to Prowler Cloud API.
+    Replace `/absolute/path/to/prowler/mcp_server/` with the actual path. The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
    </Note>

  </Tab>
@@ -167,7 +167,7 @@ STDIO mode is only available when running the MCP server locally.
            "--env",
            "PROWLER_APP_API_KEY=<your-api-key-here>",
            "--env",
-            "API_BASE_URL=https://api.prowler.com/api/v1",
+            "PROWLER_API_BASE_URL=https://api.prowler.com",
            "prowlercloud/prowler-mcp"
          ]
        }
@@ -176,7 +176,7 @@ STDIO mode is only available when running the MCP server locally.
    ```

    <Note>
-    The `API_BASE_URL` is optional and defaults to Prowler Cloud API.
+    The `PROWLER_API_BASE_URL` is optional and defaults to Prowler Cloud API.
    </Note>

  </Tab>
@@ -4,12 +4,12 @@ title: "Installation"

 ### Installation

-Prowler App offers flexible installation methods tailored to various environments.
+Prowler App supports multiple installation methods based on your environment.

 Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detailed usage instructions.

 <Warning>
-  Prowler configuration is based on `.env` files. Every version of Prowler can have differences on that file, so, please, use the file that corresponds with that version or repository branch or tag.
+  Prowler configuration is based in `.env` files. Every version of Prowler can have differences on that file, so, please, use the file that corresponds with that version or repository branch or tag.
 </Warning>

 <Tabs>
@@ -26,6 +26,8 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    curl -sLO "https://raw.githubusercontent.com/prowler-cloud/prowler/refs/tags/${VERSION}/.env"
    docker compose up -d
    ```
+
+    > Containers are built for `linux/amd64`. If your workstation's architecture is different, please set `DOCKER_DEFAULT_PLATFORM=linux/amd64` in your environment or use the `--platform linux/amd64` flag in the docker command.
  </Tab>
  <Tab title="GitHub">
    _Requirements_:
@@ -104,27 +106,20 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
  </Tab>
 </Tabs>

-### Updating Prowler App
+### Update Prowler App

 Upgrade Prowler App installation using one of two options:

-#### Option 1: Updating the Environment File
-
-To update the environment file:
+#### Option 1: Update Environment File

 Edit the `.env` file and change version values:

 ```env
-PROWLER_UI_VERSION="5.16.1"
-PROWLER_API_VERSION="5.16.1"
+PROWLER_UI_VERSION="5.9.0"
+PROWLER_API_VERSION="5.9.0"
 ```

-<Note>
-  You can find the latest versions of Prowler App in the [Releases Github section](https://github.com/prowler-cloud/prowler/releases) or in the [Container Versions](#container-versions) section of this documentation.
-</Note>
-
-
-#### Option 2: Using Docker Compose Pull
+#### Option 2: Use Docker Compose Pull

 ```bash
 docker compose pull --policy always
@@ -138,7 +133,7 @@ The `--policy always` flag ensures that Docker pulls the latest images even if t
  Everything is preserved, nothing will be deleted after the update.
 </Note>

-### Troubleshooting Installation Issues
+### Troubleshooting

 If containers don't start, check logs for errors:

@@ -150,16 +145,16 @@ docker compose logs
 docker images | grep prowler
 ```

-If issues are encountered, rollback to the previous version by changing the `.env` file back to the previous version and running:
+If you encounter issues, you can rollback to the previous version by changing the `.env` file back to your previous version and running:

 ```bash
 docker compose pull
 docker compose up -d
 ```

-### Container Versions
+### Container versions

-The available versions of Prowler App are the following:
+The available versions of Prowler CLI are the following:

 - `latest`: in sync with `master` branch (please note that it is not a stable version)
 - `v4-latest`: in sync with `v4` branch (please note that it is not a stable version)
@@ -4,7 +4,7 @@ title: 'Installation'

 ## Installation

-To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/):
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/). Install it as a Python package with `Python >= 3.9, <= 3.12`:

 <Tabs>
  <Tab title="pipx">
@@ -41,7 +41,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is
    prowler -v
    ```

-    To upgrade Prowler to the latest version:
+    Upgrade Prowler to the latest version:

    ``` bash
    pip install --upgrade prowler
@@ -54,6 +54,8 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is
    * In the command below, change `-v` to your local directory path in order to access the reports.
    * AWS, GCP, Azure and/or Kubernetes credentials

+    > Containers are built for `linux/amd64`. If your workstation's architecture is different, please set `DOCKER_DEFAULT_PLATFORM=linux/amd64` in your environment or use the `--platform linux/amd64` flag in the docker command.
+
    _Commands_:

