chore(api): Update prowler dependency to v5.25 for release 5.25.0 (#10906)

Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>

.config/wt.toml

@@ -0,0 +1,23 @@
+# Prowler worktree automation for worktrunk (wt CLI).
+# Runs automatically on `wt switch --create`.
+
+# Block 1: setup + copy gitignored env files (.envrc, ui/.env.local)
+# from the primary worktree — patterns selected via .worktreeinclude.
+[[pre-start]]
+skills = "./skills/setup.sh --claude"
+python = "poetry env use python3.12"
+envs = "wt step copy-ignored"
+
+# Block 2: install Python deps (requires `poetry env use` from block 1).
+[[pre-start]]
+deps = "poetry install --with dev"
+
+# Block 3: reminder — last visible output before `wt switch` returns.
+# Hooks can't mutate the parent shell, so venv activation is manual.
+[[pre-start]]
+reminder = "echo '>> Reminder: activate the venv in this shell with: eval $(poetry env activate)'"
+
+# Background: pnpm install runs while you start working.
+# Tail logs via `wt config state logs`.
+[post-start]
+ui = "cd ui && pnpm install"

.env

@@ -78,6 +78,9 @@ TASK_RETRY_ATTEMPTS=5
 
 # Valkey settings
 # If running Valkey and celery on host, use localhost, else use 'valkey'
+VALKEY_SCHEME=redis
+VALKEY_USERNAME=
+VALKEY_PASSWORD=
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
 VALKEY_DB=0
@@ -142,7 +145,7 @@ SENTRY_RELEASE=local
 NEXT_PUBLIC_SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
 
 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.16.0
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.25.0
 
 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"

.github/CODEOWNERS

@@ -1,14 +1,15 @@
 # SDK
-/* @prowler-cloud/sdk
-/prowler/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
-/tests/ @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
-/dashboard/ @prowler-cloud/sdk
-/docs/ @prowler-cloud/sdk
-/examples/ @prowler-cloud/sdk
-/util/ @prowler-cloud/sdk
-/contrib/ @prowler-cloud/sdk
-/permissions/ @prowler-cloud/sdk
-/codecov.yml @prowler-cloud/sdk @prowler-cloud/api
+/* @prowler-cloud/detection-remediation
+/prowler/ @prowler-cloud/detection-remediation
+/prowler/compliance/ @prowler-cloud/compliance
+/tests/ @prowler-cloud/detection-remediation
+/dashboard/ @prowler-cloud/detection-remediation
+/docs/ @prowler-cloud/detection-remediation
+/examples/ @prowler-cloud/detection-remediation
+/util/ @prowler-cloud/detection-remediation
+/contrib/ @prowler-cloud/detection-remediation
+/permissions/ @prowler-cloud/detection-remediation
+/codecov.yml @prowler-cloud/detection-remediation @prowler-cloud/api
 
 # API
 /api/ @prowler-cloud/api
@@ -17,7 +18,7 @@
 /ui/ @prowler-cloud/ui
 
 # AI
-/mcp_server/ @prowler-cloud/ai
+/mcp_server/ @prowler-cloud/detection-remediation
 
 # Platform
 /.github/ @prowler-cloud/platform

.github/actions/setup-python-poetry/action.yml

@@ -13,11 +13,19 @@ inputs:
   poetry-version:
     description: 'Poetry version to install'
     required: false
-    default: '2.1.1'
+    default: '2.3.4'
   install-dependencies:
     description: 'Install Python dependencies with Poetry'
     required: false
     default: 'true'
+  update-lock:
+    description: 'Run `poetry lock` during setup. Only enable when a prior step mutates pyproject.toml (e.g. API `@master` VCS rewrite). Default: false.'
+    required: false
+    default: 'false'
+  enable-cache:
+    description: 'Whether to enable Poetry dependency caching via actions/setup-python'
+    required: false
+    default: 'true'
 
 runs:
   using: 'composite'
@@ -60,21 +68,8 @@ runs:
         echo "Updated resolved_reference:"
         grep -A2 -B2 "resolved_reference" poetry.lock
 
-    - name: Update SDK resolved_reference to latest commit (prowler repo on push)
-      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'prowler-cloud/prowler'
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: |
-        LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
-        echo "Latest commit hash: $LATEST_COMMIT"
-        sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
-          s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
-        }' poetry.lock
-        echo "Updated resolved_reference:"
-        grep -A2 -B2 "resolved_reference" poetry.lock
-
     - name: Update poetry.lock (prowler repo only)
-      if: github.repository == 'prowler-cloud/prowler'
+      if: github.repository == 'prowler-cloud/prowler' && inputs.update-lock == 'true'
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: poetry lock
@@ -83,8 +78,10 @@ runs:
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ inputs.python-version }}
-        cache: 'poetry'
-        cache-dependency-path: ${{ inputs.working-directory }}/poetry.lock
+        # Disable cache when callers skip dependency install: Poetry 2.3.4 creates
+        # the venv in a path setup-python can't hash, breaking the post-step save-cache.
+        cache: ${{ inputs.enable-cache == 'true' && 'poetry' || '' }}
+        cache-dependency-path: ${{ inputs.enable-cache == 'true' && format('{0}/poetry.lock', inputs.working-directory) || '' }}
 
     - name: Install Python dependencies
       if: inputs.install-dependencies == 'true'

.github/actions/trivy-scan/action.yml

@@ -117,7 +117,10 @@ runs:
         INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}
 
     - name: Comment scan results on PR
-      if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request'
+      if: >-
+        inputs.create-pr-comment == 'true'
+        && github.event_name == 'pull_request'
+        && github.event.pull_request.head.repo.full_name == github.repository
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       env:
         IMAGE_NAME: ${{ inputs.image-name }}

.github/dependabot.yml

@@ -66,6 +66,18 @@ updates:
     cooldown:
       default-days: 7
 
+  - package-ecosystem: "pre-commit"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 25
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pre-commit"
+    cooldown:
+      default-days: 7
+
   # Dependabot Updates are temporary disabled - 2025/04/15
   # v4.6
   # - package-ecosystem: "pip"

.github/labeler.yml

@@ -67,6 +67,11 @@ provider/googleworkspace:
       - any-glob-to-any-file: "prowler/providers/googleworkspace/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/**"
 
+provider/vercel:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/vercel/**"
+      - any-glob-to-any-file: "tests/providers/vercel/**"
+
 github_actions:
   - changed-files:
       - any-glob-to-any-file: ".github/workflows/*"
@@ -102,6 +107,8 @@ mutelist:
       - any-glob-to-any-file: "tests/providers/openstack/lib/mutelist/**"
       - any-glob-to-any-file: "prowler/providers/googleworkspace/lib/mutelist/**"
       - any-glob-to-any-file: "tests/providers/googleworkspace/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/vercel/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/vercel/lib/mutelist/**"
 
 integration/s3:
   - changed-files:

.github/test-impact.yml

@@ -177,6 +177,14 @@ modules:
       - tests/providers/llm/**
     e2e: []
 
+  - name: sdk-vercel
+    match:
+      - prowler/providers/vercel/**
+      - prowler/compliance/vercel/**
+    tests:
+      - tests/providers/vercel/**
+    e2e: []
+
   # ============================================
   # SDK - Lib modules
   # ============================================

.github/workflows/api-bump-version.yml

@@ -13,6 +13,8 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
+permissions: {}
+
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -27,6 +29,11 @@ jobs:
       patch_version: ${{ steps.detect.outputs.patch_version }}
       current_api_version: ${{ steps.get_api_version.outputs.current_api_version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -79,6 +86,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -204,6 +216,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/api-code-quality.yml

@@ -17,6 +17,8 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
+permissions: {}
+
 jobs:
   api-code-quality:
     runs-on: ubuntu-latest
@@ -32,6 +34,16 @@ jobs:
         working-directory: ./api
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            api.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -40,7 +52,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             api/**
@@ -57,6 +69,7 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
+          update-lock: 'true'
 
       - name: Poetry check
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-codeql.yml

@@ -24,6 +24,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   api-analyze:
     name: CodeQL Security Analysis
@@ -41,6 +43,18 @@ jobs:
           - 'python'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/api-container-build-push.yml

@@ -18,9 +18,6 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -36,6 +33,8 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api
 
+permissions: {}
+
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -43,7 +42,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -55,7 +61,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -94,6 +107,26 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            _http._tcp.deb.debian.org:443
+            aka.ms:443
+            auth.docker.io:443
+            cdn.powershellgallery.com:443
+            dc.services.visualstudio.com:443
+            debian.map.fastlydns.net:80
+            files.pythonhosted.org:443
+            github.com:443
+            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+            production.cloudflare.docker.com:443
+            pypi.org:443
+            registry-1.docker.io:443
+            release-assets.githubusercontent.com:443
+            www.powershellgallery.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -106,18 +139,18 @@ jobs:
           sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
 
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build and push API container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -132,17 +165,26 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -184,7 +226,14 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -227,6 +276,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Trigger API deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/api-container-checks.yml

@@ -18,6 +18,8 @@ env:
   API_WORKING_DIR: ./api
   IMAGE_NAME: prowler-api
 
+permissions: {}
+
 jobs:
   api-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -27,6 +29,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -35,7 +44,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: api/Dockerfile
 
@@ -65,6 +74,30 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            mirror.gcr.io:443
+            check.trivy.dev:443
+            github.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            debian.map.fastlydns.net:80
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            www.powershellgallery.com:443
+            aka.ms:443
+            cdn.powershellgallery.com:443
+            _http._tcp.deb.debian.org:443
+            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+            get.trivy.dev:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -73,7 +106,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: api/**
           files_ignore: |
@@ -84,11 +117,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.API_WORKING_DIR }}
           push: false

.github/workflows/api-security.yml

@@ -17,6 +17,8 @@ concurrency:
 env:
   API_WORKING_DIR: ./api
 
+permissions: {}
+
 jobs:
   api-security-scans:
     runs-on: ubuntu-latest
@@ -32,6 +34,19 @@ jobs:
         working-directory: ./api
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            pypi.org:443
+            files.pythonhosted.org:443
+            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
+            api.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -40,11 +55,12 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             api/**
             .github/workflows/api-security.yml
+            .safety-policy.yml
           files_ignore: |
             api/docs/**
             api/README.md
@@ -57,6 +73,7 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
+          update-lock: 'true'
 
       - name: Bandit
         if: steps.check-changes.outputs.any_changed == 'true'
@@ -64,9 +81,8 @@ jobs:
 
       - name: Safety
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check --ignore 79023,79027,86217
-        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
+        # Accepted CVEs, severity threshold, and ignore expirations live in ../.safety-policy.yml
+        run: poetry run safety check --policy-file ../.safety-policy.yml
 
       - name: Vulture
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/api-tests.yml

@@ -22,11 +22,16 @@ env:
   POSTGRES_USER: prowler_user
   POSTGRES_PASSWORD: prowler
   POSTGRES_DB: postgres-db
+  VALKEY_SCHEME: redis
+  VALKEY_USERNAME: ""
+  VALKEY_PASSWORD: ""
   VALKEY_HOST: localhost
   VALKEY_PORT: 6379
   VALKEY_DB: 0
   API_WORKING_DIR: ./api
 
+permissions: {}
+
 jobs:
   api-tests:
     runs-on: ubuntu-latest
@@ -72,6 +77,22 @@ jobs:
           --health-retries 5
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            cli.codecov.io:443
+            keybase.io:443
+            ingest.codecov.io:443
+            storage.googleapis.com:443
+            o26192.ingest.us.sentry.io:443
+            api.github.com:443
+
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -80,7 +101,7 @@ jobs:
 
       - name: Check for API changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             api/**
@@ -97,6 +118,7 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           working-directory: ./api
+          update-lock: 'true'
 
       - name: Run tests with pytest
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/backport.yml

@@ -17,6 +17,8 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_IGNORE: was-backported
 
+permissions: {}
+
 jobs:
   backport:
     if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
@@ -27,6 +29,14 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
       - name: Check labels
         id: label_check
         uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
@@ -39,7 +49,7 @@ jobs:
 
       - name: Backport PR
         if: steps.label_check.outputs.label_check == 'success'
-        uses: sorenlouv/backport-github-action@516854e7c9f962b9939085c9a92ea28411d1ae90 # v10.2.0
+        uses: sorenlouv/backport-github-action@9460b7102fea25466026ce806c9ebf873ac48721 # v11.0.0
         with:
           github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           auto_backport_label_prefix: ${{ env.BACKPORT_LABEL_PREFIX }}

.github/workflows/ci-zizmor.yml

@@ -21,6 +21,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   zizmor:
     if: github.repository == 'prowler-cloud/prowler'
@@ -33,12 +35,22 @@ jobs:
       actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            api.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
         with:
           token: ${{ github.token }}

.github/workflows/comment-label-update.yml

@@ -9,6 +9,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number }}
   cancel-in-progress: false
 
+permissions: {}
+
 jobs:
   update-labels:
     if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
@@ -19,6 +21,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Remove 'status/awaiting-response' label
         env:
           GH_TOKEN: ${{ github.token }}

.github/workflows/conventional-commit.yml

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   conventional-commit-check:
     runs-on: ubuntu-latest
@@ -25,6 +27,11 @@ jobs:
       pull-requests: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Check PR title format
         uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
         with:

.github/workflows/create-backport-label.yml

@@ -13,6 +13,8 @@ env:
   BACKPORT_LABEL_PREFIX: backport-to-
   BACKPORT_LABEL_COLOR: B60205
 
+permissions: {}
+
 jobs:
   create-label:
     runs-on: ubuntu-latest
@@ -22,6 +24,11 @@ jobs:
       issues: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Create backport label for minor releases
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docs-bump-version.yml

@@ -12,247 +12,77 @@ concurrency:
 env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
+  DOCS_FILE: docs/getting-started/installation/prowler-app.mdx
+
+permissions: {}
 
 jobs:
-  detect-release-type:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_minor: ${{ steps.detect.outputs.is_minor }}
-      is_patch: ${{ steps.detect.outputs.is_patch }}
-      major_version: ${{ steps.detect.outputs.major_version }}
-      minor_version: ${{ steps.detect.outputs.minor_version }}
-      patch_version: ${{ steps.detect.outputs.patch_version }}
-      current_docs_version: ${{ steps.get_docs_version.outputs.current_docs_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Get current documentation version
-        id: get_docs_version
-        run: |
-          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' docs/getting-started/installation/prowler-app.mdx)
-          echo "current_docs_version=${CURRENT_DOCS_VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-
-      - name: Detect release type and parse version
-        id: detect
-        run: |
-          if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR_VERSION=${BASH_REMATCH[1]}
-            MINOR_VERSION=${BASH_REMATCH[2]}
-            PATCH_VERSION=${BASH_REMATCH[3]}
-
-            echo "major_version=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "minor_version=${MINOR_VERSION}" >> "${GITHUB_OUTPUT}"
-            echo "patch_version=${PATCH_VERSION}" >> "${GITHUB_OUTPUT}"
-
-            if (( MAJOR_VERSION != 5 )); then
-              echo "::error::Releasing another Prowler major version, aborting..."
-              exit 1
-            fi
-
-            if (( PATCH_VERSION == 0 )); then
-              echo "is_minor=true" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=false" >> "${GITHUB_OUTPUT}"
-              echo "✓ Minor release detected: $PROWLER_VERSION"
-            else
-              echo "is_minor=false" >> "${GITHUB_OUTPUT}"
-              echo "is_patch=true" >> "${GITHUB_OUTPUT}"
-              echo "✓ Patch release detected: $PROWLER_VERSION"
-            fi
-          else
-            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
-            exit 1
-          fi
-
-  bump-minor-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_minor == 'true'
+  bump-version:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
     steps:
-      - name: Checkout repository
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Validate release version
+        run: |
+          if [[ ! $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            echo "::error::Invalid version syntax: '$PROWLER_VERSION' (must be X.Y.Z)"
+            exit 1
+          fi
+          if (( ${BASH_REMATCH[1]} != 5 )); then
+            echo "::error::Releasing another Prowler major version, aborting..."
+            exit 1
+          fi
+
+      - name: Checkout master branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          ref: ${{ env.BASE_BRANCH }}
           persist-credentials: false
 
-      - name: Calculate next minor version
+      - name: Read current docs version on master
+        id: docs_version
         run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
-
-          NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0
+          CURRENT_DOCS_VERSION=$(grep -oP 'PROWLER_UI_VERSION="\K[^"]+' "${DOCS_FILE}")
           echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}"
+          echo "Current docs version on master: $CURRENT_DOCS_VERSION"
+          echo "Target release version: $PROWLER_VERSION"
 
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next minor version: $NEXT_MINOR_VERSION"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
+          # Skip if master is already at or ahead of the release version
+          # (re-run, or patch shipped against an older minor line)
+          HIGHEST=$(printf '%s\n%s\n' "${CURRENT_DOCS_VERSION}" "${PROWLER_VERSION}" | sort -V | tail -n1)
+          if [[ "${CURRENT_DOCS_VERSION}" == "${PROWLER_VERSION}" || "${HIGHEST}" != "${PROWLER_VERSION}" ]]; then
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            echo "Skipping bump: current ($CURRENT_DOCS_VERSION) >= release ($PROWLER_VERSION)"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
 
-      - name: Bump versions in documentation for master
+      - name: Bump versions in documentation
+        if: steps.docs_version.outputs.skip == 'false'
         run: |
           set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
+          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
+          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" "${DOCS_FILE}"
           echo "Files modified:"
           git --no-pager diff
 
       - name: Create PR for documentation update to master
+        if: steps.docs_version.outputs.skip == 'false'
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: master
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-            - All `*.mdx` files with `<VersionBadge>` components
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-      - name: Checkout version branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }}
-          persist-credentials: false
-
-      - name: Calculate first patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
-
-          FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "FIRST_PATCH_VERSION=${FIRST_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "First patch version: $FIRST_PATCH_VERSION"
-          echo "Version branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
-
-      - name: Bump versions in documentation for version branch
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}-branch
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          labels: no-changelog,skip-sync
-          body: |
-            ### Description
-
-            Update Prowler documentation version references to v${{ env.PROWLER_VERSION }} in version branch after releasing Prowler v${{ env.PROWLER_VERSION }}.
-
-            ### Files Updated
-            - `docs/getting-started/installation/prowler-app.mdx`: `PROWLER_UI_VERSION` and `PROWLER_API_VERSION`
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-
-  bump-patch-version:
-    needs: detect-release-type
-    if: needs.detect-release-type.outputs.is_patch == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Calculate next patch version
-        run: |
-          MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION}
-          MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION}
-          PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION}
-          CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}"
-
-          NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1))
-          VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION}
-
-          echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}"
-          echo "NEXT_PATCH_VERSION=${NEXT_PATCH_VERSION}" >> "${GITHUB_ENV}"
-          echo "VERSION_BRANCH=${VERSION_BRANCH}" >> "${GITHUB_ENV}"
-
-          echo "Current documentation version: $CURRENT_DOCS_VERSION"
-          echo "Current release version: $PROWLER_VERSION"
-          echo "Next patch version: $NEXT_PATCH_VERSION"
-          echo "Target branch: $VERSION_BRANCH"
-        env:
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }}
-          NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }}
-
-      - name: Bump versions in documentation for patch version
-        run: |
-          set -e
-
-          # Update prowler-app.mdx with current release version
-          sed -i "s|PROWLER_UI_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_UI_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-          sed -i "s|PROWLER_API_VERSION=\"${CURRENT_DOCS_VERSION}\"|PROWLER_API_VERSION=\"${PROWLER_VERSION}\"|" docs/getting-started/installation/prowler-app.mdx
-
-          echo "Files modified:"
-          git --no-pager diff
-
-      - name: Create PR for documentation update to version branch
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
-        with:
-          author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
-          branch: docs-version-update-to-v${{ env.PROWLER_VERSION }}
-          title: 'docs: Update version to v${{ env.PROWLER_VERSION }}'
+          base: ${{ env.BASE_BRANCH }}
+          commit-message: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
+          branch: docs-version-bump-to-v${{ env.PROWLER_VERSION }}
+          title: 'chore(docs): Bump version to v${{ env.PROWLER_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description

.github/workflows/find-secrets.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   scan-secrets:
     runs-on: ubuntu-latest
@@ -22,6 +24,16 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          # We can't block as Trufflehog needs to verify secrets against vendors
+          egress-policy: audit
+          # allowed-endpoints: >
+          #   github.com:443
+          #   ghcr.io:443
+          #   pkg-containers.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/helm-chart-checks.yml

@@ -21,6 +21,8 @@ concurrency:
 env:
   CHART_PATH: contrib/k8s/helm/prowler-app
 
+permissions: {}
+
 jobs:
   helm-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -30,13 +32,18 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
 
       - name: Update chart dependencies
         run: helm dependency update ${{ env.CHART_PATH }}

.github/workflows/helm-chart-release.yml

@@ -13,6 +13,8 @@ concurrency:
 env:
   CHART_PATH: contrib/k8s/helm/prowler-app
 
+permissions: {}
+
 jobs:
   release-helm-chart:
     if: github.repository == 'prowler-cloud/prowler'
@@ -23,13 +25,18 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
 
       - name: Set appVersion from release tag
         run: |

.github/workflows/issue-lock-on-close.yml

@@ -0,0 +1,53 @@
+name: 'Tools: Lock Issue on Close'
+
+on:
+  issues:
+    types:
+      - closed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  lock:
+    if: |
+      github.repository == 'prowler-cloud/prowler' &&
+      github.event.issue.locked == false
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      issues: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
+      - name: Comment and lock issue
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const issue_number = context.payload.issue.number;
+
+            try {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body: 'This issue is now locked as it has been closed. If you are still hitting a related problem, please open a new issue and link back to this one for context. Thanks!'
+              });
+            } catch (error) {
+              core.warning(`Failed to post lock comment on issue #${issue_number}: ${error.message}`);
+            }
+
+            const lockParams = { owner, repo, issue_number };
+            if (context.payload.issue.state_reason === 'completed') {
+              lockParams.lock_reason = 'resolved';
+            }
+            await github.rest.issues.lock(lockParams);

.github/workflows/issue-triage.lock.yml

@@ -65,6 +65,11 @@ jobs:
       text: ${{ steps.compute-text.outputs.text }}
       title: ${{ steps.compute-text.outputs.title }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -129,6 +134,11 @@ jobs:
       output_types: ${{ steps.collect_output.outputs.output_types }}
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -762,7 +772,7 @@ jobs:
           SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Safe Outputs
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: safe-output
           path: ${{ env.GH_AW_SAFE_OUTPUTS }}
@@ -783,13 +793,13 @@ jobs:
             await main();
       - name: Upload sanitized agent output
         if: always() && env.GH_AW_AGENT_OUTPUT
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: agent-output
           path: ${{ env.GH_AW_AGENT_OUTPUT }}
           if-no-files-found: warn
       - name: Upload engine output files
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: agent_outputs
           path: |
@@ -829,7 +839,7 @@ jobs:
       - name: Upload agent artifacts
         if: always()
         continue-on-error: true
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: agent-artifacts
           path: |
@@ -859,13 +869,18 @@ jobs:
       tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -966,19 +981,24 @@ jobs:
     outputs:
       success: ${{ steps.parse_results.outputs.success }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent artifacts
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-artifacts
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/threat-detection/
@@ -1051,7 +1071,7 @@ jobs:
             await main();
       - name: Upload threat detection log
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: threat-detection.log
           path: /tmp/gh-aw/threat-detection/detection.log
@@ -1070,6 +1090,11 @@ jobs:
     outputs:
       activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_rate_limit.outputs.rate_limit_ok == 'true') }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
@@ -1138,13 +1163,18 @@ jobs:
       process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
       process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Setup Scripts
         uses: github/gh-aw/actions/setup@9382be3ca9ac18917e111a99d4e6bbff58d0dccc # v0.43.23
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/

.github/workflows/labeler.yml

@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   labeler:
     runs-on: ubuntu-latest
@@ -24,6 +26,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Apply labels to PR
         uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
@@ -38,6 +45,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Check if author is org member
         id: check_membership
         env:
@@ -65,7 +77,8 @@ jobs:
             "RosaRivasProwler"
             "StylusFrost"
             "toniblyx"
-            "vicferpoy"
+            "davidm4r"
+            "pfe-nazaries"
           )
 
           echo "Checking if $AUTHOR is a member of prowler-cloud organization"

.github/workflows/mcp-container-build-push.yml

@@ -17,9 +17,6 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -35,6 +32,8 @@ env:
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp
 
+permissions: {}
+
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -42,7 +41,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -54,7 +60,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -92,24 +105,38 @@ jobs:
       contents: read
       packages: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            files.pythonhosted.org:443
+            pypi.org:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build and push MCP container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           push: true
@@ -132,17 +159,27 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -184,7 +221,14 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -227,6 +271,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Trigger MCP deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/mcp-container-checks.yml

@@ -18,6 +18,8 @@ env:
   MCP_WORKING_DIR: ./mcp_server
   IMAGE_NAME: prowler-mcp
 
+permissions: {}
+
 jobs:
   mcp-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -27,6 +29,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -35,7 +44,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: mcp_server/Dockerfile
 
@@ -64,6 +73,26 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            files.pythonhosted.org:443
+            pypi.org:443
+            api.github.com:443
+            mirror.gcr.io:443
+            check.trivy.dev:443
+            get.trivy.dev:443
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -72,7 +101,7 @@ jobs:
 
       - name: Check for MCP changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: mcp_server/**
           files_ignore: |
@@ -81,11 +110,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build MCP container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.MCP_WORKING_DIR }}
           push: false

.github/workflows/mcp-pypi-release.yml

@@ -14,6 +14,8 @@ env:
   PYTHON_VERSION: "3.12"
   WORKING_DIRECTORY: ./mcp_server
 
+permissions: {}
+
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'
@@ -26,6 +28,11 @@ jobs:
       major_version: ${{ steps.parse-version.outputs.major }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Parse and validate version
         id: parse-version
         run: |
@@ -59,13 +66,18 @@ jobs:
       url: https://pypi.org/project/prowler-mcp/
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
         with:
           enable-cache: false
 

.github/workflows/pr-check-changelog.yml

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-changelog:
     if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false
@@ -28,6 +30,14 @@ jobs:
       MONITORED_FOLDERS: 'api ui prowler mcp_server'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -37,7 +47,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             api/**

.github/workflows/pr-check-compliance-mapping.yml

@@ -0,0 +1,188 @@
+name: 'Tools: Check Compliance Mapping'
+
+on:
+  pull_request:
+    types:
+      - 'opened'
+      - 'synchronize'
+      - 'reopened'
+      - 'labeled'
+      - 'unlabeled'
+    branches:
+      - 'master'
+      - 'v5.*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  check-compliance-mapping:
+    if: >-
+      github.event.pull_request.state == 'open' &&
+      contains(github.event.pull_request.labels.*.name, 'no-compliance-check') == false &&
+      (
+        (github.event.action != 'labeled' && github.event.action != 'unlabeled')
+        || github.event.label.name == 'no-compliance-check'
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          # zizmor: ignore[artipacked]
+          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        with:
+          files: |
+            prowler/providers/**/services/**/*.metadata.json
+            prowler/compliance/**/*.json
+
+      - name: Check if new checks are mapped in compliance
+        id: compliance-check
+        run: |
+          ADDED_METADATA="${STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES}"
+          ALL_CHANGED="${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}"
+
+          # Filter only new metadata files (new checks)
+          new_checks=""
+          for f in $ADDED_METADATA; do
+            case "$f" in *.metadata.json) new_checks="$new_checks $f" ;; esac
+          done
+
+          if [ -z "$(echo "$new_checks" | tr -d ' ')" ]; then
+            echo "No new checks detected."
+            echo "has_new_checks=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Collect compliance files changed in this PR
+          changed_compliance=""
+          for f in $ALL_CHANGED; do
+            case "$f" in prowler/compliance/*.json) changed_compliance="$changed_compliance $f" ;; esac
+          done
+
+          UNMAPPED=""
+          MAPPED=""
+
+          for metadata_file in $new_checks; do
+            check_dir=$(dirname "$metadata_file")
+            check_id=$(basename "$check_dir")
+            provider=$(echo "$metadata_file" | cut -d'/' -f3)
+
+            # Read CheckID from the metadata JSON for accuracy
+            if [ -f "$metadata_file" ]; then
+              json_check_id=$(python3 -c "import json; print(json.load(open('$metadata_file')).get('CheckID', ''))" 2>/dev/null || echo "")
+              if [ -n "$json_check_id" ]; then
+                check_id="$json_check_id"
+              fi
+            fi
+
+            # Search for the check ID in compliance files changed in this PR
+            found_in=""
+            for comp_file in $changed_compliance; do
+              if grep -q "\"${check_id}\"" "$comp_file" 2>/dev/null; then
+                found_in="${found_in}$(basename "$comp_file" .json), "
+              fi
+            done
+
+            if [ -n "$found_in" ]; then
+              found_in=$(echo "$found_in" | sed 's/, $//')
+              MAPPED="${MAPPED}- \`${check_id}\` (\`${provider}\`): ${found_in}"$'\n'
+            else
+              UNMAPPED="${UNMAPPED}- \`${check_id}\` (\`${provider}\`)"$'\n'
+            fi
+          done
+
+          echo "has_new_checks=true" >> "$GITHUB_OUTPUT"
+
+          if [ -n "$UNMAPPED" ]; then
+            echo "has_unmapped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_unmapped=false" >> "$GITHUB_OUTPUT"
+          fi
+
+          {
+            echo "unmapped<<EOF"
+            echo -e "${UNMAPPED}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+          {
+            echo "mapped<<EOF"
+            echo -e "${MAPPED}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_CHANGED_FILES_OUTPUTS_ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
+          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+
+      - name: Manage compliance review label
+        if: steps.compliance-check.outputs.has_new_checks == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          HAS_UNMAPPED: ${{ steps.compliance-check.outputs.has_unmapped }}
+        run: |
+          LABEL_NAME="needs-compliance-review"
+
+          if [ "$HAS_UNMAPPED" = "true" ]; then
+            echo "Adding compliance review label to PR #${PR_NUMBER}..."
+            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
+          else
+            echo "Removing compliance review label from PR #${PR_NUMBER}..."
+            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo "${{ github.repository }}" || true
+          fi
+
+      - name: Find existing compliance comment
+        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
+        id: find-comment
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: '<!-- compliance-mapping-check -->'
+
+      - name: Create or update compliance comment
+        if: steps.compliance-check.outputs.has_new_checks == 'true' && github.event.pull_request.head.repo.full_name == github.repository
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          edit-mode: replace
+          body: |
+            <!-- compliance-mapping-check -->
+            ## Compliance Mapping Review
+
+            This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.
+
+            ${{ steps.compliance-check.outputs.unmapped != '' && format('### New checks not mapped to any compliance framework in this PR
+
+            {0}
+
+            > Please review whether these checks should be added to compliance framework requirements in `prowler/compliance/<provider>/`. Each compliance JSON has a `Checks` array inside each requirement — add the check ID there if it satisfies that requirement.', steps.compliance-check.outputs.unmapped) || '' }}
+
+            ${{ steps.compliance-check.outputs.mapped != '' && format('### New checks already mapped in this PR
+
+            {0}', steps.compliance-check.outputs.mapped) || '' }}
+
+            Use the `no-compliance-check` label to skip this check.