    ``` bash
@@ -73,7 +75,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is

    _Commands_:

-    ```bash
+    ```
    git clone https://github.com/prowler-cloud/prowler
    cd prowler
    poetry install
@@ -92,7 +94,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is

    _Commands_:

-    ```bash
+    ```
    python3 -m pip install --user pipx
    python3 -m pipx ensurepath
    pipx install prowler
@@ -102,7 +104,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is
  <Tab title="Ubuntu">
    _Requirements_:

-    * `Ubuntu 23.04` or above. For older Ubuntu versions, check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure `Python >= 3.9, <= 3.12` is installed.
+    * `Ubuntu 23.04` or above, if you are using an older version of Ubuntu check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure you have `Python >= 3.9, <= 3.12`.
    * `Python >= 3.9, <= 3.12`
    * AWS, GCP, Azure and/or Kubernetes credentials

@@ -119,7 +121,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is
  <Tab title="Brew">
    _Requirements_:

-    * `Brew` installed on Mac or Linux
+    * `Brew` installed in your Mac or Linux
    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:
@@ -169,8 +171,7 @@ To install Prowler as a Python package, use `Python >= 3.9, <= 3.12`. Prowler is
    ```
  </Tab>
 </Tabs>
-
-## Container Versions
+## Container versions

 The available versions of Prowler CLI are the following:

@@ -52,7 +52,7 @@ Choose one of the following installation methods:
    ```bash
    docker run --rm -i \
      -e PROWLER_APP_API_KEY="pk_your_api_key" \
-      -e API_BASE_URL="https://api.prowler.com/api/v1" \
+      -e PROWLER_API_BASE_URL="https://api.prowler.com" \
      prowlercloud/prowler-mcp
    ```

@@ -181,19 +181,19 @@ Configure the server using environment variables:
 | Variable | Description | Required | Default |
 |----------|-------------|----------|---------|
 | `PROWLER_APP_API_KEY` | Prowler API key | Only for STDIO mode | - |
-| `API_BASE_URL` | Custom Prowler API endpoint | No | `https://api.prowler.com/api/v1` |
+| `PROWLER_API_BASE_URL` | Custom Prowler API endpoint | No | `https://api.prowler.com` |
 | `PROWLER_MCP_TRANSPORT_MODE` | Default transport mode (overwritten by `--transport` argument) | No | `stdio` |

 <CodeGroup>
 ```bash macOS/Linux
 export PROWLER_APP_API_KEY="pk_your_api_key_here"
-export API_BASE_URL="https://api.prowler.com/api/v1"
+export PROWLER_API_BASE_URL="https://api.prowler.com"
 export PROWLER_MCP_TRANSPORT_MODE="http"
 ```

 ```bash Windows PowerShell
 $env:PROWLER_APP_API_KEY="pk_your_api_key_here"
-$env:API_BASE_URL="https://api.prowler.com/api/v1"
+$env:PROWLER_API_BASE_URL="https://api.prowler.com"
 $env:PROWLER_MCP_TRANSPORT_MODE="http"
 ```
 </CodeGroup>
@@ -208,7 +208,7 @@ For convenience, create a `.env` file in the `mcp_server` directory:

 ```bash .env
 PROWLER_APP_API_KEY=pk_your_api_key_here
-API_BASE_URL=https://api.prowler.com/api/v1
+PROWLER_API_BASE_URL=https://api.prowler.com
 PROWLER_MCP_TRANSPORT_MODE=stdio
 ```

@@ -6,7 +6,7 @@ title: "Overview"

 **Why this matters**: Every engineer has asked, “What does this check actually do?” Prowler Hub answers that question in one place, lets you pin to a specific version, and pulls definitions into your own tools or dashboards.

-![](/images/products/prowler-hub.png)
+![](/images/products/prowler-hub.webp)

 <Card title="Go to Prowler Hub" href="https://hub.prowler.com" />

@@ -14,4 +14,4 @@ Prowler Hub also provides a fully documented public API that you can integrate i