.github/workflows/pr-conflict-checker.yml

@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-conflicts:
     runs-on: ubuntu-latest
@@ -25,6 +27,11 @@ jobs:
       issues: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout PR head
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -34,7 +41,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: '**'
 

.github/workflows/pr-merged.yml

@@ -12,6 +12,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: false
 
+permissions: {}
+
 jobs:
   trigger-cloud-pull-request:
     if: |
@@ -23,6 +25,13 @@ jobs:
     permissions:
       contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Calculate short commit SHA
         id: vars
         run: |

.github/workflows/prepare-release.yml

@@ -17,6 +17,8 @@ concurrency:
 env:
   PROWLER_VERSION: ${{ inputs.prowler_version }}
 
+permissions: {}
+
 jobs:
   prepare-release:
     if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
@@ -26,6 +28,11 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
@@ -33,15 +40,12 @@ jobs:
         token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
         persist-credentials: false
 
-    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+    - name: Setup Python with Poetry
+      uses: ./.github/actions/setup-python-poetry
       with:
         python-version: '3.12'
-
-    - name: Install Poetry
-      run: |
-        python3 -m pip install --user poetry==2.1.1
-        echo "$HOME/.local/bin" >> $GITHUB_PATH
+        install-dependencies: 'false'
+        enable-cache: 'false'
 
     - name: Configure Git
       run: |
@@ -375,7 +379,7 @@ jobs:
           no-changelog
 
     - name: Create draft release
-      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
       with:
         tag_name: ${{ env.PROWLER_VERSION }}
         name: Prowler ${{ env.PROWLER_VERSION }}

.github/workflows/sdk-bump-version.yml

@@ -13,6 +13,8 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
+permissions: {}
+
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -26,6 +28,11 @@ jobs:
       minor_version: ${{ steps.detect.outputs.minor_version }}
       patch_version: ${{ steps.detect.outputs.patch_version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Detect release type and parse version
         id: detect
         run: |
@@ -66,6 +73,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -101,9 +113,9 @@ jobs:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: master
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_MINOR_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_MINOR_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description
@@ -153,9 +165,9 @@ jobs:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          commit-message: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.FIRST_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.FIRST_PATCH_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description
@@ -175,6 +187,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -216,9 +233,9 @@ jobs:
           author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
           token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
           base: ${{ env.VERSION_BRANCH }}
-          commit-message: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
-          branch: version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
-          title: 'chore(release): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          commit-message: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
+          branch: sdk-version-bump-to-v${{ env.NEXT_PATCH_VERSION }}
+          title: 'chore(sdk): Bump version to v${{ env.NEXT_PATCH_VERSION }}'
           labels: no-changelog,skip-sync
           body: |
             ### Description

.github/workflows/sdk-check-duplicate-test-names.yml

@@ -10,6 +10,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-duplicate-test-names:
     if: github.repository == 'prowler-cloud/prowler'
@@ -19,6 +21,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/sdk-code-quality.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   sdk-code-quality:
     if: github.repository == 'prowler-cloud/prowler'
@@ -24,12 +26,20 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - '3.9'
           - '3.10'
           - '3.11'
           - '3.12'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -38,7 +48,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: ./**
           files_ignore: |
@@ -61,22 +71,11 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Install Poetry
+      - name: Setup Python with Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: |
-          poetry install --no-root
-          poetry run pip list
 
       - name: Check Poetry lock file
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-codeql.yml

@@ -30,6 +30,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   sdk-analyze:
     if: github.repository == 'prowler-cloud/prowler'
@@ -48,6 +50,16 @@ jobs:
           - 'python'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/sdk-container-build-push.yml

@@ -23,9 +23,6 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -45,10 +42,13 @@ env:
   # Container registries
   PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
   PROWLERCLOUD_DOCKERHUB_IMAGE: prowler
+  TONIBLYX_DOCKERHUB_REPOSITORY: toniblyx
 
   # AWS configuration (for ECR)
   AWS_REGION: us-east-1
 
+permissions: {}
+
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -59,21 +59,32 @@ jobs:
       prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
       latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
       stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          install-dependencies: 'false'
+          enable-cache: 'false'
 
-      - name: Install Poetry
-        run: |
-          pipx install poetry==2.1.1
-          pipx inject poetry poetry-bumpversion
+      - name: Inject poetry-bumpversion plugin
+        run: pipx inject poetry poetry-bumpversion
 
       - name: Get Prowler version and set tags
         id: get-prowler-version
@@ -115,7 +126,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -154,19 +172,40 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.ecr-public.us-east-1.amazonaws.com:443
+            public.ecr.aws:443
+            registry-1.docker.io:443
+            production.cloudflare.docker.com:443
+            auth.docker.io:443
+            debian.map.fastlydns.net:80
+            github.com:443
+            release-assets.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            www.powershellgallery.com:443
+            aka.ms:443
+            cdn.powershellgallery.com:443
+            _http._tcp.deb.debian.org:443
+            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -175,12 +214,12 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build and push SDK container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           file: ${{ env.DOCKERFILE_PATH }}
@@ -196,16 +235,32 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            registry-1.docker.io:443
+            auth.docker.io:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            api.ecr-public.us-east-1.amazonaws.com:443
+
+
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -213,15 +268,11 @@ jobs:
         env:
           AWS_REGION: ${{ env.AWS_REGION }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
           docker buildx imagetools create \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
@@ -232,12 +283,10 @@ jobs:
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
         run: |
           docker buildx imagetools create \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
-            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
             -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64
         env:
@@ -245,6 +294,39 @@ jobs:
           NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }}
           NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }}
 
+      # Push to toniblyx/prowler only for current version (latest/stable/release tags)
+      - name: Login to DockerHub (toniblyx)
+        if: needs.setup.outputs.latest_tag == 'latest'
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          username: ${{ secrets.TONIBLYX_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.TONIBLYX_DOCKERHUB_PASSWORD }}
+
+      - name: Push manifests to toniblyx for push event
+        if: needs.setup.outputs.latest_tag == 'latest' && github.event_name == 'push'
+        run: |
+          docker buildx imagetools create \
+            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:latest
+
+      - name: Push manifests to toniblyx for release event
+        if: needs.setup.outputs.latest_tag == 'latest' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
+        run: |
+          docker buildx imagetools create \
+            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \
+            -t ${{ env.TONIBLYX_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable \
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:stable
+        env:
+          NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }}
+
+      # Re-login as prowlercloud for cleanup of intermediate tags
+      - name: Login to DockerHub (prowlercloud)
+        if: always()
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Install regctl
         if: always()
         uses: regclient/actions/regctl-installer@da9319db8e44e8b062b3a147e1dfb2f574d41a03 # main
@@ -264,7 +346,14 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -307,6 +396,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Calculate short SHA
         id: short-sha
         run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

.github/workflows/sdk-container-checks.yml

@@ -17,6 +17,8 @@ concurrency:
 env:
   IMAGE_NAME: prowler
 
+permissions: {}
+
 jobs:
   sdk-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -26,6 +28,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -34,7 +43,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: Dockerfile
 
@@ -64,6 +73,30 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            api.github.com:443
+            mirror.gcr.io:443
+            check.trivy.dev:443
+            debian.map.fastlydns.net:80
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            www.powershellgallery.com:443
+            aka.ms:443
+            cdn.powershellgallery.com:443
+            _http._tcp.deb.debian.org:443
+            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+            get.trivy.dev:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -72,7 +105,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: ./**
           files_ignore: |
@@ -97,11 +130,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build SDK container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: false

.github/workflows/sdk-pypi-release.yml

@@ -13,6 +13,8 @@ env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
   PYTHON_VERSION: '3.12'
 
+permissions: {}
+
 jobs:
   validate-release:
     if: github.repository == 'prowler-cloud/prowler'
@@ -25,6 +27,11 @@ jobs:
       major_version: ${{ steps.parse-version.outputs.major }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Parse and validate version
         id: parse-version
         run: |
@@ -58,18 +65,22 @@ jobs:
       url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          install-dependencies: 'false'
+          enable-cache: 'false'
 
       - name: Build Prowler package
         run: poetry build
@@ -91,18 +102,22 @@ jobs:
       url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - name: Install Poetry
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Setup Python with Poetry
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          install-dependencies: 'false'
+          enable-cache: 'false'
 
       - name: Install toml package
         run: pip install toml

.github/workflows/sdk-refresh-aws-services-regions.yml

@@ -13,6 +13,8 @@ env:
   PYTHON_VERSION: '3.12'
   AWS_REGION: 'us-east-1'
 
+permissions: {}
+
 jobs:
   refresh-aws-regions:
     if: github.repository == 'prowler-cloud/prowler'
@@ -24,6 +26,11 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/sdk-refresh-oci-regions.yml

@@ -12,6 +12,8 @@ concurrency:
 env:
   PYTHON_VERSION: '3.12'
 
+permissions: {}
+
 jobs:
   refresh-oci-regions:
     if: github.repository == 'prowler-cloud/prowler'
@@ -22,6 +24,11 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/sdk-security.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   sdk-security-scans:
     if: github.repository == 'prowler-cloud/prowler'
@@ -23,6 +25,19 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            pypi.org:443
+            files.pythonhosted.org:443
+            github.com:443
+            auth.safetycli.com:443
+            pyup.io:443
+            data.safetycli.com:443
+            api.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -31,7 +46,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files:
             ./**
@@ -56,20 +71,11 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Install Poetry
+      - name: Setup Python with Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python 3.12
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: '3.12'
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
 
       - name: Security scan with Bandit
         if: steps.check-changes.outputs.any_changed == 'true'
@@ -77,7 +83,8 @@ jobs:
 
       - name: Security scan with Safety
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry run safety check -r pyproject.toml
+        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
+        run: poetry run safety check -r pyproject.toml --policy-file .safety-policy.yml
 
       - name: Dead code detection with Vulture
         if: steps.check-changes.outputs.any_changed == 'true'

.github/workflows/sdk-tests.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   sdk-tests:
     if: github.repository == 'prowler-cloud/prowler'
@@ -24,12 +26,41 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - '3.9'
           - '3.10'
           - '3.11'
           - '3.12'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            *.amazonaws.com:443
+            *.googleapis.com:443
+            schema.ocsf.io:443
+            registry-1.docker.io:443
+            production.cloudflare.docker.com:443
+            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
+            o26192.ingest.us.sentry.io:443
+            management.azure.com:443
+            login.microsoftonline.com:443
+            keybase.io:443
+            ingest.codecov.io:443
+            graph.microsoft.com:443
+            dc.services.visualstudio.com:443
+            cloud.mongodb.com:443
+            cli.codecov.io:443
+            auth.docker.io:443
+            api.vercel.com:443
+            api.atlassian.com:443
+            aka.ms:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -38,7 +69,7 @@ jobs:
 
       - name: Check for SDK changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: ./**
           files_ignore: |
@@ -61,26 +92,17 @@ jobs:
             contrib/**
             **/AGENTS.md
 
-      - name: Install Poetry
+      - name: Setup Python with Poetry
         if: steps.check-changes.outputs.any_changed == 'true'
-        run: pipx install poetry==2.1.1
-
-      - name: Set up Python ${{ matrix.python-version }}
-        if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-python-poetry
         with:
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-
-      - name: Install dependencies
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: poetry install --no-root
 
       # AWS Provider
       - name: Check if AWS files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-aws
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/aws/**
@@ -187,11 +209,11 @@ jobs:
           echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
 
           if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
           elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
             echo "No AWS service paths detected; skipping AWS tests."
           else
-            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
           fi
         env:
           STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}
@@ -210,7 +232,7 @@ jobs:
       - name: Check if Azure files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-azure
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/azure/**
@@ -234,7 +256,7 @@ jobs:
       - name: Check if GCP files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-gcp
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/gcp/**
@@ -258,7 +280,7 @@ jobs:
       - name: Check if Kubernetes files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-kubernetes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/kubernetes/**
@@ -282,7 +304,7 @@ jobs:
       - name: Check if GitHub files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-github
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/github/**
@@ -306,7 +328,7 @@ jobs:
       - name: Check if NHN files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-nhn
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/nhn/**
@@ -330,7 +352,7 @@ jobs:
       - name: Check if M365 files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-m365
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/m365/**
@@ -354,7 +376,7 @@ jobs:
       - name: Check if IaC files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-iac
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/iac/**
@@ -378,7 +400,7 @@ jobs:
       - name: Check if MongoDB Atlas files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-mongodbatlas
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/mongodbatlas/**
@@ -402,7 +424,7 @@ jobs:
       - name: Check if OCI files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-oraclecloud
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/oraclecloud/**
@@ -426,7 +448,7 @@ jobs:
       - name: Check if OpenStack files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-openstack
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/openstack/**
@@ -450,7 +472,7 @@ jobs:
       - name: Check if Google Workspace files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-googleworkspace
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/**/googleworkspace/**
@@ -470,11 +492,35 @@ jobs:
           flags: prowler-py${{ matrix.python-version }}-googleworkspace
           files: ./googleworkspace_coverage.xml
 
+      # Vercel Provider
+      - name: Check if Vercel files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-vercel
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        with:
+          files: |
+            ./prowler/**/vercel/**
+            ./tests/**/vercel/**
+            ./poetry.lock
+
+      - name: Run Vercel tests
+        if: steps.changed-vercel.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/vercel --cov-report=xml:vercel_coverage.xml tests/providers/vercel
+
+      - name: Upload Vercel coverage to Codecov
+        if: steps.changed-vercel.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-vercel
+          files: ./vercel_coverage.xml
+
       # Lib
       - name: Check if Lib files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-lib
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/lib/**
@@ -498,7 +544,7 @@ jobs:
       - name: Check if Config files changed
         if: steps.check-changes.outputs.any_changed == 'true'
         id: changed-config
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ./prowler/config/**

.github/workflows/test-impact-analysis.yml

@@ -31,6 +31,8 @@ on:
         description: "Whether there are UI E2E tests to run"
         value: ${{ jobs.analyze.outputs.has-ui-e2e }}
 
+permissions: {}
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
@@ -45,8 +47,19 @@ jobs:
       has-sdk-tests: ${{ steps.set-flags.outputs.has-sdk-tests }}
       has-api-tests: ${{ steps.set-flags.outputs.has-api-tests }}
       has-ui-e2e: ${{ steps.set-flags.outputs.has-ui-e2e }}
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -55,7 +68,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
 
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

.github/workflows/ui-bump-version.yml

@@ -13,6 +13,8 @@ env:
   PROWLER_VERSION: ${{ github.event.release.tag_name }}
   BASE_BRANCH: master
 
+permissions: {}
+
 jobs:
   detect-release-type:
     runs-on: ubuntu-latest
@@ -26,6 +28,11 @@ jobs:
       minor_version: ${{ steps.detect.outputs.minor_version }}
       patch_version: ${{ steps.detect.outputs.patch_version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Detect release type and parse version
         id: detect
         run: |
@@ -66,6 +73,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -89,7 +101,7 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_MINOR_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
@@ -143,7 +155,7 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${FIRST_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff
@@ -179,6 +191,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -208,7 +225,7 @@ jobs:
         run: |
           set -e
 
-          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${PROWLER_VERSION}|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
+          sed -i "s|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=.*|NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${NEXT_PATCH_VERSION}|" .env
 
           echo "Files modified:"
           git --no-pager diff

.github/workflows/ui-codeql.yml

@@ -26,6 +26,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   ui-analyze:
     if: github.repository == 'prowler-cloud/prowler'
@@ -44,6 +46,16 @@ jobs:
           - 'javascript-typescript'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/ui-container-build-push.yml

@@ -17,9 +17,6 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -38,6 +35,8 @@ env:
   # Build args
   NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1
 
+permissions: {}
+
 jobs:
   setup:
     if: github.repository == 'prowler-cloud/prowler'
@@ -45,7 +44,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       short-sha: ${{ steps.set-short-sha.outputs.short-sha }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Calculate short SHA
         id: set-short-sha
         run: echo "short-sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
@@ -57,7 +63,14 @@ jobs:
     timeout-minutes: 5
     outputs:
       message-ts: ${{ steps.slack-notification.outputs.ts }}
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -96,24 +109,38 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            registry-1.docker.io:443
+            production.cloudflare.docker.com:443
+            auth.docker.io:443
+            registry.npmjs.org:443
+            dl-cdn.alpinelinux.org:443
+            fonts.googleapis.com:443
+            fonts.gstatic.com:443
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build and push UI container for ${{ matrix.arch }}
         id: container-push
         if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.WORKING_DIRECTORY }}
           build-args: |
@@ -131,17 +158,27 @@ jobs:
     needs: [setup, container-build-push]
     if: always() && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+
       - name: Login to DockerHub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
       - name: Create and push manifests for push event
         if: github.event_name == 'push'
         run: |
@@ -183,7 +220,14 @@ jobs:
     needs: [setup, notify-release-started, container-build-push, create-manifest]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -226,6 +270,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Trigger UI deployment
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:

.github/workflows/ui-container-checks.yml

@@ -18,6 +18,8 @@ env:
   UI_WORKING_DIR: ./ui
   IMAGE_NAME: prowler-ui
 
+permissions: {}
+
 jobs:
   ui-dockerfile-lint:
     if: github.repository == 'prowler-cloud/prowler'
@@ -27,6 +29,13 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -35,7 +44,7 @@ jobs:
 
       - name: Check if Dockerfile changed
         id: dockerfile-changed
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: ui/Dockerfile
 
@@ -65,6 +74,26 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
+            registry.npmjs.org:443
+            dl-cdn.alpinelinux.org:443
+            fonts.googleapis.com:443
+            fonts.gstatic.com:443
+            api.github.com:443
+            mirror.gcr.io:443
+            check.trivy.dev:443
+            get.trivy.dev:443
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -73,7 +102,7 @@ jobs:
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: ui/**
           files_ignore: |
@@ -83,11 +112,11 @@ jobs:
 
       - name: Set up Docker Buildx
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build UI container for ${{ matrix.arch }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.UI_WORKING_DIR }}
           target: prod

.github/workflows/ui-e2e-tests-v2.yml

@@ -15,13 +15,14 @@ on:
       - 'ui/**'
       - 'api/**'  # API changes can affect UI E2E
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   # First, analyze which tests need to run
   impact-analysis:
     if: github.repository == 'prowler-cloud/prowler'
+    permissions:
+      contents: read
     uses: ./.github/workflows/test-impact-analysis.yml
 
   # Run E2E tests based on impact analysis
@@ -75,8 +76,15 @@ jobs:
       # Pass E2E paths from impact analysis
       E2E_TEST_PATHS: ${{ needs.impact-analysis.outputs.ui-e2e }}
       RUN_ALL_TESTS: ${{ needs.impact-analysis.outputs.run-all }}
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -152,21 +160,21 @@ jobs:
           '
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '24.13.0'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10
+          package_json_file: ui/package.json
           run_install: false
 
       - name: Get pnpm store directory
         run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm and Next.js cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ${{ env.STORE_PATH }}
@@ -186,7 +194,7 @@ jobs:
         run: pnpm run build
 
       - name: Cache Playwright browsers
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
@@ -253,7 +261,7 @@ jobs:
           fi
 
       - name: Upload test reports
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: playwright-report
@@ -273,7 +281,14 @@ jobs:
       needs.impact-analysis.outputs.has-ui-e2e != 'true' &&
       needs.impact-analysis.outputs.run-all != 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: No E2E tests needed
         run: |
           echo "## E2E Tests Skipped" >> $GITHUB_STEP_SUMMARY

.github/workflows/ui-tests.yml

@@ -18,6 +18,8 @@ env:
   UI_WORKING_DIR: ./ui
   NODE_VERSION: '24.13.0'
 
+permissions: {}
+
 jobs:
   ui-tests:
     runs-on: ubuntu-latest
@@ -29,6 +31,18 @@ jobs:
         working-directory: ./ui
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+            fonts.googleapis.com:443
+            fonts.gstatic.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -37,7 +51,7 @@ jobs:
 
       - name: Check for UI changes
         id: check-changes
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ui/**
@@ -50,7 +64,7 @@ jobs:
       - name: Get changed source files for targeted tests
         id: changed-source
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ui/**/*.ts
@@ -66,7 +80,7 @@ jobs:
       - name: Check for critical path changes (run all tests)
         id: critical-changes
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         with:
           files: |
             ui/lib/**
@@ -78,15 +92,15 @@ jobs:
 
       - name: Setup Node.js ${{ env.NODE_VERSION }}
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Setup pnpm
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10
+          package_json_file: ui/package.json
           run_install: false
 
       - name: Get pnpm store directory
@@ -96,7 +110,7 @@ jobs:
 
       - name: Setup pnpm and Next.js cache
         if: steps.check-changes.outputs.any_changed == 'true'
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ${{ env.STORE_PATH }}

.github/zizmor.yml

@@ -0,0 +1,25 @@
+rules:
+  secrets-outside-env:
+    ignore:
+      - api-bump-version.yml
+      - api-container-build-push.yml
+      - api-tests.yml
+      - backport.yml
+      - docs-bump-version.yml
+      - issue-triage.lock.yml
+      - mcp-container-build-push.yml
+      - pr-merged.yml
+      - prepare-release.yml
+      - sdk-bump-version.yml
+      - sdk-container-build-push.yml
+      - sdk-refresh-aws-services-regions.yml
+      - sdk-refresh-oci-regions.yml
+      - sdk-tests.yml
+      - ui-bump-version.yml
+      - ui-container-build-push.yml
+      - ui-e2e-tests-v2.yml
+  superfluous-actions:
+    ignore:
+      - pr-check-changelog.yml
+      - pr-conflict-checker.yml
+      - prepare-release.yml

.gitignore

@@ -60,6 +60,7 @@ htmlcov/
 **/mcp-config.json
 **/mcpServers.json
 .mcp/
+.mcp.json
 
 # AI Coding Assistants - Cursor
 .cursorignore
@@ -83,6 +84,7 @@ continue.json
 .continuerc.json
 
 # AI Coding Assistants - OpenCode
+.opencode/
 opencode.json
 
 # AI Coding Assistants - GitHub Copilot
@@ -149,6 +151,8 @@ node_modules
 
 # Persistent data
 _data/
+/openspec/
+/.gitmodules
 
 # AI Instructions (generated by skills/setup.sh from AGENTS.md)
 CLAUDE.md

.pre-commit-config.yaml

@@ -1,12 +1,11 @@
 repos:
-  ## GENERAL
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+  ## GENERAL (prek built-in — no external repo needed)
+  - repo: builtin
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
-        args: ["--unsafe"]
-        exclude: prowler/config/llm_config.yaml
+        args: ["--allow-multiple-documents"]
+        exclude: (prowler/config/llm_config.yaml|contrib/)
       - id: check-json
       - id: end-of-file-fixer
       - id: trailing-whitespace
@@ -16,7 +15,7 @@ repos:
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.13.0
+    rev: v2.16.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
@@ -24,24 +23,25 @@ repos:
 
   ## GITHUB ACTIONS
   - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.6.0
+    rev: v1.24.1
     hooks:
       - id: zizmor
         files: ^\.github/
 
   ## BASH
   - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.10.0
+    rev: v0.11.0
     hooks:
       - id: shellcheck
         exclude: contrib
 
-  ## PYTHON
+  ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
   - repo: https://github.com/myint/autoflake
-    rev: v2.3.1
+    rev: v2.3.3
     hooks:
       - id: autoflake
-        exclude: ^skills/
+        name: "SDK - autoflake"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args:
           [
             "--in-place",
@@ -50,99 +50,127 @@ repos:
           ]
 
   - repo: https://github.com/pycqa/isort
-    rev: 5.13.2
+    rev: 8.0.1
     hooks:
       - id: isort
-        exclude: ^skills/
+        name: "SDK - isort"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 26.3.1
     hooks:
       - id: black
-        exclude: ^skills/
+        name: "SDK - black"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
 