 📚 Explore the API docs at: https://hub.prowler.com/api/docs

-Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
+Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
@@ -1,180 +0,0 @@
---
-title: 'Overview'
---
-
-import { VersionBadge } from "/snippets/version-badge.mdx"
-
-<VersionBadge version="5.8.0" />
-
-Prowler Lighthouse AI is a Cloud Security Analyst chatbot that helps you understand, prioritize, and remediate security findings in your cloud environments. It's designed to provide security expertise for teams without dedicated resources, acting as your 24/7 virtual cloud security analyst.
-
-<img src="/images/prowler-app/lighthouse-intro.png" alt="Prowler Lighthouse" />
-
-<Card title="Set Up Lighthouse AI" icon="rocket" href="/user-guide/tutorials/prowler-app-lighthouse#set-up">
-  Learn how to configure Lighthouse AI with your preferred LLM provider
-</Card>
-
-## Capabilities
-
-Prowler Lighthouse AI is designed to be your AI security team member, with capabilities including:
-
-### Natural Language Querying
-
-Ask questions in plain English about your security findings. Examples:
-
- "What are my highest risk findings?"
- "Show me all S3 buckets with public access."
- "What security issues were found in my production accounts?"
-
-<img src="/images/prowler-app/lighthouse-feature1.png" alt="Natural language querying" />
-
-### Detailed Remediation Guidance
-
-Get tailored step-by-step instructions for fixing security issues:
-
- Clear explanations of the problem and its impact
- Commands or console steps to implement fixes
- Alternative approaches with different solutions
-
-<img src="/images/prowler-app/lighthouse-feature2.png" alt="Detailed Remediation" />
-
-### Enhanced Context and Analysis
-
-Lighthouse AI can provide additional context to help you understand the findings:
-
- Explain security concepts related to findings in simple terms
- Provide risk assessments based on your environment and context
- Connect related findings to show broader security patterns
-
-<img src="/images/prowler-app/lighthouse-config.png" alt="Business Context" />
-
-<img src="/images/prowler-app/lighthouse-feature3.png" alt="Contextual Responses" />
-
-## Important Notes
-
-Prowler Lighthouse AI is powerful, but there are limitations:
-
- **Continuous improvement**: Please report any issues, as the feature may make mistakes or encounter errors, despite extensive testing.
- **Access limitations**: Lighthouse AI can only access data the logged-in user can view. If you can't see certain information, Lighthouse AI can't see it either.
- **NextJS session dependence**: If your Prowler application session expires or logs out, Lighthouse AI will error out. Refresh and log back in to continue.
- **Response quality**: The response quality depends on the selected LLM provider and model. Choose models with strong tool-calling capabilities for best results. We recommend `gpt-5` model from OpenAI.
-
-### Getting Help
-
-If you encounter issues with Prowler Lighthouse AI or have suggestions for improvements, please [reach out through our Slack channel](https://goto.prowler.com/slack).
-
-### What Data Is Shared to LLM Providers?
-
-The following API endpoints are accessible to Prowler Lighthouse AI. Data from the following API endpoints could be shared with LLM provider depending on the scope of user's query:
-
-#### Accessible API Endpoints
-
-**User Management:**
-
- List all users - `/api/v1/users`
- Retrieve the current user's information - `/api/v1/users/me`
-
-**Provider Management:**
-
- List all providers - `/api/v1/providers`
- Retrieve data from a provider - `/api/v1/providers/{id}`
-
-**Scan Management:**
-
- List all scans - `/api/v1/scans`
- Retrieve data from a specific scan - `/api/v1/scans/{id}`
-
-**Resource Management:**
-
- List all resources - `/api/v1/resources`
- Retrieve data for a resource - `/api/v1/resources/{id}`
-
-**Findings Management:**
-
- List all findings - `/api/v1/findings`
- Retrieve data from a specific finding - `/api/v1/findings/{id}`
- Retrieve metadata values from findings - `/api/v1/findings/metadata`
-
-**Overview Data:**
-
- Get aggregated findings data - `/api/v1/overviews/findings`
- Get findings data by severity - `/api/v1/overviews/findings_severity`
- Get aggregated provider data - `/api/v1/overviews/providers`
- Get findings data by service - `/api/v1/overviews/services`
-
-**Compliance Management:**
-
- List compliance overviews (optionally filter by scan) - `/api/v1/compliance-overviews`
- Retrieve data from a specific compliance overview - `/api/v1/compliance-overviews/{id}`
-
-#### Excluded API Endpoints
-
-Not all Prowler API endpoints are integrated with Lighthouse AI. They are intentionally excluded for the following reasons:
-
- OpenAI/other LLM providers shouldn't have access to sensitive data (like fetching provider secrets and other sensitive config)
- Users queries don't need responses from those API endpoints (ex: tasks, tenant details, downloading zip file, etc.)
-
-**Excluded Endpoints:**
-
-**User Management:**
-
- List specific users information - `/api/v1/users/{id}`
- List user memberships - `/api/v1/users/{user_pk}/memberships`
- Retrieve membership data from the user - `/api/v1/users/{user_pk}/memberships/{id}`
-
-**Tenant Management:**
-
- List all tenants - `/api/v1/tenants`
- Retrieve data from a tenant - `/api/v1/tenants/{id}`
- List tenant memberships - `/api/v1/tenants/{tenant_pk}/memberships`
- List all invitations - `/api/v1/tenants/invitations`
- Retrieve data from tenant invitation - `/api/v1/tenants/invitations/{id}`
-
-**Security and Configuration:**
-
- List all secrets - `/api/v1/providers/secrets`
- Retrieve data from a secret - `/api/v1/providers/secrets/{id}`
- List all provider groups - `/api/v1/provider-groups`
- Retrieve data from a provider group - `/api/v1/provider-groups/{id}`
-
-**Reports and Tasks:**
-
- Download zip report - `/api/v1/scans/{v1}/report`
- List all tasks - `/api/v1/tasks`
- Retrieve data from a specific task - `/api/v1/tasks/{id}`
-
-**Lighthouse AI Configuration:**
-
- List LLM providers - `/api/v1/lighthouse/providers`
- Retrieve LLM provider - `/api/v1/lighthouse/providers/{id}`
- List available models - `/api/v1/lighthouse/models`
- Retrieve tenant configuration - `/api/v1/lighthouse/configuration`
-
-<Note>
-Agents only have access to hit GET endpoints. They don't have access to other HTTP methods.
-
-</Note>
-
-## FAQs
-
-**1. Which LLM providers are supported?**
-
-Lighthouse AI supports three providers:
-
- **OpenAI** - GPT models (GPT-5, GPT-4o, etc.)
- **Amazon Bedrock** - Claude, Llama, Titan, and other models via AWS
- **OpenAI Compatible** - Custom endpoints like OpenRouter, Ollama, or any OpenAI-compatible service
-
-For detailed configuration instructions, see [Using Multiple LLM Providers with Lighthouse](/user-guide/tutorials/prowler-app-lighthouse-multi-llm).
-
-**2. Why a multi-agent supervisor model?**
-
-Context windows are limited. While demo data fits inside the context window, querying real-world data often exceeds it. A multi-agent architecture is used so different agents fetch different sizes of data and respond with the minimum required data to the supervisor. This spreads the context window usage across agents.
-
-**3. Is my security data shared with LLM providers?**
-
-Minimal data is shared to generate useful responses. Agents can access security findings and remediation details when needed. Provider secrets are protected by design and cannot be read. The LLM provider credentials configured with Lighthouse AI are only accessible to our NextJS server and are never sent to the LLM providers. Resource metadata (names, tags, account/project IDs, etc) may be shared with the configured LLM provider based on query requirements.
-
-**4. Can the Lighthouse AI change my cloud environment?**
-
-No. The agent doesn't have the tools to make the changes, even if the configured cloud provider API keys contain permissions to modify resources.
@@ -19,11 +19,12 @@ The Prowler MCP Server provides three main integration points:
 ### 1. Prowler Cloud and Prowler App (Self-Managed)