   - repo: https://github.com/pycqa/flake8
-    rev: 7.0.0
+    rev: 7.3.0
     hooks:
       - id: flake8
-        exclude: (contrib|^skills/)
+        name: "SDK - flake8"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
+  ## PYTHON — API + MCP Server (ruff)
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.11
+    hooks:
+      - id: ruff
+        name: "API + MCP - ruff check"
+        files: { glob: ["{api,mcp_server}/**/*.py"] }
+        args: ["--fix"]
+      - id: ruff-format
+        name: "API + MCP - ruff format"
+        files: { glob: ["{api,mcp_server}/**/*.py"] }
+
+  ## PYTHON — Poetry
   - repo: https://github.com/python-poetry/poetry
-    rev: 2.1.1
+    rev: 2.3.4
     hooks:
       - id: poetry-check
         name: API - poetry-check
         args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-lock
         name: API - poetry-lock
         args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-check
         name: SDK - poetry-check
         args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-lock
         name: SDK - poetry-lock
         args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
+  ## CONTAINERS
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.13.0-beta
+    rev: v2.14.0
     hooks:
       - id: hadolint
         args: ["--ignore=DL3013"]
 
+  ## LOCAL HOOKS
   - repo: local
     hooks:
       - id: pylint
-        name: pylint
-        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
+        name: "SDK - pylint"
+        entry: pylint --disable=W,C,R,E -j 0 -rn -sn
         language: system
-        files: '.*\.py'
+        types: [python]
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
 
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --since-commit HEAD --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
         # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
+        pass_filenames: false
         stages: ["pre-commit", "pre-push"]
 
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
+        entry: bandit -q -lll
         language: system
+        types: [python]
         files: '.*\.py'
+        exclude:
+          { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
 
       - id: safety
         name: safety
         description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
-        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
-        # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217'
+        # Accepted CVEs, severity threshold, and ignore expirations live in .safety-policy.yml
+        entry: safety check --policy-file .safety-policy.yml
         language: system
+        pass_filenames: false
+        files:
+          {
+            glob:
+              [
+                "**/pyproject.toml",
+                "**/poetry.lock",
+                "**/requirements*.txt",
+                ".safety-policy.yml",
+              ],
+          }
 
       - id: vulture
         name: vulture
         description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
+        entry: vulture --min-confidence 100
         language: system
+        types: [python]
         files: '.*\.py'
-
-      - id: ui-checks
-        name: UI - Husky Pre-commit
-        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
-        entry: bash -c 'cd ui && .husky/pre-commit'
-        language: system
-        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
-        pass_filenames: false
-        verbose: true

.readthedocs.yaml

@@ -13,7 +13,7 @@ build:
     post_create_environment:
       # Install poetry
       # https://python-poetry.org/docs/#installing-manually
-      - python -m pip install poetry
+      - python -m pip install poetry==2.3.4
     post_install:
       # Install dependencies with 'docs' dependency group
       # https://python-poetry.org/docs/managing-dependencies/#dependency-groups

.safety-policy.yml

@@ -0,0 +1,58 @@
+# Safety policy for `safety check` (Safety CLI 3.x, v2 schema).
+# Applied in: .pre-commit-config.yaml, .github/workflows/api-security.yml,
+# .github/workflows/sdk-security.yml via `--policy-file`.
+#
+# Validate: poetry run safety validate policy_file --path .safety-policy.yml
+
+security:
+  # Scan unpinned requirements too. Prowler pins via poetry.lock, so this is
+  # defensive against accidental unpinned entries.
+  ignore-unpinned-requirements: False
+
+  # CVSS severity filter. 7 = report only HIGH (7.0–8.9) and CRITICAL (9.0–10.0).
+  # Reference: 9=CRITICAL only, 7=CRITICAL+HIGH, 4=CRITICAL+HIGH+MEDIUM.
+  ignore-cvss-severity-below: 7
+
+  # Unknown severity is unrated, not safe. Keep False so unrated CVEs still fail
+  # the build and get a human eye. Flip to True only if noise is unmanageable.
+  ignore-cvss-unknown-severity: False
+
+  # Fail the build when a non-ignored vulnerability is found.
+  continue-on-vulnerability-error: False
+
+  # Explicit accepted vulnerabilities. Each entry MUST have a reason and an
+  # expiry. Expired entries fail the scan, forcing re-audit.
+  ignore-vulnerabilities:
+    77744:
+      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
+      expires: '2026-10-22'
+    77745:
+      reason: "Botocore requires urllib3 1.X. Remove once upgraded to urllib3 2.X."
+      expires: '2026-10-22'
+    79023:
+      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
+      expires: '2026-10-22'
+    79027:
+      reason: "knack ReDoS; blocked until azure-cli-core (via cartography) allows knack >=0.13.0."
+      expires: '2026-10-22'
+    86217:
+      reason: "alibabacloud-tea-openapi==0.4.3 blocks upgrade to cryptography >=46.0.0."
+      expires: '2026-10-22'
+    71600:
+      reason: "CVE-2024-1135 false positive. Fixed in gunicorn 22.0.0; project uses 23.0.0."
+      expires: '2026-10-22'
+    70612:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    66963:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    74429:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    76352:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'
+    76353:
+      reason: "TBD - audit required. Reason not documented in prior --ignore list."
+      expires: '2026-07-22'

.worktreeinclude

@@ -0,0 +1,2 @@
+.envrc
+ui/.env.local

AGENTS.md

@@ -140,7 +140,7 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 
 | Component | Location | Tech Stack |
 |-----------|----------|------------|
-| SDK | `prowler/` | Python 3.9+, Poetry |
+| SDK | `prowler/` | Python 3.10+, Poetry 2.3+ |
 | API | `api/` | Django 5.1, DRF, Celery |
 | UI | `ui/` | Next.js 15, React 19, Tailwind 4 |
 | MCP Server | `mcp_server/` | FastMCP, Python 3.12+ |
@@ -153,12 +153,12 @@ Prowler is an open-source cloud security assessment tool supporting AWS, Azure,
 ```bash
 # Setup
 poetry install --with dev
-poetry run pre-commit install
+poetry run prek install
 
 # Code quality
 poetry run make lint
 poetry run make format
-poetry run pre-commit run --all-files
+poetry run prek run --all-files
 ```
 
 ---

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.11-slim-bookworm AS build
+FROM python:3.12.11-slim-bookworm@sha256:519591d6871b7bc437060736b9f7456b8731f1499a57e22e6c285135ae657bf7 AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
@@ -9,6 +9,9 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
+ARG ZIZMOR_VERSION=1.24.1
+ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
+
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
@@ -48,6 +51,22 @@ RUN ARCH=$(uname -m) && \
     mkdir -p /tmp/.cache/trivy && \
     chmod 777 /tmp/.cache/trivy
 
+# Install zizmor for GitHub Actions workflow scanning
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
+    else \
+        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
+    fi && \
+    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
+    mkdir -p /tmp/zizmor-extract && \
+    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
+    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
+    chmod +x /usr/local/bin/zizmor && \
+    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
+
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -68,7 +87,7 @@ ENV HOME='/home/prowler'
 ENV PATH="${HOME}/.local/bin:${PATH}"
 #hadolint ignore=DL3013
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry
+    pip install --no-cache-dir poetry==2.3.4
 
 RUN poetry install --compile && \
     rm -rf ~/.cache/pip

README.md

@@ -3,7 +3,7 @@
   <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
-  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
+  <b><i>Prowler</b> is the Open Cloud Security Platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
 <b>Secure ANY cloud at AI Speed at <a href="https://prowler.com">prowler.com</i></b>
@@ -41,7 +41,7 @@
 
 # Description
 
-**Prowler** is the world’s most widely used _open-source cloud security platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
+**Prowler** is the world’s most widely used _Open-Source Cloud Security Platform_ that automates security and compliance across **any cloud environment**. With hundreds of ready-to-use security checks, remediation guidance, and compliance frameworks, Prowler is built to _“Secure ANY Cloud at AI Speed”_. Prowler delivers **AI-driven**, **customizable**, and **easy-to-use** assessments, dashboards, reports, and integrations, making cloud security **simple**, **scalable**, and **cost-effective** for organizations of any size.
 
 Prowler includes hundreds of built-in controls to ensure compliance with standards and frameworks, including:
 
@@ -119,6 +119,7 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
 | Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
 | OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
+| Vercel | 30 | 6 | 0 | 5 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]
@@ -239,9 +240,17 @@ pnpm start
 
 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.
 
+**Pre-commit Hooks Setup**
+
+Some pre-commit hooks require tools installed on your system:
+
+1. **Install [TruffleHog](https://github.com/trufflesecurity/trufflehog#install)** (secret scanning) — see the [official installation options](https://github.com/trufflesecurity/trufflehog#install).
+
+2. **Install [Hadolint](https://github.com/hadolint/hadolint#install)** (Dockerfile linting) — see the [official installation options](https://github.com/hadolint/hadolint#install).
+
 ## Prowler CLI
 ### Pip package
-Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >3.9.1, <3.13:
+Prowler CLI is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/). Consequently, it can be installed using pip with Python >=3.10, <3.13:
 
 ```console
 pip install prowler
@@ -273,7 +282,7 @@ The container images are available here:
 
 ### From GitHub
 
-Python >3.9.1, <3.13 is required with pip and Poetry:
+Python >=3.10, <3.13 is required with pip and Poetry:
 
 ``` console
 git clone https://github.com/prowler-cloud/prowler
@@ -291,6 +300,36 @@ python prowler-cli.py -v
 > If your Poetry version is below v2.0.0, continue using `poetry shell` to activate your environment.
 > For further guidance, refer to the Poetry Environment Activation Guide https://python-poetry.org/docs/managing-environments/#activating-the-environment.
 
+# 🛡️ GitHub Action
+
+The official **Prowler GitHub Action** runs Prowler scans in your GitHub workflows using the official [`prowlercloud/prowler`](https://hub.docker.com/r/prowlercloud/prowler) Docker image. Scans run on any [supported provider](https://docs.prowler.com/user-guide/providers/), with optional [`--push-to-cloud`](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings) to send findings to Prowler Cloud and optional SARIF upload so findings show up in the repo's **Security → Code scanning** tab and as inline PR annotations.
+
+```yaml
+name: Prowler IaC Scan
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  prowler:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: prowler-cloud/prowler@5.25
+        with:
+          provider: iac
+          output-formats: sarif json-ocsf
+          upload-sarif: true
+          flags: --severity critical high
+```
+
+Full configuration, per-provider authentication, and SARIF examples: [Prowler GitHub Action tutorial](docs/user-guide/tutorials/prowler-app-github-action.mdx). Marketplace listing: [Prowler Security Scan](https://github.com/marketplace/actions/prowler-security-scan).
+
 # ✏️ High level architecture
 
 ## Prowler App
@@ -301,7 +340,10 @@ python prowler-cli.py -v
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
 - **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.
 
-![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)
+![Prowler App Architecture](docs/images/products/prowler-app-architecture.png)
+
+<!-- Diagram source: docs/images/products/prowler-app-architecture.mmd — edit there, re-render at https://mermaid.live, and replace the PNG. -->
+
 
 ## Prowler CLI
 

action.yml

@@ -0,0 +1,307 @@
+name: Prowler Security Scan
+description: Run Prowler cloud security scanner using the official Docker image
+branding:
+  icon: cloud
+  color: green
+
+inputs:
+  provider:
+    description: Cloud provider to scan (e.g. aws, azure, gcp, github, kubernetes, iac). See https://docs.prowler.com for supported providers.
+    required: true
+  image-tag:
+    description: >
+      Docker image tag for prowlercloud/prowler.
+      Default is "stable" (latest release). Available tags:
+      "stable" (latest release), "latest" (master branch, not stable),
+      "<x.y.z>" (pinned release version).
+      See all tags at https://hub.docker.com/r/prowlercloud/prowler/tags
+    required: false
+    default: stable
+  output-formats:
+    description: Output format(s) for scan results (e.g. "json-ocsf", "sarif json-ocsf")
+    required: false
+    default: json-ocsf
+  push-to-cloud:
+    description: Push scan findings to Prowler Cloud. Requires the PROWLER_CLOUD_API_KEY environment variable. See https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli
+    required: false
+    default: "false"
+  flags:
+    description: 'Additional CLI flags passed to the Prowler scan (e.g. "--severity critical high --compliance cis_aws"). Values containing spaces can be quoted, e.g. "--resource-tag ''Environment=My Server''".'
+    required: false
+    default: ""
+  extra-env:
+    description: >
+      Space-, newline-, or comma-separated list of host environment variable NAMES to forward to the Prowler container
+      (e.g. "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN" for AWS,
+      "GITHUB_PERSONAL_ACCESS_TOKEN" for GitHub, "CLOUDFLARE_API_TOKEN" for Cloudflare).
+      List names only; set the values via `env:` at the workflow or job level (typically from `secrets.*`).
+      See the README for per-provider examples.
+    required: false
+    default: ""
+  upload-sarif:
+    description: 'Upload SARIF results to GitHub Code Scanning (requires "sarif" in output-formats and both `security-events: write` and `actions: read` permissions)'
+    required: false
+    default: "false"
+  sarif-file:
+    description: Path to the SARIF file to upload (auto-detected from output/ if not set)
+    required: false
+    default: ""
+  sarif-category:
+    description: Category for the SARIF upload (used to distinguish multiple analyses)
+    required: false
+    default: prowler
+  fail-on-findings:
+    description: Fail the workflow step when Prowler detects findings (exit code 3). By default the action tolerates findings and succeeds.
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Validate inputs
+      shell: bash
+      env:
+        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
+        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
+        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
+      run: |
+        # Validate image tag format (alphanumeric, dots, hyphens, underscores only)
+        if [[ ! "$INPUT_IMAGE_TAG" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid image-tag '${INPUT_IMAGE_TAG}'. Must contain only alphanumeric characters, dots, hyphens, and underscores."
+          exit 1
+        fi
+
+        # Warn if upload-sarif is enabled but sarif not in output-formats
+        if [ "$INPUT_UPLOAD_SARIF" = "true" ]; then
+          if [[ ! "$INPUT_OUTPUT_FORMATS" =~ (^|[[:space:]])sarif($|[[:space:]]) ]]; then
+            echo "::warning::upload-sarif is enabled but 'sarif' is not included in output-formats ('${INPUT_OUTPUT_FORMATS}'). SARIF upload will fail unless you add 'sarif' to output-formats."
+          fi
+        fi
+
+    - name: Run Prowler scan
+      shell: bash
+      env:
+        INPUT_PROVIDER: ${{ inputs.provider }}
+        INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
+        INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
+        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
+        INPUT_FLAGS: ${{ inputs.flags }}
+        INPUT_EXTRA_ENV: ${{ inputs.extra-env }}
+        INPUT_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
+      run: |
+        set -e
+
+        # Parse space-separated inputs with shlex so values with spaces can be quoted
+        # (e.g. `--resource-tag 'Environment=My Server'`).
+        mapfile -t OUTPUT_FORMATS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_OUTPUT_FORMATS", ""))]')
+        mapfile -t EXTRA_FLAGS < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_FLAGS", ""))]')
+        mapfile -t EXTRA_ENV_NAMES < <(python3 -c 'import shlex, os; [print(t) for t in shlex.split(os.environ.get("INPUT_EXTRA_ENV", "").replace(",", " "))]')
+
+        env_args=()
+        for var in "${EXTRA_ENV_NAMES[@]}"; do
+          [ -z "$var" ] && continue
+          if [[ ! "$var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
+            echo "::error::Invalid env var name '${var}' in extra-env. Names must match ^[A-Za-z_][A-Za-z0-9_]*$."
+            exit 1
+          fi
+          env_args+=("-e" "$var")
+        done
+
+        push_args=()
+        if [ "$INPUT_PUSH_TO_CLOUD" = "true" ]; then
+          push_args=("--push-to-cloud")
+          env_args+=("-e" "PROWLER_CLOUD_API_KEY")
+        fi
+
+        mkdir -p "$GITHUB_WORKSPACE/output"
+        chmod 777 "$GITHUB_WORKSPACE/output"
+
+        set +e
+        docker run --rm \
+          "${env_args[@]}" \
+          -v "$GITHUB_WORKSPACE:/home/prowler/workspace" \
+          -v "$GITHUB_WORKSPACE/output:/home/prowler/workspace/output" \
+          -w /home/prowler/workspace \
+          "prowlercloud/prowler:${INPUT_IMAGE_TAG}" \
+          "$INPUT_PROVIDER" \
+          --output-formats "${OUTPUT_FORMATS[@]}" \
+          "${push_args[@]}" \
+          "${EXTRA_FLAGS[@]}"
+        exit_code=$?
+        set -e
+
+        # Exit code 3 = findings detected
+        if [ "$exit_code" -eq 3 ] && [ "$INPUT_FAIL_ON_FINDINGS" != "true" ]; then
+          echo "::notice::Prowler detected findings (exit code 3). Set fail-on-findings to 'true' to fail the workflow on findings."
+          exit 0
+        fi
+        exit $exit_code
+
+    - name: Upload scan results
+      if: always()
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      with:
+        name: prowler-${{ inputs.provider }}
+        path: output/
+        retention-days: 30
+        if-no-files-found: warn
+
+    - name: Find SARIF file
+      if: always() && inputs.upload-sarif == 'true'
+      id: find-sarif
+      shell: bash
+      env:
+        INPUT_SARIF_FILE: ${{ inputs.sarif-file }}
+      run: |
+        if [ -n "$INPUT_SARIF_FILE" ]; then
+          echo "sarif_path=$INPUT_SARIF_FILE" >> "$GITHUB_OUTPUT"
+        else
+          sarif_file=$(find output/ -name '*.sarif' -type f | head -1)
+          if [ -z "$sarif_file" ]; then
+            echo "::warning::No .sarif file found in output/. Ensure 'sarif' is included in output-formats."
+            echo "sarif_path=" >> "$GITHUB_OUTPUT"
+          else
+            echo "sarif_path=$sarif_file" >> "$GITHUB_OUTPUT"
+          fi
+        fi
+
+    - name: Upload SARIF to GitHub Code Scanning
+      if: always() && inputs.upload-sarif == 'true' && steps.find-sarif.outputs.sarif_path != ''
+      uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      with:
+        sarif_file: ${{ steps.find-sarif.outputs.sarif_path }}
+        category: ${{ inputs.sarif-category }}
+
+    - name: Write scan summary
+      if: always()
+      shell: bash
+      env:
+        INPUT_PROVIDER: ${{ inputs.provider }}
+        INPUT_UPLOAD_SARIF: ${{ inputs.upload-sarif }}
+        INPUT_PUSH_TO_CLOUD: ${{ inputs.push-to-cloud }}
+        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+        BRANCH: ${{ github.head_ref || github.ref_name }}
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        set +e
+
+        # Build a link to the scan step in the workflow logs. Requires `actions: read`
+        # on the caller's GITHUB_TOKEN; silently skips the link if unavailable.
+        scan_step_url=""
+        if [ -n "${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then
+          job_info=$(gh api \
+            "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT:-1}/jobs" \
+            --jq ".jobs[] | select(.runner_name == \"${RUNNER_NAME:-}\")" 2>/dev/null)
+          if [ -n "$job_info" ]; then
+            job_id=$(jq -r '.id // empty' <<<"$job_info")
+            step_number=$(jq -r '[.steps[]? | select((.name // "") | test("Run Prowler scan"; "i")) | .number] | first // empty' <<<"$job_info")
+            if [ -z "$step_number" ]; then
+              step_number=$(jq -r '[.steps[]? | select(.status == "in_progress") | .number] | first // empty' <<<"$job_info")
+            fi
+            if [ -n "$job_id" ] && [ -n "$step_number" ]; then
+              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}#step:${step_number}:1"
+            elif [ -n "$job_id" ]; then
+              scan_step_url="${REPO_URL}/actions/runs/${GITHUB_RUN_ID}/job/${job_id}"
+            fi
+          fi
+        fi
+
+        # Map provider code to a properly-cased display name.
+        case "$INPUT_PROVIDER" in
+          alibabacloud)    provider_name="Alibaba Cloud" ;;
+          aws)             provider_name="AWS" ;;
+          azure)           provider_name="Azure" ;;
+          cloudflare)      provider_name="Cloudflare" ;;
+          gcp)             provider_name="GCP" ;;
+          github)          provider_name="GitHub" ;;
+          googleworkspace) provider_name="Google Workspace" ;;
+          iac)             provider_name="IaC" ;;
+          image)           provider_name="Container Image" ;;
+          kubernetes)      provider_name="Kubernetes" ;;
+          llm)             provider_name="LLM" ;;
+          m365)            provider_name="Microsoft 365" ;;
+          mongodbatlas)    provider_name="MongoDB Atlas" ;;
+          nhn)             provider_name="NHN" ;;
+          openstack)       provider_name="OpenStack" ;;
+          oraclecloud)     provider_name="Oracle Cloud" ;;
+          vercel)          provider_name="Vercel" ;;
+          *)               provider_name="${INPUT_PROVIDER^}" ;;
+        esac
+
+        ocsf_file=$(find output/ -name '*.ocsf.json' -type f 2>/dev/null | head -1)
+
+        {
+          echo "## Prowler ${provider_name} Scan Summary"
+          echo ""
+
+          counts=""
+          if [ -n "$ocsf_file" ] && [ -s "$ocsf_file" ]; then
+            counts=$(jq -r '[
+                length,
+                ([.[] | select(.status_code == "FAIL")] | length),
+                ([.[] | select(.status_code == "PASS")] | length),
+                ([.[] | select(.status_code == "MUTED")] | length),
+                ([.[] | select(.status_code == "FAIL" and .severity == "Critical")] | length),
+                ([.[] | select(.status_code == "FAIL" and .severity == "High")] | length),
+                ([.[] | select(.status_code == "FAIL" and .severity == "Medium")] | length),
+                ([.[] | select(.status_code == "FAIL" and .severity == "Low")] | length),
+                ([.[] | select(.status_code == "FAIL" and .severity == "Informational")] | length)
+              ] | @tsv' "$ocsf_file" 2>/dev/null)
+          fi
+
+          if [ -n "$counts" ]; then
+            read -r total fail pass muted critical high medium low info <<<"$counts"
+
+            line="**${fail:-0} failing** · ${pass:-0} passing"
+            [ "${muted:-0}" -gt 0 ] && line="${line} · ${muted} muted"
+            echo "${line} — ${total:-0} checks total"
+            echo ""
+            echo "| Severity | Failing |"
+            echo "|----------|---------|"
+            echo "| ‼️ Critical | ${critical:-0} |"
+            echo "| 🔴 High | ${high:-0} |"
+            echo "| 🟠 Medium | ${medium:-0} |"
+            echo "| 🔵 Low | ${low:-0} |"
+            echo "| ⚪ Informational | ${info:-0} |"
+            echo ""
+          else
+            echo "_No findings report was produced. Check the scan logs above._"
+            echo ""
+          fi
+
+          if [ -n "$scan_step_url" ]; then
+            echo "**Scan logs:** [view in workflow run](${scan_step_url})"
+            echo ""
+          fi
+
+          echo "**Get the full report:** [\`prowler-${INPUT_PROVIDER}\` artifact](${RUN_URL}#artifacts)"
+
+          if [ "$INPUT_UPLOAD_SARIF" = "true" ] && [ -n "$BRANCH" ]; then
+            encoded_branch=$(jq -nr --arg b "$BRANCH" '$b|@uri')
+            echo ""
+            echo "**See results in GitHub Code Security:** [open alerts on \`${BRANCH}\`](${REPO_URL}/security/code-scanning?query=is%3Aopen+branch%3A${encoded_branch})"
+          fi
+
+          if [ "$INPUT_PUSH_TO_CLOUD" != "true" ]; then
+            echo ""
+            echo "---"
+            echo ""
+            echo "### Scale ${provider_name} security with Prowler Cloud ☁️"
+            echo ""
+            echo "Send this scan's findings to **[Prowler Cloud](https://cloud.prowler.com)** and get:"
+            echo ""
+            echo "- **Unified findings** across every cloud, SaaS provider (M365, Google Workspace, GitHub, MongoDB Atlas), IaC repo, Kubernetes cluster, and container image"
+            echo "- **Posture over time** with alerts, and notifications"
+            echo "- **Prowler Lighthouse AI**: agentic assistant that triages findings, explains root cause and helps with remediation"
+            echo "- **50+ Compliance frameworks** mapped automatically"
+            echo "- **Enterprise-ready platform**: SOC 2 Type 2, SSO/SAML, AWS Security Hub, S3 and Jira integrations"
+            echo ""
+            echo "**Get started in 3 steps:**"
+            echo "1. Create an account at [cloud.prowler.com](https://cloud.prowler.com)"
+            echo "2. Generate a Prowler Cloud API key ([docs](https://docs.prowler.com/user-guide/tutorials/prowler-app-import-findings#using-the-cli))"
+            echo "3. Add \`PROWLER_CLOUD_API_KEY\` to your GitHub secrets and set \`push-to-cloud: true\` on this action"
+            echo ""
+            echo "See [prowler.com/pricing](https://prowler.com/pricing) for plan details."
+          fi
+        } >> "$GITHUB_STEP_SUMMARY"