 Full access to Prowler Cloud platform and self-managed Prowler App for:
- **Findings Analysis**: Query, filter, and analyze security findings across all your cloud environments
- **Provider Management**: Create, configure, and manage your configured Prowler providers (AWS, Azure, GCP, etc.)
- **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments
- **Resource Inventory**: Search and view detailed information about your audited resources
- **Muting Management**: Create and manage muting lists/rules to suppress non-relevant findings
+- **Provider Management**: Create, configure, and manage cloud providers (AWS, Azure, GCP, etc.).
+- **Scan Orchestration**: Trigger on-demand scans and schedule recurring security assessments.
+- **Findings Analysis**: Query, filter, and analyze security findings across all your cloud environments.
+- **Compliance Reporting**: Generate compliance reports for various frameworks (CIS, PCI-DSS, HIPAA, etc.).
+- **Secrets Management**: Securely manage provider credentials and connection details.
+- **Processor Configuration**: Set up the [Prowler Mutelist](/user-guide/tutorials/prowler-app-mute-findings) to mute findings.

 ### 2. Prowler Hub

@@ -48,10 +49,7 @@ The following diagram illustrates the Prowler MCP Server architecture and its in
 <img className="block dark:hidden" src="/images/prowler_mcp_schema_light.png" alt="Prowler MCP Server Schema" />
 <img className="hidden dark:block" src="/images/prowler_mcp_schema_dark.png" alt="Prowler MCP Server Schema" />

-The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components:
- Prowler Cloud/App for security operations
- Prowler Hub for security knowledge
- Prowler Documentation for guidance and reference.
+The architecture shows how AI assistants connect through the MCP protocol to access Prowler's three main components: Prowler Cloud/App for security operations, Prowler Hub for security knowledge, and Prowler Documentation for guidance and reference.