api/CHANGELOG.md

@@ -2,6 +2,143 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
+## [1.26.0] (Prowler v5.25.0)
+
+### 🚀 Added
+
+- CIS Benchmark PDF report generation for scans, exposing the latest CIS version per provider via `GET /scans/{id}/cis/{name}/` [(#10650)](https://github.com/prowler-cloud/prowler/pull/10650)
+- `/overviews/resource-groups` (resource inventory), `/overviews/categories` and `/overviews/attack-surfaces` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task now also dispatches `aggregate_scan_resource_group_summaries_task`, `aggregate_scan_category_summaries_task` and `aggregate_attack_surface_task` per latest scan of every `(provider, day)` pair, rebuilding `ScanGroupSummary`, `ScanCategorySummary` and `AttackSurfaceOverview` alongside the tables already covered in #10827 [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
+- Install zizmor v1.24.1 in API Docker image for GitHub Actions workflow scanning [(#10607)](https://github.com/prowler-cloud/prowler/pull/10607)
+
+### 🔄 Changed
+
+- Allows tenant owners to expel users from their organizations  [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
+- `aggregate_findings`, `aggregate_attack_surface`, `aggregate_scan_resource_group_summaries` and `aggregate_scan_category_summaries` now upsert via `bulk_create(update_conflicts=True, ...)` instead of the prior `ignore_conflicts=True` / plain INSERT / `already backfilled` short-circuit. Re-runs triggered by the post-mute reaggregation pipeline no longer trip the `unique_*_per_scan` constraints nor silently drop updates, and are race-safe under concurrent writers (e.g. scan completion overlapping with a fresh mute rule) [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
+- Rename the scan-category and scan-resource-group summary aggregators from `backfill_*` to `aggregate_*` [(#10843)](https://github.com/prowler-cloud/prowler/pull/10843)
+
+### 🐞 Fixed
+
+- `generate_outputs_task` crashing with `KeyError` for compliance frameworks listed by `get_compliance_frameworks` but not loadable by `Compliance.get_bulk` [(#10903)](https://github.com/prowler-cloud/prowler/pull/10903)
+
+---
+
+## [1.25.4] (Prowler v5.24.4)
+
+### 🚀 Added
+
+- `DJANGO_SENTRY_TRACES_SAMPLE_RATE` env var (default `0.02`) enables Sentry performance tracing for the API [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
+
+### 🔄 Changed
+
+- Attack Paths: Neo4j driver `connection_acquisition_timeout` is now configurable via `NEO4J_CONN_ACQUISITION_TIMEOUT` (default lowered from 120 s to 15 s) [(#10873)](https://github.com/prowler-cloud/prowler/pull/10873)
+
+### 🐞 Fixed
+
+- `/tmp/prowler_api_output` saturation in compliance report workers: the final `rmtree` in `generate_compliance_reports` now only waits on frameworks actually generated for the provider (so unsupported frameworks no longer leave a placeholder `results` entry that blocks cleanup), output directories are created lazily per enabled framework, and both `generate_compliance_reports` and `generate_outputs_task` run an opportunistic stale cleanup at task start with a 48h age threshold, a per-host `fcntl` throttle, a 50-deletions-per-run cap, and guards that protect EXECUTING scans and scans whose `output_location` still points to a local path (metadata lookups routed through the admin DB so RLS does not hide those rows) [(#10874)](https://github.com/prowler-cloud/prowler/pull/10874)
+
+---
+
+## [1.25.3] (Prowler v5.24.3)
+
+### 🚀 Added
+
+- `/overviews/findings`, `/overviews/findings-severity` and `/overviews/services` now reflect newly-muted findings without waiting for the next scan. The post-mute `reaggregate-all-finding-group-summaries` task was extended to re-run the same per-scan pipeline that scan completion runs (`ScanSummary`, `DailySeveritySummary`, `FindingGroupDailySummary`) on the latest scan of every `(provider, day)` pair, keeping the pre-aggregated tables in sync with `Finding.muted` updates [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
+
+### 🐞 Fixed
+
+- Finding groups aggregated `status` now treats muted findings as resolved: a group is `FAIL` only while at least one non-muted FAIL remains, otherwise it is `PASS` (including fully-muted groups). The `filter[status]` filter and the `sort=status` ordering share the same semantics, keeping `status` consistent with `fail_count` and the orthogonal `muted` flag [(#10825)](https://github.com/prowler-cloud/prowler/pull/10825)
+- `aggregate_findings` is now idempotent: it deletes the scan's existing `ScanSummary` rows before `bulk_create`, so re-runs (such as the post-mute reaggregation pipeline) no longer violate the `unique_scan_summary` constraint and no longer abort the downstream `DailySeveritySummary` / `FindingGroupDailySummary` recomputation for the affected scan [(#10827)](https://github.com/prowler-cloud/prowler/pull/10827)
+- Attack Paths: Findings on AWS were silently dropped during the Neo4j merge for resources whose Cartography node is keyed by a short identifier (e.g. EC2 instances) rather than the full ARN [(#10839)](https://github.com/prowler-cloud/prowler/pull/10839)
+
+---
+
+## [1.25.2] (Prowler v5.24.2)
+
+### 🔄 Changed
+
+- Finding groups `/resources` endpoints now materialize the filtered finding IDs into a Python list before filtering `ResourceFindingMapping`, so PostgreSQL switches from a Merge Semi Join that read hundreds of thousands of RFM index entries to a Nested Loop Index Scan over `finding_id`. The `has_mappings.exists()` pre-check is removed, and a request-scoped cache deduplicates the finding-id round-trip across the helpers that build different RFM querysets [(#10816)](https://github.com/prowler-cloud/prowler/pull/10816)
+
+### 🐞 Fixed
+
+- `/finding-groups/latest/<check_id>/resources` now selects the latest completed scan per provider by `-completed_at` (then `-inserted_at`) instead of `-inserted_at`, matching the `/finding-groups/latest` summary path and the daily-summary upsert so overlapping scans no longer produce diverging `delta`/`new_count` between the two endpoints [(#10802)](https://github.com/prowler-cloud/prowler/pull/10802)
+
+
+## [1.25.1] (Prowler v5.24.1)
+
+### 🔄 Changed
+
+- Attack Paths: Restore `SYNC_BATCH_SIZE` and `FINDINGS_BATCH_SIZE` defaults to 1000, upgrade Cartography to 0.135.0, enable Celery queue priority for cleanup task, rewrite Finding insertion, remove AWS graph cleanup and add timing logs [(#10729)](https://github.com/prowler-cloud/prowler/pull/10729)
+
+### 🐞 Fixed
+
+- Finding group resources endpoints now include findings without associated resources (orphaned IaC findings) as simulated resource rows, and return one row per finding when multiple findings share a resource [(#10708)](https://github.com/prowler-cloud/prowler/pull/10708)
+- Attack Paths: Missing `tenant_id` filter while getting related findings after scan completes [(#10722)](https://github.com/prowler-cloud/prowler/pull/10722)
+- Finding group counters `pass_count`, `fail_count` and `manual_count` now exclude muted findings [(#10753)](https://github.com/prowler-cloud/prowler/pull/10753)
+- Silent data loss in `ResourceFindingMapping` bulk insert that left findings orphaned when `INSERT ... ON CONFLICT DO NOTHING` dropped rows without raising; added explicit `unique_fields` [(#10724)](https://github.com/prowler-cloud/prowler/pull/10724)
+- `DELETE /tenants/{tenant_pk}/memberships/{id}` now deletes the expelled user's account when the removed membership was their last one, and blacklists every outstanding refresh token for that user so their existing sessions can no longer mint new access tokens [(#10787)](https://github.com/prowler-cloud/prowler/pull/10787)
+
+---
+
+## [1.25.0] (Prowler v5.24.0)
+
+### 🔄 Changed
+
+- Bump Poetry to `2.3.4` in Dockerfile and pre-commit hooks. Regenerate `api/poetry.lock` [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681)
+- Attack Paths: Remove dead `cleanup_findings` no-op and its supporting `prowler_finding_lastupdated` index [(#10684)](https://github.com/prowler-cloud/prowler/pull/10684)
+
+### 🐞 Fixed
+
+- Worker-beat race condition on cold start: replaced `sleep 15` with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to `8080` [(#10603)](https://github.com/prowler-cloud/prowler/pull/10603)
+- API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation [(#10646)](https://github.com/prowler-cloud/prowler/pull/10646)
+
+### 🔐 Security
+
+- `pytest` from 8.2.2 to 9.0.3 to fix CVE-2025-71176 [(#10678)](https://github.com/prowler-cloud/prowler/pull/10678)
+
+---
+
+## [1.24.0] (Prowler v5.23.0)
+
+### 🚀 Added
+
+- RBAC role lookup filtered by `tenant_id` to prevent cross-tenant privilege leak [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
+- `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
+- `Vercel` provider support [(#10190)](https://github.com/prowler-cloud/prowler/pull/10190)
+- Finding groups list and latest endpoints support `sort=delta`, ordering by `new_count` then `changed_count` so groups with the most new findings rank highest [(#10606)](https://github.com/prowler-cloud/prowler/pull/10606)
+- Finding group resources endpoints (`/finding-groups/{check_id}/resources` and `/finding-groups/latest/{check_id}/resources`) now expose `finding_id` per row, pointing to the most recent matching Finding for each resource. UUIDv7 ordering guarantees `Max(finding__id)` resolves to the latest snapshot [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
+- Handle CIS and CISA SCuBA compliance framework from google workspace [(#10629)](https://github.com/prowler-cloud/prowler/pull/10629)
+- Sort support for all finding group counter fields: `pass_muted_count`, `fail_muted_count`, `manual_muted_count`, and all `new_*`/`changed_*` status-mute breakdown counters [(#10655)](https://github.com/prowler-cloud/prowler/pull/10655)
+
+### 🔄 Changed
+
+- Finding groups list/latest/resources now expose `status` ∈ `{FAIL, PASS, MANUAL}` and `muted: bool` as orthogonal fields. The aggregated `status` reflects the underlying check outcome regardless of mute state, and `muted=true` signals that every finding in the group/resource is muted. New `manual_count` is exposed alongside `pass_count`/`fail_count`, plus `pass_muted_count`/`fail_muted_count`/`manual_muted_count` siblings so clients can isolate the muted half of each status. The `new_*`/`changed_*` deltas are now broken down by status and mute state via 12 new counters (`new_fail_count`, `new_fail_muted_count`, `new_pass_count`, `new_pass_muted_count`, `new_manual_count`, `new_manual_muted_count` and the matching `changed_*` set). New `filter[muted]=true|false` and `sort=status` (FAIL > PASS > MANUAL) / `sort=muted` are supported. `filter[status]=MUTED` is no longer accepted [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
+- Attack Paths: Periodic cleanup of stale scans with dead-worker detection via Celery inspect, marking orphaned `EXECUTING` scans as `FAILED` and recovering `graph_data_ready` [(#10387)](https://github.com/prowler-cloud/prowler/pull/10387)
+- Attack Paths: Replace `_provider_id` property with `_Provider_{uuid}` label for provider isolation, add regex-based label injection for custom queries [(#10402)](https://github.com/prowler-cloud/prowler/pull/10402)
+
+### 🐞 Fixed
+
+- `reaggregate_all_finding_group_summaries_task` now refreshes finding group daily summaries for every `(provider, day)` combination instead of only the latest scan per provider, matching the unbounded scope of `mute_historical_findings_task`. Mute rule operations no longer leave older daily summaries drifting from the underlying muted findings [(#10630)](https://github.com/prowler-cloud/prowler/pull/10630)
+- Finding groups list/latest now apply computed status/severity filters and finding-level prefilters (delta, region, service, category, resource group, scan, resource type), plus `check_title` support for sort/filter consistency [(#10428)](https://github.com/prowler-cloud/prowler/pull/10428)
+- Populate compliance data inside `check_metadata` for findings, which was always returned as `null` [(#10449)](https://github.com/prowler-cloud/prowler/pull/10449)
+- 403 error for admin users listing tenants due to roles query not using the admin database connection [(#10460)](https://github.com/prowler-cloud/prowler/pull/10460)
+- Filter transient Neo4j defunct connection logs in Sentry `before_send` to suppress false-positive alerts handled by `RetryableSession` retries [(#10452)](https://github.com/prowler-cloud/prowler/pull/10452)
+- `MANAGE_ACCOUNT` permission no longer required for listing and creating tenants [(#10468)](https://github.com/prowler-cloud/prowler/pull/10468)
+- Finding groups muted filter, counters, metadata extraction and mute reaggregation [(#10477)](https://github.com/prowler-cloud/prowler/pull/10477)
+- Finding groups `check_title__icontains` resolution, `name__icontains` resource filter and `resource_group` field in `/resources` response [(#10486)](https://github.com/prowler-cloud/prowler/pull/10486)
+- Membership `post_delete` signal using raw FK ids to avoid `DoesNotExist` during cascade deletions [(#10497)](https://github.com/prowler-cloud/prowler/pull/10497)
+- Finding group resources endpoints returning false 404 when filters match no results, and `sort` parameter being ignored [(#10510)](https://github.com/prowler-cloud/prowler/pull/10510)
+- Jira integration failing with `JiraInvalidIssueTypeError` on non-English Jira instances due to hardcoded `"Task"` issue type; now dynamically fetches available issue types per project [(#10534)](https://github.com/prowler-cloud/prowler/pull/10534)
+- Finding group `first_seen_at` now reflects when a new finding appeared in the scan instead of the oldest carry-forward date across all unchanged findings [(#10595)](https://github.com/prowler-cloud/prowler/pull/10595)
+- Attack Paths: Remove `clear_cache` call from read-only query endpoints; cache clearing belongs to the scan/ingestion flow, not API queries [(#10586)](https://github.com/prowler-cloud/prowler/pull/10586)
+
+### 🔐 Security
+
+- Pin all unpinned dependencies to exact versions to prevent supply chain attacks and ensure reproducible builds [(#10469)](https://github.com/prowler-cloud/prowler/pull/10469)
+- `authlib` bumped from 1.6.6 to 1.6.9 to fix CVE-2026-28802 (JWT `alg: none` validation bypass) [(#10579)](https://github.com/prowler-cloud/prowler/pull/10579)
+- `aiohttp` bumped from 3.13.3 to 3.13.5 to fix CVE-2026-34520 (the C parser accepted null bytes and control characters in response headers) [(#10538)](https://github.com/prowler-cloud/prowler/pull/10538)
+
+---
+
 ## [1.23.0] (Prowler v5.22.0)
 
 ### 🚀 Added

api/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.10-slim-bookworm AS build
+FROM python:3.12.10-slim-bookworm@sha256:fd95fa221297a88e1cf49c55ec1828edd7c5a428187e67b5d1805692d11588db AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/api"
 
@@ -8,6 +8,9 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 ARG TRIVY_VERSION=0.69.2
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
+ARG ZIZMOR_VERSION=1.24.1
+ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
+
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     wget \
@@ -22,6 +25,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libtool \
     libxslt1-dev \
     python3-dev \
+    git \
     && rm -rf /var/lib/apt/lists/*
 
 # Install PowerShell
@@ -57,6 +61,22 @@ RUN ARCH=$(uname -m) && \
     mkdir -p /tmp/.cache/trivy && \
     chmod 777 /tmp/.cache/trivy
 
+# Install zizmor for GitHub Actions workflow scanning
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
+    else \
+        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
+    fi && \
+    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
+    mkdir -p /tmp/zizmor-extract && \
+    tar zxf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract && \
+    mv /tmp/zizmor-extract/zizmor /usr/local/bin/zizmor && \
+    chmod +x /usr/local/bin/zizmor && \
+    rm -rf /tmp/zizmor.tar.gz /tmp/zizmor-extract
+
 # Add prowler user
 RUN addgroup --gid 1000 prowler && \
     adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
@@ -71,7 +91,7 @@ RUN mkdir -p /tmp/prowler_api_output
 COPY pyproject.toml ./
 
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir poetry
+    pip install --no-cache-dir poetry==2.3.4
 
 ENV PATH="/home/prowler/.local/bin:$PATH"
 

api/docker-entrypoint.sh

@@ -30,14 +30,32 @@ start_prod_server() {
   poetry run gunicorn -c config/guniconf.py config.wsgi:application
 }
 
+resolve_worker_hostname() {
+  TASK_ID=""
+
+  if [ -n "$ECS_CONTAINER_METADATA_URI_V4" ]; then
+    TASK_ID=$(wget -qO- --timeout=2 "${ECS_CONTAINER_METADATA_URI_V4}/task" | \
+      python3 -c "import sys,json; print(json.load(sys.stdin)['TaskARN'].split('/')[-1])" 2>/dev/null)
+  fi
+
+  if [ -z "$TASK_ID" ]; then
+    TASK_ID=$(python3 -c "import uuid; print(uuid.uuid4().hex)")
+  fi
+
+  echo "${TASK_ID}@$(hostname)"
+}
+
 start_worker() {
   echo "Starting the worker..."
-  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans -E --max-tasks-per-child 1
+  poetry run python -m celery -A config.celery worker \
+    -n "$(resolve_worker_hostname)" \
+    -l "${DJANGO_LOGGING_LEVEL:-info}" \
+    -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance,attack-paths-scans \
+    -E --max-tasks-per-child 1
 }
 
 start_worker_beat() {
   echo "Starting the worker-beat..."
-  sleep 15
   poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler
 }
 

api/pyproject.toml

@@ -5,44 +5,44 @@ requires = ["poetry-core"]
 [project]
 authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
-  "celery (>=5.4.0,<6.0.0)",
+  "celery (==5.6.2)",
   "dj-rest-auth[with_social,jwt] (==7.0.1)",
   "django (==5.1.15)",
-  "django-allauth[saml] (>=65.13.0,<66.0.0)",
-  "django-celery-beat (>=2.7.0,<3.0.0)",
-  "django-celery-results (>=2.5.1,<3.0.0)",
+  "django-allauth[saml] (==65.15.0)",
+  "django-celery-beat (==2.9.0)",
+  "django-celery-results (==2.6.0)",
   "django-cors-headers==4.4.0",
   "django-environ==0.11.2",
   "django-filter==24.3",
   "django-guid==3.5.0",
-  "django-postgres-extra (>=2.0.8,<3.0.0)",
+  "django-postgres-extra (==2.0.9)",
   "djangorestframework==3.15.2",
   "djangorestframework-jsonapi==7.0.2",
-  "djangorestframework-simplejwt (>=5.3.1,<6.0.0)",
-  "drf-nested-routers (>=0.94.1,<1.0.0)",
+  "djangorestframework-simplejwt (==5.5.1)",
+  "drf-nested-routers (==0.95.0)",
   "drf-spectacular==0.27.2",
   "drf-spectacular-jsonapi==0.5.1",
   "defusedxml==0.7.1",
   "gunicorn==23.0.0",
   "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.25",
   "psycopg2-binary==2.9.9",
-  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
-  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
+  "pytest-celery[redis] (==1.3.0)",
+  "sentry-sdk[django] (==2.56.0)",
   "uuid6==2024.7.10",
-  "openai (>=1.82.0,<2.0.0)",
+  "openai (==1.109.1)",
   "xmlsec==1.3.14",
   "h2 (==4.3.0)",
-  "markdown (>=3.9,<4.0)",
+  "markdown (==3.10.2)",
   "drf-simple-apikey (==2.2.1)",
-  "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)",
-  "neo4j (>=6.0.0,<7.0.0)",
-  "cartography (==0.132.0)",
-  "gevent (>=25.9.1,<26.0.0)",
-  "werkzeug (>=3.1.4)",
-  "sqlparse (>=0.5.4)",
-  "fonttools (>=4.60.2)"
+  "matplotlib (==3.10.8)",
+  "reportlab (==4.4.10)",
+  "neo4j (==6.1.0)",
+  "cartography (==0.135.0)",
+  "gevent (==25.9.1)",
+  "werkzeug (==3.1.7)",
+  "sqlparse (==0.5.5)",
+  "fonttools (==4.62.1)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -50,7 +50,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.23.0"
+version = "1.26.0"
 
 [project.scripts]
 celery = "src.backend.config.settings.celery"
@@ -62,10 +62,9 @@ django-silk = "5.3.2"
 docker = "7.1.0"
 filelock = "3.20.3"
 freezegun = "1.5.1"
-marshmallow = ">=3.15.0,<4.0.0"
 mypy = "1.10.1"
 pylint = "3.2.5"
-pytest = "8.2.2"
+pytest = "9.0.3"
 pytest-cov = "5.0.0"
 pytest-django = "4.8.0"
 pytest-env = "1.1.3"
@@ -75,3 +74,4 @@ ruff = "0.5.0"
 safety = "3.7.0"
 tqdm = "4.67.1"
 vulture = "2.14"
+prek = "0.3.9"

api/src/backend/api/attack_paths/cypher_sanitizer.py

@@ -0,0 +1,170 @@
+"""
+Cypher sanitizer for custom (user-supplied) Attack Paths queries.
+
+Two responsibilities:
+
+1. **Validation** - reject queries containing SSRF or dangerous procedure
+   patterns (defense-in-depth; the primary control is ``neo4j.READ_ACCESS``).
+
+2. **Provider-scoped label injection** - inject a dynamic
+   ``_Provider_{uuid}`` label into every node pattern so the database can
+   use its native label index for provider isolation.
+
+Label-injection pipeline:
+
+1. **Protect** string literals and line comments (placeholder replacement).
+2. **Split** by top-level clause keywords to track clause context.
+3. **Pass A** - inject into *labeled* node patterns in ALL segments.
+4. **Pass B** - inject into *bare* node patterns in MATCH segments only.
+5. **Restore** protected regions.
+"""
+
+import re
+
+from rest_framework.exceptions import ValidationError
+
+from tasks.jobs.attack_paths.config import get_provider_label
+
+
+# Step 1 - String / comment protection
+# Single combined regex: strings first, then line comments.
+# The regex engine finds the leftmost match, so a string like 'https://prowler.com'
+# is consumed as a string before the // inside it can match as a comment.
+_PROTECTED_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|//[^\n]*")
+
+# Step 2 - Clause splitting
+# OPTIONAL MATCH must come before MATCH to avoid partial matching.
+_CLAUSE_RE = re.compile(
+    r"\b(OPTIONAL\s+MATCH|MATCH|WHERE|RETURN|WITH|ORDER\s+BY"
+    r"|SKIP|LIMIT|UNION|UNWIND|CALL)\b",
+    re.IGNORECASE,
+)
+
+# Pass A - Labeled node patterns (all segments)
+# Matches node patterns that have at least one :Label.
+# (?<!\w)\(  - open paren NOT preceded by a word char (excludes function calls).
+# Group 1:  optional variable + one or more :Label
+# Group 2:  optional {properties} + closing paren
+_LABELED_NODE_RE = re.compile(
+    r"(?<!\w)\("
+    r"("
+    r"\s*(?:[a-zA-Z_]\w*)?"
+    r"(?:\s*:\s*(?:`[^`]*`|[a-zA-Z_]\w*))+"
+    r")"
+    r"("
+    r"\s*(?:\{[^}]*\})?"
+    r"\s*\)"
+    r")"
+)
+
+# Pass B - Bare node patterns (MATCH segments only)
+# Matches (identifier) or (identifier {properties}) without any :Label.
+# Only applied in MATCH/OPTIONAL MATCH segments.
+_BARE_NODE_RE = re.compile(
+    r"(?<!\w)\(" r"(\s*[a-zA-Z_]\w*)" r"(\s*(?:\{[^}]*\})?)" r"\s*\)"
+)
+
+_MATCH_CLAUSES = frozenset({"MATCH", "OPTIONAL MATCH"})
+
+
+def _inject_labeled(segment: str, label: str) -> str:
+    """Inject provider label into all node patterns that have existing labels."""
+    return _LABELED_NODE_RE.sub(rf"(\1:{label}\2", segment)
+
+
+def _inject_bare(segment: str, label: str) -> str:
+    """Inject provider label into bare `(identifier)` node patterns."""
+
+    def _replace(match):
+        var = match.group(1)
+        props = match.group(2).strip()
+        if props:
+            return f"({var}:{label} {props})"
+        return f"({var}:{label})"
+
+    return _BARE_NODE_RE.sub(_replace, segment)
+
+
+def inject_provider_label(cypher: str, provider_id: str) -> str:
+    """Rewrite a Cypher query to scope every node pattern to a provider.
+
+    Args:
+        cypher: The original Cypher query string.
+        provider_id: The provider UUID (will be converted to a label via
+            `get_provider_label`).
+
+    Returns:
+        The rewritten Cypher with `:_Provider_{uuid}` appended to every
+        node pattern.
+    """
+    label = get_provider_label(provider_id)
+
+    # Step 1: Protect strings and comments (single pass, leftmost-first)
+    protected: list[str] = []
+
+    def _save(match):
+        protected.append(match.group(0))
+        return f"\x00P{len(protected) - 1}\x00"
+
+    work = _PROTECTED_RE.sub(_save, cypher)
+
+    # Step 2: Split by clause keywords
+    parts = _CLAUSE_RE.split(work)
+
+    # Steps 3-4: Apply injection passes per segment
+    result: list[str] = []
+    current_clause: str | None = None
+
+    for i, part in enumerate(parts):
+        if i % 2 == 1:
+            # Keyword token - normalize for clause tracking
+            current_clause = re.sub(r"\s+", " ", part.strip()).upper()
+            result.append(part)
+        else:
+            # Content segment - apply injection based on clause context
+            part = _inject_labeled(part, label)
+            if current_clause in _MATCH_CLAUSES:
+                part = _inject_bare(part, label)
+            result.append(part)
+
+    work = "".join(result)
+
+    # Step 5: Restore protected regions
+    for i, original in enumerate(protected):
+        work = work.replace(f"\x00P{i}\x00", original)
+
+    return work
+
+
+# ---------------------------------------------------------------------------
+# Validation
+# ---------------------------------------------------------------------------
+
+# Patterns that indicate SSRF or dangerous procedure calls
+# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
+_BLOCKED_PATTERNS = [
+    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
+    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
+]
+
+
+def validate_custom_query(cypher: str) -> None:
+    """Reject queries containing known SSRF or dangerous procedure patterns.
+
+    Raises ValidationError if a blocked pattern is found.
+    String literals and comments are stripped before matching to avoid
+    false positives.
+    """
+    stripped = _PROTECTED_RE.sub("", cypher)
+    for pattern in _BLOCKED_PATTERNS:
+        if pattern.search(stripped):
+            raise ValidationError({"query": "Query contains a blocked operation"})

api/src/backend/api/attack_paths/database.py

@@ -11,8 +11,8 @@ from config.env import env
 from django.conf import settings
 from tasks.jobs.attack_paths.config import (
     BATCH_SIZE,
-    PROVIDER_ID_PROPERTY,
     PROVIDER_RESOURCE_LABEL,
+    get_provider_label,
 )
 
 from api.attack_paths.retryable_session import RetryableSession
@@ -28,6 +28,7 @@ READ_QUERY_TIMEOUT_SECONDS = env.int(
     "ATTACK_PATHS_READ_QUERY_TIMEOUT_SECONDS", default=30
 )
 MAX_CUSTOM_QUERY_NODES = env.int("ATTACK_PATHS_MAX_CUSTOM_QUERY_NODES", default=250)
+CONN_ACQUISITION_TIMEOUT = env.int("NEO4J_CONN_ACQUISITION_TIMEOUT", default=15)
 READ_EXCEPTION_CODES = [
     "Neo.ClientError.Statement.AccessMode",
     "Neo.ClientError.Procedure.ProcedureNotFound",
@@ -62,7 +63,7 @@ def init_driver() -> neo4j.Driver:
                 auth=(config["USER"], config["PASSWORD"]),
                 keep_alive=True,
                 max_connection_lifetime=7200,
-                connection_acquisition_timeout=120,
+                connection_acquisition_timeout=CONN_ACQUISITION_TIMEOUT,
                 max_connection_pool_size=50,
             )
             _driver.verify_connectivity()
@@ -163,11 +164,8 @@ def drop_subgraph(database: str, provider_id: str) -> int:
     Uses batched deletion to avoid memory issues with large graphs.
     Silently returns 0 if the database doesn't exist.
     """
+    provider_label = get_provider_label(provider_id)
     deleted_nodes = 0
-    parameters = {
-        "provider_id": provider_id,
-        "batch_size": BATCH_SIZE,
-    }
 
     try:
         with get_session(database) as session:
@@ -175,12 +173,12 @@ def drop_subgraph(database: str, provider_id: str) -> int:
             while deleted_count > 0:
                 result = session.run(
                     f"""
-                    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
+                    MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
                     WITH n LIMIT $batch_size
                     DETACH DELETE n
                     RETURN COUNT(n) AS deleted_nodes_count
                     """,
-                    parameters,
+                    {"batch_size": BATCH_SIZE},
                 )
                 deleted_count = result.single().get("deleted_nodes_count", 0)
                 deleted_nodes += deleted_count
@@ -199,15 +197,12 @@ def has_provider_data(database: str, provider_id: str) -> bool:
 
     Returns `False` if the database doesn't exist.
     """
-    query = (
-        f"MATCH (n:{PROVIDER_RESOURCE_LABEL} "
-        f"{{{PROVIDER_ID_PROPERTY}: $provider_id}}) "
-        "RETURN 1 LIMIT 1"
-    )
+    provider_label = get_provider_label(provider_id)
+    query = f"MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`) RETURN 1 LIMIT 1"
 
     try:
         with get_session(database, default_access_mode=neo4j.READ_ACCESS) as session:
-            result = session.run(query, {"provider_id": provider_id})
+            result = session.run(query)
             return result.single() is not None
 
     except GraphDatabaseQueryException as exc:

api/src/backend/api/attack_paths/queries/aws.py

@@ -3,7 +3,7 @@ from api.attack_paths.queries.types import (
     AttackPathsQueryDefinition,
     AttackPathsQueryParameterDefinition,
 )
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROWLER_FINDING_LABEL
+from tasks.jobs.attack_paths.config import PROWLER_FINDING_LABEL
 
 
 # Custom Attack Path Queries
@@ -16,8 +16,6 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
     description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
         WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
 
@@ -31,7 +29,7 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
 
         MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)
 
         WITH collect(path_s3) + collect(path_ec2) + collect(path_role) + collect(path_assume_role) AS paths,
             head(collect(internet)) AS internet, collect(can_access) AS can_access
@@ -40,7 +38,7 @@ AWS_INTERNET_EXPOSED_EC2_SENSITIVE_S3_ACCESS = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -79,7 +77,7 @@ AWS_RDS_INSTANCES = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -102,7 +100,7 @@ AWS_RDS_UNENCRYPTED_STORAGE = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -125,7 +123,7 @@ AWS_S3_ANONYMOUS_ACCESS_BUCKETS = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -149,7 +147,7 @@ AWS_IAM_STATEMENTS_ALLOW_ALL_ACTIONS = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -173,7 +171,7 @@ AWS_IAM_STATEMENTS_ALLOW_DELETE_POLICY = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -197,7 +195,7 @@ AWS_IAM_STATEMENTS_ALLOW_CREATE_ACTIONS = AttackPathsQueryDefinition(
 
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -215,12 +213,10 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find EC2 instances flagged as exposed to the internet within the selected account.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
         WHERE ec2.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)
 
         WITH collect(path) AS paths, head(collect(internet)) AS internet, collect(can_access) AS can_access
         UNWIND paths AS p
@@ -228,7 +224,7 @@ AWS_EC2_INSTANCES_INTERNET_EXPOSED = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -242,13 +238,11 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
     description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
         WHERE ec2.exposed_internet = true
             AND ir.range = "0.0.0.0/0"
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)
 
         WITH collect(path) AS paths, head(collect(internet)) AS internet, collect(can_access) AS can_access
         UNWIND paths AS p
@@ -256,7 +250,7 @@ AWS_SECURITY_GROUPS_OPEN_INTERNET_FACING = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -270,12 +264,10 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find Classic Load Balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
         WHERE elb.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elb)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(elb)
 
         WITH collect(path) AS paths, head(collect(internet)) AS internet, collect(can_access) AS can_access
         UNWIND paths AS p
@@ -283,7 +275,7 @@ AWS_CLASSIC_ELB_INTERNET_EXPOSED = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -297,12 +289,10 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
     description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
         WHERE elbv2.exposed_internet = true
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elbv2)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(elbv2)
 
         WITH collect(path) AS paths, head(collect(internet)) AS internet, collect(can_access) AS can_access
         UNWIND paths AS p
@@ -310,7 +300,7 @@ AWS_ELBV2_INTERNET_EXPOSED = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -324,15 +314,13 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
     description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
     provider="aws",
     cypher=f"""
-        OPTIONAL MATCH (internet:Internet {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
         WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
            OR (x:EC2Instance AND x.publicipaddress = $ip)
            OR (x:NetworkInterface AND x.public_ip = $ip)
            OR (x:ElasticIPAddress AND x.public_ip = $ip)
 
-        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(x)
+        OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(x)
 
         WITH collect(path) AS paths, head(collect(internet)) AS internet, collect(can_access) AS can_access
         UNWIND paths AS p
@@ -340,7 +328,7 @@ AWS_PUBLIC_IP_RESOURCE_LOOKUP = AttackPathsQueryDefinition(
 
         WITH paths, internet, can_access, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr, internet, can_access
     """,
@@ -403,7 +391,7 @@ AWS_APPRUNNER_PRIVESC_PASSROLE_CREATE_SERVICE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -441,7 +429,7 @@ AWS_APPRUNNER_PRIVESC_UPDATE_SERVICE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -511,7 +499,7 @@ AWS_BEDROCK_PRIVESC_PASSROLE_CODE_INTERPRETER = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -558,7 +546,7 @@ AWS_BEDROCK_PRIVESC_INVOKE_CODE_INTERPRETER = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -610,7 +598,7 @@ AWS_CLOUDFORMATION_PRIVESC_PASSROLE_CREATE_STACK = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -648,7 +636,7 @@ AWS_CLOUDFORMATION_PRIVESC_UPDATE_STACK = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -709,7 +697,7 @@ AWS_CLOUDFORMATION_PRIVESC_PASSROLE_CREATE_STACKSET = AttackPathsQueryDefinition
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -761,7 +749,7 @@ AWS_CLOUDFORMATION_PRIVESC_PASSROLE_UPDATE_STACKSET = AttackPathsQueryDefinition
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -808,7 +796,7 @@ AWS_CLOUDFORMATION_PRIVESC_CHANGESET = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -869,7 +857,7 @@ AWS_CODEBUILD_PRIVESC_PASSROLE_CREATE_PROJECT = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -907,7 +895,7 @@ AWS_CODEBUILD_PRIVESC_START_BUILD = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -945,7 +933,7 @@ AWS_CODEBUILD_PRIVESC_START_BUILD_BATCH = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1006,7 +994,7 @@ AWS_CODEBUILD_PRIVESC_PASSROLE_CREATE_PROJECT_BATCH = AttackPathsQueryDefinition
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1077,7 +1065,7 @@ AWS_DATAPIPELINE_PRIVESC_PASSROLE_CREATE_PIPELINE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1129,7 +1117,7 @@ AWS_EC2_PRIVESC_PASSROLE_IAM = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1185,7 +1173,7 @@ AWS_EC2_PRIVESC_MODIFY_INSTANCE_ATTRIBUTE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1237,7 +1225,7 @@ AWS_EC2_PRIVESC_PASSROLE_SPOT_INSTANCES = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1284,7 +1272,7 @@ AWS_EC2_PRIVESC_LAUNCH_TEMPLATE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1322,7 +1310,7 @@ AWS_EC2INSTANCECONNECT_PRIVESC_SEND_SSH_PUBLIC_KEY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1392,7 +1380,7 @@ AWS_ECS_PRIVESC_PASSROLE_CREATE_SERVICE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1462,7 +1450,7 @@ AWS_ECS_PRIVESC_PASSROLE_RUN_TASK = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1523,7 +1511,7 @@ AWS_ECS_PRIVESC_PASSROLE_CREATE_SERVICE_EXISTING_CLUSTER = AttackPathsQueryDefin
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1584,7 +1572,7 @@ AWS_ECS_PRIVESC_PASSROLE_RUN_TASK_EXISTING_CLUSTER = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1645,7 +1633,7 @@ AWS_ECS_PRIVESC_PASSROLE_START_TASK_EXISTING_CLUSTER = AttackPathsQueryDefinitio
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1692,7 +1680,7 @@ AWS_ECS_PRIVESC_EXECUTE_COMMAND = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1744,7 +1732,7 @@ AWS_GLUE_PRIVESC_PASSROLE_DEV_ENDPOINT = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1782,7 +1770,7 @@ AWS_GLUE_PRIVESC_UPDATE_DEV_ENDPOINT = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1843,7 +1831,7 @@ AWS_GLUE_PRIVESC_PASSROLE_CREATE_JOB = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1904,7 +1892,7 @@ AWS_GLUE_PRIVESC_PASSROLE_CREATE_JOB_TRIGGER = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -1965,7 +1953,7 @@ AWS_GLUE_PRIVESC_PASSROLE_UPDATE_JOB = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2026,7 +2014,7 @@ AWS_GLUE_PRIVESC_PASSROLE_UPDATE_JOB_TRIGGER = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2069,7 +2057,7 @@ AWS_IAM_PRIVESC_CREATE_POLICY_VERSION = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2112,7 +2100,7 @@ AWS_IAM_PRIVESC_CREATE_ACCESS_KEY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2169,7 +2157,7 @@ AWS_IAM_PRIVESC_DELETE_CREATE_ACCESS_KEY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2212,7 +2200,7 @@ AWS_IAM_PRIVESC_CREATE_LOGIN_PROFILE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2252,7 +2240,7 @@ AWS_IAM_PRIVESC_PUT_ROLE_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2295,7 +2283,7 @@ AWS_IAM_PRIVESC_UPDATE_LOGIN_PROFILE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2335,7 +2323,7 @@ AWS_IAM_PRIVESC_PUT_USER_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2375,7 +2363,7 @@ AWS_IAM_PRIVESC_ATTACH_USER_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2415,7 +2403,7 @@ AWS_IAM_PRIVESC_ATTACH_ROLE_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2458,7 +2446,7 @@ AWS_IAM_PRIVESC_ATTACH_GROUP_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2501,7 +2489,7 @@ AWS_IAM_PRIVESC_PUT_GROUP_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2544,7 +2532,7 @@ AWS_IAM_PRIVESC_UPDATE_ASSUME_ROLE_POLICY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2587,7 +2575,7 @@ AWS_IAM_PRIVESC_ADD_USER_TO_GROUP = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2630,7 +2618,7 @@ AWS_IAM_PRIVESC_ATTACH_ROLE_POLICY_ASSUME_ROLE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2687,7 +2675,7 @@ AWS_IAM_PRIVESC_ATTACH_USER_POLICY_CREATE_ACCESS_KEY = AttackPathsQueryDefinitio
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2731,7 +2719,7 @@ AWS_IAM_PRIVESC_CREATE_POLICY_VERSION_ASSUME_ROLE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2774,7 +2762,7 @@ AWS_IAM_PRIVESC_PUT_ROLE_POLICY_ASSUME_ROLE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2831,7 +2819,7 @@ AWS_IAM_PRIVESC_PUT_USER_POLICY_CREATE_ACCESS_KEY = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2888,7 +2876,7 @@ AWS_IAM_PRIVESC_ATTACH_ROLE_POLICY_UPDATE_ASSUME_ROLE = AttackPathsQueryDefiniti
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -2946,7 +2934,7 @@ AWS_IAM_PRIVESC_CREATE_POLICY_VERSION_UPDATE_ASSUME_ROLE = AttackPathsQueryDefin
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3003,7 +2991,7 @@ AWS_IAM_PRIVESC_PUT_ROLE_POLICY_UPDATE_ASSUME_ROLE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3064,7 +3052,7 @@ AWS_LAMBDA_PRIVESC_PASSROLE_CREATE_FUNCTION = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3125,7 +3113,7 @@ AWS_LAMBDA_PRIVESC_PASSROLE_CREATE_FUNCTION_EVENT_SOURCE = AttackPathsQueryDefin
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3168,7 +3156,7 @@ AWS_LAMBDA_PRIVESC_UPDATE_FUNCTION_CODE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3225,7 +3213,7 @@ AWS_LAMBDA_PRIVESC_UPDATE_FUNCTION_CODE_INVOKE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3282,7 +3270,7 @@ AWS_LAMBDA_PRIVESC_UPDATE_FUNCTION_CODE_ADD_PERMISSION = AttackPathsQueryDefinit
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3343,7 +3331,7 @@ AWS_LAMBDA_PRIVESC_PASSROLE_CREATE_FUNCTION_ADD_PERMISSION = AttackPathsQueryDef
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3395,7 +3383,7 @@ AWS_SAGEMAKER_PRIVESC_PASSROLE_CREATE_NOTEBOOK = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3447,7 +3435,7 @@ AWS_SAGEMAKER_PRIVESC_PASSROLE_CREATE_TRAINING_JOB = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3499,7 +3487,7 @@ AWS_SAGEMAKER_PRIVESC_PASSROLE_CREATE_PROCESSING_JOB = AttackPathsQueryDefinitio
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3542,7 +3530,7 @@ AWS_SAGEMAKER_PRIVESC_PRESIGNED_NOTEBOOK_URL = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3612,7 +3600,7 @@ AWS_SAGEMAKER_PRIVESC_LIFECYCLE_CONFIG_NOTEBOOK = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3650,7 +3638,7 @@ AWS_SSM_PRIVESC_START_SESSION = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3688,7 +3676,7 @@ AWS_SSM_PRIVESC_SEND_COMMAND = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,
@@ -3731,7 +3719,7 @@ AWS_STS_PRIVESC_ASSUME_ROLE = AttackPathsQueryDefinition(
         WITH paths, collect(DISTINCT n) AS unique_nodes
         UNWIND unique_nodes AS n
 
-        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
+        OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL'}})
 
         RETURN paths, collect(DISTINCT pf) as dpf, collect(DISTINCT pfr) as dpfr
     """,

api/src/backend/api/attack_paths/queries/schema.py

@@ -1,13 +1,18 @@
-from tasks.jobs.attack_paths.config import PROVIDER_ID_PROPERTY, PROVIDER_RESOURCE_LABEL
+from tasks.jobs.attack_paths.config import PROVIDER_RESOURCE_LABEL, get_provider_label
+
+
+def get_cartography_schema_query(provider_id: str) -> str:
+    """Build the Cartography schema metadata query scoped to a provider label."""
+    provider_label = get_provider_label(provider_id)
+    return f"""
+        MATCH (n:{PROVIDER_RESOURCE_LABEL}:`{provider_label}`)
+        WHERE n._module_name STARTS WITH 'cartography:'
+          AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
+          AND n._module_version IS NOT NULL
+        RETURN n._module_name AS module_name, n._module_version AS module_version
+        LIMIT 1
+    """
 
-CARTOGRAPHY_SCHEMA_METADATA = f"""
-    MATCH (n:{PROVIDER_RESOURCE_LABEL} {{{PROVIDER_ID_PROPERTY}: $provider_id}})
-    WHERE n._module_name STARTS WITH 'cartography:'
-      AND NOT n._module_name IN ['cartography:ontology', 'cartography:prowler']
-      AND n._module_version IS NOT NULL
-    RETURN n._module_name AS module_name, n._module_version AS module_version
-    LIMIT 1
-"""
 
 GITHUB_SCHEMA_URL = (
     "https://github.com/cartography-cncf/cartography/blob/"

api/src/backend/api/attack_paths/views_helpers.py

@@ -1,22 +1,26 @@
 import logging
-import re
 
 from typing import Any, Iterable
 
 import neo4j
+
 from rest_framework.exceptions import APIException, PermissionDenied, ValidationError
 
 from api.attack_paths import database as graph_database, AttackPathsQueryDefinition
+from api.attack_paths.cypher_sanitizer import (
+    inject_provider_label,
+    validate_custom_query,
+)
 from api.attack_paths.queries.schema import (
-    CARTOGRAPHY_SCHEMA_METADATA,
     GITHUB_SCHEMA_URL,
     RAW_SCHEMA_URL,
+    get_cartography_schema_query,
 )
 from config.custom_logging import BackendLogger
 from tasks.jobs.attack_paths.config import (
     INTERNAL_LABELS,
     INTERNAL_PROPERTIES,
-    PROVIDER_ID_PROPERTY,
+    get_provider_label,
     is_dynamic_isolation_label,
 )
 
@@ -72,7 +76,6 @@ def prepare_parameters(
 
     clean_parameters = {
         "provider_uid": str(provider_uid),
-        "provider_id": str(provider_id),
     }
 
     for definition_parameter in definition.parameters:
@@ -123,38 +126,6 @@ def execute_query(
 
 # Custom query helpers
 
-# Patterns that indicate SSRF or dangerous procedure calls
-# Defense-in-depth layer - the primary control is `neo4j.READ_ACCESS`
-_BLOCKED_PATTERNS = [
-    re.compile(r"\bLOAD\s+CSV\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.load\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.import\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.export\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.cypher\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.systemdb\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.config\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.periodic\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.do\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.trigger\b", re.IGNORECASE),
-    re.compile(r"\bapoc\.custom\b", re.IGNORECASE),
-]
-
-# Strip string literals so patterns inside quotes don't cause false positives
-# Handles escaped quotes (\' and \") inside strings
-_STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
-
-
-def validate_custom_query(cypher: str) -> None:
-    """Reject queries containing known SSRF or dangerous procedure patterns.
-
-    Raises ValidationError if a blocked pattern is found.
-    String literals are stripped before matching to avoid false positives.
-    """
-    stripped = _STRING_LITERALS.sub("", cypher)
-    for pattern in _BLOCKED_PATTERNS:
-        if pattern.search(stripped):
-            raise ValidationError({"query": "Query contains a blocked operation"})
-
 
 def normalize_custom_query_payload(raw_data):
     if not isinstance(raw_data, dict):
@@ -173,7 +144,15 @@ def execute_custom_query(
     cypher: str,
     provider_id: str,
 ) -> dict[str, Any]:
+    # Defense-in-depth for custom queries:
+    # 1. neo4j.READ_ACCESS — prevents mutations at the driver level
+    # 2. inject_provider_label() — regex-based label injection scopes node patterns
+    # 3. _serialize_graph() — post-query filter drops nodes without the provider label
+    #
+    # Layer 2 is best-effort (regex can't fully parse Cypher);
+    # layer 3 is the safety net that guarantees provider isolation.
     validate_custom_query(cypher)
+    cypher = inject_provider_label(cypher, provider_id)
 
     try:
         graph = graph_database.execute_read_query(
@@ -208,10 +187,7 @@ def get_cartography_schema(
         with graph_database.get_session(
             database_name, default_access_mode=neo4j.READ_ACCESS
         ) as session:
-            result = session.run(
-                CARTOGRAPHY_SCHEMA_METADATA,
-                {"provider_id": provider_id},
-            )
+            result = session.run(get_cartography_schema_query(provider_id))
             record = result.single()
     except graph_database.GraphDatabaseQueryException as exc:
         logger.error(f"Cartography schema query failed: {exc}")
@@ -255,10 +231,12 @@ def _truncate_graph(graph: dict[str, Any]) -> dict[str, Any]:
 
 
 def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
+    provider_label = get_provider_label(provider_id)
+
     nodes = []
     kept_node_ids = set()
     for node in graph.nodes:
-        if node._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
+        if provider_label not in node.labels:
             continue
 
         kept_node_ids.add(node.element_id)
@@ -273,14 +251,11 @@ def _serialize_graph(graph, provider_id: str) -> dict[str, Any]:
     filtered_count = len(graph.nodes) - len(nodes)
     if filtered_count > 0:
         logger.debug(
-            f"Filtered {filtered_count} nodes without matching provider_id={provider_id}"
+            f"Filtered {filtered_count} nodes without provider label {provider_label}"
         )
 
     relationships = []
     for relationship in graph.relationships:
-        if relationship._properties.get(PROVIDER_ID_PROPERTY) != provider_id:
-            continue
-
         if (
             relationship.start_node.element_id not in kept_node_ids
             or relationship.end_node.element_id not in kept_node_ids

api/src/backend/api/base_views.py

@@ -1,10 +1,10 @@
 from django.conf import settings
-from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
 from rest_framework import permissions
 from rest_framework.exceptions import NotAuthenticated
 from rest_framework.filters import SearchFilter
 from rest_framework.permissions import SAFE_METHODS
+from rest_framework.response import Response
 from rest_framework_json_api import filters
 from rest_framework_json_api.views import ModelViewSet
 
@@ -12,7 +12,7 @@ from api.authentication import CombinedJWTOrAPIKeyAuthentication
 from api.db_router import MainRouter, reset_read_db_alias, set_read_db_alias
 from api.db_utils import POSTGRES_USER_VAR, rls_transaction
 from api.filters import CustomDjangoFilterBackend
-from api.models import Role, Tenant
+from api.models import Role, UserRoleRelationship
 from api.rbac.permissions import HasPermissions
 
 
@@ -113,27 +113,22 @@ class BaseTenantViewset(BaseViewSet):
             if request is not None:
                 request.db_alias = self.db_alias
 
-            with transaction.atomic(using=self.db_alias):
-                tenant = super().dispatch(request, *args, **kwargs)
-
-            try:
-                # If the request is a POST, create the admin role
-                if request.method == "POST":
-                    isinstance(tenant, dict) and self._create_admin_role(
-                        tenant.data["id"]
-                    )
-            except Exception as e:
-                self._handle_creation_error(e, tenant)
-                raise
-
-            return tenant
+            if request.method == "POST":
+                with transaction.atomic(using=MainRouter.admin_db):
+                    tenant = super().dispatch(request, *args, **kwargs)
+                    if isinstance(tenant, Response) and tenant.status_code == 201:
+                        self._create_admin_role(tenant.data["id"])
+                    return tenant
+            else:
+                with transaction.atomic(using=self.db_alias):
+                    return super().dispatch(request, *args, **kwargs)
         finally:
             if alias_token is not None:
                 reset_read_db_alias(alias_token)
             self.db_alias = MainRouter.default_db
 
     def _create_admin_role(self, tenant_id):
-        Role.objects.using(MainRouter.admin_db).create(
+        admin_role = Role.objects.using(MainRouter.admin_db).create(
             name="admin",
             tenant_id=tenant_id,
             manage_users=True,
@@ -144,15 +139,11 @@ class BaseTenantViewset(BaseViewSet):
             manage_scans=True,
             unlimited_visibility=True,
         )
-
-    def _handle_creation_error(self, error, tenant):
-        if tenant.data.get("id"):
-            try:
-                Tenant.objects.using(MainRouter.admin_db).filter(
-                    id=tenant.data["id"]
-                ).delete()
-            except ObjectDoesNotExist:
-                pass  # Tenant might not exist, handle gracefully
+        UserRoleRelationship.objects.using(MainRouter.admin_db).create(
+            user=self.request.user,
+            role=admin_role,
+            tenant_id=tenant_id,
+        )
 
     def initial(self, request, *args, **kwargs):
         if request.auth is None:

api/src/backend/api/compliance.py

@@ -1,7 +1,6 @@
 from collections.abc import Iterable, Mapping
 
 from api.models import Provider
-from prowler.config.config import get_available_compliance_frameworks
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.models import CheckMetadata
 
@@ -95,12 +94,12 @@ PROWLER_CHECKS = LazyChecksMapping()
 
 
 def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[str]:
-    """
-    Retrieve and cache the list of available compliance frameworks for a specific cloud provider.
+    """List compliance frameworks the API can load for `provider_type`.
 
-    This function lazily loads and caches the available compliance frameworks (e.g., CIS, MITRE, ISO)
-    for each provider type (AWS, Azure, GCP, etc.) on first access. Subsequent calls for the same
-    provider will return the cached result.
+    The list is sourced from `Compliance.get_bulk` so that the names
+    returned here are guaranteed to be loadable by the bulk loader. This
+    prevents downstream key mismatches (e.g. CSV report generation iterating
+    framework names and looking them up in the bulk dict).
 
     Args:
         provider_type (Provider.ProviderChoices): The cloud provider type for which to retrieve
@@ -112,8 +111,8 @@ def get_compliance_frameworks(provider_type: Provider.ProviderChoices) -> list[s
     """
     global AVAILABLE_COMPLIANCE_FRAMEWORKS
     if provider_type not in AVAILABLE_COMPLIANCE_FRAMEWORKS:
-        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = (
-            get_available_compliance_frameworks(provider_type)
+        AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type] = list(
+            Compliance.get_bulk(provider_type).keys()
         )
 
     return AVAILABLE_COMPLIANCE_FRAMEWORKS[provider_type]

api/src/backend/api/filters.py

@@ -15,6 +15,7 @@ from django_filters.rest_framework import (
 from rest_framework_json_api.django_filters.backends import DjangoFilterBackend
 from rest_framework_json_api.serializers import ValidationError
 
+from api.constants import SEVERITY_ORDER
 from api.db_utils import (
     FindingDeltaEnumField,
     InvitationStateEnumField,
@@ -43,6 +44,7 @@ from api.models import (
     ProviderGroup,
     ProviderSecret,
     Resource,
+    ResourceFindingMapping,
     ResourceTag,
     Role,
     Scan,
@@ -196,17 +198,13 @@ class CommonFindingFilters(FilterSet):
         field_name="resource_services", lookup_expr="icontains"
     )
 
-    resource_uid = CharFilter(field_name="resources__uid")
-    resource_uid__in = CharInFilter(field_name="resources__uid", lookup_expr="in")
-    resource_uid__icontains = CharFilter(
-        field_name="resources__uid", lookup_expr="icontains"
-    )
+    resource_uid = CharFilter(method="filter_resource_uid")
+    resource_uid__in = CharInFilter(method="filter_resource_uid_in")
+    resource_uid__icontains = CharFilter(method="filter_resource_uid_icontains")
 
-    resource_name = CharFilter(field_name="resources__name")
-    resource_name__in = CharInFilter(field_name="resources__name", lookup_expr="in")
-    resource_name__icontains = CharFilter(
-        field_name="resources__name", lookup_expr="icontains"
-    )
+    resource_name = CharFilter(method="filter_resource_name")
+    resource_name__in = CharInFilter(method="filter_resource_name_in")
+    resource_name__icontains = CharFilter(method="filter_resource_name_icontains")
 
     resource_type = CharFilter(method="filter_resource_type")
     resource_type__in = CharInFilter(field_name="resource_types", lookup_expr="overlap")
@@ -264,6 +262,52 @@ class CommonFindingFilters(FilterSet):
             )
         return queryset.filter(overall_query).distinct()
 
+    def filter_check_title_icontains(self, queryset, name, value):
+        # Resolve from the summary table (has check_title column + trigram
+        # GIN index) instead of scanning JSON in the findings table.
+        matching_check_ids = (
+            FindingGroupDailySummary.objects.filter(
+                check_title__icontains=value,
+            )
+            .values_list("check_id", flat=True)
+            .distinct()
+        )
+        return queryset.filter(check_id__in=matching_check_ids)
+
+    # --- Resource subquery filters ---
+    # Resolve resource → RFM → finding_ids first, then filter findings
+    # by id__in.  This avoids a 3-way JOIN driven from the (huge)
+    # findings side and lets PostgreSQL start from the resources
+    # unique-constraint index instead.
+
+    @staticmethod
+    def _finding_ids_for_resources(**lookup):
+        return ResourceFindingMapping.objects.filter(
+            resource__in=Resource.objects.filter(**lookup).values("id")
+        ).values("finding_id")
+
+    def filter_resource_uid(self, queryset, name, value):
+        return queryset.filter(id__in=self._finding_ids_for_resources(uid=value))
+
+    def filter_resource_uid_in(self, queryset, name, value):
+        return queryset.filter(id__in=self._finding_ids_for_resources(uid__in=value))
+
+    def filter_resource_uid_icontains(self, queryset, name, value):
+        return queryset.filter(
+            id__in=self._finding_ids_for_resources(uid__icontains=value)
+        )
+
+    def filter_resource_name(self, queryset, name, value):
+        return queryset.filter(id__in=self._finding_ids_for_resources(name=value))
+
+    def filter_resource_name_in(self, queryset, name, value):
+        return queryset.filter(id__in=self._finding_ids_for_resources(name__in=value))
+
+    def filter_resource_name_icontains(self, queryset, name, value):
+        return queryset.filter(
+            id__in=self._finding_ids_for_resources(name__icontains=value)
+        )
+
 
 class TenantFilter(FilterSet):
     inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
@@ -286,6 +330,7 @@ class MembershipFilter(FilterSet):
         model = Membership
         fields = {
             "tenant": ["exact"],
+            "user": ["exact"],
             "role": ["exact"],
             "date_joined": ["date", "gte", "lte"],
         }
@@ -390,6 +435,7 @@ class ScanFilter(ProviderRelationshipFilterSet):
     class Meta:
         model = Scan
         fields = {
+            "id": ["exact", "in"],
             "provider": ["exact", "in"],
             "name": ["exact", "icontains"],
             "started_at": ["gte", "lte"],
@@ -803,11 +849,15 @@ class FindingGroupFilter(CommonFindingFilters):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
+    check_title__icontains = CharFilter(method="filter_check_title_icontains")
+    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
+    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")
 
     class Meta:
         model = Finding
         fields = {
             "check_id": ["exact", "in", "icontains"],
+            "scan": ["exact", "in"],
         }
 
     def filter_queryset(self, queryset):
@@ -895,15 +945,31 @@ class LatestFindingGroupFilter(CommonFindingFilters):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
+    check_title__icontains = CharFilter(method="filter_check_title_icontains")
+    scan = UUIDFilter(field_name="scan_id", lookup_expr="exact")
+    scan__in = UUIDInFilter(field_name="scan_id", lookup_expr="in")
 
     class Meta:
         model = Finding
         fields = {
             "check_id": ["exact", "in", "icontains"],
+            "scan": ["exact", "in"],
         }
 
 
-class FindingGroupSummaryFilter(FilterSet):
+class _CheckTitleToCheckIdMixin:
+    """Resolve check_title search to check_ids so all provider rows are kept."""
+
+    def filter_check_title_to_check_ids(self, queryset, name, value):
+        matching_check_ids = (
+            queryset.filter(check_title__icontains=value)
+            .values_list("check_id", flat=True)
+            .distinct()
+        )
+        return queryset.filter(check_id__in=matching_check_ids)
+
+
+class FindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
     """
     Filter for FindingGroupDailySummary queries.
 