 ## Use Cases

@@ -59,12 +57,12 @@ The Prowler MCP Server enables powerful workflows through AI assistants:

 **Security Operations**
 - "Show me all critical findings from my AWS production accounts"
- "Register my new AWS account in Prowler and run a scheduled scan every day"
- "List all muted findings and detect what findgings are muted by a not enough good reason in relation to their severity"
+- "What is my compliance status for the PCI standards accross all my AWS accounts according to the latest Prowler scan results?"
+- "Register my new AWS account in Prowler and run an scheduled scan every day"

 **Security Research**
- "Explain what the S3 bucket public access Prowler check does"
- "Find all Prowler checks related to encryption at rest"
+- "Explain what the S3 bucket public access check does"
+- "Find all checks related to encryption at rest"
 - "What is the latest version of the CIS that Prowler is covering per provider?"

 **Documentation & Learning**
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andoni A.	60350794da	feat(api): show only production URL in API reference playground	2025-11-12 09:47:28 +01:00
Andoni Alonso	6a876a3205	Merge branch 'master' into DEVREL-98-include-open-api-specification-in-mintlify	2025-11-12 09:22:08 +01:00
Andoni A.	e9f6bc8604	chore: update CHANGELOG	2025-11-11 07:36:18 +01:00
Andoni A.	dc71d86c35	chore(api): regenerate openapi schema	2025-11-10 08:57:34 +01:00
Andoni Alonso	7a54900a62	Merge branch 'master' into DEVREL-98-include-open-api-specification-in-mintlify	2025-11-10 08:39:59 +01:00
Andoni A.	1d62b8d64e	fix(docs): json version is not needed	2025-11-05 14:52:23 +01:00
Andoni A.	0f5dc165bb	fix(docs): use hardlink, mintlify can't follow the symlink	2025-11-05 12:51:27 +01:00
Andoni A.	676a11bb13	feat(docs): use symlink to point to openapi spec	2025-11-05 12:43:16 +01:00
Andoni A.	4b80544f0a	chore: update CHANGELOG	2025-11-05 12:35:44 +01:00
Andoni A.	6815a9dd86	feat(api): add dynamic server URL configuration to OpenAPI schema Add a new postprocessing hook 'add_api_servers' that dynamically configures the servers array in the OpenAPI specification based on the request environment. This hook: - Detects the current environment (local, staging, or production) from the request host - Adds the current server URL as the primary option - Includes production (https://api.prowler.com) as a fallback option when generating from non-production environments - Enables users to toggle between local and production servers in Mintlify's API playground via a dropdown Server detection logic: - localhost/127.0.0.1 → "Local Development Server" - hosts with 'dev' or 'staging' → "Development/Staging API" - api.prowler.com → "Prowler Cloud API" This enables the "Try it out" feature in Mintlify documentation and allows testing against different environments without modifying the spec.	2025-11-05 12:04:18 +01:00
Andoni A.	00441e776d	feat(api): add OpenAPI schema postprocessing hooks for Mintlify compatibility Add three postprocessing hooks to fix OpenAPI 3.0.x compatibility issues generated by drf-spectacular-jsonapi: 1. fix_empty_id_fields: Fixes empty id field definitions ({}) in JSON:API request schemas (particularly PATCH/update requests) by replacing them with proper schema: {"type": "string", "format": "uuid", "description": "..."} 2. fix_pattern_properties: Converts patternProperties to additionalProperties for OpenAPI 3.0 compatibility. patternProperties is only available in OpenAPI 3.1+, but drf-spectacular generates 3.0.3 specs. This is needed for the Prowler mutelist configuration which uses dynamic keys. 3. fix_type_formats: Fixes invalid type values like "email" that drf-spectacular generates from Django's EmailField. Converts them to proper OpenAPI format: "type": "string" with "format": "email". Also handles "url" → "uri" and "uuid" formats. These hooks ensure the generated OpenAPI schema validates correctly with Mintlify and other OpenAPI 3.0.x tools.	2025-11-05 11:36:24 +01:00
Andoni A.	4037927c61	Merge branch 'master' into try-openapi	2025-11-05 10:36:07 +01:00
Andoni A.	20337b7e0c	poc: test `yq` to create json schema	2025-10-31 08:24:21 +01:00