@@ -926,9 +992,7 @@ class FindingGroupSummaryFilter(FilterSet):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(
-        field_name="check_title", lookup_expr="icontains"
-    )
+    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
 
     # Provider filters
     provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1016,7 +1080,7 @@ class FindingGroupSummaryFilter(FilterSet):
         return dt
 
 
-class LatestFindingGroupSummaryFilter(FilterSet):
+class LatestFindingGroupSummaryFilter(_CheckTitleToCheckIdMixin, FilterSet):
     """
     Filter for FindingGroupDailySummary /latest endpoint.
 
@@ -1028,9 +1092,7 @@ class LatestFindingGroupSummaryFilter(FilterSet):
     check_id = CharFilter(field_name="check_id", lookup_expr="exact")
     check_id__in = CharInFilter(field_name="check_id", lookup_expr="in")
     check_id__icontains = CharFilter(field_name="check_id", lookup_expr="icontains")
-    check_title__icontains = CharFilter(
-        field_name="check_title", lookup_expr="icontains"
-    )
+    check_title__icontains = CharFilter(method="filter_check_title_to_check_ids")
 
     # Provider filters
     provider_id = UUIDFilter(field_name="provider_id", lookup_expr="exact")
@@ -1048,6 +1110,99 @@ class LatestFindingGroupSummaryFilter(FilterSet):
         }
 
 
+class FindingGroupAggregatedComputedFilter(FilterSet):
+    """Filter aggregated finding-group rows by computed status/severity/muted."""
+
+    STATUS_CHOICES = (
+        ("FAIL", "Fail"),
+        ("PASS", "Pass"),
+        ("MANUAL", "Manual"),
+    )
+
+    status = ChoiceFilter(method="filter_status", choices=STATUS_CHOICES)
+    status__in = CharInFilter(method="filter_status_in", lookup_expr="in")
+    severity = ChoiceFilter(method="filter_severity", choices=SeverityChoices)
+    severity__in = CharInFilter(method="filter_severity_in", lookup_expr="in")
+    muted = BooleanFilter(field_name="muted")
+    include_muted = BooleanFilter(method="filter_include_muted")
+
+    def filter_status(self, queryset, name, value):
+        return queryset.filter(aggregated_status=value)
+
+    def filter_status_in(self, queryset, name, value):
+        values = value
+        if isinstance(value, str):
+            values = [part.strip() for part in value.split(",") if part.strip()]
+
+        allowed = {choice[0] for choice in self.STATUS_CHOICES}
+        invalid = [
+            status_value for status_value in values if status_value not in allowed
+        ]
+        if invalid:
+            raise ValidationError(
+                [
+                    {
+                        "detail": f"invalid status filter: {invalid[0]}",
+                        "status": "400",
+                        "source": {"pointer": "/data"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+
+        if not values:
+            return queryset
+
+        return queryset.filter(aggregated_status__in=values)
+
+    def filter_severity(self, queryset, name, value):
+        severity_order = SEVERITY_ORDER.get(value)
+        if severity_order is None:
+            raise ValidationError(
+                [
+                    {
+                        "detail": f"invalid severity filter: {value}",
+                        "status": "400",
+                        "source": {"pointer": "/data"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+        return queryset.filter(severity_order=severity_order)
+
+    def filter_severity_in(self, queryset, name, value):
+        values = value
+        if isinstance(value, str):
+            values = [part.strip() for part in value.split(",") if part.strip()]
+
+        orders = []
+        for severity_value in values:
+            severity_order = SEVERITY_ORDER.get(severity_value)
+            if severity_order is None:
+                raise ValidationError(
+                    [
+                        {
+                            "detail": f"invalid severity filter: {severity_value}",
+                            "status": "400",
+                            "source": {"pointer": "/data"},
+                            "code": "invalid",
+                        }
+                    ]
+                )
+            orders.append(severity_order)
+
+        if not orders:
+            return queryset
+
+        return queryset.filter(severity_order__in=orders)
+
+    def filter_include_muted(self, queryset, name, value):
+        if value is True:
+            return queryset
+        # include_muted=false: exclude fully-muted groups
+        return queryset.exclude(muted=True)
+
+
 class ProviderSecretFilter(FilterSet):
     inserted_at = DateFilter(
         field_name="inserted_at",

api/src/backend/api/migrations/0086_attack_paths_cleanup_periodic_task.py

@@ -0,0 +1,49 @@
+from django.db import migrations
+
+
+TASK_NAME = "attack-paths-cleanup-stale-scans"
+INTERVAL_HOURS = 1
+
+
+def create_periodic_task(apps, schema_editor):
+    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+
+    schedule, _ = IntervalSchedule.objects.get_or_create(
+        every=INTERVAL_HOURS,
+        period="hours",
+    )
+
+    PeriodicTask.objects.update_or_create(
+        name=TASK_NAME,
+        defaults={
+            "task": TASK_NAME,
+            "interval": schedule,
+            "enabled": True,
+        },
+    )
+
+
+def delete_periodic_task(apps, schema_editor):
+    IntervalSchedule = apps.get_model("django_celery_beat", "IntervalSchedule")
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+
+    PeriodicTask.objects.filter(name=TASK_NAME).delete()
+
+    # Clean up the schedule if no other task references it
+    IntervalSchedule.objects.filter(
+        every=INTERVAL_HOURS,
+        period="hours",
+        periodictask__isnull=True,
+    ).delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0085_finding_group_daily_summary_trgm_indexes"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_periodic_task, delete_periodic_task),
+    ]

api/src/backend/api/migrations/0087_vercel_provider.py

@@ -0,0 +1,40 @@
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0086_attack_paths_cleanup_periodic_task"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                    ("mongodbatlas", "MongoDB Atlas"),
+                    ("iac", "IaC"),
+                    ("oraclecloud", "Oracle Cloud Infrastructure"),
+                    ("alibabacloud", "Alibaba Cloud"),
+                    ("cloudflare", "Cloudflare"),
+                    ("openstack", "OpenStack"),
+                    ("image", "Image"),
+                    ("googleworkspace", "Google Workspace"),
+                    ("vercel", "Vercel"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'vercel';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]

api/src/backend/api/migrations/0088_finding_group_status_muted_fields.py

@@ -0,0 +1,95 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0087_vercel_provider"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="manual_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="pass_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="fail_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="manual_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="muted",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_fail_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_fail_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_pass_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_pass_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_manual_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="new_manual_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_fail_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_fail_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_pass_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_pass_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_manual_count",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="findinggroupdailysummary",
+            name="changed_manual_muted_count",
+            field=models.IntegerField(default=0),
+        ),
+    ]

api/src/backend/api/migrations/0089_backfill_finding_group_status_muted.py

@@ -0,0 +1,31 @@
+from django.db import migrations
+from tasks.tasks import backfill_finding_group_summaries_task
+
+from api.db_router import MainRouter
+from api.rls import Tenant
+
+
+def trigger_backfill_task(apps, schema_editor):
+    """
+    Re-dispatch the finding-group backfill task for every tenant so the new
+    `manual_count` and `muted` columns added in 0088 get populated from the
+    last 10 days of completed scans.
+
+    The aggregator (`aggregate_finding_group_summaries`) recomputes every
+    column on each call, so it back-populates the new fields without touching
+    the existing ones beyond a normal upsert.
+    """
+    tenant_ids = Tenant.objects.using(MainRouter.admin_db).values_list("id", flat=True)
+
+    for tenant_id in tenant_ids:
+        backfill_finding_group_summaries_task.delay(tenant_id=str(tenant_id), days=10)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0088_finding_group_status_muted_fields"),
+    ]
+
+    operations = [
+        migrations.RunPython(trigger_backfill_task, migrations.RunPython.noop),
+    ]

api/src/backend/api/migrations/0090_attack_paths_cleanup_priority.py

@@ -0,0 +1,23 @@
+from django.db import migrations
+
+TASK_NAME = "attack-paths-cleanup-stale-scans"
+
+
+def set_cleanup_priority(apps, schema_editor):
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=0)
+
+
+def unset_cleanup_priority(apps, schema_editor):
+    PeriodicTask = apps.get_model("django_celery_beat", "PeriodicTask")
+    PeriodicTask.objects.filter(name=TASK_NAME).update(priority=None)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0089_backfill_finding_group_status_muted"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_cleanup_priority, unset_cleanup_priority),
+    ]

api/src/backend/api/models.py

@@ -4,11 +4,11 @@ import re
 from datetime import datetime, timedelta, timezone
 from uuid import UUID, uuid4
 
+import defusedxml
 from allauth.socialaccount.models import SocialApp
 from config.custom_logging import BackendLogger
 from config.settings.social_login import SOCIALACCOUNT_PROVIDERS
 from cryptography.fernet import Fernet, InvalidToken
-import defusedxml
 from defusedxml import ElementTree as ET
 from django.conf import settings
 from django.contrib.auth.models import AbstractBaseUser
@@ -295,6 +295,7 @@ class Provider(RowLevelSecurityProtectedModel):
         OPENSTACK = "openstack", _("OpenStack")
         IMAGE = "image", _("Image")
         GOOGLEWORKSPACE = "googleworkspace", _("Google Workspace")
+        VERCEL = "vercel", _("Vercel")
 
     @staticmethod
     def validate_aws_uid(value):
@@ -438,6 +439,15 @@ class Provider(RowLevelSecurityProtectedModel):
                 pointer="/data/attributes/uid",
             )
 
+    @staticmethod
+    def validate_vercel_uid(value):
+        if not re.match(r"^team_[a-zA-Z0-9]{16,32}$", value):
+            raise ModelValidationError(
+                detail="Vercel provider ID must be a valid Vercel Team ID (e.g., team_xxxxxxxxxxxxxxxxxxxxxxxx).",
+                code="vercel-uid",
+                pointer="/data/attributes/uid",
+            )
+
     @staticmethod
     def validate_image_uid(value):
         if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9._/:@-]{2,249}$", value):
@@ -1738,15 +1748,45 @@ class FindingGroupDailySummary(RowLevelSecurityProtectedModel):
     # Severity stored as integer for MAX aggregation (5=critical, 4=high, etc.)
     severity_order = models.SmallIntegerField(default=1)
 
-    # Finding counts
+    # Finding counts (inclusive of muted findings; use the `muted` flag to
+    # tell whether the group has any actionable findings).
     pass_count = models.IntegerField(default=0)
     fail_count = models.IntegerField(default=0)
+    manual_count = models.IntegerField(default=0)
     muted_count = models.IntegerField(default=0)
 
-    # Delta counts
+    # Status counts restricted to muted findings, so clients can isolate the
+    # muted half of each status (e.g. `pass_count - pass_muted_count` gives the
+    # actionable PASS findings).
+    pass_muted_count = models.IntegerField(default=0)
+    fail_muted_count = models.IntegerField(default=0)
+    manual_muted_count = models.IntegerField(default=0)
+
+    # Whether every finding for this (provider, check, day) is muted.
+    muted = models.BooleanField(default=False)
+
+    # Delta counts (non-muted, kept for convenience and as a "total" view).
     new_count = models.IntegerField(default=0)
     changed_count = models.IntegerField(default=0)
 
+    # Delta breakdown by (status, muted) so clients can answer questions like
+    # "how many new failing findings appeared in this scan?" without scanning
+    # the underlying findings table. Mirrors the existing pass/fail/manual
+    # naming, with `_muted_count` siblings tracking the muted half of each
+    # bucket explicitly.
+    new_fail_count = models.IntegerField(default=0)
+    new_fail_muted_count = models.IntegerField(default=0)
+    new_pass_count = models.IntegerField(default=0)
+    new_pass_muted_count = models.IntegerField(default=0)
+    new_manual_count = models.IntegerField(default=0)
+    new_manual_muted_count = models.IntegerField(default=0)
+    changed_fail_count = models.IntegerField(default=0)
+    changed_fail_muted_count = models.IntegerField(default=0)
+    changed_pass_count = models.IntegerField(default=0)
+    changed_pass_muted_count = models.IntegerField(default=0)
+    changed_manual_count = models.IntegerField(default=0)
+    changed_manual_muted_count = models.IntegerField(default=0)
+
     # Resource counts
     resources_fail = models.IntegerField(default=0)
     resources_total = models.IntegerField(default=0)

api/src/backend/api/rbac/permissions.py

@@ -1,7 +1,7 @@
 from enum import Enum
-from typing import Optional
 
 from django.db.models import QuerySet
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import BasePermission
 
 from api.db_router import MainRouter
@@ -29,8 +29,17 @@ class HasPermissions(BasePermission):
         if not required_permissions:
             return True
 
+        tenant_id = getattr(request, "tenant_id", None)
+        if not tenant_id:
+            tenant_id = request.auth.get("tenant_id") if request.auth else None
+        if not tenant_id:
+            return False
+
         user_roles = (
-            User.objects.using(MainRouter.admin_db).get(id=request.user.id).roles.all()
+            User.objects.using(MainRouter.admin_db)
+            .get(id=request.user.id)
+            .roles.using(MainRouter.admin_db)
+            .filter(tenant_id=tenant_id)
         )
         if not user_roles:
             return False
@@ -42,14 +51,17 @@ class HasPermissions(BasePermission):
         return True
 
 
-def get_role(user: User) -> Optional[Role]:
+def get_role(user: User, tenant_id: str) -> Role:
     """
-    Retrieve the first role assigned to the given user.
+    Retrieve the role assigned to the given user in the specified tenant.
 
-    Returns:
-        The user's first Role instance if the user has any roles, otherwise None.
+    Raises:
+        PermissionDenied: If the user has no role in the given tenant.
     """
-    return user.roles.first()
+    role = user.roles.using(MainRouter.admin_db).filter(tenant_id=tenant_id).first()
+    if role is None:
+        raise PermissionDenied("User has no role in this tenant.")
+    return role
 
 
 def get_providers(role: Role) -> QuerySet[Provider]:

api/src/backend/api/signals.py

@@ -61,7 +61,7 @@ def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
     in that tenant should be revoked to prevent further access.
     """
     TenantAPIKey.objects.filter(
-        entity=instance.user, tenant_id=instance.tenant.id
+        entity_id=instance.user_id, tenant_id=instance.tenant_id
     ).update(revoked=True)
 
 

api/src/backend/api/specs/v1.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: Prowler API
-  version: 1.23.0
+  version: 1.26.0
   description: |-
     Prowler API specification.
 
@@ -372,6 +372,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -387,6 +388,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -409,6 +411,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -426,6 +429,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -1351,6 +1355,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -1366,6 +1371,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -1827,6 +1833,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -1842,6 +1849,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -1864,6 +1872,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -1881,6 +1890,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -2429,6 +2439,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -2444,6 +2455,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2466,6 +2478,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -2483,6 +2496,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -2939,6 +2953,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -2954,6 +2969,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -2976,6 +2992,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -2993,6 +3010,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -3447,6 +3465,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -3462,6 +3481,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -3484,6 +3504,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -3501,6 +3522,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -3943,6 +3965,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -3958,6 +3981,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -3980,6 +4004,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -3997,6 +4022,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -5780,6 +5806,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -5795,6 +5822,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -5817,6 +5845,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -5834,6 +5863,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -5955,6 +5985,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -5970,6 +6001,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -5992,6 +6024,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6009,6 +6042,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -6119,6 +6153,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6134,6 +6169,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6155,6 +6191,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6172,6 +6209,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -6314,6 +6352,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6329,6 +6368,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6351,6 +6391,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6368,6 +6409,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -6523,6 +6565,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6538,6 +6581,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6560,6 +6604,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6577,6 +6622,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -6726,6 +6772,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6741,6 +6788,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -6762,6 +6810,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -6779,6 +6828,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -6970,6 +7020,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -6985,6 +7036,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7007,6 +7059,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7024,6 +7077,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -7144,6 +7198,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -7159,6 +7214,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7181,6 +7237,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7198,6 +7255,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -7342,6 +7400,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -7357,6 +7416,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -7379,6 +7439,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -7396,6 +7457,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -8181,6 +8243,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -8196,6 +8259,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider__in]
         schema:
@@ -8218,6 +8282,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -8235,6 +8300,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -8257,6 +8323,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -8272,6 +8339,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -8294,6 +8362,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -8311,6 +8380,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - name: filter[search]
@@ -8980,6 +9050,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -8995,6 +9066,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -9017,6 +9089,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -9034,6 +9107,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -9527,6 +9601,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -9542,6 +9617,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -9564,6 +9640,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -9581,6 +9658,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -9887,6 +9965,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -9902,6 +9981,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -9924,6 +10004,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -9941,6 +10022,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -10253,6 +10335,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -10268,6 +10351,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -10290,6 +10374,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -10307,6 +10392,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -11129,6 +11215,7 @@ paths:
           - mongodbatlas
           - openstack
           - oraclecloud
+          - vercel
         description: |-
           * `aws` - AWS
           * `azure` - Azure
@@ -11144,6 +11231,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
       - in: query
         name: filter[provider_type__in]
         schema:
@@ -11166,6 +11254,7 @@ paths:
             - mongodbatlas
             - openstack
             - oraclecloud
+            - vercel
         description: |-
           Multiple values may be separated by commas.
 
@@ -11183,6 +11272,7 @@ paths:
           * `openstack` - OpenStack
           * `image` - Image
           * `googleworkspace` - Google Workspace
+          * `vercel` - Vercel
         explode: false
         style: form
       - in: query
@@ -18463,6 +18553,15 @@ components:
                     required:
                     - clouds_yaml_content
                     - clouds_yaml_cloud
+                  - type: object
+                    title: Vercel API Token
+                    properties:
+                      api_token:
+                        type: string
+                        description: Vercel API token for authentication. Can be scoped
+                          to a specific team.
+                    required:
+                    - api_token
                   writeOnly: true
               required:
               - secret
@@ -19465,6 +19564,7 @@ components:
               - openstack
               - image
               - googleworkspace
+              - vercel
               type: string
               description: |-
                 * `aws` - AWS
@@ -19481,6 +19581,7 @@ components:
                 * `openstack` - OpenStack
                 * `image` - Image
                 * `googleworkspace` - Google Workspace
+                * `vercel` - Vercel
               x-spec-enum-id: c0d56cad8ab9abe5
             uid:
               type: string
@@ -19601,6 +19702,7 @@ components:
               - openstack
               - image
               - googleworkspace
+              - vercel
               type: string
               x-spec-enum-id: c0d56cad8ab9abe5
               description: |-
@@ -19620,6 +19722,7 @@ components:
                 * `openstack` - OpenStack
                 * `image` - Image
                 * `googleworkspace` - Google Workspace
+                * `vercel` - Vercel
             uid:
               type: string
               title: Unique identifier for the provider, set by the provider
@@ -19671,6 +19774,7 @@ components:
                   - openstack
                   - image
                   - googleworkspace
+                  - vercel
                   type: string
                   x-spec-enum-id: c0d56cad8ab9abe5
                   description: |-
@@ -19690,6 +19794,7 @@ components:
                     * `openstack` - OpenStack
                     * `image` - Image
                     * `googleworkspace` - Google Workspace
+                    * `vercel` - Vercel
                 uid:
                   type: string
                   minLength: 3
@@ -20539,6 +20644,15 @@ components:
                 required:
                 - clouds_yaml_content
                 - clouds_yaml_cloud
+              - type: object
+                title: Vercel API Token
+                properties:
+                  api_token:
+                    type: string
+                    description: Vercel API token for authentication. Can be scoped
+                      to a specific team.
+                required:
+                - api_token
               writeOnly: true
           required:
           - secret_type
@@ -20955,6 +21069,15 @@ components:
                     required:
                     - clouds_yaml_content
                     - clouds_yaml_cloud
+                  - type: object
+                    title: Vercel API Token
+                    properties:
+                      api_token:
+                        type: string
+                        description: Vercel API token for authentication. Can be scoped
+                          to a specific team.
+                    required:
+                    - api_token
                   writeOnly: true
               required:
               - secret_type
@@ -21381,6 +21504,15 @@ components:
                 required:
                 - clouds_yaml_content
                 - clouds_yaml_cloud
+              - type: object
+                title: Vercel API Token
+                properties:
+                  api_token:
+                    type: string
+                    description: Vercel API token for authentication. Can be scoped
+                      to a specific team.
+                required:
+                - api_token
               writeOnly: true
           required:
           - secret

api/src/backend/api/tests/integration/test_authentication.py

@@ -215,6 +215,21 @@ class TestTokenSwitchTenant:
         tenant_id = tenants_fixture[0].id
         user_instance = User.objects.get(email=test_user)
         Membership.objects.create(user=user_instance, tenant_id=tenant_id)
+        # Assign an admin role in the target tenant so the user can access resources
+        target_role = Role.objects.create(
+            name="admin",
+            tenant_id=tenant_id,
+            manage_users=True,
+            manage_account=True,
+            manage_billing=True,
+            manage_providers=True,
+            manage_integrations=True,
+            manage_scans=True,
+            unlimited_visibility=True,
+        )
+        UserRoleRelationship.objects.create(
+            user=user_instance, role=target_role, tenant_id=tenant_id
+        )
 
         # Check that using our new user's credentials we can authenticate and get the providers
         access_token, _ = get_api_tokens(client, test_user, test_password)

api/src/backend/api/tests/test_attack_paths.py

@@ -11,7 +11,7 @@ from api.attack_paths import database as graph_database
 from api.attack_paths import views_helpers
 from tasks.jobs.attack_paths.config import (
     PROVIDER_ELEMENT_ID_PROPERTY,
-    PROVIDER_ID_PROPERTY,
+    get_provider_label,
 )
 
 
@@ -53,7 +53,7 @@ def test_prepare_parameters_includes_provider_and_casts(
     )
 
     assert result["provider_uid"] == "123456789012"
-    assert result["provider_id"] == "test-provider-id"
+    assert "provider_id" not in result
     assert result["limit"] == 5
 
 
@@ -107,12 +107,12 @@ def test_execute_query_serializes_graph(
     parameters = {"provider_uid": "123"}
 
     provider_id = "test-provider-123"
+    plabel = get_provider_label(provider_id)
     node = attack_paths_graph_stub_classes.Node(
         element_id="node-1",
-        labels=["AWSAccount"],
+        labels=["AWSAccount", plabel],
         properties={
             "name": "account",
-            PROVIDER_ID_PROPERTY: provider_id,
             "complex": {
                 "items": [
                     attack_paths_graph_stub_classes.NativeValue("value"),
@@ -121,15 +121,13 @@ def test_execute_query_serializes_graph(
             },
         },
     )
-    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
-    )
+    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
     relationship = attack_paths_graph_stub_classes.Relationship(
         element_id="rel-1",
         rel_type="OWNS",
         start_node=node,
         end_node=node_2,
-        properties={"weight": 1, PROVIDER_ID_PROPERTY: provider_id},
+        properties={"weight": 1},
     )
     graph = SimpleNamespace(nodes=[node, node_2], relationships=[relationship])
 
@@ -213,29 +211,27 @@ def test_execute_query_raises_permission_denied_on_read_only(
             )
 
 
-def test_serialize_graph_filters_by_provider_id(attack_paths_graph_stub_classes):
+def test_serialize_graph_filters_by_provider_label(attack_paths_graph_stub_classes):
     provider_id = "provider-keep"
+    plabel = get_provider_label(provider_id)
+    other_label = get_provider_label("provider-other")
 
-    node_keep = attack_paths_graph_stub_classes.Node(
-        "n1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
-    )
+    node_keep = attack_paths_graph_stub_classes.Node("n1", ["AWSAccount", plabel], {})
     node_drop = attack_paths_graph_stub_classes.Node(
-        "n2", ["AWSAccount"], {PROVIDER_ID_PROPERTY: "provider-other"}
+        "n2", ["AWSAccount", other_label], {}
     )
 
     rel_keep = attack_paths_graph_stub_classes.Relationship(
-        "r1", "OWNS", node_keep, node_keep, {PROVIDER_ID_PROPERTY: provider_id}
-    )
-    rel_drop_by_provider = attack_paths_graph_stub_classes.Relationship(
-        "r2", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: "provider-other"}
+        "r1", "OWNS", node_keep, node_keep, {}
     )
+    # Relationship connecting a kept node to a dropped node — filtered by endpoint check
     rel_drop_orphaned = attack_paths_graph_stub_classes.Relationship(
-        "r3", "OWNS", node_keep, node_drop, {PROVIDER_ID_PROPERTY: provider_id}
+        "r2", "OWNS", node_keep, node_drop, {}
     )
 
     graph = SimpleNamespace(
         nodes=[node_keep, node_drop],
-        relationships=[rel_keep, rel_drop_by_provider, rel_drop_orphaned],
+        relationships=[rel_keep, rel_drop_orphaned],
     )
 
     result = views_helpers._serialize_graph(graph, provider_id)
@@ -354,7 +350,6 @@ def test_serialize_properties_filters_internal_fields():
         "_module_name": "cartography:aws",
         "_module_version": "0.98.0",
         # Provider isolation
-        PROVIDER_ID_PROPERTY: "42",
         PROVIDER_ELEMENT_ID_PROPERTY: "42:abc123",
     }
 
@@ -449,14 +444,11 @@ def test_execute_custom_query_serializes_graph(
     attack_paths_graph_stub_classes,
 ):
     provider_id = "test-provider-123"
-    node_1 = attack_paths_graph_stub_classes.Node(
-        "node-1", ["AWSAccount"], {PROVIDER_ID_PROPERTY: provider_id}
-    )
-    node_2 = attack_paths_graph_stub_classes.Node(
-        "node-2", ["RDSInstance"], {PROVIDER_ID_PROPERTY: provider_id}
-    )
+    plabel = get_provider_label(provider_id)
+    node_1 = attack_paths_graph_stub_classes.Node("node-1", ["AWSAccount", plabel], {})
+    node_2 = attack_paths_graph_stub_classes.Node("node-2", ["RDSInstance", plabel], {})
     relationship = attack_paths_graph_stub_classes.Relationship(
-        "rel-1", "OWNS", node_1, node_2, {PROVIDER_ID_PROPERTY: provider_id}
+        "rel-1", "OWNS", node_1, node_2, {}
     )
 
     graph_result = MagicMock()
@@ -471,10 +463,11 @@ def test_execute_custom_query_serializes_graph(
             "db-tenant-test", "MATCH (n) RETURN n", provider_id
         )
 
-    mock_execute.assert_called_once_with(
-        database="db-tenant-test",
-        cypher="MATCH (n) RETURN n",
-    )
+    mock_execute.assert_called_once()
+    call_kwargs = mock_execute.call_args[1]
+    assert call_kwargs["database"] == "db-tenant-test"
+    # The cypher is rewritten with the provider label injection
+    assert plabel in call_kwargs["cypher"]
     assert len(result["nodes"]) == 2
     assert result["relationships"][0]["label"] == "OWNS"
     assert result["truncated"] is False
@@ -511,72 +504,6 @@ def test_execute_custom_query_wraps_graph_errors():
     mock_logger.error.assert_called_once()
 
 
-# -- validate_custom_query ------------------------------------------------
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
-        "load csv from 'http://evil.com' as row return row",
-        "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
-        "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
-        "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
-        "CALL apoc.export.csv.all('file.csv', {})",
-        "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
-        "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
-        "CALL apoc.config.list() YIELD key, value RETURN key, value",
-        "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
-        "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
-        "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
-        "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
-    ],
-    ids=[
-        "LOAD_CSV",
-        "LOAD_CSV_lowercase",
-        "apoc.load.json",
-        "apoc.load.csvParams",
-        "apoc.import.csv",
-        "apoc.export.csv",
-        "apoc.cypher.run",
-        "apoc.systemdb.graph",
-        "apoc.config.list",
-        "apoc.periodic.iterate",
-        "apoc.do.when",
-        "apoc.trigger.add",
-        "apoc.custom.asProcedure",
-    ],
-)
-def test_validate_custom_query_rejects_blocked_patterns(cypher):
-    with pytest.raises(ValidationError) as exc:
-        views_helpers.validate_custom_query(cypher)
-
-    assert "blocked operation" in str(exc.value.detail)
-
-
-@pytest.mark.parametrize(
-    "cypher",
-    [
-        "MATCH (n:AWSAccount) RETURN n LIMIT 10",
-        "MATCH (a)-[r]->(b) RETURN a, r, b",
-        "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
-        "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
-        "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
-        'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
-    ],
-    ids=[
-        "simple_match",
-        "traversal",
-        "contains_load_substring",
-        "apoc_virtual_node",
-        "apoc_load_inside_single_quotes",
-        "load_csv_inside_double_quotes",
-    ],
-)
-def test_validate_custom_query_allows_clean_queries(cypher):
-    views_helpers.validate_custom_query(cypher)
-
-
 # -- _truncate_graph ----------------------------------------------------------
 
 

api/src/backend/api/tests/test_attack_paths_database.py

@@ -12,6 +12,8 @@ from unittest.mock import MagicMock, patch
 import neo4j
 import pytest
 
+import api.attack_paths.database as db_module
+
 
 class TestLazyInitialization:
     """Test that Neo4j driver is initialized lazily on first use."""
@@ -19,8 +21,6 @@ class TestLazyInitialization:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
-        import api.attack_paths.database as db_module
-
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -31,8 +31,6 @@ class TestLazyInitialization:
 
     def test_driver_not_initialized_at_import(self):
         """Driver should be None after module import (no eager connection)."""
-        import api.attack_paths.database as db_module
-
         assert db_module._driver is None
 
     @patch("api.attack_paths.database.settings")
@@ -41,8 +39,6 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """init_driver() should create connection only when called."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -69,8 +65,6 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """Subsequent calls should return cached driver without reconnecting."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -99,8 +93,6 @@ class TestLazyInitialization:
         self, mock_driver_factory, mock_settings
     ):
         """get_driver() should use init_driver() for lazy initialization."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -118,14 +110,50 @@ class TestLazyInitialization:
         mock_driver_factory.assert_called_once()
 
 
+class TestConnectionAcquisitionTimeout:
+    """Test that the connection acquisition timeout is configurable."""
+
+    @pytest.fixture(autouse=True)
+    def reset_module_state(self):
+        original_driver = db_module._driver
+        original_timeout = db_module.CONN_ACQUISITION_TIMEOUT
+
+        db_module._driver = None
+
+        yield
+
+        db_module._driver = original_driver
+        db_module.CONN_ACQUISITION_TIMEOUT = original_timeout
+
+    @patch("api.attack_paths.database.settings")
+    @patch("api.attack_paths.database.neo4j.GraphDatabase.driver")
+    def test_driver_receives_configured_timeout(
+        self, mock_driver_factory, mock_settings
+    ):
+        """init_driver() should pass CONN_ACQUISITION_TIMEOUT to the neo4j driver."""
+        mock_driver_factory.return_value = MagicMock()
+        mock_settings.DATABASES = {
+            "neo4j": {
+                "HOST": "localhost",
+                "PORT": 7687,
+                "USER": "neo4j",
+                "PASSWORD": "password",
+            }
+        }
+        db_module.CONN_ACQUISITION_TIMEOUT = 42
+
+        db_module.init_driver()
+
+        _, kwargs = mock_driver_factory.call_args
+        assert kwargs["connection_acquisition_timeout"] == 42
+
+
 class TestAtexitRegistration:
     """Test that atexit cleanup handler is registered correctly."""
 
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
-        import api.attack_paths.database as db_module
-
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -141,8 +169,6 @@ class TestAtexitRegistration:
         self, mock_driver_factory, mock_atexit_register, mock_settings
     ):
         """atexit.register should be called on first initialization."""
-        import api.attack_paths.database as db_module
-
         mock_driver_factory.return_value = MagicMock()
         mock_settings.DATABASES = {
             "neo4j": {
@@ -168,8 +194,6 @@ class TestAtexitRegistration:
         The double-checked locking on _driver ensures the atexit registration
         block only executes once (when _driver is first created).
         """
-        import api.attack_paths.database as db_module
-
         mock_driver_factory.return_value = MagicMock()
         mock_settings.DATABASES = {
             "neo4j": {
@@ -194,8 +218,6 @@ class TestCloseDriver:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
-        import api.attack_paths.database as db_module
-
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -206,8 +228,6 @@ class TestCloseDriver:
 
     def test_close_driver_closes_and_clears_driver(self):
         """close_driver() should close the driver and set it to None."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         db_module._driver = mock_driver
 
@@ -218,8 +238,6 @@ class TestCloseDriver:
 
     def test_close_driver_handles_none_driver(self):
         """close_driver() should handle case where driver is None."""
-        import api.attack_paths.database as db_module
-
         db_module._driver = None
 
         # Should not raise
@@ -229,8 +247,6 @@ class TestCloseDriver:
 
     def test_close_driver_clears_driver_even_on_close_error(self):
         """Driver should be cleared even if close() raises an exception."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         mock_driver.close.side_effect = Exception("Connection error")
         db_module._driver = mock_driver
@@ -246,8 +262,6 @@ class TestExecuteReadQuery:
     """Test read query execution helper."""
 
     def test_execute_read_query_calls_read_session_and_returns_result(self):
-        import api.attack_paths.database as db_module
-
         tx = MagicMock()
         expected_graph = MagicMock()
         run_result = MagicMock()
@@ -289,8 +303,6 @@ class TestExecuteReadQuery:
         assert result is expected_graph
 
     def test_execute_read_query_defaults_parameters_to_empty_dict(self):
-        import api.attack_paths.database as db_module
-
         tx = MagicMock()
         run_result = MagicMock()
         run_result.graph.return_value = MagicMock()
@@ -325,8 +337,6 @@ class TestGetSessionReadOnly:
 
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
-        import api.attack_paths.database as db_module
-
         original_driver = db_module._driver
         db_module._driver = None
         yield
@@ -341,8 +351,6 @@ class TestGetSessionReadOnly:
     )
     def test_get_session_raises_write_query_not_allowed(self, neo4j_code):
         """Read-mode Neo4j errors should raise `WriteQueryNotAllowedException`."""
-        import api.attack_paths.database as db_module
-
         mock_session = MagicMock()
         neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
             code=neo4j_code,
@@ -362,8 +370,6 @@ class TestGetSessionReadOnly:
 
     def test_get_session_raises_generic_exception_for_other_errors(self):
         """Non-read-mode Neo4j errors should raise GraphDatabaseQueryException."""
-        import api.attack_paths.database as db_module
-
         mock_session = MagicMock()
         neo4j_error = neo4j.exceptions.Neo4jError._hydrate_neo4j(
             code="Neo.ClientError.Statement.SyntaxError",
@@ -388,8 +394,6 @@ class TestThreadSafety:
     @pytest.fixture(autouse=True)
     def reset_module_state(self):
         """Reset module-level singleton state before each test."""
-        import api.attack_paths.database as db_module
-
         original_driver = db_module._driver
 
         db_module._driver = None
@@ -404,8 +408,6 @@ class TestThreadSafety:
         self, mock_driver_factory, mock_settings
     ):
         """Multiple threads calling init_driver() should create only one driver."""
-        import api.attack_paths.database as db_module
-
         mock_driver = MagicMock()
         mock_driver_factory.return_value = mock_driver
         mock_settings.DATABASES = {
@@ -448,8 +450,6 @@ class TestHasProviderData:
     """Test has_provider_data helper for checking provider nodes in Neo4j."""
 
     def test_returns_true_when_nodes_exist(self):
-        import api.attack_paths.database as db_module
-
         mock_session = MagicMock()
         mock_result = MagicMock()
         mock_result.single.return_value = MagicMock()  # non-None record
@@ -468,8 +468,6 @@ class TestHasProviderData:
         mock_session.run.assert_called_once()
 
     def test_returns_false_when_no_nodes(self):
-        import api.attack_paths.database as db_module
-
         mock_session = MagicMock()
         mock_result = MagicMock()
         mock_result.single.return_value = None
@@ -486,8 +484,6 @@ class TestHasProviderData:
             assert db_module.has_provider_data("db-tenant-abc", "provider-123") is False
 
     def test_returns_false_when_database_not_found(self):
-        import api.attack_paths.database as db_module
-
         session_ctx = MagicMock()
         session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
             message="Database does not exist",
@@ -503,8 +499,6 @@ class TestHasProviderData:
             )
 
     def test_raises_on_other_errors(self):
-        import api.attack_paths.database as db_module
-
         session_ctx = MagicMock()
         session_ctx.__enter__.side_effect = db_module.GraphDatabaseQueryException(
             message="Connection refused",

api/src/backend/api/tests/test_celery_settings.py

@@ -0,0 +1,43 @@
+import pytest
+from config.settings.celery import _build_celery_broker_url
+
+
+class TestBuildCeleryBrokerUrl:
+    def test_without_credentials(self):
+        broker_url = _build_celery_broker_url("redis", "", "", "valkey", "6379", "0")
+
+        assert broker_url == "redis://valkey:6379/0"
+
+    def test_with_password_only(self):
+        broker_url = _build_celery_broker_url(
+            "rediss", "", "secret", "cache.example.com", "6379", "0"
+        )
+
+        assert broker_url == "rediss://:secret@cache.example.com:6379/0"
+
+    def test_with_username_and_password(self):
+        broker_url = _build_celery_broker_url(
+            "rediss", "default", "secret", "cache.example.com", "6379", "0"
+        )
+
+        assert broker_url == "rediss://default:secret@cache.example.com:6379/0"
+
+    def test_with_username_only(self):
+        broker_url = _build_celery_broker_url(
+            "redis", "admin", "", "valkey", "6379", "0"
+        )
+
+        assert broker_url == "redis://admin@valkey:6379/0"
+
+    def test_url_encodes_credentials(self):
+        broker_url = _build_celery_broker_url(
+            "rediss", "user@name", "p@ss:word", "cache.example.com", "6379", "0"
+        )
+
+        assert (
+            broker_url == "rediss://user%40name:p%40ss%3Aword@cache.example.com:6379/0"
+        )
+
+    def test_invalid_scheme_raises_error(self):
+        with pytest.raises(ValueError, match="Invalid VALKEY_SCHEME 'http'"):
+            _build_celery_broker_url("http", "", "", "valkey", "6379", "0")

api/src/backend/api/tests/test_compliance.py

@@ -1,13 +1,18 @@
 from unittest.mock import MagicMock, patch
 
+import pytest
+
+from api import compliance as compliance_module
 from api.compliance import (
     generate_compliance_overview_template,
     generate_scan_compliance,
+    get_compliance_frameworks,
     get_prowler_provider_checks,
     get_prowler_provider_compliance,
     load_prowler_checks,
 )
 from api.models import Provider
+from prowler.lib.check.compliance_models import Compliance
 
 
 class TestCompliance:
@@ -250,3 +255,58 @@ class TestCompliance:
         }
 
         assert template == expected_template
+
+
+@pytest.fixture
+def reset_compliance_cache():
+    """Reset the module-level cache so each test starts cold."""
+    previous = dict(compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS)
+    compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
+    try:
+        yield
+    finally:
+        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.clear()
+        compliance_module.AVAILABLE_COMPLIANCE_FRAMEWORKS.update(previous)
+
+
+class TestGetComplianceFrameworks:
+    def test_returns_keys_from_compliance_get_bulk(self, reset_compliance_cache):
+        with patch("api.compliance.Compliance") as mock_compliance:
+            mock_compliance.get_bulk.return_value = {
+                "cis_1.4_aws": MagicMock(),
+                "mitre_attack_aws": MagicMock(),
+            }
+            result = get_compliance_frameworks(Provider.ProviderChoices.AWS)
+
+        assert sorted(result) == ["cis_1.4_aws", "mitre_attack_aws"]
+        mock_compliance.get_bulk.assert_called_once_with(Provider.ProviderChoices.AWS)
+
+    def test_caches_result_per_provider(self, reset_compliance_cache):
+        with patch("api.compliance.Compliance") as mock_compliance:
+            mock_compliance.get_bulk.return_value = {"cis_1.4_aws": MagicMock()}
+            get_compliance_frameworks(Provider.ProviderChoices.AWS)
+            get_compliance_frameworks(Provider.ProviderChoices.AWS)
+
+        # Cached after first call.
+        assert mock_compliance.get_bulk.call_count == 1
+
+    @pytest.mark.parametrize(
+        "provider_type",
+        [choice.value for choice in Provider.ProviderChoices],
+    )
+    def test_listing_is_subset_of_bulk(self, reset_compliance_cache, provider_type):
+        """Regression for CLOUD-API-40S: every name returned by
+        ``get_compliance_frameworks`` must be loadable via ``Compliance.get_bulk``.
+
+        A divergence here is what produced ``KeyError: 'csa_ccm_4.0'`` in
+        ``generate_outputs_task`` after universal/multi-provider compliance
+        JSONs were introduced at the top-level ``prowler/compliance/`` path.
+        """
+        bulk_keys = set(Compliance.get_bulk(provider_type).keys())
+        listed = set(get_compliance_frameworks(provider_type))
+
+        missing = listed - bulk_keys
+        assert not missing, (
+            f"get_compliance_frameworks({provider_type!r}) returned names not "
+            f"loadable by Compliance.get_bulk: {sorted(missing)}"
+        )

api/src/backend/api/tests/test_cypher_sanitizer.py

@@ -0,0 +1,429 @@
+"""Unit tests for the Cypher sanitizer (validation + provider-label injection)."""
+
+from unittest.mock import patch
+
+import pytest
+
+from rest_framework.exceptions import ValidationError
+
+from api.attack_paths.cypher_sanitizer import (
+    inject_provider_label,
+    validate_custom_query,
+)
+
+PROVIDER_ID = "019c41ee-7df3-7dec-a684-d839f95619f8"
+LABEL = "_Provider_019c41ee7df37deca684d839f95619f8"
+
+
+def _inject(cypher: str) -> str:
+    """Shortcut that patches `get_provider_label` to avoid config imports."""
+    with patch(
+        "api.attack_paths.cypher_sanitizer.get_provider_label", return_value=LABEL
+    ):
+        return inject_provider_label(cypher, PROVIDER_ID)
+
+
+# ---------------------------------------------------------------------------
+# Pass A - Labeled node patterns (all clauses)
+# ---------------------------------------------------------------------------
+
+
+class TestLabeledNodes:
+    def test_single_label(self):
+        result = _inject("MATCH (n:AWSRole) RETURN n")
+        assert f"(n:AWSRole:{LABEL})" in result
+
+    def test_label_with_properties(self):
+        result = _inject("MATCH (n:AWSRole {name: 'admin'}) RETURN n")
+        assert f"(n:AWSRole:{LABEL} {{name: 'admin'}})" in result
+
+    def test_multiple_labels(self):
+        result = _inject("MATCH (n:AWSRole:AWSPrincipal) RETURN n")
+        assert f"(n:AWSRole:AWSPrincipal:{LABEL})" in result
+
+    def test_anonymous_labeled(self):
+        result = _inject(
+            "MATCH (:AWSPrincipal {arn: 'ecs-tasks.amazonaws.com'}) RETURN 1"
+        )
+        assert f"(:AWSPrincipal:{LABEL} {{arn: 'ecs-tasks.amazonaws.com'}})" in result
+
+    def test_backtick_label(self):
+        result = _inject("MATCH (n:`My Label`) RETURN n")
+        assert f"(n:`My Label`:{LABEL})" in result
+
+    def test_labeled_in_where_clause(self):
+        """Labeled nodes in WHERE (pattern existence) still get the label."""
+        result = _inject(
+            "MATCH (n:AWSRole) WHERE EXISTS((n)-[:REL]->(:Target)) RETURN n"
+        )
+        assert f"(n:AWSRole:{LABEL})" in result
+        assert f"(:Target:{LABEL})" in result
+
+    def test_labeled_in_return_clause(self):
+        """Labeled nodes in RETURN still get the label (they're always node patterns)."""
+        result = _inject("MATCH (n:AWSRole) RETURN (n:AWSRole)")
+        assert result.count(f":AWSRole:{LABEL}") == 2
+
+    def test_labeled_in_optional_match(self):
+        result = _inject(
+            "OPTIONAL MATCH (pf:ProwlerFinding {status: 'FAIL'}) RETURN pf"
+        )
+        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
+
+
+# ---------------------------------------------------------------------------
+# Pass B - Bare node patterns (MATCH/OPTIONAL MATCH only)
+# ---------------------------------------------------------------------------
+
+
+class TestBareNodes:
+    def test_bare_in_match(self):
+        result = _inject("MATCH (a)-[:HAS_POLICY]->(b) RETURN a, b")
+        assert f"(a:{LABEL})" in result
+        assert f"(b:{LABEL})" in result
+
+    def test_bare_with_properties_in_match(self):
+        result = _inject("MATCH (n {name: 'x'}) RETURN n")
+        assert f"(n:{LABEL} {{name: 'x'}})" in result
+
+    def test_bare_in_optional_match(self):
+        result = _inject("OPTIONAL MATCH (n)-[r]-(m) RETURN n")
+        assert f"(n:{LABEL})" in result
+        assert f"(m:{LABEL})" in result
+
+    def test_bare_not_injected_in_return(self):
+        """Bare (identifier) in RETURN could be expression grouping."""
+        cypher = "MATCH (n:AWSRole) RETURN (n)"
+        result = _inject(cypher)
+        # The labeled (n:AWSRole) gets the label, but the bare (n) in RETURN should not
+        assert f"(n:AWSRole:{LABEL})" in result
+        # Count how many times the label appears - should be 1 (from MATCH only)
+        assert result.count(LABEL) == 1
+
+    def test_bare_not_injected_in_where(self):
+        cypher = "MATCH (n:AWSRole) WHERE (n.x > 1) RETURN n"
+        result = _inject(cypher)
+        # (n.x > 1) is an expression group, not a node pattern - should be untouched
+        assert "(n.x > 1)" in result
+
+    def test_bare_not_injected_in_with(self):
+        cypher = "MATCH (n:AWSRole) WITH (n) RETURN n"
+        result = _inject(cypher)
+        assert result.count(LABEL) == 1
+
+    def test_bare_not_injected_in_unwind(self):
+        cypher = "UNWIND nodes(path) as n OPTIONAL MATCH (n)-[r]-(m) RETURN n"
+        result = _inject(cypher)
+        # (n) and (m) in OPTIONAL MATCH get injected, but nodes(path) in UNWIND does not
+        assert f"(n:{LABEL})" in result
+        assert f"(m:{LABEL})" in result
+
+
+# ---------------------------------------------------------------------------
+# Function call exclusion
+# ---------------------------------------------------------------------------
+
+
+class TestFunctionCallExclusion:
+    @pytest.mark.parametrize(
+        "func_call",
+        [
+            "collect(DISTINCT pf)",
+            "any(x IN stmt.action WHERE toLower(x) = 'iam:*')",
+            "toLower(action)",
+            "nodes(path)",
+            "count(n)",
+            "apoc.create.vNode(labels)",
+            "EXISTS(n.prop)",
+            "size(n.list)",
+        ],
+    )
+    def test_function_calls_not_injected(self, func_call):
+        cypher = f"MATCH (n:AWSRole) WHERE {func_call} RETURN n"
+        result = _inject(cypher)
+        # The function call should remain unchanged
+        assert func_call in result
+        # Only the MATCH labeled node should get the label
+        assert result.count(LABEL) == 1
+
+
+# ---------------------------------------------------------------------------
+# String and comment protection
+# ---------------------------------------------------------------------------
+
+
+class TestProtection:
+    def test_string_with_fake_node_pattern(self):
+        cypher = "MATCH (n:AWSRole) WHERE n.name = '(fake:Label)' RETURN n"
+        result = _inject(cypher)
+        assert "'(fake:Label)'" in result
+        assert result.count(LABEL) == 1
+
+    def test_double_quoted_string(self):
+        cypher = 'MATCH (n:AWSRole) WHERE n.name = "(fake:Label)" RETURN n'
+        result = _inject(cypher)
+        assert '"(fake:Label)"' in result
+        assert result.count(LABEL) == 1
+
+    def test_line_comment_with_node_pattern(self):
+        cypher = "// (n:Fake)\nMATCH (n:AWSRole) RETURN n"
+        result = _inject(cypher)
+        assert "// (n:Fake)" in result
+        assert result.count(LABEL) == 1
+
+    def test_string_containing_double_slash(self):
+        """Strings with // inside should be consumed as strings, not comments."""
+        cypher = "MATCH (n:AWSRole {url: 'https://example.com'}) RETURN n"
+        result = _inject(cypher)
+        assert "'https://example.com'" in result
+        assert f"(n:AWSRole:{LABEL}" in result
+
+    def test_escaped_quotes_in_string(self):
+        cypher = r"MATCH (n:AWSRole) WHERE n.name = 'it\'s a test' RETURN n"
+        result = _inject(cypher)
+        assert result.count(LABEL) == 1
+
+
+# ---------------------------------------------------------------------------
+# Clause splitting
+# ---------------------------------------------------------------------------
+
+
+class TestClauseSplitting:
+    def test_case_insensitive_keywords(self):
+        cypher = "match (n:AWSRole) where n.x = 1 return n"
+        result = _inject(cypher)
+        assert f"(n:AWSRole:{LABEL})" in result
+
+    def test_optional_match_with_extra_whitespace(self):
+        cypher = "OPTIONAL   MATCH (n:AWSRole) RETURN n"
+        result = _inject(cypher)
+        assert f"(n:AWSRole:{LABEL})" in result
+
+    def test_multiple_match_clauses(self):
+        cypher = (
+            "MATCH (a:AWSAccount)--(b:AWSRole) "
+            "MATCH (b)--(c:AWSPolicy) "
+            "RETURN a, b, c"
+        )
+        result = _inject(cypher)
+        assert f"(a:AWSAccount:{LABEL})" in result
+        assert f"(b:AWSRole:{LABEL})" in result
+        assert f"(c:AWSPolicy:{LABEL})" in result
+        # (b) in second MATCH is bare and gets injected
+        assert result.count(LABEL) == 4  # a, b (labeled), b (bare in 2nd MATCH), c
+
+
+# ---------------------------------------------------------------------------
+# Real-world query patterns from aws.py
+# ---------------------------------------------------------------------------
+
+
+class TestRealWorldQueries:
+    def test_basic_resource_query(self):
+        cypher = (
+            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(rds:RDSInstance)\n"
+            "UNWIND nodes(path) as n\n"
+            "OPTIONAL MATCH (n)-[pfr]-(pf:ProwlerFinding {status: 'FAIL'})\n"
+            "RETURN path, collect(DISTINCT pf) as dpf"
+        )
+        result = _inject(cypher)
+        assert f"(aws:AWSAccount:{LABEL} {{id: $provider_uid}})" in result
+        assert f"(rds:RDSInstance:{LABEL})" in result
+        assert f"(n:{LABEL})" in result
+        assert f"(pf:ProwlerFinding:{LABEL} {{status: 'FAIL'}})" in result
+        assert "nodes(path)" in result  # function call untouched
+        assert "collect(DISTINCT pf)" in result  # function call untouched
+
+    def test_privilege_escalation_query(self):
+        cypher = (
+            "MATCH path_principal = (aws:AWSAccount {id: $uid})"
+            "--(principal:AWSPrincipal)--(pol:AWSPolicy)\n"
+            "WHERE pol.effect = 'Allow'\n"
+            "MATCH (principal)--(cfn_policy:AWSPolicy)"
+            "--(stmt_cfn:AWSPolicyStatement)\n"
+            "WHERE any(action IN stmt_cfn.action WHERE toLower(action) = 'iam:passrole')\n"
+            "MATCH path_target = (aws)--(target_role:AWSRole)"
+            "-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal {arn: 'cloudformation.amazonaws.com'})\n"
+            "RETURN path_principal, path_target"
+        )
+        result = _inject(cypher)
+        assert f"(aws:AWSAccount:{LABEL} {{id: $uid}})" in result
+        assert f"(principal:AWSPrincipal:{LABEL})" in result
+        assert f"(pol:AWSPolicy:{LABEL})" in result
+        assert f"(principal:{LABEL})" in result  # bare in 2nd MATCH
+        assert f"(cfn_policy:AWSPolicy:{LABEL})" in result
+        assert f"(stmt_cfn:AWSPolicyStatement:{LABEL})" in result
+        assert f"(aws:{LABEL})" in result  # bare in 3rd MATCH
+        assert f"(target_role:AWSRole:{LABEL})" in result
+        assert (
+            f"(:AWSPrincipal:{LABEL} {{arn: 'cloudformation.amazonaws.com'}})" in result
+        )
+        # Function calls in WHERE untouched
+        assert "any(action IN" in result
+        assert "toLower(action)" in result
+
+    def test_custom_bare_query(self):
+        cypher = (
+            "MATCH (a)-[:HAS_POLICY]->(b)\n"
+            "WHERE a.name CONTAINS 'admin'\n"
+            "RETURN a, b"
+        )
+        result = _inject(cypher)
+        assert f"(a:{LABEL})" in result
+        assert f"(b:{LABEL})" in result
+        assert result.count(LABEL) == 2
+
+    def test_internet_via_path_connectivity(self):
+        """Post-refactor pattern: Internet reached via CAN_ACCESS, not standalone."""
+        cypher = (
+            "MATCH path = (aws:AWSAccount {id: $provider_uid})--(ec2:EC2Instance)\n"
+            "WHERE ec2.exposed_internet = true\n"
+            "OPTIONAL MATCH (internet:Internet)-[can_access:CAN_ACCESS]->(ec2)\n"
+            "RETURN path, internet, can_access"
+        )
+        result = _inject(cypher)
+        assert f"(aws:AWSAccount:{LABEL}" in result
+        assert f"(ec2:EC2Instance:{LABEL})" in result
+        assert f"(internet:Internet:{LABEL})" in result
+        # ec2 in OPTIONAL MATCH is bare, but already labeled via Pass A won't match it
+        # because it has no label. It IS bare, so Pass B injects.
+        assert f"(ec2:{LABEL})" in result
+
+
+# ---------------------------------------------------------------------------
+# Edge cases
+# ---------------------------------------------------------------------------
+
+
+class TestEdgeCases:
+    def test_empty_query(self):
+        assert _inject("") == ""
+
+    def test_no_node_patterns(self):
+        cypher = "RETURN 1 + 2"
+        assert _inject(cypher) == cypher
+
+    def test_anonymous_empty_parens_not_injected(self):
+        """Empty () in MATCH is extremely rare but should not be injected."""
+        cypher = "MATCH ()--(m:AWSRole) RETURN m"
+        result = _inject(cypher)
+        assert "()" in result  # empty parens untouched
+        assert f"(m:AWSRole:{LABEL})" in result
+
+    def test_fully_anonymous_query_bypasses_injection(self):
+        """All-anonymous patterns bypass injection entirely.
+
+        MATCH ()--()--() has no labels and no variables, so neither Pass A
+        (labeled) nor Pass B (bare identifier) can inject the provider label.
+        This is safe because _serialize_graph() (Layer 3) filters every
+        returned node by provider label, dropping cross-provider data before
+        it reaches the user.
+        """
+        cypher = "MATCH ()--()--() RETURN *"
+        result = _inject(cypher)
+        assert result == cypher  # completely unmodified
+        assert LABEL not in result
+
+    def test_relationship_patterns_untouched(self):
+        cypher = "MATCH (a:X)-[r:REL_TYPE {x: 1}]->(b:Y) RETURN a"
+        result = _inject(cypher)
+        assert "[r:REL_TYPE {x: 1}]" in result  # relationship untouched
+        assert f"(a:X:{LABEL})" in result
+        assert f"(b:Y:{LABEL})" in result
+
+    def test_call_subquery(self):
+        cypher = (
+            "CALL {\n"
+            "  MATCH (inner:AWSRole) RETURN inner\n"
+            "}\n"
+            "MATCH (outer:AWSAccount) RETURN outer, inner"
+        )
+        result = _inject(cypher)
+        assert f"(inner:AWSRole:{LABEL})" in result
+        assert f"(outer:AWSAccount:{LABEL})" in result
+
+    def test_multiple_protected_regions(self):
+        cypher = (
+            "MATCH (n:X {a: 'hello'}) " 'WHERE n.b = "world" ' "// comment\n" "RETURN n"
+        )
+        result = _inject(cypher)
+        assert "'hello'" in result
+        assert '"world"' in result
+        assert "// comment" in result
+        assert f"(n:X:{LABEL}" in result
+
+    def test_idempotent_on_already_injected(self):
+        """Running injection twice should add the label twice (not ideal, but predictable)."""
+        first = _inject("MATCH (n:AWSRole) RETURN n")
+        second = _inject(first)
+        # The label appears twice (stacked)
+        assert second.count(LABEL) == 2
+
+
+# ---------------------------------------------------------------------------
+# Validation
+# ---------------------------------------------------------------------------
+
+
+class TestValidation:
+    @pytest.mark.parametrize(
+        "cypher",
+        [
+            "LOAD CSV FROM 'http://169.254.169.254/' AS x RETURN x",
+            "load csv from 'http://evil.com' as row return row",
+            "CALL apoc.load.json('http://evil.com/') YIELD value RETURN value",
+            "CALL apoc.load.csvParams('http://evil.com/', {}, null) YIELD list RETURN list",
+            "CALL apoc.import.csv([{fileName: 'f'}], [], {}) YIELD node RETURN node",
+            "CALL apoc.export.csv.all('file.csv', {})",
+            "CALL apoc.cypher.run('CREATE (n)', {}) YIELD value RETURN value",
+            "CALL apoc.systemdb.graph() YIELD nodes RETURN nodes",
+            "CALL apoc.config.list() YIELD key, value RETURN key, value",
+            "CALL apoc.periodic.iterate('MATCH (n) RETURN n', 'DELETE n', {batchSize: 100})",
+            "CALL apoc.do.when(true, 'CREATE (n) RETURN n', '', {}) YIELD value RETURN value",
+            "CALL apoc.trigger.add('t', 'RETURN 1', {phase: 'before'})",
+            "CALL apoc.custom.asProcedure('myProc', 'RETURN 1')",
+        ],
+        ids=[
+            "LOAD_CSV",
+            "LOAD_CSV_lowercase",
+            "apoc.load.json",
+            "apoc.load.csvParams",
+            "apoc.import.csv",
+            "apoc.export.csv",
+            "apoc.cypher.run",
+            "apoc.systemdb.graph",
+            "apoc.config.list",
+            "apoc.periodic.iterate",
+            "apoc.do.when",
+            "apoc.trigger.add",
+            "apoc.custom.asProcedure",
+        ],
+    )
+    def test_rejects_blocked_patterns(self, cypher):
+        with pytest.raises(ValidationError) as exc:
+            validate_custom_query(cypher)
+
+        assert "blocked operation" in str(exc.value.detail)
+
+    @pytest.mark.parametrize(
+        "cypher",
+        [
+            "MATCH (n:AWSAccount) RETURN n LIMIT 10",
+            "MATCH (a)-[r]->(b) RETURN a, r, b",
+            "MATCH (n) WHERE n.name CONTAINS 'load' RETURN n",
+            "CALL apoc.create.vNode(['Label'], {}) YIELD node RETURN node",
+            "MATCH (n) WHERE n.name = 'apoc.load.json' RETURN n",
+            'MATCH (n) WHERE n.description = "LOAD CSV is cool" RETURN n',
+        ],
+        ids=[
+            "simple_match",
+            "traversal",
+            "contains_load_substring",
+            "apoc_virtual_node",
+            "apoc_load_inside_single_quotes",
+            "load_csv_inside_double_quotes",
+        ],
+    )
+    def test_allows_clean_queries(self, cypher):
+        validate_custom_query(cypher)

api/src/backend/api/tests/test_rbac.py

@@ -2,7 +2,7 @@ import json
 from unittest.mock import ANY, Mock, patch
 
 import pytest
-from conftest import TODAY
+from conftest import TEST_PASSWORD, TODAY
 from django.urls import reverse
 from rest_framework import status
 
@@ -830,3 +830,66 @@ class TestUserRoleLinkPermissions:
         )
 
         assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.django_db
+class TestCrossTenantRoleLeak:
+    """Regression tests for get_role() cross-tenant privilege leak.
+
+    get_role() must query admin_db (bypassing RLS) so that a user with a role
+    in tenant A cannot accidentally pass role checks when authenticated against
+    tenant B where they have no role.
+    """
+
+    def test_user_with_role_in_tenant_a_denied_in_tenant_b(self, tenants_fixture):
+        """User has admin role in tenant A, membership in tenant B but no role.
+        Hitting an RBAC-protected endpoint with a tenant-B token must return 403."""
+        from rest_framework.test import APIClient
+
+        tenant_a = tenants_fixture[0]
+        tenant_b = tenants_fixture[1]
+
+        user = User.objects.create_user(
+            name="cross_tenant_user",
+            email="cross_tenant@test.com",
+            password=TEST_PASSWORD,
+        )
+        Membership.objects.create(
+            user=user, tenant=tenant_a, role=Membership.RoleChoices.OWNER
+        )
+        Membership.objects.create(
+            user=user, tenant=tenant_b, role=Membership.RoleChoices.OWNER
+        )
+
+        # Role only in tenant A
+        role = Role.objects.create(
+            name="admin",
+            tenant_id=tenant_a.id,
+            manage_users=True,
+            manage_account=True,
+            manage_billing=True,
+            manage_providers=True,
+            manage_integrations=True,
+            manage_scans=True,
+            unlimited_visibility=True,
+        )
+        UserRoleRelationship.objects.create(user=user, role=role, tenant_id=tenant_a.id)
+
+        # Mint token scoped to tenant B (where user has NO role)
+        serializer = TokenSerializer(
+            data={
+                "type": "tokens",
+                "email": "cross_tenant@test.com",
+                "password": TEST_PASSWORD,
+                "tenant_id": tenant_b.id,
+            }
+        )
+        serializer.is_valid(raise_exception=True)
+        access_token = serializer.validated_data["access"]
+
+        client = APIClient()
+        client.defaults["HTTP_AUTHORIZATION"] = f"Bearer {access_token}"
+
+        # user-list requires manage_users permission via HasPermissions
+        response = client.get(reverse("user-list"))
+        assert response.status_code == status.HTTP_403_FORBIDDEN

api/src/backend/api/tests/test_sentry.py

@@ -4,14 +4,25 @@ from unittest.mock import MagicMock
 from config.settings.sentry import before_send
 
 
+def _make_log_record(msg, level=logging.ERROR, name="test", args=None):
+    """Build a real LogRecord so getMessage() works like in production."""
+    record = logging.LogRecord(
+        name=name,
+        level=level,
+        pathname="",
+        lineno=0,
+        msg=msg,
+        args=args,
+        exc_info=None,
+    )
+    return record
+
+
 def test_before_send_ignores_log_with_ignored_exception():
     """Test that before_send ignores logs containing ignored exceptions."""
-    log_record = MagicMock()
-    log_record.msg = "Provider kubernetes is not connected"
-    log_record.levelno = logging.ERROR  # 40
+    log_record = _make_log_record("Provider kubernetes is not connected")
 
     hint = {"log_record": log_record}
-
     event = MagicMock()
 
     result = before_send(event, hint)
@@ -36,12 +47,9 @@ def test_before_send_ignores_exception_with_ignored_exception():
 
 def test_before_send_passes_through_non_ignored_log():
     """Test that before_send passes through logs that don't contain ignored exceptions."""
-    log_record = MagicMock()
-    log_record.msg = "Some other error message"
-    log_record.levelno = logging.ERROR  # 40
+    log_record = _make_log_record("Some other error message")
 
     hint = {"log_record": log_record}
-
     event = MagicMock()
 
     result = before_send(event, hint)
@@ -66,15 +74,53 @@ def test_before_send_passes_through_non_ignored_exception():
 
 def test_before_send_handles_warning_level():
     """Test that before_send handles warning level logs."""
-    log_record = MagicMock()
-    log_record.msg = "Provider kubernetes is not connected"
-    log_record.levelno = logging.WARNING  # 30
+    log_record = _make_log_record(
+        "Provider kubernetes is not connected", level=logging.WARNING
+    )
 
     hint = {"log_record": log_record}
-
     event = MagicMock()
 
     result = before_send(event, hint)
 
     # Assert that the event was dropped (None returned)
     assert result is None
+
+
+def test_before_send_ignores_neo4j_defunct_connection():
+    """Test that before_send drops neo4j.io defunct connection logs.
+
+    The Neo4j driver logs transient connection errors at ERROR level
+    before RetryableSession retries them. These are noise.
+
+    The driver uses %s formatting, so "defunct" is in the args, not
+    in the template. This test mirrors the real LogRecord structure.
+    """
+    log_record = _make_log_record(
+        msg="[#%04X]  _: <CONNECTION> error: %s: %r",
+        name="neo4j.io",
+        args=(
+            0xE5CC,
+            "Failed to read from defunct connection "
+            "IPv4Address(('cloud-neo4j.prowler.com', 7687))",
+            ConnectionResetError(104, "Connection reset by peer"),
+        ),
+    )
+
+    hint = {"log_record": log_record}
+    event = MagicMock()
+
+    assert before_send(event, hint) is None
+
+
+def test_before_send_passes_non_defunct_neo4j_log():
+    """Test that before_send passes through neo4j.io logs that are not about defunct connections."""
+    log_record = _make_log_record(
+        msg="Some other neo4j transport error",
+        name="neo4j.io",
+    )
+
+    hint = {"log_record": log_record}
+    event = MagicMock()
+
+    assert before_send(event, hint) == event

api/src/backend/api/tests/test_utils.py

@@ -33,6 +33,7 @@ from prowler.providers.m365.m365_provider import M365Provider
 from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
 from prowler.providers.openstack.openstack_provider import OpenstackProvider
 from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
+from prowler.providers.vercel.vercel_provider import VercelProvider
 
 
 class TestMergeDicts:
@@ -128,6 +129,7 @@ class TestReturnProwlerProvider:
             (Provider.ProviderChoices.CLOUDFLARE.value, CloudflareProvider),
             (Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
             (Provider.ProviderChoices.IMAGE.value, ImageProvider),
+            (Provider.ProviderChoices.VERCEL.value, VercelProvider),
         ],
     )
     def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -218,6 +220,24 @@ class TestProwlerProviderConnectionTest:
             registry_token="tok123",
         )
 
+    @patch("api.utils.return_prowler_provider")
+    def test_prowler_provider_connection_test_vercel_provider(
+        self, mock_return_prowler_provider
+    ):
+        """Test connection test for Vercel provider passes team_id."""
+        provider = MagicMock()
+        provider.uid = "team_abcdef1234567890"
+        provider.provider = Provider.ProviderChoices.VERCEL.value
+        provider.secret.secret = {"api_token": "vercel_token_123"}
+        mock_return_prowler_provider.return_value = MagicMock()
+
+        prowler_provider_connection_test(provider)
+        mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
+            api_token="vercel_token_123",
+            team_id="team_abcdef1234567890",
+            raise_on_exception=False,
+        )
+
     @patch("api.utils.return_prowler_provider")
     def test_prowler_provider_connection_test_image_provider_no_creds(
         self, mock_return_prowler_provider
@@ -284,6 +304,10 @@ class TestGetProwlerProviderKwargs:
                 Provider.ProviderChoices.OPENSTACK.value,
                 {},
             ),
+            (
+                Provider.ProviderChoices.VERCEL.value,
+                {"team_id": "provider_uid"},
+            ),
         ],
     )
     def test_get_prowler_provider_kwargs(self, provider_type, expected_extra_kwargs):
@@ -782,11 +806,15 @@ class TestProwlerIntegrationConnectionTest:
         }
         integration.configuration = {}
 
-        # Mock successful JIRA connection with projects
+        # Mock successful JIRA connection with projects and issue types
         mock_connection = MagicMock()
         mock_connection.is_connected = True
         mock_connection.error = None
         mock_connection.projects = {"PROJ1": "Project 1", "PROJ2": "Project 2"}
+        mock_connection.issue_types = {
+            "PROJ1": ["Task", "Bug"],
+            "PROJ2": ["Task", "Story"],
+        }
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -815,6 +843,12 @@ class TestProwlerIntegrationConnectionTest:
             "PROJ2": "Project 2",
         }
 
+        # Verify issue types were saved to integration configuration
+        assert integration.configuration["issue_types"] == {
+            "PROJ1": ["Task", "Bug"],
+            "PROJ2": ["Task", "Story"],
+        }
+
         # Verify integration.save() was called
         integration.save.assert_called_once()
 
@@ -838,6 +872,7 @@ class TestProwlerIntegrationConnectionTest:
         mock_connection.is_connected = False
         mock_connection.error = Exception("Authentication failed: Invalid credentials")
         mock_connection.projects = {}  # Empty projects when connection fails
+        mock_connection.issue_types = {}  # Empty issue types when connection fails
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -863,6 +898,9 @@ class TestProwlerIntegrationConnectionTest:
         # Verify empty projects dict was saved to integration configuration
         assert integration.configuration["projects"] == {}
 
+        # Verify empty issue types dict was saved to integration configuration
+        assert integration.configuration["issue_types"] == {}
+
         # Verify integration.save() was called even on connection failure
         integration.save.assert_called_once()
 
@@ -881,11 +919,11 @@ class TestProwlerIntegrationConnectionTest:
             "domain": "example.atlassian.net",
         }
         integration.configuration = {
-            "issue_types": ["Task"],  # Existing configuration
+            "issue_types": {"OLD_PROJ": ["Task"]},  # Existing configuration
             "projects": {"OLD_PROJ": "Old Project"},  # Will be overwritten
         }
 
-        # Mock successful JIRA connection with new projects
+        # Mock successful JIRA connection with new projects and issue types
         mock_connection = MagicMock()
         mock_connection.is_connected = True
         mock_connection.error = None
@@ -893,6 +931,10 @@ class TestProwlerIntegrationConnectionTest:
             "NEW_PROJ1": "New Project 1",
             "NEW_PROJ2": "New Project 2",
         }
+        mock_connection.issue_types = {
+            "NEW_PROJ1": ["Task", "Bug"],
+            "NEW_PROJ2": ["Story"],
+        }
         mock_jira_class.test_connection.return_value = mock_connection
 
         # Mock rls_transaction context manager
@@ -910,8 +952,11 @@ class TestProwlerIntegrationConnectionTest:
             "NEW_PROJ2": "New Project 2",
         }
 
-        # Verify other configuration fields were preserved
-        assert integration.configuration["issue_types"] == ["Task"]
+        # Verify issue types were also updated
+        assert integration.configuration["issue_types"] == {
+            "NEW_PROJ1": ["Task", "Bug"],
+            "NEW_PROJ2": ["Story"],
+        }
 
         # Verify integration.save() was called
         integration.save.assert_called_once()

api/src/backend/api/utils.py

@@ -39,6 +39,7 @@ if TYPE_CHECKING:
     )
     from prowler.providers.openstack.openstack_provider import OpenstackProvider
     from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
+    from prowler.providers.vercel.vercel_provider import VercelProvider
 
 
 class CustomOAuth2Client(OAuth2Client):
@@ -94,6 +95,7 @@ def return_prowler_provider(
     | MongodbatlasProvider
     | OpenstackProvider
     | OraclecloudProvider
+    | VercelProvider
 ):
     """Return the Prowler provider class based on the given provider type.
 
@@ -175,6 +177,10 @@ def return_prowler_provider(
             from prowler.providers.image.image_provider import ImageProvider
 
             prowler_provider = ImageProvider
+        case Provider.ProviderChoices.VERCEL.value:
+            from prowler.providers.vercel.vercel_provider import VercelProvider
+
+            prowler_provider = VercelProvider
         case _:
             raise ValueError(f"Provider type {provider.provider} not supported")
     return prowler_provider
@@ -235,6 +241,11 @@ def get_prowler_provider_kwargs(
         # clouds_yaml_content, clouds_yaml_cloud and provider_id are validated
         # in the provider itself, so it's not needed here.
         pass
+    elif provider.provider == Provider.ProviderChoices.VERCEL.value:
+        prowler_provider_kwargs = {
+            **prowler_provider_kwargs,
+            "team_id": provider.uid,
+        }
     elif provider.provider == Provider.ProviderChoices.IMAGE.value:
         # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
         # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
@@ -281,6 +292,7 @@ def initialize_prowler_provider(
     | MongodbatlasProvider
     | OpenstackProvider
     | OraclecloudProvider
+    | VercelProvider
 ):
     """Initialize a Prowler provider instance based on the given provider type.
 
@@ -332,6 +344,13 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
             "raise_on_exception": False,
         }
         return prowler_provider.test_connection(**openstack_kwargs)
+    elif provider.provider == Provider.ProviderChoices.VERCEL.value:
+        vercel_kwargs = {
+            **prowler_provider_kwargs,
+            "team_id": provider.uid,
+            "raise_on_exception": False,
+        }
+        return prowler_provider.test_connection(**vercel_kwargs)
     elif provider.provider == Provider.ProviderChoices.IMAGE.value:
         image_kwargs = {
             "image": provider.uid,
@@ -415,8 +434,12 @@ def prowler_integration_connection_test(integration: Integration) -> Connection:
             raise_on_exception=False,
         )
         project_keys = jira_connection.projects if jira_connection.is_connected else {}
+        issue_types = (
+            jira_connection.issue_types if jira_connection.is_connected else {}
+        )
         with rls_transaction(str(integration.tenant_id)):
             integration.configuration["projects"] = project_keys
+            integration.configuration["issue_types"] = issue_types
             integration.save()
         return jira_connection
     elif integration.integration_type == Integration.IntegrationChoices.SLACK:

api/src/backend/api/v1/serializer_utils/integrations.py

@@ -69,8 +69,10 @@ class SecurityHubConfigSerializer(BaseValidateSerializer):
 
 class JiraConfigSerializer(BaseValidateSerializer):
     domain = serializers.CharField(read_only=True)
-    issue_types = serializers.ListField(
-        read_only=True, child=serializers.CharField(), default=["Task"]
+    issue_types = serializers.DictField(
+        read_only=True,
+        child=serializers.ListField(child=serializers.CharField()),
+        default={},
     )
     projects = serializers.DictField(read_only=True)
 

api/src/backend/api/v1/serializer_utils/providers.py

@@ -404,6 +404,17 @@ from rest_framework_json_api import serializers
                 },
                 "required": ["clouds_yaml_content", "clouds_yaml_cloud"],
             },
+            {
+                "type": "object",
+                "title": "Vercel API Token",
+                "properties": {
+                    "api_token": {
+                        "type": "string",
+                        "description": "Vercel API token for authentication. Can be scoped to a specific team.",
+                    },
+                },
+                "required": ["api_token"],
+            },
         ]
     }
 )

api/src/backend/api/v1/serializers.py

@@ -1573,6 +1573,8 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
                 serializer = OpenStackCloudsYamlProviderSecret(data=secret)
             elif provider_type == Provider.ProviderChoices.IMAGE.value:
                 serializer = ImageProviderSecret(data=secret)
+            elif provider_type == Provider.ProviderChoices.VERCEL.value:
+                serializer = VercelProviderSecret(data=secret)
             else:
                 raise serializers.ValidationError(
                     {"provider": f"Provider type not supported {provider_type}"}
@@ -1779,6 +1781,13 @@ class ImageProviderSecret(serializers.Serializer):
         return attrs
 
 
+class VercelProviderSecret(serializers.Serializer):
+    api_token = serializers.CharField()
+
+    class Meta:
+        resource_name = "provider-secrets"
+
+
 class AlibabaCloudProviderSecret(serializers.Serializer):
     access_key_id = serializers.CharField()
     access_key_secret = serializers.CharField()
@@ -2713,11 +2722,11 @@ class BaseWriteIntegrationSerializer(BaseWriteSerializer):
                 )
             config_serializer = JiraConfigSerializer
             # Create non-editable configuration for JIRA integration
-            default_jira_issue_types = ["Task"]
+            # issue_types will be populated per project when connection is tested
             configuration.update(
                 {
                     "projects": {},
-                    "issue_types": default_jira_issue_types,
+                    "issue_types": {},
                     "domain": credentials.get("domain"),
                 }
             )
@@ -2932,13 +2941,25 @@ class IntegrationUpdateSerializer(BaseWriteIntegrationSerializer):
         return representation
 
 
+class IntegrationJiraIssueTypesSerializer(BaseSerializerV1):
+    """
+    Serializer for Jira issue types response.
+    """
+
+    project_key = serializers.CharField(read_only=True)
+    issue_types = serializers.ListField(child=serializers.CharField(), read_only=True)
+
+    class JSONAPIMeta:
+        resource_name = "jira-issue-types"
+
+
 class IntegrationJiraDispatchSerializer(BaseSerializerV1):
     """
     Serializer for dispatching findings to JIRA integration.
     """
 
     project_key = serializers.CharField(required=True)
-    issue_type = serializers.ChoiceField(required=True, choices=["Task"])
+    issue_type = serializers.CharField(required=True)
 
     class JSONAPIMeta:
         resource_name = "integrations-jira-dispatches"
@@ -2967,6 +2988,23 @@ class IntegrationJiraDispatchSerializer(BaseSerializerV1):
                 }
             )
 
+        issue_type = attrs.get("issue_type")
+        available_issue_types = integration_instance.configuration.get(
+            "issue_types", {}
+        )
+        # Handle old format where issue_types was a flat list (e.g., ["Task"])
+        if not isinstance(available_issue_types, dict):
+            available_issue_types = {}
+        project_issue_types = available_issue_types.get(project_key, [])
+        if project_issue_types and issue_type not in project_issue_types:
+            raise ValidationError(
+                {
+                    "issue_type": f"The issue type '{issue_type}' is not available for project '{project_key}'. "
+                    f"Available types: {', '.join(project_issue_types)}. "
+                    "Refresh the connection if this is an error."
+                }
+            )
+
         return validated_attrs
 
 
@@ -4147,6 +4185,7 @@ class FindingGroupSerializer(BaseSerializerV1):
     check_description = serializers.CharField(required=False, allow_null=True)
     severity = serializers.CharField()
     status = serializers.CharField()
+    muted = serializers.BooleanField()
     impacted_providers = serializers.ListField(
         child=serializers.CharField(), required=False
     )
@@ -4154,9 +4193,25 @@ class FindingGroupSerializer(BaseSerializerV1):
     resources_total = serializers.IntegerField()
     pass_count = serializers.IntegerField()
     fail_count = serializers.IntegerField()
+    manual_count = serializers.IntegerField()
+    pass_muted_count = serializers.IntegerField()
+    fail_muted_count = serializers.IntegerField()
+    manual_muted_count = serializers.IntegerField()
     muted_count = serializers.IntegerField()
     new_count = serializers.IntegerField()
     changed_count = serializers.IntegerField()
+    new_fail_count = serializers.IntegerField()
+    new_fail_muted_count = serializers.IntegerField()
+    new_pass_count = serializers.IntegerField()
+    new_pass_muted_count = serializers.IntegerField()
+    new_manual_count = serializers.IntegerField()
+    new_manual_muted_count = serializers.IntegerField()
+    changed_fail_count = serializers.IntegerField()
+    changed_fail_muted_count = serializers.IntegerField()
+    changed_pass_count = serializers.IntegerField()
+    changed_pass_muted_count = serializers.IntegerField()
+    changed_manual_count = serializers.IntegerField()
+    changed_manual_muted_count = serializers.IntegerField()
     first_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     last_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     failing_since = serializers.DateTimeField(required=False, allow_null=True)
@@ -4170,16 +4225,21 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
     Serializer for Finding Group Resources - resources within a finding group.
 
     Returns individual resources with their current status, severity,
-    and timing information.
+    and timing information. Orphan findings (without any resource) expose the
+    finding id as `id` so the row stays identifiable in the UI.
     """
 
-    id = serializers.UUIDField(source="resource_id")
+    id = serializers.UUIDField(source="row_id")
     resource = serializers.SerializerMethodField()
     provider = serializers.SerializerMethodField()
+    finding_id = serializers.UUIDField()
     status = serializers.CharField()
     severity = serializers.CharField()
+    muted = serializers.BooleanField()
+    delta = serializers.CharField(required=False, allow_null=True)
     first_seen_at = serializers.DateTimeField(required=False, allow_null=True)
     last_seen_at = serializers.DateTimeField(required=False, allow_null=True)
+    muted_reason = serializers.CharField(required=False, allow_null=True)
 
     class JSONAPIMeta:
         resource_name = "finding-group-resources"
@@ -4193,6 +4253,7 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
                 "service": {"type": "string"},
                 "region": {"type": "string"},
                 "type": {"type": "string"},
+                "resource_group": {"type": "string"},
             },
         }
     )
@@ -4204,6 +4265,7 @@ class FindingGroupResourceSerializer(BaseSerializerV1):
             "service": obj.get("resource_service", ""),
             "region": obj.get("resource_region", ""),
             "type": obj.get("resource_type", ""),
+            "resource_group": obj.get("resource_group", ""),
         }
 
     @extend_schema_field(